A Private AI Coding Agent for Your Terminal

Provider-agnostic. Bring your own model, keep your own privacy.

The Privateer CLI reads, writes, and runs code across your projects — with a safe-by-default permission gate, attested TEE inference, an on-device PII gate, MCP servers, sub-agents, scheduled routines, and control from iOS, Android, or the web.

curl -fsSL https://privateer.pro/install.sh | sh
# or run it instantly, nothing installed:
npx privateer-agent

MIT licensed · Node 22+ · macOS & Linux · built on the open Pi agent toolkit

Your Projects, One Prompt Away

Describe the change and the agent does the work — reading files, editing code, running your tests — with every action classified and gated behind your approval before it runs. Launch it in any project with privateer, or try it instantly with npx privateer-agent.

privateer
> add rate limiting to the API
reading server/routes/api.js
edit server/middleware/rateLimit.js — approve? yes
tests: 12 passing
mcp: github postgres · sub-agent: audit
approved from the app · next routine: nightly-audit 02:00

Built for developers

Safe-by-default gate BYO model — every major provider Attested TEE inference On-device PII gate MCP & sub-agents Scheduled routines Drive it from iOS, Android & web

Any Model. Your Key — or No Key.

Every major provider, one command to switch — OpenRouter and the frontier labs, fast open-model clouds, TEE and zero-retention inference, local Ollama, or any OpenAI-compatible endpoint. Tool-calling and streaming work identically across every provider — no model lock-in, no separate code paths. One key is enough; or skip keys entirely and /signin to bill your Privateer account.

# one key is enough — pick a provider
export OPENROUTER_API_KEY=sk-or-... # gateway to ~everything
export TINFOIL_API_KEY=... # private, attested TEE inference
export OLLAMA_BASE_URL=http://localhost:11434/v1 # local, no key
# launch, then switch models anytime with /model
privateer
> /model openrouter/anthropic/claude-opus-4.8

Bring your own key

OpenRouter Anthropic OpenAI Google xAI Groq Mistral Z.ai DeepSeek Together MiniMax Qwen Ollama — local NEAR AI — TEE Tinfoil — TEE Venice — ZDR Fireworks — ZDR Custom endpoint …or /signin, no key at all

Composable by Design

Privateer is built on the open Pi agent toolkit, so the whole Pi package ecosystem plugs in — MCP servers, parallel sub-agents, on-device context compression, private-by-default web search. The part that matters: Privateer's permission gate intercepts every tool any package registers, so anything you add is safe-by-default — and destructive shell commands are blocked even in unattended runs.

# connect your tools over MCP — .privateer/mcp.json
{
  "mcpServers": {
    "github": { "command": "npx", "args": ["-y", "@modelcontextprotocol/server-github"] },
    "internal": { "url": "https://mcp.internal.example/mcp" }
  }
}
# local stdio + remote HTTP (interactive OAuth) — every tool gated

One gate over everything

MCP servers Parallel sub-agents Context compression Private web search Any Pi package — automatically gated

Routines That Run While You Sleep

Say what you want done and when — "summarize world news every morning" — approve it once, and a background daemon runs it unattended, recurring or one-off. The agent can even schedule its own follow-up work. Runs get a safe read/web toolset by default; any extra tool grants are flagged at approval. Results deliver to a file, the next session, your phone, or straight to Slack or Discord through named webhooks — with secrets redacted before anything leaves.

privateer
> summarize world news each morning and post it to Slack
create routine "morning-news" · 0 7 * * * → webhook:eng-slack
approve? yes — scheduled, runs unattended
# the daemon runs it every day; results post to Slack, secrets redacted

Control It from iOS, Android, or the Web

Link a terminal to the Privateer app with /remote-access on (off by default) and drive it from any device — iOS, Android, or the web app: send prompts, watch the agent work, and Allow or Deny every action it wants to take. Execution never leaves your machine.

Live-only relay

The stream exists only while you watch — nothing is archived, and no keys ever cross the relay. Terminals get a random tag, not your username or hostname.

Every action gated

A remote-driven turn relays each would-be tool action to the app for Allow / Deny. The permission model is the same one you use at the keyboard.

Redacted by default

Output is size-truncated and run through a best-effort secret redactor (PEM keys, bearer tokens, API keys) before it leaves — a safety net, not a guarantee.

Privacy, Stated Honestly

A model has to read your prompt to answer it — anyone who tells you otherwise is overclaiming. So the guarantee isn't "nobody sees it"; it's "nobody retains it" — and you can check. Your conversation history stays as files on your own disk under ~/.privateer/.

