awesome-agent-runtime-security

Learning something new about runtime security for agents
https://github.com/bureado/awesome-agent-runtime-security


  • Agent Identity & Credentials

    • FAPI / RAR (RFC 9396) - JWT (RFC 9901)](https://datatracker.ietf.org/doc/rfc9901/), [AAuth](https://github.com/dickhardt/AAuth) — IETF Internet-Draft from Dick Hardt (author of OAuth 2.0) defining an agent-native auth protocol with three token types (agent/resource/auth), proof-of-possession, deferred authorization responses, and cross-domain federation between auth servers ([full implementation demo](https://blog.christianposta.com/aauth-full-demo/) with Keycloak + Agentgateway), [Verifiable Intent](https://github.com/agent-intent/verifiable-intent) — Mastercard/Google open spec using three-layer SD-JWT delegation chains (issuer → user → agent) with 8 machine-enforceable constraint types for agent commerce authorization ([blog post](https://shanedeconinck.be/posts/mastercard-verifiable-intent-agents-can-prove-what-you-approved/), [site](https://verifiableintent.dev/)), [AI Agent Auth and Authz (IETF)](https://datatracker.ietf.org/doc/draft-klrc-aiagent-auth/) — Internet-Draft composing WIMSE, OAuth 2.0, Transaction Tokens, and HTTP Message Signatures into a coherent agent auth framework, [CAAM (IETF)](https://datatracker.ietf.org/doc/html/draft-barney-caam-00) — sidecar-based Contextual Agent Authorization Mesh defining a Session Context Object (JWT/CWT with `ctx` claim) that bridges SPIFFE workload identity and IPSIE human identity with ReBAC, RATS attestation, and purpose-bound delegation, [Transaction Tokens](https://datatracker.ietf.org/doc/draft-ietf-oauth-transaction-tokens/), [CAEP and SSF](https://sgnl.ai/whitepaper/caep-best-practices/), [JWT Authorization Grants in MCP](https://github.com/modelcontextprotocol/modelcontextprotocol/discussions/1947), [Token Exchange in MCP](https://github.com/modelcontextprotocol/modelcontextprotocol/issues/214)
    • WIMSE - computing/twi), [CoSAI Remote Attestation](https://github.com/cosai-oasis/ws4-secure-design-agentic-systems/blob/mcp/model-context-protocol-security.md#324-cryptographic-integrity-and-remote-attestation)
    • AuthZEN - started/automated-least-privilege)
    • Trust over IP - labs.github.io/verifiable-trust-spec/), [TRQP](https://www.lfdecentralizedtrust.org/blog/toip-announces-public-review-02-of-the-trust-registry-query-protocol-trqp-specification-v2.0), [Anonymous Credentials (ARC)](https://datatracker.ietf.org/doc/draft-yun-cfrg-arc/)
    • Inter-Agent Trust Models - model/blob/main/draft/0.1/pic-model.md) ([edge simulation](https://somethingsubtle.com/projects/vdabbling-edge-identity-pic-protocol/)), [Agent Identity Protocol (AIP)](https://github.com/openagentidentityprotocol/agentidentityprotocol) — open standard proposed to IETF with cryptographic agent identity, AAT tokens, revocation, and policy enforcement ([Go SDK](https://github.com/openagentidentityprotocol/aip-go)), [opena2a agent-identity-management](https://github.com/opena2a-org/agent-identity-management), [Specification Compendium (naftiko)](https://github.com/naftiko-capabilities/interfaces), [CSA Agentic AI IAM Whitepaper](https://cloudsecurityalliance.org/artifacts/agentic-ai-identity-and-access-management-a-new-approach), [AGBAC](https://github.com/kahalewai/agbac) with [reference implementation](https://github.com/kahalewai/dual-auth).
