---
title: "agentsh — Execution-Layer Security for AI Agents"
description: "agentsh (agent shell) — Execution-Layer Security for AI agents. Intercept file, network, and process activity at runtime. Allow, deny, approve, or steer—with full audit logs."
doc_version: "1.0"
last_updated: "2026-05-01"
canonical: "https://agentsh.org/"
---

# agentsh — Execution-Layer Security for AI Agents

> Intercept file, network, and process activity at runtime. Allow, deny, approve, or steer — with full audit logs.

agentsh (agent shell) is an execution-layer security model for AI agents. Instead of relying on prompt engineering or model-side guardrails, agentsh enforces deterministic, OS-level policy on what agent processes can read, write, execute, or send over the network — and produces a tamper-evident audit log.

## Why prompt-side controls aren't enough

Telling an agent "don't run `rm -rf`" is advice, not enforcement. A jailbroken prompt, an indirect prompt injection, or a confused-deputy MCP tool can cause the agent to issue any command its process is allowed to make. agentsh sits between the agent process and the kernel. If the policy says no, the syscall doesn't happen — regardless of what the model decided.

See [What Is Execution-Layer Security?](https://agentsh.org/execution-layer-security/) for the full threat model.

## What agentsh gives you

- **Prompt-proof enforcement.** Deterministic policy at the syscall layer. No "the model agreed" failure mode.
- **See everything.** Every file read, network connection, and process spawn is logged and replayable.
- **Approval gates.** Pause an agent at risky operations and require human approval before continuing.
- **Steer, don't just block.** Rewrite, redirect, or annotate operations rather than failing them.
- **Audit-grade logs.** HMAC-chained entries support SOC 2, NIST AI RMF, and ISO 27001.
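The tamper evidence behind the "HMAC-chained entries" bullet, as an added illustration that is not agentsh's own code or on-disk log format: each entry's tag is an HMAC over the previous tag plus the event, so editing one entry breaks every later check, while dropping entries off the tail is only detectable when a trusted head tag is stored out-of-band. The entry layout, key and sample events are constructed assumptions.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # prev-tag value for the first entry (constructed format)

# Constructed illustration, not agentsh's real log format: each entry is
# {"event", "prev", "tag"} with tag = HMAC-SHA256(key, prev_bytes || canonical(event)).
def canonical(event: dict) -> bytes:
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()

def entry_tag(key: bytes, prev: str, event: dict) -> str:
    return hmac.new(key, bytes.fromhex(prev) + canonical(event), hashlib.sha256).hexdigest()

def append_entry(chain: list, key: bytes, event: dict) -> dict:
    prev = chain[-1]["tag"] if chain else GENESIS
    entry = {"event": event, "prev": prev, "tag": entry_tag(key, prev, event)}
    chain.append(entry)
    return entry

def verify_chain(chain: list, key: bytes, head=None) -> tuple:
    """(ok, index): index is the first bad entry, len(chain) when the tail was cut
    (only detectable with a trusted head tag), or -1 when the chain verifies."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        expected = entry_tag(key, prev, entry["event"])
        if entry["prev"] != prev or not hmac.compare_digest(expected, entry["tag"]):
            return False, i
        prev = entry["tag"]
    if head is not None and not hmac.compare_digest(prev, head):
        return False, len(chain)
    return True, -1

def demo(key: bytes = b"constructed-demo-key") -> dict:
    """Build a three-event chain, then show which tampering each check catches."""
    chain = []
    for ev in ({"op": "open", "path": "/workspace/src/app.py", "mode": "r"},
               {"op": "connect", "host": "pypi.org", "port": 443},
               {"op": "exec", "argv": ["pytest", "-x"]}):
        append_entry(chain, key, ev)
    head = chain[-1]["tag"]  # would be stored out-of-band by the verifier
    results = {"intact": verify_chain(chain, key, head)}
    edited = json.loads(json.dumps(chain))          # deep copy, then rewrite an event
    edited[1]["event"]["host"] = "example.invalid"
    results["edited"] = verify_chain(edited, key, head)
    results["truncated_no_head"] = verify_chain(chain[:-1], key)
    results["truncated_with_head"] = verify_chain(chain[:-1], key, head)
    return results
```

The key must be held by the verifier and not by the agent process: with the key, an attacker can recompute every tag and the chain proves nothing.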

## Drop-in execution-layer gateway

agentsh runs in three modes:

1. **CLI** — `agentsh wrap <command>` for one-shot agent runs.
2. **Daemon** — long-lived enforcement with session reports.
3. **SDK** — wrap a hosted sandbox (Vercel, E2B, Daytona, Cloudflare Containers, Modal, Sprites, Blaxel, Runloop, exe.dev, Freestyle).

Install:

```bash
curl -fsSL https://agentsh.org/install.sh | sh
```

Or use the SDK:

```bash
npm install @agentsh/secure-sandbox
# or
pip install agentsh-secure-sandbox
```

## Start in under a minute

```bash
# Wrap an agent run with a starter policy pack
agentsh wrap --pack code-edit -- claude code "fix the failing test"
```

agentsh ships with starter policy packs for common workloads (`code-edit`, `dev-server`, `data-science`, `mcp-tool`). Customize when you're ready by writing your own `policy.yaml` — see the [Policy Reference](https://agentsh.org/docs/policy-reference/).

## Containers isolate. agentsh governs.

A container blocks a process from leaving its filesystem. agentsh decides whether the process should have made that syscall in the first place — and gives you the audit trail to prove what happened.

## Glossary

For a definition of execution-layer security, deterministic enforcement, ptrace mode, policy signing, and the rest of the terminology used across the docs, see the [Glossary](https://agentsh.org/docs/glossary/).

## Sitemap

### Top-level pages

- [Homepage](https://agentsh.org/)
- [What Is Execution-Layer Security?](https://agentsh.org/execution-layer-security/)
- [Secure Sandbox](https://agentsh.org/secure-sandbox/)
- [Examples & Integrations](https://agentsh.org/examples/)

### Documentation

- [Docs index](https://agentsh.org/docs/)
- [Setup & Integration](https://agentsh.org/docs/setup/) ([.md](https://agentsh.org/docs/setup/index.md))
- [Features](https://agentsh.org/docs/features/) ([.md](https://agentsh.org/docs/features/index.md))
- [Policy Reference](https://agentsh.org/docs/policy-reference/) ([.md](https://agentsh.org/docs/policy-reference/index.md))
- [Secure Sandbox SDK](https://agentsh.org/docs/secure-sandbox/) ([.md](https://agentsh.org/docs/secure-sandbox/index.md))
- [MCP Security](https://agentsh.org/docs/mcp-security/) ([.md](https://agentsh.org/docs/mcp-security/index.md))
- [Secrets](https://agentsh.org/docs/secrets/) ([.md](https://agentsh.org/docs/secrets/index.md))
- [Observability](https://agentsh.org/docs/observability/) ([.md](https://agentsh.org/docs/observability/index.md))
- [Glossary](https://agentsh.org/docs/glossary/) ([.md](https://agentsh.org/docs/glossary/index.md))

### Discovery files

- [llms.txt](https://agentsh.org/llms.txt)
- [llms-full.txt](https://agentsh.org/llms-full.txt)
- [AGENTS.md](https://agentsh.org/AGENTS.md)
- [sitemap.md](https://agentsh.org/sitemap.md)
- [sitemap.xml](https://agentsh.org/sitemap.xml)
- [robots.txt](https://agentsh.org/robots.txt)
