Agents run free.
You stay in control.

// The operating system for AI agents.

Download v0.0.1 View on GitHub Read docs
89caps
Typed Capabilities
<1ms
Policy Evaluation
5min
Setup
models
Any Provider
What is KruxOS

A substrate built for agents — not adapted from desktop OS.

Today's agents run on top of operating systems designed for humans typing in terminals. KruxOS flips that: every action an agent can take is a typed capability — a small, declared, auditable function with a known input shape and a policy gate in front of it.

Agents call capabilities. A deterministic policy engine decides whether each call is autonomous, notify, approval-required, or blocked. A human supervises from a dashboard. Every invocation lands in a hash-chained audit log.

No LLMs in the policy path. No prompt-engineered guardrails. Just a kernel-isolated sandbox, a typed gateway, and rules you can read.

agentcode-assistant
callsgit.commit
args{ message: "fix(auth): handle expired tokens" }
policyautonomous
latency0.4 ms
sandboxuid 1100 · landlock · seccomp
auditcbor #94217 · chained · signed
result✓ committed a3f9c12
Live demo

Watch an agent work. Watch yourself decide.

Left: an agent chatting with a model. Right: every capability it touches — green for autonomous, amber for approval, red for blocked. Switch models, switch scenes.

dashboard.kruxos.local:7800
Live
Chat · code-assistant claude-sonnet-4-5
KruxOS Activity 0 events
Quickstart

Two paths. Same dashboard.

Docker if you're evaluating. VM appliance if you're shipping — it's the only path with Code Sessions (per-call fork into a fresh agent VM) because Docker doesn't delegate cgroup v2.

01 / Pull

Grab the appliance.

Docker image or VM file. Signed with cosign. Aarch64 and x86_64.

02 / Configure

Mount your model keys.

Anthropic, OpenAI, Gemini, or point at a local Ollama. Mix and match.

03 / Run

Start the gateway.

Dashboard on 7800. MCP on 7700. Bearer-auth on 7703.

04 / Open

Supervise from the browser.

Self-signed HTTPS. Create an admin passphrase. Mint your first agent.

evaluation · 30s
terminal · zsh
# pull the v0.0.1 image (signed, ~480MB) $ docker pull altvale/kruxos:v0.0.1 # run with all four ports + persistent state $ docker run -d --name kruxos \ -p 7700:7700 -p 7800:7800 -p 7701:7701 -p 7703:7703 \ -v ~/.kruxos:/data/kruxos \ -e ANTHROPIC_API_KEY=$ANTHROPIC_API_KEY \ altvale/kruxos:v0.0.1 # open the dashboard (self-signed cert — accept once) $ open https://localhost:7800
terminal · zsh
# download the qcow2 image (signed, ~128MB) $ curl -LO https://github.com/altvale/kruxos/releases/latest/download/kruxos-x86_64.qcow2 # boot with QEMU/KVM + port-forward the dashboard ports $ qemu-system-x86_64 \ -m 2048 -smp 2 -enable-kvm \ -netdev user,id=n0,hostfwd=tcp::7800-:7800,hostfwd=tcp::7700-:7700,hostfwd=tcp::7703-:7703 \ -device virtio-net,netdev=n0 \ -drive file=kruxos-x86_64.qcow2,if=virtio # or import the .vmdk / .box into VirtualBox / Vagrant / vSphere $ open https://localhost:7800 # full kernel sandbox · cgroup v2 delegation · code sessions enabled
Code Sessions — KruxOS's per-call fork into a fresh agent VM — require the VM appliance. Compare paths in detail →
Architecture

Three layers. One gate.

Agents sit above. Hardware sits below. KruxOS is the typed surface between them — every call typed, every call audited, every call gated.

Layer 01 · Top
AI Models
Bring your own. Frontier or local.
Opus 4.7 GPT-5.5 Gemini 3.1 OpenRouter Local
Layer 02 · KruxOS
Gateway · Policy · Audit
89 typed capabilities across 13 categories. Deterministic policy. Hash-chained audit. Kernel sandbox.
gateway policy audit sandbox vault
Layer 03 · Bottom
Your Hardware
Linux kernel namespaces. Anywhere with cgroup v2.
Mac Mini Server VPS Docker VM
Policy engine

Four tiers. Hot-reloadable YAML.

Every capability call passes through the gate. The gate matches it against your policy — pattern by pattern, arg by arg — and assigns one of four tiers. No LLM in the path. Sub-millisecond eval.

autonomousRuns without asking.
notifyRuns, tells you.
approval_requiredWaits for you.
blockedNever runs.

/data/kruxos/policies/*.yaml — edit, save, reload. No restart.

Live evaluation policy.v0.0.1.yaml
filesystem.read
/workspace/**, /mnt/**
autonomous
git.commit
message != null, scope: workspace
autonomous
network.fetch
domain in allowlist.yaml
notify
email.send
to: external recipient
approval_required
email.bulk_delete
count > 5
approval_required
secrets.read
scope: any
approval_required
process.run
argv matches rm -rf /
blocked
network.bind
port < 1024
blocked
Sandbox

Five-layer kernel isolation.

Agents don't get a chroot and a prayer. Every agent process runs as a low-privilege uid, in its own namespaces, under cgroup v2 limits, with seccomp filtering syscalls and Landlock enforcing mandatory access control over the filesystem. Nftables sits in front of the network.

The AdminAgent is the only path to elevated privilege — and that path is gated by per-agent policy, just like everything else.

Process model

Per-capability fork. No long-lived agent shell. Clean state each call.

default uid1100 · kruxos-agent
namespacesuser · mount · pid · net · uts
AdminAgentuid 0 · host ns · policy-gated
NS
user · mount · pid · net · uts
Linux namespaces — agent sees its own world.
01
CG
cgroup v2
CPU, memory, IO, PIDs — hard caps per agent.
02
SC
seccomp BPF
Syscall allowlist — nothing dangerous compiles.
03
LL
Landlock
Mandatory access control on filesystem reads & writes.
04
NF
nftables
Per-agent egress rules. Default deny.
05
Models

Any model. Anywhere.

Frontier APIs, OpenAI-compatible endpoints, a 200+ model OpenRouter pool, or fully offline via Ollama, vLLM, LM Studio, llama.cpp. Pick per-agent.

Anthropic
claude-opus-4-7
claude-sonnet-4-6
claude-haiku-4-5
OpenAI
gpt-5.5 · gpt-5.5-pro
gpt-5.5-instant
+ compatible APIs
Google Gemini
gemini-3.1-pro
gemini-3-deep-think
gemini-3.1-flash · -flash-lite
OpenRouter
200+ models
DeepSeek · Grok · Mistral
Groq · GLM · Llama
Local
Ollama · vLLM
LM Studio · llama.cpp
Offline-capable
Bring your own
OpenAI-compatible
JSON-RPC bridge
Custom adapters
Community

Open extensions.

Packs, plugins, themes, and public docs are Apache 2.0. Build your own capabilities. Ship them to the registry (v0.0.2).

Open source

Capability Packs

Apache 2.0 surfaces — packs/, plugins/, themes/, docs/public/. Public registry ships in v0.0.2.

github.com/altvale/kruxos →
Discord · live

Talk to the team.

Real humans. v0.0.1 launch channel. Policy patterns, sandbox debugging, capability requests.

discord.gg/VXvQKNv6Jn →
Issues · releases

Ship breakage early.

v0.0.x is shipping live. File issues. Tag releases. Watch the changelog.

github.com/altvale/kruxos/issues →

Built for agents.
Approved by humans.

Download v0.0.1 Read the docs
And that's the Krux of it.