KilneOS Universal - a sandboxed desktop for AI agents

Give an agent a real
computer, not root.

KilneOS Universal is a desktop you run as an ordinary app. Hand an AI agent a real desktop to drive - windows, a terminal, files, the web - while deny-by-default brokers keep it inside a sandbox and a replayable audit records every move.

KilneOS Universalsandboxed
terminal - zsh (pty)

~/.kilne $ agent open --app terminal

[broker] file scope: ~/.kilne/ (deny-by-default)

[broker] net: 80/443 ok - RFC1918 denied

[audit] session.jsonl - append-only

~/.kilne $ ls

apps notes.md session.json

~/.kilne $

A corridor between rows of servers in a data center
A data-center corridor. Photo is illustrative.

What it gives an agent

A real desktop, wrapped in a sandbox.

Six things KilneOS puts in front of an agent - one short line each, no jargon. The depth behind each is further down, under the hood.

The desktop

A GPU-native desktop

A real desktop drawn on your GPU - windows, a terminal, files and the web - running as one ordinary app.

The boundary

A capability sandbox

Deny-by-default file and network brokers scope every app to ~/.kilne/ and public ports 80 and 443. Nothing else.

The record

A replayable audit

Every allow and every deny is appended to a JSON-Lines log you can replay, action by action.

How it runs

Host GPU, no VM

Draws straight to Metal, Vulkan or DX12 on your machine. No virtual machine, no dual-boot, no GPU passthrough.

Out of the box

Real desktop, real apps

Ships with a multi-app window manager and system apps: terminal, text editor, file manager and image viewer.

Designed - not built

Agent control

A typed control path for an external agent to drive the desktop - gated, redacted and audited. Designed, not yet built.

The sandbox flow

Every action runs the same gate.

Nothing reaches your machine unchecked. An agent asks, the broker rules on it against a deny-by-default policy, and the outcome - allow or deny - runs sandboxed and lands on a replayable record.

01

An agent asks

Read a file, open a port

02

The broker checks

Against a deny-by-default policy

03

Allow or deny

Scoped to ~/.kilne/ and ports 80 / 443

04

The action runs

Sandboxed on the real desktop

05

Written to the audit

Append-only, replayable JSON-Lines

The problem

Do not give an agent root on your laptop.

The quickest way to give an AI agent a computer is a root shell - and it is the most dangerous. The agent inherits your real files, your LAN and every running process, with nothing to replay when it goes wrong. KilneOS inverts that: the agent gets a genuine desktop to drive, but everything it touches is scoped to ~/.kilne/.
  • The agent drives a real desktop, not your host machine
  • Deny-by-default brokers gate every file read and network call
  • Your home directory, LAN and localhost stay off-limits
A dark screen of source codeSandbox
Source code on a dark screen. Illustrative photo.

The record

Every action stays on the record.

Every move an app makes - each allow and each deny - is appended to a JSON-Lines audit that is never overwritten. Read it back with read_session_log and replay a session in order, so you can see exactly what happened. Start on the laptop you have; deploy on bare metal when you are ready.
  • Append-only log - allows and denies both recorded
  • Replay any session in order, action by action
  • Runs as a light app today; scales to dedicated hardware later
Rows of server racks in a data centerAudit
A row of server racks. Illustrative photo.

How it compares

Give an AI agent a computer, safely.

Every option below can put an agent behind a keyboard. They differ on what happens when the agent misbehaves. KilneOS is the only one that pairs a real desktop with a deny-by-default sandbox and a replayable record.

KilneOSAn agent with rootA VM / dual-bootAn Electron shell
What the agent can touchOnly ~/.kilne/ and public ports 80 / 443Your whole machineA full guest OSWhatever the app exposes
IsolationDeny-by-default file and network brokersNoneA hypervisor - heavy to runProcess or renderer only
Runs asAn ordinary app on the host GPUA shell on your OSA virtual machineA bundled Chromium app
AuditReplayable JSON-Lines recordShell history at bestGuest-definedApp-defined
SetupInstall and launch, a light appInstant, but unsafeProvision and boot a guestPer app

Each neighbour keeps its real strengths - a root shell is fast to wire up, a VM isolates a whole guest OS, an Electron shell ships a familiar app. KilneOS trades some of that for a real desktop that stays inside a broker-enforced sandbox, with every action on a replayable record.

