Show HN: Runeward: Sandboxing AI agents with policy gates

tha_infra_guy1 pts0 comments

runeward

Skip to content

Initializing search

Runewardd/runeward

Why governance

Install

Quickstart

Concepts

Profiles

Bring your own model

Fleets

CLI reference

REST API

Adapters

Security model

Observability

Testing

runeward¶

Governed execution cells for AI agents.

Declarative profiles provision isolated sandboxes (Docker or Kubernetes) with<br>deny-by-default egress, a tamper-evident audit ledger, human-in-the-loop policy<br>gates, and cost/loop guardrails — driven over REST, MCP, a CLI, and a web<br>dashboard.

Install&para;

curl -fsSL https://raw.githubusercontent.com/Runewardd/runeward/main/install.sh | sh

Homebrew, container images, and building from source are covered in<br>Install. Then jump to the Quickstart.

Why runeward&para;

Letting an AI agent run shell commands, edit files, install packages, and hit the<br>network is useful right up until it rm -rfs the wrong directory, exfiltrates a<br>secret, or burns your API budget in a retry loop. Raw isolation ("jail the agent<br>in a box") is table stakes. runeward adds the governance layer around the box —<br>enforcing the rules outside the model instead of hoping it was trained to behave<br>(why governance, not training):

Profiles are a security contract. Everything you don't grant is denied by<br>default, so the blast radius is explicit.

Governed, not just isolated. Every action flows through one path — policy,<br>approval gate, guardrails, backend exec, audit ledger — whether it arrives via<br>REST, the dashboard, or MCP.

Tamper-evident by construction. An append-only, hash-chained, ed25519-signed<br>ledger records every call and its verdict, and exports as an independently<br>verifiable transcript.

Human-in-the-loop where it matters. Per-action allow / deny /<br>require-approval verdicts pause risky operations for an operator.

Cost and loop guardrails. Hard caps on wall-clock, exec count, egress<br>requests, and token/spend budgets, plus retry-loop detection.

Authenticated, multi-user control plane. Bearer-token auth by default off<br>loopback, optional multi-principal RBAC (per-token profile/approval scopes),<br>and per-principal dashboard views with an interactive login.

Pluggable backends. Docker/Podman for zero-setup laptop use, or Kubernetes<br>(strict L3 egress, CRDs, admission webhook, PSA + NetworkPolicy multi-tenancy)<br>for production and fleets.

How it compares&para;

typical agent sandbox<br>runeward

Isolation (container/VM)<br>yes<br>yes (Docker or Kubernetes)

Deny-by-default network egress<br>sometimes<br>yes; SNI allowlist, strict L3 on k8s

Per-action policy + approvals<br>rare<br>yes; builtin / CEL / OPA-Rego + HITL gates

Tamper-evident, signed audit trail<br>rare<br>yes; hash-chained + ed25519, verifiable

Cost / loop guardrails<br>rare<br>yes; wall-clock, exec, egress, loop caps

Multi-agent fleets<br>rare<br>yes; N cells + atomic task board

Control-plane auth + multi-user<br>rare<br>yes; bearer token + RBAC principals + per-user views

Agent-native surface<br>partial<br>REST + MCP + CLI + dashboard + SKILL/adapters

Signed release artifacts<br>rare<br>yes; cosign keyless + SBOMs

Operable as a service<br>rare<br>yes; /metrics + structured logs

Where to next&para;

Why governance — enforce rules outside the model, not by training it.

Install — one-line installer, Homebrew, or from source.

Quickstart — a governed sandbox in ~60 seconds.

Concepts — sandboxes, fleets, policy, egress, the ledger.

Profiles — the declarative security contract.

Adapters — LangChain, CrewAI, LlamaIndex, OpenAI Agents SDK, Strands, Vercel AI SDK, LangChain.js.

Security model — what runeward does and does not protect.

Observability — metrics, structured logs, and telemetry.

runeward is open source under the Apache License 2.0.

Back to top

runeward loop rare install egress policy

Related Articles