βββ ββββββββββββββββββββββββββββββββββββββββββ βββ
β ββ ββ β
ββββ βββββββββββββββ ββββ
ββ βββ βββββββββββ βββ ββ
ββ βββ ββββ Β· β Β· ββββ βββ ββ
ββ β ββββββ β R β β βββββ β ββ
ββ βββ ββββ Β· β Β· ββββ βββ ββ
ββ βββ βββββββββββ βββ ββ
ββββ βββββββββββββββ ββββ
β ββ Β· Β· Β· R - A I - O S KERNEL v2.0 ββ β
βββ ββββββββββββββββββββββββββββββββββββββββββ βββ
A Hardened, LLM-Native OS Kernel for Autonomous Agent Swarms
Vision β’ Security β’ Protocols β’ Modules β’ VS Code β’ Quick Start β’ CLI β’ Roadmap
R-AI-OS is not a CLI tool β it is a Kernel. While traditional operating systems manage hardware, R-AI-OS manages the AI layer: a decentralized swarm of 90+ autonomous specialists running across Claude Code, Gemini CLI, and any MCP-compatible agent.
It solves the fundamental problem of unsupervised agent execution: agents that run unchecked can leak secrets, corrupt files, and make unauthorized network calls. R-AI-OS sits between the human and the swarm as a hardened control plane β enforcing policies, auditing every action, and managing context economics.
Human β [ R-AI-OS Kernel ] β Agent Swarm (Claude / Gemini / MCP)
β
ββββββββββββββββββββββββββββββββββββββββββββββββ
β Security Kernel β Cortex β Swarm Mesh β
β Policy Gate β BM25+V β Lock Mgr β
β Audit Ledger β Sigmap β Factory Modeβ
ββββββββββββββββββββββββββββββββββββββββββββββββ
β TCP :42069 β MCP :42070 β HTTP :42071
The Security Kernel is the core of R-AI-OS. It enforces a zero-trust model for all agent tool calls: every action is policy-gated, logged, and auditable. All 4 phases are implemented and tested.
src/security/
βββ sandbox.rs # Phase 1 β Filesystem Jail (canonicalize + boundary)
βββ policy.rs # Phase 2 β Policy Manager (TOML allow/deny/confirm)
βββ verify_chain.rs # Phase 3 β Audit Chain (SHA-256 hash-chained SQLite)
βββ egress.rs # Phase 4 β Egress Filter (domain allowlist, fail-closed)
Prevents agents from reading or writing outside their designated workspace boundary. Uses path canonicalization to defeat traversal attacks.
# raios-policy.toml
[sandbox]
enabled = true
workspace_root = "/home/user/projects/my-app"Every MCP tool call passes through a policy gate before execution. Rules are defined in raios-policy.toml and evaluated in order. Fail-closed by design: confirm rules in headless mode deny without an interactive prompt.
[tools]
default = "allow"
[[tools.rules]]
tool = "bash"
action = "confirm" # requires human approval
[[tools.rules]]
tool = "write_file"
path_glob = "/etc/**"
action = "deny"Every allow/deny decision is written to a tamper-evident, SHA-256 hash-chained SQLite ledger. Each entry links to the previous entry's hash β any tampering is immediately detectable.
raios verify-chain # verify full chain integrity
raios verify-chain -n 50 # show last 50 entries then verifyDomain-level allowlist/blocklist for HTTP/HTTPS calls made via MCP tools. Fail-closed: unrecognized domains are denied unless explicitly allowed.
[egress]
mode = "allowlist"
allowed = ["api.anthropic.com", "api.openai.com", "*.github.com"]Automatically masks sensitive values (API keys, GCP secrets, PII patterns) before they appear in logs or telemetry. Built on regex with 20+ detection patterns.
All HTTP API calls require a Bearer token stored in the OS config directory under raios/.session_token (SHA-256, 8h TTL). The Host header is additionally validated to block DNS rebinding attacks.
