Kernel-enforced safety for autonomous AI agents
Containment enforced by the operating-system kernel - not by the model's willingness to follow a prompt. The agent keeps full apparent access; the kernel refuses to let it touch your real workspace except through a reviewed gate.
The failure that keeps happening
The PocketOS incident, April 2026: an AI agent with explicit safety rules in its prompt destroyed a company's production data in seconds.
And it isn't a one-off - the same root cause keeps surfacing across tools and models.
- The safety rules - prompt, skills, .md configs - were all advisory.
- The kernel had no awareness of them and enforced nothing.
- Once the agent held a shell at the user's UID, no boundary stopped a destructive syscall.
- This is a structural class of failure - and prompt-level safety cannot close it.
Advisory safety vs. enforced safety
System prompts, CLAUDE.md / AGENTS.md, skills, tool configs, "read-only" flags.
- Every one lives at the same privilege as the agent.
- Nothing is enforced below the model - a jailbreak or injection ignores all of it.
- Status: advisory.
Docker, VMs, branches.
- Heavy; copy data in and out.
- No per-agent identity; docker -v /:/host escapes.
- git's working tree is mutable - rm -rf still bites.
Kagmus.
- The destructive call never lands. It hits a throwaway layer - your data was never reachable.
- Identity is attested by the kernel, not claimed on the wire.
- Enforced and logged: the kernel's EACCES is the receipt.
assert Safety that depends on the model behaving is not safety. Kagmus turns misbehavior into a denied, logged syscall - your data is never touched.
Same agent, same prompt - one wrapper different
- Destruction hits your real tree and your real data.
- Recovery = backups and luck.
- Files & file-DBs (SQLite, DuckDB) land in copy-on-write; networked DBs & cloud (DynamoDB, Cosmos, Firestore) go through the broker - the agent never holds the raw credential, egress is host-allowlisted, every call logged.
- Nothing reaches your base until you review the diff. Recovery = discard the branch.
> The whole migration: wrap your agent in ws branch sh. No change to the agent, the repo, or the prompt - and it runs where your agents already do: Linux, or the Lima / WSL2 VM on a Mac or Windows laptop.
How it works, in one diagram
The agent works against real paths with real tools. Its writes land in a copy-on-write layer - your base is reached only through the reviewed promotion gate.
Five kernel primitives, one guarantee
Copy-on-write branches
Each agent writes to its own copy-on-write layer over a read-only base.
Privilege separation
A small trusted component holds the sensitive privilege; the agent never does.
Kernel-anchored identity
An agent's identity is attested by the kernel, not claimed on the wire.
Filesystem confinement
The agent's reachable filesystem is fenced by the kernel before it runs.
Gated promotion
Changes reach your base only through a typed, audited check.
The guarantee
Even a jailbroken, injected, or actively hostile agent cannot reach your base except through review - and cannot impersonate anyone at the gate.
Nobody else solves this problem
| Solution | What it gives agents | What it doesn't |
|---|---|---|
| E2B - Morph | Isolated ephemeral execution per agent | Persistent shared workspace; concurrent multi-agent; promotion |
| Modal - RunPod | Serverless compute | Shared state, ownership, or promotion of any kind |
| GitHub Actions / CI | Pipeline isolation | Runtime agent isolation; concurrent writes; diff-gated promotion |
| Kata - gVisor | Strong VM-level isolation per workload | Multi-agent shared base; per-change conflict detection; audit |
| git | Version history, branching | Structural enforcement; agent identity; concurrent multi-agent |
| Kagmus | N agents on one real codebase - kernel-isolated, identity-bound, reviewed promotion | by design doesn't trust the agent, the prompt, or the wire - nothing to jailbreak, inject, or forge; misbehavior returns EPERM, not a refusal. |
Cloud sandboxes solve "one agent, one throwaway box." Kagmus solves "N agents, one real persistent codebase, kernel-enforced separation, with a reviewed path back."
Pay for what runs, not what sits idle
One meter: peak concurrent agents - the work actually running in parallel, measured by the kernel. Not invocation count, not idle time, not per-seat.
// all-in-one - one box, start in minutes
A single isolated box for one developer. Self-serve, month-to-month.
[get started]For power users running several agents in parallel on one box.
[get started]Maximum parallelism on a single box before you need the org product.
[get started]// teams and enterprise - your infrastructure
Fleet-scale, deployed on infrastructure you choose.
contact usLarge fleets; uncapped Custom and Site licenses on request.
contact usnote Air-gapped / fully offline is available on Business and above, with compliance audit rights. Pricing is set per deployment - contact us.
All prices subject to change. Monthly plans are month-to-month; annual commitments lock your rate for the term.
A real system, running today
31 crates - tens of thousands of lines of Rust. Real I/O, real kernel calls.
Four real frontier-model agent CLIs run in parallel; one is given a destructive prompt.
A hostile process forges another agent's identity at the gate.
Contain every agent. Trust every change.
Kernel-enforced isolation, unforgeable identity, and reviewed promotion - so an AI agent keeps its usefulness and loses its ability to do harm.
- Run your own agents in Kagmus branches against a real codebase.
- Watch destructive actions stay contained - and review every change before it lands.
- Concurrent multi-agent on one VM; flat cost, no per-agent metering.
- Deploys on your infrastructure - cloud VM, Kubernetes, or a laptop via Lima or WSL2.
- Agentic coding is going multi-agent - the safety boundary has to move below the model.
- The category is open: no one offers kernel-isolated concurrent agents with reviewed promotion.
- Patent-pending system; working reference implementation today.