yv1ing
Multi-agent workbench for authorized security assessment and research
Top 73.2% on SourcePulse
A controlled multi-agent workbench designed for authorized security assessments, code auditing, internal reviews, and research. It empowers security professionals and researchers by orchestrating specialized agents within a governed workflow, ensuring traceable and secure operations. The system facilitates planning, evidence collection, validation, and reporting through clear role boundaries and sandboxed execution.
How It Works
Z3r0 employs a layered architecture with a React frontend, a FastAPI backend, and a robust agent runtime orchestration layer. It coordinates a Chief Security Officer (CSO) agent with domain specialists (audit, intelligence, penetration, reverse engineering, crypto) to decompose and execute tasks. Core to its design are Docker-backed sandboxes for controlled execution of commands and tools, interrupt-driven task handling for atomicity, and a durable timeline event log for session replay and auditing. This approach ensures clear separation of concerns, traceable execution, and secure, isolated environments for sensitive operations.
Quick Start & Requirements
Copy .z3r0/config.json.example to .z3r0/config.json and configure settings, then run docker compose -f docker-compose.prod.yml up -d --build. Access the workbench at http://127.0.0.1:8000.
QUICKSTART.md (mentioned for setup).
Highlighted Details
Maintenance & Community
The project acknowledges support from the Linux.do website and its community. No specific details on active maintainers, sponsorships, or dedicated community channels (like Discord/Slack) are provided in the README.
Licensing & Compatibility
This project is licensed under the MIT License, which is generally permissive for commercial use and integration into closed-source projects.
Limitations & Caveats
Z3r0 is strictly intended for authorized security assessment, code auditing, internal review, and controlled research or training environments. It explicitly prohibits unauthorized or unlawful use, including testing third-party systems without explicit permission. Users are solely responsible for obtaining authorization, defining scope, and complying with all applicable laws and contracts. High-privilege assets like the Docker socket and model credentials necessitate trusted, isolated environments.