Show HN: Runeward: Sandboxing AI agents with policy gates Runeward, an open-source governance layer for AI agents, provides isolated sandboxes with deny-by-default egress, tamper-evident audit ledgers, human-in-the-loop policy gates, and cost guardrails. It enforces security policies outside the model via Docker or Kubernetes, supporting REST, MCP, CLI, and a web dashboard. The project aims to prevent agent misbehavior such as data exfiltration or runaway costs. runeward ¶ runeward Governed execution cells for AI agents. Declarative profiles provision isolated sandboxes Docker or Kubernetes with deny-by-default egress, a tamper-evident audit ledger, human-in-the-loop policy gates, and cost/loop guardrails — driven over REST, MCP, a CLI, and a web dashboard. Install ¶ install curl -fsSL https://raw.githubusercontent.com/Runewardd/runeward/main/install.sh | sh Homebrew, container images, and building from source are covered in Install install/ . Then jump to the Quickstart quickstart/ . Why runeward ¶ why-runeward Letting an AI agent run shell commands, edit files, install packages, and hit the network is useful right up until it rm -rf s the wrong directory, exfiltrates a secret, or burns your API budget in a retry loop. Raw isolation "jail the agent in a box" is table stakes. runeward adds the governance layer around the box — enforcing the rules outside the model instead of hoping it was trained to behave why governance, not training why-governance/ : Profiles are a security contract. Everything you don't grant is denied by default, so the blast radius is explicit. Governed, not just isolated. Every action flows through one path — policy, approval gate, guardrails, backend exec, audit ledger — whether it arrives via REST, the dashboard, or MCP. Tamper-evident by construction. An append-only, hash-chained, ed25519-signed ledger records every call and its verdict, and exports as an independently verifiable transcript. Human-in-the-loop where it matters. Per-action allow / deny / require-approval verdicts pause risky operations for an operator. Cost and loop guardrails. Hard caps on wall-clock, exec count, egress requests, and token/spend budgets, plus retry-loop detection. Authenticated, multi-user control plane. Bearer-token auth by default off loopback, optional multi-principal RBAC per-token profile/approval scopes , and per-principal dashboard views with an interactive login. Pluggable backends. Docker/Podman for zero-setup laptop use, or Kubernetes strict L3 egress, CRDs, admission webhook, PSA + NetworkPolicy multi-tenancy for production and fleets. How it compares ¶ how-it-compares | typical agent sandbox | runeward | | |---|---|---| | Isolation container/VM | yes | yes Docker or Kubernetes | | Deny-by-default network egress | sometimes | yes; SNI allowlist, strict L3 on k8s | | Per-action policy + approvals | rare | yes; builtin / CEL / OPA-Rego + HITL gates | | Tamper-evident, signed audit trail | rare | yes; hash-chained + ed25519, verifiable | | Cost / loop guardrails | rare | yes; wall-clock, exec, egress, loop caps | | Multi-agent fleets | rare | yes; N cells + atomic task board | | Control-plane auth + multi-user | rare | yes; bearer token + RBAC principals + per-user views | | Agent-native surface | partial | REST + MCP + CLI + dashboard + SKILL/adapters | | Signed release artifacts | rare | yes; cosign keyless + SBOMs | | Operable as a service | rare | yes; /metrics + structured logs | Where to next ¶ where-to-next - — enforce rules outside the model, not by training it. Why governance why-governance/ - — one-line installer, Homebrew, or from source. Install install/ - — a governed sandbox in ~60 seconds. Quickstart quickstart/ - — sandboxes, fleets, policy, egress, the ledger. Concepts concepts/ - — the declarative security contract. Profiles profiles/ - — LangChain, CrewAI, LlamaIndex, OpenAI Agents SDK, Strands, Vercel AI SDK, LangChain.js. Adapters adapters/ - — what runeward does and does not protect. Security model security-model/ - — metrics, structured logs, and telemetry. Observability observability/ runeward is open source under the Apache License 2.0 https://github.com/Runewardd/runeward/blob/main/LICENSE .