https://github.com/rybkr/bridge-keeper
Security constrained agent runtime environment
- Host: GitHub
- URL: https://github.com/rybkr/bridge-keeper
- Owner: rybkr
- Created: 2026-02-02T22:26:49.000Z (5 months ago)
- Default Branch: main
- Last Pushed: 2026-03-25T15:54:20.000Z (3 months ago)
- Last Synced: 2026-03-26T17:41:16.265Z (3 months ago)
- Language: Go
- Homepage:
- Size: 131 KB
- Stars: 0
- Watchers: 0
- Forks: 0
- Open Issues: 2
Metadata Files:
- Readme: README.md
README
# Bridgekeeper
A security-constrained agent runtime that enforces capability-based security for tool use.
Bridgekeeper treats the agent as an untrusted program: it can propose tool calls, but the runtime mediates execution through a policy engine, local sandbox validation, human approval for `ask` decisions, and structured audit logging. Tool inputs are normalized before execution, and sensitive tool output is redacted before it is handed back to the model.
Current state:
- Policy evaluation for tool/action/capability matching is implemented.
- Local sandbox enforcement currently focuses on workspace-bounded filesystem access, argument validation, and output-size limits.
- Audit logging is structured JSONL.
- Sensitive output redaction and simple taint detection are implemented.
- Network sandboxing and deeper information-flow controls are still incomplete.
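The mediation order described above (policy decision first, then a workspace-bounded path check below it) can be sketched as follows. This is an added example, not code from the Bridgekeeper repository: the `Rule` shape, the function names, the `allow`/`deny` values, the default-deny fallback, and the `/srv/workspace` root are all assumptions.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// Rule is a hypothetical shape, not Bridgekeeper's schema; Decision is "allow", "ask" or "deny".
type Rule struct{ Tool, Action, Decision string }

// Evaluate returns the first matching decision; no match means deny (assumed default).
func Evaluate(rules []Rule, tool, action string) string {
	for _, r := range rules {
		if r.Tool == tool && (r.Action == action || r.Action == "*") {
			return r.Decision
		}
	}
	return "deny"
}

// ResolveInWorkspace normalizes a model-supplied relative path and reports
// whether it stays under root. Lexical check only: symlinks are not resolved.
func ResolveInWorkspace(root, requested string) (string, bool) {
	if filepath.IsAbs(requested) {
		return "", false
	}
	full := filepath.Join(root, requested) // Join cleans "." and ".." segments
	rel, err := filepath.Rel(root, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", false
	}
	return full, true
}

// Mediate applies policy, then the sandbox check; an escaping path is denied even on allow/ask.
func Mediate(rules []Rule, root, tool, action, path string) (string, string) {
	decision := Evaluate(rules, tool, action)
	full, ok := ResolveInWorkspace(root, path)
	if decision == "deny" || !ok {
		return "deny", ""
	}
	return decision, full
}

func main() {
	rules := []Rule{{"fs", "write", "ask"}} // constructed policy
	fmt.Println(Mediate(rules, "/srv/workspace", "fs", "write", "../../etc/passwd"))
}
```

A stricter check would also resolve symlinks (for example with `filepath.EvalSymlinks`) before comparing the result against the workspace root.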
## Project Structure
```
bridgekeeper/
├── cmd/bridgekeeper/ # CLI entrypoint
├── internal/
│ ├── agent/ # Provider-specific agent adapters (Gemini, etc.)
│ ├── runtime/ # Core mediation and runtime loop
│ ├── policy/ # Policy engine and YAML loader
│ ├── tools/ # Typed tool implementations grouped by capability
│ ├── sandbox/ # Workspace and payload validation below policy
│ ├── redact/ # Secret redaction and sensitivity classification
│ ├── audit/ # Structured audit trail logging
│ └── hitl/ # Human-in-the-loop approval
├── policies/ # YAML policy files
├── testdata/
│ ├── adversarial/ # Prompt injection and adversarial fixtures
│ └── workflows/ # End-to-end workflow scripts
└── docs/ # Design doc and evaluation report
```