How aim works,
all the way down.
The interception architecture, the rule language, and the egress wall.
A proxy between the agent
and the metal.
Intercept
all calls
Match
request type
Decide
to allow or deny
Replay
whenever
Block by default.
Allow with precise scope.
Policy-driven access for files and the web. Anything not covered by a rule surfaces as a one-keystroke prompt: accept once, this session, or forever.
~/projects/**~/.config/aim/**package.json~/projects/**package.json~/projects/**~/.ssh/**/etc/**api.github.com/*raw.githubusercontent.com*.openai.comapi.github.com/*hooks.slack.com/*raw.githubusercontent.comYour code stays in.
Your keys stay out.
Restrict the network and the agent reaches only the hosts you allow. Everything else is blocked at the kernel. A compromised agent has nowhere to leak your data.
Sensitive data stays in
Source, secrets, and customer data can only reach hosts you allow.
Bad downloads blocked
No install scripts from random hosts. No poisoned mirrors.
Keys never enter the box
API keys stay in your keychain. The agent only talks to localhost.
Metadata locked out
Cloud metadata IPs stay denied. DNS rebinding too.
Under the hood.
A centralized proxy mediates the network for every seat, and a per-device binary shims stdio tools (Claude Code, Codex, Cursor MCP) and routes outbound HTTP/S through it.
On Linux, a microVM with seccomp and Landlock on the box. On macOS, agents run in a Linux VM spun up by Apple’s container machine, so the same kernel enforcement applies. Blocked syscalls and connections stop at the kernel, and even a compromised agent has no route around aim.
No, when you inject them through aim. Keys stay in the OS keychain and aim swaps them in as it forwards each request upstream. The agent talks to localhost and never holds the real secret.
Yes. Rules live in plain-text files, designed to be committed, code-reviewed, and shared as rule packs. Org policies distribute the same way, signed and read-only on each seat.
Anything that speaks HTTP/HTTPS, MCP, or POSIX can run behind aim. An OpenAPI hook covers custom agents you build yourself.
Stop choosing between
velocity and compliance.
// or join the waitlist
deploys on-prem · macOS / linux·30-minute call