PUBLIC · PRE-GA CLOSED BETA

Zero Trust for the LLM
and the upstream.

A local Zero Trust gateway for LLM agents. Every upstream LLM response, relay output, MCP result, fetched web page, issue, chat message, README and LLM-generated tool call is untrusted by default, and every high-risk action is verified against local policy and your stated intent before it runs. One Rust binary on 127.0.0.1, fail-closed, and every claim on this page is yours to verify.

sieve — decisions watch
$ cosign verify-blob --signature sieve.sig sieve
✓ Verified OK — keyid 8F3A…D21
$ sieve decisions watch
→ outbound · redacted PRIVATE_KEY ×1 (0x4f…a9 → ●●●)
→ inbound  · BLOCKED transfer(2.4 ETH) fail-closed
→ inbound  · PASS read_balance()
0.00%    false-positive rate on Critical rules
99.71%   attack recall
<8ms     added latency (p50)
1        binary, zero cloud
ZERO TRUST GATEWAY

Untrusted in. Verified out.

Sieve assumes every external input reaching your agent is hostile until proven otherwise, and gates every irreversible thing your agent can do. Between the two sits one local checkpoint, policy plus your intent, that nothing crosses unverified.

Untrusted by default (8 sources)
Any input that can carry an injected instruction, not just the LLM:
  LLM    upstream LLM response
  RELAY  relay / proxy output
  MCP    MCP tool result
  WEB    fetched web page
  REPO   issue / PR / README
  MSG    chat message
  DOC    external document
  CALL   LLM-generated tool call
All eight are untrusted, and all are routed to the gate.

Checkpoint: SIEVE GATEWAY
Each item is checked against local policy plus your intent. Matches → allow. Violates → block, fail-closed.

Guarded actions (6 classes)
Every high-risk thing an agent can execute, not just crypto:
  Read local secrets   exfiltration
  Execute shell        RCE
  Access network       exfil / C2
  Sign transactions    fund loss
  Install tools        supply chain
  Deploy code          production
Only verified actions run.

It stops prompt-injected instructions and unauthorized irreversible actions at the gate, before they ever run.
ZERO TRUST

Trust nothing on the wire: not the LLM, not the upstream.

Coding agents now sign transactions, move funds, and deploy contracts on your behalf. The prompt leaves your machine with your secrets inside it; the LLM sends back tool calls that execute without a second look. Zero trust means assuming either end can be wrong, and putting one checkpoint on the only wire you actually control.

01  Secrets leak outbound: keys, seed phrases and .env values ride along inside the context window.
02  Tool calls land inbound: transfer(), approve() and deploy() run with no human beat in between.
03  Cloud scanners can't help: they never see localhost traffic, and you can't audit what they do.
HOW IT WORKS

One checkpoint, the full round trip.

Point your agent's base URL at 127.0.0.1. A single request travels out, is sanitized, returns, and is inspected before anything irreversible runs.
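
The checkpoint diagram and the round trip above, as an added worked example that is not Sieve's code: a fail-closed gate over one OpenAI-style chat round trip. The tool names, the action-class table, the intent shape ({"allow": {class: limits}}) and the credential regex are illustrative assumptions, and the sample traffic is constructed. Outbound, KEY=VALUE credential lines in the messages are redacted in place; inbound, every tool call is decided on its own, and anything the gate cannot prove fine (an unknown tool, unparseable arguments, a transfer above the intent cap, or a Critical class no intent can enable) is blocked.

```python
"""Fail-closed tool-call gate over an OpenAI-style chat round trip (illustration)."""
import copy
import json
import re

# The six guarded classes from the page, keyed by hypothetical tool names.
GUARDED = {
    "read_file":   "read_secrets",    # exfiltration
    "run_shell":   "execute_shell",   # RCE
    "http_fetch":  "access_network",  # exfil / C2
    "send_tx":     "sign_tx",         # fund loss
    "install_pkg": "install_tools",   # supply chain
    "deploy":      "deploy_code",     # production
}
KNOWN_BENIGN = {"read_balance", "get_block_number"}  # assumption: read-only tools
CRITICAL = {"read_secrets"}  # assumption: no intent can switch a Critical class on

# Outbound rule (assumption): a KEY=VALUE line whose key looks like a credential.
CRED_LINE = re.compile(
    r"^(?P<k>[A-Z0-9_]*(?:KEY|SECRET|TOKEN|PASSWORD|PRIVATE)[A-Z0-9_]*)=(?P<v>\S+)$",
    re.MULTILINE,
)


def redact_outbound(request):
    """Return (sanitized deep copy of the request, decision log lines)."""
    req = copy.deepcopy(request)
    log = []

    def _sub(m):
        v = m.group("v")
        log.append(f"outbound · redacted {m.group('k')} ({v[:4]}…{v[-2:]} → ●●●)")
        return f"{m.group('k')}=●●●"

    for msg in req.get("messages", []):
        if isinstance(msg.get("content"), str):
            msg["content"] = CRED_LINE.sub(_sub, msg["content"])
    return req, log


def _decide(name, args, intent):
    """One tool call -> (verdict, reason). Anything not provably fine is BLOCK."""
    if name in KNOWN_BENIGN:
        return "PASS", "benign, not a guarded class"
    if name not in GUARDED:
        return "BLOCK", "unknown tool (fail-closed)"
    cls = GUARDED[name]
    if cls in CRITICAL:
        return "BLOCK", f"{cls}: critical rule, cannot be disabled"
    grant = intent.get("allow", {}).get(cls)
    if grant is None:
        return "BLOCK", f"{cls}: not in your intent"
    if cls == "sign_tx":
        if args.get("to") not in grant.get("to", []):
            return "BLOCK", "sign_tx: recipient not in intent"
        if float(args.get("value_eth", 0)) > grant.get("max_eth", 0):
            return "BLOCK", f"sign_tx: {args['value_eth']} ETH exceeds intent cap"
    return "ALLOW", f"{cls}: matches intent"


def gate_inbound(response, intent):
    """Decide every tool call the model sent back. Any evaluation error blocks."""
    decisions = []
    msg = response["choices"][0]["message"]
    for call in msg.get("tool_calls", []):
        name = call.get("function", {}).get("name", "<missing>")
        try:
            args = json.loads(call["function"]["arguments"])
            verdict, reason = _decide(name, args, intent)
        except Exception as exc:  # malformed call, wrong types, anything unexpected
            verdict, reason = "BLOCK", f"could not evaluate ({type(exc).__name__}), fail-closed"
        decisions.append({"tool": name, "verdict": verdict, "reason": reason})
    return decisions


# Constructed sample traffic; not captured from any real agent or model.
RECIPIENT = "0x" + "1" * 40
SAMPLE_REQUEST = {"model": "gpt-4o", "messages": [{"role": "user", "content":
    "Here is my config:\nOPENAI_API_KEY=sk-live-abcdef0123456789\nRPC_URL=https://rpc.example\n"
    f"Check my balance, then send 2.4 ETH to {RECIPIENT}"}]}
SAMPLE_RESPONSE = {"choices": [{"message": {"role": "assistant", "tool_calls": [
    {"id": "c1", "type": "function", "function": {"name": "read_balance", "arguments": "{}"}},
    {"id": "c2", "type": "function", "function": {"name": "send_tx",
        "arguments": json.dumps({"to": RECIPIENT, "value_eth": 2.4})}},
    {"id": "c3", "type": "function", "function": {"name": "read_file", "arguments": '{"path": ".env"}'}},
    {"id": "c4", "type": "function", "function": {"name": "exec_anything", "arguments": "not json"}},
]}}]}
INTENT = {"allow": {"sign_tx": {"to": [RECIPIENT], "max_eth": 0.5}}}

if __name__ == "__main__":
    sanitized, log = redact_outbound(SAMPLE_REQUEST)
    print(*log, sep="\n")
    for d in gate_inbound(SAMPLE_RESPONSE, INTENT):
        print(f"inbound  · {d['verdict']} {d['tool']}: {d['reason']}")
```

The intent is a cap, not a switch: raising max_eth to 5 turns the 2.4 ETH send_tx into ALLOW, but read_file(".env") stays blocked whatever the intent says, and a tool the policy has never heard of is blocked before its arguments are even looked at.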

DETECTION

Built for crypto's irreversible actions.

The gateway is general; the ruleset is not. Crypto is where Sieve goes deepest, the differentiator no general-purpose guard matches, with detection tuned for the actions you can never take back.

KEY     Private keys & seed phrases: entropy- and format-aware matching for raw keys, mnemonics and keystore blobs.
SIGN    Signing requests: eth_sign, personal_sign and typed-data prompts are flagged before they leave.
TX      Transfers & approvals: transfer() and unlimited approve() calls are held for a confirming human beat.
DEPLOY  Contract deploys: new bytecode deployments are surfaced with the target chain and gas in view.
ENV     .env & credentials: API tokens, RPC URLs and credential files are redacted in place, not blocked.
INJECT  Prompt-injected calls: tool calls the LLM was talked into are caught on the inbound side, fail-closed.
TRUST MODEL

Verifiable, not trusted.

Signed builds   cosign-verify every release against our published public key before you run it.
Runs local      Detection happens on your machine. Nothing about your traffic is sent to us.
Open engine     Read the rules, run the test suite, and reproduce the published numbers yourself.
Fail-closed     If Sieve can't reach a decision, the action does not happen. Critical rules can't be disabled.
GET STARTED

Up in one command.

01  $ brew install sieve-sh/tap/sieve   (coming soon)
    The Homebrew tap and signed binaries ship with the first release; watch the repo to get notified.
02  $ sieve init
    Generates a local cert and starts the proxy on 127.0.0.1:8788.
03  $ export OPENAI_BASE_URL=http://127.0.0.1:8788
    Point your agent at Sieve. That is the whole integration.
NOTES
LLM               the large language model behind an agent; its output can be steered, so it is untrusted.
Zero Trust        grant nothing implicit trust; verify every request against policy.
AI agent          an LLM wired to real tools that act on your behalf, not just chat.
Prompt injection  a hostile instruction hidden in normal content to hijack the LLM.
MCP               Model Context Protocol, the standard interface agents use to call external tools.
Fail-closed       when a check is uncertain, block rather than allow.