AI and Agents
AI agents in ElastOS Runtime are not special. They run under the same capability system as every other capsule and every human user. An agent must hold valid, scoped tokens for every action it takes. It cannot silently read your files, make network calls, or invoke services without explicit grants.
Agent Capsule Type
Agents are one of the four capsule types. An agent capsule combines:
- LLM -- a language model for reasoning and decision-making
- Memory -- persistent state for context across interactions
- Tools -- capabilities to interact with the runtime's resources
The runtime routes AI model access through the elastos://ai/ provider contract, with LLM inference based on llama.cpp. This is not a raw API endpoint; it is a structured contract that the runtime mediates:
- Agents interact with models through the provider contract, not by holding API keys directly
- The runtime routes model requests according to the contract's rules
- Access to the elastos://ai/ provider requires a valid provider capability token
Scoped Access in Practice
The capability system prevents agents from receiving account-wide access. Instead, agents get precisely the access they need for a specific task:
Read-Only Access to a Specific Area
An agent that needs to check your calendar might receive:
read token: localhost://Users/self/Documents/Calendar/*
This grants read access to calendar entries. The agent cannot read Documents outside the Calendar directory, cannot read Pictures, and cannot write anything.
Read and Write with Separate Scopes
An agent that summarizes notes and saves drafts might receive:
read token: localhost://Users/self/Documents/Notes/*
write token: localhost://Users/self/Documents/Drafts/*
The agent can read existing notes and write new content to Drafts. It cannot modify the original notes, cannot write outside Drafts, and has no access to other areas.
Time-Limited Tokens
An agent performing a one-time task receives a token that expires: "you can read this one file for 30 minutes." When the task is done or the time expires, the access disappears.
Integration with the Capability Model
- No ambient access. An agent starts with nothing and receives only what it needs.
- Short-lived tokens. Tokens can expire after a single use or a time window, limiting exposure.
- Revocable at any time. If an agent misbehaves, its tokens can be revoked immediately. The epoch mechanism can invalidate all tokens at once.
- Full audit trail. Every token grant and exercise is logged by the runtime.
For the full capability model, including 12-step validation and the epoch mechanism, see Capability System. For the shell's planned evolution toward intelligent permission management, see the Roadmap.
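A minimal model of the checks this page describes (action, scope, expiry, epoch), added here as an illustration; it is not ElastOS code and not the runtime's 12-step validation. The Token fields, the subtree meaning of a trailing /*, and the epoch comparison are assumptions.

```python
import posixpath
from dataclasses import dataclass

@dataclass(frozen=True)
class Token:              # hypothetical shape, not the runtime's token format
    action: str           # "read" or "write"
    scope: str            # exact URI, or a directory scope ending in "/*"
    expires_at: float     # Unix time after which the token is dead
    epoch: int            # runtime epoch the token was issued under (assumed)

def canonical(uri):
    """Return (scheme, normalized path); '..' is resolved before any comparison."""
    scheme, sep, rest = uri.partition("://")
    if not sep:
        raise ValueError(f"not a resource URI: {uri!r}")
    return scheme, posixpath.normpath("/" + rest.lstrip("/"))

def scope_allows(scope, resource):
    subtree = scope.endswith("/*")
    s_scheme, s_path = canonical(scope[:-2] if subtree else scope)
    r_scheme, r_path = canonical(resource)
    if s_scheme != r_scheme:
        return False
    if subtree:
        # Trailing "/" keeps Notes/* from matching a sibling such as NotesArchive/.
        return r_path.startswith(s_path.rstrip("/") + "/")
    return r_path == s_path

def authorize(tokens, action, resource, now, current_epoch):
    for t in tokens:
        if (t.action == action
                and t.epoch >= current_epoch      # an epoch bump kills older tokens
                and now < t.expires_at            # time-limited grant
                and scope_allows(t.scope, resource)):
            return True
    return False                                  # no ambient access: default deny

# Constructed sample: the note-summarizing agent, tokens valid for 30 minutes.
NOW, EPOCH = 1_700_000_000.0, 7
DOCS = "localhost://Users/self/Documents"
AGENT_TOKENS = [
    Token("read", DOCS + "/Notes/*", NOW + 1800, EPOCH),
    Token("write", DOCS + "/Drafts/*", NOW + 1800, EPOCH),
]

if __name__ == "__main__":
    for action, res in [("read", "/Notes/todo.md"), ("write", "/Notes/todo.md"),
                        ("write", "/Drafts/sum.md"), ("read", "/Notes/../Calendar/e.ics")]:
        print(action, res, authorize(AGENT_TOKENS, action, DOCS + res, NOW, EPOCH))
```

A plain string-prefix test on the unnormalized URI would accept the `Notes/../Calendar` request; normalizing before matching is what keeps the read scope confined to Notes.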