runeward
Skip to content
Initializing search
Runewardd/runeward
Why governance
Install
Quickstart
Concepts
Profiles
Bring your own model
Fleets
CLI reference
REST API
Adapters
Security model
Observability
Testing
runeward¶
Governed execution cells for AI agents.
Declarative profiles provision isolated sandboxes (Docker or Kubernetes) with<br>deny-by-default egress, a tamper-evident audit ledger, human-in-the-loop policy<br>gates, and cost/loop guardrails — driven over REST, MCP, a CLI, and a web<br>dashboard.
Install¶
curl -fsSL https://raw.githubusercontent.com/Runewardd/runeward/main/install.sh | sh
Homebrew, container images, and building from source are covered in<br>Install. Then jump to the Quickstart.
Why runeward¶
Letting an AI agent run shell commands, edit files, install packages, and hit the<br>network is useful right up until it rm -rfs the wrong directory, exfiltrates a<br>secret, or burns your API budget in a retry loop. Raw isolation ("jail the agent<br>in a box") is table stakes. runeward adds the governance layer around the box —<br>enforcing the rules outside the model instead of hoping it was trained to behave<br>(why governance, not training):
Profiles are a security contract. Everything you don't grant is denied by<br>default, so the blast radius is explicit.
Governed, not just isolated. Every action flows through one path — policy,<br>approval gate, guardrails, backend exec, audit ledger — whether it arrives via<br>REST, the dashboard, or MCP.
Tamper-evident by construction. An append-only, hash-chained, ed25519-signed<br>ledger records every call and its verdict, and exports as an independently<br>verifiable transcript.
Human-in-the-loop where it matters. Per-action allow / deny /<br>require-approval verdicts pause risky operations for an operator.
Cost and loop guardrails. Hard caps on wall-clock, exec count, egress<br>requests, and token/spend budgets, plus retry-loop detection.
Authenticated, multi-user control plane. Bearer-token auth by default off<br>loopback, optional multi-principal RBAC (per-token profile/approval scopes),<br>and per-principal dashboard views with an interactive login.
Pluggable backends. Docker/Podman for zero-setup laptop use, or Kubernetes<br>(strict L3 egress, CRDs, admission webhook, PSA + NetworkPolicy multi-tenancy)<br>for production and fleets.
How it compares¶
typical agent sandbox<br>runeward
Isolation (container/VM)<br>yes<br>yes (Docker or Kubernetes)
Deny-by-default network egress<br>sometimes<br>yes; SNI allowlist, strict L3 on k8s
Per-action policy + approvals<br>rare<br>yes; builtin / CEL / OPA-Rego + HITL gates
Tamper-evident, signed audit trail<br>rare<br>yes; hash-chained + ed25519, verifiable
Cost / loop guardrails<br>rare<br>yes; wall-clock, exec, egress, loop caps
Multi-agent fleets<br>rare<br>yes; N cells + atomic task board
Control-plane auth + multi-user<br>rare<br>yes; bearer token + RBAC principals + per-user views
Agent-native surface<br>partial<br>REST + MCP + CLI + dashboard + SKILL/adapters
Signed release artifacts<br>rare<br>yes; cosign keyless + SBOMs
Operable as a service<br>rare<br>yes; /metrics + structured logs
Where to next¶
Why governance — enforce rules outside the model, not by training it.
Install — one-line installer, Homebrew, or from source.
Quickstart — a governed sandbox in ~60 seconds.
Concepts — sandboxes, fleets, policy, egress, the ledger.
Profiles — the declarative security contract.
Adapters — LangChain, CrewAI, LlamaIndex, OpenAI Agents SDK, Strands, Vercel AI SDK, LangChain.js.
Security model — what runeward does and does not protect.
Observability — metrics, structured logs, and telemetry.
runeward is open source under the Apache License 2.0.
Back to top