
Commands.com Blog

Development updates, technical decisions, and behind-the-scenes progress as we build the secure relay for local AI agents.

Architecture

Why We Built a Zero-Knowledge Relay

The architecture behind Commands.com's end-to-end encrypted agent gateway

When we set out to build Commands.com, we had a simple question: how do you let someone interact with an AI agent running on your machine without uploading your code to the cloud? The answer turned out to be a zero-knowledge relay — an infrastructure layer that routes encrypted messages without ever being able to read them.

The Problem

AI coding agents are most powerful when they run locally — reading your files, understanding your project structure, running commands in your environment. But sharing that power with someone else has always meant one of two bad options: give them access to your entire repo, or upload everything to a cloud environment.

We wanted a third option: keep the agent local, relay the conversation securely.

End-to-End Encryption by Design

Every session between a local agent and a remote user establishes a fresh cryptographic channel:

  • X25519 ECDH for ephemeral key exchange — new keys every session
  • Ed25519 for agent identity verification — the relay can authenticate agents without decrypting messages
  • HKDF-SHA256 for deriving directional session keys
  • AES-256-GCM with deterministic nonces and strict sequence enforcement for replay protection

The relay verifies the agent's signature during the handshake, then passes through encrypted bytes. It never holds session keys. Even if our servers were fully compromised, an attacker would see nothing but ciphertext.
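The session setup described above, sketched with Node.js crypto as an added example (not Commands.com's own code). The HKDF labels, the use of both ephemeral public keys as salt, and the nonce layout are assumptions; the Ed25519 identity signature is left out to keep the focus on key derivation and replay rejection.

```javascript
// Added example, not Commands.com code. HKDF labels, salt and nonce layout are assumptions.
const crypto = require('node:crypto');

// X25519 ECDH, then HKDF-SHA256 into one AES-256 key per direction.
function deriveKeys(myPriv, peerPub, salt) {
  const shared = crypto.diffieHellman({ privateKey: myPriv, publicKey: peerPub });
  const key = (label) => Buffer.from(crypto.hkdfSync('sha256', shared, salt, label, 32));
  return { agentToUser: key('agent->user'), userToAgent: key('user->agent') };
}

// Deterministic 96-bit nonce: 4 zero bytes followed by the 64-bit sequence number.
function nonceFor(seq) {
  const n = Buffer.alloc(12);
  n.writeBigUInt64BE(BigInt(seq), 4);
  return n;
}

function seal(key, seq, plaintext) {
  const c = crypto.createCipheriv('aes-256-gcm', key, nonceFor(seq));
  const body = Buffer.concat([c.update(plaintext), c.final()]);
  return { seq, body, tag: c.getAuthTag() }; // this frame is all a relay would carry
}

// Receiver accepts only the next expected sequence number, so a replayed frame fails.
function makeReceiver(key) {
  let expected = 0;
  return (frame) => {
    if (frame.seq !== expected) throw new Error('out-of-sequence frame rejected');
    const d = crypto.createDecipheriv('aes-256-gcm', key, nonceFor(frame.seq));
    d.setAuthTag(frame.tag);
    const pt = Buffer.concat([d.update(frame.body), d.final()]); // throws if tampered
    expected += 1;
    return pt;
  };
}

function demo() { // both endpoints in one process, with a constructed message
  const agent = crypto.generateKeyPairSync('x25519'); // fresh keys per session
  const user = crypto.generateKeyPairSync('x25519');
  const salt = Buffer.concat([agent, user].map((k) => k.publicKey.export({ type: 'spki', format: 'der' })));
  const a = deriveKeys(agent.privateKey, user.publicKey, salt);
  const u = deriveKeys(user.privateKey, agent.publicKey, salt);
  const receive = makeReceiver(a.userToAgent);
  const frame = seal(u.userToAgent, 0, Buffer.from('ls src/'));
  const plaintext = receive(frame).toString();
  let replayRejected = false;
  try { receive(frame); } catch { replayRejected = true; }
  return { plaintext, replayRejected, keysMatch: a.agentToUser.equals(u.agentToUser), directionsDiffer: !a.agentToUser.equals(a.userToAgent) };
}
```

Because each direction has its own key and the nonce is derived from the sequence number, a nonce is never reused under one key as long as the sender never repeats a sequence number.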

Permission Profiles: Security at the Agent Level

Encryption protects the transport. But the agent also needs to protect your machine. That's why we built configurable permission profiles:

  • Read-only — file reads, code search, directory listing. Nothing else.
  • Dev-safe — adds tool access with blocked sensitive paths (.ssh, .aws, .gnupg) and restricted bash patterns
  • Full — unrestricted, for trusted collaborators only

You choose the profile when you start the agent. The remote user never sees the policy — they just interact with whatever capabilities you've allowed.

Architecture

Layer            Stack
Local Agent      TypeScript, Claude Agent SDK, Node.js crypto
Gateway Relay    Go, Fiber, Redis, WebSocket + SSE
Browser Client   Web Crypto API, SSE for events, HTTP for messages
Infrastructure   ECS Fargate, ElastiCache Redis, DynamoDB, CloudFormation

What's Next

We're working on agent-to-agent communication — letting agents on different machines talk to each other through the relay. The encryption and identity infrastructure already supports it. The relay doesn't care whether the other end is a browser or another agent — it just passes encrypted frames. More on that soon.

Our goal: let anyone share a local AI agent with anyone else, securely, without uploading a single file. The relay handles the connectivity — you handle the permissions.