    • DIF Trusted Agents WG
    • Progressive Authentication - SQL Safety Envelopes](https://openreview.net/forum?id=7c1S9NWmq5), [Permission Protocol](https://github.com/permission-protocol/docs) — fail-closed authority receipts for agent actions with SHA-256 input hashing, human-in-the-loop escalation, and CI gate templates
    • Andrew Green's overview of agent auth solutions
    • DCR for MCP - mcp-oauth-clients-with-spiffe/), [Verifiable Credentials for AI](https://blog.identity.foundation/building-ai-trust-at-scale/), [Continuous Authorization](https://www.linkedin.com/pulse/identity-security-mcp-agents-four-layer-continuous-model-poreddy-mpnvc/), [Delegated Authorization](https://glama.ai/blog/2025-11-27-securing-enterprise-ai-agents-with-unique-identities-in-the-model-context-protocol-mcp), [Delegation patterns](https://blog.christianposta.com/agent-identity-impersonation-or-delegation/), [Cedar delegation for OpenClaw subagents](https://www.windley.com/archives/2026/03/delegation_as_data_applying_cedar_policies_to_openclaw_subagents.shtml), [Riptides](https://riptides.io/blog-post/introducing-riptides-conditional-access-fine-grained-time-aware-security-policies), [Encoding User Intent](https://www.linkedin.com/pulse/complexity-encoding-user-intent-agentic-ai-systems-george-fletcher-xuape/), [ID-JAG](https://www.linkedin.com/pulse/mcp-focus-providing-flexibility-cross-application-atul-tulshibagwale-xvekc/), [OAuth Limitations for Agents](https://kontext.dev/blog/oauth-for-mcp-agents), [Qualified VDRs](https://medium.com/spherity/qualified-verifiable-data-registries-qvdr-as-the-foundational-component-of-digital-public-7a698acfd020), [Agents and Payments Identity](https://sphericalcowconsulting.com/2025/12/23/web-payments-and-digital-identity/), [Ambient Mesh](https://www.linkedin.com/pulse/trust-model-ambient-mesh-microsegmentation-async-flows-nicola-gallo-uplef/), [Token-Based Access Control](https://www.linkedin.com/pulse/mobile-multi-token-challenge-mike-schwartz-nlxtc/), [Applicability of Standards](https://www.authlete.com/developers/api_protection/), [Chaining and Nesting for Lineage](https://www.youtube.com/watch?v=EiemfsbUtgs), and [FGA for Agent Authorization](https://workos.com/blog/agents-need-authorization-not-just-authentication).
    • AAuth - hardt-aauth-protocol/), [full implementation demo](https://blog.christianposta.com/aauth-full-demo/) with Keycloak + Agentgateway; [real world implementation](https://markmhendrickson.com/posts/know-which-of-your-agents-wrote-what/) of AAuth + RFC 9421 HTTP Message Signatures)
    • Verifiable Intent - verifiable-intent-agents-can-prove-what-you-approved/), [site](https://verifiableintent.dev/))
    • AI Agent Auth and Authz (IETF)
    • Agent Native Authorization (IETF)
    • CAAM (IETF) - bound delegation)
    • PIC Model - edge-identity-pic-protocol/))
    • Nanda Unified Architecture - 1](https://github.com/kadikoy1/ais-1)
    • Agent Identity Protocol (AIP) - go))
    • opena2a agent-identity-management
    • AGBAC - auth)
    • Intent-Based Access Control for Agentic AI
    • ZeroID
    • CSA Agentic AI IAM Whitepaper
    • WebBotAuth WG - meunier-web-bot-auth-architecture/) (HTTP Message Signatures for automated traffic), [signatures directory](https://datatracker.ietf.org/doc/draft-meunier-http-message-signatures-directory/), [anonymous bot auth with rate limiting](https://datatracker.ietf.org/doc/draft-rescorla-anonymous-webbotauth/)
    • AGTP Composition
    • Verifiable Trust
    • TRQP
    • Anonymous Credentials (ARC)
    • Directory (dir)
    • DNS-AID - dnsaid](https://datatracker.ietf.org/doc/draft-mozleywilliams-dnsop-dnsaid/))
    • DAWN
    • Identity Management for Agentic AI (OpenID Foundation)
    • Delegated Authorization Constrained to Semantic Task-to-Scope Matching
    • Authorization Propagation in Multi-Agent AI
    • Vega (Microsoft Research)
  • Provenance, Instrumentation & Observability

    • aflock - toto, provenance, policy | Signed policy files that constrain agent behavior and produce verifiable attestations derived from model, environment, tools, policy, and parent. Facilitates key separation, SPIFFE-modeled workload attestation, and in-toto-inspired sublayouts for delegated sub-agent constraints. |
    • cupcake
