# IronCurtain — Secure Runtime for AI Agents

> IronCurtain is a runtime boundary for agents: it treats the model as untrusted and enforces policy for tool calls, writes, and network effects.

## Install

Save the content below to `.claude/skills/` or append to your `CLAUDE.md`:

## Quick Use

1. Install / set up:

   ```bash
   npm install -g @provos/ironcurtain
   ```

2. Start / smoke test:

   ```bash
   ironcurtain setup && ironcurtain start "Summarize the files in ./src"
   ```

3. Verify:
   - Confirm the policy engine prompts/escalates for risky actions and the session completes without uncontrolled side effects.

## Intro

IronCurtain is a runtime boundary for agents: it treats the model as untrusted and enforces policy for tool calls, writes, and network effects.

- **Best for:** teams running autonomous agents who need enforced guardrails beyond prompt-level instructions
- **Works with:** Node.js 22+, Docker (recommended), LLM provider API keys (Anthropic/Google/OpenAI)
- **Setup time:** 18 minutes

## Practical Notes

- Enforces policy at the boundary (not by trusting the model to follow instructions)
- Supports both a Docker-mediated mux mode and a builtin sandboxed mode (per README)
- GitHub stars/forks (verified): see Source & Thanks

When an agent is autonomous, the biggest failure mode isn’t “bad answer” — it’s uncontrolled side effects. IronCurtain’s framing is useful even if you don’t adopt it fully:

- Assume the model is untrusted.
- Put enforcement outside the model (policy engine + controlled tool boundary).
- Make risky operations explicit and reviewable (writes, pushes, network calls).

A pragmatic adoption path:

1. Use the built-in agent mode first for small tasks.
2. Move to Docker-mediated mux mode when you want stronger isolation.
3. Treat policies as code: version them, review them, and keep a default-deny posture for mutations.

### FAQ

**Q: Is it a model or a wrapper?**
A: It’s a runtime/policy boundary that runs an agent and mediates tool calls.
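To make the mediation described in that answer concrete, here is an added example that is not IronCurtain's code and uses none of its API: a small default-deny tool-call boundary in JavaScript, in the spirit of the adoption path above (enforcement outside the model, policy as code, mutations and network calls explicit and escalated). The rule shape, the tool names (`read_file`, `write_file`, `http_get`, `shell`), the `/workspace/` prefix, the allowed registry host and the sample session are all constructed for illustration; the functions `normalizePath`, `evaluateToolCall`, `mediate` and `runSample` are hypothetical names.

```javascript
// Added example (not IronCurtain's code): a tool-call boundary that evaluates a
// default-deny policy outside the model. All names and values are hypothetical.

const DECISION = { ALLOW: 'allow', DENY: 'deny', ESCALATE: 'escalate' };

// Policy as code: an ordered rule list, first match wins, unmatched calls are denied.
// Reads inside the workspace are free; writes there need a human; one package
// registry host is reachable, any other network call escalates; shell is denied.
const POLICY = [
  { tool: 'read_file',  pathPrefix: '/workspace/', decision: DECISION.ALLOW },
  { tool: 'write_file', pathPrefix: '/workspace/', decision: DECISION.ESCALATE },
  { tool: 'http_get',   hosts: ['registry.npmjs.org'], decision: DECISION.ALLOW },
  { tool: 'http_get',   decision: DECISION.ESCALATE },
  { tool: 'shell',      decision: DECISION.DENY },
];

// Collapse '.' and '..' segments so "/workspace/../etc/passwd" cannot pass a
// prefix check. Relative paths return null and therefore never match a rule.
function normalizePath(p) {
  if (typeof p !== 'string' || !p.startsWith('/')) return null;
  const out = [];
  for (const seg of p.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') out.pop();
    else out.push(seg);
  }
  return '/' + out.join('/');
}

function ruleMatches(rule, call) {
  if (rule.tool !== call.tool) return false;
  if (rule.pathPrefix) {
    const normalized = normalizePath(call.args.path);
    if (normalized === null || !normalized.startsWith(rule.pathPrefix)) return false;
  }
  if (rule.hosts) {
    let host;
    try { host = new URL(call.args.url).hostname; } catch { return false; }
    if (!rule.hosts.includes(host)) return false;
  }
  return true;
}

// Pure policy evaluation: returns the decision and which rule produced it.
function evaluateToolCall(call, policy = POLICY) {
  const idx = policy.findIndex((rule) => ruleMatches(rule, call));
  if (idx === -1) return { decision: DECISION.DENY, rule: 'default-deny' };
  return { decision: policy[idx].decision, rule: idx };
}

// The boundary: the model proposes a call, the policy decides, escalations go to
// an approver outside the model, and every outcome is appended to an audit log.
function mediate(call, approver, audit, policy = POLICY) {
  const verdict = evaluateToolCall(call, policy);
  let executed = false;
  if (verdict.decision === DECISION.ALLOW) executed = true;
  else if (verdict.decision === DECISION.ESCALATE) executed = approver(call) === true;
  audit.push({ tool: call.tool, args: call.args, ...verdict, executed });
  return executed;
}

// Constructed sample session: calls an agent might propose while summarizing ./src.
const SAMPLE_CALLS = [
  { tool: 'read_file',  args: { path: '/workspace/src/index.js' } },
  { tool: 'read_file',  args: { path: '/workspace/../etc/passwd' } },
  { tool: 'write_file', args: { path: '/workspace/SUMMARY.md' } },
  { tool: 'http_get',   args: { url: 'https://registry.npmjs.org/left-pad' } },
  { tool: 'http_get',   args: { url: 'https://example.invalid/upload' } },
  { tool: 'shell',      args: { cmd: 'rm -rf /workspace' } },
];

// Runs the sample session with an approver that only approves workspace writes
// and returns the audit log so the outcomes can be inspected.
function runSample() {
  const audit = [];
  const approver = (call) => call.tool === 'write_file';
  for (const call of SAMPLE_CALLS) mediate(call, approver, audit);
  return audit;
}

console.table(runSample());
```

Saved as, say, `boundary.js` and run with `node boundary.js`, it prints the audit log for the sample session. Two details carry the default-deny posture: an unmatched call falls through to `default-deny` rather than to the model's judgement, and the prefix check runs on a normalized path so a `..` segment cannot step out of the workspace. In the sample, the in-workspace read is allowed, the traversal read is denied by default, the write escalates and is approved, the registry fetch is allowed, the unknown-host fetch escalates and is refused, and the shell call is denied outright.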
**Q: Do I need Docker?**
A: Docker is strongly recommended for the strongest isolation, but some modes run without it.

**Q: What should I lock down first?**
A: Network access and write operations: make them explicit and require approval/escalation.

## Source & Thanks

> Source: https://github.com/provos/ironcurtain
> License: Apache-2.0
> GitHub stars: 399 · forks: 52

---

## Quick Use

1. Install / set up:

   ```bash
   npm install -g @provos/ironcurtain
   ```

2. Start / smoke test:

   ```bash
   ironcurtain setup && ironcurtain start "Summarize the files in ./src"
   ```

3. Verify:
   - Confirm that high-risk actions trigger the policy prompt/escalation flow, and that a controlled session completes without unconstrained side effects.

## Intro

IronCurtain is a security runtime boundary for autonomous agents: it treats the model as untrusted, enforces policy and escalation flows at the boundary of tool calls, write operations and network side effects, reduces the risk of unauthorized writes and runaway side effects, and makes high-risk operations auditable and escalatable.

- **Best for:** autonomous-agent teams that need guardrails enforced at the system level, beyond prompt constraints
- **Works with:** Node.js 22+, Docker (recommended), LLM provider API keys (Anthropic/Google/OpenAI)
- **Setup time:** 18 minutes

## Practical Notes

- Enforce policy at the boundary rather than “trusting the model to behave”
- The README describes support for a Docker-mediated mux mode and a built-in sandbox mode
- GitHub stars / forks (verified): see “Source & Thanks”

The biggest failure mode of an autonomous agent is not “a poor answer” but “uncontrolled side effects”. Even if you do not adopt IronCurtain wholesale, its approach is worth borrowing:

- Treat the model as untrusted;
- Put enforcement outside the model (policy engine + controlled tool boundary);
- High-risk actions must be explicit and reviewable (file writes, push, network requests, etc.).

A more pragmatic adoption path:

1. Run small tasks in the built-in mode first;
2. Move to Docker-mediated mux when you need stronger isolation;
3. Manage policy as code: version it, review it, and keep default-deny for write operations.

### FAQ

**Is it a model or a wrapper?**
A: It is a runtime/policy boundary: it runs the agent and enforces control at tool calls.

**Is Docker required?**
A: Docker is recommended for the strongest isolation, but some modes can run without it.

**What should be locked down first?**
A: Network and write operations first: declare them explicitly and route them through approval/escalation.

## Source & Thanks

> Source: https://github.com/provos/ironcurtain
> License: Apache-2.0
> GitHub stars: 399 · forks: 52

---

Source: https://tokrepo.com/en/workflows/ironcurtain-secure-runtime-for-ai-agents
Author: Script Depot