ᛟ ᚺ ᛊ ᛏ ᛒ ᛖ ᚹ ᛗ ᛚ ᛝ ᛟ

ᚱ ᚢ ᚾ ᛖ

Zero-Trust AI Agent

High-performance. Single binary. Sandboxed by default. Triple mode: CLI agent, CI resource, and self-hosted wiki.


⚔️ Features

🛡️

5-Layer Sandbox

cgroups v2, Network namespace (or net-guard), Seccomp BPF, Landlock, DNS allowlist. Every tool call is isolated.

🔧

10 Built-in Tools

read_file, write_file, list_dir, execute_cmd, fetch_url, inspect_process — all sandboxed.

📚

Skills System

Load contextual abilities via @skill_name. Frontmatter-driven, multi-path search.

🤖

Multi-Provider

GitHub Copilot (auto refresh), OpenRouter, Google Gemini, any OpenAI-compatible endpoint.

🔌

MCP Client

Stdio JSON-RPC client for Model Context Protocol servers. Extend without recompiling.

🚀

Concourse CI

Same binary doubles as a Concourse CI resource type via symlink routing. Zero extra deps.

🧠

Thinking / Reasoning

Adjustable reasoning depth: off, low, medium, high, xhigh. Compatible with Claude and o-series models.

🔍

Semantic Skill Search

Embedding-powered skill discovery. Skills matched by meaning, not just @name references.

🧩

Automatic Allowlist Expansion

Strace-based exploratory analysis that suggests safe policy expansions; human-reviewed before applying.

💬

Custom System Prompt

Override the default system prompt via CLI flag, env var, or config. AGENTS.md context is always appended.

📝

Rune Notes

AI-powered Markdown wiki served from the same binary. Real-time collaboration, public sharing, KaTeX math, Mermaid diagrams, syntax highlighting, role-based auth (admin/user/guest).

✨ Demo

rune
ᚱ› Get weather for Taoyuan from wttr.in
⚙ fetch_url({"url":"https://wttr.in/Taoyuan"})
Execute? [Y/n] Y
approved
fetch_url...ok
────────────────────────────────────────
Taoyuan: ☁️ 27°C, Humidity 79%, Wind WNW 8km/h
────────────────────────────────────────
⚡ [2 steps | 1049 tokens | 1 tool calls]

🔐 Security Model

Figure: Rune Security Model, layered protection wards. Five concentric protection circles forming a runic ward: cgroups, net-guard, seccomp, landlock, and the protected core. Ring labels: cgroups v2 (Resource Ward), net-guard (Network isolation), Seccomp BPF (Syscall filter), Landlock (Filesystem seal), Protected Core (Zero-trust agent runtime).
1. cgroups v2 Memory 512MB · max 64 processes
2. net-guard / netns Seccomp user-notif network filter · domain allowlist
3. Seccomp BPF Blocks ptrace, mount, kexec_load, bpf, setns
4. Landlock Filesystem restriction · only allowed paths
Core Protected zero-trust agent runtime

📝 Rune Notes — Self-Hosted Wiki

A full-featured, AI-powered Markdown wiki served from the same Rune binary. Zero extra dependencies.

🌐

Web UI Included

Full browser-based editor and viewer. Start the notes server with rune notes --serve. No separate process needed.

🔒

Role-Based Auth

Three roles: admin (full control), user (read/write own notes), guest (public read-only access). Per-file visibility settings.

🤝

Real-Time Collaboration

Multiple users can edit notes simultaneously. Changes sync in real time via WebSocket — no page refresh needed.

🔗

Public Sharing

Mark any note as public and share a direct URL. Guests can read without logging in. Great for public docs or personal wikis.

🧮

Rich Rendering

KaTeX math rendering, Mermaid diagrams, syntax-highlighted code blocks, and standard Markdown — all rendered in the browser.

🤖

AI Chat Integration

Ask questions about your notes using the same AI models as the CLI. Context-aware answers grounded in your own wiki content.

🚀 Concourse CI — Quick Start

Use Rune as a Concourse CI resource type. Minimal weather pipeline:

Resource type definition
resource_types:
  - name: rune-agent
    type: registry-image
    source:
      repository: ghcr.io/fourdollars/rune
      tag: latest
Resource — weather check with sandbox policy
resources:
  - name: weather
    type: rune-agent
    check_every: 1h
    source:
      api_key: ((copilot-pat))
      model: gpt-4o-mini
      prompt: "Fetch the weather for Taoyuan from wttr.in using curl."
      policy:
        allowed_commands: ["curl"]
        allowed_domains: ["wttr.in"]
Job — trigger on new versions
jobs:
  - name: weather-check
    plan:
      - get: weather
        trigger: true
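
What an allowed_domains entry such as "wttr.in" has to reject, shown as a host check in Rust. This is an added example, not Rune's own code; the matching rule (exact host, or subdomains only for entries written "*.name") and the function names host_of and domain_allowed are assumptions.

```rust
// Added illustration; not Rune's code. Assumed matching rule: exact host
// match, or any subdomain when the allowlist entry starts with "*.".

/// Extract the lowercase host from an http(s) URL; None means "deny".
fn host_of(url: &str) -> Option<String> {
    // Fail closed on characters that URL parsers disagree about.
    if url.chars().any(|c| c == '\\' || c.is_whitespace() || c.is_control()) {
        return None;
    }
    let rest = url.strip_prefix("https://").or_else(|| url.strip_prefix("http://"))?;
    // The authority ends at the first '/', '?' or '#'.
    let authority = rest.split(|c: char| c == '/' || c == '?' || c == '#').next()?;
    // Userinfo: in "wttr.in@evil.example" the real host follows the last '@'.
    let hostport = authority.rsplit('@').next()?;
    if hostport.starts_with('[') {
        return None; // IPv6 literals are out of scope for a domain allowlist
    }
    let host = hostport.split(':').next()?.trim_end_matches('.').to_ascii_lowercase();
    let valid = !host.is_empty()
        && host.chars().all(|c| c.is_ascii_alphanumeric() || c == '-' || c == '.');
    if valid { Some(host) } else { None }
}

/// True only when the URL's host matches an allowlist entry.
fn domain_allowed(url: &str, allowed: &[&str]) -> bool {
    let host = match host_of(url) {
        Some(h) => h,
        None => return false,
    };
    allowed.iter().any(|entry| {
        let entry = entry.to_ascii_lowercase();
        match entry.strip_prefix("*.") {
            Some(base) => host.ends_with(format!(".{}", base).as_str()),
            None => host == entry,
        }
    })
}

fn main() {
    let allowed = ["wttr.in"]; // value taken from the pipeline policy above
    // Constructed sample URLs: one legitimate, three look-alikes.
    let samples = ["https://wttr.in/Taoyuan", "https://evilwttr.in/",
                   "https://wttr.in.evil.example/", "https://wttr.in@evil.example/"];
    for url in samples.iter() {
        let verdict = if domain_allowed(url, &allowed) { "allow" } else { "deny" };
        println!("{:<34} {}", url, verdict);
    }
}
```

A string check like this does not cover redirects or what a name resolves to at connect time, so it complements rather than replaces enforcement at the network layer.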

🐳 Docker — No Install Required

Run Rune instantly via Docker. Three image variants available:

Available Images
# Alpine — smallest image (~15 MB), musl-based
docker pull ghcr.io/fourdollars/rune:alpine

# Debian (Bookworm) — glibc-based, broad compatibility
docker pull ghcr.io/fourdollars/rune:debian

# Ubuntu (24.04) — familiar environment
docker pull ghcr.io/fourdollars/rune:ubuntu

# Latest tag (defaults to Debian)
docker pull ghcr.io/fourdollars/rune:latest
First-time setup (rune init via Docker)
# Initialize config — mounts ~/.config/rune for persistence
docker run -it --rm \
  -v ~/.config/rune:/home/rune/.config/rune \
  ghcr.io/fourdollars/rune init
Interactive mode
# Start an interactive session
docker run -it --rm \
  -v ~/.config/rune:/home/rune/.config/rune \
  -v "$PWD":/workspace -w /workspace \
  ghcr.io/fourdollars/rune
Pipe mode (scripting)
# One-shot query without local installation
echo "Explain what Landlock is" | docker run -i --rm \
  -v ~/.config/rune:/home/rune/.config/rune \
  ghcr.io/fourdollars/rune --json --yes
Shell alias for convenience
# Add to ~/.bashrc or ~/.zshrc
alias rune='docker run -it --rm \
  -v ~/.config/rune:/home/rune/.config/rune \
  -v "$PWD":/workspace -w /workspace \
  ghcr.io/fourdollars/rune'

📦 Build from Source

Build from source
git clone https://github.com/fourdollars/rune.git
cd rune
cargo build --release
cp target/release/rune ~/.local/bin/
First-time setup
rune init
Pipe mode (scripting)
echo "Get weather for Tokyo" | rune --json --yes