v0.18 · self-host or cloud

Run AI agents like services.

PaiRun is the platform AI builders use to ship agents to production — with the primitives Kubernetes gives services. Declarative specs, identity, budgets, audit. No glue code.

Quickstart → Read the docs
terminal pai v0.2.0
Platform Capabilities

Everything agents need
to run in production

Integrated capability planes purpose-built for the demands of agentic AI workloads — from lifecycle and auto-scaling to zero-trust security and full observability.

Lifecycle & Auto-scaling

Declarative agent specs, controller-driven reconciliation, and metric-driven autoscaling. Scale on token rate, JIRA backlog depth, or any HTTP endpoint — no HPA required.

Observability

Token consumption and tool calls logged per workload. Tamper-evident cryptographic audit chain queryable via the CLI. Budget enforcement with hard daily cutoffs per agent.

Security

Non-root execution, seccomp syscall filtering, Landlock filesystem confinement, and a cryptographic audit chain on every agent. AI-specific threat detection built in.

Identity Management

Every agent gets a cryptographic SPIFFE identity. Secrets injected at runtime, agents never hold credentials. Platform-brokered OAuth to third-party services.

LLM Gateway

A unified, OpenAI-compatible endpoint for all agents. Route across OpenRouter, Anthropic, OpenAI, and local models with fallback chains, cost limits, and semantic caching.

Service Bindings

Connect agents to Jira, GitHub, Slack, and more. Each binding carries its own access control policy. Agents get exactly the permissions they need, nothing more.

Browser Control

Bridge your local Chrome to a remote agent over an encrypted WebSocket relay. Agents can browse, screenshot, and interact with any page — without a headless browser running in the cluster.

Task Agents

Run agents without a container image. Define a system prompt, tools, and skills in an Agent template — the platform harness handles the runtime. Each task gets an isolated, ephemeral container with a full event stream.

Deploy as Code

Every agent is a
declarative manifest

No scripts, no manual wiring. One YAML for persistent long-running agents — bring your own image. Or use task mode: declare a system prompt and tools in an Agent template, skip the container entirely.

modelBindings Pin to one or more models. Swap LLM providers without touching agent code.
providers Declare Jira and GitHub access. The platform brokers auth — the agent never holds credentials.
autoscaling Scale replicas automatically based on token rate, JIRA backlog depth, or any HTTP metric endpoint.
tokens.maxPerDay Hard budget cap enforced by the LLM Gateway. No runaway spend.
filesystem Kernel-level write restrictions via Landlock LSM. Protect config files and system paths from a compromised agent.
agent.yaml persistent mode 
apiVersion: pai.io/v1
kind: Agent
metadata:
  name: research-agent
spec:
  type: service
  image: registry.internal/openclaw:v1.2.0
  modelBindings: [claude-sonnet-4-6, gemini-flash]
  providers: [jira-read-comment, github-pr-writer]
  autoscaling:
    minReplicas: 1  maxReplicas: 5
    metrics:
      - type: tokenRate  targetValuePerReplica: 500
  tokens:
    maxPerDay: 50000  maxPerRequest: 8192
  filesystem:
    readOnlyPaths: [/etc, /home/node/.config]
agent-template.yaml template mode — no image 
apiVersion: pai.io/v1
kind: Agent
metadata:
  name: code-reviewer
spec:
  modelBindings: [claude-sonnet-4-6]
  system: |
    You are a senior code reviewer.
    Review PRs for correctness and security.
  tools:
    - type: bash
    - type: read
    - type: web_fetch
  providers: [github-pr-writer]
  packages:
    pip: [pygithub]
---
kind: Agent
  type: task
spec:
  agentDefinition: code-reviewer
  task: "Review PR #142 for security issues"
Security

Embedded at every layer

Four domains, zero gaps. From continuous risk assessment through runtime, identity, and data — including AI-specific threats no existing platform understands.

Continuous Risk Assessment

  • Live risk score per workload, updated in real time as new CVEs are published
  • Workloads exceeding configured risk thresholds are automatically blocked or flagged
  • SBOM generated at push time; the basis for all ongoing risk calculations
  • Embedded secret detection in image layers before admission
  • Image signing enforced via Cosign / Sigstore
  • Compliance posture mapped to SOC2, ISO 27001, NIST AI RMF

Runtime Protection

  • Kernel-level syscall filtering blocks dangerous operations platform-wide — no configuration required
  • Per-path filesystem confinement — declare which paths an agent can write to; the kernel enforces it
  • Every subprocess launched by an agent is recorded in a tamper-evident audit log
  • Root execution is rejected at deploy time, not discovered at runtime
  • No privilege escalation possible — enforced at the platform level, not by the agent
  • Agents can only reach services they have been explicitly granted access to — all other traffic is blocked

