Your agents should never (try to) read your secrets.
Website β’ How It Works β’ Quick Start β’ Agent Setup β’ Protection β’ Plugins β’ Docs β’ Issues β’ Discussions
Crust is a transparent, local gateway between your AI agents and LLM providers. It intercepts every tool call β file reads, shell commands, network requests β and blocks dangerous actions before they execute. No code changes required.
100% local. Your data never leaves your machine.
Crust has five entry points β use one or combine them:
| Entry Point | Command | What It Does |
|---|---|---|
| HTTP Proxy | crust start |
Sits between your agent and the LLM API. Scans tool calls in both the request (conversation history) and response (new actions) before they execute. |
| MCP Stdio Gateway | crust wrap |
Wraps any stdio MCP server, intercepting tools/call and resources/read in both directions β including DLP scanning of server responses for leaked secrets. |
| MCP HTTP Gateway | crust wrap |
Reverse proxy for Streamable HTTP MCP servers β same rule engine, no stdio required. |
| ACP Stdio Proxy | crust wrap |
Wraps any ACP agent, intercepting file reads, writes, and terminal commands before the IDE executes them. |
| Auto-detect | crust wrap |
Inspects both MCP and ACP methods simultaneously β use when you don't know which protocol a subprocess speaks. |
All entry points apply the same evaluation pipeline β self-protection, input sanitization, Unicode normalization, obfuscation detection, DLP secret scanning, path normalization, symlink resolution, and rule matching β each step in microseconds.
All activity is logged locally to encrypted storage.
macOS / Linux / BSD:
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/BakeLens/crust/main/install.sh)"Windows (PowerShell):
irm https://raw.githubusercontent.com/BakeLens/crust/main/install.ps1 | iexDocker:
docker compose up -d # uses the included docker-compose.yml
# or manually:
docker build -t crust https://github.com/BakeLens/crust.git
docker run -p 9090:9090 crustThen start the gateway:
crust start --autoAuto mode detects your LLM provider from the model name β no endpoint URL or API key configuration needed. Your agent's existing auth is passed through.
Point your agent to Crust:
| Agent | Configuration |
|---|---|
| Claude Code | ANTHROPIC_BASE_URL=http://localhost:9090 |
| Codex CLI | OPENAI_BASE_URL=http://localhost:9090/v1 |
| Cursor | Settings β Models β Override OpenAI Base URL β http://localhost:9090/v1 |
| Cline | Settings β API Configuration β Base URL β http://localhost:9090/v1 |
| Windsurf | Settings β AI β Provider Base URL β http://localhost:9090/v1 |
| JetBrains AI | Settings β AI Assistant β Providers & API keys β Base URL β http://localhost:9090/v1 |
| Continue | Set apiBase to http://localhost:9090/v1 in config |
| Aider | OPENAI_API_BASE=http://localhost:9090/v1 |
More agents...
| Agent | Configuration |
|---|---|
| Zed | Set api_url to http://localhost:9090/v1 in settings |
| Tabby | Set api_endpoint to http://localhost:9090/v1 in config |
| avante.nvim | Set endpoint to http://localhost:9090/v1 in config |
| codecompanion.nvim | Set url to http://localhost:9090/v1 in adapter config |
| CodeGPT | Set custom provider URL to http://localhost:9090/v1 |
| OpenClaw | Set baseUrl to http://localhost:9090 in ~/.openclaw/openclaw.json |
| OpenCode | OPENAI_BASE_URL=http://localhost:9090/v1 |
| Any OpenAI-compatible agent | Set your LLM base URL to http://localhost:9090/v1 |
Crust auto-detects the provider from the model name and passes through your auth β no endpoint URL or API key configuration needed. Clients that send /api/v1/... paths (e.g. some JetBrains configurations) are also supported. For providers with non-standard base paths like OpenRouter (https://openrouter.ai/api), use --endpoint.
crust status # Check if running
crust status --agents # Detect running AI agents and protection status
crust logs -f # Follow logs
crust doctor # Diagnose provider endpoints
crust stop # Stop crustFor MCP servers, Crust intercepts tools/call and resources/read requests before they reach the server.
crust wrap -- npx -y @modelcontextprotocol/server-filesystem /path/to/dirWorks with any MCP server. See the MCP setup guide for details and examples.
For IDEs that use the Agent Client Protocol (ACP), Crust can wrap any ACP agent as a transparent stdio proxy β intercepting file reads, writes, and terminal commands before the IDE executes them. No changes to the agent or IDE required.
crust wrap -- goose acpSupports JetBrains IDEs and other ACP-compatible editors. See the ACP setup guide for step-by-step instructions.
