astrid: a capability-secure OS for composable AI agent software using WASM sandboxing
astrid: a capability-secure OS for composable AI agent software using WASM sandboxing
What it solves
Astrid provides a secure, portable runtime for AI agents. It addresses the security risk of running untrusted agent code on a local machine by replacing prompt-based trust with an OS-grade security boundary. It ensures that agents cannot access files, networks, or credentials unless explicitly granted permission through a cryptographic capability model.
How it works
Astrid operates as a "dumb" kernel that manages a set of isolated WebAssembly (WASM) components called capsules. These capsules contain the logic for providers, tools, and orchestrators.
- Isolation: Capsules run in a Wasmtime sandbox with no ambient authority (no direct syscalls or file access).
- Communication: Capsules communicate via an event bus using an IPC protocol. The kernel enforces a capability-based Access Control List (ACL) to route these events.
- Capability Model: Access to resources (files, network hosts) is managed via signed ed25519 grants that are principal-bound and revocable.
- Uplinks: Frontends like the CLI or HTTP gateway connect to the kernel as "uplinks" to send and receive events.
Who it’s for
It is designed for developers building composable AI agent software who need strict security guarantees, per-principal isolation, and the way to hot-load and update tools without restarting the system.
Highlights
- Cryptographic Capabilities: Every resource access requires a signed grant, preventing unauthorized access even if a capsule is compromised.
- WASM Sandboxing: Uses the WebAssembly component model to ensure code is isolated from the host system.
- Per-Principal Isolation: Each agent identity has its own isolated secrets, home directory, and audit chain.
- Hot-Loading: Capsules can be installed, upgraded, or removed from a running daemon without requiring a restart.
- Signed Audit Chain: Maintains a hash-linked, signed log of all decisions and calls for independent verification.
Sources
- undefinedastrid-runtime/astrid