Deny-by-default security for agent execution. Define what your agents can and cannot do with simple, composable band files.
Agents are powerful but unpredictable. Bands give you fine-grained control over what they can access, enforce, and produce.
Nothing is allowed unless explicitly granted. Agents start with zero permissions and build up from there.
Three permission modes give you precise control. Allow specific tools, deny dangerous patterns, insist on required behaviors.
Stack multiple bands together. Permissions compose with clear precedence rules. Deny always wins over allow.
Run agents in isolated environments. Lima VMs for macOS, Cloudflare Workers for V8 isolates, or local with full access.
Cap turns, tokens, and tool calls. Prevent runaway agents with hard limits that terminate execution.
Define JSON schemas for agent output. Enforce structured responses so downstream systems can rely on the shape of the data.
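The composition rules above (nothing granted by default, deny beats allow across stacked bands, hard tool-call limits) can be modelled in a few lines. This is an added sketch, not the bands project's code or file format: the `Band` class, the `tool:argument` call strings, the glob matching, and the reading of "insist" as "a matching call must have run" are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

@dataclass
class Band:
    """Hypothetical in-memory band; NOT the project's BAND.md schema."""
    name: str
    allow: list = field(default_factory=list)   # glob patterns of granted calls
    deny: list = field(default_factory=list)    # glob patterns always refused
    insist: list = field(default_factory=list)  # patterns that must be observed

def _hit(patterns, call):
    return any(fnmatchcase(call, p) for p in patterns)

def decide(bands, call):
    """Evaluate one call against the whole stack; stacking order is irrelevant."""
    for b in bands:                      # pass 1: any deny anywhere wins
        if _hit(b.deny, call):
            return False, f"denied by {b.name}"
    for b in bands:                      # pass 2: need at least one explicit grant
        if _hit(b.allow, call):
            return True, f"allowed by {b.name}"
    return False, "no grant (deny by default)"

def unmet_insists(bands, executed):
    """Insist patterns (assumed semantics) that no executed call satisfied."""
    return [p for b in bands for p in b.insist
            if not any(fnmatchcase(c, p) for c in executed)]

def run(bands, requested, max_tool_calls):
    """Replay requested calls, refusing ungranted ones and stopping at the cap."""
    executed, refused, status = [], [], "completed"
    for call in requested:
        if len(executed) >= max_tool_calls:
            status = "terminated: tool-call limit"
            break
        ok, reason = decide(bands, call)
        if ok:
            executed.append(call)
        else:
            refused.append((call, reason))
    return {"status": status, "executed": executed, "refused": refused,
            "unmet_insists": unmet_insists(bands, executed)}

# Constructed sample bands and calls.
BASE = Band("base", allow=["read:*", "bash:*"])
HARDENING = Band("hardening", deny=["bash:rm *", "read:*.env"],
                 insist=["bash:npm test*"])

if __name__ == "__main__":
    calls = ["bash:ls", "bash:rm -rf build", "bash:npm test", "read:README.md"]
    print(run([BASE, HARDENING], calls, max_tool_calls=2))
```
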
From band file to sandboxed execution in three steps.
Create a BAND.md file with YAML frontmatter defining permissions, limits, and execution target. The markdown body becomes the agent's system prompt.
The bands runtime loads your band, applies permissions, and launches the agent in the specified execution environment with enforced constraints.
The agent runs within its permission boundaries. Output is validated against contracts. Limits are enforced. No surprises.
Choose the right isolation level for your use case.
Full access to your local machine. Use only for trusted agents or development. No sandboxing.
Lightweight Linux VMs on macOS. File system isolation with shared directories. Good balance of security and capability.
Dynamic Workers for on-demand V8 isolates. Maximum isolation for untrusted code. Fast cold starts, no file system access.
Open source. Deny by default. Ship agents you can trust.