Crust ships as a native iOS 15+ library (CrustKit) for embedding in mobile apps. The same rule engine that protects desktop agents also protects mobile AI agents.
Three integration paths β pick one:
import CrustKit
let engine = CrustEngine()
try engine.initialize()
// ββ Option 1: Local reverse proxy ββ
// Best when your AI SDK doesn't use URLSession or you want explicit control.
try engine.startProxy(port: 8080, upstreamURL: "https://api.anthropic.com")
// Point your AI SDK base URL to http://127.0.0.1:8080
// ββ Option 2: URLProtocol (zero-config) ββ
// Best when your AI SDK uses URLSession β no base URL change needed.
CrustURLProtocol.engine = engine
let session = URLSession(configuration: .crustProtected)
// ββ Option 3: Direct evaluation ββ
// Best for custom integrations or manual checks.
let result = await engine.evaluateAsync(toolName: "read_contacts", arguments: [:])
print(result.matched) // true β blocked by protect-mobile-pii
// ββ Content scanning (DLP for text responses & user input) ββ
let scan = engine.scanContent(aiTextResponse) // secrets in AI output
let outbound = engine.scanOutbound(userMessage) // secrets in user input
let urlCheck = engine.validateURL("tel:+1234567890") // blocked URL schemesMobile-specific protections (7 locked rules + shared rules):
| Category | Blocked Tools | Rule |
|---|---|---|
| PII | contacts, photos, calendar, location, health, camera, microphone, call log, SMS | protect-mobile-pii |
| Keychain | keychain read/write/delete | protect-os-keychains |
| Clipboard | clipboard read (writes allowed) | protect-mobile-clipboard |
| URL Schemes | tel:, sms:, facetime:, itms-services:, app-settings: |
protect-mobile-url-schemes |
| Hardware | Bluetooth scan/connect, NFC read/write | protect-mobile-hardware |
| Biometric | Face ID, Touch ID, biometric auth | protect-mobile-biometric |
| Purchases | in-app purchases, financial transactions | protect-mobile-purchases |
| Persistence | background task scheduling | protect-persistence |
| Notifications | push/local notification sending | (user-configurable) |
| Content DLP | secrets/PII in AI text responses, user input, clipboard | DLP engine (46 patterns) |
| URL Validation | dangerous URL schemes (tel:, sms:, etc.) |
protect-mobile-url-schemes |
Installation:
# Local development β build the xcframework
./scripts/build-ios.sh
# Then add ios/CrustKit/ as a local Swift Package in XcodeFor release builds, Libcrust.xcframework.zip is attached to each GitHub release with a SHA-256 checksum for use as a remote SPM binary target.
Mobile and desktop rules are unified using virtual paths (mobile://) β the same YAML file protects both platforms. See internal/rules/builtin/security.yaml for all 30 rules.
Crust ships with 35 security rules (32 locked, 3 user-disablable) and 46 DLP token-detection patterns out of the box:
| Category | What's Protected |
|---|---|
| Credentials | .env, SSH keys, cloud creds (AWS, GCP, Azure), GPG keys |
| System Auth | /etc/passwd, /etc/shadow, sudoers |
| Shell History | .bash_history, .zsh_history, .python_history, and more |
| Browser Data | Chrome, Firefox, Safari passwords, cookies, local storage |
| Package Tokens | npm, pip, Cargo, Composer, NuGet, Gem auth tokens |
| Git Credentials | .git-credentials, .config/git/credentials |
| Persistence | Shell RC files, authorized_keys, cron/systemd/launchd, git hooks, mobile background tasks |
| Mobile | PII (contacts, photos, calendar, location, health, camera, microphone, call log, SMS), keychain, clipboard, URL schemes (tel:, sms:), Bluetooth/NFC, biometric auth, in-app purchases |
| Agent Config | .claude/settings.json, .cursor/mcp.json, .mcp.json β prevents privilege escalation |
| DLP Token Detection | Content-based scanning for real API keys and tokens (AWS, GitHub, Stripe, OpenAI, Anthropic, and 35 more) |
| Key Exfiltration | Content-based PEM private key detection |
| Crypto Wallets | BIP39 mnemonics, xprv/WIF keys (checksum-validated), wallet directories for 16 chains |
| Self-Protection | Agents cannot read, modify, or disable Crust itself |
| Dangerous Commands | eval/exec with dynamic code execution |
All rules are open source: internal/rules/builtin/security.yaml (path rules), internal/rules/dlp.go (DLP patterns), and internal/rules/dlp_crypto.go (crypto key detection)
These defenses are validated against 50 real-world CVEs affecting Cursor, GitHub Copilot, Claude Code, OpenAI Codex CLI, and other AI agents β including prompt injection, config hijacking, env var poisoning, and token exfiltration attacks.
