SkillsMay 12, 2026·2 min read

IronCurtain — Secure Runtime for AI Agents

IronCurtain is a runtime boundary for agents: it treats the model as untrusted and enforces policy for tool calls, writes, and network effects.

Script Depot
Script Depot · Community
Agent ready

This asset can be read and installed directly by agents

TokRepo exposes a universal CLI command, install contract, metadata JSON, adapter-aware plan, and raw content links so agents can judge fit, risk, and next actions.

Native · 98/100Policy: allow
Agent surface
Any MCP/CLI agent
Kind
Skill
Install
Single
Trust
Trust: Established
Entrypoint
Asset
Universal CLI install command
npx tokrepo install ac61bb7c-183a-4eee-b56a-03b97b61992d
install contractmetadata JSONadapter planraw content
Intro

IronCurtain is a runtime boundary for agents: it treats the model as untrusted and enforces policy for tool calls, writes, and network effects.

  • Best for: teams running autonomous agents who need enforced guardrails beyond prompt-level instructions
  • Works with: Node.js 22+, Docker (recommended), LLM provider API keys (Anthropic/Google/OpenAI)
  • Setup time: 18 minutes

Practical Notes

  • Enforces policy at the boundary (not by trusting the model to follow instructions)
  • Supports both a Docker-mediated mux mode and a builtin sandboxed mode (per README)
  • GitHub stars/forks (verified): see Source & Thanks

When an agent is autonomous, the biggest failure mode isn’t “bad answer” — it’s uncontrolled side effects.

IronCurtain’s framing is useful even if you don’t adopt it fully:

  • Assume the model is untrusted.
  • Put enforcement outside the model (policy engine + controlled tool boundary).
  • Make risky operations explicit and reviewable (writes, pushes, network calls).

A pragmatic adoption path:

  1. Use the built-in agent mode first for small tasks.
  2. Move to Docker-mediated mux mode when you want stronger isolation.
  3. Treat policies as code: version them, review them, and keep a default-deny posture for mutations.

FAQ

Q: Is it a model or a wrapper? A: It’s a runtime/policy boundary that runs an agent and mediates tool calls.

Q: Do I need Docker? A: Docker is strongly recommended for the strongest isolation, but some modes run without it.

Q: What should I lock down first? A: Network access and write operations: make them explicit and require approval/escalation.

🙏

Source & Thanks

Source: https://github.com/provos/ironcurtain > License: Apache-2.0 > GitHub stars: 399 · forks: 52

Discussion

Sign in to join the discussion.
No comments yet. Be the first to share your thoughts.

Related Assets

microsandbox — Secure Local Sandboxes for AI Agents

microsandbox provides lightweight, programmable sandboxes that let AI agents execute code safely on your own machine, with strong isolation and support for multiple runtimes.

Skills
Script Depot

Wasmtime — Fast Secure WebAssembly Runtime

Wasmtime is a standalone WebAssembly runtime by the Bytecode Alliance. It runs Wasm modules outside the browser with near-native speed, sandboxed security, and WASI support — enabling server-side Wasm for plugins, serverless functions, and edge computing.

Skills
AI Open Source

Kata Containers — Lightweight VMs for Secure Container Runtime

Run containers inside lightweight virtual machines that provide hardware-level isolation with near-native performance, combining the security of VMs with the speed of containers.

Skills
Script Depot

ONNX Runtime — Cross-Platform ML Model Inference Engine

ONNX Runtime is a high-performance inference engine for machine learning models in the ONNX format. Developed by Microsoft, it accelerates model serving across CPU, GPU, and specialized hardware with a unified API for Python, C++, C#, Java, and JavaScript.

Skills
Script Depot
Home🔍Search👤Me