Summary

IronCurtain provides a secure runtime for autonomous AI agents, translating human-readable constitutions into enforced security policies. It addresses the "ambient authority" problem of current agents, enabling them to operate autonomously within defined boundaries without risking data exfiltration or malicious actions, targeting developers and researchers.

How It Works

The system treats agents as untrusted, compiling natural language constitutions into deterministic runtime policies via an LLM pipeline. This policy is enforced through semantic interposition: all tool calls (filesystem, git, network) are mediated by a policy engine before execution. Defense-in-depth is achieved via V8 isolates for agent code and strict control over all external interactions.

Quick Start & Requirements

• Prerequisites: Node.js 22-25, Docker (recommended), LLM API key (Anthropic, Google, OpenAI).
• Install: npm install -g @provos/ironcurtain (CLI).
• Setup: Configure API keys (env var or ~/.ironcurtain/config.json), then run ironcurtain setup for guided configuration.
• Running: ironcurtain mux offers an interactive TUI with inline escalation. ironcurtain start launches the built-in agent in various modes.
• Docs: Internal docs like SANDBOXING.md, DEVELOPER_GUIDE.md, RUNNING_MODES.md provide details.

Highlighted Details

• Policy Compilation: Translates constitutions into verifiable, deterministic rules via annotation, LLM compilation, list resolution, scenario generation, and verification.
• Multi-Agent Workflows: Orchestrates multiple agents with role-specific policies and human gates.
• Personas: Pre-defined profiles for distinct agent roles, bundling policies, workspaces, and memory.
• Skills: Extensible SKILL.md packages enhance agent capabilities.
• Built-in MCP Servers: Supports Filesystem, Git, Fetch, GitHub, Google Workspace, and Memory operations, all policy-governed.
• Network Passthrough (Docker Mode): Mediates external network access, requiring explicit user approval for new domains.

Maintenance & Community

No specific details on maintainers, sponsorships, or community channels (e.g., Discord/Slack) are provided.

Licensing & Compatibility

• License: Apache-2.0.
• Compatibility: Permissive, suitable for commercial use.

Limitations & Caveats

This is an early-stage research prototype with potential for API/architecture changes. Limitations include LLM policy compilation fidelity issues, potential V8 exploits in Code Mode, lack of outbound content inspection, and risk of user escalation fatigue.