Rules use a progressive disclosure schema β start simple, add complexity only when needed:
rules:
# One-liner: block all .env files
- block: "**/.env"
# With exceptions and specific actions
- block: "**/.ssh/*"
except: ["**/*.pub", "**/known_hosts"]
actions: [read, copy]
message: "Cannot access SSH directory"
# Advanced: regex matching on commands
- name: block-rm-rf
match:
command: "re:rm\\s+-rf\\s+/"
message: "Blocked: recursive delete from root"crust add-rule my-rules.yaml # Rules active immediately (hot reload)Plugins are late-stage protection layers that run after the built-in 14-step evaluation pipeline. When the engine allows a tool call, it passes through registered plugins before returning the final verdict. Plugins can implement sandboxing, rate limiting, audit logging, or custom policy enforcement.
Plugins communicate over a JSON wire protocol (newline-delimited JSON over stdin/stdout) β write them in any language: Python, Go, Rust, Node.js, etc.
# sandbox_plugin.py β restrict file access to project directory
def handle_evaluate(req):
for path in req.get("paths", []):
if not path.startswith("/home/user/project"):
return {"rule_name": "sandbox:fs-deny", "severity": "high",
"message": f"path {path} is outside sandbox"}
return None # allowKey features:
- OS-level crash isolation β plugins run as separate processes; a crash cannot affect the engine
- Circuit breaker β plugins that fail 3 times are auto-disabled with exponential backoff
- Rule snapshot access β plugins receive a read-only view of all active engine rules
- First-block wins β plugins evaluate concurrently; the first block cancels the rest
See the Plugin System documentation for the full wire protocol specification, data types, and examples.
A security tool must protect itself first. Crust is built to resist tampering β even by the AI agents it monitors:
| Principle | What it means |
|---|---|
| Only you can access it | Crust's control interface only listens on your machine β no one else on the network can reach it |
| Agents can't disable it | A hardcoded pre-filter prevents AI agents from turning off, reconfiguring, or bypassing Crust |
| Your files stay private | All config and log files are locked to your user account β other users and programs can't read them |
| Secrets use OS keyring | API keys and encryption keys are stored in your OS keyring (macOS Keychain / Linux Secret Service / Windows Credential Manager), never in environment variables |
| Logs are encrypted | Activity logs are stored in an encrypted database; the key never appears in command history |
| Oversized requests are rejected | Abnormally large inputs are dropped before processing to prevent abuse |
| Connections are encrypted | All traffic to LLM providers uses modern encryption (TLS 1.2+) |
| Every code change is scanned | 16 automated security checks run on every commit β vulnerability scanning, secret detection, race condition testing |
See SECURITY.md for vulnerability reporting.
Setup
| Guide | Description |
|---|---|
| Configuration | Providers, auto mode, block modes |
| MCP Gateway | Stdio proxy for MCP servers β Claude Desktop, custom servers |
| ACP Integration | Stdio proxy for ACP agents β JetBrains, VS Code |
| Docker | Dockerfile, docker-compose, container setup |
Reference
| Guide | Description |
|---|---|
| CLI Reference | Commands, flags, environment variables |
| How It Works | Architecture, rule engine, evaluation pipeline |
| Plugin System | Wire protocol, crash isolation, circuit breaker, examples |
| Shell Parsing | Bash command parsing for path/command extraction |
| CVE Tracker | AI agent vulnerability tracker |
| Migration | Upgrade guides for breaking changes |
Build from Source
Requires Go 1.26.1+ and a C compiler (CGO is needed for SQLite).
git clone https://github.com/BakeLens/crust.git
cd crust
go build .
./crust version # Windows: .\crust.exe versionGo 1.26 enables the Green Tea garbage collector by default, which reduces GC overhead by 10β40% β this meaningfully improves latency for the hot-path proxy pipeline. Run go fix ./... before submitting PRs to apply any pending modernizations automatically.
Crust is open-source and in active development. We welcome contributions β PRs for new security rules are especially appreciated.
- Report a bug
- Security vulnerabilities β please report privately
- Discussions
Add this badge to your project's README:
[](https://github.com/BakeLens/crust)Citation
If you use Crust in your research, please cite:
@software{crust2026,
title = {Crust: A Transparent Gateway for AI Agent Security},
author = {Chen, Zichen and Chen, Yuanyuan and Jiang, Bowen and Xu, Zhangchen},
year = {2026},
url = {https://github.com/BakeLens/crust}
}