Skip to content
AgentZero

Introduction

AgentZero

Section titled “AgentZero”

AgentZero is the secure operating layer for AI agents. It lets local AI agents work with private files, code, tools, and secrets without bypassing policy, redaction, audit, or runtime isolation.

The Problem

Section titled “The Problem”

AI coding agents are powerful but risky. They need access to your filesystem, shell, and credentials to be useful — but that access is typically unconstrained:

  • No policy governing what the agent can do
  • No redaction before data leaves your machine
  • No audit trail of what happened
  • Secrets exposed in prompts and logs
  • No isolation between trusted and untrusted content

The Solution

Section titled “The Solution”

AgentZero wraps every tool call in a security layer:

User → Model → Tool Request → Policy Check → Audit Event → Execution
                                    
                              Deny / Approve / Redact

Every action passes through policy evaluation before execution. Every action emits an auditable event. Secrets are handles, not values. PII is redacted before remote calls.

Core Principles

Section titled “Core Principles”
  • Safety is the product — not a feature bolted on later
  • Deny by default — unknown permissions are denied
  • Local first — all inference local unless policy allows remote
  • Secrets are handles — models never see raw values
  • Content is labeled — tool output marked as untrusted
  • Everything is auditable — structured event log for every action

What You Can Do

Section titled “What You Can Do”
  • Chat with local LLMs (Ollama, llama.cpp, vLLM, LM Studio) or remote providers (Anthropic Claude)
  • Use tools (read, list, search, write, edit, shell, generate_tool) with policy enforcement
  • Edit files with surgical search-and-replace
  • Run single-shot queries with JSON output for scripting
  • Generate editor configs for VS Code, Cursor, Zed
  • Run security scanners with configurable pattern files
  • Generate new WASM tools on the fly via the self-improving agent loop
  • Expose tools via ACP (native protocol) or MCP (optional, --features mcp)
  • Encrypt sessions and audit logs at rest
  • Manage secrets in an encrypted vault
  • Install and share skills via git
  • Extend functionality with WASM plugins (az plugin install)
  • Manage a personal knowledge vault with Brain (az brain init)
  • Bootstrap your environment with az bootstrap (detects platform, probes backends, generates config)
  • Connect messaging gateways (Slack) for multi-channel agent access
  • Hibernate sessions with --hibernate-after and resume from full checkpoints
  • Add custom LLM providers via models.json without code changes