    • mandible - agent coordination framework with built-in cryptographic provenance: bridge attestations create linked chains of custody across environments. Seeks to implement output-level provenance and causal lineage tracking as first-class primitives. |
    • sage - based reputation APIs, local YAML threat heuristics, and supply-chain package analysis. |
    • AgentSentinel - time defense framework for monitoring and constraining agent behavior using eBPF instrumentation. See also the [research paper](https://arxiv.org/abs/2509.07764). |
    • AgentSight (eBPF) - based observability tool providing kernel-level tracing of agent runtime behavior without modifying the agent code. |
    • membrane - filtering | Agent-agnostic sandbox with eBPF tracing (via Tracee sidecar) logging all file, network, and process activity as structured JSONL, hostname-allowlisted egress filtering with continuous DNS refresh, filesystem masking/read-only patterns, and unprivileged Docker-in-Docker via Sysbox. |
    • tapes - addressable | Transparent agentic telemetry proxy (same author as stereOS): intercepts agent↔inference API traffic, stores every session as content-addressable turns in SQLite with vector embeddings, OpenTelemetry instrumentation, deterministic replay via session checkout, and semantic search across conversation history. |
    • agentgateway
    • rover (instrumentation) - focused agent framework with built-in tracing, policy enforcement, and sandboxed tool execution. |
    • ClawShield - in-depth security proxy for AI agents with optional eBPF syscall monitoring, note the cross-layer event bus that helps tighten policies across layers. |
    • SentinelGate - platform userspace firewall for AI agents that intercepts MCP tool calls (as an aggregating proxy), shell commands, file access, and HTTP requests, enforcing RBAC and CEL-powered policies (same engine as Kubernetes/Envoy) |
    • carapace - proxy, MCP | Cedar policy enforcement for AI agents with an LLM proxy that intercepts model responses and strips denied tool calls before the agent sees them — the agent never holds the real API key. Gates MCP tools, shell commands, and API domains via Cedarling WASM (<6ms). See also [OVID-ME](https://github.com/clawdreyhepburn/ovid-me), the mandate evaluation layer for delegated agent authority: Cedar policies in JWT `authorization_details` (RFC 9396 RAR), SPIFFE-style Ed25519 signature chains with stepwise scope narrowing enforced via SMT subset proofs, and an AuthZEN-compliant PDP. |
    • ibac - parsing, policy | Intent-Based Access Control: derives per-request FGA tuples from the user's stated intent (one extra LLM call), then checks them against OpenFGA before every tool invocation (~9ms). Default-deny, no framework changes. 100% injection blocking on AgentDojo (strict mode). |
    • gryph - trail | Local-first audit trail for AI coding agents that hooks into tool calls and logs every file read/write and command execution. |
    • Arize Phoenix Tracing
    • agentry - to-agent interactions. |
    • dapr-a2a - to-Agent protocol providing service mesh-style observability and policy for inter-agent communication. |
    • toolhive provenance
    • Virtual MCP Server (Stacklok)
    • Agent Governance Toolkit - language (Python, TypeScript, .NET). |
    • agent-trace
    • Infisical Agent Sentinel
    • MCPSpy - based real-time monitor that intercepts MCP traffic at the kernel level. Includes ML-based prompt injection detection on the wire. |
    • Claw Patrol - separation, policy | Routes agent traffic through WireGuard/Tailscale tunnels: terminates TLS, parses the inner protocol, injects credentials the agent never sees, and evaluates HCL/CEL rules per request. Approval chains compose LLM judges and human-in-Slack. See [blog post](https://deno.com/blog/clawpatrol). |
    • guardians - analysis | Implementation of Erik Meijer's ["Guardians of the Agents"](https://cacm.acm.org/practice/guardians-of-the-agents/). See also [CaMeL](https://arxiv.org/abs/2503.18813). |
    • hooksy - analysis | Claude Code hooks inspector with LLM-augmented dynamic analysis. |
    • AgentTrust - judge | Real-time semantic safety interception between agent and tools. 170 YAML policy rules, <1ms rule latency. See [paper](https://arxiv.org/abs/2605.04785). |
