ABOUT
A controlled boundary between agents and the real world.
Most of the interesting agent work right now happens on someone's laptop, not in a SaaS console. Developers are wiring Claude and GPT into shell access, file systems, browsers, internal APIs — and finding out, usually around the third time an agent runs rm -rf in the wrong directory, that "just trust the prompt" is not a policy.
Runestone Labs builds the layer that sits between an agent and the thing it wants to do. Every tool call goes through a decision — allow, require human approval, or deny — evaluated against a policy the agent itself can't override. Every decision lands in an append-only audit log. Nothing leaves your machine unless you say so.
What we believe
Local-first. Tool call metadata is sensitive. Arguments, paths, URLs, memory contents — this isn't the kind of data you route through a third-party SaaS for "observability." Gatekeeper runs on your hardware. Logs stay on your disk. If you ever want a hosted version, you can run the same container on infrastructure you control.
Allow / approve / deny, not allow / deny. Binary allow-or-deny policy is why people disable security tools: any rule strict enough to catch real misuse also blocks the legitimate 5% of work. Gatekeeper's third option — pause, ping a human, resume on a signed approval link — is the difference between a policy engine developers actually leave on and one they wrap in try/except: pass by Thursday.
Honest threat models. Gatekeeper catches some classes of agent misuse and doesn't catch others. The README and threat-model doc say which is which. You won't find vague "AI safety" claims here — we'd rather tell you what we don't protect against than pretend we do.
OSS, Apache-2.0, no bait-and-switch. The gatekeeper is the product. No "community edition" that's missing the thing you need. No feature-gated audit log. If we ever build a hosted tier, it's on top of the OSS core, not instead of it.
Where we're at
Gatekeeper is at v0.3.2 on npm (@runestone-labs/gatekeeper-client), 359 tests, Apache-2.0. Used in production inside Runestone's own personal-assistant stack (which is what keeps the sharp edges honest). Pilot/support requests welcome — see the pilot-support page.
Behind Runestone Labs
Founded by Evan Vandegriff — software engineer, ~15 years across startups, recent focus on AI in regulated environments.
Engineering roles include early years at TripleLift and SevenRooms, both since acquired in $1B+ exits, then co-founder and CTO of GreenSpark Software (now an emerging category leader in scrap-industry SaaS). Currently advising and consulting on production AI deployment at a healthcare-AI consultancy, where the work involves real LLM systems running against regulated patient data — which is exactly the use case Gatekeeper's threat model is built for.
Runestone Labs is a bootstrapped C Corp. Independent, multi-year runway, no fundraising clock. Built to make the right decisions for the people who depend on this layer, not for an exit timeline.
If you want to talk — about using Gatekeeper, integrating with it, breaking it, or building the next thing — the contact page has the real addresses.
And if you want the longer bet behind all of this, the mission page has it.