@araskovalabs/cerberus
v0.2.1
Published
Cerberus — terminal-first agentic security framework by Araskova Labs.
Maintainers
Readme
Cerberus OSS — AI Security Runtime with Global Brain
Built by Araskova Labs
Cerberus is an autonomous security runtime for AI-native developers. It sits inside every project you work on, learns from every finding across every project on your machine, and evolves into a personalized security expert calibrated to your exact stack, patterns, and risk tolerance.
The Difference From Generic Security Tools
| Generic Security Tool | Cerberus |
|---|---|
| Same advice for everyone | Calibrated to your specific codebase |
| Resets to zero each session | Persistent memory across all projects |
| Hallucinated findings | Evidence-backed, verifiable findings |
| No governance | Policy gates before any intrusive action |
| No agent integration | Any AI agent reads .cerberus/CERBERUS.md |
| Static rules | Reinforcement learning from your feedback |
🚀 Quick Start
Via NPM (recommended):
npm install -g @araskovalabs/cerberusVia Cargo:
cargo install cerberus-cli1. One-time setup
cerberus setup # configure your LLM provider
cerberus init # initialise .cerberus/ in your projectcerberus init creates:
.cerberus/
├── CERBERUS.md ← agent contract — commit this to your repo
├── policy.toml ← security policy for this project
└── state.db ← project findings databaseCERBERUS.md is the key file. Every AI agent (Antigravity, Cursor, Claude Code, Gemini CLI) that reads it instantly gets current project security state — open findings, what to check before making changes, and how to interact with Cerberus. Works exactly like .prettierrc or .eslintrc.
2. Scan your code
cerberus review . # review uncommitted changes
cerberus review . --fix # review + auto-patch vulnerabilities
cerberus review . --ci # CI mode (structured text output)3. Verify and train the brain
cerberus findings list # view open findings
cerberus verify --finding <id> --evidence "note" # confirm real finding
cerberus feedback sql-injection --confirmed false # mark false positive
cerberus learn # feed to global brain4. See what the brain has learned
cerberus status # global brain stats across all projects
cerberus profile # your operator security profile🧠 The Global Brain
Cerberus maintains a machine-wide SQLite database at ~/.cerberus/brain.db that accumulates knowledge across every project you work on.
How it learns:
- Every
cerberus reviewrecords which vulnerability patterns were detected - When you confirm a finding → that pattern gets a higher confidence score
- When you mark a false positive → confidence drops in that context
- When you fix a vulnerability → the fix pattern is stored in memory
- Next project: confirmed patterns from project A boost confidence in project B
The learning formula is simple reinforcement learning:
new_confidence = old_confidence + 0.1 × (reward − old_confidence)Where reward = 1.0 (confirmed) or 0.0 (false positive). After ~50 interactions, Cerberus stops being generic and becomes calibrated to you.
🦀 Why Rust?
Rust is not just a performance choice — it is an architectural enforcement mechanism:
- Policy gates are Rust match statements — the LLM cannot bypass them
- Brain confidence updates are Rust functions — not prompt instructions the model can ignore
- Evidence must be attached before verification — enforced by the type system
- SQLite via
rusqlite(bundled) — zero dependencies, no server, single file on disk tokioasync — reconnaissance, policy checks, and tool execution run in parallel
🏗 Architecture
crates/
cerberus-brain Global RL engine — ~/.cerberus/brain.db
cerberus-cli Terminal interface, all commands, CERBERUS.md generator
cerberus-core Agent kernel, mission data, plan execution
cerberus-memory Project-level SQLite state (per-project .cerberus/state.db)
cerberus-policy Risk levels, policy gates, approval workflow
cerberus-llm LLM provider connectors (OpenAI, Anthropic, Ollama)
cerberus-gateway Telegram and WhatsApp operator bridges🔑 Bring Your Own Model (BYOM)
Cerberus is completely LLM agnostic:
- Anthropic / Claude — deep semantic analysis
- OpenAI / GPT-4o — test script generation
- Ollama (local) — zero data leaves your machine
🏢 Licensing (Open Core)
| Tier | What's included | |---|---| | OSS | Full brain engine, CLI, review/fix/verify workflow, global brain | | Pro | Operator console, fleet-wide dashboards, compliance packs (SOC2, HIPAA, PCI-DSS), federated brain sync |
