Show HN: Hezo – Self-hosted teams of AI agents that never see your real secrets

A whole AI workforce. And you're the boss.

Hezo hires AI agents, runs them, and ships their work — without ever handing them your keys.

$ curl -fsSL https://hezo.ai/install.sh | sh

No cloud dependency Secrets never in agent context Signed commits Per-agent budget caps

01 How it works

Three moves to a working team.

STEP 01

Create a project

Describe the work to the CEO. It scopes the project and provisions a team — each in its own container.

STEP 02

Set the direction

Lay out the project plan, then hire or customize agents, tune their prompts, and give any agent its own model.

STEP 03

Approve and run

Agents work autonomously on a heartbeat. You watch live, approve sensitive actions, cap the spend, and change direction any time.

02 Talk to your company

Chat with the CEO. The Coach does the rest.

CEOHQ

You

Spin up a team to research our top 3 competitors.

CEO

On it — scoping a Market Research team: one researcher and one analyst, sharing your Claude key. They'll start with positioning and pricing

Ask the CEO anything, across every project…

one conversation · always one click away · picks up where you left off

CEO Your point of contact

The CEO sees every project, ticket, and roster. Ask how things are going or tell it to hire a role — replies stream back live, and anything consequential returns as an approval.

COACH Teams that improve every ship

When a ticket completes, the Coach reviews it and writes durable learned rules back onto the agent. The same mistake doesn't happen twice — no prompt-tuning by hand.

03 Why Hezo · Secure by design

Agents never hold your secrets.

Agent container · sees only placeholders

Authorization: Bearer HEZO_SECRET_STRIPE

Egress proxy · checks destination

✓ host = api.stripe.com → swap in the real key

✕ any other host → request blocked, no substitution

Leaves the box only if allowed

Authorization: Bearer sk_live_••••••••

every substitution is logged by name, never by value

AES-256-GCM Encrypted at rest

Keys and tokens sit behind a master key that lives in memory only, never on disk. Hezo can't unlock itself without you.

DOCKER Sandboxed

Every agent runs in a per-project container — no host access, all traffic through the proxy. A bad run's blast radius is one box.

SELF-HOSTED Yours

You own the machine, the keys, the spend, and the data. Git commits are signed host-side with your project key.

04 Works with your models

Bring your own providers. Mix freely.

ProviderModelsRuntimeAuth

AnthropicClaudeClaude CodeAPI key or subscription

OpenAIChatGPT / GPTCodexAPI key or subscription

GoogleGeminiGemini CLIAPI key or subscription

KimiKimi (Moonshot)KimiAPI key or subscription

DeepSeekDeepSeekClaude CodeAPI key

Z.aiGLMClaude CodeAPI key

OpenRouterMany, via one keyOpenCodeAPI key

No need to host your own models — Hezo runs the agents, your provider accounts power them.

05 What's in the box

Everything a team of agents needs to ship.

Security & control

Secret substitution at the egress proxy — placeholders in, real keys swapped in only for allowed hosts.

Encrypted at rest (AES-256-GCM) behind one master key only you hold.

Per-project Docker isolation, with all agent traffic forced through the proxy.

Verified git commits, signed host-side with your project key.

An append-only audit trail of every action and secret use.

Orchestration

An org chart of roles — CEO, Coach, Captain, and workers — that coordinate.

A task board with per-task rules and an agent-maintained progress summary.

Heartbeat execution: agents wake on a schedule to pick up work, gated by budget.

Multiple projects, each an independent team in its own container.

Models & cost

Bring your own providers; mix models freely, down to one per agent.

Hard budget caps — daily, weekly, monthly — per agent and per project.

Agents pause when a window is exhausted and resume when it rolls over.

Memory & documents

Long-term memory — the CEO remembers your standing preferences across every conversation.

Durable project documents — PRDs, specs, and research, kept with full version history.

Work carries cleanly across runs instead of evaporating between sessions.

Assets & previews

Bring references in — upload mockups, images, and PDFs for the team to work from.

Agents produce interactive HTML & SVG deliverables, not just text.

Preview their work in-app on any device, as it's built.

Interface

A mobile-first web app — oversee, chat, and approve from any device.

MCP in and out — a built-in server so any client can drive your teams, plus external MCP servers that give agents the tools you already use.

One self-contained binary: web app, API, realtime, database, and vault.

06 How Hezo compares

Not tabs. Not someone else's cloud.

Agents in terminal tabs

Hosted agent platforms

Frameworks / SDKs

Hezo

Runs on

Your machine, by hand

Someone else's cloud

Wherever you build it

Hardware you own

Your secrets

Live in your shell

Held by the vendor

You wire them up

Never exposed to the agent

Many agents

Tabs and willpower

Varies

You build it

An org chart, built in

Spend control

Watch the meter

Vendor billing

Do it yourself

Hard budget caps

You provide

Prompts, by hand

Vendor config

Code

Goals and rules

07 FAQ

Questions, answered.

Do I need to host my own models?+

No — bring API keys or subscriptions for the providers you want. Hezo runs the agents; the models stay with them.

Can agents see my API keys?+

No. Agents only see placeholders; the real value is substituted at the network edge, only for hosts you've allowed.

Is my data sent anywhere?+

Hezo is self-hosted. Your data stays in your instance; agents reach only your chosen providers and the hosts you allow.

Can I run multiple projects?+

Yes — each gets its own team and isolated container.

How are agents kept from running up a huge bill?+

Set daily, weekly, or monthly budgets per agent and project; agents pause when a window is exhausted and resume when it rolls over.

Up and running in one command.

bash

curl -fsSL https://hezo.ai/install.sh | sh

Then see Your first project →

Open localhost:3100 — the setup flow walks you through your master key and connecting a model.