All three protocols share one event bus and one security kernel:
| Protocol | Port | Purpose |
|---|---|---|
Daemon TCP |
:42069 |
IPC between CLI and background daemon β UUID token auth, mandatory handshake |
MCP-over-TCP |
:42070 |
Agent tool calls β policy-gated, every call logged to audit ledger |
HTTP / WebSocket |
:42071 |
VS Code extension + external integrations β Bearer auth + Host validation |
| Method | Path | Description |
|---|---|---|
GET |
/api/health |
Daemon health + active agent count |
GET |
/api/projects |
All tracked projects from DaemonState |
GET |
/api/tasks |
Tasks from SQLite (grouped by project) |
GET |
/api/usage |
Local usage/quota signals for Codex, Claude, Gemini, Antigravity |
GET |
/api/plans |
Plans from docs/superpowers/plans/*.md with checkbox progress |
GET |
/api/git-status?path=<dir> |
Git branch + dirty/staged/modified/untracked for a workspace |
GET |
/api/swarm |
Active (non-terminal) swarm tasks |
POST |
/api/approve |
Approve a swarm task (merge branch) or pending diff (write file) |
GET |
/api/stream |
WebSocket β real-time kernel event stream |
- Sigmap: Up to 97% token reduction via high-density signature mapping (
SIGMAP.md) - BM25 persistence: Index survives restarts via mtime-based invalidation
- Vector store: Binary SQLite BLOBs β transaction-safe, no JSON drift
- Session memory: Per-agent
memory.mdauto-append
Maps natural-language task descriptions to the right specialist using local BM25 + vector hybrid indexing. Bridges Maestro (39 agents) and ECC (48 agents) ecosystems natively.
Parallel worktree-based agent execution with coordination primitives:
- SwarmStore: SQLite-backed task registry. States:
Initializing β Running β AwaitingReview β Merged / Rejected / Failed - Lock Manager: File and task-level locks with priority levels (User > Agent > Automation)
- Radar Whispers: Real-time context hints pushed to all connected agents
- Factory Mode: Submit heavy jobs async; completion fires broadcast + optional webhook
- Neural Search: Semantic search across 140+ projects with BM25 + embeddings
- Health Scanner: Background scan for
memory.mdcompliance, security leaks, git drift - GitHub Sync: Live star counts and last-commit timestamps
- Auto-Discovery: Detects new workspace directories and updates
entities.json
R-AI-OS ships a native VS Code extension that turns the IDE into a Hybrid UI β the control panel for your agent swarm directly in your sidebar.
vscode-extension/
βββ src/
β βββ extension.ts # Activation + provider wiring
β βββ ipc/
β β βββ DaemonClient.ts # TCP :42069 connection
β β βββ TokenBridge.ts # Session token proxy (XSS-safe)
β β βββ DaemonManager.ts # Auto-spawn aiosd, poll token file
β βββ providers/
β βββ SidebarProvider.ts # Main WebviewView control panel
β βββ StatusBarProvider.ts # Live daemon indicator
β βββ DiagnosticProvider.ts # File-save security scan
β βββ RefactorProvider.ts # Refactor surface analysis
β βββ DiffInboxProvider.ts # Pending diff approvals
| Card | Source | Features |
|---|---|---|
| Git Status | /api/git-status |
Branch name, dirty/clean badge, staged/modified/untracked counts |
| Plans | /api/plans |
Live progress bars per plan file, status chips |
| Tasks | /api/tasks |
Grouped by project, inline completion indicators |
| Swarm | /api/swarm |
Active agent tasks, status dots, inline Approve button for awaiting_review |
| Quick Actions | Extension host | cargo build and cargo test via VS Code terminal |
- TokenBridge proxy: The session token never enters the Webview context β all API calls go through the extension host. XSS in the webview cannot exfiltrate the token.
- Auto-spawn:
DaemonManagerstartsaiosdautomatically if the socket isn't listening. Polls the token file and triggers sidebar refresh when ready. - Host validation: All HTTP calls include the
Host: localhostheader, enforced by the Axum auth middleware.
# From packaged VSIX
code --install-extension vscode-extension/raios-0.5.1.vsix
# Or build from source
cd vscode-extension && npm run compile && vsce package
code --install-extension raios-*.vsixKeyboard shortcuts:
| Action | Windows / Linux | macOS |
|---|---|---|
| Security Scan | Ctrl+Shift+R S |
Cmd+Shift+R S |
| Health Check | Ctrl+Shift+R H |
Cmd+Shift+R H |
| Scan Current File | Ctrl+Shift+R F |
Cmd+Shift+R F |
git clone https://github.com/alazndy/R-AI-OS.git
cd R-AI-OS
cargo install --path . --forceStart the daemon (powers the TUI, MCP server, and HTTP API):
aiosdTune background load in ~/.config/raios/config.toml when needed, especially on Windows:
[daemon]
startup_bm25_indexing = true
startup_cortex_indexing = false
enable_health_worker = true
health_interval_secs = 900
git_interval_secs = 300
enable_sentinel_worker = false
sentinel_interval_secs = 300
enable_port_monitor = true
port_monitor_interval_secs = 30
port_probe_timeout_ms = 75Windows defaults are now intentionally calmer: no eager Cortex indexing, no periodic Sentinel compile loop, slower health/git/port polling.
