<p align="center">
<img src="site/public/social-preview.jpg" alt="Earl - AI-safe CLI for AI agents" width="100%" />
</p>
[](https://github.com/brwse/earl/actions/workflows/ci.yml)
[](https://crates.io/crates/earl)
[](https://docs.rs/earl)
[](LICENSE)
[](#)
[](#)
[](#)
[](#)
[](#)
 
[](https://github.com/brwse/earl/releases/latest)
[](https://github.com/brwse/earl/releases/latest)
[](https://github.com/brwse/earl/releases/latest)
Earl sits between agents and external services. Operations are HCL files committed to your repository. The LLM sees a tool name and description; it never reads the template body. An injected instruction in an API response has nowhere to land because the LLM isn't reading the part of the request that executes.
Secrets stay in the OS keychain. They aren't in tool arguments, tool descriptions, or output.
**[→ Documentation](https://brwse.github.io/earl)**
## Quick start
```bash
# Install
# Import a provider template
earl templates import https://raw.githubusercontent.com/brwse/earl/main/examples/github.hcl
# Store a secret — prompts for the value, not echoed
earl secrets set github.token
# Call a command
earl call --yes --json github.search_repos --query "language:rust stars:>100"
```
To use Earl as MCP tools in your agent, add it to your MCP config and restart. Claude Code and Cursor use the same format:
```json
{
"mcpServers": {
"earl": {
"command": "earl",
"args": ["mcp", "stdio"]
}
}
}
```
MCP tools don't activate until after restart. In the current session, use `earl call --yes --json` through the Bash tool.
See [Quick Start](https://brwse.github.io/earl/docs/quick-start) for the full walkthrough, or [Agent-Assisted Setup](https://brwse.github.io/earl/docs/agent-assisted-setup) to let an agent handle the install and configuration.
## How it works
You write an HCL template describing an operation: method, URL, auth, parameters. When an agent calls the tool, Earl loads the template, reads the required secret from the OS keychain, renders the Jinja expressions against the agent's supplied values, and executes the request. The LLM only ever provided parameter values. Every other part of the request — the URL, the auth header, the method — was written by a human and committed to the repo.
See [How Earl Works](https://brwse.github.io/earl/docs/how-earl-works) for the full security model.
## Documentation
- [Introduction](https://brwse.github.io/earl/docs) — why Earl exists, how the security model works
- [Quick Start](https://brwse.github.io/earl/docs/quick-start) — install, first call, MCP config in five steps
- [Writing Templates](https://brwse.github.io/earl/docs/templates) — HTTP, GraphQL, gRPC, Bash, SQL; auth; result formatting
- [Template Schema](https://brwse.github.io/earl/docs/template-schema) — field-by-field reference
- [Secrets & Auth](https://brwse.github.io/earl/docs/secrets-and-auth) — OS keychain storage, OAuth2 flows
- [External Secrets](https://brwse.github.io/earl/docs/external-secrets) — 1Password, Vault, AWS, GCP, Azure
- [MCP Integration](https://brwse.github.io/earl/docs/mcp) — stdio and HTTP transport, full vs. discovery mode
- [Policy Engine](https://brwse.github.io/earl/docs/policy-engine) — JWT auth and access control for HTTP deployments
- [Environments](https://brwse.github.io/earl/docs/environments) — production, staging, and per-environment overrides
- [Hardening](https://brwse.github.io/earl/docs/hardening) — SSRF protection, egress allowlist, production checklist
- [Commands](https://brwse.github.io/earl/docs/commands) — complete CLI reference
- [Troubleshooting](https://brwse.github.io/earl/docs/troubleshooting) — keychain errors, template validation, MCP issues
## License
MIT