Provider-agnostic. Bring your own model, keep your own privacy.
The Privateer CLI reads, writes, and runs code across your projects — with a safe-by-default permission gate, attested TEE inference, an on-device PII gate, MCP servers, sub-agents, scheduled routines, and control from iOS, Android, or the web.
MIT licensed · Node 22+ · macOS & Linux · built on the open Pi agent toolkit
Describe the change and the agent does the work — reading files, editing
code, running your tests — with every action classified and gated behind
your approval before it runs. Launch it in any project with
privateer,
or try it instantly with npx privateer-agent.
Built for developers
Every major provider, one command to switch — OpenRouter and the frontier
labs, fast open-model clouds, TEE and zero-retention inference, local
Ollama, or any OpenAI-compatible endpoint. Tool-calling and streaming
work identically across every provider — no model lock-in, no separate
code paths. One key is enough; or skip keys entirely and
/signin
to bill your Privateer account.
Bring your own key
Privateer is built on the open Pi agent toolkit, so the whole Pi package ecosystem plugs in — MCP servers, parallel sub-agents, on-device context compression, private-by-default web search. The part that matters: Privateer's permission gate intercepts every tool any package registers, so anything you add is safe-by-default — and destructive shell commands are blocked even in unattended runs.
One gate over everything
Say what you want done and when — "summarize world news every morning" — approve it once, and a background daemon runs it unattended, recurring or one-off. The agent can even schedule its own follow-up work. Runs get a safe read/web toolset by default; any extra tool grants are flagged at approval. Results deliver to a file, the next session, your phone, or straight to Slack or Discord through named webhooks — with secrets redacted before anything leaves.
Link a terminal to the Privateer app with
/remote-access on
(off by default) and drive it from any device — iOS, Android, or the
web app: send prompts, watch the agent work, and Allow or Deny every
action it wants to take. Execution never leaves your machine.
The stream exists only while you watch — nothing is archived, and no keys ever cross the relay. Terminals get a random tag, not your username or hostname.
A remote-driven turn relays each would-be tool action to the app for Allow / Deny. The permission model is the same one you use at the keyboard.
Output is size-truncated and run through a best-effort secret redactor (PEM keys, bearer tokens, API keys) before it leaves — a safety net, not a guarantee.
A model has to read your prompt to answer it — anyone who tells you
otherwise is overclaiming. So the guarantee isn't "nobody sees it";
it's "nobody retains it" — and you can check.
Your conversation history stays as files on your own disk under
~/.privateer/.
The shield is green, yellow, or red for the model you're on — before you send anything — and it's graded honestly: a cryptographic proof never reads like a policy promise. Opt-in ZDR enforcement pins OpenRouter routing to zero-retention endpoints; Venice and Fireworks run zero-retention by default.
NEAR AI and Tinfoil run models inside Trusted Execution Environments — TLS terminates inside the enclave. /verify fetches a live cryptographic attestation: nonce-fresh reports on NEAR, TLS-key-bound reports on Tinfoil.
Before a prompt reaches an unverified model, Privateer scans it locally for structured personal data — emails, phones, SSNs, cards, IBANs, IPs — and offers to redact or hold it. Detection never leaves your machine, and it's skipped on an attested channel that can't read your data anyway.
With /signin, the server proxies your prompts; it does not store them. Only billing metadata — model, token counts, cost — is written, never prompt or response text.
Straight answers to what developers actually ask.
No. Run /signin to bill inference to your Privateer account — approve a short code in the Privateer app and there's no key to manage. Or bring your own key (BYOK) for any major provider: OpenRouter, Anthropic, OpenAI, Google, xAI, Groq, Mistral, Z.ai, DeepSeek, Together, MiniMax, Qwen, NEAR AI, Tinfoil, Venice, Fireworks, or any custom OpenAI-compatible endpoint. With a local Ollama install you don't need a key at all.
You use your own provider credentials. Set an environment variable (OPENROUTER_API_KEY, ANTHROPIC_API_KEY, OPENAI_API_KEY, GROQ_API_KEY, NEAR_AI_API_KEY, TINFOIL_API_KEY, …) — one provider is enough to start. Switch providers and models anytime with /model, specified as provider/model (for example openrouter/anthropic/claude-opus-4.8).
Yes. It's an MCP client: local stdio servers and remote HTTP servers, with interactive OAuth for the remote servers that need it. Every MCP tool goes through the same safe-by-default permission gate as the built-in tools.
Yes — it's built on the open Pi agent toolkit, so the whole Pi package ecosystem composes in: MCP servers, parallel sub-agents, context compression, and private-by-default web search. The key point is that Privateer's permission gate intercepts every tool any package registers, so anything you add is gated the same way — destructive shell commands stay blocked even in unattended runs.
Yes — MIT licensed, on GitHub and on npm as privateer-agent.
Yes. Point it at a local Ollama install (OLLAMA_BASE_URL) and inference runs on your own machine with no API key. Cloud providers are one /model switch away when you need bigger models.
Saved tasks a background daemon runs unattended, on a cron schedule or one-off. You ask the agent to schedule the work and approve it once; the agent can even schedule its own follow-up runs. Results deliver to a file, the next session, your phone, email, or a webhook (Slack/Discord), with secrets redacted before anything leaves the machine.
Yes. Before a prompt goes to a channel that isn't verified-private, an on-device PII gate scans it locally for structured personal data — emails, phone numbers, SSNs, credit-card numbers, IBANs, IP and MAC addresses — and offers to redact or hold it. Detection is deterministic and never leaves your machine, and it's skipped on an attested TEE or on-device channel that provably can't read your prompt anyway. It's best-effort structured-PII detection, labeled as such.
Turn on /remote-access (off by default) and link the terminal to the Privateer app on iOS, Android, or the web. You can send prompts from any of them, and every action the agent wants to take is relayed to the app for Allow or Deny. Execution stays on your machine, the relay is live-only (nothing archived), output is size-truncated and run through a best-effort secret redactor, and no keys ever cross the relay.
The guarantee is retention, stated honestly: providers have to read a prompt to run inference, so the promise isn't "nobody sees it" — it's "nobody retains it". A ⛉ shield shows the selected model's live posture, graded so a verified proof never reads like a policy promise. NEAR AI and Tinfoil run models inside attested Trusted Execution Environments (fetch the cryptographic attestation with /verify), the on-device PII gate warns before structured personal data leaves for an unverified model, and the billed-account path proxies prompts without storing them — only billing metadata is kept. Your conversation history stays as files on your own disk under ~/.privateer.
macOS and Linux — it runs anywhere Node.js 22+ runs. Install with curl -fsSL https://privateer.pro/install.sh | sh, or try it instantly with npx privateer-agent.
One command and the agent is in your terminal.