Built with Tauri · Rust · TypeScript

Govern AGENTS,
and make them collaborate.

AgentVis is an easy-to-use, efficient, and governable AI Agent runtime platform.
Multi-agent collaboration · Five-layer security · Sandboxed execution · Visual interaction.

5-Layer Defense in Depth · MB + SA Collaboration · Visual Enhancer · Three-Tier Memory System · Observability

HARNESS, made visible

Closed-loop engineering for full-chain Autonomous Agency

Core Features

Beyond chat,
a complete Agent Runtime

Master Brain + Sub-Agents

Master Brain focuses on decision-making and planning while Sub-Agents execute in loops under Checkpoint supervision. An FSM-driven task loop and Loop Governor controls keep execution bounded.

Five-Layer Security

From prompt-level soft constraints and TypeScript tool interception to Rust hard blocking, sandbox audits, and recoverable deletion through Trash Bin, AgentVis builds a continuous defense chain.

Visual Enhancer

Automatically upgrades text replies into ECharts charts, Mermaid flowcharts, and interactive Widgets so data becomes easier to understand.

Real-Time Diff Review

The Myers Diff algorithm works with four levels of content matching: exact, normalized, fuzzy, and semantic. Review block by block, accept or reject everything, and roll back snapshots.

Project Preview

An embedded Vite Dev Server previews frontend projects generated by Agents instantly. Windows Junction enables zero-cost dependency sharing without leaving the app.

Remote IM Command

Send tasks to Agents through Feishu or Slack, watch reasoning progress in message cards, and stop execution at any time with the Stop Task button.

Security First

Security is not a feature.
It is the foundation.

AgentVis assumes Agents may drift and builds brakes into the system early. Five-layer defense in depth spans soft constraints, hard blocking, runtime sandboxing, and recoverable deletion, with a clear interception boundary at every layer.

Layer 01
LLM Behavior Soft Constraints

Master Brain, Checkpoint, and Sub-Agent constraints form three LLM safety layers. Safety Footer adds behavioral self-checks, and Loop Governor provides five-level circuit breaking.

Layer 02
TypeScript Tool Interception

Tools are authorized by risk level. High-risk exec calls must pass Checkpoint approval, with precise allowlist and denylist matching.

Layer 03
Rust Command Hard Blocking

High-risk operations such as deleting system files, changing permissions, modifying environment variables, or formatting disks are fully blocked, with dangerous scripts scanned before execution.

Layer 04
Process / Network Sandbox

Job Object, AppContainer, broker/proxy, and direct-audit work together to add runtime boundaries and audit trails for shell and Skill execution.

Layer 05
Agent Trash Bin

Deletion is rewritten as a move to Trash Bin and can be restored within 30 days, reducing the blast radius of irreversible mistakes.

vs. competitor

Six high-risk vulnerability classes
and how AgentVis responds

Architecture-Level Immunity
AgentVis - a Tauri desktop app that removes the external attack surface by design

Critical: Remote Code Execution (RCE), where an attacker can remotely inject and execute arbitrary code
AgentVis - no externally exposed HTTP service port, making the Tauri app unreachable at the architecture level.

Critical: UI hijacking / XSS, where an attacker can inject scripts and hijack a user session
AgentVis - no externally accessible gateway. The UI runs inside a local WebView sandbox, so cross-origin attacks have no entry point.

High: Instance exposure / unauthorized access, where Agent instances and workspaces can be reached without authentication
AgentVis - runs 100% locally with zero network listening ports, so no instance can be remotely discovered or accessed.

Active Defense
Multi-layer interception + AI-driven review

High: Skill supply-chain poisoning, where a malicious skill package can steal data or plant a backdoor
AgentVis - LLM-driven ReAct deep security scanning with a 7-dimension Skill review before installation.

Critical: Runaway system access or mistaken operations that cause system-level damage
AgentVis - five-layer defense in depth: LLM soft constraints -> TS tool interception -> Rust hard blocking -> sandbox audit -> Trash Bin fallback.

High: Token / API key leakage through URL parameters or plaintext storage, which can be captured by logs or intermediaries
AgentVis - API keys are encrypted through Rust crypto/keystore.rs and stored in Windows Credential Manager. They are not passed through URLs and are redacted and audited by the sandbox.

Sandbox Runtime

Let AGENTS take action,
with clear boundaries.

AgentVis sandboxing is not a single switch. It is a runtime security layer across commands, processes, files, network access, and audits. Different tasks can use different permission levels: practical by default, tighter for high-risk work, and auditable when network access is needed.

01 Commands pass through the safety chain first

The TS tool layer classifies risk quickly, while the Rust command layer provides final validation. Dangerous commands, protected paths, and risky script APIs are blocked or require confirmation before execution.

02 Network behavior can be contained

HTTP(S) tasks preferentially enter the broker/proxy audit path. Script Skills can declare brokerOnly for fail-closed networking, while non-HTTP(S) access goes through precise direct-audit authorization.

03 Failures are traceable

SandboxAuditEvent records the mode, network policy, matched rule, decision result, and redacted target information, turning security failures from "blocked" into "understood".

Execution Pipeline
TS Tool Layer
Rust Validation Layer
Process / Network Sandbox
Audit and Recovery
Controlled Network currently presents a broker/proxy-first, audit-oriented model. Script Skill brokerOnly is the stricter fail-closed path: scripts must send HTTP(S) requests through the broker helper or main-process broker. Full-protocol hard isolation such as WFP remains an advanced experiment and diagnostic path, not a default promise.
LocalAudit

Local Audit Mode

Best for everyday Agent work, local automation, and browser tasks. It is not limited to one workspace and includes multiple defense and audit constraints: system and custom path protection, denylisted command interception, high-risk command blocking, and safe moves to Trash Bin.

Practical by Default · Protected Paths · Recoverable Deletion
ControlledNetwork

Controlled Network Mode

Operates in local file space by default and grants Agent-browser CDP Runtime permissions. It inherits the multiple defenses of Local Audit. HTTP(S) traffic is preferentially routed through broker/proxy for security auditing, and any required direct connection must be explicitly authorized.

broker/proxy · direct-audit · agent-browser
OfflineIsolated

Offline Isolated Mode

Uses AppContainer containerized execution with strict file boundaries and hard network disconnection. It blocks direct network access and all operations outside the workspace, and strictly forbids desktop automation control. It is ideal for untrusted scripts and high-risk tasks.

Workspace Boundary · Hard Network Ban · High-Risk Tasks
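
The network decision and audit record described in this section, sketched as an added TypeScript example (not AgentVis source code). The type names, rule strings and `directAllow` list are assumptions, and only the Controlled Network and Offline Isolated modes are modeled.

```typescript
// Added illustration: hypothetical types and rule names, not AgentVis source code.
type Mode = "ControlledNetwork" | "OfflineIsolated";
type Decision = "allow-broker" | "allow-direct" | "deny";

interface NetRequest {
  mode: Mode;
  target: string;        // raw URL as the tool or script supplied it
  viaBroker: boolean;    // request arrived through the broker/proxy path
  brokerOnly: boolean;   // Script Skill declared brokerOnly
  directAllow: string[]; // explicit direct-audit grants, "host:port"
}
interface AuditEvent {   // fields follow the page's SandboxAuditEvent description
  mode: Mode; networkPolicy: string; matchedRule: string;
  decision: Decision; target: string;
}
interface Target { scheme: string; hostPort: string; redacted: string }

const DEFAULT_PORTS: Record<string, string> = { http: "80", https: "443" };

// Split a URL by hand; drop userinfo and query so secrets never reach the log.
function parseTarget(raw: string): Target | null {
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^\/?#]+)([^?#]*)(\?[^#]*)?/i.exec(raw);
  if (m === null) return null;
  const scheme = (m[1] || "").toLowerCase();
  const auth = m[2] || "";
  const host = auth.slice(auth.lastIndexOf("@") + 1).toLowerCase();
  const port = DEFAULT_PORTS[scheme];
  const hostPort = /:\d+$/.test(host) || !port ? host : `${host}:${port}`;
  const redacted = `${scheme}://${host}${m[3] || ""}${m[4] ? "?<redacted>" : ""}`;
  return { scheme, hostPort, redacted };
}

function decide(req: NetRequest): AuditEvent {
  const t = parseTarget(req.target);
  const policy = req.mode === "OfflineIsolated" ? "no-network"
    : req.brokerOnly ? "brokerOnly" : "broker-first";
  const ev = (matchedRule: string, decision: Decision): AuditEvent => ({
    mode: req.mode, networkPolicy: policy, matchedRule, decision,
    target: t ? t.redacted : "<unparseable>",
  });
  if (req.mode === "OfflineIsolated") return ev("offline:hard-network-ban", "deny");
  if (t === null) return ev("parse-failure", "deny"); // fail closed
  const isHttp = t.scheme === "http" || t.scheme === "https";
  if (isHttp && req.viaBroker) return ev("broker-proxy", "allow-broker");
  // Assumption: brokerOnly denies every request that bypasses the broker.
  if (req.brokerOnly) return ev("brokerOnly:no-direct", "deny");
  if (req.directAllow.indexOf(t.hostPort) !== -1) return ev(`direct-audit:${t.hostPort}`, "allow-direct");
  return ev("direct-audit:no-authorization", "deny");
}

// Constructed sample request (placeholder host and credentials).
const sample = decide({
  mode: "ControlledNetwork", viaBroker: false, brokerOnly: true, directAllow: [],
  target: "https://user:pw@API.example.test/v1/items?token=abc",
});
console.log(JSON.stringify(sample));
```

Every branch returns an event, including denials, so a blocked request still leaves the mode, policy, matched rule and a target with credentials and query string removed.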
Product Overview

Everything in One Window

From Agent creation, settings, decisions, execution, and human intervention to project binding, file preview, and review management - all visible in one place.

AgentVis interface overview
Intelligent Augmentation

Text is automatically upgraded,
and data becomes clear at a glance.

The Visual Enhancer post-processing layer automatically detects data patterns in Agent replies - percentages, trends, flows, and comparisons - and turns plain text into ECharts charts, Mermaid flowcharts, and interactive Widget components, making results more visual, reducing information-density fatigue, and improving understanding and decision support.

8 ECharts chart types · Mermaid flowcharts · Widget choice cards · Widget decision trees · 5-signal heuristic trigger · Light/dark adaptive
Diff & Fast Apply

Every line of change
stays under your control.

A four-level content matching engine based on an XML edit protocol works with Myers Diff to visualize changes down to each line. Review block by block, accept or reject everything, and roll back snapshots.

Exact matching · Normalized matching · Fuzzy matching with Levenshtein · Semantic matching with embeddings · Snapshot rollback x10 · Undo/Redo x50
AgentVis Diff preview panel
Hub & Agent Collaboration

Your AGENTS collaborate like a team,
while decision power stays with you.

Create team workspaces through Hubs. Each Agent has independent context and capabilities; members can see each other but do not share memory. Users guide collaboration through @mentions, discussions, and task assignment instead of letting Agents communicate automatically - more control, less uncertainty.

Hub discussion - multi-Agent references and @ cross-review
Independent Agent window - each Agent has full independent capabilities

Hub Team Workspace

Create multiple Hubs from the top tabs. Each Hub is an independent team workspace with its own discussion area, where users can @Agent to start discussions and reference Agent-window conversations for cross-role review.

Context Isolation

Agents do not share chat history. They know each other by name and workspace, but cannot access one another's conversation context. This prevents context pollution at the root and keeps each Agent independently focused on its own role.

User-Led Collaboration

You decide when, who, and what to discuss. Assign tasks to Agents, summon them into Hub discussions, let them reference one another for cross-review, and even allow Agents to inspect each other's work directories when needed.

Shared Projects

Bind multiple Agents to the same project directory so they can work independently in their own windows on the same codebase. Open collaboration scope as needed - from isolated tasks to shared engineering work.

Scenario A

Multi-role PRD collaboration

Create BA, Architect, and UX Agents, each working in its own window on requirements analysis, architecture design, and experience planning.

User @Architect in Hub to review requirements -> Architect responds with a clean context -> user quotes the BA window conversation into Hub -> cross-role discussion begins
Scenario B

Correcting wrong output

Architect generates an incorrect technical plan in an independent window, and the user corrects it from the Hub.

User finds the incorrect paragraph in Architect window -> right-clicks "Quote to Hub" -> types "@Architect this plan has an issue; please reconsider..." -> Architect revises based only on the quoted content and new instruction
Scenario C

Expert Agent advice

A Hub discussion gets stuck and needs a fresh perspective unaffected by the earlier debate history.

User types "@UX please objectively evaluate the current plan from a UX perspective" -> UX gives advice from a clean perspective without prior debate baggage
Memory & Skills

Persistent collaboration for long-running AGENTS

A three-tier memory architecture, Agent-Log, and layered context management let Agents maintain durable memory in the same conversation window, grow with the user, and stay aligned. Freely scheduled Skills and security review systems expand Agent capabilities safely.

Three-Tier Memory Architecture

  • Short-term buffer - sliding window with waterline-triggered compression to avoid chat buildup
  • State summaries - topics / decisions / open questions with semantic recall
  • Long-term facts - written after stability verification so transient noise does not become memory
  • Task experience - task_experience enters the Master Brain decision chain independently

Skill Ecosystem

  • Global Skills with free toggles - all Agents share Skills loaded on demand
  • Per-Agent Skills - each Agent can use Pinned Skill Mode to bind role-specific capabilities
  • AI-driven security review - seven-dimension scanning before installation
  • Install once, refresh to apply - hot-load without restart

Layered Context Management

When Agents execute long task chains, the context window can keep growing with tool results. AgentVis uses the MB + SA layered architecture to maintain separate context pipelines, with multi-level compression and artifact persistence so interrupted tasks can recover and Sub-Agents stay context-healthy across hundreds of steps - no forgetting, no repetition, no runaway loops. MB decision-round limits make long-horizon tasks more stable.

3 Levels - Progressive compression
Unlimited - Context resets
200 - Tool-call safety valve
Three-level progressive compression

L2 context reset proactively cleans up -> L1 gradient compression acts as a high-water fallback -> L3 budget warnings guide wrap-up. Supports unlimited resets without resetting the total budget.

MB strategic continuity

SA reports use semantic fences to prevent misinterpretation, while MB decision rationale is injected across rounds so strategy continuity is not broken by SA rotation.

Cross-SA artifact persistence

Task Artifact Store automatically extracts tool results - search, files, commands - and uses FIFO eviction to keep a fixed budget, so new SAs do not repeat work.

Session-round isolation

SA tool results are not written into the parent Session. Tool messages are cleaned each round, while cross-round knowledge transfer is handled by memory, keeping the session channel clean.

Human-in-the-Loop

Pause anytime to correct course or adjust requirements.

Unlike binary approve / deny HITL gates, where an Agent pauses only at sensitive operations and shows Allow or Deny, AgentVis defense in depth gives HITL a new path: you can actively pause at any step of Agent execution, type a natural-language adjustment, and let the Agent continue in a new direction immediately.

Active pause, not passive approval

Click pause and the Agent suspends as soon as the current tool call finishes. No predefined "sensitive operation list" is needed; when the direction feels wrong, pause with one click.

Natural-language intervention

After pausing, type an adjustment such as "try another approach, do not use recursion" or "check the docs before editing". The Agent picks up your intent in the next LLM call and changes direction.

Intervention persists across rounds

Your intervention is written to Task Artifact so every later SA round can see it. Even if Agents rotate, your intent is preserved.

Live Preview

From code to browser,
zero-latency preview.

Vite Dev Server is embedded in the app so frontend projects generated by Agents render instantly. Windows Junction enables zero-cost dependency sharing, and Tailwind CSS is automatically downgraded when needed.

React / Vue / Vanilla · Windows Junction · Tailwind auto downgrade · localhost secure binding
AgentVis Live Preview
Remote & Automation

Remote control, local automation.

Send remote-computer tasks to Agents through Feishu or Slack, send messages back to users, and transfer local files. Built-in desktop and browser automation tools help Agents explore more local automation workflows.

Guides

Four guides,
from first launch to stable operation.

Organized around the real onboarding path: Quick Start, Skills, sandbox security, and IM bot configuration. Run your first task chain first, then expand the Agent capability boundary step by step.

FAQ


No. After one-click installation, the system automatically creates the runtime environment and installs related dependencies. The first setup takes a moment. Then open the Settings panel, find API Keys and Cloud Services, and enter your API keys. Return to the main screen and create a Hub and Agent to begin collaborating with Agents. AgentVis includes practical Skills for browser and desktop automation, data scraping, GitHub lookup, arXiv paper search, news RSS, Yahoo Finance, email assistance, video-data analysis summaries, and HTML-to-PPT/PDF/DOCX/XLSX workflows. Agents can guide you through using them.

AgentVis is built on Tauri and runs 100% locally. All chat history, file operations, and memory data are stored on your local disk, with one-click backup and restore. They are not uploaded to any cloud server. API keys are encrypted through Windows Credential Manager.

AgentVis supports OpenAI, Anthropic, Gemini, and providers or models compatible with their protocols, including Zhipu, MiniMax, DeepSeek, Xiaomi, StepFun, Agnes, Volcengine, OpenRouter, and more. You can also configure a local custom API endpoint, which will be routed to the matching compatible protocol. You can freely switch providers and models in Settings, add custom models yourself, or let an Agent add models for you.

No. AgentVis uses long-lived WebSocket connections to communicate with Feishu and Slack, so no public IP or reverse proxy is required. Configure Feishu or Slack bot credentials, then control Agents remotely from your phone. By default, each platform supports up to 10 bots connected to 10 Agents running remote tasks at the same time.

Yes. Describe what you need and let an Agent use skill-creator to write and install a Skill, then refresh the Skill list in Settings. If you import a local Skill package or paste a GitHub Skill package link, AgentVis starts a review. Before installation it runs an AI-driven seven-dimension security review. AgentVis is compatible with common Skill packages and provides two Skill modes. See the AgentVis Skills Guide for details.

The current version is a Windows desktop app. Tauri itself supports cross-platform builds, and macOS and Linux versions are planned.