Show HN: RiskKernel – a kill switch and budgets for runaway AI agents
RiskKernel is a self-hosted agent reliability runtime providing hard cost, loop, and time budgets, crash-resumable checkpoints, human-approval gates, and memory you own. It integrates with existing agents via a single env var, preventing runaway loops and surprise bills.
The risk engine for your AI agents.
Deterministic cost / loop / time budgets · full observability · crash-resumable runs · human-approval gates · a memory you own. Self-hosted. Your keys. No telemetry. Point it at your existing agents — one env var.
A runaway agent, stopped. It loops over a codebase; the deterministic governor halts it at its loop budget with an HTTP 402 — no model call escapes the cap. (runnable example)
## The problem
Production AI agents fail in the same handful of ways, every time: runaway loops, surprise token bills, no failure recovery, no observability, no human-in-the-loop, no governance. Agent frameworks (LangGraph, CrewAI, AutoGen) orchestrate the reasoning — but none of them ship the guardrails that keep a run from burning $400 in a midnight loop while you sleep.
RiskKernel is a self-hosted agent reliability runtime — the deterministic, run-level layer that sits in front of your agents and enforces hard limits. The LLM proposes; deterministic Go code disposes. Every irreversible action is gated.
It is not another gateway (LiteLLM/Portkey own routing), not another observability dashboard (Langfuse/Phoenix own traces), and not a content-guardrails engine (Guardrails AI/NeMo own PII/jailbreak). It interoperates with all of those and competes on the one thing nobody ships in a single self-hosted binary: deterministic run controls — the agent SRE layer.
## What it does

| Capability | What it means |
| --- | --- |
| 💸 Hard cost ceiling per run | A run that hits its dollar/token budget is killed cleanly, state persisted. Safe defaults out of the box (the budget contract). |
| 🔁 Hard loop-iteration cap | No more infinite agent loops. |
| ⏱️ Hard wall-clock budget | Runs that exceed their time budget halt. |
| 💾 Crash-resumable checkpoints | `kill -9` the daemon mid-run; it reloads with the budget already spent and resumes from the last checkpoint — without re-spending. Guide · demo. |
| ✋ Framework-agnostic approval gates | Side-effecting tool calls pause for human approval: CLI, local web, or webhook. |
| 🧠 Memory you own | Git-native markdown/YAML on your disk; episodic state in your SQLite. |
| 📡 OpenTelemetry GenAI | Emits `gen_ai.*` spans to your backend (Grafana/SigNoz/Datadog/Langfuse). |
## Three ways to adopt — pick the one that fits

1. **Proxy (zero code).** Set one env var: `OPENAI_BASE_URL=http://localhost:7070/v1`. Every call is intercepted, budgeted, logged, checkpointed, and forwarded to the real provider with your key.
2. **Python SDK (deep control).** Install the SDK (from source today — see the Quickstart), then `@governed_run` / `@governed_tool` / `runtime.budget(...)` / `ApprovalGate`. Adapters for the Claude Agent SDK, OpenAI Agents SDK, and LangChain.
3. **OpenTelemetry (universal).** RiskKernel is an OTLP endpoint and emitter — govern apps already instrumented with OpenLLMetry / the OpenAI Agents SDK, and export to the backend you already run.
## Quickstart (60 seconds)

Run the daemon with your key (nothing leaves your machine except calls to the provider you choose). Unconfigured, every run gets a safe default budget — $5 / 100 loops / 1 hour — so nothing is ever unbounded; here we set an explicit 50¢ cap (see the budget contract):

```bash
docker run --rm -p 7070:7070 -v "$PWD/data:/data" \
  -e ANTHROPIC_API_KEY=sk-ant-... \
  -e RISKKERNEL_DEFAULT_DOLLARS=0.50 \
  ghcr.io/prashar32/riskkernel:latest
```
Now put your existing OpenAI-compatible app under governance with one env var — no code changes — and point it at a Claude model:
```bash
export OPENAI_BASE_URL=http://localhost:7070/v1
# your app runs unchanged; every call is metered, priced, budget-enforced
```
Or hit it directly and watch the governance headers:
```bash
curl -s -D- http://localhost:7070/v1/chat/completions \
  -H 'content-type: application/json' \
  -H 'X-RiskKernel-Run-Id: demo' \
  -d '{"model":"claude-sonnet-4-5","messages":[{"role":"user","content":"hi"}]}'
# → X-RiskKernel-Cost-Usd, X-RiskKernel-Tokens, X-RiskKernel-Step …
# the run is killed with HTTP 402 the moment it exceeds $0.50.
```
Inspect and audit, all on your disk:
```bash
riskkernel runs list     # every governed run
riskkernel audit export  # the cost ledger as JSON
riskkernel audit tools   # governed tool calls as JSON
```
Prefer a native binary to Docker? Install the CLI with one command — no clone needed — and run it:
```bash
go install github.com/prashar32/riskkernel/cmd/riskkernel@latest
riskkernel init   # scaffold a .env + a runnable example in the current dir
riskkernel serve  # start the daemon (reads .env)
```
(or `make build` from a clone). Deeper control (loops, checkpoints, approval gates) is the Python SDK:
```bash
pip install riskkernel
```
See sdks/python. Trace every run in your own backend: examples/otel.
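The budget contract from the capability table and the $0.50 Quickstart cap, modelled as an added Go example (illustrative code, not RiskKernel's own; the `Budget`/`Run` types, the `Charge` method and the JSON ledger file are assumptions): a per-run ledger that halts the run in compiled code the moment any ceiling is exceeded, checkpoints the ledger, and reloads it with the counters already spent, which is what keeps a resumed run from re-spending.

```go
package main

import (
	"encoding/json"
	"errors"
	"os"
	"time"
)

var ErrBudgetExceeded = errors.New("run halted: budget exceeded") // what the proxy reports to the agent as HTTP 402
// Budget is one run's ceiling (the README's unconfigured default: $5 / 100 loops / 1 hour).
type Budget struct {
	Dollars float64
	Loops   int
	Wall    time.Duration
}

// Run is the persisted ledger (illustrative layout, not RiskKernel's): budget plus what was spent against it.
type Run struct {
	Budget  Budget
	Started time.Time
	Steps   int     // model calls forwarded so far
	Spent   float64 // priced cost so far, in USD
}

// Charge is applied in plain code once per model call: the counters advance and the run is halted
// the moment any ceiling is exceeded. The counters stay over the cap, so a killed run stays killed.
func (r *Run) Charge(usd float64, now time.Time) error {
	r.Steps++
	r.Spent += usd
	if r.Steps > r.Budget.Loops || r.Spent > r.Budget.Dollars || now.Sub(r.Started) > r.Budget.Wall {
		return ErrBudgetExceeded
	}
	return nil
}

// Checkpoint persists the ledger so a kill -9 cannot lose what was already spent.
func (r *Run) Checkpoint(path string) error {
	b, _ := json.Marshal(r) // plain numeric and time fields: marshalling cannot fail
	return os.WriteFile(path, b, 0o600)
}

// Resume fills r from the ledger on disk with its counters already spent, so nothing is re-spent.
func Resume(path string, r *Run) error {
	b, err := os.ReadFile(path)
	if err != nil {
		return err
	}
	return json.Unmarshal(b, r)
}
```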
Want to see the headline feature? examples/codebase-qa is a runnable agent that loops over a codebase until the governor kills it on its loop/dollar budget — the deterministic kill, end to end, with a real model.
And the moat: examples/kill-9-resume kill -9s the daemon mid-run and resumes without re-spending — ./demo.sh scripts the whole crash-and-recover and proves the counter doesn't double, key-free.
Brand new to the SDK? examples/wrap-your-agent is the no-key, two-minute version — a generic Python loop the governor caps at a loop budget, the deterministic kill with nothing running but the daemon.
On LangChain? examples/langchain wraps a LangChain loop with the callback handler and caps it at a loop budget — also key-free.
Governing tools over MCP? examples/mcp puts the MCP gateway in front of a stub server and shows a tool blocked by the allowlist, a side-effecting tool held for approval, and the audit trail — key-free.
## Design principles

- **Deterministic core in Go.** All enforcement (budgets, kill switches, gating, routing, retries, checkpointing) lives in compiled, statically-typed code — never in an LLM.
- **No telemetry, ever.** Nothing phones home. It's a verifiable promise; see SECURITY.md.
- **Your keys, your infra.** Secrets come from env / `.env` / OS-keyring, never stored in state, never logged.
- **Near-zero adoption friction.** Every decision is judged by "how few changes must an existing user make?" One env var is the gold standard.
- **Backwards compatibility is sacred.** Self-hosted users can't be force-migrated. See COMPATIBILITY.md.
## ⭐ If this is useful
RiskKernel is a one-person, build-in-public project. If the idea resonates — or you just want runaway agents to stop quietly burning money — a star genuinely helps: it's how other people find it, and it tells me which parts are worth building next.
And if you actually run it, I'd love to hear where the guardrails are too strict or too loose — open an issue. That feedback shapes the roadmap directly.
## Contributing
Contributions are welcome. Start with ARCHITECTURE.md for a map of the codebase (and a "where do I code?" table), then CONTRIBUTING.md for dev setup and the PR flow. We use GitHub Flow — fork, branch off main, open a PR; CI (build & test + CodeQL) and a maintainer review gate every merge.
Good places to start: issues tagged good first issue. Be excellent to each other — see the Code of Conduct.
## License
Apache-2.0. The runtime stays permissive, forever.