Identity & Access Management

  • Every agent gets a cryptographic SPIFFE workload identity — unique, short-lived, auto-rotated
  • Human operators authenticate via SSO (OIDC / SAML) with platform-scoped RBAC
  • Just-in-time access: elevated permissions granted for a bounded window, then revoked
  • Non-human identity governance: all machine credentials inventoried and lifecycle-managed
  • Federation with corporate IdP (Okta, Azure AD, Ping)
  • Admin-level actions require approval workflow and are fully logged

Data Protection

  • Encryption at rest (AES-256) with platform-managed or customer-managed keys (BYOK)
  • mTLS on all internal traffic; TLS 1.3 minimum for external communication
  • PII detection and configurable masking on agent inputs, outputs, and logs
  • Data classification labels (public to restricted) enforced through access policies
  • Data residency controls — workloads and data pinned to specific regions
  • Secrets rotation schedules, expiry, and automatic revocation on workload termination

Cryptographic Audit Chain & AI-Specific Threat Detection

  • Every agent action — LLM calls, tool calls, service requests, process launches, and policy denials — is written to a tamper-evident audit chain
  • Chain integrity can be verified at any time, even after the agent is gone
  • Access policies can be updated on running agents instantly, without a restart
  • Shadow mode: validate new policies against live traffic before switching to enforcement
  • Prompt injection detection on inbound tool results before feeding to the agent
  • Runaway token consumption is caught and cut off at the gateway before it becomes a cost incident
LLM Gateway

One endpoint. Every model.
Full control.

Agents target a ModelBinding, not a provider. The gateway handles routing, fallback, cost enforcement, and credential isolation.

Agent
OpenAI-compatible API
single endpoint
Pai LLM Gateway
AuthN/Z ModelPolicy Router Rate Limiter Semantic Cache Cost Tracking Telemetry
routed by ModelBinding
Anthropic
Gemini
OpenAI
OpenRouter
Why not call providers directly?

Credential isolation

API keys live in the platform secret store. Agents have zero knowledge of provider credentials.

Cost attribution

Token consumption tracked and budgeted per agent. Hard cutoffs prevent runaway spend before it hits your bill.

Audit trail

Every LLM call logged with model, tokens, latency, cost, and the agent identity that made it.

Smart fallback

Platform-aware failover chains. If quota is exceeded or a provider is down, route to the next option seamlessly.

Provider agnostic

Switch models or providers without touching agent code. Your agents target an abstraction — the platform handles the rest.

Service Bindings

Connect agents to
your enterprise tools

Every binding to an external system carries its own access control policy. Agents get exactly the permissions they need. Nothing more.

jira-read-comment
Jira · mycompany.atlassian.net
issues:read issues:comment projects:admin
github-pr-writer
GitHub · org/repo-a, org/repo-b
pulls:create issues:read admin:*
slack-post-only
Slack · #alerts, #deployments
messages:post channels:read users:list
pagerduty-trigger
PagerDuty · ops-team service
incidents:create schedules:*

Per-binding access control — a first-class primitive

Action-level policies

Each binding declares an explicit allow/deny list of actions. An agent can have read-only access to Jira and write access to GitHub simultaneously — no shared policy surface.

Credential isolation

API keys, OAuth tokens, and app credentials live in the platform secret store. The agent process never sees them. All requests are proxy-brokered using short-lived scoped tokens.

Scope restrictions

Go beyond action policies — restrict a GitHub binding to specific repositories, a Jira binding to specific projects, or a Slack binding to specific channels.

Full audit trail

Every API call through a binding is logged: calling agent identity, timestamp, action, target resource, and outcome. Compliant by default.

Instant revocation

Disable a binding platform-wide in one operation. All agents using it lose access immediately — no redeployment required.

Architecture

Built on Kubernetes.
Extended for agents.

Pai extends Kubernetes with AI-native CRDs and a control plane that understands agent semantics, not just containers.

Control Plane
Lifecycle Controller Autoscaler Loop LLM Gateway API Server Provider Policy Engine DNS + TLS Provisioner Audit Chain Store
reconciles & manages
Agent Pod
Agent Container Provider Proxy (sidecar) Exec Audit (LD_PRELOAD) Landlock LSM
Agent Pod
Agent Container Provider Proxy (sidecar) Exec Audit (LD_PRELOAD) Landlock LSM
Agent Pod
Agent Container Provider Proxy (sidecar) Exec Audit (LD_PRELOAD) Landlock LSM
Get Started

Deploy your first agent
in under 5 minutes

Install Pai, connect your LLM provider, and deploy an AI agent with full observability and zero-trust security.

Quickstart Read the docs
$helm install pai pai/pai $pai create -f agent.yaml