Zero Trust AI Agent β Secured by Design, Trusted by Network.
Odin is an open-source autonomous AI agent built on Zero Trust principles. Every action is verified, every data flow is tracked, and nothing is trusted by default. Built by AgentLayers.
M2 Research Project β Odin is the reference implementation accompanying the master's thesis "Zero Trust Security Architecture for Autonomous LLM Agents". See
docs/thesis_odin_zero_trust_agent.docxand the scientific review indocs/annexe-revue-scientifique.md.
- Feature Status Legend
- Architecture
- Project Structure
- Getting Started
- LLM Configuration
- Dashboard
- A2A Protocol & Gateways
- Design Principles
- Tech Stack
- Development
- Security
- Documentation
- License
Every feature listed in the Architecture section below carries one of three status badges. The intent is to keep this README a truthful map of the codebase rather than an aspirational one.
| Badge | Meaning |
|---|---|
| β Shipped | Implemented, covered by tests, behaves as described on main. |
| π¨ In Progress | Scaffolded and partially working β usable but with caveats called out inline. |
| π Planned | Design-only at this stage; no runtime code yet. |
If you find a claim in this file that does not match the code, that is a bug β please open an issue.
Odin is organized as a TypeScript monorepo of 7 packages built around 4 subsystems.
The execution backbone of the agent.
- β LLM Router β Dual-LLM CaMeL pattern with a privileged model (planning, tool calls) and a quarantined model (untrusted output processing)
- β
Provider Adapters β
AnthropicAdapter,OpenAIAdapter,OllamaAdapter, andNullAdapter(boot with no LLM, plug one in at runtime) - β Memory Store β SQLite + FTS5 full-text search with Merkle tree integrity verification
- π Skill Loader β Dynamic capability loading with security scanning. Planned β no runtime loader yet; skill manifests are defined as types only.
Local, free, always-on security layer.
- β IFC Engine β FIDES-inspired Information Flow Control with dual-lattice taint tracking (integrity Γ confidentiality)
- π¨ Sandbox Manager β Ring 0 / 1 / 2 privilege taxonomy with resource limits is implemented today as an in-process timeout wrapper; a real process-level isolate (
child_process.fork+ structured-clone IPC) is in development. Docker / gVisor backends remain π planned β they are an orchestration decision, not a runtime one. - β Policy Engine β Cedar-inspired declarative access policies, sub-millisecond evaluation
- β DID Manager β Ed25519 decentralized identity, signed messages, ephemeral task-scoped credentials
Network-level trust verification via the AgentLayers API (optional paid tier β the agent is fully functional without it).
- π¨ Trust Score β 6-dimensional model (performance, transparency, security, compliance, reputation, reliability). Three dimensions are computed from real local evidence (performance, security, reliability); the other three currently fall back to neutral baselines when the AgentLayers API is unavailable. Evidence-based computation for all six is in development.
- β
Circuit Breaker β 5-state protection:
CLOSED β DEGRADED β OPEN β HALF_OPEN(DEGRADED is an Odin innovation) - π¨ Skill / MCP / A2A Scanners β Wire protocol + client exists; scanner engines are hosted on the AgentLayers side and require an API key. Local adversarial tests cover the client, not the backend.
- π¨ EU AI Act Compliance β
AuditLog.exportComplianceReport()produces decision summaries suitable as Article-50 evidence; a dedicated Article 13 / 14 checker module is in development.
Reasoning, memory and self-improvement, organised in three progressive phases.
| Phase | Components | Status |
|---|---|---|
| Phase 1 β Foundation | EpisodicStore (Graphiti-style graph memory), CIK taxonomy (Capabilities / Identity / Knowledge), ModelFirstReasoner (world model + counterfactuals) |
π¨ In progress β modules scaffolded with tests, end-to-end wiring into the agent loop still underway |
| Phase 2 β Autonomy | SleepAgent (offline consolidation), EvolutionSandbox (T1βT4 tier progression with rollback), AMEMController (trajectory-compressed procedural memory) |
π¨ In progress β individual components unit-tested; orchestrator that runs them in a live session is π planned |
| Phase 3 β Advanced Reasoning | MCTSPlanner + HierarchicalPlanner, CausalEngine (Pearl's 3-level SCM with do-calculus), CIKInvariantVerifier (TLA+-inspired formal invariants), SelfImprovementLoop (closed-loop failure analysis) |
π¨ In progress β algorithms implemented and tested in isolation; integration with the decision loop is π planned |
Full visibility into agent behaviour.