    • micromize - LSM, IMA, execution-integrity, Kubernetes | BPF-LSM enforcement of container boundaries built on [Inspektor Gadget](https://github.com/inspektor-gadget/inspektor-gadget). Execution integrity via SBOM + runtime binary hash validation using `bpf_ima_file_hash`. |
  • References

  • Sandboxing & Isolation

    • nono - protected configuration and OS-native secrets management, making it one of the most holistic agent sandboxing solutions. See also [kubefence](https://github.com/bpradipt/kubefence), an NRI plugin that transparently injects nono sandboxing into Kubernetes containers and Kata VMs. |
    • e2b - based agent sandbox infrastructure using [Firecracker](https://github.com/firecracker-microvm/firecracker) MicroVMs for strong hardware-level isolation between agent workloads. |
    • Zeroboot - fork | Sub-millisecond VM sandboxes (0.8ms spawn) via Firecracker snapshot copy-on-write forking — each fork is a real KVM VM with hardware-enforced memory isolation at ~265KB per sandbox. No networking inside forks (serial I/O only). |
    • Beams - identity, zero-secrets | Teleport's agent runtime using Firecracker VMs (200ms startup) with delegated short-lived identity certificates, zero secrets in the sandbox, policy-controlled egress proxy, and inference endpoint routing that injects backend credentials without exposing API keys to the agent. |
    • krunai - built agent sandbox running AI agents inside [libkrun](https://github.com/containers/libkrun) KVM microVMs, transparent user-space networking via [gVisor](https://github.com/google/gvisor) netstack. |
    • stereOS - built NixOS for AI agents, support for QEMU/KVM with sub-3s boot, gVisor included for in-VM sandboxing, and vsock-based secret injection via tmpfs. See also [agentd](https://github.com/papercomputeco/agentd). |
    • capsem - kernel, air-gapped | macOS-native sandbox running agents in Linux VMs via Apple Virtualization.framework. Custom kernel compiled with `CONFIG_INET=n` (no IP stack) and `CONFIG_MODULES=n` (no loadable modules), read-only rootfs, BLAKE3 boot asset integrity, no systemd. |
    • Docker Sandboxes - built sandbox for coding agents. See also [NanoClaw on Docker Sandboxes](https://nanoclaw.dev/blog/nanoclaw-docker-sandboxes/) for micro VM-based per-agent isolation. |
    • sandbox-runtime - level isolation. |
    • matchlock - language SDK for running agents in ephemeral Firecracker microVMs with host-boundary secret injection through a MITM proxy. |
    • Cleanroom - hosted agent sandbox using Firecracker with host-side [gateway](https://github.com/buildkite/cleanroom/blob/main/docs/gateway.md) credential injection and digest-pinned OCI images. |
    • boxlite - based sandbox for coding agents using KVM virtualization via [libkrun](https://github.com/containers/libkrun), providing strong hardware-enforced isolation. |
    • brood-box - isolation, egress-control, MCP-authz | CLI for running AI coding agents (Claude Code, Codex, OpenCode) inside [libkrun](https://github.com/containers/libkrun) KVM microVMs with COW snapshot isolation, DNS-aware egress policies, and Cedar-based MCP authorization. Built on [go-microvm](https://github.com/stacklok/go-microvm). |
    • Agent Sandbox (k8s) - containers/kata-containers) for sandboxing AI agents in cloud-native environments. |
    • OpenSandbox - purpose sandbox platform for AI agents with multi-language SDKs, per-sandbox egress controls, ingress gateway, and secure container runtimes ([gVisor](https://github.com/google/gvisor), [Kata](https://github.com/kata-containers/kata-containers), Firecracker). |
    • Gondolin - VMs. See also the [security design](https://earendil-works.github.io/gondolin/security/) and [repo](https://github.com/earendil-works/gondolin). |
    • k7 - containers/kata-containers) to add MicroVM-backed security boundaries to agent execution. |
    • Hyperlight - nanvix-bringing-multi-language-support-for-extremely-fast-hardware-isolated-micro-vms) | MicroVM, syscall interposition | Hardware-isolated VMs via KVM or Hyper-V with millisecond cold starts and no guest OS — combined with host-side syscall interposition for 150+ syscalls via the Nanvix Rust microkernel. See also [hyperlight-sandbox](https://github.com/hyperlight-dev/hyperlight-sandbox), the Python SDK (v0.1) for running sandboxed code in Hyperlight VMs (KVM/MSHV) or WASM backends. |
    • Authority Nanos - based agent execution environment built on Nanos with 14 custom syscalls for agent communication and a secondary WASM sandbox for capability-gated tool execution. |
