Skip to content

netsim-labs/zn

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

2 Commits
 
 
 
 

Repository files navigation

zn Logo

🛡️ zn

License: MIT Rust WASM Svelte Docker

The Zero Trust Layer for AI Agents.

zn is a high-performance, transparent security proxy for AI agents. It intercepts tool calls (MCP), scrubs sensitive data, assesses tool risk, and enforces cryptographically signed, state-aware WASM security policies in real-time.


🔥 Key Features

🛡️ Programmable Security (WASM)

Define your security rules in Rust and compile them to WebAssembly. logic is executed in a secure sandbox with nanosecond latency.

  • Hot Reloading: Update policies without restarting the proxy.
  • Stateful Logic: Policies can remember past actions (e.g., "Allow delete_file ONLY if backup_file was called first").

🏢 Enterprise Multi-Tenancy

Built for SaaS and large organizations.

  • Namespaces: Isolate traffic between teams (@dev, @prod) or customers.
  • Role-Based Access: Standard RBAC (SuperAdmin, Admin, User, Viewer).
  • Data Sovereignty: Audit logs are strictly partitioned by tenant.

🧠 Advanced Attack Protection

Blocks sophisticated attacks before they reach your infrastructure:

  • SQL Injection Guard: Detects SQLi patterns in tool arguments.
  • Prompt Injection: Analyzing context to prevent jailbreaks.
  • Shodan Canary: Identifies and blocks reconnaissance scanners.
  • NoSQL Injection: Prevents MongoDB/NoSQL payload attacks.

👁️ Real-Time Observability

  • Live Dashboard: Watch agent activity as it happens via Server-Sent Events (SSE).
  • Audit Vault: AES-256-GCM encrypted local storage for compliance.
  • SIEM Export: Stream logs to Splunk, Datadog or Elastic.

🚀 Quick Start (Enterprise Docker)

The recommended way to deploy zn for production is using the Enterprise Stack (Backend + Dashboard + WASM).

  1. Clone the repository:

    git clone https://github.com/netsim-labs/zn.git
    cd zn
  2. Configure Environment: Create a .env file (or use default variables):

    ZN_API_KEY=my_secure_super_admin_key
  3. Launch Stack:

    docker-compose -f docker-compose.prod.yml up -d --build
  4. Access Dashboard: Open http://localhost in your browser. Login with your ZN_API_KEY.


🏗️ Manual Installation (Dev)

Prerequisites

  • Rust 1.75+
  • Node.js 18+
  • SQLite3

1. Build & Run Backend

# Compile WASM Policies
cd policies
cargo build --target wasm32-unknown-unknown --release
# Copy to bin directory
mkdir -p ../policies_bin
cp target/wasm32-unknown-unknown/release/policies.wasm ../policies_bin/base_security.wasm

# Run Proxy
cd ..
cargo run --bin zn -- start

2. Run Dashboard

cd web
npm install
npm run dev

📚 Usage Guide

Connecting an AI Agent

zn acts as a transparent proxy. Configure your agent to use the zn URL instead of the direct MCP server.

Example (Claude Code / OpenCode):

your-agent-cli --proxy-url "http://localhost:9090?api_key=YOUR_TENANT_KEY"

Managing Tenants

  1. Go to Dashboard > Tenants.
  2. Click + New Tenant.
  3. Copy the generated API Key.
  4. Use this key in your agent's configuration. Traffic will now be isolated to this tenant's namespace.

📐 Architecture

graph TD
    Agent["🤖 AI Agent"] -->|"1. JSON-RPC (HTTP/WS)"| Proxy["🛡️ zn Proxy"]
    
    subgraph Core["zn Core"]
        Proxy -->|"2. Auth & RBAC"| Auth["🔑 Tenant Manager"]
        Proxy -->|"3. Guardrails"| Guards["🧠 SQL/Prompt Guards"]
        Proxy -->|"4. Policy Engine"| WASM["📦 WASM Sandbox"]
        WASM -->|"5. State Check"| DB["💾 SQLite Audit Vault"]
    end
    
    WASM -- DENY --> Proxy
    WASM -- ALLOW --> MCP["🔌 Upstream Tool"]
    
    Proxy --"6. Stream Event"--> Dash["🖥️ Live Dashboard"]
    Proxy --"7. Response"--> Agent
Loading

🤝 Contributing

We welcome contributions! Please check CONTRIBUTING.md (coming soon) for details on how to submit Pull Requests.


🏗️ Built by Netsim Labs

“Building the infrastructure for a safe, agentic world.”

usezn.com | x.com/use_zn | x.com/netsimlabs

About

Zero Trust Layer for AI Agents

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

 
 
 

Contributors