# the status bar wears the selected model's privacy posture — live, graded honestly
⛉ ZDR? · ⚓ privateer · openrouter/anthropic/claude-opus-4.8
> email jane@acme.com about invoice 555-123-4567
▸ ⚠ 1 email, 1 phone detected — unverified channel · Redact / Send?
# switch to an attested enclave — the PII gate is then safely skipped
> /model tinfoil/deepseek-v4-pro
> /verify
Tinfoil TEE attestation — inference.tinfoil.sh
✓ Verified — TLS terminates inside a genuine TEE
⛉ TEE · ⚓ privateer · tinfoil/deepseek-v4-pro

⛉ Honest privacy shield

The shield is green, yellow, or red for the model you're on — before you send anything — and it's graded honestly: a cryptographic proof never reads like a policy promise. Opt-in ZDR enforcement pins OpenRouter routing to zero-retention endpoints; Venice and Fireworks run zero-retention by default.

⛉ Attested TEE inference

NEAR AI and Tinfoil run models inside Trusted Execution Environments — TLS terminates inside the enclave. /verify fetches a live cryptographic attestation: nonce-fresh reports on NEAR, TLS-key-bound reports on Tinfoil.

On-device PII gate

Before a prompt reaches an unverified model, Privateer scans it locally for structured personal data — emails, phones, SSNs, cards, IBANs, IPs — and offers to redact or hold it. Detection never leaves your machine, and it's skipped on an attested channel that can't read your data anyway.

Account mode: proxy, not storage

With /signin, the server proxies your prompts; it does not store them. Only billing metadata — model, token counts, cost — is written, never prompt or response text.

Questions, Answered

Straight answers to what developers actually ask.

Do I need an API key?

No. Run /signin to bill inference to your Privateer account — approve a short code in the Privateer app and there's no key to manage. Or bring your own key (BYOK) for any major provider: OpenRouter, Anthropic, OpenAI, Google, xAI, Groq, Mistral, Z.ai, DeepSeek, Together, MiniMax, Qwen, NEAR AI, Tinfoil, Venice, Fireworks, or any custom OpenAI-compatible endpoint. With a local Ollama install you don't need a key at all.

What does BYOK mean?

You use your own provider credentials. Set an environment variable (OPENROUTER_API_KEY, ANTHROPIC_API_KEY, OPENAI_API_KEY, GROQ_API_KEY, NEAR_AI_API_KEY, TINFOIL_API_KEY, …) — one provider is enough to start. Switch providers and models anytime with /model, specified as provider/model (for example openrouter/anthropic/claude-opus-4.8).

Does it support MCP?

Yes. It's an MCP client: local stdio servers and remote HTTP servers, with interactive OAuth for the remote servers that need it. Every MCP tool goes through the same safe-by-default permission gate as the built-in tools.

Can I extend it with more tools?

Yes — it's built on the open Pi agent toolkit, so the whole Pi package ecosystem composes in: MCP servers, parallel sub-agents, context compression, and private-by-default web search. The key point is that Privateer's permission gate intercepts every tool any package registers, so anything you add is gated the same way — destructive shell commands stay blocked even in unattended runs.

Is it open source?

Yes — MIT licensed, on GitHub and on npm as privateer-agent.

Can it run models locally?

Yes. Point it at a local Ollama install (OLLAMA_BASE_URL) and inference runs on your own machine with no API key. Cloud providers are one /model switch away when you need bigger models.

What are routines?

Saved tasks a background daemon runs unattended, on a cron schedule or one-off. You ask the agent to schedule the work and approve it once; the agent can even schedule its own follow-up runs. Results deliver to a file, the next session, your phone, email, or a webhook (Slack/Discord), with secrets redacted before anything leaves the machine.

Does it protect personal data before it's sent?

Yes. Before a prompt goes to a channel that isn't verified-private, an on-device PII gate scans it locally for structured personal data — emails, phone numbers, SSNs, credit-card numbers, IBANs, IP and MAC addresses — and offers to redact or hold it. Detection is deterministic and never leaves your machine, and it's skipped on an attested TEE or on-device channel that provably can't read your prompt anyway. It's best-effort structured-PII detection, labeled as such.

How does controlling the CLI from another device work?

Turn on /remote-access (off by default) and link the terminal to the Privateer app on iOS, Android, or the web. You can send prompts from any of them, and every action the agent wants to take is relayed to the app for Allow or Deny. Execution stays on your machine, the relay is live-only (nothing archived), output is size-truncated and run through a best-effort secret redactor, and no keys ever cross the relay.

How private is it, really?

The guarantee is retention, stated honestly: providers have to read a prompt to run inference, so the promise isn't "nobody sees it" — it's "nobody retains it". A shield shows the selected model's live posture, graded so a verified proof never reads like a policy promise. NEAR AI and Tinfoil run models inside attested Trusted Execution Environments (fetch the cryptographic attestation with /verify), the on-device PII gate warns before structured personal data leaves for an unverified model, and the billed-account path proxies prompts without storing them — only billing metadata is kept. Your conversation history stays as files on your own disk under ~/.privateer.

What platforms does it run on?

macOS and Linux — it runs anywhere Node.js 22+ runs. Install with curl -fsSL https://privateer.pro/install.sh | sh, or try it instantly with npx privateer-agent.

Hoist the colors.

One command and the agent is in your terminal.

curl -fsSL https://privateer.pro/install.sh | sh