- π¨ OpenTelemetry-compatible tracing β
DecisionTraceremits spans with the OTel shape (traceId / spanId / attributes). An actual@opentelemetry/*SDK exporter is π planned β today spans live in memory and on the dashboard, not in an OTel collector. - β DecisionTracer β Step-by-step reasoning audit trail
- β AuditLog β Append-only, signed log (file-backed, Ed25519-verifiable)
- π¨ ComplianceReporter β Generic decision/denial/trust-range summary is shipped as
AuditLog.exportComplianceReport(). Framework-specific reporters (EU AI Act Art. 13/14, OWASP ASI 2026, Singapore MGF, SLSA) are π planned. - β Dashboard β Real-time WebSocket UI with live KPIs, AEGIS panel, hover tooltips on every setting
odin/
βββ packages/
β βββ cli/ # CLI entry point, OdinAgent orchestrator
β β βββ src/
β β β βββ a2a/ # Agent-to-Agent protocol (client, server, discovery)
β β β βββ gateways/ # Telegram, Discord, base gateway
β βββ core/ # LLM router, memory, provider adapters
β βββ security/ # IFC, sandbox, policies, DID
β βββ trust/ # Trust scoring, circuit breaker, scanners
β βββ cognition/ # Episodic, CIK, MCTS, causal, evolution
β βββ observability/ # Tracing, audit logs, compliance
β βββ dashboard/ # Real-time monitoring UI
βββ docs/
β βββ architecture.md
β βββ security-model.md
β βββ cognitive-architecture.md
β βββ annexe-revue-scientifique.md # Scientific review (annex)
β βββ thesis_odin_zero_trust_agent.docx
β βββ generate-thesis.cjs
βββ .github/workflows/ci.yml # GitHub Actions CI
βββ Dockerfile
βββ docker-compose.yml
βββ odin.yaml # Agent configuration
βββ vitest.config.ts
βββ pnpm-workspace.yaml
βββ package.json
- Node.js β₯ 20
- pnpm β₯ 8
- (Optional) Ollama, an Anthropic API key, or an OpenAI API key
You do NOT need an LLM to boot. Odin launches in "no LLM" mode and you can plug one in later from the dashboard, the
/llmCLI command, or environment variables.
git clone https://github.com/kevcoutellier/ODIN-project.git
cd ODIN-project
pnpm install
pnpm build# Start the agent in interactive CLI mode
pnpm start
# Development mode with hot reload
pnpm dev
# Show security status and exit
pnpm start -- --status
# Use a custom config file
pnpm start -- --config ./my-odin.yamldocker compose up -d # Start Odin
docker compose logs -f odin # Follow logsOdin supports four providers selected at runtime. API keys are read from the environment; the provider is auto-detected if any of them is set.
| Provider | Environment variable | Auto-selected model (privileged / quarantined) |
|---|---|---|
| Anthropic | ANTHROPIC_API_KEY |
claude-sonnet-4 / claude-haiku-4-5 |
| OpenAI | OPENAI_API_KEY |
gpt-4o / gpt-4o-mini |
| Ollama | OLLAMA_BASE_URL or OLLAMA_HOST |
gemma3 / gemma3 |
| None | (nothing set) | NullAdapter β agent boots, dashboard works, chat returns a configure-me notice |
You can also force a provider with ODIN_LLM_PROVIDER=anthropic|openai|ollama|none.
# From the CLI
/llm anthropic claude-sonnet-4
/llm ollama gemma3 http://localhost:11434
/llm none # detach β agent stays alive
# Or via the Dashboard β LLM settings panel
# (Provider dropdown, Model, API Key, Max Tokens, Temperature)/status Show trust score, mode, and decision counters
/memory <query> Search episodic memory
/llm <provider> β¦ Switch the LLM at runtime
/quit Graceful shutdown
The dashboard is served at http://localhost:3333 (port configurable via odin.yaml). It renders live agent state over WebSocket β no mocked values.
