# Show HN: Runeward: Sandboxing AI agents with policy gates

> Source: <https://runewardd.github.io/runeward/>
> Published: 2026-07-12 09:35:29+00:00

# runeward[¶](#runeward)

**Governed execution cells for AI agents.**

Declarative profiles provision isolated sandboxes (Docker or Kubernetes) with deny-by-default egress, a tamper-evident audit ledger, human-in-the-loop policy gates, and cost/loop guardrails — driven over REST, MCP, a CLI, and a web dashboard.

## Install[¶](#install)

```
curl -fsSL https://raw.githubusercontent.com/Runewardd/runeward/main/install.sh | sh
```

Homebrew, container images, and building from source are covered in
[Install](install/). Then jump to the [Quickstart](quickstart/).

## Why runeward[¶](#why-runeward)

Letting an AI agent run shell commands, edit files, install packages, and hit the
network is useful right up until it `rm -rf`

s the wrong directory, exfiltrates a
secret, or burns your API budget in a retry loop. Raw isolation ("jail the agent
in a box") is table stakes. runeward adds the governance layer *around* the box —
enforcing the rules outside the model instead of hoping it was trained to behave
([why governance, not training](why-governance/)):

**Profiles are a security contract.** Everything you don't grant is denied by default, so the blast radius is explicit.**Governed, not just isolated.** Every action flows through one path — policy, approval gate, guardrails, backend exec, audit ledger — whether it arrives via REST, the dashboard, or MCP.**Tamper-evident by construction.** An append-only, hash-chained, ed25519-signed ledger records every call and its verdict, and exports as an independently verifiable transcript.**Human-in-the-loop where it matters.** Per-action`allow`

/`deny`

/`require-approval`

verdicts pause risky operations for an operator.**Cost and loop guardrails.** Hard caps on wall-clock, exec count, egress requests, and token/spend budgets, plus retry-loop detection.**Authenticated, multi-user control plane.** Bearer-token auth by default off loopback, optional multi-principal RBAC (per-token profile/approval scopes), and per-principal dashboard views with an interactive login.**Pluggable backends.** Docker/Podman for zero-setup laptop use, or Kubernetes (strict L3 egress, CRDs, admission webhook, PSA + NetworkPolicy multi-tenancy) for production and fleets.

## How it compares[¶](#how-it-compares)

| typical agent sandbox | runeward | |
|---|---|---|
| Isolation (container/VM) | yes | yes (Docker or Kubernetes) |
| Deny-by-default network egress | sometimes | yes; SNI allowlist, strict L3 on k8s |
| Per-action policy + approvals | rare | yes; builtin / CEL / OPA-Rego + HITL gates |
| Tamper-evident, signed audit trail | rare | yes; hash-chained + ed25519, verifiable |
| Cost / loop guardrails | rare | yes; wall-clock, exec, egress, loop caps |
| Multi-agent fleets | rare | yes; N cells + atomic task board |
| Control-plane auth + multi-user | rare | yes; bearer token + RBAC principals + per-user views |
| Agent-native surface | partial | REST + MCP + CLI + dashboard + SKILL/adapters |
| Signed release artifacts | rare | yes; cosign keyless + SBOMs |
| Operable as a service | rare | yes; `/metrics` + structured logs |

## Where to next[¶](#where-to-next)

-
— enforce rules outside the model, not by training it.[Why governance](why-governance/) -
— one-line installer, Homebrew, or from source.[Install](install/) -
— a governed sandbox in ~60 seconds.[Quickstart](quickstart/) -
— sandboxes, fleets, policy, egress, the ledger.[Concepts](concepts/) -
— the declarative security contract.[Profiles](profiles/) -
— LangChain, CrewAI, LlamaIndex, OpenAI Agents SDK, Strands, Vercel AI SDK, LangChain.js.[Adapters](adapters/) -
— what runeward does and does not protect.[Security model](security-model/) -
— metrics, structured logs, and telemetry.[Observability](observability/)

runeward is open source under the [Apache License 2.0](https://github.com/Runewardd/runeward/blob/main/LICENSE).
