astrid: a modular OS for AI agents that enforces security through WASM sandboxing and cryptographic capabilities

astrid: a modular OS for AI agents that enforces security through WASM sandboxing and cryptographic capabilities

What it solves

Agent frameworks often rely on prompts to ensure security, which is insufficient when agents have access to sensitive files, networks, and credentials. Unicity Astrid OS replaces prompt-based trust with a runtime-enforced security boundary, treating AI agents like isolated processes in an operating system to prevent jailbreaks, poisoned tools, or bugs from accessing unauthorized resources.

How it works

Astrid uses a small, "dumb" kernel that manages an event bus and enforces capabilities without holding any business logic or model state. AI capabilities (models, memory, tools) are implemented as sealed WebAssembly (WASM) "capsules" that run in a sandbox with no ambient authority.

Communication happens via IPC events over a bus, and every external action (file access, network calls) must be a capability-checked host call. The system employs a multi-layered security approach including cryptographic capability tokens (ed25519), WASM sandboxing, manifest-based allow-lists, and a signed, hash-linked audit chain to ensure all actions are verifiable and isolated.

Who it’s for

Developers building AI agents who require OS-grade security, strict resource isolation between different agent identities (principals), and the ability to hot-swap agent capabilities without restarting the system.

Highlights

  • WASM Capsule Architecture: Modular capabilities packaged as WASM components that can be installed, updated, or removed live.
  • Cryptographic Capability Model: Resource access is governed by signed, scoped, and revocable grants rather than model instructions.
  • Per-Principal Isolation: Complete tenant isolation for identities, including separate secrets, home directories, and audit chains.
  • Hardened Security: Features an SSRF airlock, local-egress consent, and a five-layer security gate to prevent unauthorized host access.

Sources