Skip to content

runeward

runeward

Governed execution cells for AI agents.

Declarative profiles provision isolated sandboxes (Docker or Kubernetes) with deny-by-default egress, a tamper-evident audit ledger, human-in-the-loop policy gates, and cost/loop guardrails — driven over REST, MCP, a CLI, and a web dashboard.

Install

curl -fsSL https://raw.githubusercontent.com/Runewardd/runeward/main/install.sh | sh

Homebrew, container images, and building from source are covered in Install. Then jump to the Quickstart.

Why runeward

Letting an AI agent run shell commands, edit files, install packages, and hit the network is useful right up until it rm -rfs the wrong directory, exfiltrates a secret, or burns your API budget in a retry loop. Raw isolation ("jail the agent in a box") is table stakes. runeward adds the governance layer around the box — enforcing the rules outside the model instead of hoping it was trained to behave (why governance, not training):

  • Profiles are a security contract. Everything you don't grant is denied by default, so the blast radius is explicit.
  • Governed, not just isolated. Every action flows through one path — policy, approval gate, guardrails, backend exec, audit ledger — whether it arrives via REST, the dashboard, or MCP.
  • Tamper-evident by construction. An append-only, hash-chained, ed25519-signed ledger records every call and its verdict, and exports as an independently verifiable transcript.
  • Human-in-the-loop where it matters. Per-action allow / deny / require-approval verdicts pause risky operations for an operator.
  • Cost and loop guardrails. Hard caps on wall-clock, exec count, egress requests, and token/spend budgets, plus retry-loop detection.
  • Authenticated, multi-user control plane. Bearer-token auth by default off loopback, optional multi-principal RBAC (per-token profile/approval scopes), and per-principal dashboard views with an interactive login.
  • Pluggable backends. Docker/Podman for zero-setup laptop use, or Kubernetes (strict L3 egress, CRDs, admission webhook, PSA + NetworkPolicy multi-tenancy) for production and fleets.

How it compares

typical agent sandbox runeward
Isolation (container/VM) yes yes (Docker or Kubernetes)
Deny-by-default network egress sometimes yes; SNI allowlist, strict L3 on k8s
Per-action policy + approvals rare yes; builtin / CEL / OPA-Rego + HITL gates
Tamper-evident, signed audit trail rare yes; hash-chained + ed25519, verifiable
Cost / loop guardrails rare yes; wall-clock, exec, egress, loop caps
Multi-agent fleets rare yes; N cells + atomic task board
Control-plane auth + multi-user rare yes; bearer token + RBAC principals + per-user views
Agent-native surface partial REST + MCP + CLI + dashboard + SKILL/adapters
Signed release artifacts rare yes; cosign keyless + SBOMs
Operable as a service rare yes; /metrics + structured logs

Where to next

  • Why governance — enforce rules outside the model, not by training it.
  • Install — one-line installer, Homebrew, or from source.
  • Quickstart — a governed sandbox in ~60 seconds.
  • Concepts — sandboxes, fleets, policy, egress, the ledger.
  • Profiles — the declarative security contract.
  • Adapters — LangChain, CrewAI, LlamaIndex, OpenAI Agents SDK, Strands, Vercel AI SDK, LangChain.js.
  • Security model — what runeward does and does not protect.
  • Observability — metrics, structured logs, and telemetry.

runeward is open source under the Apache License 2.0.