Built for Real Systems
Tactus is a language + runtime for building tool-using agents that can run safely in production.
Built for real systems
The headline feature is not a keyword — it’s the control surface: sandboxing, capability control, durable HITL, and a secretless broker boundary (so even if something breaks in, there’s nothing valuable inside to steal).
Docker sandbox by default
Procedures run in a Lua sandbox inside a Docker container: keep the monkey in the box, and keep sensitive information out of the box.
Networkless by default
Keep the sandbox on network: none. This reduces the blast radius: the agent can’t download arbitrary code or steal data directly from inside the runtime environment.
API keys stay outside the sandbox
API keys never live in the runtime container, and never get passed into model prompts. The agent gets answers, not credentials.
Brokered tools
Tools that need secrets or privileged access can run outside the sandbox via a broker, streaming back results so the agent gets answers, not credentials.
Least privilege controls
Give the right tools and context at the right time: default-deny capabilities, per-step tool access, and approval gates.
Durable + testable
Checkpoint long workflows, add HITL where needed, and measure reliability with specs + evaluations.
Human-in-the-loop approvals
Approvals are a first-class primitive. When a workflow reaches an approval, it can suspend and wait—without hacks like “keep a process alive.”
local approved = Human.approve({
message = "Deploy to production?",
timeout = 3600,
default = false
})
if approved then
deploy()
endTransparent durability
Long-running workflows are durable: they can pause, resume, and survive restarts. The key is transparency—the workflow’s durable “waiting” points are explicit in code and visible in behavior.
-- A durable workflow can pause...
local approved = Human.approve({
message = "Publish these findings?",
timeout = 3600,
default = false
})
-- ...and resume later, without losing state.Docker sandbox by default
Procedures run in a Lua sandbox inside a Docker container: keep the monkey in the box, and keep sensitive information out of the box.
agent = Agent {
model = "openai/gpt-4o",
-- Runs in an isolated container by default
}Networkless by default
Keep the sandbox on network: none. This reduces the blast radius: the agent can’t download arbitrary code or exfiltrate data directly from inside the runtime environment.
-- In production, keep the runtime container networkless.
-- Model calls and tool calls happen through controlled host transports.Brokered tools (secrets stay out of prompts)
Some tools need secrets or privileged access. Tactus supports a brokered model: sensitive tools run outside the sandbox, and the agent receives results—not credentials.
-- The broker can call privileged tools...
-- ...while keeping secrets outside the agent runtime.
-- The agent gets outputs, not API keys.Capability control (least privilege)
Agents only get the tools you explicitly provide. The default posture is deny-by-default: no ambient access to files, shell, or network—only what you grant.
-- Tools are explicit; nothing is implicit.
agent = Agent {
model = "openai/gpt-4o",
tools = {
create_contact,
-- no other tools granted
}
}Specifications (executable behavior)
Specifications define what must be true. They help you test workflows, catch regressions, and build confidence before you run unattended in production.
Specifications([[
Feature: Safe deployments
Scenario: Requires approval
Given a deployment request
When the workflow runs
Then it should wait for approval
And not deploy without confirmation
]])Validation built in
Procedures declare typed inputs and outputs. The runtime validates inputs at the boundary, structures outputs, and makes failures explicit instead of silently drifting.
Procedure {
input = {topic = field.string{required = true}},
output = {approved = field.boolean{required = true}},
function(input)
-- ...
end,
}Ready to start building?
Follow a short walkthrough and build your first tool-using agent workflow.