    • Leash
    • secimport - based module-level Python sandbox that uses USDT probes to track which Python module is executing at each syscall boundary and nsjail seccomp profile generation. |
    • sandlock - notif | Process sandbox combining Landlock (filesystem + network + IPC), seccomp-bpf (syscall filtering), and seccomp user notification (resource limits, IP enforcement, /proc virtualization, port virtualization). No root, no cgroups, no containers. COW fork enables O(1) memory scaling — parent loads model once, children share via copy-on-write. See also the [architecture blog post](https://multikernel.io/2026/03/14/introducing-sandlock/). |
    • ironclaw - injection | WASM-sandboxed tools (capability-based permissions, endpoint allowlisting), host-boundary credential injection where secrets never enter WASM memory. |
    • amla-sandbox - based agent sandbox using wasmtime with a capability-based security model that enforces per-tool method constraints, call limits, and parameter validation before any tool invocation leaves the sandbox. |
    • OpenFang - tracking | Uses a WASM dual-metered sandbox: wasmtime with both fuel metering and epoch interruption, backed by a watchdog thread that force-kills runaway code. Seeks to implement information flow taint tracking (secrets labelled from source to sink), Ed25519-signed agent manifests, and other techniques. |
    • smolVM - binary VMs. |
    • clampdown - capability agent (cap-drop=ALL), Landlock V3 filesystem isolation, ~115 blocked syscalls via seccomp, mandatory OCI hooks enforcing security policy on every tool container the agent spawns and SELinux/AppArmor confinement. |
    • IronCurtain - layer agent sandbox: Code Mode runs TypeScript in a V8 isolate with zero host access, Docker Mode runs external agents (Claude Code, Goose) in network-disabled containers. Plain-English [constitution](https://www.provos.org/p/ironcurtain-secure-personal-assistant/) compiled into deterministic policy rules enforced on every MCP tool call, plus bubblewrap-sandboxed MCP servers. |
    • monty - generated code with no host access by default — filesystem, network, and env are only available via explicitly provided external functions, with sub-microsecond startup and serializable execution state. |
    • yolo-cage - branch isolation, a fail-closed mitmproxy egress proxy with LLM-Guard secret scanning and GitHub API operation blocking, TruffleHog pre-push hooks, and Kubernetes NetworkPolicy. |
    • OpenShell - injection | NVIDIA's agent sandbox runtime using K3s (Kubernetes inside Docker) with four policy domains: filesystem, L7 network policy (HTTP method + path enforcement, hot-reloadable), process constraints, and a privacy router that strips agent credentials and injects backend credentials for LLM API calls. |
    • agentsh - bpf with user-notify for signal interception and syscall blocking. |
    • fence - platform agent sandbox using bubblewrap with Landlock, seccomp, and eBPF monitoring on Linux. |
    • ai-jail - layer agent sandbox: bubblewrap namespaces (PID/UTS/IPC/net) + Landlock V3/V4 (filesystem + network) + seccomp-bpf (~30 blocked syscalls) + resource limits. Lockdown mode mounts project read-only with no network and clearenv. Sensitive dirs (`.gnupg`, `.aws`, `.ssh`) never mounted; per-project `.ai-jail` TOML config. macOS via `sandbox-exec`. |
    • dyana - based sandbox for loading, running, and profiling untrusted files (ML models, Pickle, ELF, JS) with hardened containers (cap-drop ALL, no-new-privileges, network disabled, ipc-none, mem/pid limits, tmpfs noexec) monitored by an Aqua Tracee eBPF sidecar that traces 40+ security events (fileless execution, ld_preload, code injection, syscall hooking) scoped to the target container. |
    • shai - development/) model for controlled agent-driven code changes, scoping changes to discrete units. |
    • Rover Sandbox - focused agent framework. See also the [sandbox implementation code](https://github.com/endorhq/rover/tree/171a5b0eb277f2f1029062167a762a7f14a9b184/packages/cli/src/lib/sandbox). |
    • Veto (Ona) - addressable | Content-addressable kernel enforcement using BPF LSM: blocks executables by SHA-256 hash of binary content (not path), pre-execution with no TOCTOU gap. The [deep dive on agent evasion of path-based controls](https://ona.com/stories/how-claude-code-escapes-its-own-denylist-and-sandbox) is a good read for anyone working with `bubblewrap`. |
