Crust

Your agents should never (try to) read your secrets.

Website • Quick Start • MCP • ACP • Protection • How It Works • Docs • Issues • Discussions

What is Crust?

Crust is a transparent, local gateway between your AI agents and LLM providers. It intercepts every tool call — file reads, shell commands, network requests — and blocks dangerous actions before they execute. No code changes required.

100% local. Your data never leaves your machine.

Quick Start

macOS / Linux:

/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/BakeLens/crust/main/install.sh)"

Windows (PowerShell):

irm https://raw.githubusercontent.com/BakeLens/crust/main/install.ps1 | iex

Docker:

docker compose up -d        # uses the included docker-compose.yml
# or manually:
docker build -t crust https://github.com/BakeLens/crust.git
docker run -p 9090:9090 crust

Then start the gateway:

crust start --auto

Auto mode detects your LLM provider from the model name — no endpoint URL or API key configuration needed. Your agent's existing auth is passed through.

Point your agent to Crust:

Agent	Configuration
Claude Code	ANTHROPIC_BASE_URL=http://localhost:9090
Codex CLI	OPENAI_BASE_URL=http://localhost:9090/v1
Cursor	Settings → Models → Override OpenAI Base URL → http://localhost:9090/v1
Cline	Settings → API Configuration → Base URL → http://localhost:9090/v1
Windsurf	Settings → AI → Provider Base URL → http://localhost:9090/v1
JetBrains AI	Settings → AI Assistant → Providers & API keys → Base URL → http://localhost:9090/v1
Continue	Set apiBase to http://localhost:9090/v1 in config
Aider	OPENAI_API_BASE=http://localhost:9090/v1

More agents...

Agent	Configuration
Zed	Set api_url to http://localhost:9090/v1 in settings
Tabby	Set api_endpoint to http://localhost:9090/v1 in config
avante.nvim	Set endpoint to http://localhost:9090/v1 in config
codecompanion.nvim	Set url to http://localhost:9090/v1 in adapter config
CodeGPT	Set custom provider URL to http://localhost:9090/v1
OpenClaw	Set baseUrl to http://localhost:9090 in ~/.openclaw/openclaw.json
OpenCode	OPENAI_BASE_URL=http://localhost:9090/v1
Any OpenAI-compatible agent	Set your LLM base URL to http://localhost:9090/v1

Crust auto-detects the provider from the model name and passes through your auth — no endpoint URL or API key configuration needed. Clients that send /api/v1/... paths (e.g. some JetBrains configurations) are also supported. For providers with non-standard base paths like OpenRouter (https://openrouter.ai/api), use --endpoint.

crust status     # Check if running
crust logs -f    # Follow logs
crust doctor     # Diagnose provider endpoints
crust stop       # Stop crust

MCP Gateway

For MCP servers, Crust intercepts tools/call and resources/read requests before they reach the server.

crust mcp-gateway -- npx -y @modelcontextprotocol/server-filesystem /path/to/dir

Works with any MCP server. See the MCP setup guide for details and examples.

ACP Integration

For IDEs that use the Agent Client Protocol (ACP), Crust can wrap any ACP agent as a transparent stdio proxy — intercepting file reads, writes, and terminal commands before the IDE executes them. No changes to the agent or IDE required.

crust acp-wrap -- goose acp

Supports JetBrains IDEs and other ACP-compatible editors. See the ACP setup guide for step-by-step instructions.

Built-in Protection

Crust ships with 14 security rules and 19 DLP token-detection patterns out of the box:

Category	What's Protected
Credentials	.env, SSH keys, cloud creds (AWS, GCP, Azure), GPG keys
System Auth	/etc/passwd, /etc/shadow, sudoers
Shell History	.bash_history, .zsh_history, .python_history, and more
Browser Data	Chrome, Firefox, Safari passwords, cookies, local storage
Package Tokens	npm, pip, Cargo, Composer, NuGet, Gem auth tokens
Git Credentials	.git-credentials, .config/git/credentials
Persistence	Shell RC files, authorized_keys
DLP Token Detection	Content-based scanning for real API keys and tokens (AWS, GitHub, Stripe, OpenAI, Anthropic, and 14 more)
Key Exfiltration	Content-based PEM private key detection
Self-Protection	Agents cannot read, modify, or disable Crust itself
Dangerous Commands	eval/exec with dynamic code execution

All rules are open source: internal/rules/builtin/security.yaml (path rules) and internal/rules/dlp.go (DLP patterns)

Custom Rules

Rules use a progressive disclosure schema — start simple, add complexity only when needed:

rules:
  # One-liner: block all .env files
  - block: "**/.env"

  # With exceptions and specific actions
  - block: "**/.ssh/id_*"
    except: "**/*.pub"
    actions: [read, copy]
    message: "Cannot access SSH private keys"

  # Advanced: regex matching on commands
  - name: block-rm-rf
    match:
      command: "re:rm\\s+-rf\\s+/"
    message: "Blocked: recursive delete from root"

crust add-rule my-rules.yaml    # Rules active immediately (hot reload)

How It Works

Crust inspects tool calls at multiple layers:

1. Layer 0 (Request Scan): Scans tool calls in conversation history before they reach the LLM — catches agents replaying dangerous actions.
2. Layer 1 (Response Scan): Scans tool calls in the LLM's response before they execute — blocks new dangerous actions in real-time.
3. Stdio Proxy (MCP / ACP): Wraps MCP servers or ACP agents as a stdio proxy, intercepting security-relevant JSON-RPC messages in both directions — including DLP scanning of server responses for leaked secrets.

All modes apply a 16-step evaluation pipeline — input sanitization, Unicode normalization, obfuscation detection, DLP secret scanning, path-based rules, and fallback content matching — each step in microseconds.

All activity is logged locally to encrypted storage.

Documentation

Setup

Guide	Description
Configuration	Providers, auto mode, block modes
MCP Gateway	Stdio proxy for MCP servers — Claude Desktop, custom servers
ACP Integration	Stdio proxy for ACP agents — JetBrains, VS Code
Docker	Dockerfile, docker-compose, container setup

Reference

Guide	Description
CLI Reference	Commands, flags, environment variables
How It Works	Architecture, rule engine, evaluation pipeline
Shell Parsing	Bash command parsing for path/command extraction
Migration	Upgrade guides for breaking changes

Build from Source

Requires Go 1.24+ and a C compiler (CGO is needed for SQLite).

git clone https://github.com/BakeLens/crust.git
cd crust
go build .
./crust version   # Windows: .\crust.exe version

Contributing

Crust is open-source and in active development. We welcome contributions — PRs for new security rules are especially appreciated.

• Report a bug
• Security vulnerabilities — please report privately
• Discussions

Add this badge to your project's README:

[![Protected by Crust](https://img.shields.io/badge/Protected%20by-Crust-blue)](https://github.com/BakeLens/crust)

Citation

If you use Crust in your research, please cite:

@software{crust2026,
  title = {Crust: A Transparent Gateway for AI Agent Security},
  author = {Chen, Zichen and Chen, Yuanyuan and Jiang, Bowen and Xu, Zhangchen},
  year = {2026},
  url = {https://github.com/BakeLens/crust}
}

License

Elastic License 2.0