OVERVIEW
Brio is a headless micro-kernel that orchestrates AI agents using the WebAssembly (WASM) Component Model. It synthesizes the safety of a database kernel with the speed of a service mesh to provide a secure, high-performance platform for AI agent orchestration. The system runs agents and tools as sandboxed WASM components with zero-copy inter-process communication, copy-on-write filesystem isolation, and capability-based access control. Built-in agents include Coder, Reviewer, Council, Foreman, and Smart Agent, each with specific capabilities and security profiles.
KEY FEATURES
- WebAssembly sandboxed components (WASI Preview 2) for secure execution
- Zero-copy IPC via Rust mpsc channels - no HTTP overhead between components
- Copy-on-write VFS sessions with atomic commits and automatic rollback
- 5 built-in agent types: Coder, Reviewer, Council, Foreman, Smart Agent
- Multi-model LLM support (OpenAI, Anthropic, Ollama) with provider fallback
- Capability-based access control with 5-layer security defense
- Branching workflows for parallel execution with conflict resolution
- Type-safe component contracts via WIT interfaces
- Distributed mesh support for multi-node gRPC deployment
- Real-time WebSocket updates with JSON Patch broadcasting
CHALLENGES & SOLUTIONS
Implementing zero-copy communication between WASM components while maintaining security boundaries required careful design of the service mesh layer using tokio mpsc channels and shared memory techniques.
Building a copy-on-write VFS system with atomic commits involved managing complex directory operations, reflink support detection, and ensuring rollback capability on failure across different filesystems.
Designing a capability-based security model that integrates with WASM sandboxing, SQL policy enforcement, and VFS isolation required balancing flexibility with strict access control.
SYSTEM ARCHITECTURE
The kernel consists of 6 core subsystems: BrioHostState (central orchestrator), Service Mesh (zero-copy IPC), VFS Session Manager (atomic file operations), SQL Store (policy-enforced SQLite), Supervisor (task orchestration with branching/merging), and WebSocket Broadcaster (real-time updates). All agents and tools run as WASM components with strictly defined WIT interfaces, communicating through the host-managed mesh.
SECURITY MODEL
Five-layer defense architecture: Layer 1 (WASM Sandbox) provides memory isolation and bounds checking. Layer 2 (VFS Sessions) ensures copy-on-write file isolation. Layer 3 (Capabilities) enforces access control via WIT imports. Layer 4 (SQL Policy) uses prefix-based table scoping. Layer 5 (Tool Validation) implements input sanitization, path traversal protection, and shell command allowlists.
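A sketch of the Layer 5 checks named above (path traversal protection and a shell command allowlist), added here as an illustration and not taken from Brio's code. The function names, the allowlist contents, the metacharacter set and the session path are all assumptions.

```rust
use std::path::{Component, Path, PathBuf};

// Constructed allowlist and metacharacter set; Brio's real lists are not on the page.
const ALLOWED: &[&str] = &["ls", "cat", "grep"];
const SHELL_META: &str = ";|&$`<>\\\"'\n";

/// Lexically resolve `requested` under `root`, rejecting absolute paths and
/// any `..` that would climb above the session root. Symlinks are not
/// followed here; a real check must also canonicalize before opening.
fn resolve_in_session(root: &Path, requested: &str) -> Result<PathBuf, String> {
    let mut out = root.to_path_buf();
    let mut depth = 0usize; // components pushed below `root` so far
    for comp in Path::new(requested).components() {
        match comp {
            Component::Normal(seg) => { out.push(seg); depth += 1; }
            Component::CurDir => {}
            Component::ParentDir if depth > 0 => { out.pop(); depth -= 1; }
            Component::ParentDir => return Err(format!("escapes session root: {}", requested)),
            Component::RootDir | Component::Prefix(_) =>
                return Err(format!("absolute path rejected: {}", requested)),
        }
    }
    Ok(out)
}

/// Split a command line into argv only if it has no shell metacharacters
/// and its program name is on the allowlist.
fn validate_command(line: &str) -> Result<Vec<String>, String> {
    if line.chars().any(|c| SHELL_META.contains(c)) {
        return Err("shell metacharacter rejected".to_string());
    }
    let argv: Vec<String> = line.split_whitespace().map(String::from).collect();
    let prog = argv.first().ok_or("empty command")?;
    if !ALLOWED.iter().any(|a| *a == prog.as_str()) {
        return Err(format!("program not on allowlist: {}", prog));
    }
    Ok(argv)
}

fn main() {
    let root = Path::new("/sessions/s1"); // constructed session directory
    for p in ["src/../Cargo.toml", "../s2/secret", "/etc/passwd"] {
        println!("{:?} -> {:?}", p, resolve_in_session(root, p));
    }
    for c in ["grep -n TODO src/main.rs", "rm -rf .", "cat a; rm b"] {
        println!("{:?} -> {:?}", c, validate_command(c));
    }
}
```

Returning an argv vector rather than a string lets the caller spawn the program directly, so no shell ever re-parses the validated input.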
BUILT-IN AGENTS
Five specialized agent types: Coder (code writing with R/W access), Reviewer (read-only code analysis for safety), Council (strategic planning and task decomposition), Foreman (task orchestration and milestone tracking), and Smart Agent (general-purpose with shell execution). Each agent has carefully scoped capabilities - for example, the Reviewer has read-only file access for safe code analysis, while the Smart Agent can execute shell commands from an allowlist.