free tier · sign up in a minute

The agent shell, secured.

A real Linux sandbox the agent owns. Secrets stay behind a server-side proxy — the sandbox never sees them, and every action is logged.

Managed · audit-logged · no setup

Powered by Anthropic Claude MCP
Use cases

Point it at the work you keep putting off.

One agent, a real shell, and your tools wired in safely. Here's what people run it for.

Ops & on-call

Restart a deployment, check metrics, tail logs. The agent runs real commands in its own sandbox; calls to your APIs go through the credential proxy. Every action lands in the audit log.

shell · kubectl · curl

Scheduled reports

A cron the agent owns. Pull numbers from Stripe or your database every Monday, format them, and deliver — without a key ever touching the sandbox.

schedules · integrations

Data wrangling

Drop a CSV or PDF in /workspace and ask. The agent slices it with jq, csvkit, or pandas and hands back the answer. Files persist across restarts.

/workspace · jq · pandas

Integration glue

Connect any HTTP API or MCP server once. Ask in plain English; the agent composes the calls and the proxy injects the secret only for the bound host.

http proxy · mcp
How it works

Secrets stay server-side. The agent never sees them.

A credential proxy sits between the sandbox and the outside world. The secret is injected only on calls to the host it's bound to — so a prompt can't trick the agent into exfiltrating it.

01

The sandbox

A real Linux box with a persistent /workspace. The agent owns it — but no credentials ever land here.

# inside the sandbox
$ echo $STRIPE_KEY
(empty)
02

The proxy

Holds the credentials. Injects them server-side, but only on calls to the hostname bound to each integration. The secret never enters the agent's environment.

# on the way out
Authorization: Bearer sk_live_••••
↑ injected only for the bound host
03

The audit row

Every call leaves a trail — actor, tool, target, status. Sandbox shells, integration calls, schedule fires, role changes — same shape.

# every call, server-side
 jess · http · api.stripe.com · 200
Features

Everything it does. No sales call required.

The workspace

what you use
  • Threaded chat with the agent

    Every chat belongs to whoever started it. The conversation is persistent and you can come back to it later.

  • A real Linux sandbox

    Shell, filesystem, package manager. /workspace is persistent across restarts. The agent installs what it needs and remembers what it learned.

  • Skills

    Reusable prompt presets you write once and pin to the workspace. Edits are audit-logged.

Security & governance

the rails
  • Secure integrations

    Store an API key once. The agent calls through a server-side proxy that injects the secret only on requests to the bound host — never into the sandbox env.

  • RBAC + per-resource grants

    Owner / admin / member / viewer. Grant specific members access to specific integrations and conversations. Least privilege by default.

  • Audit everything

    Every tool call, credential use, member change, RBAC mutation, schedule fire — logged with actor and structured metadata.

Operations

leaving things running
  • Schedules

    Cron and one-shot tasks the agent owns. Daily standups, weekly cleanup, on-call reports.

  • Per-message debugging

    Owners and admins can click any agent message to see the exact tool calls, token counts, latency, and full system prompt.

  • MCP server support

    Plug in any MCP-compatible tool server. Existing internal tooling becomes available to the agent.

Why Runvault

The shell is the easy part. The guardrails aren't.

You could wire an LLM to a container yourself. The security model — keeping the secret out of the sandbox and logging every call — is where it gets expensive.

Roll your own Runvault
Real Linux sandbox, persistent /workspace Containers + volumes to wire up Built in
Secrets kept out of the agent's env Agent reads env vars and files Server-side proxy — never in the sandbox
Credential scoped to one host Manual, easy to get wrong Injected only for the bound host
Audit trail · actor · tool · target · status Build and store it yourself Every call, queryable
RBAC + per-resource grants Build it owner / admin / member / viewer + grants
Schedules, skills, MCP servers Glue each one Included
Time to a useful agent Days to weeks Under a minute
Pricing

Start free. No card, no API key.

The whole product is on the free tier. Paid plans add seats and governance when your team needs them.

Free Live

$0 / forever

Everything on this page, for one person.

  • 1 workspace, 1 seat
  • 2,500 model credits / month
  • Sandbox + persistent /workspace
  • Credential proxy + integrations
  • Up to 5 schedules and 5 skills
  • Full audit log
Get started

Team Coming soon

Coming soon

For teams that need seats, SSO, and governance.

  • Multiple seats + shared workspaces
  • SSO / SAML sign-in
  • Custom roles
  • Longer audit retention + export
  • Priority support
Talk to us
FAQ

Common questions.

How does the credential proxy actually work?
When the agent makes an outbound HTTP call, the request goes through Runvault's egress proxy. The proxy matches the destination hostname against your configured integrations and, on a match, injects the secret as a bearer token or header on the way out. The sandbox process never has the raw secret in its environment, on disk, or in any log it can read. Calls to hosts that don't match any integration go through unauthenticated — so a prompt injection can't redirect a token to an attacker-controlled host.
Is the workspace really persistent?
Yes. /workspace is a persistent volume that survives sandbox restarts and agent upgrades — writes propagate live to durable storage. Anything outside /workspace is treated as ephemeral. Use it like a real engineer would — stash venvs, cache, scratch repos, notes.
What's in the audit log?
Every tool call (sandbox shell commands, integration HTTP calls, schedule fires), every credential set / rotated / used, every member invite / role change, every RBAC mutation, every skill edit. Each row carries actor, resource, status, and structured metadata. Logs are queryable from the dashboard and via API.
Which model runs the agent?
Anthropic's Claude Haiku 4.5 — wired up out of the box, no API key to configure. Model usage runs on credits, and every tier has a monthly cap; the free tier includes 2,500. You won't get a separate Anthropic bill.
What's in the free tier?
One workspace, one seat (you), 2,500 model credits a month, up to 5 schedules, up to 5 skills, and the full Claude Haiku 4.5 agent. Everything you see on this page — the sandbox, the credential proxy, integrations, the audit log — is in the free tier. No credit card.
Can I invite teammates?
Not yet — the free tier is a single-seat workspace today. Team invites and shared workspaces are on the way; if you need them now, drop us a note.
What about Slack / Telegram / Discord?
Coming. The adapters are built and running in our staging environment; we're holding them back from the public launch until the abuse-mitigation story is tight. If chat-app delivery is critical, tell us — it informs sequencing.
Can I self-host?
No. Runvault is a managed product. The agent runtime, credential proxy, and audit pipeline run on our infrastructure so we can keep them tight. If a self-hosted target is a hard requirement, drop us a note via the contact form and we'll let you know if our roadmap changes.
Contact

Talk to the team.

Want a walkthrough, have a question, or need something we don't ship yet? Tell us what you're building and we'll get back within 48 hours.

We'll only use your details to reply about your request.
No credit card · no API key

Give your agent a shell — not your secrets.

Sign in with Google and you're running in under a minute.