Anthropic Announces Trusted Remote Execution (Rex): Policy-Enforced Scripts for AI Agents
Key Takeaways
- ▸Rex separates authorization from script logic: scripts define operations, Cedar policies define what's permitted, enforcing this at runtime rather than through pre-execution constraints
- ▸Every system operation is checked against policy before execution; denied operations return ACCESS_DENIED_EXCEPTION rather than causing unintended side effects or failing silently
- ▸Enables safer autonomous agent deployment by giving system owners full control over agent capabilities—agents can access logs and configs but cannot exceed policy-defined boundaries
Summary
Anthropic announced Trusted Remote Execution (Rex), an open-source scripting runtime that enforces authorization policies on all system operations before they execute. The tool addresses a critical safety gap: when AI agents autonomously generate and execute code, traditional safety mechanisms like code review and approval workflows don't apply. Rex solves this by separating concerns—the script says what to do, while a Cedar policy defines what's allowed—ensuring the host owner retains full control over operations regardless of what an agent requests.
Rex uses Rhai, a lightweight scripting language with no built-in system access. The only way scripts can interact with the host is through Rex's purpose-built SDK of operations (read, write, open, etc.), each of which evaluates the Cedar policy before executing. If the policy denies an operation, the script receives an ACCESS_DENIED_EXCEPTION and the operation never runs, allowing the agent to observe the denial, reason about it, and adjust its behavior.
This approach makes it practical to give AI agents real operational access—reading logs, inspecting configurations, restarting services—while maintaining hard boundaries. The tool is now available open-source under the Apache 2.0 License for Linux and macOS, with getting started guides and an interactive playground.
- Open-source under Apache 2.0 for Linux and macOS, installable via Cargo with interactive playground and getting started guides
Editorial Opinion
Rex represents a pragmatic approach to agentic safety at a critical inflection point: as AI systems increasingly operate on production infrastructure without direct human oversight. Rather than constraining agents themselves, it gives system owners a policy-based control lever that's enforced regardless of what an agent requests. This separation of concerns—script logic vs. host permissions—creates a clean security boundary and practical foundation for confident autonomous system deployment.
