cd /news/ai-agents/show-hn-runeward-sandboxing-ai-agent… · home topics ai-agents article
[ARTICLE · art-56088] src=runewardd.github.io ↗ pub= topic=ai-agents verified=true sentiment=↑ positive

Show HN: Runeward: Sandboxing AI agents with policy gates

Runeward, an open-source governance layer for AI agents, provides isolated sandboxes with deny-by-default egress, tamper-evident audit ledgers, human-in-the-loop policy gates, and cost guardrails. It enforces security policies outside the model via Docker or Kubernetes, supporting REST, MCP, CLI, and a web dashboard. The project aims to prevent agent misbehavior such as data exfiltration or runaway costs.

read3 min views1 publishedJul 12, 2026

Governed execution cells for AI agents.

Declarative profiles provision isolated sandboxes (Docker or Kubernetes) with deny-by-default egress, a tamper-evident audit ledger, human-in-the-loop policy gates, and cost/loop guardrails — driven over REST, MCP, a CLI, and a web dashboard.

Install #

curl -fsSL https://raw.githubusercontent.com/Runewardd/runeward/main/install.sh | sh

Homebrew, container images, and building from source are covered in Install. Then jump to the Quickstart.

Why runeward #

Letting an AI agent run shell commands, edit files, install packages, and hit the network is useful right up until it rm -rf

s the wrong directory, exfiltrates a secret, or burns your API budget in a retry loop. Raw isolation ("jail the agent in a box") is table stakes. runeward adds the governance layer around the box — enforcing the rules outside the model instead of hoping it was trained to behave (why governance, not training):

Profiles are a security contract. Everything you don't grant is denied by default, so the blast radius is explicit.Governed, not just isolated. Every action flows through one path — policy, approval gate, guardrails, backend exec, audit ledger — whether it arrives via REST, the dashboard, or MCP.Tamper-evident by construction. An append-only, hash-chained, ed25519-signed ledger records every call and its verdict, and exports as an independently verifiable transcript.Human-in-the-loop where it matters. Per-actionallow

/deny

/require-approval

verdicts risky operations for an operator.Cost and loop guardrails. Hard caps on wall-clock, exec count, egress requests, and token/spend budgets, plus retry-loop detection.Authenticated, multi-user control plane. Bearer-token auth by default off loopback, optional multi-principal RBAC (per-token profile/approval scopes), and per-principal dashboard views with an interactive login.Pluggable backends. Docker/Podman for zero-setup laptop use, or Kubernetes (strict L3 egress, CRDs, admission webhook, PSA + NetworkPolicy multi-tenancy) for production and fleets.

How it compares #

typical agent sandbox runeward
Isolation (container/VM) yes yes (Docker or Kubernetes)
Deny-by-default network egress sometimes yes; SNI allowlist, strict L3 on k8s
Per-action policy + approvals rare yes; builtin / CEL / OPA-Rego + HITL gates
Tamper-evident, signed audit trail rare yes; hash-chained + ed25519, verifiable
Cost / loop guardrails rare yes; wall-clock, exec, egress, loop caps
Multi-agent fleets rare yes; N cells + atomic task board
Control-plane auth + multi-user rare yes; bearer token + RBAC principals + per-user views
Agent-native surface partial REST + MCP + CLI + dashboard + SKILL/adapters
Signed release artifacts rare yes; cosign keyless + SBOMs
Operable as a service rare yes; /metrics + structured logs

Where to next #

— enforce rules outside the model, not by training it.Why governance - — one-line installer, Homebrew, or from source.Install - — a governed sandbox in ~60 seconds.Quickstart - — sandboxes, fleets, policy, egress, the ledger.Concepts - — the declarative security contract.Profiles - — LangChain, CrewAI, LlamaIndex, OpenAI Agents SDK, Strands, Vercel AI SDK, LangChain.js.Adapters - — what runeward does and does not protect.Security model - — metrics, structured logs, and telemetry.Observability

runeward is open source under the Apache License 2.0.

── more in #ai-agents 4 stories · sorted by recency
── more on @runeward 3 stories trending now
sponsored brought to you by zahid.host 4,200+ EU-deployed projects
reading about agents? ship yours in a single git push.

Run your AI side-project on zahid.host

EU-based hosting, git-push deploys, automatic HTTPS, no cold starts. Free tier with a custom domain — perfect for shipping the agent you just read about.

$git push zahid main
Live at https://your-agent.zahid.host
Get free account → Pricing
from €0/mo · no card required
LIVE [news/show-hn-runeward-san…] indexed:0 read:3min 2026-07-12 ·