Crust: A Microsecond-Latency Security Layer for AI Agents That Runs Entirely On Your Machine
Hook
Your AI coding assistant has root access and internet connectivity. It takes exactly one prompt injection for it to exfiltrate your AWS credentials or rm -rf your production database. Crust blocks these threats in microseconds before they execute.
Context
AI agents have evolved from simple chatbots to autonomous systems that write code, execute commands, and interact with external APIs. Tools like GitHub Copilot, Cursor, and AutoGPT have become indispensable development companions. But this power comes with terrifying attack surface: a malicious prompt hidden in a README could instruct your agent to scan for secrets and POST them to an attacker-controlled endpoint. Traditional security tools aren't built for this threat model—API gateways don't understand LLM-specific attacks, and cloud-based LLM firewalls require sending your data to third parties.
Crust emerged from this gap as local-first security infrastructure specifically designed for agentic workflows. Rather than building yet another cloud service or requiring agents to adopt new SDKs, the BakeLens team created a transparent interception layer that sits between AI agents and everything they touch—LLM APIs, file systems, and external tools. The architecture supports three critical integration points: HTTP proxy mode for intercepting OpenAI/Anthropic API calls, Model Context Protocol (MCP) gateway mode for securing server interactions, and Agent Client Protocol (ACP) proxy mode for stdio-based agents. Every request flows through a unified evaluation pipeline that performs pattern matching, secret scanning, path validation, and Unicode normalization—all executing locally in microseconds with zero external dependencies.
Technical Insight
The genius of Crust's architecture lies in its multi-entry-point design that funnels disparate protocols through a single evaluation pipeline. When you start Crust in HTTP proxy mode, it spins up a local server that intercepts LLM API requests. The provider detection system automatically identifies whether you're calling OpenAI, Anthropic, or another service by parsing the model name from the request payload—no configuration files required. Your existing API keys pass through untouched, so agents work exactly as before.
Here's what a typical integration looks like for an agent using the OpenAI SDK:
# Before: Direct API calls
client = OpenAI(api_key=os.environ["OPENAI_API_KEY"])
# After: Route through Crust proxy (one line change)
client = OpenAI(
api_key=os.environ["OPENAI_API_KEY"],
base_url="http://localhost:8080/v1" # Crust proxy endpoint
)
# Agent code remains identical
response = client.chat.completions.create(
model="gpt-4",
messages=[{"role": "user", "content": prompt}]
)
Under the hood, Crust's evaluation pipeline runs a gauntlet of security checks. The self-protection layer prevents agents from disabling Crust itself or tampering with its configuration. Input sanitization strips ANSI escape codes and other injection vectors. Unicode normalization prevents homoglyph attacks where visually identical characters bypass pattern matching (е vs e). The DLP scanner uses regex patterns and entropy analysis to detect AWS keys, GitHub tokens, and other secrets before they reach the LLM or get written to logs.
The path normalization component is particularly clever for securing file system operations. When an agent attempts to read or write files, Crust resolves symlinks and normalizes paths before checking them against allowlists and denylists. This prevents directory traversal attacks where an agent might try to access /etc/passwd via ../../../../etc/passwd or through symlink manipulation. The rule engine then applies user-defined policies—block all writes outside the project directory, prevent network calls to non-whitelisted domains, deny execution of shell commands containing dangerous flags.
For Model Context Protocol servers, Crust operates as a gateway that wraps stdio or HTTP-based MCP servers. MCP allows agents to interact with external tools through a standardized interface—think database queries, API calls, or code execution. By intercepting these interactions, Crust validates tool calls before they execute:
// Simplified example of MCP tool call validation
func (e *Evaluator) ValidateMCPToolCall(call ToolCall) error {
// Check if tool is in allowed list
if !e.isToolAllowed(call.Name) {
return fmt.Errorf("tool %s not in allowlist", call.Name)
}
// Validate arguments against rules
for key, value := range call.Arguments {
if e.containsSecrets(value) {
return fmt.Errorf("potential secret in argument %s", key)
}
if e.matchesDenyPattern(value) {
return fmt.Errorf("argument matches deny pattern")
}
}
return nil
}
The performance characteristics matter enormously here. Since Crust sits in the critical path of every agent action, even millisecond delays compound into frustrating lag. The team built the entire pipeline in Go for its concurrency primitives and low-latency characteristics. All checks run in parallel where possible, and the pattern matching engine uses compiled regex for maximum throughput. Fuzz testing across 46 targets ensures that pathological inputs don't cause denial-of-service through regex backtracking or infinite loops.
Logging happens locally with encryption at rest, creating an immutable audit trail without data leaving your machine. Every blocked action, every secret detected, every policy violation gets recorded with full context—the prompt that triggered it, the agent's identity, the timestamp. This is critical for compliance requirements and post-incident forensics, but the privacy guarantee means you can deploy Crust for sensitive codebases without worrying about telemetry leaking proprietary information.
Gotcha
The Elastic License 2.0 is the first hurdle—despite 'Open Source' branding, it prohibits offering Crust as a managed service, creating legal uncertainty for platform builders. The bigger limitation is pattern-based detection: Crust catches known threats (regex for secrets, path traversal signatures) brilliantly but struggles with novel prompt injections that use encoding, semantic obfuscation, or multi-turn attacks. Sophisticated adversaries can craft payloads that LLMs understand but regex engines don't. Dynamic analysis would help, but it would sacrifice the microsecond-latency promise.
Deployment friction hits agents without configuration hooks. SDK-based agents where you control base URLs work perfectly, but hardcoded endpoints or closed-source binaries require LD_PRELOAD hacks, iptables rules, or container wrapping—far from the advertised 'one command' setup. The project also assumes you're comfortable with Go tooling and can debug proxy issues when agents misbehave. If your team lacks systems programming experience, troubleshooting why MCP stdio interception fails becomes painful quickly.
Verdict
Use if: You're deploying AI coding assistants or autonomous agents in environments with sensitive credentials, compliance requirements, or security audits where you need immutable local logs and real-time blocking without data exfiltration. The zero-config provider detection and multi-protocol support make it ideal for teams wanting 'security by default' across heterogeneous agent tooling. It shines for SDK-based agents (OpenAI, Anthropic wrappers) in regulated industries where cloud-based LLM firewalls aren't acceptable. Skip if: You're working in already-sandboxed environments (containers with strict capabilities), using closed-source agents without base URL configuration, or need ML-based detection for sophisticated prompt injection beyond pattern matching. Also reconsider if the Elastic License 2.0 conflicts with your plans to offer agents as a service, or if your threat model demands guarantees beyond regex-based rules. For those cases, invest in purpose-built sandboxing (gVisor, Firecracker) or accept the data privacy tradeoff of cloud-based LLM security platforms with behavioral analysis.
