Sandboxed Claude Code over email and Slack

Send a message, review a PR, merge to deploy

Airut is a self-hosted, open-source system that runs Claude Code tasks from email and Slack. Each task gets an isolated container with network allowlisting, surrogate credentials, session persistence, and automatic cleanup.

uv tool install airut && airut install-service
# Open http://localhost:5200 to configure

Message-to-deploy workflow

Email and Slack provide threading, search, notifications, and mobile clients out of the box. No terminal sessions to maintain, no custom clients to install.

1. Send a message, get an isolated workspace

Describe your task in plain language over email or Slack. Airut creates a dedicated workspace for each conversation, cloning your repository into an isolated environment. Claude Code starts working immediately.

2. Sandboxed execution with credential isolation

Claude Code runs inside an Airut sandbox. It can iterate with you over email or Slack, modify the workspace, and access the network — but only through a proxy that enforces allowlists and swaps surrogate credentials for real ones. The agent never holds credentials usable outside the sandbox.

3. Pull request with sandboxed CI

Claude Code pushes a PR when ready. Your CI/CD pipeline runs the agent-authored code — but the untrusted build and test commands execute inside an Airut sandbox too. CI runners are protected from exfiltration just like the workspace.

4. Review, approve, deploy

Review the PR, leave comments, and iterate via the thread. When satisfied, approve and merge. With CI/CD in place, merging deploys automatically. Multiple conversations run in parallel, each fully isolated.

What Airut provides

Email

Assign a dedicated email address to each repository. Send instructions to start a task; Airut authenticates the sender via DMARC, provisions an isolated workspace, and runs Claude Code. Each email thread maps to a persistent conversation — reply to continue where the agent left off.

Slack

Add Airut as an agent in your Slack workspace. Start a task by messaging the app directly; thread replies continue the conversation with full session context. Sender identity is verified at the platform level, with configurable authorization rules per repository.

Scheduled tasks

Define cron schedules to run Claude automatically — daily code reviews, nightly health checks, weekly summaries. Tasks run in the same sandbox as interactive work. Results are delivered via email; recipients can reply to continue the conversation.

Defense-in-depth security

Container isolation, network allowlisting, surrogate credentials, and channel authentication work as independent layers. Running Claude Code without interactive approval requires the sandbox to contain execution even if the agent is compromised. Details below.

Web dashboard

Monitor running and completed tasks, view streaming network activity logs, and configure repositories, channels, and credentials — all from your browser. Screenshots below.

CI sandboxing

When an agent pushes a PR, CI runs agent-controlled code on your runners. The airut-sandbox CLI and sandbox-action GitHub Action run build and test commands inside the same container and network sandbox, preventing exfiltration from CI environments.

Self-hosted & open source

Deploy on your own Linux server with uv tool install airut. Your code, conversations, and API keys never leave your infrastructure. MIT licensed with 100% unit test coverage enforced in CI.

Safe fully autonomous operation

Running Claude Code without interactive approval means the sandbox must contain execution even if the agent is compromised.

Container isolation

Each task runs in a dedicated rootless Podman container with its own filesystem and process space. Claude Code runs in fully permissive mode with no interactive approvals. Containers are torn down after completion.

Network allowlisting

All traffic routes through a transparent proxy enforcing a per-repository allowlist with path and method-level rules. Even a compromised agent can only reach pre-approved hosts. Custom DNS prevents exfiltration. Allowlist changes require a merged PR.

Surrogate credentials

The agent receives format-preserving surrogates instead of real credentials. The proxy swaps surrogates for real values only on allowed hosts. Credential theft from inside the container yields nothing usable. For AWS, the proxy re-signs SigV4 requests.
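
The allowlist and surrogate layers described above, sketched as a single egress decision. This is an added example, not Airut's code or configuration format; the rule shape, hosts, paths and token values are constructed for illustration.

```python
import posixpath
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:                       # hypothetical rule shape, not Airut's format
    host: str
    methods: frozenset
    path_prefix: str

# Constructed sample policy and credentials (illustrative values only).
ALLOWLIST = [
    Rule("api.github.com", frozenset({"GET", "POST"}), "/repos/example-org/"),
    Rule("pypi.org", frozenset({"GET"}), "/simple/"),
]
# surrogate -> (real value, hosts on which the swap is permitted)
SURROGATES = {"tok_SURROGATE_0000": ("tok_REALVALUE_1111", {"api.github.com"})}

def canonical(host, path):
    """Lower-case the host and collapse dot segments before any rule matching.
    Percent-encoded dot segments are not handled in this sketch."""
    norm = posixpath.normpath(path)
    if path.endswith("/") and norm != "/":
        norm += "/"               # normpath drops the trailing slash; keep it
    return host.lower().rstrip("."), norm

def is_allowed(method, host, path):
    host, path = canonical(host, path)
    return any(r.host == host and method.upper() in r.methods
               and path.startswith(r.path_prefix) for r in ALLOWLIST)

def egress(method, host, path, headers):
    """Return (verdict, headers forwarded upstream); denied requests forward nothing."""
    if not is_allowed(method, host, path):
        return "deny", None
    out = dict(headers)
    auth = out.get("Authorization", "")
    for surrogate, (real, swap_hosts) in SURROGATES.items():
        # Swap only where this credential is scoped; elsewhere the surrogate
        # goes out unchanged and is worthless to the receiver.
        if surrogate in auth and canonical(host, path)[0] in swap_hosts:
            out["Authorization"] = auth.replace(surrogate, real)
    return "allow", out
```

The real value exists only in the proxy's table, so a request to an allowed but out-of-scope host still carries the surrogate.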

Channel authentication

Email channels use DMARC verification. Slack uses workspace membership. Only authorized senders can trigger tasks.

Protected configuration

Network allowlists and container settings are read from the default branch, not the agent workspace. The agent can propose changes via PR, but they only take effect after human review and merge.

CI sandboxing

When an agent opens a PR, CI runs agent-controlled code on your runners. The airut-sandbox CLI runs CI commands inside the same container and network sandbox, so test suites and build scripts can't exfiltrate secrets. Works with any CI system. For GitHub Actions, sandbox-action provides ready-to-use sandboxing.

Built-in web dashboard

Airut comes with an optional built-in web dashboard for monitoring tasks and configuring the service. Designed to sit behind a reverse proxy.

Dashboard — Overview of active and recent tasks with status and duration
Conversation — Task details, conversation thread, and cost breakdown
Configuration — Full service configuration through the web dashboard
Network — Every request through the proxy with allow/deny status

Install and deploy

Self-hosted on your own Linux server. Claude Code sessions stay on your infrastructure.

Terminal
# Install Airut and start the service
uv tool install airut
airut install-service

# Open http://localhost:5200 to configure

Prerequisites: Linux, uv, Git, and Podman (rootless). Per-repository setup requires a .airut/ directory with container and network allowlist configuration. See the documentation for full setup instructions.