The Hanzo OSS estate, mapped.
curl -fsSL hanzo.sh | bash
hanzo init my-app
hanzo dev| Repo | Role |
|---|---|
| cloud | Unified Go control plane and binary (HIP-0106) |
| zip | Canonical Go web framework, Fiber v3-based |
| base | Per-tenant SQLite + extension runtimes (HIP-0105) |
| iam | Identity, OAuth2/OIDC/SAML |
| kms | Secrets and signing |
| gateway | HTTP gateway: routing, JWT, identity strip |
| vfs | Object-store abstraction (HIP-0107) |
| commerce | Checkout + billing (light router; NOT in PCI scope) |
| o11y | Metrics + traces + logs |
| Repo | Role |
|---|---|
| mcp | Model Context Protocol (HIP-0300 unified tools) |
| agents | Multi-agent orchestration |
| brain | Memory + RAG |
| ai | LLM control plane + RAG + model hub |
| Repo | Lang |
|---|---|
| zip-rs | Rust handler SDK (wasm output) |
| zip-js | TypeScript handler SDK |
| python-sdk | Python SDK |
| go-sdk | Go SDK |
| rust-sdk | Rust SDK with crypto/DID |
| js-sdk | TypeScript client library |
| Repo | Role |
|---|---|
| chat | Hanzo Chat — 14 Zen models + MCP tools |
| platform | PaaS deployment UI |
| console | LLM dev + evals + prompt management |
| desktop | Desktop agent client |
| flow | Visual workflow builder |
| bot | Channel adapter framework |
| Repo | Lang | Why isolated |
|---|---|---|
| vault | Go | PCI-DSS CDE (the only system that touches PAN) |
| payments | Rust | PCI-CDE-connected, payment orchestration |
| datastore | C++ | OLAP column store |
| engine | Rust | Inference worker (CUDA/Metal/CPU) |
| insights | Python | LLM observability + evals + prompt mgmt |
| Repo | Role |
|---|---|
| HIPs | Hanzo Improvement Proposals — protocol specs |
- Unified binary (HIP-0106): single Go process mounts iam, kms, base, commerce, ai, gateway, o11y, vfs, mq, dns, amqp, mcp via the
Mount(*zip.App, cloud.Deps) errorcontract. - Extension runtimes (HIP-0105): user code runs in goja (JS), pyvm (Python), wazero (Rust/AS/wasm), starkvm (Starlark policy DSL).
- Per-tenant SQLite (HIP-0302): each org gets its own SQLite file with KMS-derived DEK; replicated to S3 via replicate.
- PCI isolation: vault is the only L1-audited CDE; payments and commerce are CDE-connected; everything else is out of scope.
- White-label: same binary, different brand at startup. Fork hanzoai/cloud to launch your own ecosystem.
- Specs: HIPs
- Security: see
SECURITY.mdin any core repo - PR response: 48 hours
- License: BSD-3, Apache-2.0, or MIT per repo
HIPs implemented:
- HIP-0014 Application Deployment
- HIP-0026 IAM
- HIP-0027 KMS
- HIP-0037 AI Cloud Platform
- HIP-0060 Serverless Functions
- HIP-0105 In-Process Extension Runtime
- HIP-0106 Unified Cloud Binary
- HIP-0107 Streaming Replication over VFS
- HIP-0302 Encrypted SQLite + ZapDB Durability
