Scrutineer governs autonomous AI agents on Kubernetes: per-session policy, human approvals, and runtime evidence produced outside the agent’s trust domain. A compromised agent can’t bypass the rules or edit the record.
Not an agent framework. You bring your own agent image; Scrutineer wraps it in governance it can’t reach.
How it works
Each run is an AgentSession. The controller starts the agent pod, a per-session
Envoy proxy, and a default-deny NetworkPolicy that makes the proxy the agent’s
only way out — enforced in the kernel, outside the agent’s reach.
flowchart LR agent["agent pod<br/>unprivileged · credential-empty"] proxy["per-session Envoy proxy<br/>own pod · own identity"] up["allowed upstreams"] rep["evidence reporter"] drop["dropped in the kernel<br/>default-deny NetworkPolicy"] agent -->|governed traffic| proxy proxy --> up proxy -->|observed evidence| rep agent -.->|bypass attempt| drop classDef dead stroke:#e5534b,stroke-dasharray:4 3 class drop dead
Every decision lands in the session’s status, labeled by source: observed
(the proxy) or self-reported (the agent). Neither pretends to be the other.
Quick start
git clone https://github.com/grantbarry29/scrutineer.git
cd scrutineer
make quickstart # kind cluster + verified enforcement (~5 min)
make demo # a denial, a dead bypass, the evidence (~2 min)
Start here
Quickstart
One command to a verified install on kind.
Demo
A live denial, a dead bypass, and the evidence.
Install on your cluster
Every command visible, on your own cluster.
Core concepts
Sessions, policies, the two locks, evidence.