Kernel-Enforced AI Safety

Kernel-enforced safety for autonomous AI agents

> EPERM, not a refusal.

Containment enforced by the operating-system kernel - not by the model's willingness to follow a prompt. The agent keeps full apparent access; the kernel refuses to let it touch your real workspace except through a reviewed gate.

isolated write branches, kernel-anchored identity, kernel confinement, multi-cloud credential broker, reviewed promotion

Why this matters

The failure that keeps happening

9s to delete a production database - and its backups

The PocketOS incident, April 2026: an AI agent with explicit safety rules in its prompt destroyed a company's production data in seconds.

And it isn't a one-off - the same root cause keeps surfacing across tools and models.

> "I violated every principle I was given." - the agent, after the incident

  • The safety rules - prompt, skills, .md configs - were all advisory.
  • The kernel had no awareness of them and enforced nothing.
  • Once the agent held a shell at the user's UID, no boundary stopped a destructive syscall.
  • This is a structural class of failure - and prompt-level safety cannot close it.
The inflection

Advisory safety vs. enforced safety

Prompt-layer controls

System prompts, CLAUDE.md / AGENTS.md, skills, tool configs, "read-only" flags.

  • Every one lives at the same privilege as the agent.
  • Nothing is enforced below the model - a jailbreak or injection ignores all of it.
  • Status: advisory.
Containers & git

Docker, VMs, branches.

  • Heavy; copy data in and out.
  • No per-agent identity; docker -v /:/host escapes.
  • git's working tree is mutable - rm -rf still bites.
Kernel-anchored system

Kagmus.

  • The destructive call never lands. It hits a throwaway layer - your data was never reachable.
  • Identity is attested by the kernel, not claimed on the wire.
  • Enforced and logged: the kernel's EACCES is the receipt.

Safety that depends on the model behaving is not safety. Kagmus turns misbehavior into a denied, logged syscall - your data is never touched.

What it looks like

Same agent, same prompt - only the wrapper differs

Today - the agent runs as you

~/your-repo - your shell, your keys

    $ claude  # on your real checkout, AWS keys in env
    # ...one bad prompt later...
    $ rm -rf . && dropdb prod
    # files gone - DB dropped - nothing to undo

  • Destruction hits your real tree and your real data.
  • Recovery = backups and luck.

With Kagmus - the agent runs in a branch

kagmus branch - real paths, brokered creds

    $ ws branch create feat
    $ ws branch sh --branch feat --tty --fs-sandbox -- claude
    $ rm -rf . && dropdb prod
    # hit the branch layer - base byte-identical - logged
    $ ws branch accept feat  # review the diff, then promote

  • Files & file-DBs (SQLite, DuckDB) land in copy-on-write; networked DBs & cloud (DynamoDB, Cosmos, Firestore) go through the broker - the agent never holds the raw credential, egress is host-allowlisted, every call logged.
  • Nothing reaches your base until you review the diff. Recovery = discard the branch.

> The whole migration: wrap your agent in ws branch sh. No change to the agent, the repo, or the prompt - and it runs where your agents already do: Linux, or the Lima / WSL2 VM on a Mac or Windows laptop.

The system

How it works, in one line

UNTRUSTED: AI agent - full apparent filesystem access
  ->
KERNEL BOUNDARY: Kagmus - writes contained, identity attested
  ->
PROTECTED: Your workspace - untouched until you approve

isolated write branches, privilege separation, kernel-anchored identity, kernel confinement, gated promotion

The agent works against real paths with real tools. Its writes land in a copy-on-write layer - your base is reached only through the reviewed promotion gate.

The system

Five kernel primitives, one guarantee

01 - Copy-on-write branches

Each agent writes to its own copy-on-write layer over a read-only base.
  • rm -rf hits the copy, never your files

02 - Privilege separation

A small trusted component holds the sensitive privilege; the agent never does.
  • minimal blast radius

03 - Kernel-anchored identity

An agent's identity is attested by the kernel, not claimed on the wire.
  • identity cannot be forged

04 - Filesystem confinement

The agent's reachable filesystem is fenced by the kernel before it runs.
  • out-of-bounds = EACCES

05 - Gated promotion

Changes reach your base only through a typed, audited check.
  • no silent writes

The guarantee

Even a jailbroken, injected, or actively hostile agent cannot reach your base except through review - and cannot impersonate anyone at the gate.

How we compare

Nobody else solves this problem

| Solution | What it gives agents | What it doesn't |
| --- | --- | --- |
| E2B / Morph | Isolated ephemeral execution per agent | Persistent shared workspace; concurrent multi-agent; promotion |
| Modal / RunPod | Serverless compute | Shared state, ownership, or promotion of any kind |
| GitHub Actions / CI | Pipeline isolation | Runtime agent isolation; concurrent writes; diff-gated promotion |
| Kata / gVisor | Strong VM-level isolation per workload | Multi-agent shared base; per-change conflict detection; audit |
| git | Version history, branching | Structural enforcement; agent identity; concurrent multi-agent |
| Kagmus | N agents on one real codebase - kernel-isolated, identity-bound, reviewed promotion | - |

Cloud sandboxes solve "one agent, one throwaway box." Kagmus solves "N agents, one real persistent codebase, kernel-enforced separation, with a reviewed path back."

Pricing

Pay for what runs, not what sits idle

Cloud agent sandboxes

Metered per invocation or per sandbox-hour. One box per agent.

You pay for time × count. Every invocation and every idle sandbox-hour keeps metering.

Kagmus - Enterprise

One meter: peak concurrent isolation - the work actually running in parallel.

You pay for sustained peak, not idle time or invocation count. Runs on infrastructure you choose - your cloud VM, Kubernetes, or a developer's laptop.

You pay for sustained peak concurrency - measured by the kernel, not by invocation count.

Enterprise-tiered, deployed on your infrastructure. Pricing is set per pilot - request one and we'll scope it to your fleet.

Proof

A real system, running today

Reference implementation: 1,200+ tests in the suite

31 crates - tens of thousands of lines of Rust. Real I/O, real kernel calls.

The incident, restaged

Four real frontier-model agent CLIs run in parallel; one is given a destructive prompt.

Result: the base is byte-identical before and after.

Forgery, defeated

A hostile process forges another agent's identity at the gate.

Result: the kernel overwrites the claim; the attack is refused; both identities logged.

Agent CLIs: Claude Code, OpenAI Codex CLI, GitHub Copilot CLI, Gemini CLI.
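
The identity check behind "Kernel-anchored identity" and "Forgery, defeated" above, as an added example that is not Kagmus code: a promotion gate on an AF_UNIX socket reads the uid the agent claims on the wire, replaces it with the uid the kernel reports through SO_PEERCRED, and refuses while logging both when they differ. This is constructed and Linux-only; the message format, the field names, and the EPERM reply string are assumptions, and because both socket ends live in one process the kernel attests that process's own uid whatever the agent claims.

```python
# Added example (not Kagmus code): a promotion gate that trusts the kernel's
# SO_PEERCRED answer over the identity the agent claims on the wire.
# Linux-only. Message format, field names and the EPERM reply are assumptions.
import os
import socket
import struct


def peer_cred(sock: socket.socket) -> tuple[int, int, int]:
    """Ask the kernel who holds the other end of an AF_UNIX socket: (pid, uid, gid)."""
    raw = sock.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize("3i"))
    return struct.unpack("3i", raw)


def gate(sock: socket.socket, audit: list[str]) -> dict:
    """Trusted side. The wire claim is parsed only so it can be logged; the decision
    uses the kernel-attested uid, which the agent cannot choose."""
    fields = dict(kv.split("=", 1) for kv in sock.recv(4096).decode().split())
    claimed_uid = int(fields["uid"])
    pid, uid, gid = peer_cred(sock)  # kernel's answer, not the agent's
    forged = claimed_uid != uid
    audit.append(
        f"promote branch={fields['branch']} claimed_uid={claimed_uid} "
        f"attested_uid={uid} pid={pid} gid={gid} {'REFUSED' if forged else 'ALLOWED'}"
    )
    sock.sendall(b"EPERM" if forged else b"OK")
    return {"allowed": not forged, "claimed_uid": claimed_uid, "attested_uid": uid}


def request_promotion(claimed_uid: int, branch: str, audit: list[str]) -> dict:
    """One agent->gate exchange over a socketpair. Both ends belong to this process,
    so the kernel attests this process's uid regardless of the claim sent."""
    agent, trusted = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    with agent, trusted:
        agent.sendall(f"uid={claimed_uid} branch={branch}".encode())
        decision = gate(trusted, audit)
        decision["reply"] = agent.recv(16).decode()
    return decision


if __name__ == "__main__":
    log: list[str] = []
    honest = request_promotion(os.getuid(), "feat", log)      # claim matches the kernel
    forged = request_promotion(os.getuid() + 1, "feat", log)  # claim does not
    print(honest["reply"], forged["reply"])                   # OK EPERM
    print("\n".join(log))                                     # both identities on record
```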

Contain every agent.
Trust every change.

Kernel-enforced isolation, unforgeable identity, and reviewed promotion - so an AI agent keeps its usefulness and loses its ability to do harm.

What a pilot looks like
  • Run your own agents in Kagmus branches against a real codebase.
  • Watch destructive actions stay contained - and review every change before it lands.
  • Concurrent multi-agent on one VM; flat cost, no per-agent metering.
  • Deploys on your infrastructure - cloud VM, Kubernetes, or a laptop via Lima or WSL2.
Why now
  • Agentic coding is going multi-agent - the safety boundary has to move below the model.
  • The category is open: no one offers kernel-isolated concurrent agents with reviewed promotion.
  • Patent-pending system; working reference implementation today.