Today, we’re announcing Trusted Remote Execution (Rex, for short) — an open source scripting runtime where every system operation is authorized by policy.
Scripts are written in Rhai, a lightweight language with no built-in system access. The only way to reach the host is through operations Rex explicitly provides, which are authorized against a Cedar policy upon invocation.
Our Journey
Running operations on production systems is a fact of life when managing software — reading logs, checking disk usage, restarting a service. The problem is that most script execution environments give a script whatever permissions the execution context has. A script intended to read a log file can just as easily delete one.
This gets worse with AI agents. When an agent generates and executes a script autonomously, there’s no human in the loop reviewing each system call. The usual safety nets — code review, approval workflows, allowlisted commands —…