Crust
🌟 Open Source AI Agent Security Infrastructure — intercepts and blocks dangerous agent behaviors before they happen. Just one command! Join us to build safer Human-AI Symbiosis!
What is Crust?
Crust is a transparent, local gateway between your AI agents and LLM providers. It intercepts every tool call — file reads, shell commands, network requests — and blocks dangerous actions before they execute. No code changes required.
100% local. Your data never leaves your machine.
<p align="center"> <img src="docs/demo.gif" alt="Crust in action" width="800" /> </p>
How It Works
<p align="center"> <img src="docs/crust.png" alt="Crust architecture" width="90%" /> </p>
Crust has five entry points — use one or combine them:
| Entry Point | Command | What It Does |
|-------------|---------|--------------|
| HTTP Proxy | crust start | Sits between your agent and the LLM API. Scans tool calls in both the request (conversation history) and response (new actions) before they execute. |
| MCP Stdio Gateway | crust wrap | Wraps any stdio MCP server, intercepting tools/call and resources/read in both directions — including DLP scanning of server responses for leaked secrets. |
| MCP HTTP Gateway | crust wrap | Reverse proxy for Streamable HTTP MCP servers — same rule engine, no stdio required. |
| ACP Stdio Proxy | crust wrap | Wraps any ACP agent, intercepting file reads, writes, and terminal commands before the IDE executes them. |
| Auto-detect | crust wrap | Inspects both MCP and ACP methods simultaneously — use when you don't know which protocol a subprocess speaks. |
All entry points apply the same evaluation pipeline — self-protection, input sanitization, Unicode normalization, obfuscation detection, DLP secret scanning, path normalization, symlink resolution, and rule matching — each step in microseconds.
All activity is logged locally to encrypted storage.
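Why path normalization and symlink resolution come before rule matching in the pipeline listed above, as an added example (not Crust's code): a rule compared against the raw argument string misses `..` segments and symlink aliases, while the same rule compared against the resolved path catches them. The protected directory, file names and function names are assumptions for this sketch, which builds its own tree in a temporary directory.

```python
import os
import tempfile

def naive_is_protected(raw_path, protected_dir):
    """Compare the agent-supplied string to the rule with no canonicalization."""
    return raw_path.startswith(protected_dir + os.sep)

def canonical(raw_path):
    """Resolve symlinks component by component, so '..' is applied to the
    resolved directory rather than collapsed lexically."""
    return os.path.realpath(raw_path)

def is_protected(raw_path, protected_dir):
    """Match the rule against the path the OS would actually open."""
    target = canonical(raw_path)
    guard = canonical(protected_dir)
    return os.path.commonpath([target, guard]) == guard

def demo():
    """Build a constructed directory tree and run both matchers over it."""
    root = os.path.realpath(tempfile.mkdtemp())
    ssh_dir = os.path.join(root, "home", ".ssh")  # hypothetical protected dir
    work = os.path.join(root, "work")
    os.makedirs(ssh_dir)
    os.makedirs(work)
    key = os.path.join(ssh_dir, "id_ed25519")
    open(key, "w").close()
    alias = os.path.join(work, "notes.txt")
    os.symlink(key, alias)  # innocuous-looking alias of the key file
    cases = {
        "direct": key,
        "dotdot": os.path.join(work, "..", "home", ".ssh", "id_ed25519"),
        "symlink": alias,
        "benign": os.path.join(work, "readme.md"),
    }
    # Each value is (naive result, canonicalized result).
    return {name: (naive_is_protected(p, ssh_dir), is_protected(p, ssh_dir))
            for name, p in cases.items()}

if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(name, verdicts)
```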
Quick Start
macOS / Linux / BSD:
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/BakeLens/crust/main/install.sh)"
Windows (PowerShell):
irm https://raw.githubusercontent.com/BakeLens/crust/main/install.ps1 | iex
Docker:
docker compose up -d # uses the included docker-compose.yml
# or manually:
docker build -t crust https://github.com/BakeLens/crust.git
docker run -p 9090:9090 crust
Then start the gateway:
crust start
Auto mode is the default — it detects your LLM provider from the model name with zero configuration. Your agent's existing auth is passed through.
Agent Setup
HTTP Proxy
Point your agent to Crust:
| Agent | Configuration |
|-------|---------------|
| Claude Code | ANTHROPIC_BASE_URL=http://localhost:9090 |
| Codex CLI | OPENAI_BASE_URL=http://localhost:9090/v1 |
| Cursor | Settings → Models → Override OpenAI Base URL → http://localhost:9090/v1 |
| Cline | Settings → API Configuration → Base URL → http://localhost:9090/v1 |
| Windsurf | Settings → AI → Provider Base URL → http://localhost:9090/v1 |
| JetBrains AI | Settings → AI Assistant → Providers & API keys → Base URL → http://localhost:9090/v1 |
| Continue | Set apiBase to http://localhost:9090/v1 in config |
| Aider | OPENAI_API_BASE=http://localhost:9090/v1 |
| Zed | Set api_url to http://localhost:9090/v1 in settings |
| Tabby | Set api_endpoint to http://localhost:9090/v1 in config |
| avante.nvim | Set endpoint to http://localhost:9090/v1 in config |
| codecompanion.nvim | Set url to http://localhost:9090/v1 in adapter config |
| CodeGPT | Set custom provider URL to http://localhost:9090/v1 |
| OpenClaw | Set baseUrl to http://localhost:9090 in ~/.openclaw/openclaw.json |
| OpenCode | OPENAI_BASE_URL=http://localhost:9090/v1 |
| Any OpenAI-compatible agent | Set your LLM base URL to http://localhost:9090/v1 |
Crust auto-detects the provider from the model name and passes through your auth — no endpoint URL or API key configuration needed. Clients that send /api/v1/... paths (e.g. some JetBrains configurations) are also supported. For providers with non-standard base paths like OpenRouter (https://openrouter.ai/api), use --endpoint.
crust status # Check if running
crust status --agents # Detect running AI agents and protection status
crust logs -f # Follow logs
crust doctor # Diagnose provider endpoints
crust stop # Stop crust
MCP Gateway
For MCP servers, Crust intercepts tools/call and resources/read requests before they reach the server.
crust wrap -- npx -y @modelcontextprotocol/server-filesystem /path/to/dir
Works with any MCP server. See the MCP setup guide for details and examples.
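What interception in both directions looks like at the JSON-RPC level, as an added example (not Crust's implementation): a denied `tools/call` is answered with an error carrying the request's id and never reaches the server, and a server result containing a secret is replaced by an error before the client sees it. The denied tool name, the two secret patterns, the error code and all function names are assumptions for this sketch; the request-side check here covers tool names only.

```python
import json
import re

# Hypothetical policy for this sketch; not Crust's rule set or patterns.
DENIED_TOOLS = {"execute_command"}
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}

# Constructed server response (the key is AWS's documented example value).
SAMPLE_LEAK = ('{"jsonrpc":"2.0","id":2,"result":{"contents":'
               '[{"uri":"file:///srv/app/.env","text":"KEY=AKIAIOSFODNN7EXAMPLE"}]}}')

def leaves(obj):
    """Yield every string nested anywhere inside a decoded JSON value."""
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, (dict, list)):
        for value in (obj.values() if isinstance(obj, dict) else obj):
            yield from leaves(value)

def find_secret(obj):
    """Return the name of the first secret pattern found, else None."""
    for text in leaves(obj):
        for name, pattern in SECRET_PATTERNS.items():
            if pattern.search(text):
                return name
    return None

def deny(msg_id, reason):
    """JSON-RPC 2.0 error that answers the blocked message's id."""
    return {"jsonrpc": "2.0", "id": msg_id,
            "error": {"code": -32000, "message": "blocked: " + reason}}

def client_to_server(line):
    """Return ('forward', msg), or ('reply', error) sent back to the client."""
    msg = json.loads(line)
    params = msg.get("params") or {}
    if msg.get("method") == "tools/call" and params.get("name") in DENIED_TOOLS:
        return "reply", deny(msg.get("id"), "tool " + params["name"])
    return "forward", msg

def server_to_client(line):
    """Forward a server message unless its result carries a secret."""
    msg = json.loads(line)
    hit = find_secret(msg.get("result"))
    return deny(msg.get("id"), "secret in response: " + hit) if hit else msg
```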
ACP Integration
For IDEs that use the Agent Client Protocol (ACP), Crust can wrap any ACP agent as a transparent stdio proxy — intercepting file reads, writes, and terminal commands before the IDE executes them. No changes to the agent or IDE required.
crust wrap -- goose acp
Supports JetBrains IDEs and other ACP-compatible editors. See the ACP setup guide for step-by-step instructions.
iOS / Mobile
Crust ships as a native iOS 15+ library (CrustKit) for embedding in mobile apps. The same rule engine that protects desktop agents also protects mobile AI agents.
Three integration paths — pick one:
import CrustKit
let engine = CrustEngine()
try engine.initialize()
// ── Option 1: Local reverse proxy ──
// Best when your AI SDK doesn't use URLSession or you want explicit control.
try engine.startProxy(port: 8080, upstreamURL: "https://api.anthropic.com")
// Point your AI SDK base URL to http://127.0.0.1:8080
// ── Option 2: URLProtocol (zero-config) ──
// Best when your AI SDK uses URLSession — no base URL change needed.
CrustURLProtocol.engine = engine
let session = URLSession(configuration: .crustProtected)
// ── Option 3: Direct evaluation ──
// Best for custom integrations or manual checks.
let result = await engine.evaluateAsync(toolName: "read_contacts", arguments: [:])
print(result.matched) // true — blocked by protect-mobile-pii
// ── Content scanning (DLP for text responses & user input) ──
let scan = engine.scanContent(aiTextResponse) // secrets in AI output
let outbound = engine.scanOutbound(userMessage) // secrets in user input
let urlCheck = engine.validateURL("tel:+1234567890") // blocked URL schemes
Mobile-specific protections (7 locked rules + shared rules):
| Category | Blocked Tools | Rule |
|----------|--------------|------|
| PII | contacts, photos, calendar, location, health, camera, microphone, call log, SMS | protect-mobile-pii |
| Keychain | keychain read/write/delete | protect-os-keychains |
| Clipboard | clipboard read (writes allowed) | protect-mobile-clipboard |
| URL Schemes | tel:, sms:, facetime:, itms-services:, app-settings: | protect-mobile-url-schemes |
| Hardware | Bluetooth scan/connect, NFC read/write | protect-mobile-hardware |
| Biometric |