Launch the TUI:
raiosBootstrap your AI factory (replicates 90+ agents and 180+ skills):
raios bootstrap| Command | Description |
|---|---|
raios health |
Portfolio health dashboard β scans all projects |
raios health <project> |
Single-project health scan |
raios usage |
Show local usage/quota signals across AI tools |
raios search "<query>" |
Semantic search across portfolio |
raios new "ProjectName" |
Scaffold a new project (follows MASTER rules) |
raios task "<description>" |
Route task to best agent |
raios bootstrap |
Replicate AI factory on a new machine |
| Command | Description |
|---|---|
raios verify-chain |
Verify audit log hash-chain integrity |
raios verify-chain -n <N> |
Show last N entries then verify |
raios security |
OWASP security scan |
| Command | Description |
|---|---|
raios swarm start |
Start a parallel agent worktree |
raios swarm list |
List active swarm tasks |
raios swarm approve <id> |
Approve a pending swarm diff (merge branch) |
| Command | Description |
|---|---|
raios git status |
Git status across portfolio |
raios git log |
Recent commits |
raios git commit |
Intelligent bulk commit |
| Command | Description |
|---|---|
raios build |
Build current project |
raios test |
Run test suite |
raios deps |
Dependency audit |
raios env |
Environment variable scan |
raios usage intentionally separates exact quota data from local auth metadata. If a provider does not expose remaining/reset counters locally, R-AI-OS prints unknown instead of guessing.
src/
βββ bin/
β βββ raios.rs # CLI entrypoint
β βββ aiosd.rs # Daemon entrypoint
βββ app/
β βββ events/ # Event handling (actions, keyboard, commands)
β βββ keyboard/ # Keyboard module (6 sub-modules)
βββ cli/ # CLI command implementations
βββ core/
β βββ build/ # Build logic (language-specific, 10 sub-modules)
β βββ deps/ # Dependency management (10 sub-modules)
βββ cortex/ # Vector store, BM25 index, session memory
βββ daemon/ # aiosd background daemon
βββ intelligence/ # Agent routing, instinct engine, RBJ
βββ mcp/ # MCP server β policy-gated tool call handler
βββ search/ # Neural search (BM25 + vector hybrid)
βββ security/ # Security Kernel (sandbox, policy, chain, egress)
βββ sentinel/ # Redaction engine, Sentry integration
βββ server/ # HTTP/WebSocket server (Axum, :42071)
βββ swarm/ # Parallel worktree agent management + SQLite store
βββ ui/
βββ panels/ # TUI panels (13 modules β dashboard, security, etc.)
vscode-extension/
βββ src/
β βββ extension.ts # Extension activation
β βββ ipc/ # DaemonClient, TokenBridge, DaemonManager
β βββ providers/ # Sidebar, StatusBar, Diagnostics, Refactor, Diffs
β βββ commands/ # CommandBridge
β βββ bridge/ # JumpToCode
βββ icon.svg # Master logo (512Γ512, source of truth)
βββ icon.png # Extension marketplace icon (512Γ512)
βββ icon128.png # Extension sidebar icon (128Γ128)
- Phase 1β7: Core TUI, workspace mapping, health dashboard, BM25 search
- Phase 8: Universal Kernel β Tri-protocol, Lock Manager, Radar Whispers, Factory Mode
- Phase 9: Refactor & Modularization β all large files split into focused modules
- Phase 10: Hardened Kernel Alpha β Sentry, Redaction Engine, Audit Ledger
- Phase 10B: Security Kernel (Phases 1β4) β Sandbox + Policy + Audit Chain + Egress
- Phase IDE: VS Code Extension β Sidebar WebView + TokenBridge + DaemonManager + Refactor Tree
- Phase IDE v0.5: Sidebar v2 β Git Status card, Swarm card with Approve, Quick Actions
- Phase 11: Tool Pinning & Drift Detection β SHA-256 manifest pin,
-32028on mismatch,raios pin-reset / pin-status - Phase 12: Secret Leasing β
raios secret grant <tool> <ENV_VAR>with TTL-based auto-revoke - Phase 13: Rate Limiting β Fixed-window counter per tool,
-32029on exceed,raios rate-status - Phase 14: Quarantine Mode β Pattern-matched quarantine queue,
-32027on block,raios quarantine list/approve/deny - Phase 15: Write-Back Bridge β Sidebar Kanban β
memory.mdtask state sync
R-AI-OS is the bridge between human creativity and autonomous execution.