Sandboxed Claude Code over email and Slack

Send a message, review a PR, merge to deploy

Airut is a self-hosted, open-source system that runs Claude Code tasks from email and Slack. Each task gets an isolated container with network allowlisting, surrogate credentials, session persistence, and automatic cleanup.

Message-to-deploy workflow

Email and Slack provide threading, search, notifications, and mobile clients out of the box. No terminal sessions to maintain, no custom clients to install.

1. Send a message

Describe your task in plain language over email or Slack. Airut provisions an isolated workspace, runs Claude Code, and delivers results back in the same thread.

2. Review the pull request

The agent pushes a PR when configured to do so. Review the changes, leave comments, and reply in the thread — the agent reads your feedback and iterates. Conversation context persists across messages.

3. Merge and deploy

Approve and merge when ready. With CI/CD in place, merging deploys automatically. Multiple conversations run in parallel, each with isolated workspaces, session state, and credentials.

Safe fully autonomous operation

Running Claude Code without interactive approval means the sandbox must contain execution even if the agent is compromised.

Container isolation

Each task runs in a dedicated rootless Podman container with its own filesystem and process space. Claude Code runs in fully permissive mode with no interactive approvals. Containers are torn down after completion.

Network allowlisting

All traffic routes through a transparent proxy that enforces a per-repository allowlist with path- and method-level rules. Even a compromised agent can only reach pre-approved hosts. Custom DNS prevents exfiltration. Allowlist changes require a merged PR.

Surrogate credentials

The agent receives format-preserving surrogates instead of real credentials. The proxy swaps surrogates for real values only on allowed hosts. Credential theft from inside the container yields nothing usable. For AWS, the proxy re-signs SigV4 requests.
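
The following added example (not Airut's code or configuration format) shows how a proxy can combine the two controls described above: a host, method and path allowlist, and a surrogate-to-real credential swap that happens only on hosts approved for that credential. The rule layout, host names, token value and function names are assumptions made for illustration.

```python
import fnmatch
import posixpath
import secrets

# Constructed sample rules: hosts, methods and paths are illustrative only.
ALLOWLIST = [
    {"host": "api.github.com", "methods": {"GET", "POST"}, "path": "/repos/example-org/*"},
    {"host": "pypi.org", "methods": {"GET"}, "path": "/simple/*"},
]

def make_surrogate(real: str) -> str:
    """Keep the prefix before the first '_' and the length; randomise the rest."""
    prefix, _, body = real.partition("_")
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789"
    return prefix + "_" + "".join(secrets.choice(alphabet) for _ in body)

REAL_TOKEN = "ghp_" + "R" * 36          # constructed stand-in; known to the proxy only
SURROGATE = make_surrogate(REAL_TOKEN)  # the only value the container ever sees
# surrogate -> (real value, hosts where the swap is permitted)
VAULT = {SURROGATE: (REAL_TOKEN, {"api.github.com"})}

def allowed(host: str, method: str, path: str) -> bool:
    # Normalise first so "/repos/example-org/../other" cannot match by prefix.
    path = posixpath.normpath(path)
    return any(
        r["host"] == host and method in r["methods"] and fnmatch.fnmatchcase(path, r["path"])
        for r in ALLOWLIST
    )

def proxy_request(host, method, path, headers):
    """Return (verdict, headers_to_forward) for one outbound request."""
    if not allowed(host, method.upper(), path):
        return "blocked", None
    out = dict(headers)
    for name in headers:
        for surrogate, (real, swap_hosts) in VAULT.items():
            if surrogate in out[name] and host in swap_hosts:
                out[name] = out[name].replace(surrogate, real)
    return "forwarded", out
```

A request to an allowed host that is not in the credential's swap set is forwarded with the surrogate untouched, so the real value never reaches a host that was not approved for it.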

Channel authentication

Email channels use DMARC verification. Slack uses workspace membership. Only authorized senders can trigger tasks.

Protected configuration

Network allowlists and container settings are read from the default branch, not the agent workspace. The agent can propose changes via PR, but they only take effect after human review and merge.

CI sandboxing

When an agent opens a PR, CI runs agent-controlled code on your runners. The airut-sandbox CLI runs CI commands inside the same container and network sandbox, so test suites and build scripts can't exfiltrate secrets. Works with any CI system. For GitHub Actions, sandbox-action provides ready-to-use sandboxing.

Install and deploy

Self-hosted on your own Linux server. Claude Code sessions stay on your infrastructure.

Terminal
# Install Airut
uv tool install airut

# Generate configuration
airut init

# Edit ~/.config/airut/airut.yaml with your
# email or Slack credentials and repository settings

# Validate and start the service
airut check
airut install-service

Prerequisites: Linux, uv, Git, and Podman (rootless). Per-repository setup requires a .airut/ directory with container and network allowlist configuration. See the documentation for full setup instructions.