AIOS is the governance and audit layer for AI working with your codebase. Every AI-generated commit gets reviewed before it lands. Pass, warn, block, or override: every decision is logged in a permanent audit trail. You ship faster with AI, and you can still answer for what it did. Free for 30 days.
jwt.sign() uses a short hardcoded string. Move secret to env var and use 256-bit minimum. See rule AUTH-007.
Watch Haylo review it. Every line. Policy, secrets, drift, all checked. Every verdict signed and logged.
A pre-commit hook sends the file to the critic layer. Critics run in parallel and return a verdict. The verdict is signed and appended to a hash-chained audit log. No LLM calls. No external data.
A git hook runs before your commit is created. It sends the changed file content to the critic server. Takes under 10ms to dispatch.
14 domain critics run in parallel: crypto, secrets, OWASP, supply-chain, auth, compliance, privacy, LLM safety, and more. Pattern-based, deterministic.
The server returns a verdict with the rule ID, a plain-English fix, and the domain that flagged it. GATE blocks the commit. WARN logs the finding and lets the commit through. PASS is silent.
Every verdict is signed with a key bound to your account and appended to a hash-chained log. Tamper-evident. Exportable. Verifiable offline with aios verify.
AI assistants don't know your security policies or compliance posture, so they make predictable mistakes. AIOS looks for the fingerprints those mistakes leave in the code. Same file in, same verdict out, every time.
Catches hardcoded API keys, MD5/SHA1 usage, hardcoded IVs, and Math.random() used for tokens. AI pulls these patterns from training data full of textbook insecure examples.
signToken(). Replace with SHA-256.
SQL concatenation into queries, eval(userInput), command injection via shell exec. These show up constantly in AI-generated code and are easy to miss in a busy PR.
Unpinned dependency versions, missing lockfiles, packages flagged for known CVEs. AI recommends packages by popularity and training data recency, not by current vulnerability status.
lodash unpinned. Pin to an exact version in package.json.
Hardcoded JWT secrets, weak signing algorithms, OAuth scope misconfigurations, missing httpOnly on session cookies. Auth bugs are cheap at commit time and expensive after deployment.
jwt.sign() uses a hardcoded string. Move to a 256-bit env var.
Plus data & privacy, LLM governance, infra & config, observability, and compliance risk patterns. See FAQ for how critics work.
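A deterministic, pattern-based critic layer of the kind described above, as an added example that is not AIOS's own rule set: each rule is a regex plus an optional path scope, the highest-severity finding decides the file's verdict, and one GATE blocks the commit. AUTH-007 is the rule ID quoted on this page; the other two IDs, the regexes, and the sample files are constructed for the example.

```javascript
// Rule IDs other than AUTH-007 (quoted on the page) are placeholders invented for this example.
const RULES = [
  { id: 'AUTH-007', domain: 'auth', severity: 'GATE',
    test: /jwt\.sign\([\s\S]*?,\s*(['"`])[^'"`\n]+\1/,   // secret passed as a string literal
    fix: 'jwt.sign() uses hardcoded secret. Move to env var (256-bit minimum).' },
  { id: 'CRYPTO-EX1', domain: 'crypto', severity: 'GATE', paths: /crypto/,
    test: /\bmd5\(/,                                       // only evaluated for crypto paths
    fix: 'md5( in a crypto file. Replace with SHA-256.' },
  { id: 'CRYPTO-EX2', domain: 'crypto', severity: 'WARN',
    test: /\b(token|secret|nonce)\b[^\n]*Math\.random\(\)/i,
    fix: 'Math.random() is not a CSPRNG; use crypto.randomBytes() for tokens.' },
];
const RANK = { PASS: 0, WARN: 1, GATE: 2 };

// Run every rule over one file. Pure function of (path, source): no model, no network,
// so the same input always yields the same verdict. The highest-severity finding wins.
function review(path, source) {
  const findings = [];
  for (const r of RULES) {
    if (r.paths && !r.paths.test(path)) continue;
    if (r.test.test(source)) findings.push({ id: r.id, domain: r.domain, severity: r.severity, fix: r.fix });
  }
  const verdict = findings.reduce((v, f) => (RANK[f.severity] > RANK[v] ? f.severity : v), 'PASS');
  return { path, verdict, findings };
}

// The pre-commit gate: one GATE anywhere blocks the whole commit; WARN only annotates.
function reviewCommit(files) {
  const results = files.map(([path, source]) => review(path, source));
  return { blocked: results.some((r) => r.verdict === 'GATE'), results };
}

// Constructed sample files; the first three mirror the commit transcript on the page.
const FILES = [
  ['src/billing/checkout.js', 'export const total = (items) => items.reduce((a, b) => a + b.price, 0);'],
  ['src/crypto/keys.js', "const crypto = require('crypto');\nexport const kid = () => crypto.randomBytes(16).toString('hex');"],
  ['src/auth/session.js', "const jwt = require('jsonwebtoken');\nexport const sign = (u) => jwt.sign({ sub: u.id }, 'changeme');"],
  ['src/util/ids.js', 'export const token = () => Math.random().toString(36).slice(2);'],
];

const report = reviewCommit(FILES);
for (const r of report.results) {
  console.log(`${r.verdict} ${r.path}`);
  for (const f of r.findings) console.log(`  ${f.id}: ${f.fix}`);
}
console.log(report.blocked ? '[aios] 1 gate -- commit blocked' : '[aios] commit allowed');
```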
No new workflow. AIOS hooks into your existing git commits. PASS is quick + quiet, WARN flags a finding without blocking, GATE stops a real problem before it ships.
npm install -g https://aios.visnryentertainment.com/package.tgz to install, then aios --key sk-aios-... in your repo. Hook installed.
Per-file verdicts in about a second. PASS allows the commit, WARN allows + flags, GATE blocks until you fix or override.
$ git commit -m "add payment flow"
[aios] governing 3 files...
PASS src/billing/checkout.js
PASS src/crypto/keys.js
GATE src/auth/session.js
AUTH-007: jwt.sign() uses hardcoded secret.
Move to env var (256-bit minimum).
Override: aios-allow
[aios] 1 gate -- commit blocked
Every verdict in the dashboard, by file, by author, by domain. Run aios verify to confirm the audit chain is intact.
Every governance decision is deterministic. Same file in, same verdict out. You can audit why a commit was blocked without trusting a model's judgment.
Critics are code, not models. md5( in a crypto file is always a flag. No hallucinations, no false negatives from a bad prompt day. The rule either matches or it doesn't.
The critic server runs your patterns locally. No call to a third-party LLM on every commit. Verdicts come back in under 500ms. Your git workflow doesn't notice.
Every verdict is hash-chained. Run aios verify and get a pass/fail on the chain's integrity. No black box. No vendor trust required. The log is yours.
AIOS governance is triggered by git, not by your AI assistant. Copilot, Cursor, Claude Code, or none of them: whatever wrote the code, the same critic layer runs before it lands.
AIOS is in open beta. Try the product for free for 30 days.
Everything in the product. Run it on a real codebase and see if the verdicts hold up.
Full product. No credit card. See if it works for you.
Individual devs and solo founders. Every commit reviewed.
Startups and small teams shipping AI code daily.
Regulated orgs and larger teams. Compliance-ready audit trail.
Verdicts come back in about a second. Most engineers don't notice it ran. They only notice when something needs fixing.
Mostly deterministic. That means pattern matching, AST analysis, and schema validation. A few rules use an LLM as a judge (clearly labeled as such). The deterministic rules give the same verdict for the same input, every time.
Source transits our server only during critic evaluation. It is not retained on disk, in databases, in backups, or in our audit log. Only verdict metadata (rule ID, file path, severity) is persisted.
Not yet. The rule set is curated and maintained by us. Custom rule authoring is on the roadmap (see projected pricing). For now, you tune which domains run via your project type.
Language-agnostic where rules are pattern- or AST-based, so it works on any text-based source. Some domains are language-specific; most apply broadly.
For genuine emergencies there's a bypass flag, and every use of it is recorded in the audit log. No silent skips.
Where this is going
AIOS today catches the structural mistakes that have a known fingerprint. AIOS tomorrow governs every layer of autonomous AI computation: generation, execution, memory, deployment. The critic mesh and audit chain you're using now are the foundation of that system.