AI AGENTS WILL GET COMPROMISED.
WHAT HAPPENS NEXT SHOULD BE PREDICTABLE.
From zero to prod in seconds
Install hlyn package
$ pip install hlyn
Resolving dependencies... ✓ hlyn 2.0 installed ✓ hlyn-core, hlyn-enforce, hlyn-audit
$ hlyn activate environment
Detecting host capabilities...
✓ seccomp-bpf: supported
✓ landlock-lsm: supported (kernel 5.13+)
✓ network namespaces: supported
✗ non-rootless container runtime — Landlock needs unprivileged exec
Kernel enforcement: PARTIAL
Run `hlyn doctor` to see required host changes. Configure your environment
environment.py
from hlyn import Environment
env = Environment(
name="production",
agent="agent-environment-01",
isolation="kernel",
trace=True
)
env.status()
# > boundary: ACTIVE
# > integrity: 100% Set environment policy
containment.policy.yaml
# containment.policy.yaml
environment: production
enforcement:
seccomp: strict
landlock:
filesystem: read-only
deny_paths: ["env.secrets", "env.credentials"]
network:
namespace: isolated
egress: deny
allow_hosts: []
binary_identity: verify
process_isolation: true
audit:
log: true
retention_days: 90 Deploy environment
$ hlyn deploy --policy containment.policy.yaml
Applying kernel-level enforcement... ✓ seccomp BPF filters loaded ✓ Landlock LSM rules applied ✓ Network namespace isolated ✓ Binary identity tracking active ✓ Audit trail: LOGGED ✓ Escape vector: NONE Environment sealed. Blast radius capped. ENV: hlyn-prod · STATUS: ACTIVE_CONTAINMENT
From zero to prod in seconds
$ pip install hlyn
Resolving dependencies... ✓ hlyn 2.0 installed ✓ hlyn-core, hlyn-enforce, hlyn-audit
$ hlyn activate environment
Detecting host capabilities...
✓ seccomp-bpf: supported
✓ landlock-lsm: supported (kernel 5.13+)
✓ network namespaces: supported
✗ non-rootless container runtime — Landlock needs unprivileged exec
Kernel enforcement: PARTIAL
Run `hlyn doctor` to see required host changes. environment.py
from hlyn import Environment
env = Environment(
name="production",
agent="agent-environment-01",
isolation="kernel",
trace=True
)
env.status()
# > boundary: ACTIVE
# > integrity: 100% containment.policy.yaml
# containment.policy.yaml
environment: production
enforcement:
seccomp: strict
landlock:
filesystem: read-only
deny_paths: ["env.secrets", "env.credentials"]
network:
namespace: isolated
egress: deny
allow_hosts: []
binary_identity: verify
process_isolation: true
audit:
log: true
retention_days: 90 $ hlyn deploy --policy containment.policy.yaml
Applying kernel-level enforcement... ✓ seccomp BPF filters loaded ✓ Landlock LSM rules applied ✓ Network namespace isolated ✓ Binary identity tracking active ✓ Audit trail: LOGGED ✓ Escape vector: NONE Environment sealed. Blast radius capped. ENV: hlyn-prod · STATUS: ACTIVE_CONTAINMENT
Frequently
asked
questions
hlyn is a runtime containment layer for building and shipping MCP (Model Context Protocol) applications. It handles the boilerplate of defining tools, resources, and prompts — auto-discovering them from your project — so you can focus on functionality and ship AI tools on top of the MCP ecosystem.
Hlyn is the Icelandic word for maple, representing growth and a strong protective shell. It provides a lightweight containment shell for AI execution.
Yes, hlyn is fully open source under the MIT license. You can view the code, contribute tools, and self-host the runtime containment layer.
hlyn is developed by a dedicated team of systems programmers and security researchers focused on building robust containment layers for autonomous AI agents and language models.
Unlike heavy container virtualization, hlyn runs directly on the host using native Linux kernel sandboxing (Landlock LSM, seccomp-bpf, and network namespaces). This provides near-instant boot times (<10ms) and zero resource overhead while strictly capping the process blast radius.
Policies are declared in a simple YAML configuration. During deployment, the hlyn runtime parses this file and compiles it into kernel-level BPF filters and filesystem isolation rules, enforcing read-only paths, network blocklists, and binary signature verification.
hlyn leverages kernel-enforced sandboxing via Landlock LSM and seccomp filters. By blocking system calls like
execve and isolating namespaces, even a compromised agent cannot access host credentials or run arbitrary binaries outside the defined boundary.
hlyn utilizes modern Linux features: Landlock LSM (introduced in kernel 5.13) for path containment, seccomp-bpf for syscall filtering, and unprivileged user namespaces. If your system runs an older kernel, hlyn will fall back to standard namespaces where possible.
The quickest way is
pip install hlyn, which scaffolds a project and lets you pick a package manager, transport (HTTP or STDIO), and which components (tools, prompts, resources) to include. To add hlyn to an existing app, install manually with pip install hlyn.
Currently, hlyn has first-class SDKs for Python and TypeScript/Node.js, allowing you to wrap any Python function or JS module as a secure MCP tool.
You can run hlyn locally, or deploy it as a microservice using standard orchestrators. Simply run
hlyn deploy --policy containment.policy.yaml to seal the environment and start the service.
Absolutely. You can define custom rules in your YAML policy file to whitelist specific local directories, allow connections to verified external API hosts, or block access to particular system resources.