    • The Agent Sandbox Taxonomy
    • ExitBox - sandboxes](https://github.com/datalayer/code-sandboxes), [Kilntainers](https://github.com/Kiln-AI/Kilntainers) (MCP server routing agent tool calls to Docker/Podman, E2B, Modal, or WASM sandboxes — the agent communicates with the sandbox over MCP so credentials never enter it), [nanoclaw](https://github.com/qwibitai/nanoclaw), [yolobox](https://github.com/finbarr/yolobox), [agentbox](https://github.com/rcarmo/agentbox), [construct-cli](https://github.com/EstebanForge/construct-cli), and [ctenv](https://github.com/osks/ctenv) all rely on standard Linux container isolation. [try](https://github.com/binpash/try) and [usand](https://github.com/richfelker/usand) use Linux namespaces via `unshare` to let commands run in a contained environment. [nsjail](https://nsjail.dev/) is Google's lightweight process isolation tool combining Linux namespaces, cgroups, and seccomp-bpf. [sandbox (Cloudflare)](https://github.com/cloudflare/sandbox) provides a seccomp library for syscall filtering. [systemd's exec security settings](https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html) and [setpriv](https://github.com/util-linux/util-linux/blob/master/sys-utils/setpriv.1.adoc) serve as convenient declarative frontends for composing namespaces, seccomp, and capabilities.
    • bubblewrap - better-way-to-limit-claude-code-and-other-coding-agents-access-to-secrets/) or [OpenCode](https://blog.gpkb.org/posts/ai-agent-sandbox/), with [nixwrap](https://github.com/rti/nixwrap) providing a Nix-declarative wrapper, [sandbox-run](https://github.com/sandbox-utils/sandbox-run) a minimal CLI around it, and [Grauwolf's sandbox-run](https://codeberg.org/Grauwolf/sandbox-run) a per-project wrapper that isolates file writes, tmp, and tool state.
    • Landlock - lsm/island) is the go-to sandbox tool. [landrun](https://github.com/Zouuup/landrun) and [rstrict](https://github.com/creslinux/rstrict) are CLI tools for restricting process access. [Litterbox](https://litterbox.work/) combines Landlock with Linux namespaces, and [Cursor Agent Sandboxing](https://cursor.com/blog/agent-sandboxing) uses Landlock, noting 40% fewer approval interruptions after teaching agents about their sandbox constraints.
    • gVisor - containers/kata-containers) provide lightweight virtual machines with a standard container interface. [libkrun](https://github.com/containers/libkrun) is a library for running lightweight KVM-backed VMs that serves as the hypervisor isolation layer for boxlite, brood-box, krunai, and several other agent sandboxes in this list. [go-microvm](https://github.com/stacklok/go-microvm) is a Go framework for running OCI images as microVMs via libkrun. [styrolite](https://github.com/edera-dev/styrolite) is Edera's container runtime engine that runs containers inside VM guests via a type 1 paravirtualized hypervisor (see the [Edera hypervisor paper](https://arxiv.org/abs/2501.04580)). [microvm.nix](https://github.com/microvm-nix/microvm.nix) is a Nix Flake for declaratively building and running NixOS MicroVMs across hypervisors (cloud-hypervisor, Firecracker, QEMU, crosvm, etc.). The [OpenClaw MicroVM walkthrough](https://buduroiu.com/blog/openclaw-microvm/) is a practical blog post demonstrating MicroVM-based agent sandboxing using cloud-hypervisor, with network egress logging via nftables/unbound and secret injection through virtiofs mounts.
    • langchain-sandbox - based library sandboxing for isolating untrusted components within a process; [wassette](https://microsoft.github.io/wassette/latest/concepts.html) applies WASM at fine-grained component boundaries. [V8 Isolates](https://blog.cloudflare.com/safe-in-the-sandbox-security-hardening-for-cloudflare-workers/) offer a lightweight per-request isolation model as an alternative to containers or VMs — see also Cloudflare's [Dynamic Worker Loader](https://blog.cloudflare.com/dynamic-workers/) for on-demand per-agent V8 sandboxes with capability-scoped env bindings and optional network blocking. [Deno Deploy Sandbox](https://deno.com/deploy/sandbox) is a managed sandbox API that gives each execution a dedicated Firecracker microVM.
