Self-hosted · Policy-first · Matrix-native

Operate AI agents like production services.

Ruriko is a lightweight, distributed control plane for secure, capability-scoped AI agents running over Matrix— with lifecycle control, deterministic policy enforcement, secrets, approvals, and auditable tool access.

Get started Read the docs (README)
Default deny Immutable runtime MCP tool ecosystem Single-binary agents
Ruriko Control Plane
Matrix · Policies · Secrets
Agent: gitai-research
Lifecycle: running · Policy: v12 · Room allowlist
Healthy
mcp.playwright mcp.files approvals:on
Deterministic Policy
First-match wins
Strict, auditable rule evaluation.
Secrets
Scoped + rotated
Never stored in agent config.
Approval required
Tool call: browser.navigate
Guardrails for sensitive actions.

Why Ruriko

Most agent frameworks optimize for demos. Ruriko optimizes for operating agents safely in the real world: deterministic controls, strict capability boundaries, and human-in-the-loop approvals when it matters.

Policy-first

Deterministic capability enforcement with default deny and auditable decisions.

Immutable runtime

Agents can’t self-modify. Behavior is driven by structured configuration.

Secrets + approvals

Centralized secret management, scoped bindings, and explicit human approvals for sensitive actions.

Lifecycle control

Spawn, stop, respawn, update—treat agents like operated services, not chat windows.

Matrix-native

Identity + message bus + collaboration surface, where humans and agents coexist naturally.

Single-binary deploy

Small footprint agents that are easy to ship to VMs, Pi, containers, or clusters.

Architecture

Two core components: the control plane (Ruriko) and the runtime (Gitai). Configuration and policy are expressed as versioned Gosuto YAML.

1) Ruriko — Control Plane
  • • Manages lifecycle and configuration versions
  • • Provisions Matrix identities
  • • Stores/rotates secrets
  • • Maintains audit logs + approvals
2) Gitai — Agent Runtime
  • • Structured envelopes over Matrix
  • • Local policy enforcement
  • • Supervises MCP tool processes
  • • Immutable runtime behavior
Gosuto — Persona & Policy
  • • Allowlisted rooms/senders
  • • Capability rules + constraints
  • • Tool wiring + approvals
  • • Limits: rate/cost/concurrency

Policy is deterministic. Persona is cosmetic.

Security model

Capability-based enforcement, strict allowlists, default deny, and approvals for sensitive tool calls—designed so LLM output never becomes “control logic.”

Deterministic evaluation

Rules are structured; first-match wins; every decision is traceable.

Scoped secrets

Secrets aren’t stored in Gosuto; bindings are explicit and constrained.

Approvals

Sensitive operations require a human “yes” via the same collaboration channel.

Auditable actions

Policies, tool calls, approvals, and outcomes can be logged as an operational record.

Tooling via MCP

Integrate tools through the Model Context Protocol (MCP) with supervised processes and explicit allowlists.

Browser automation

Approval-gated navigation and controlled actions.

Connectors

Files, APIs, internal systems—wired and constrained per agent.

Supervised processes

MCP servers are monitored and reconciled by the runtime.

Bring your agents to production

Use this page as your GitHub Pages landing, and plug in real screenshots or diagrams as the project evolves.

Star / Follow progress See roadmap

Roadmap

Early-stage infrastructure project. These milestones mirror your current direction.

Core control plane

Lifecycle + configuration versions + audit.

Gitai runtime v1

Immutable runtime + local enforcement + supervision.

Secrets + rotation

Central store, scoped bindings, rotation workflows.

Policy engine

Deterministic rules, first-match wins, default deny.

Approval workflow

Human-in-the-loop for sensitive tools.

Template generation

Agent templates to standardize safe deployments.