Under the hood

How the sandbox actually holds together.

The story above is the plain version. For evaluators, here is the mechanism - KilneOS is a thin composition layer on the Rune runtime, with app logic on the Arth bytecode VM via detir-arth.

A deny-by-default sandbox

Three brokers govern every action. The file and network brokers ship today with tests, wired into the shell's sandbox layer; each verdict - allow or deny - lands in the audit.

app actionfile broker + network brokersession.jsonl
FILEwrite ~/.kilne/notes.mdALLOW
FILEread ~/.ssh/id_rsaDENY
NETGET api.example.com:443ALLOW
NETconnect 192.168.1.10:22DENY
NETconnect 127.0.0.1:5432DENY

A replayable audit

The audit logger appends one JSON-Lines record per action - timestamp, agent id, target app, action type and the broker's verdict. Nothing is overwritten. Today the agent is the shell itself, so the record reads agent_id "kilneos-shell".

~/.kilne/data/audit/session-1720535000.logJSON-Lines - append-only

{"timestamp":"2026-07-09T14:22:01.104Z","agent_id":"kilneos-shell","target_app":"terminal","action_type":"app.launch","result":{"status":"ok"}}

{"timestamp":"2026-07-09T14:22:07.882Z","agent_id":"kilneos-shell","target_app":"terminal","action_type":"file.write","result":{"status":"ok"}}

{"timestamp":"2026-07-09T14:22:09.417Z","agent_id":"kilneos-shell","target_app":"terminal","action_type":"file.read","result":{"status":"denied","reason":"outside ~/.kilne/"}}

{"timestamp":"2026-07-09T14:22:15.220Z","agent_id":"kilneos-shell","target_app":"browser","action_type":"net.connect","result":{"status":"ok"}}

{"timestamp":"2026-07-09T14:22:18.061Z","agent_id":"kilneos-shell","target_app":"browser","action_type":"net.connect","result":{"status":"denied","reason":"private network (RFC1918)"}}

# replay:read_session_log(path)

Runs on your GPU, not in a VM

A small per-platform binary opens one window and a wgpu surface, then draws the whole desktop directly on your GPU through Metal, Vulkan or DX12. The real build is close to the ~49MB Lite size, because live web content renders through the host's native WKWebView - not a bundled Chromium.

KilneOS shellcompositor, window manager, brokers
Rune runtimedetir-scene - detir-platform - detir-app-runtime
jag-drawthe GPU canvas
wgpuone portable graphics API
Metal / Vulkan / DX12your platform's native backend
Your GPUno VM, no dual-boot, no passthrough

Agent control - designed, not yet built

The agent-protocol server does not exist yet - the kilneos-agent crate is not built. The sandbox that will contain a real external agent is already shipping; this is the control path it is being built toward. When it lands, an external agent connects over this typed path - gated by capabilities, filtered by redaction, and recorded in the same audit.

Typed-IR control path

planned

For native apps: a deterministic, typed intermediate representation the agent drives directly - no screen-scraping, no pixel guessing.

Accessibility-tree path

planned

For web content, a separate path drives the app through its accessibility tree.

Capability gating

planned

Per app, per agent: read versus actuate. An agent that can observe is not automatically allowed to act.

Redaction

planned

Passwords, secrets and host paths are redacted before they ever reach the agent.

One honest edge: the brokers fully govern file access and app-initiated network calls, but live web pages render through the host's native WKWebView, which sits outside the Rust network broker - so file and app-network enforcement is strong, and live web egress is thinner today.

Private - early access

A real desktop for your agent - and a sandbox it cannot leave.

KilneOS Universal runs as an ordinary app on the machine you already have. It scopes every app to ~/.kilne/, denies your LAN and localhost by default, and records everything in a replayable audit. It is early, v0.1.0, and access is private - no public download yet. Request an invite and we will compare notes with you.