Send a message, review a PR, merge to deploy
Airut is a self-hosted, open-source system that runs Claude Code tasks from your existing communication tools. It handles workspace provisioning, container isolation, network sandboxing, session persistence, and cleanup — a secure foundation for autonomous agentic development.
How it works
Email and Slack provide threading, search, notifications, and mobile clients out of the box. No terminal sessions to maintain, no custom clients to install.
Send a message
Describe your task in plain language over email or Slack. Airut provisions an isolated workspace, runs Claude Code, and delivers results back in the same thread.
Review the pull request
The agent pushes a PR when configured to do so. Review the changes, leave comments, and reply in the thread — the agent reads your feedback and iterates. Conversation context persists across messages.
Merge and deploy
Approve and merge when ready. With CI/CD in place, merging deploys automatically. Multiple conversations run in parallel, each with isolated workspaces, session state, and credentials.
Security & isolation
Agentic workflows require running Claude Code without interactive approval for each step. Airut's robust sandboxing approach and security model make this safe, containing execution even if the agent is compromised.
Each task runs in a dedicated rootless Podman container with its own filesystem and process space. Isolated execution enables safe fully permissive mode for end-to-end autonomous operation. Automatic teardown after completion.
All traffic routes through a transparent proxy enforcing a per-repository allowlist with path and method-level rules. Even a compromised agent can only reach pre-approved hosts. Custom DNS prevents exfiltration. Allowlist changes require a merged PR.
Real credentials never enter the container — the agent receives format-preserving surrogates that the proxy swaps for real values only on scoped hosts. Even a compromised agent cannot exfiltrate usable credentials. For AWS, the proxy re-signs SigV4 requests transparently.
Email channels use DMARC verification. Slack uses workspace membership. Only authorized senders can trigger tasks.
Network allowlists and container settings are read from the default branch, not the agent workspace. The agent can propose changes via PR, but they only take effect after human review and merge.
Monitor running tasks, view network activity logs, and track execution history through a built-in web interface.
Get started
Self-hosted on your own Linux server. Claude Code sessions stay on your infrastructure.
# Install Airut uv tool install airut # Generate configuration airut init # Edit ~/.config/airut/airut.yaml with your # email or Slack credentials and repository settings # Validate and start the service airut check airut install-service
Prerequisites: Linux, uv, Git, and Podman (rootless). Per-repository setup requires a .airut/ directory with container and network allowlist configuration. See the documentation for full setup instructions.