
Your agents should never (try to) read your secrets.
Website • How It Works • Quick Start • Agent Setup • Protection • Plugins • Docs • Issues • Discussions
Crust is a transparent, local gateway between your AI agents and LLM providers. It intercepts every tool call — file reads, shell commands, network requests — and blocks dangerous actions before they execute. No code changes required.
100% local. Your data never leaves your machine.


Crust has five entry points — use one or combine them:
| Entry Point | Command | What It Does |
|---|---|---|
| HTTP Proxy | crust start |
Sits between your agent and the LLM API. Scans tool calls in both the request (conversation history) and response (new actions) before they execute. |
| MCP Stdio Gateway | crust wrap |
Wraps any stdio MCP server, intercepting tools/call and resources/read in both directions — including DLP scanning of server responses for leaked secrets. |
| MCP HTTP Gateway | crust wrap |
Reverse proxy for Streamable HTTP MCP servers — same rule engine, no stdio required. |
| ACP Stdio Proxy | crust wrap |
Wraps any ACP agent, intercepting file reads, writes, and terminal commands before the IDE executes them. |
| Auto-detect | crust wrap |
Inspects both MCP and ACP methods simultaneously — use when you don't know which protocol a subprocess speaks. |
All entry points apply the same evaluation pipeline — self-protection, input sanitization, Unicode normalization, obfuscation detection, DLP secret scanning, path normalization, symlink resolution, and rule matching — each step in microseconds.
All activity is logged locally to encrypted storage.
macOS / Linux / BSD:
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/BakeLens/crust/main/install.sh)"
Windows (PowerShell):
irm https://raw.githubusercontent.com/BakeLens/crust/main/install.ps1 | iex
Docker:
docker compose up -d # uses the included docker-compose.yml
# or manually:
docker build -t crust https://github.com/BakeLens/crust.git
docker run -p 9090:9090 crust
Then start the gateway:
crust start --auto
Auto mode detects your LLM provider from the model name — no endpoint URL or API key configuration needed. Your agent's existing auth is passed through.
Point your agent to Crust:
| Agent | Configuration |
|---|---|
| Claude Code | ANTHROPIC_BASE_URL=http://localhost:9090 |
| Codex CLI | OPENAI_BASE_URL=http://localhost:9090/v1 |
| Cursor | Settings → Models → Override OpenAI Base URL → http://localhost:9090/v1 |
| Cline | Settings → API Configuration → Base URL → http://localhost:9090/v1 |
| Windsurf | Settings → AI → Provider Base URL → http://localhost:9090/v1 |
| JetBrains AI | Settings → AI Assistant → Providers & API keys → Base URL → http://localhost:9090/v1 |
| Continue | Set apiBase to http://localhost:9090/v1 in config |
| Aider | OPENAI_API_BASE=http://localhost:9090/v1 |
More agents...
| Agent | Configuration |
|---|---|
| Zed | Set api_url to http://localhost:9090/v1 in settings |
| Tabby | Set api_endpoint to http://localhost:9090/v1 in config |
| avante.nvim | Set endpoint to http://localhost:9090/v1 in config |
| codecompanion.nvim | Set url to http://localhost:9090/v1 in adapter config |
| CodeGPT | Set custom provider URL to http://localhost:9090/v1 |
| OpenClaw | Set baseUrl to http://localhost:9090 in ~/.openclaw/openclaw.json |
| OpenCode | OPENAI_BASE_URL=http://localhost:9090/v1 |
| Any OpenAI-compatible agent | Set your LLM base URL to http://localhost:9090/v1 |
Crust auto-detects the provider from the model name and passes through your auth — no endpoint URL or API key configuration needed. Clients that send /api/v1/... paths (e.g. some JetBrains configurations) are also supported. For providers with non-standard base paths like OpenRouter (https://openrouter.ai/api), use --endpoint.
crust status # Check if running
crust status --agents # Detect running AI agents and protection status
crust logs -f # Follow logs
crust doctor # Diagnose provider endpoints
crust stop # Stop crust
For MCP servers, Crust intercepts tools/call and resources/read requests before they reach the server.
crust wrap -- npx -y @modelcontextprotocol/server-filesystem /path/to/dir
Works with any MCP server. See the MCP setup guide for details and examples.
For IDEs that use the Agent Client Protocol (ACP), Crust can wrap any ACP agent as a transparent stdio proxy — intercepting file reads, writes, and terminal commands before the IDE executes them. No changes to the agent or IDE required.
crust wrap -- goose acp
Supports JetBrains IDEs and other ACP-compatible editors. See the ACP setup guide for step-by-step instructions.
Crust ships as a native iOS 15+ library (CrustKit) for embedding in mobile apps. The same rule engine that protects desktop agents also protects mobile AI agents.
Three integration paths — pick one:
import CrustKit
let engine = CrustEngine()
try engine.initialize()
// ── Option 1: Local reverse proxy ──
// Best when your AI SDK doesn't use URLSession or you want explicit control.
try engine.startProxy(port: 8080, upstreamURL: "https://api.anthropic.com")
// Point your AI SDK base URL to http://127.0.0.1:8080
// ── Option 2: URLProtocol (zero-config) ──
// Best when your AI SDK uses URLSession — no base URL change needed.
