MCPcopy Index your code
hub / github.com/BakeLens/crust

github.com/BakeLens/crust @v4.4.0

Chat with this repo
repository ↗ · DeepWiki ↗ · release v4.4.0 ↗ · + Follow
3,402 symbols 14,709 edges 361 files 2,248 documented · 66%
What it actually does AI analysis from the code graph — generated when you open this
loading…
README

Crust Banner

Crust

Your agents should never (try to) read your secrets.

WebsiteHow It WorksQuick StartAgent SetupProtectionPluginsDocsIssuesDiscussions

CI Go Report Card Release Go Version License Platform

Security Policy SAST Fuzz Tested Secret Scanning

What is Crust?

Crust is a transparent, local gateway between your AI agents and LLM providers. It intercepts every tool call — file reads, shell commands, network requests — and blocks dangerous actions before they execute. No code changes required.

100% local. Your data never leaves your machine.

Crust in action

How It Works

Crust architecture

Crust has five entry points — use one or combine them:

Entry Point Command What It Does
HTTP Proxy crust start Sits between your agent and the LLM API. Scans tool calls in both the request (conversation history) and response (new actions) before they execute.
MCP Stdio Gateway crust wrap Wraps any stdio MCP server, intercepting tools/call and resources/read in both directions — including DLP scanning of server responses for leaked secrets.
MCP HTTP Gateway crust wrap Reverse proxy for Streamable HTTP MCP servers — same rule engine, no stdio required.
ACP Stdio Proxy crust wrap Wraps any ACP agent, intercepting file reads, writes, and terminal commands before the IDE executes them.
Auto-detect crust wrap Inspects both MCP and ACP methods simultaneously — use when you don't know which protocol a subprocess speaks.

All entry points apply the same evaluation pipeline — self-protection, input sanitization, Unicode normalization, obfuscation detection, DLP secret scanning, path normalization, symlink resolution, and rule matching — each step in microseconds.

All activity is logged locally to encrypted storage.

Quick Start

macOS / Linux / BSD:

/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/BakeLens/crust/main/install.sh)"

Windows (PowerShell):

irm https://raw.githubusercontent.com/BakeLens/crust/main/install.ps1 | iex

Docker:

docker compose up -d        # uses the included docker-compose.yml
# or manually:
docker build -t crust https://github.com/BakeLens/crust.git
docker run -p 9090:9090 crust

Then start the gateway:

crust start --auto

Auto mode detects your LLM provider from the model name — no endpoint URL or API key configuration needed. Your agent's existing auth is passed through.

Agent Setup

HTTP Proxy

Point your agent to Crust:

Agent Configuration
Claude Code ANTHROPIC_BASE_URL=http://localhost:9090
Codex CLI OPENAI_BASE_URL=http://localhost:9090/v1
Cursor Settings → Models → Override OpenAI Base URL → http://localhost:9090/v1
Cline Settings → API Configuration → Base URL → http://localhost:9090/v1
Windsurf Settings → AI → Provider Base URL → http://localhost:9090/v1
JetBrains AI Settings → AI Assistant → Providers & API keys → Base URL → http://localhost:9090/v1
Continue Set apiBase to http://localhost:9090/v1 in config
Aider OPENAI_API_BASE=http://localhost:9090/v1

More agents...

Agent Configuration
Zed Set api_url to http://localhost:9090/v1 in settings
Tabby Set api_endpoint to http://localhost:9090/v1 in config
avante.nvim Set endpoint to http://localhost:9090/v1 in config
codecompanion.nvim Set url to http://localhost:9090/v1 in adapter config
CodeGPT Set custom provider URL to http://localhost:9090/v1
OpenClaw Set baseUrl to http://localhost:9090 in ~/.openclaw/openclaw.json
OpenCode OPENAI_BASE_URL=http://localhost:9090/v1
Any OpenAI-compatible agent Set your LLM base URL to http://localhost:9090/v1

Crust auto-detects the provider from the model name and passes through your auth — no endpoint URL or API key configuration needed. Clients that send /api/v1/... paths (e.g. some JetBrains configurations) are also supported. For providers with non-standard base paths like OpenRouter (https://openrouter.ai/api), use --endpoint.

crust status     # Check if running
crust status --agents  # Detect running AI agents and protection status
crust logs -f    # Follow logs
crust doctor     # Diagnose provider endpoints
crust stop       # Stop crust

MCP Gateway

For MCP servers, Crust intercepts tools/call and resources/read requests before they reach the server.

crust wrap -- npx -y @modelcontextprotocol/server-filesystem /path/to/dir

Works with any MCP server. See the MCP setup guide for details and examples.

ACP Integration

For IDEs that use the Agent Client Protocol (ACP), Crust can wrap any ACP agent as a transparent stdio proxy — intercepting file reads, writes, and terminal commands before the IDE executes them. No changes to the agent or IDE required.

crust wrap -- goose acp

Supports JetBrains IDEs and other ACP-compatible editors. See the ACP setup guide for step-by-step instructions.

iOS / Mobile

Crust ships as a native iOS 15+ library (CrustKit) for embedding in mobile apps. The same rule engine that protects desktop agents also protects mobile AI agents.

