KilneOS Universal - a sandboxed desktop for AI agents
Give an agent a real
computer, not root.
KilneOS Universal is a desktop you run as an ordinary app. Hand an AI agent a real desktop to drive - windows, a terminal, files, the web - while deny-by-default brokers keep it inside a sandbox and a replayable audit records every move.
~/.kilne $ agent open --app terminal
[broker] file scope: ~/.kilne/ (deny-by-default)
[broker] net: 80/443 ok - RFC1918 denied
[audit] session.jsonl - append-only
~/.kilne $ ls
apps notes.md session.json
~/.kilne $

What it gives an agent
A real desktop, wrapped in a sandbox.
Six things KilneOS puts in front of an agent - one short line each, no jargon. The depth behind each is further down, under the hood.
The desktop
A GPU-native desktop
A real desktop drawn on your GPU - windows, a terminal, files and the web - running as one ordinary app.
The boundary
A capability sandbox
Deny-by-default file and network brokers scope every app to ~/.kilne/ and public ports 80 and 443. Nothing else.
The record
A replayable audit
Every allow and every deny is appended to a JSON-Lines log you can replay, action by action.
How it runs
Host GPU, no VM
Draws straight to Metal, Vulkan or DX12 on your machine. No virtual machine, no dual-boot, no GPU passthrough.
Out of the box
Real desktop, real apps
Ships with a multi-app window manager and system apps: terminal, text editor, file manager and image viewer.
Designed - not built
Agent control
A typed control path for an external agent to drive the desktop - gated, redacted and audited. Designed, not yet built.
The sandbox flow
Every action runs the same gate.
Nothing reaches your machine unchecked. An agent asks, the broker rules on it against a deny-by-default policy, and the outcome - allow or deny - runs sandboxed and lands on a replayable record.
01
An agent asks
Read a file, open a port
02
The broker checks
Against a deny-by-default policy
03
Allow or deny
Scoped to ~/.kilne/ and ports 80 / 443
04
The action runs
Sandboxed on the real desktop
05
Written to the audit
Append-only, replayable JSON-Lines
The problem
Do not give an agent root on your laptop.
- The agent drives a real desktop, not your host machine
- Deny-by-default brokers gate every file read and network call
- Your home directory, LAN and localhost stay off-limits
SandboxThe record
Every action stays on the record.
- Append-only log - allows and denies both recorded
- Replay any session in order, action by action
- Runs as a light app today; scales to dedicated hardware later
AuditHow it compares
Give an AI agent a computer, safely.
Every option below can put an agent behind a keyboard. They differ on what happens when the agent misbehaves. KilneOS is the only one that pairs a real desktop with a deny-by-default sandbox and a replayable record.
Each neighbour keeps its real strengths - a root shell is fast to wire up, a VM isolates a whole guest OS, an Electron shell ships a familiar app. KilneOS trades some of that for a real desktop that stays inside a broker-enforced sandbox, with every action on a replayable record.
Under the hood
How the sandbox actually holds together.
The story above is the plain version. For evaluators, here is the mechanism - KilneOS is a thin composition layer on the Rune runtime, with app logic on the Arth bytecode VM via detir-arth.
A deny-by-default sandbox
Three brokers govern every action. The file and network brokers ship today with tests, wired into the shell's sandbox layer; each verdict - allow or deny - lands in the audit.
A replayable audit
The audit logger appends one JSON-Lines record per action - timestamp, agent id, target app, action type and the broker's verdict. Nothing is overwritten. Today the agent is the shell itself, so the record reads agent_id "kilneos-shell".
{"timestamp":"2026-07-09T14:22:01.104Z","agent_id":"kilneos-shell","target_app":"terminal","action_type":"app.launch","result":{"status":"ok"}}
{"timestamp":"2026-07-09T14:22:07.882Z","agent_id":"kilneos-shell","target_app":"terminal","action_type":"file.write","result":{"status":"ok"}}
{"timestamp":"2026-07-09T14:22:09.417Z","agent_id":"kilneos-shell","target_app":"terminal","action_type":"file.read","result":{"status":"denied","reason":"outside ~/.kilne/"}}
{"timestamp":"2026-07-09T14:22:15.220Z","agent_id":"kilneos-shell","target_app":"browser","action_type":"net.connect","result":{"status":"ok"}}
{"timestamp":"2026-07-09T14:22:18.061Z","agent_id":"kilneos-shell","target_app":"browser","action_type":"net.connect","result":{"status":"denied","reason":"private network (RFC1918)"}}
# replay:read_session_log(path)
Runs on your GPU, not in a VM
A small per-platform binary opens one window and a wgpu surface, then draws the whole desktop directly on your GPU through Metal, Vulkan or DX12. The real build is close to the ~49MB Lite size, because live web content renders through the host's native WKWebView - not a bundled Chromium.
Agent control - designed, not yet built
The agent-protocol server does not exist yet - the kilneos-agent crate is not built. The sandbox that will contain a real external agent is already shipping; this is the control path it is being built toward. When it lands, an external agent connects over this typed path - gated by capabilities, filtered by redaction, and recorded in the same audit.
Typed-IR control path
plannedFor native apps: a deterministic, typed intermediate representation the agent drives directly - no screen-scraping, no pixel guessing.
Accessibility-tree path
plannedFor web content, a separate path drives the app through its accessibility tree.
Capability gating
plannedPer app, per agent: read versus actuate. An agent that can observe is not automatically allowed to act.
Redaction
plannedPasswords, secrets and host paths are redacted before they ever reach the agent.
One honest edge: the brokers fully govern file access and app-initiated network calls, but live web pages render through the host's native WKWebView, which sits outside the Rust network broker - so file and app-network enforcement is strong, and live web egress is thinner today.
Private - early access
A real desktop for your agent - and a sandbox it cannot leave.
KilneOS Universal runs as an ordinary app on the machine you already have. It scopes every app to ~/.kilne/, denies your LAN and localhost by default, and records everything in a replayable audit. It is early, v0.1.0, and access is private - no public download yet. Request an invite and we will compare notes with you.