INSTALL

Install Gatekeeper before your agent touches real tools.

Start with the TypeScript client and a local Gatekeeper server. The agent calls Gatekeeper; Gatekeeper evaluates policy, optionally asks for approval, executes the tool, and writes the audit trail.

1. Install the client

npm i @runestone-labs/gatekeeper-client

2. Run Gatekeeper locally

docker run -p 3847:3847 \
  ghcr.io/runestone-labs/gatekeeper:latest

You can also run it from source when you want to edit policy, storage, or local integration behavior directly.

3. Start with a small policy

version: 1

tools:
  http.request:
    allowed_domains: ["api.github.com"]
    allowed_methods: ["GET"]
    decision: allow

  shell.exec:
    allowed_cwd_prefixes: ["/workspace/"]
    deny_patterns: ["rm -rf", "git push --force"]
    decision: approve

principals:
  local_dev:
    allowedTools: ["http.request", "shell.exec"]
    requireApproval: ["shell.exec"]

4. Route a tool call through Gatekeeper

import { GatekeeperClient } from "@runestone-labs/gatekeeper-client";

const gatekeeper = new GatekeeperClient({
  baseUrl: "http://127.0.0.1:3847",
  agentName: "local-agent",
  agentRole: "local_dev",
});

const result = await gatekeeper.httpRequest({
  method: "GET",
  url: "https://api.github.com/repos/Runestone-Labs/gatekeeper",
});
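
How the step 4 request and a few shell.exec calls could be decided under the step 3 policy, as an added example that is not Gatekeeper's own code. The matching semantics (exact hostname match, lexical path normalization, whitespace-collapsed deny patterns, default-deny) and the names policy, normalizeDir and evaluate are assumptions; principals are not modeled.

```javascript
// Added example: assumed semantics for the step 3 policy, not Gatekeeper's own code.
const policy = {
  "http.request": { allowed_domains: ["api.github.com"], allowed_methods: ["GET"], decision: "allow" },
  "shell.exec": {
    allowed_cwd_prefixes: ["/workspace/"],
    deny_patterns: ["rm -rf", "git push --force"],
    decision: "approve",
  },
};

// Resolve "." and ".." lexically so "/workspace/../etc" cannot pass a prefix check.
// Symlinks are not resolved here; a filesystem-backed check would also need realpath.
function normalizeDir(dir) {
  const out = [];
  for (const seg of dir.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") out.pop();
    else out.push(seg);
  }
  return out.length ? "/" + out.join("/") + "/" : "/";
}

// Returns "allow", "approve" or "deny" for one tool call.
function evaluate(tool, args) {
  if (!Object.hasOwn(policy, tool)) return "deny"; // default-deny unlisted tools
  const rule = policy[tool];
  if (tool === "http.request") {
    let host;
    try {
      host = new URL(args.url).hostname;
    } catch {
      return "deny"; // unparseable URL
    }
    // Match the parsed hostname exactly, never a substring of the raw URL.
    if (!rule.allowed_domains.includes(host)) return "deny";
    if (!rule.allowed_methods.includes(String(args.method).toUpperCase())) return "deny";
  } else if (tool === "shell.exec") {
    if (typeof args.cwd !== "string" || !args.cwd.startsWith("/")) return "deny";
    if (!rule.allowed_cwd_prefixes.some((p) => normalizeDir(args.cwd).startsWith(p))) return "deny";
    // Collapse whitespace before substring matching. Substring deny patterns
    // miss variants easily, so treat them as a backstop to the approval step.
    const cmd = String(args.command ?? "").replace(/\s+/g, " ");
    if (rule.deny_patterns.some((p) => cmd.includes(p))) return "deny";
  }
  return rule.decision;
}
```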

Next steps