What It Does — Claude Code Without the Terminal
Airut is a self-hosted, open-source bridge between your communication tools (email, Slack) and Claude Code's agentic capabilities. Instead of running claude code in your terminal, you describe a task in plain language via an email or Slack message. Airut creates a dedicated, isolated workspace for that conversation thread, clones your repository into it, and lets Claude Code start working immediately.
The core value proposition is asynchronous, auditable agent workflows. Email and Slack provide the threading, search, notifications, and mobile clients. You get a persistent conversation log for each task without maintaining terminal sessions or installing custom clients.
Setup — Install and Configure in Minutes
Installation is straightforward using the modern Python toolchain:
uv tool install airut
airut install-service
# Then open http://localhost:5200 to configure
Configuration involves connecting your communication channels (email via DMARC verification, Slack via workspace membership) and defining your target repositories. The security model is configured via the repository's default branch, not the agent's workspace, ensuring the agent cannot modify its own security rules.
The Security Model — Sandboxed Execution with Surrogate Credentials
This is where Airut shines for production use. Each task runs in a dedicated rootless Podman container with its own filesystem and process space, torn down after completion. Claude Code runs in fully permissive mode inside this sandbox.
Network traffic routes through a transparent proxy that enforces a per-repository allowlist with path and method-level rules. Even a compromised agent can only reach pre-approved hosts. Custom DNS prevents exfiltration.
Credential isolation uses format-preserving surrogates. The agent receives tokens that look real but are useless outside the sandbox. The proxy swaps these surrogates for actual credentials only when making requests to allowed hosts. For AWS, it re-signs SigV4 requests. Credential theft from inside the container yields nothing usable.
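The allowlist check and surrogate swap described in the two paragraphs above, sketched as an added example (not Airut's code or configuration format). The rule shape, function names, hosts and token are assumptions constructed for illustration, and SigV4 re-signing is not covered.

```python
import fnmatch
import secrets
import string
from urllib.parse import unquote, urlsplit

# Constructed rules; this shape is an assumption, not Airut's configuration format.
ALLOWLIST = [
    {"host": "api.github.com", "methods": {"GET", "POST"}, "path": "/repos/example-org/*"},
    {"host": "pypi.org", "methods": {"GET"}, "path": "/simple/*"},
]
ALPHABET = string.ascii_letters + string.digits

def make_surrogate(real):
    """Keep the token's prefix and length, randomize the rest."""
    prefix, sep, body = real.partition("_")
    if not sep:  # no recognizable prefix: randomize the whole token
        prefix, body = "", real
    return prefix + sep + "".join(secrets.choice(ALPHABET) for _ in body)

def proxy_request(method, url, headers, vault):
    """Return (allowed, outbound_headers); anything not matched is denied."""
    parts = urlsplit(url)
    host, path = parts.hostname or "", parts.path or "/"
    if ".." in unquote(path).split("/"):  # no traversal out of an allowed prefix
        return False, {}
    allowed = any(
        host == rule["host"]
        and method.upper() in rule["methods"]
        and fnmatch.fnmatchcase(path, rule["path"])
        for rule in ALLOWLIST
    )
    if not allowed:
        return False, {}
    out = dict(headers)
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    entry = vault.get(token)
    # Swap only when this surrogate is bound to the destination host.
    if entry and host in entry["hosts"]:
        out["Authorization"] = f"{scheme} {entry['real']}"
    return True, out

# Constructed sample credential (not a real token) and the proxy-side mapping.
REAL = "ghp_" + "A" * 36
SURROGATE = make_surrogate(REAL)
VAULT = {SURROGATE: {"real": REAL, "hosts": {"api.github.com"}}}
```

The surrogate is bound to a host as well as to a real secret, so a request to a different allowed host carries the surrogate through unchanged.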
The Complete Workflow — From Message to Deployment
- Trigger: Send a task description via email or Slack (e.g., "Add user audit logging to the auth service").
- Isolation: Airut creates a container, clones the repo, and starts Claude Code.
- Iteration: Claude Code works, asks questions, and modifies code within the thread.
- PR Creation: When ready, Claude Code pushes a Pull Request.
- Sandboxed CI: Your CI pipeline runs, but the agent-authored build/test commands execute inside an Airut sandbox (airut-sandbox CLI), protecting your runners.
- Review & Merge: You review the PR in the thread, comment, and iterate. Merge to deploy.
Multiple conversations run in parallel, each fully isolated. The security settings (network allowlists, container config) are read from the default branch. The agent can only propose changes via PR, which require human review and merge to take effect.
When To Use It — Specific Workflow Advantages
Use Airut when you want:
- Asynchronous collaboration: Let Claude Code work on tasks while you're offline or in meetings.
- Audit trails: Every agent action is tied to a message thread with full history.
- Mobile workflows: Review and guide Claude Code work directly from your phone.
- Enhanced security: For tasks requiring access to credentials or sensitive environments.
- Parallel tasking: Run multiple independent Claude Code sessions without terminal management overhead.
Avoid it for quick, exploratory terminal sessions where immediate back-and-forth is needed. This is for managed, production-adjacent work.
gentic.news Analysis
Airut represents a significant evolution in how developers orchestrate Claude Code, moving it from a purely interactive terminal tool to an asynchronous, workflow-integrated agent. This follows the broader trend of Claude Code gaining workflow automation capabilities, as seen with the recent preview of Auto Mode and integration with tools like Conductor. It directly complements the new Channels feature for persistent agents by providing the communication layer and security isolation.
The focus on security via containerization and credential surrogates addresses a critical concern for teams adopting AI coding agents in production environments. This aligns with increasing developer caution, highlighted by a recent critical bug report about production data deletion risks with Claude Code. Airut's model—where security rules are defined in the default branch and agents operate in sandboxes—provides a pragmatic guardrail.
As Claude Code appears in 155 articles this week (trending sharply upward), the ecosystem is rapidly maturing beyond basic code generation. Tools like Airut, MCP servers, and specialized agents (like Weaviate Agent Skills) are creating a layered toolchain. Airut's use of email/Slack as the interface is particularly clever, leveraging ubiquitous, battle-tested tools for notification, threading, and access control instead of building yet another dashboard.





