{"slug": "show-hn-runeward-sandboxing-ai-agents-with-policy-gates", "title": "Show HN: Runeward: Sandboxing AI agents with policy gates", "summary": "Runeward, an open-source governance layer for AI agents, provides isolated sandboxes with deny-by-default egress, tamper-evident audit ledgers, human-in-the-loop policy gates, and cost guardrails. It enforces security policies outside the model via Docker or Kubernetes, supporting REST, MCP, CLI, and a web dashboard. The project aims to prevent agent misbehavior such as data exfiltration or runaway costs.", "body_md": "# runeward[¶](#runeward)\n\n**Governed execution cells for AI agents.**\n\nDeclarative profiles provision isolated sandboxes (Docker or Kubernetes) with deny-by-default egress, a tamper-evident audit ledger, human-in-the-loop policy gates, and cost/loop guardrails — driven over REST, MCP, a CLI, and a web dashboard.\n\n## Install[¶](#install)\n\n```\ncurl -fsSL https://raw.githubusercontent.com/Runewardd/runeward/main/install.sh | sh\n```\n\nHomebrew, container images, and building from source are covered in\n[Install](install/). Then jump to the [Quickstart](quickstart/).\n\n## Why runeward[¶](#why-runeward)\n\nLetting an AI agent run shell commands, edit files, install packages, and hit the\nnetwork is useful right up until it `rm -rf`\n\ns the wrong directory, exfiltrates a\nsecret, or burns your API budget in a retry loop. Raw isolation (\"jail the agent\nin a box\") is table stakes. runeward adds the governance layer *around* the box —\nenforcing the rules outside the model instead of hoping it was trained to behave\n([why governance, not training](why-governance/)):\n\n**Profiles are a security contract.** Everything you don't grant is denied by default, so the blast radius is explicit.**Governed, not just isolated.** Every action flows through one path — policy, approval gate, guardrails, backend exec, audit ledger — whether it arrives via REST, the dashboard, or MCP.**Tamper-evident by construction.** An append-only, hash-chained, ed25519-signed ledger records every call and its verdict, and exports as an independently verifiable transcript.**Human-in-the-loop where it matters.** Per-action`allow`\n\n/`deny`\n\n/`require-approval`\n\nverdicts pause risky operations for an operator.**Cost and loop guardrails.** Hard caps on wall-clock, exec count, egress requests, and token/spend budgets, plus retry-loop detection.**Authenticated, multi-user control plane.** Bearer-token auth by default off loopback, optional multi-principal RBAC (per-token profile/approval scopes), and per-principal dashboard views with an interactive login.**Pluggable backends.** Docker/Podman for zero-setup laptop use, or Kubernetes (strict L3 egress, CRDs, admission webhook, PSA + NetworkPolicy multi-tenancy) for production and fleets.\n\n## How it compares[¶](#how-it-compares)\n\n| typical agent sandbox | runeward | |\n|---|---|---|\n| Isolation (container/VM) | yes | yes (Docker or Kubernetes) |\n| Deny-by-default network egress | sometimes | yes; SNI allowlist, strict L3 on k8s |\n| Per-action policy + approvals | rare | yes; builtin / CEL / OPA-Rego + HITL gates |\n| Tamper-evident, signed audit trail | rare | yes; hash-chained + ed25519, verifiable |\n| Cost / loop guardrails | rare | yes; wall-clock, exec, egress, loop caps |\n| Multi-agent fleets | rare | yes; N cells + atomic task board |\n| Control-plane auth + multi-user | rare | yes; bearer token + RBAC principals + per-user views |\n| Agent-native surface | partial | REST + MCP + CLI + dashboard + SKILL/adapters |\n| Signed release artifacts | rare | yes; cosign keyless + SBOMs |\n| Operable as a service | rare | yes; `/metrics` + structured logs |\n\n## Where to next[¶](#where-to-next)\n\n-\n— enforce rules outside the model, not by training it.[Why governance](why-governance/) -\n— one-line installer, Homebrew, or from source.[Install](install/) -\n— a governed sandbox in ~60 seconds.[Quickstart](quickstart/) -\n— sandboxes, fleets, policy, egress, the ledger.[Concepts](concepts/) -\n— the declarative security contract.[Profiles](profiles/) -\n— LangChain, CrewAI, LlamaIndex, OpenAI Agents SDK, Strands, Vercel AI SDK, LangChain.js.[Adapters](adapters/) -\n— what runeward does and does not protect.[Security model](security-model/) -\n— metrics, structured logs, and telemetry.[Observability](observability/)\n\nruneward is open source under the [Apache License 2.0](https://github.com/Runewardd/runeward/blob/main/LICENSE).", "url": "https://wpnews.pro/news/show-hn-runeward-sandboxing-ai-agents-with-policy-gates", "canonical_source": "https://runewardd.github.io/runeward/", "published_at": "2026-07-12 09:35:29+00:00", "updated_at": "2026-07-12 10:05:48.280145+00:00", "lang": "en", "topics": ["ai-agents", "ai-safety", "ai-infrastructure", "ai-tools", "ai-policy"], "entities": ["Runeward", "Docker", "Kubernetes", "LangChain", "CrewAI", "LlamaIndex", "OpenAI", "Vercel"], "alternates": {"html": "https://wpnews.pro/news/show-hn-runeward-sandboxing-ai-agents-with-policy-gates", "markdown": "https://wpnews.pro/news/show-hn-runeward-sandboxing-ai-agents-with-policy-gates.md", "text": "https://wpnews.pro/news/show-hn-runeward-sandboxing-ai-agents-with-policy-gates.txt", "jsonld": "https://wpnews.pro/news/show-hn-runeward-sandboxing-ai-agents-with-policy-gates.jsonld"}}