runestone labs
Gatekeeper →

ABOUT

A controlled boundary between agents and the real world.

Most of the interesting agent work right now happens on someone's laptop, not in a SaaS console. Developers are wiring Claude and GPT into shell access, file systems, browsers, internal APIs — and finding out, usually around the third time an agent runs rm -rf in the wrong directory, that "just trust the prompt" is not a policy.

Runestone Labs builds the layer that sits between an agent and the thing it wants to do. Every tool call goes through a decision — allow, require human approval, or deny — evaluated against a policy the agent itself can't override. Every decision lands in an append-only audit log. Nothing leaves your machine unless you say so.

What we believe

Local-first. Tool call metadata is sensitive. Arguments, paths, URLs, memory contents — this isn't the kind of data you route through a third-party SaaS for "observability." Gatekeeper runs on your hardware. Logs stay on your disk. If you ever want a hosted version, you can run the same container on infrastructure you control.

Allow / approve / deny, not allow / deny. Binary allow-or-deny policy is why people disable security tools: any rule strict enough to catch real misuse also blocks the legitimate 5% of work. Gatekeeper's third option — pause, ping a human, resume on a signed approval link — is the difference between a policy engine developers actually leave on and one they wrap in try/except: pass by Thursday.

Honest threat models. Gatekeeper catches some classes of agent misuse and doesn't catch others. The README and threat-model doc say which is which. You won't find vague "AI safety" claims here — we'd rather tell you what we don't protect against than pretend we do.

OSS, Apache-2.0, no bait-and-switch. The gatekeeper is the product. No "community edition" that's missing the thing you need. No feature-gated audit log. If we ever build a hosted tier, it's on top of the OSS core, not instead of it.

Where we're at

Gatekeeper is at v0.3.1 on npm (@runestone-labs/gatekeeper-client), 268 tests, Apache-2.0. Used in production inside Runestone's own personal-assistant stack (which is what keeps the sharp edges honest). External design partners welcome — see the early-access page.

If you want to talk — about using Gatekeeper, integrating with it, breaking it, or building the next thing — the contact page has the real addresses.