CrustURLProtocol.engine = engine
let session = URLSession(configuration: .crustProtected)
// ── Option 3: Direct evaluation ──
// Best for custom integrations or manual checks.
let result = await engine.evaluateAsync(toolName: "read_contacts", arguments: [:])
print(result.matched) // true — blocked by protect-mobile-pii
// ── Content scanning (DLP for text responses & user input) ──
let scan = engine.scanContent(aiTextResponse) // secrets in AI output
let outbound = engine.scanOutbound(userMessage) // secrets in user input
let urlCheck = engine.validateURL("tel:+1234567890") // blocked URL schemes
Mobile-specific protections (7 locked rules + shared rules):
| Category | Blocked Tools | Rule |
|---|---|---|
| PII | contacts, photos, calendar, location, health, camera, microphone, call log, SMS | protect-mobile-pii |
| Keychain | keychain read/write/delete | protect-os-keychains |
| Clipboard | clipboard read (writes allowed) | protect-mobile-clipboard |
| URL Schemes | tel:, sms:, facetime:, itms-services:, app-settings: |
protect-mobile-url-schemes |
| Hardware | Bluetooth scan/connect, NFC read/write | protect-mobile-hardware |
| Biometric | Face ID, Touch ID, biometric auth | protect-mobile-biometric |
| Purchases | in-app purchases, financial transactions | protect-mobile-purchases |
| Persistence | background task scheduling | protect-persistence |
| Notifications | push/local notification sending | (user-configurable) |
| Content DLP | secrets/PII in AI text responses, user input, clipboard | DLP engine (46 patterns) |
| URL Validation | dangerous URL schemes (tel:, sms:, etc.) |
protect-mobile-url-schemes |
Installation:
# Local development — build the xcframework
./scripts/build-ios.sh
# Then add ios/CrustKit/ as a local Swift Package in Xcode
For release builds, Libcrust.xcframework.zip is attached to each GitHub release with a SHA-256 checksum for use as a remote SPM binary target.
Mobile and desktop rules are unified using virtual paths (mobile://) — the same YAML file protects both platforms. See internal/rules/builtin/security.yaml for all 30 rules.
Crust ships with 35 security rules (32 locked, 3 user-disablable) and 46 DLP token-detection patterns out of the box:
| Category | What's Protected |
|---|---|
| Credentials | .env, SSH keys, cloud creds (AWS, GCP, Azure), GPG keys |
| System Auth | /etc/passwd, /etc/shadow, sudoers |
| Shell History | .bash_history, .zsh_history, .python_history, and more |
| Browser Data | Chrome, Firefox, Safari passwords, cookies, local storage |
| Package Tokens | npm, pip, Cargo, Composer, NuGet, Gem auth tokens |
| Git Credentials | .git-credentials, .config/git/credentials |
| Persistence | Shell RC files, authorized_keys, cron/systemd/launchd, git hooks, mobile background tasks |
| Mobile | PII (contacts, photos, calendar, location, health, camera, microphone, call log, SMS), keychain, clipboard, URL schemes (tel:, sms:), Bluetooth/NFC, biometric auth, in-app purchases |
| Agent Config | .claude/settings.json, .cursor/mcp.json, .mcp.json — prevents privilege escalation |
| DLP Token Detection | Content-based scanning for real API keys and tokens (AWS, GitHub, Stripe, OpenAI, Anthropic, and 35 more) |
| Key Exfiltration | Content-based PEM private key detection |
| Crypto Wallets | BIP39 mnemonics, xprv/WIF keys (checksum-validated), wallet directories for 16 chains |
| Self-Protection | Agents cannot read, modify, or disable Crust itself |
| Dangerous Commands | eval/exec with dynamic code execution |
All rules are open source: internal/rules/builtin/security.yaml (path rules), internal/rules/dlp.go (DLP patterns), and internal/rules/dlp_crypto.go (crypto key detection)
These defenses are validated against 50 real-world CVEs affecting Cursor, GitHub Copilot, Claude Code, OpenAI Codex CLI, and other AI agents — including prompt injection, config hijacking, env var poisoning, and token exfiltration attacks.
Rules use a progressive disclosure schema — start simple, add complexity only when needed:
rules:
# One-liner: block all .env files
- block: "**/.env"
# With exceptions and specific actions
- block: "**/.ssh/*"
except: ["**/*.pub", "**/known_hosts"]
actions: [read, copy]
message: "Cannot access SSH directory"
# Advanced: regex matching on commands
- name: block-rm-rf
match:
command: "re:rm\\s+-rf\\s+/"
message: "Blocked: recursive delete from root"
crust add-rule my-rules.yaml # Rules active immediately (hot reload)
Plugins are late-stage protection layers that run after the built-in 17-step evaluation pipeline. When the engine allows a tool call, it
$ claude mcp add crust \
-- python -m otcore.mcp_server <graph>