// technology

How aim works,
all the way down.

The interception architecture, the rule language, and the egress wall.

01// architecture

A proxy between the agent
and the metal.

01

Intercept

all calls

02

Match

request type

03

Decide

to allow or deny

04

Replay

whenever

// agent ⇄ aim ⇄ systemfig 01.01
rules
~/.aim/triggers
globs · scopes · ttl
agent
claude-code
pid 31821 · cwd
aim
local proxy · :7821
match → decide
system
kernel · libc
fs · net · exec
prompt
user decides
⏎ allow · ␛ deny
audit
event stream
~/.aim/audit.jsonl
agent
claude-code · pid 31821
request
aim
local proxy · :7821
├─ rules ~/.aim/triggers├─ prompt ⏎ allow · ␛ deny└─ audit ~/.aim/audit.jsonl
allow
system
kernel · fs · net · exec
request decision tree approved · executes
02// permission rules

Block by default.
Allow with precise scope.

Policy-driven access for files and the web. Anything not covered by a rule surfaces as a one-keystroke prompt: accept once, this session, or forever.

~/.config/aim/rules.aim● saved
files:
allow
├─read
├─~/projects/**
├─~/.config/aim/**
└─package.json
└─write
└─~/projects/**
ask
├─write
└─package.json
└─exec
└─~/projects/**
deny
└─any
├─~/.ssh/**
└─/etc/**
web:
allow
├─GET
├─api.github.com/*
└─raw.githubusercontent.com
└─any
└─*.openai.com
ask
└─POST
├─api.github.com/*
└─hooks.slack.com/*
deny
└─POST
└─raw.githubusercontent.com
live activity18 events · last 4m
  • 14:23readsrc/index.ts
  • 14:23execgit status
  • 14:24writepackage.jsondeny
  • 14:24readtsconfig.json
  • 14:24execnpm test
  • 14:25GETapi.github.com
  • 14:25read.env.example
  • 14:25read~/.ssh/id_ed25519
  • 14:26POSTraw.gh.com
  • 14:26POSThooks.slack.comallow
  • 14:26readsrc/components/
  • 14:27writesrc/auth.ts
  • 14:27GET*.openai.com
  • 14:28execgit diff
  • 14:28write.env.localdeny
  • 14:28readREADME.md
  • 14:29execrm -rf node_modules
  • 14:29GETapi.anthropic.com
  • 14:23readsrc/index.ts
  • 14:23execgit status
  • 14:24writepackage.jsondeny
  • 14:24readtsconfig.json
  • 14:24execnpm test
  • 14:25GETapi.github.com
  • 14:25read.env.example
  • 14:25read~/.ssh/id_ed25519
  • 14:26POSTraw.gh.com
  • 14:26POSThooks.slack.comallow
  • 14:26readsrc/components/
  • 14:27writesrc/auth.ts
  • 14:27GET*.openai.com
  • 14:28execgit diff
  • 14:28write.env.localdeny
  • 14:28readREADME.md
  • 14:29execrm -rf node_modules
  • 14:29GETapi.anthropic.com
~/.aim/audit.jsonl · streaming
03// network

Your code stays in.
Your keys stay out.

Restrict the network and the agent reaches only the hosts you allow. Everything else is blocked at the kernel. A compromised agent has nowhere to leak your data.

// agent ⇄ aim ⇄ internetfig 03.01
agent
claude-code
outbound → localhost only
aim
egress proxy
:7821
CONNECTapi.anthropic.com:443
CONNECTregistry.npmjs.org:443
GETgithub.com/acme/**
CONNECTpastebin.com:443
CONNECT169.254.169.254:80
GETget.evil.sh/install.sh
// every connection logged~/.aim/audit.jsonl
01

Sensitive data stays in

Source, secrets, and customer data can only reach hosts you allow.

02

Bad downloads blocked

No install scripts from random hosts. No poisoned mirrors.

03

Keys never enter the box

API keys stay in your keychain. The agent only talks to localhost.

04

Metadata locked out

Cloud metadata IPs stay denied. DNS rebinding too.

04// technical faq

Under the hood.

A centralized proxy mediates the network for every seat, and a per-device binary shims stdio tools (Claude Code, Codex, Cursor MCP) and routes outbound HTTP/S through it.

On Linux, a microVM with seccomp and Landlock on the box. On macOS, agents run in a Linux VM spun up by Apple’s container machine, so the same kernel enforcement applies. Blocked syscalls and connections stop at the kernel, and even a compromised agent has no route around aim.

No, when you inject them through aim. Keys stay in the OS keychain and aim swaps them in as it forwards each request upstream. The agent talks to localhost and never holds the real secret.

Yes. Rules live in plain-text files, designed to be committed, code-reviewed, and shared as rule packs. Org policies distribute the same way, signed and read-only on each seat.

Anything that speaks HTTP/HTTPS, MCP, or POSIX can run behind aim. An OpenAPI hook covers custom agents you build yourself.

05// demo

Stop choosing between
velocity and compliance.

// or join the waitlist

deploys on-prem · macOS / linux·30-minute call