Hardened runtime + orchestrator for Agents

AIDO

Secure runtime & MCP Orchestrator.

Two pieces, one harness. aido-runtime executes typed actions under policy. aido-orchestrator is the agent loop & MCP gateway. One plug, full sandbox surface.

propose → simulate → execute, never raw shell.

$ curl -fsSL https://x0ne.co/aido/install.sh | sh
— or build from source —
$ git clone https://github.com/x0ne-labs/aido-runtime && cd aido-runtime && make install
primitives: Parse → Policy → Execute → Result
What happens when your agent acts (AIDO RUNTIME)

[Interactive demo: pick a scenario to compare the two execution paths side by side: Without AIDO RUNTIME (shell) vs. With AIDO RUNTIME (precision).]
What happens when your agent acts (AIDO ORCHESTRATOR)

The 14 native tools the orchestrator adds on top of the runtime — plan ledger, pre-execution simulate, persistent goals.

[Interactive demo: pick a scenario to compare Without AIDO ORCHESTRATOR (shell) vs. With AIDO ORCHESTRATOR (agent loop).]
Why

Shell is broken

Agents execute raw bash.
Mistakes, hallucinations, dataset poisoning can be dangerous.

The harness is the product

SWE-Bench Pro shows a 22-point swing between the same model with a basic scaffold vs. an optimized harness.

The model will be commodity.
The harness determines success.

Security by design

Default deny. Directory whitelists. Command whitelists. Deny patterns. Path traversal prevention. Confirmation mode. Snapshots before every mutation.

Every action is matched against policy rules before execution. rm -rf /, exfiltration, privilege escalation — blocked by pattern, not by luck.

Not bolted on. Built in.

Capabilities
Primitive catalog

Every box below is a typed action. The LLM emits one as JSON ({"type":"…"}) and the runtime executes it under policy. Composite actions (Pipeline, Try, If) chain N primitives in a single round-trip. Custom DefinePrimitive lets the LLM build its own reusable composites at runtime. The last category — MCP gateway primitives — only appears when the client plugs aido-orchestrator --mcp as the gateway (vs. plugging aido-runtime directly).

Four ideas worth a name
— mental model · 01
Time travel
Pin a frozen workspace state, mutate freely, roll back in one call. O(1) reflink on btrfs / APFS / zfs — restore is a pointer swap regardless of repo size, typically under 200 ms. Every restore returns files_restored + files_failed. No undo guesswork.
CreateSnapshot · RestoreSnapshot · Try · SafeChange
— mental model · 02
Pre-execution preview
Route a multi-step plan through the policy engine without committing a byte. Returns per-step allow/deny/confirm verdicts plus the full side-effect inventory: paths read, paths written, commands invoked. Compose with aido_plan for the full propose → simulate → review → execute safety loop.
aido_simulate · aido_plan · aido_plan_execute · PolicyCheck
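An added example, not AIDO's own code, of the two ideas above together: typed JSON actions checked under a default-deny policy (directory whitelists, command allowlist, deny patterns, path traversal prevention, confirm-on-write), and a dry run that returns per-step allow/deny/confirm verdicts plus the side-effect inventory. The policy fields, the primitive names ReadFile, WriteFile, DeleteFile and Exec, and the sample plan are all constructed for illustration and do not follow AIDO's real TOML schema or tool arguments.

```python
import json
import posixpath
import re

# Constructed toy policy modelled on the page's description (default deny, whitelists, deny patterns); not AIDO's schema.
POLICY = {
    "read_dirs": ["/work/repo"],
    "write_dirs": ["/work/repo/src"],
    "commands": {"cargo", "git", "rm"},
    "deny_patterns": [r"rm\s+-rf\s+/(\s|$)", r"\bsudo\b"],
}

def inside(path, roots):
    """Whitelist check after normalising '..' so a path cannot walk out of a root."""
    p = posixpath.normpath(path)
    return p.startswith("/") and any(p == r or p.startswith(r + "/") for r in roots)

def check(action):
    """Verdict ('allow' | 'confirm' | 'deny') plus side effects for one typed action."""
    t, eff = action.get("type"), {"read": [], "write": [], "exec": []}
    if t == "ReadFile":
        eff["read"].append(action["path"])
        return ("allow" if inside(action["path"], POLICY["read_dirs"]) else "deny"), eff
    if t in ("WriteFile", "DeleteFile"):  # mutations inside the whitelist still need confirmation
        eff["write"].append(action["path"])
        return ("confirm" if inside(action["path"], POLICY["write_dirs"]) else "deny"), eff
    if t == "Exec":
        cmd = " ".join(action["argv"])
        eff["exec"].append(cmd)
        hit = any(re.search(p, cmd) for p in POLICY["deny_patterns"])
        return ("allow" if action["argv"][0] in POLICY["commands"] and not hit else "deny"), eff
    return "deny", eff  # unknown primitive: default deny

def simulate(plan_json):
    """Dry-run a plan: per-step verdicts plus the aggregated side-effect inventory."""
    verdicts, inventory = [], {"read": [], "write": [], "exec": []}
    for step in json.loads(plan_json):
        verdict, eff = check(step)
        verdicts.append(verdict)
        for k in inventory:
            inventory[k].extend(eff[k])
    return verdicts, inventory

# Constructed sample plan: step 2 tries to traverse out of the writable dir, step 5 trips a deny pattern.
PLAN = json.dumps([{"type": "ReadFile", "path": "/work/repo/Cargo.toml"},
                   {"type": "WriteFile", "path": "/work/repo/src/../../etc/passwd"},
                   {"type": "WriteFile", "path": "/work/repo/src/main.rs"},
                   {"type": "Exec", "argv": ["cargo", "test"]},
                   {"type": "Exec", "argv": ["rm", "-rf", "/"]}])
```

Running simulate(PLAN) returns the verdict list and the inventory of every path and command the plan would touch, including the denied steps, so a reviewer sees the full blast radius before anything executes.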
— mental model · 03
Persistent intent
Set a goal once, work toward it across sessions, agents, and host tools. State lives at ~/.aido/goals/ — Claude Code on Tuesday, Codex on Thursday, both see the same active goal with step count, budget, and optional auto-check. Codex got a /goal; AIDO makes it portable.
aido_goal_set · aido_goal_step · aido_goal_status · aido_goal_clear
— mental model · 04
Parallel worlds
Fork the agent into N isolated worlds — each gets its own conversation, token budget, and runtime. Run them in parallel, broadcast a message, wait, collect frozen receipts. The parent context stays clean while the swarm explores.
SpawnWorld · WaitAgent · BroadcastAgents · ListAgents
Latest — Apr 2026
How AIDO compares — technically
MCP — works with any client
Claude Desktop: ~/.config/Claude/claude_desktop_config.json
Claude Code: .mcp.json (project) or ~/.claude/settings.json
Cursor: .cursor/mcp.json or global MCP settings
Continue.dev: ~/.continue/config.json → mcpServers
Cline / Zed / Windsurf: MCP settings or context_servers
Any MCP client: stdio / JSON-RPC 2.0 over MCP 2024-11-05

Two ways to plug AIDO. Same wire format, different surface.

① Runtime direct — the typed-action surface only. ~125 tools (filesystem, exec, git, math, snapshots, desktop, …). Simplest path.

{ "mcpServers": { "aido": { "command": "aido-runtime", "args": ["--mode", "mcp"] } } }

② Orchestrator gateway — adds 5 native sysaicalls (aido_plan, aido_simulate, aido_plan_execute, aido_list_agents, aido_orchestrator_info) and proxies the runtime surface beneath. The propose → simulate → execute safety loop, plus optional sandbox isolation via --downstream-prefix.

{ "mcpServers": { "aido": { "command": "aido-orchestrator", "args": [ "--mcp", "--downstream-runtime", "aido-runtime" ] } } }

③ Gateway + Incus sandbox — same gateway, but the runtime spawns inside an Incus container. Same MCP surface to the LLM client; full kernel-level isolation underneath. Works with Podman / SSH / any process-launcher via --downstream-prefix.

{ "mcpServers": { "aido": { "command": "aido-orchestrator", "args": [ "--mcp", "--downstream-prefix", "incus exec aido-sandbox --", "--downstream-runtime", "/opt/aido-runtime", "--downstream-config", "/etc/aido/runtime.toml" ] } } }

Tip: pair option ② or ③ with a hardened read-only TOML (e.g. aido-runtime-mcp-readonly.toml in the repo) and the LLM gets a sandbox-isolated, policy-checked execution surface from a single MCP plug.

For teams

Your agents act on real systems.
AIDO makes that safe.

If your team uses Cursor, Claude Code, or MCP tools in production workflows, agent actions hit your infrastructure without guardrails.

AIDO sits between the model and your systems — adding policy enforcement, human approvals, and a full audit trail to every action.

We run a 2-week pilot with your team to integrate AIDO into your existing stack. No commitment, no vendor lock-in — it's open source.

Policy engine — default deny, path whitelists, command allowlists. Every action checked before execution.
Human-in-the-loop — granular approval gates per action, per scope, per risk level. Auto-approve safe reads, confirm writes.
Audit trail — every action logged with structured traces. Who did what, when, and what the policy decided.
MCP-native — drop-in for Cursor, Claude Desktop, Continue, Zed, Windsurf. One config line.
Open source — Apache 2.0. Single Rust binary. Runs on your infra, air-gapped if needed.