    • agentOS - OS, formally-verified | Real bootable OS on the [seL4 microkernel](https://sel4.systems/) — the world's only formally verified, capability-secured microkernel — designed ground-up for AI agents. Agents run in hardware-enforced isolated address spaces with unforgeable capability tokens (ToolCap, ModelCap, NetCap, SpawnCap); capabilities are delegatable but never escalatable. Ed25519 identity is badged at the kernel IPC level. seL4 runs at ARM EL2 as the hypervisor. Alpha; boots on QEMU AArch64/x86_64. |
    • Freestyle - virt | Managed agent-scale sandbox infrastructure: full Linux KVM VMs (not containers) with nested virtualization, real root access, sealed multi-user isolation inside each VM, git repos per agent with bidirectional GitHub sync, scales to 10k+ concurrent agents. |
    • Sprites - restore | Fly.io's managed Firecracker-based persistent Linux VMs for running coding agents or arbitrary code; checkpoint/restore in ~300ms, pre-installed with Claude Code and Codex CLI, API and CLI access. |
    • InstaVM - filtering, secrets-injection | Managed microVM sandboxes for AI agents: dedicated kernel per sandbox, default-deny egress with domain/CIDR allowlists, proxy-based secret injection (agents never see API keys), full execution logs and network traces. |
    • tilde.run - filesystem, egress-filtering | SaaS agent sandbox with a versioned POSIX filesystem (mounting code from GitHub, data from S3, documents from Drive as a single ~/sandbox), container-isolated runs with atomic commit-on-clean-exit/rollback-on-failure semantics, network policy with per-outbound-call audit log, and human approval gates. |
    • shuru - proxy | macOS-primary agent sandbox using Apple Virtualization.framework with ephemeral rootfs (resets on every run), host-allowlisted egress, VirtioFS mounts with overlay (guest writes never touch host by default), and a secrets proxy that injects placeholder tokens into the VM substituting real values only on outbound HTTPS to specified hosts — secrets never enter the VM. TypeScript SDK + agent skill. |
    • Bromure Agentic Coding - proxy, approval-gating | macOS (Apple Silicon) app running agents in Linux VMs with selective folder sharing. Credential stub-and-swap proxy — real tokens substituted at the hypervisor boundary, never written to VM disk/env/memory. ssh-agent forwarded via macOS Keychain socket (no key files in VM). Human-in-the-loop approval popups before sensitive credentials are substituted. Live Trace Inspector. Free and open source. |
    • bentorun - sandboxed container on Google Cloud Run — Sentry (user-space Go kernel intercepts syscalls) + Gofer (filesystem proxy), per-session isolation, configurable package allowlist. |
    • syva - enforcement | eBPF programs loaded per node that enforce zone-based boundaries between container groups — intercepts and denies cross-zone `open()`, `exec()`, `mmap()`, `ptrace()`, and `kill()` at the kernel level before they happen. Fills the gap namespaces leave: containers share a kernel, and namespaces alone don't stop cross-container ptrace or bind-mount file access. Declarative TOML policy (capabilities, memory/PID limits, network zones, filesystem paths, syscall deny list). No sidecar, no proxy. |
    • Hazmat - native runtime containment for AI agents and coding-agent workflows using isolated macOS users, Seatbelt sandboxing (`sandbox_init` via a privileged helper), PF firewall controls, DNS blocklists, backup/rollback, and a TLA+-checked design (44,795+ states across nine specs covering setup/rollback ordering, seatbelt policy, migration, tier policy equivalence, and helper fd isolation) to reduce host and network blast radius. |
    • secure-exec - based Node.js sandboxing. Bridges real Node.js APIs (fs, http, child_process) into the isolate. |
  • Secrets Management & Isolation

    • agent-creds - interception, Docker, credential-injection | Network-isolated Docker sandbox with iptables-enforced traffic routing through an Envoy TLS-intercepting proxy, where a vault service validates Macaroon tokens (scoped by host, method, path, and expiry) and injects real API credentials server-side. |
    • wardgate - injection, SSH, IMAP, SMTP, containers, approval-workflow | Security gateway isolating credentials; agents authenticate to the gateway with their own key while real credentials are injected server-side — combined with "conclaves" (isolated containers with per-command policy, pipeline parsing, and tool/data/network isolation) |