- β Identity & KPIs β DID, trust mode, uptime, tokens used, installed skills, connected agents
- β AEGIS panel β IFC Engine, Supply Chain Scanner, Policy Engine, Trust Mesh with real-time metrics
- β Activity log & Decision trace β timestamped tool calls, chats, A2A interactions, Allow / Warn / Block decisions
- β Settings β LLM, Skills, MCP, Memory, Gateway, Security, Terminal, Cron β every form field has a hover tooltip describing what it does
- π¨ Compliance card β Renders totals and denial rates today. Framework-specific scoring (EU AI Act, OWASP ASI 2026, Singapore MGF) is π planned.
Odin agents discover and talk to each other over a signed A2A protocol:
GET /.well-known/agent.json β AgentCard {did, capabilities, endpoints, trustScore, signature}
Message types include task/send, task/result, task/status, task/cancel, peer/discover, peer/heartbeat, trust/query, trust/report. Every message is Ed25519-signed; peer AgentCards are verified via the AgentLayers Trust Mesh; circuit breakers protect against flaky peers.
| Gateway | Protocol | Status |
|---|---|---|
| CLI / Dashboard | WebSocket | β Default |
| Telegram | Bot API (long polling) | β Shipped |
| Discord | Gateway API v10 (WebSocket) | β Shipped |
| Slack / WhatsApp | β | π§ Planned |
All gateways share the BaseGateway abstract class: user allow-list, @mention requirement for group chats, automatic routing to agent.chat(), long-message splitting.
| Principle | Implementation |
|---|---|
| Zero Trust | Every input, tool output, and peer message is verified β nothing is implicitly trusted |
| Security is architectural | Enforced through IFC taint tracking, sandboxing, and CaMeL β not statistical guardrails |
| Free security, paid trust | Local security features are free & open source; network trust verification is via AgentLayers |
| Defense in depth | Ring sandboxing + Cedar policies + IFC + DID signing = layered protection |
| Optional by design | No LLM, no AgentLayers account, no Docker required β the agent still boots and runs locally |
| Component | Technology | Status |
|---|---|---|
| Runtime | Node.js / TypeScript (ES2022) | β |
| LLMs | Anthropic, OpenAI, Ollama, or none (NullAdapter) | β |
| Database | SQLite + FTS5 + Merkle trees | β |
| Security | IFC taint tracking, Cedar-style policies, Ed25519 (TweetNaCl) | β |
| Sandbox | Ring 0β2 taxonomy + in-process timeout wrapper | π¨ |
| Sandbox (Docker / gVisor backend) | Container-based isolation | π |
| Cognition | Graph episodic memory, MCTS + UCB1, Pearl SCM, TLA+-inspired invariants | π¨ |
| Observability (OTel-compatible in-memory) | DecisionTracer emits OTel-shaped spans |
β |
| Observability (OTel SDK exporter) | @opentelemetry/* integration |
π |
| Dashboard | WebSocket real-time UI | β |
| Monorepo | pnpm workspaces | β |
| Testing | Vitest (150+ unit / adversarial tests across core / security / trust / cognition) | β |
| CI / Packaging | GitHub Actions, Dockerfile, docker-compose | β |
pnpm build # Build all 7 packages
pnpm test # Run the full Vitest suite
pnpm lint # Lint
pnpm dev # Hot-reload dev modepnpm --filter @odin/cognition test
pnpm --filter @odin/security testOdin addresses the OWASP Agentic Security Initiative (ASI) 2026 top-10 risks for autonomous AI agents. See docs/security-model.md for the full threat model and mitigations.
If you discover a vulnerability, please report it responsibly to security@agent-layers.com rather than opening a public issue.
| Document | Contents |
|---|---|
docs/architecture.md |
System architecture, message pipeline, subsystem interactions |
docs/security-model.md |
Threat model, CaMeL, IFC lattices, sandbox rings |
docs/cognitive-architecture.md |
Three-phase cognitive design, CIK, MCTS, causal engine |
docs/annexe-revue-scientifique.md |
Annex β Scientific review (French) accompanying the M2 thesis |
docs/thesis_odin_zero_trust_agent.docx |
M2 thesis manuscript |