Seal

The cryptographically secured AI coding agent. Designed as a defense against rogue agents, prompt injection, and curl scripts that delete your production database — without slowing the agent down.

Seal is an AI coding agent where the agent itself runs inside a WebAssembly sandbox and can only touch your system through cryptographically signed capabilities. The security model isn’t a wrapper around an off-the-shelf agent — it is the design.

Three properties fall out:

  • Sandboxed by construction. The agent component has zero WASI imports. Filesystem, network, clock — everything goes through a typed WIT interface to a host daemon, and the daemon enforces the signed manifest.
  • Capability-typed. Every tool call carries a typed capability. The dispatcher checks it against seal.toml before executing — silent allow, prompt, or refuse. Patterns layer cleanly: a broad git:* prompt can sit alongside narrow silent allows for the specific subcommands you’ve cleared (git status, git diff:*) without either shadowing the other.
  • Auditable. Every grant is hashed and signed. The signed-manifest hash flips when anything changes, forcing re-approval. Every sandbox-enforced denial lands in the per-session audit log.
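
The pattern layering from the second bullet, modelled as an added example; this is not Seal's code or its seal.toml format. Assumptions: a trailing `:*` is read as "this command prefix with any arguments", the most specific matching rule wins, an unmatched call is refused, and the names `RULES`, `matches`, `specificity` and `decide` are hypothetical.

```python
# Illustrative model only: rule syntax and precedence are assumptions, not Seal's code.
from __future__ import annotations
from enum import Enum

class Decision(Enum):
    ALLOW = "silent allow"
    PROMPT = "prompt"
    REFUSE = "refuse"

# Constructed rule set mirroring the patterns named in the text above.
RULES = [
    ("git:*", Decision.PROMPT),       # broad: any git invocation asks first
    ("git status", Decision.ALLOW),   # narrow: exactly this command, cleared
    ("git diff:*", Decision.ALLOW),   # narrow: git diff with any arguments
]

def matches(pattern: str, argv: list[str]) -> bool:
    """'a b:*' matches argv starting with [a, b]; 'a b' matches argv == [a, b]."""
    if pattern.endswith(":*"):
        prefix = pattern[:-2].split()
        return argv[:len(prefix)] == prefix   # whole tokens, so 'gitx' != 'git'
    return argv == pattern.split()

def specificity(pattern: str) -> tuple[int, int]:
    """More prefix tokens win; at equal length an exact rule beats a wildcard."""
    wildcard = pattern.endswith(":*")
    tokens = (pattern[:-2] if wildcard else pattern).split()
    return (len(tokens), 0 if wildcard else 1)

def decide(argv: list[str], rules=RULES) -> tuple[Decision, str | None]:
    """Return the decision and the rule that produced it."""
    hits = [(specificity(p), p, d) for p, d in rules if matches(p, argv)]
    if not hits:
        return Decision.REFUSE, None          # assumed default: deny
    _, pattern, decision = max(hits, key=lambda h: h[0])
    return decision, pattern

if __name__ == "__main__":
    for cmd in ("git status", "git diff --stat", "git push origin main",
                "git status --short", "curl https://example.invalid/x.sh"):
        decision, rule = decide(cmd.split())
        print(f"{cmd!r:40} -> {decision.value:12} (rule: {rule})")
```

Because matching is done on whole tokens, `git status --short` does not inherit the silent allow for `git status` and falls back to the broad `git:*` prompt.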

Why this matters

Prompt injection in a normal agent means “the model is talked into running a malicious command.” In Seal it means “the model is talked into asking the manifest for a capability it doesn’t have.” The model never has the capability to begin with — the WIT surface is the only door out, and the daemon checks every call.

Permission model

The four-way prompt and how grants accumulate.