Your agents run free.
Your secrets stay put.

Redan runs AI coding agents inside microVMs with network-layer secret injection. Agents get a real dev environment but never see your credentials.

Redan - a V-shaped fortification protecting a mountain pass
Install

curl -L https://github.com/getredan/redan/releases/download/v0.3.1/redan-v0.3.1-linux-x86_64.tar.gz | tar xz

Why redan?

AI agents need API keys to be useful and sandboxes to be safe. Some agents ship built-in sandboxing, but each one does it differently. Redan provides a single, hardened execution layer that works with any agent: Claude Code, Pi, OpenCode, or whatever comes next.

Typical setup

  • Agent sees your API keys in plain text
  • Each agent has its own sandbox (or none at all)
  • No control over which hosts the agent contacts
  • Secrets end up in logs, error messages, LLM context

With redan

  • Agent sees placeholder tokens, never real secrets
  • One runtime for all agents, consistent policy
  • Default-deny networking with explicit allowlist
  • Responses scrubbed before the agent sees them

How it works

A microVM boots in under a second. All network traffic routes through a TLS MITM proxy on the host that injects and scrubs secrets.

VM isolation

Each session runs in a libkrun microVM with its own kernel. No shared filesystem, no shared memory with the host.

Secret injection

Secrets are injected into HTTP headers by the proxy. The guest never sees real values, only placeholders.

Default-deny network

No outbound connections unless you allow them. Wildcard patterns, private IP blocking, domain fronting protection.

Audit trail

Every connection, injection, and scrub event is logged. Structured JSON-lines for compliance and debugging.

Discover mode

Don't know what hosts your agent needs? Run once with --discover and redan prints a suggested allowlist.

Fast boot

Sub-second VM startup via libkrun. No daemon, no background service. Single binary, runs inline.

Architecture

Everything between the agent and the internet is controlled by redan.

Guest VM (libkrun, <1s boot)
  │
  │  virtio-fs  (project dir, read-write)
  │  virtio-net (ethernet over unix socket)
  ▼
smoltcp (userspace TCP/IP on host)
  │
  ├── UDP :53   → synthetic DNS (no queries leave the host)
  ├── TCP :80   → rejected (HTTPS only)
  └── TCP :443  → TLS MITM proxy
        │
        ├── SNI extraction
        ├── ephemeral cert (per-session CA)
        ├── secret injection (headers only, host-allowlisted)
        ├── request forwarded to real upstream
        ├── response scrubbed of secret values
        └── streamed back to guest

Get started in 3 commands

Works with Claude Code out of the box. Bring your own agent too.

Terminal

# Generate config and devcontainer
redan init --claude

# Build the image
redan image import myproject --devcontainer .devcontainer/redan

# Run the agent
redan exec

Or configure manually with a redan.toml:

redan.toml

# Already have a Dockerfile?
image = "claude-code"
interactive = true

[network]
allow = ["api.anthropic.com", "*.npmjs.org"]

[secrets.ANTHROPIC_API_KEY]
value = "sk-ant-..."
hosts = ["api.anthropic.com"]

[mount.workspace]
source = "."
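The proxy's policy decisions from the architecture section, applied to a policy in the shape of this redan.toml, as an added Python model. This is not Redan's own code; the placeholder token format, the sample key value, the treatment of private IP literals and the Host-header-versus-SNI check are assumptions made for the example.

```python
import fnmatch
import ipaddress

# Constructed policy in the shape of the redan.toml above. The key is a made-up sample.
ALLOW = ["api.anthropic.com", "*.npmjs.org"]
SECRETS = {"ANTHROPIC_API_KEY": {"value": "sk-ant-SAMPLE-0123456789",
                                 "hosts": ["api.anthropic.com"]}}


def placeholder(name):
    # Token the guest sees in place of the real value (naming scheme is assumed).
    return f"REDAN_PLACEHOLDER_{name}"


def host_allowed(host):
    """Default-deny: block private IP literals, then require an allowlist match."""
    try:
        if ipaddress.ip_address(host).is_private:
            return False
    except ValueError:
        pass  # not an IP literal; fall through to pattern matching
    return any(fnmatch.fnmatchcase(host, pat) for pat in ALLOW)


def inject(sni, headers):
    """Swap placeholders for real values, in headers only, for hosts the secret is bound to.

    Raises PermissionError on a denied host, on a Host header that disagrees with the
    SNI (the domain-fronting case), or on a placeholder used against the wrong host."""
    if not host_allowed(sni):
        raise PermissionError(f"denied: {sni}")
    if headers.get("Host", sni).lower() != sni.lower():
        raise PermissionError(f"Host header {headers['Host']} does not match SNI {sni}")
    out = {}
    for key, value in headers.items():
        for name, spec in SECRETS.items():
            token = placeholder(name)
            if token in value:
                if sni not in spec["hosts"]:
                    raise PermissionError(f"{name} is not allowed for {sni}")
                value = value.replace(token, spec["value"])
        out[key] = value
    return out


def scrub(body):
    """Replace every real secret value in an upstream response with its placeholder."""
    for name, spec in SECRETS.items():
        body = body.replace(spec["value"], placeholder(name))
    return body
```

The scrub step is what keeps a key out of the guest even when an upstream error message echoes it back.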

Open source

Redan is BSD-3-Clause licensed. The full proxy, VM lifecycle, secret providers (including Vault), and all security logic ship in the open core.

This is alpha software. It works end-to-end, from redan init through interactive Claude Code sessions with network policy enforcement, but has not been through an independent security audit. Read the security model.