Kaia is a local-first, zero-trust AI security agent designed to monitor, analyze, and defend Linux systems while treating all LLM output as untrusted input.
Unlike traditional conversational assistants, Kaia is structured as a hardened system administration and security operations layer with strict security invariants, sandboxing containment, and a deterministic policy gate. The objective is to create a guardian-class security platform combining advanced AI reasoning with deterministic authorization, real-time host telemetry, threat intelligence, and human oversight without granting direct, unchecked shell authority to the language model.
Kaia exists to answer a simple question:
Can an AI help defend a Linux system without becoming a security risk itself?
Every structural decision in Kaia's architecture derives from five non-negotiable axioms:
- LLM outputs are completely untrusted. All proposed actions, privileges, and scripts are treated as raw, unverified data streams.
- All actions are schema-validated. A deterministic host process validates structured intents using rigorous Pydantic definitions before evaluation.
- The hostβnot the modelβmakes execution decisions. No LLM is involved in direct execution authorization or environment path matching.
- Security policy and personality are completely decoupled. Permissions and capability boundaries never depend on relationship standing, affinity, or the affective state of the agent.
- Every security boundary fails closed. Any state validation mismatch, IPC disruption, or configuration anomaly halts execution and revokes capability tokens instantly.
Kaia is modeled around its completed architectural state, maintaining stable components alongside active target tracking matrices:
- Policy Gate: Fully implemented. Handles deterministic out-of-process verification over Unix Domain Sockets.
- Intent Validation: Fully implemented. Rigidly enforces Pydantic schemas on incoming JSON payloads.
- Capability Tokens: Fully implemented. Restricts actions dynamically based on signed cryptographic operational permissions.
- Audit Ledger: Fully implemented. Maintains an append-only transaction stream to
security_events.dbandaudit_ledger.json. - Host Telemetry & Observers: Operating via live
fanotifymount-wide monitors and deep eBPF syscall hooks (sys_enter_execve,sys_enter_openat2) to prevent polling latency gaps. - Network Threat Intelligence: Shell-less Layer-2/Layer-3 discovery tracking via native
AF_PACKETsocket interceptors alongside a cache-first, live Shodan InternetDB API synchronization framework.
- File Integrity Monitoring (FIM): Continuous mount-wide event processing via
fanotifybindings with synchronous pre-execution header verification blocks. - Process Observers: Direct eBPF event stream capturing for process lifecycles and real-time execution context derivation.
- Configuration Drift Enforcement: Structural verification of core platform states against established baseline configurations.
- Supply Chain Isolation: Strict namespace tracking over system update hooks and package management transactions.
- Layer-2/Layer-3 Active Mapping: Raw socket processing loops capturing ARP, mDNS, and LLMNR broadcast frames directly from interfaces.
- Unmanaged Device Profiling: Programmatic local area network asset tracking without relying on external wrapped tools or shell utilities.
- Reputation Enrichment: Cache-first, automated lookup cycles utilizing local SQLite stores and live fallback synchronization routines.
- Signature Enforcement: Native compilation and live processing of YARA rules across modified execution targets.
- Internal Honeypots: Low-overhead network tripwires and local configuration honey-tokens designed to isolate internal traversal vectors.
- Telemetry Sanitization: Pre-processing and striping of high-frequency metrics before passing payloads to AI context layers.
- Self Health Monitoring: Independent supervisor daemons verifying the integrity and execution states of core validation processes.
- Tamper Detection: Defensive validation checks looking for runtime interference or alterations within privileged code spaces.
- Fail-Closed Isolation: Native
nftablesruleset flushes dropping all inbound, forward, and outbound packets during an active compromise assertion.
The execution security boundary strictly prevents the model from interacting with the operating system shell directly:
[ User Input / Shell Query ]
β
βΌ
[ Heuristic Intent Classifier ]
β
βΌ
[ LLM Action Plan Planner ]
β
βΌ
[ Structured Intent Payload ]
(JSON: action, args, justification)
β
βΌ
[ Deterministic Policy Gate ] βββ [ Capability Tokens ]
β
βΌ
[ Hardened Host Executor ]
β
ββββββββββββββ΄βββββββββββββ
βΌ βΌ
[ Sandboxed Execution ] [ State Modification ]
(Bubblewrap Sandbox) (Strict Path Validation)
- The user interfaces with the orchestration layer.
- The AI agent proposes an action plan as a structured intent payload.
- The out-of-process, deterministic Policy Gate evaluates the payload against capability tokens and static system constraints.
- The privileged Host Executor consumes the approved schema.
- Target binaries run inside unprivileged Bubblewrap namespaces with isolated filesystems, or apply strict path filters for state changes.
Kaia/
βββ core/
β βββ config.py # Central configuration & base directory logic
β βββ data/ # Data directory for RAG indexing
β βββ personal_context/ # Personal context directory
βββ security/
β βββ policy_gate.py # Deterministic out-of-process validation service
β βββ host_executor.py # Privileged runtime sandboxing and command handler
β βββ telemetry_sanitizer.py # Filters metrics before feeding to the LLM
β βββ db.py # Secure ledger handling
βββ scripts/
β βββ activate_kaia_env.sh # Main setup and daemon activation sequence
βββ tests/
β βββ verify_security.py # Multi-tiered sandbox and lattice constraint tests
β βββ test_heuristics.py # Classifier accuracy validation suite
βββ toolbox/ # System diagnostics utilities
βββ storage/
βββ security_events.db # Append-only security audit ledger
βββ audit_ledger.json # Policy Gate audit ledger
βββ threat_intel/ # Offline threat intelligence databases (SQLite, MMDB, Parquet)
This README.md serves as the absolute, unalterable constitution of the Kaia project. It defines the definitive project goals, non-negotiable security axioms, architectural boundaries, and target capability frameworks.
All detailed design reviews, feature proposals, temporary scratchpads, and execution reports are subordinate to this document. If any conflict arises between implementation artifacts or secondary planning documentation and this constitution, this file takes immediate precedence. Automated coding agents and systems engineers are directed to baseline all development tracking against the criteria defined herein.
sudo pacman -S python python-pip postgresql bubblewrap
sudo systemctl enable --now postgresqlCreate the PostgreSQL database and user:
sudo -u postgres createuser --pwprompt kaiauser
sudo -u postgres createdb -O kaiauser kaiadbAdd credentials to your .env file in the root directory:
export KAIA_DB_USER="kaiauser"
export KAIA_DB_PASS="your_secure_password"
export KAIA_DB_HOST="localhost"
export KAIA_DB_NAME="kaiadb"
export KAIA_CAPABILITY_TOKEN_SECRET="your_signing_secret_key"python -m venv .venv
source .venv/bin/activate
pip install -r requirements.txtConfirm the security boundaries and IPC communications are functioning correctly:
python tests/verify_security.py
python tests/test_heuristics.pyTo enable country annotations on blocked IPs, obtain a free MaxMind license key from https://www.maxmind.com and run:
export MAXMIND_LICENSE_KEY="your_key_here"
./scripts/update_geoip.shWithout this the geo field displays "Unknown" β all other functionality is unaffected.
Initialize all local dependencies (Ollama, Postgres) and launch the CLI session:
./scripts/activate_kaia_env.shLicensed under the MIT License. Third-party dependencies are detailed in NOTICE.md.