Document version

Muzzle v1

This is the stored snapshot for the approved document version. The diff below shows what changed from the previous version.

Preview
Source path: muzzle/README.md
Source commit: No commit recorded
Created at: Jun 29, 2026, 6:22 AM UTC
Source digest: 2153211aea05fe9c48886ecc12b408850bf227d686812b5a82f8921add8ca6ad

Document snapshot

Muzzle

Summary

Muzzle is the AI input, output, and execution security layer. It runs as a transparent inspecting proxy in front of your model providers: clients keep talking to the same host and port, and every request, response, and tool call flows through Muzzle's policy engine on the way past.

Status

Preview. There is no public download; v1 is installed locally from source on a Linux host.

What v1 is

The v1 preview is a provider-agnostic gateway proxy. It started as an Ollama-only shim and now normalizes Ollama, OpenAI, and Anthropic traffic into one canonical model so a single policy engine inspects all three the same way — including streaming responses and tool calls.

A v1 install gives you four things:

  • The proxy — one or more listeners, each binding a local port and forwarding to a configured upstream provider, inspecting traffic in both directions.
  • A local admin UI — served on a second (admin) listener in the same process. It renders the live config as an editable form, accepts edits, previews policy decisions (simulation), and tails the JSONL decision log. The form supports adding and removing upstreams, listeners, policy overrides, and denylist terms, with an advanced YAML escape hatch.
  • A muzzle CLI on PATH — for adding upstreams, editing policy, validating the config, checking status, running simulations, tailing logs, and restarting the service.
  • Install/uninstall tooling: install.sh lays down /opt/muzzle/v1, a default /etc/muzzle/muzzle.yaml, a systemd unit, and a Python virtualenv with all dependencies; uninstall.sh removes the install, config, logs, CLI wrapper, and service artifacts.

How policy works

Detectors run rules-first and fast — prompt injection / jailbreak, secrets, PII, and a configurable content denylist. Each detector maps to a category, and each category has a per-direction action: allow, log, redact, transform, or block. Tool calls are blocked by default. An optional LLM judge can add a deeper second opinion but is off by default. Muzzle fails closed by default: if inspection cannot complete, the request is blocked rather than passed through (configurable to fail open).
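
The decision model described above, sketched as an added example; it is not Muzzle's code or config schema. The detector patterns, the policy table, the action precedence, and the decide function with its parameters are all assumptions made for illustration, and the sample strings in it are constructed.

```python
import re

# Assumed precedence (least to most restrictive). The page lists these five
# actions but does not say how competing actions are resolved.
ACTIONS = ["allow", "log", "redact", "transform", "block"]

# Constructed stand-in detectors: category -> callable(text) -> bool.
DETECTORS = {
    "prompt_injection": lambda t: bool(
        re.search(r"ignore (all )?previous instructions", t, re.I)),
    "secrets": lambda t: bool(re.search(r"\bAKIA[0-9A-Z]{16}\b", t)),
    "pii": lambda t: bool(re.search(r"\b\d{3}-\d{2}-\d{4}\b", t)),
    "denylist": lambda t: any(term in t.lower() for term in ("project-nightjar",)),
}

# Hypothetical policy table: one action per category per direction.
POLICY = {
    "prompt_injection": {"request": "block", "response": "log"},
    "secrets": {"request": "redact", "response": "block"},
    "pii": {"request": "log", "response": "redact"},
    "denylist": {"request": "block", "response": "block"},
}


def decide(text, direction, detectors=DETECTORS, policy=POLICY,
           fail_closed=True, is_tool_call=False):
    """Return (action, matched_categories) for one message."""
    if is_tool_call:
        # Tool calls are blocked by default unless the policy overrides it.
        action = policy.get("tool_call", {}).get(direction, "block")
        return action, ["tool_call"]
    matched = []
    try:
        for category, detect in detectors.items():
            if detect(text):
                matched.append(category)
    except Exception:
        # Inspection could not complete: block unless configured to fail open.
        return ("block" if fail_closed else "allow"), ["inspection_error"]
    actions = [policy[c][direction] for c in matched]
    # Most restrictive matched action wins; no match means allow.
    return max(actions, key=ACTIONS.index, default="allow"), matched
```

The same text can get different actions per direction, and a detector that raises turns into a block unless fail_closed is set to False.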

Docs workflow

The living docs in products/muzzle are the canonical source of truth. When a doc set is approved, an export step writes a new immutable, timestamped MongoDB snapshot for each document, stamped with source path, commit, and digest. The API serves the latest approved snapshot for normal product pages, and the website can browse the version history and diffs per document.

Direction

v1 is the enterprise gateway foundation: one canonical model, three providers, streaming and tool-call inspection, and policy simulation shared by the CLI and the admin UI. Next steps deepen provider coverage and the policy surface rather than reworking the core.

More

  • Getting started and v1 scope: v1/README.md
  • How it works (technical): HOWITWORKS.md
  • Plain-English overview: PLAINENGLISH.md
  • Help desk: HELPDESK.md
  • Full design: docs/plans/2026-06-23-muzzle-v1-design.md
  • Enterprise proxy core design: docs/plans/2026-06-24-muzzle-enterprise-proxy-core.md

Diff from previous

This is the first approved version, so there is no previous diff.