Omni
A privacy-first, open-source AI agent platform. 9-crate Rust workspace with a Tauri + React desktop UI, WASM-sandboxed extensions via Wasmtime/WASI, multi-provider LLM orchestration with streaming, a 4-layer Guardian anti-injection security pipeline, 30+ messaging integrations, and deny-by-default capability-based permissions.
System Design
Nine crates, one workspace. A modular Rust runtime with a capability-secured extension layer.
Core Runtime
In-process event-driven message router. Assembles prompts with extension context and conversation history, streams LLM responses through Guardian scanning, and dispatches tool calls to the Extension Host via a broadcast event bus.
Extension Host
Manages extension lifecycle in isolated WASM sandboxes via Wasmtime/WASI. Deny-by-default permissions with explicit capability imports. JSON-RPC IPC broker, hot-reload manifest system, and 27 native host tools.
LLM Bridge
Multi-provider adapter layer with async streaming. Supports OpenAI, Anthropic, Google, Ollama, Bedrock, and custom endpoints. OS keychain credential storage with automatic rotation and provider fallback chains.
Desktop Shell
Tauri v2 desktop application with a React + TypeScript frontend. Chat panel with streaming markdown, real-time action feed, permission dashboard, and extension manager. Connected to the Rust backend via type-safe Tauri commands and events.
Under the Hood
The technical details that make Omni different from existing AI agent platforms.
Extensions run in isolated WebAssembly sandboxes via Wasmtime with WASI. No filesystem, network, or system access unless explicitly granted through the capability permission system. No Docker dependency required.
A novel 4-layer security pipeline that scans all LLM input and output. Signature matching, heuristic analysis, ML-based classification via ONNX Runtime, and policy enforcement. Blocks prompt injection attacks in real time.
Unified adapter trait for OpenAI, Anthropic, Google, Ollama, Bedrock, and custom endpoints. Async streaming with tool call parsing, automatic credential rotation, and configurable provider fallback chains.
Every extension action passes through a deny-by-default permission manager. Scoped capabilities with per-extension policies, runtime prompts, audit logging, and a global kill switch for instant revocation.
30+ messaging platform integrations including Discord, Telegram, Slack, and Nostr. Each runs as a sandboxed extension with the channel capability, connecting external services to the agent runtime securely.
All data stays on-device in an encrypted SQLCipher database. API keys stored in the OS keychain. Network access is an explicit, permissioned action. Every permission check and extension call is logged to a local audit trail.