AI coding agent runtime security

Secure runtime for AI coding agents.

A secure runtime sits between autonomous coding agents and sensitive systems so file reads, terminal commands, network calls, Git operations, and secret exposure can be evaluated before harm happens.

Why AI coding agents need a runtime boundary

AI coding agents now operate in the same environment where developers keep source code, `.env` files, SSH keys, package credentials, Git remotes, and cloud CLIs. A policy written in a handbook does not stop an agent from running `cat .env`, `curl unknown | bash`, `terraform destroy`, or `git push --force`.

The runtime boundary is where intent becomes behavior. It should observe the actual action, attach agent identity and session context, evaluate policy, enforce the decision, and record evidence.

Do not trust the agent's stated intention. Evaluate actual behavior at the action boundary.

Core runtime controls

Filesystem controls

Block reads of `.env`, private keys, cloud credentials, database URLs, and other secret-like paths. Resolve symlinks and hardlinks before making a policy decision.

Terminal controls

Deny destructive commands, detect shell chains, inherit policy across subprocesses, and prevent background processes from escaping the session.

Network controls

Route outbound requests through an allowlisted proxy, flag unknown endpoints, detect uploads, and classify model/tool destinations.

Git controls

Deny direct protected-branch pushes, force pushes, tag deletion, and secret-containing pushes. Approval-gate sensitive path changes.

The AgentGuard first slice

Securie AgentGuard is pre-alpha. The repository currently contains the CLI shell only. The first working runtime slice is deliberately narrow and testable:

  • Reading `.env` is denied and logged.
  • Running `rm -rf` is denied and logged.
  • Reading normal source files and writing a summary is allowed and logged.
  • Reading a file with an AWS key is allowed, but the audit log contains `[REDACTED:aws-access-key]`, never the raw key.
  • A report command renders JSON and markdown audit evidence for the session.
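The core controls and the first slice above, as an added Python illustration (not AgentGuard's code): a minimal action-boundary evaluator that resolves the path before applying the filesystem rule, denies `rm -rf` and pipe-to-shell commands, and redacts AWS access key ids from the audit record before it is stored. The `Runtime` class, the deny patterns and the use of AWS's documentation example key `AKIAIOSFODNN7EXAMPLE` as sample content are assumptions.

```python
import json
import os
import re
from dataclasses import dataclass, field

# Starter deny rules for the first slice (assumed values, not AgentGuard's policy).
SECRET_FILENAMES = {".env", "id_rsa", "id_ed25519"}
DESTRUCTIVE_COMMANDS = (
    re.compile(r"\brm\s+-(?:rf|fr)\b"),     # rm -rf / rm -fr, also inside `a && rm -rf b`
    re.compile(r"\|\s*(?:ba|z)?sh\b"),      # `curl unknown | bash` style pipe-to-shell
)
# Public format of an AWS access key id; used only to redact audit evidence.
AWS_ACCESS_KEY = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
REDACTED = "[REDACTED:aws-access-key]"


def is_secret_path(real_path: str) -> bool:
    name = os.path.basename(real_path)
    return name in SECRET_FILENAMES or name.startswith(".env.")


@dataclass
class Runtime:
    """Action-boundary evaluator: observe, attach identity, decide, record evidence."""
    agent: str
    session: str
    audit: list = field(default_factory=list)

    def _record(self, action: str, target: str, decision: str) -> str:
        # Redact before storing, so the raw key never reaches the log.
        self.audit.append({"agent": self.agent, "session": self.session, "action": action,
                           "target": AWS_ACCESS_KEY.sub(REDACTED, target), "decision": decision})
        return decision

    def read(self, path: str, content: str = "", resolve=os.path.realpath) -> str:
        # Resolve symlinks first, so `notes.txt -> .env` is judged as `.env`.
        # (Hardlinks need an inode comparison against known secret files; omitted here.)
        real = resolve(path)
        if is_secret_path(real):
            return self._record("read", real, "deny")
        return self._record("read", f"{real}: {content[:80]}", "allow")

    def exec(self, command: str) -> str:
        decision = "deny" if any(p.search(command) for p in DESTRUCTIVE_COMMANDS) else "allow"
        return self._record("exec", command, decision)

    def report(self) -> str:
        # JSON evidence for the session; a markdown renderer would consume the same list.
        return json.dumps(self.audit, indent=2)
```

Passing a custom `resolve` callable stands in for a real symlink when exercising the policy without touching the filesystem.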

V1 limits are explicit

The V1 threat actor is the honest hallucinating agent: an agent that is trying to help but may misread instructions, dereference secrets, chain unsafe commands, or follow injected content from tool output. V1 should not be marketed as sandbox-grade isolation against a malicious operator.

That honesty matters for security buyers. It keeps the product credible, makes tests meaningful, and gives future tiers a clear path: stronger process sandboxing, sealed network proxying, content provenance, kernel-level controls, and attestation.

Pressure-test the first secure runtime slice with us.

Join as a design partner