@unicity-astrid

Astrid OS

By Unicity Labs

Astrid

Run AI agents and the tools they use without having to trust them.

AI agents fail in ways a better prompt cannot fix. A jailbreak, a poisoned tool, or a plain bug, and the agent reaches for access you never meant to give it. Astrid contains that by construction: every agent, and every tool it calls, runs as a sandboxed WebAssembly capsule with only the permissions you granted and the resource budget you set. A compromised agent still cannot read a file, reach a network, or spawn a process outside its grant, and it cannot burn unbounded CPU or memory. Every action it takes flows through a tamper-evident audit chain, so you can prove exactly what ran and why.

Astrid is a user-space microkernel written in Rust. The kernel is a dumb event router: it routes messages, enforces permissions, and owns the sandbox, with no agent logic of its own. Everything an agent can do is a capsule you compose, isolated from the kernel and from every other capsule.

The model

  • The kernel is dumb. It routes IPC events, enforces capabilities, and owns the WebAssembly sandbox. It holds no business logic. All intelligence lives in capsules.
  • Capsules are WASM processes. Each targets wasm32-unknown-unknown, declares its interface and the host resources it needs in a manifest, and reaches the rest of the system only over a typed IPC bus. No ambient authority, no raw syscalls.
  • Permissions only ever narrow. A sub-agent can be granted a smaller slice of access than its parent, never a larger one. Grants are signed capability tokens scoped per principal, so they cannot be forged or escalated.
  • Everything is audited. Host calls and IPC flow through a BLAKE3-linked audit chain, so the record of what an agent did is tamper-evident, not advisory.
  • Defense in depth, fail secure. Input classification, capability checks, sandboxing, approval gates, and audit logging stack in front of every action. When a layer is unsure, it denies.
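The "permissions only ever narrow" and "when unsure, deny" rules above can be made concrete with a small model. This is an added example, not code from Astrid or its SDKs: `Cap`, `Grant`, `attenuate`, `covers` and `is_under` are hypothetical names, and the signing of capability tokens is left out.

```rust
// Added illustration: hypothetical types, not Astrid's API. Token signing is omitted.
use std::collections::BTreeSet;

#[derive(Clone, Debug, PartialEq, Eq, PartialOrd, Ord)]
enum Cap {
    FsRead(String),     // directory subtree
    NetConnect(String), // exact host name
    Spawn,
}

#[derive(Clone, Debug)]
struct Grant { caps: BTreeSet<Cap> }

// Containment on whole path components. Any ".." is refused outright so a
// traversal sequence cannot widen the subtree.
fn is_under(root: &str, path: &str) -> bool {
    if path.split('/').any(|part| part == "..") {
        return false;
    }
    let root = root.trim_end_matches('/');
    path == root || path.strip_prefix(root).map_or(false, |rest| rest.starts_with('/'))
}

// True when a capability the parent holds already covers the requested one.
fn covers(have: &Cap, want: &Cap) -> bool {
    match (have, want) {
        (Cap::FsRead(root), Cap::FsRead(path)) => is_under(root, path),
        (Cap::NetConnect(a), Cap::NetConnect(b)) => a == b,
        (Cap::Spawn, Cap::Spawn) => true,
        _ => false, // different kinds never imply each other
    }
}

impl Grant {
    // Derive a sub-agent grant. One uncovered request denies the whole
    // derivation (fail secure) and reports the offending capability.
    fn attenuate(&self, requested: &[Cap]) -> Result<Grant, Cap> {
        match requested.iter().find(|want| !self.caps.iter().any(|have| covers(have, want))) {
            Some(denied) => Err(denied.clone()),
            None => Ok(Grant { caps: requested.iter().cloned().collect() }),
        }
    }
}

fn main() {
    let parent = Grant { caps: vec![Cap::FsRead("/work/project".into())].into_iter().collect() };
    println!("{:?}", parent.attenuate(&[Cap::FsRead("/work/project/src".into())]));
    println!("{:?}", parent.attenuate(&[Cap::FsRead("/work/project-secrets".into())]));
}
```

The sibling directory `/work/project-secrets` is refused because containment is checked on path components, not on a raw string prefix.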

Start here

  • The Astrid Book. The canonical reference: the kernel, the capsule model, the host ABI, the bus, and the security model.
  • The Contributor Handbook. How to work on Astrid: the polyrepo, the kernel-is-dumb law, the RFC process, and release standards.
  • astrid. The kernel: the daemon, the CLI, and the astrid-* crates.
  • sdk-rust. The Rust SDK for building capsules.
  • sdk-js. The JavaScript and TypeScript SDK for building capsules.

How it is organized

Astrid is a polyrepo. The kernel, the SDKs, the design RFCs, and every capsule are separate repositories.

| Repository | What it is |
|------------|------------|
| astrid | Kernel: daemon, CLI, sandbox, capability store, audit chain |
| sdk-rust | Rust capsule SDK and host bindings |
| sdk-js | JavaScript and TypeScript capsule SDK |
| rfcs | Proposals for any change to the kernel-to-user-space contract |
| capsule-* | Capsules: the agent capabilities themselves, each sandboxed and capability-scoped |

Frontends such as the CLI and web connect to a running kernel as uplinks over a Unix socket. One daemon, shared audit and capabilities across every connection.


Built by Unicity Labs. Dual-licensed under MIT and Apache 2.0.

Pinned

  1. astrid (Public)

    An operating system for AI agents.

    Rust 10.4k 127

  2. rfcs (Public)

    RFCs for the Astrid agent runtime

    Python 4.3k 8

  3. book (Public)

    The canonical reference for Astrid OS: kernel, capsules, host ABI, the bus, and the security model.

    Perl 7.6k 31

  4. handbook (Public)

    How to work on Astrid: the polyrepo, the kernel-is-dumb law, the RFC trigger, contribution tiers, and the release process.

    7.5k 42