Three integration paths — pick one:

import CrustKit

let engine = CrustEngine()
try engine.initialize()

// ── Option 1: Local reverse proxy ──
// Best when your AI SDK doesn't use URLSession or you want explicit control.
try engine.startProxy(port: 8080, upstreamURL: "https://api.anthropic.com")
// Point your AI SDK base URL to http://127.0.0.1:8080

// ── Option 2: URLProtocol (zero-config) ──
// Best when your AI SDK uses URLSession — no base URL change needed.
CrustURLProtocol.engine = engine
let session = URLSession(configuration: .crustProtected)

// ── Option 3: Direct evaluation ──
// Best for custom integrations or manual checks.
let result = await engine.evaluateAsync(toolName: "read_contacts", arguments: [:])
print(result.matched)  // true — blocked by protect-mobile-pii

// ── Content scanning (DLP for text responses & user input) ──
let scan = engine.scanContent(aiTextResponse)     // secrets in AI output
let outbound = engine.scanOutbound(userMessage)    // secrets in user input
let urlCheck = engine.validateURL("tel:+1234567890") // blocked URL schemes

Mobile-specific protections (7 locked rules + shared rules):

Category Blocked Tools Rule
PII contacts, photos, calendar, location, health, camera, microphone, call log, SMS protect-mobile-pii
Keychain keychain read/write/delete protect-os-keychains
Clipboard clipboard read (writes allowed) protect-mobile-clipboard
URL Schemes tel:, sms:, facetime:, itms-services:, app-settings: protect-mobile-url-schemes
Hardware Bluetooth scan/connect, NFC read/write protect-mobile-hardware
Biometric Face ID, Touch ID, biometric auth protect-mobile-biometric
Purchases in-app purchases, financial transactions protect-mobile-purchases
Persistence background task scheduling protect-persistence
Notifications push/local notification sending (user-configurable)
Content DLP secrets/PII in AI text responses, user input, clipboard DLP engine (46 patterns)
URL Validation dangerous URL schemes (tel:, sms:, etc.) protect-mobile-url-schemes

Installation:

# Local development — build the xcframework
./scripts/build-ios.sh

# Then add ios/CrustKit/ as a local Swift Package in Xcode

For release builds, Libcrust.xcframework.zip is attached to each GitHub release with a SHA-256 checksum for use as a remote SPM binary target.

Mobile and desktop rules are unified using virtual paths (mobile://) — the same YAML file protects both platforms. See internal/rules/builtin/security.yaml for all 30 rules.

Protection

Built-in Rules

Crust ships with 35 security rules (32 locked, 3 user-disablable) and 46 DLP token-detection patterns out of the box:

Category What's Protected
Credentials .env, SSH keys, cloud creds (AWS, GCP, Azure), GPG keys
System Auth /etc/passwd, /etc/shadow, sudoers
Shell History .bash_history, .zsh_history, .python_history, and more
Browser Data Chrome, Firefox, Safari passwords, cookies, local storage
Package Tokens npm, pip, Cargo, Composer, NuGet, Gem auth tokens
Git Credentials .git-credentials, .config/git/credentials
Persistence Shell RC files, authorized_keys, cron/systemd/launchd, git hooks, mobile background tasks
Mobile PII (contacts, photos, calendar, location, health, camera, microphone, call log, SMS), keychain, clipboard, URL schemes (tel:, sms:), Bluetooth/NFC, biometric auth, in-app purchases
Agent Config .claude/settings.json, .cursor/mcp.json, .mcp.json — prevents privilege escalation
DLP Token Detection Content-based scanning for real API keys and tokens (AWS, GitHub, Stripe, OpenAI, Anthropic, and 35 more)
Key Exfiltration Content-based PEM private key detection
Crypto Wallets BIP39 mnemonics, xprv/WIF keys (checksum-validated), wallet directories for 16 chains
Self-Protection Agents cannot read, modify, or disable Crust itself
Dangerous Commands eval/exec with dynamic code execution

All rules are open source: internal/rules/builtin/security.yaml (path rules), internal/rules/dlp.go (DLP patterns), and internal/rules/dlp_crypto.go (crypto key detection)

These defenses are validated against 50 real-world CVEs affecting Cursor, GitHub Copilot, Claude Code, OpenAI Codex CLI, and other AI agents — including prompt injection, config hijacking, env var poisoning, and token exfiltration attacks.

Custom Rules

Rules use a progressive disclosure schema — start simple, add complexity only when needed:

rules:
  # One-liner: block all .env files
  - block: "**/.env"

  # With exceptions and specific actions
  - block: "**/.ssh/*"
    except: ["**/*.pub", "**/known_hosts"]
    actions: [read, copy]
    message: "Cannot access SSH directory"

  # Advanced: regex matching on commands
  - name: block-rm-rf
    match:
      command: "re:rm\\s+-rf\\s+/"
    message: "Blocked: recursive delete from root"
crust add-rule my-rules.yaml    # Rules active immediately (hot reload)

Plugins

Plugins are late-stage protection layers that run after the built-in 17-step evaluation pipeline. When the engine allows a tool call, it

Extension points exported contracts — how you extend this code

Core symbols most depended-on inside this repo

Shape

Function 2,385
Method 633
Struct 320
TypeAlias 30
Class 18
Interface 10
FuncType 6

Languages

Go97%
Python3%

Modules by API surface

internal/plugin/plugin_test.go126 symbols
internal/rules/extractor_test.go113 symbols
internal/telemetry/coverage_test.go76 symbols
internal/rules/extractor_shell.go61 symbols
internal/httpproxy/proxy_test.go55 symbols
cmd/libcrust-cgo/main.go53 symbols
internal/telemetry/storage.go51 symbols
internal/rules/engine.go47 symbols
internal/security/interceptor_test.go46 symbols
internal/rules/extractor_windows_test.go42 symbols
tests/agents/test_openclaw.py41 symbols
pkg/libcrust/libcrust_test.go39 symbols

For agents

$ claude mcp add crust \
  -- python -m otcore.mcp_server <graph>

⬇ download graph artifact

Ask about this repo answers extend the page