AgentZero is a local-first runtime that evaluates policy before every tool call, redacts PII before it leaves your machine, stores secrets as encrypted handles, and produces a structured audit trail for every action an agent takes.
AI coding agents need filesystem access, shell execution, and sometimes credentials to do real work. That access is typically unconstrained — no policy, no redaction, no audit trail, no isolation between trusted instructions and untrusted content. AgentZero closes that gap.
Connect to a local model. Ask questions about your code. Read files, search patterns, run commands. Every tool call passes through policy evaluation. Dangerous operations require your explicit approval.
you> are there any leaked credentials in this repo? [tool: search] pattern="password=" … ok (890 B) [tool: search] pattern="ghp_" … ok (0 B) [tool: read] config/database.yml … ok (240 B) agentzero> Found one issue. config/database.yml line 8 has a hardcoded password. The value was redacted from this response. I recommend moving it to the vault: $ agentzero vault add postgres db-password you> run the full security audit [APPROVE shell: agentzero run repo-security-audit?] (y/yes-all/n) y Scanning 42 files… 3 findings. Report → .agentzero/audit/security-report.md
No tool call, model request, file write, or shell command executes without passing through the policy engine first. The decision is logged. The action is auditable. There is no side door.
Every request is matched against rules loaded from .agentzero/policy.yml. Capabilities are explicit: FileRead, FileWrite, ShellCommand, ModelCall, SecretHandleUsage. Unknown permissions are denied.
Session start, model calls, tool executions, policy decisions, redactions applied, approvals granted or denied. JSONL format. Optionally encrypted at rest with AES-256-GCM.
Tool output is wrapped with trust boundary markers before returning to the model. The agent knows what is trusted instruction and what is untrusted data. Prompt injection from file content does not escalate.
Shell commands and file writes require explicit user approval. The agent asks. You decide. The decision is recorded. Scopes: once, session, project, or never.
AgentZero runs as an ACP server (native protocol) or MCP server (optional). Claude Code, Cursor, Zed — any client gets policy-controlled, audited tool access without changing application code.
{
"mcpServers": {
"agentzero": {
"command": "agentzero",
"args": ["mcp"]
}
}
} read_file · list_directory · search_files · write_file · edit_file · run_command · generate_tool
Path validation blocks traversal outside the project root. Sensitive paths (.ssh, .env, .aws/credentials, .agentzero/) are denied. Every call emits a structured audit event with the decision, capability, and context.
Security is not a feature that can be toggled. These invariants are structural — enforced in the type system, the policy engine, and the execution contracts.
Unknown permissions denied. Unknown data classifications fail closed. The agent proves access before acting.
Models see handle://vault/github/token. Never raw values. Exposed only at execution time, only after policy approval.
Content scanned before remote model calls. Emails, tokens, keys replaced with typed placeholders. Automatic, not optional.
AES-256-GCM with Argon2id key derivation. Vault, sessions, audit logs. Per-line encryption so logs stay appendable.
Ollama, llama.cpp, vLLM, LM Studio, Anthropic Claude. Try local first, fall back with redaction. Retry with exponential backoff on transient failures.
The agent can generate new WASM tools on the fly via generate_tool. Template-based codegen, per-project versioning, and directory-based tool registries.
Extend AgentZero with WASM plugins. Full host import API (az::read_file, az::write_file, az::log). Path-validated, time-limited, memory-capped. The Brain plugin ships as the first example — a personal LLM wiki with daily notes, capture, query, and review.
Long conversations auto-summarize older messages. System prompt and recent context preserved. No context overflow, no lost instructions.
13 Rust crates. Each one has a single responsibility. The facade crate re-exports everything under a clean namespace. The CLI is one of many possible frontends — the MCP server, ACP adapter, and session engine all use the same policy and audit contracts.
Types, crypto, vault, trust labels, redaction, model routing. The shared vocabulary.
Rule-based engine with TOML loader. Deny by default. First matching rule wins.
Session engine, providers, tool executor, router, retry logic, context compaction.
JSONL file sink, encrypted sink, in-memory sink. Every event is structured and replayable.
MCP server. JSON-RPC 2.0 over stdio. Five tools with full policy enforcement.
Manifests, security scanner, report generator, skill registry with lockfile tracking.
Open source. MIT licensed. 6 MB binary. Built in Rust for developers who work with private code and can't afford to leak.