    • Riptides on-the-wire credential injection - injection | Kernel-space interception of outbound agent requests with on-the-wire injection of Vault/OpenBao-sourced credentials via SPIFFE workload identity, ensuring secrets never materialize in agent user space. |
    • clawshell - keys, DLP, Unix-permissions | Drop-in sidecar proxy for OpenClaw that maps virtual API keys to real provider credentials (stored in a Unix-permission-protected config), with regex-based DLP scanning that can block or redact PII in request/response bodies before they reach upstream LLM APIs. |
    • secretless-ai - injection, keychain | Keeps credentials out of AI context windows; for Claude Code it installs a `PreToolUse` hook that intercepts every file read, grep, glob, bash, write, and edit before execution. Supports multiple secret backends (local AES-256-GCM, OS keychain, 1Password). |
    • enject - isolation, CLI, subprocess-injection | Rust CLI (formerly enveil) that replaces `.env` plaintext values with `en://` placeholder references while real values are stored in an Argon2id-derived AES-256-GCM encrypted local store. Decrypts, resolves references, injects real values into the subprocess environment, then zeroizes key material. Deliberately omits `get`/`export` commands to prevent AI-readable secret leakage. |
    • airut masked secrets - secrets, network-allowlist, AWS-SigV4 | mitmproxy transparently intercepts all HTTPS traffic, generates format-preserving surrogate tokens, injects them into the container's environment, and the proxy swaps surrogate → real value in outgoing request headers only for scoped hosts. |
    • Tailscale Aperture - injection, Tailscale, observability | Alpha LLM API gateway running on a tailnet that extracts the model name from each request body, routes the request to the correct provider, and injects provider authentication headers server-side. |
    • latchkey - injection, curl, browser-login, agent-skills | TypeScript CLI that injects stored credentials into `curl` requests to known third-party APIs (Slack, GitHub, Discord, Linear, Google Workspace, AWS, Stripe, and ~25 more). Credentials are encrypted under `~/.latchkey` using the OS keyring. |
    • sops
    • iron-proxy - proxy, egress, secret-injection, DNS, SSRF | MITM egress proxy with built-in DNS server: default-deny at the network boundary (domain/CIDR allowlist, everything else gets a 403), boundary-level secret injection (workloads use proxy tokens worthless outside the proxy — real creds swapped in at egress), upstream IP deny list closing SSRF/DNS-rebinding gaps (IMDS blocked by default), per-request structured JSON audit trail, streaming-aware (WebSocket/SSE). Single binary, single YAML. |
    • authsome - store, token-refresh | Local credential layer for AI agents: log in once via OAuth2 or API key, authsome keeps tokens fresh (auto-refresh, expiry handling) across scripts, cron, CI, and parallel pipelines. Single encrypted store for all providers; agents call it at runtime instead of reading env vars. |
    • authproxy - injection, OAuth2, audit | Embeddable open-source iPaaS HTTP proxy: application sends requests without credentials, authproxy injects the appropriate auth (OAuth2 bearer, API key), auto-refreshes expired tokens, logs every request for auditability. Declarative YAML connector definitions, pre-built admin UI, connector marketplace. |
    • Warden - brokering | Broker where the agent presents a JWT or TLS cert (SPIFFE SVID) and Warden injects real credentials per request; the agent never holds secrets. Per-call role switching for mid-task least privilege, plus a discovery protocol (agents introspect their allowed roles/providers/skills). |
    • kloak - interception, Kubernetes, secret-injection | Kubernetes eBPF secret injector that hooks TLS writes via uprobes (OpenSSL, BoringSSL, Go): applications only see hashed placeholder tokens, real secrets exist solely in eBPF maps and are swapped in-kernel before encryption. |
    • onecli - injection, per-agent-tokens | Rust gateway: agents use placeholder keys and the gateway swaps in real credentials at request time, matched by host/path patterns. AES-256-GCM at rest, per-agent scoped access tokens. |
    • LEASH - execution, zero-exposure, connection-contracts | Proposed companion standard to MCP for secret handling. Vault executes operations on the agent's behalf using secrets and returns only results. Platform-bound credentials + binary attestation of the connector process. |