🛡️ zn

The Zero Trust Layer for AI Agents.

zn is a high-performance, transparent security proxy for AI agents. It intercepts tool calls (MCP), scrubs sensitive data, assesses tool risk, and enforces cryptographically signed, state-aware WASM security policies in real-time.

---

🔥 Key Features

🛡️ Programmable Security (WASM)

Define your security rules in Rust and compile them to WebAssembly. logic is executed in a secure sandbox with nanosecond latency.

• Hot Reloading: Update policies without restarting the proxy.
• Stateful Logic: Policies can remember past actions (e.g., "Allow delete_file ONLY if backup_file was called first").

🏢 Enterprise Multi-Tenancy

Built for SaaS and large organizations.

• Namespaces: Isolate traffic between teams (@dev, @prod) or customers.
• Role-Based Access: Standard RBAC (SuperAdmin, Admin, User, Viewer).
• Data Sovereignty: Audit logs are strictly partitioned by tenant.

🧠 Advanced Attack Protection

Blocks sophisticated attacks before they reach your infrastructure:

• SQL Injection Guard: Detects SQLi patterns in tool arguments.
• Prompt Injection: Analyzing context to prevent jailbreaks.
• Shodan Canary: Identifies and blocks reconnaissance scanners.
• NoSQL Injection: Prevents MongoDB/NoSQL payload attacks.

👁️ Real-Time Observability

• Live Dashboard: Watch agent activity as it happens via Server-Sent Events (SSE).
• Audit Vault: AES-256-GCM encrypted local storage for compliance.
• SIEM Export: Stream logs to Splunk, Datadog or Elastic.

---

🚀 Quick Start (Enterprise Docker)

The recommended way to deploy zn for production is using the Enterprise Stack (Backend + Dashboard + WASM).

1. Clone the repository:

   git clone https://github.com/netsim-labs/zn.git
   cd zn

2. Configure Environment: Create a .env file (or use default variables):

   ZN_API_KEY=my_secure_super_admin_key

3. Launch Stack:

   docker-compose -f docker-compose.prod.yml up -d --build

4. Access Dashboard: Open http://localhost in your browser. Login with your ZN_API_KEY.

---

🏗️ Manual Installation (Dev)

Prerequisites

• Rust 1.75+
• Node.js 18+
• SQLite3

1. Build & Run Backend

# Compile WASM Policies
cd policies
cargo build --target wasm32-unknown-unknown --release
# Copy to bin directory
mkdir -p ../policies_bin
cp target/wasm32-unknown-unknown/release/policies.wasm ../policies_bin/base_security.wasm

# Run Proxy
cd ..
cargo run --bin zn -- start

2. Run Dashboard

cd web
npm install
npm run dev

---

📚 Usage Guide

Connecting an AI Agent

zn acts as a transparent proxy. Configure your agent to use the zn URL instead of the direct MCP server.

Example (Claude Code / OpenCode):

your-agent-cli --proxy-url "http://localhost:9090?api_key=YOUR_TENANT_KEY"

Managing Tenants

1. Go to Dashboard > Tenants.
2. Click + New Tenant.
3. Copy the generated API Key.
4. Use this key in your agent's configuration. Traffic will now be isolated to this tenant's namespace.

---

📐 Architecture

graph TD
    Agent["🤖 AI Agent"] -->|"1. JSON-RPC (HTTP/WS)"| Proxy["🛡️ zn Proxy"]
    
    subgraph Core["zn Core"]
        Proxy -->|"2. Auth & RBAC"| Auth["🔑 Tenant Manager"]
        Proxy -->|"3. Guardrails"| Guards["🧠 SQL/Prompt Guards"]
        Proxy -->|"4. Policy Engine"| WASM["📦 WASM Sandbox"]
        WASM -->|"5. State Check"| DB["💾 SQLite Audit Vault"]
    end
    
    WASM -- DENY --> Proxy
    WASM -- ALLOW --> MCP["🔌 Upstream Tool"]
    
    Proxy --"6. Stream Event"--> Dash["🖥️ Live Dashboard"]
    Proxy --"7. Response"--> Agent

Loading

---

🤝 Contributing

We welcome contributions! Please check CONTRIBUTING.md (coming soon) for details on how to submit Pull Requests.

---

🏗️ Built by Netsim Labs

“Building the infrastructure for a safe, agentic world.”

usezn.com | x.com/use_zn | x.com/netsimlabs