▀▄▀ █▀█
█░█ █▀▄
BYOK · local-first · spend-capped · tamper-evident · memory engine · research engine · voice stack · plugin platform · MCP-ready · multi-agent runtime · supervisor workflows · offline-capable · safe computer control · universal provider engine · XR 2.1 Skills Marketplace
You bring the key. We ship none. XR runs on your provider API key or your local model — it costs us $0 to maintain and you $0 to trust.
Status: XR 2.1 is implemented successfully on main and is ready to move forward.
XR 2.1 turns XR from an assistant into an extensible AI operating system with a complete Skill layer:
| Phase | Status | What shipped |
|---|---|---|
| XR 2.1A — Unified Skill Runtime | ✅ Done | xr-skill.json, unified loader, registry, resolver, validator, installer, lifecycle manager, permission manager, dependency resolver, local search index, compatibility adapters for legacy skills / plugin skills / MCP bundles / learned skills / research packs / role packs |
| XR 2.1B — Skill SDK | ✅ Done | xr skill init/create/build/package/validate/publish/doctor/test, production folder scaffolding, docs, examples, tests, icon, changelog, lockfile, build reports |
| XR 2.1C — Marketplace Backend | ✅ Done | local + installed registry state, online registry interface, download engine, dependency solver, updates, rollback snapshots, verification/signing helpers, publisher IDs, version resolution, compatibility checks |
| XR 2.1D — Marketplace UI | ✅ Done | local dashboard Marketplace, website /marketplace, XR logo/avatar brand system, search, filters, categories, Skill inspector, permission viewer, dependency viewer, install command copy |
| XR 2.1E — Official Skill Packs | ✅ Done | 54 official professional Skills hardened with playbooks, diagnostic prompts, operating manuals, permission docs, quality tests, professional examples, quality gates, workflows, commands, and memory templates |
xr skill browse # browse local Skills
xr skills list # unified runtime Skills
xr skill registry list # configured registries
xr skill registry sync # sync online/local registries
xr skill install-online <id> # install from marketplace backend
xr skill updates # check available Skill updates
xr skill rollback-online <id> # rollback registry-installed Skill
xr serve # open local dashboard MarketplaceWebsite:
/marketplace
The website Marketplace now renders the full repository Skill catalog: 65 available Skills including 54 official Skills and 11 legacy compatibility Skills.
XR 2.1 is GOOD TO GO for the next Stage 13 workstream. The architecture is stable enough to build on top of the completed Skill Runtime, SDK, Marketplace Backend, Marketplace UI, and official Skill pack foundation.
# Linux / macOS / Termux / WSL
curl -fsSL https://raw.githubusercontent.com/ahmadrrrtx/xr/main/install.sh | bash# Windows PowerShell
iex (irm https://raw.githubusercontent.com/ahmadrrrtx/xr/main/install.ps1)# After install — first time setup
xr onboarding # guided setup wizard (incl. memory + optional voice)
xr doctor # full health check (incl. memory + research + voice + plugins)
xr plugins search # discover safe, permissioned plugins
xr skill browse # browse the XR Skills Marketplace
xr skill install react_expert # install/enable a professional Skill
xr agents list # inspect the built-in multi-agent workforce
xr agents plan "refactor this repo safely"
xr voice setup # optional local-first voice setup
xr # open the dedicated fullscreen XR shell
xr "hello, XR" # run your first task directly
xr --tui # explicit alias for the fullscreen shell
xr serve # start local dashboard + chat in browser| Most AI agents | XR | |
|---|---|---|
| Provider | locked to vendor | BYOK — any of 20+ providers, or fully local via Ollama, LM Studio, llama.cpp, Jan, LocalAI, vLLM, GPT4All, KoboldCPP, Text Generation WebUI, SGLang |
| Cost | "soft" warnings | hard ceiling enforced in code (checkBeforeStep()) |
| Security | trust us | deterministic injection benchmark, signed block-rate report |
| Audit | scrollback only | SHA-256 hash chain — tamper-evident, offline, free |
| Terminal UI | raw prompts | Claude Code–style TUI — spinner, history, status bar, slash commands |
| Browser UI | cloud dashboard | self-hosted chat + dashboard at localhost:3141 |
| Computer Control | wild west | safe-by-construction — classify → preview → approve → audit |
| Multi-step planner | hidden prompts | typed Action[] schema validated with Zod, every step previewed |
| Plan memory | none | cached deterministic plans — second run skips the LLM |
| Durable memory | silent auto-save, creepy | explicit-by-default — XR only remembers what you ask; live "remember this?" with consent |
| Memory recall | injects everything, opaque | explainable — shows match-% + why; conservative floor, never floods the prompt |
| Memory hygiene | grows forever | TTL/expiry + prune + access tracking — see what's stale, delete permanently |
| Research | answer-first summaries | source-first Research Engine — live discovery, trust/freshness ranking, evidence ledger, claims, contradictions, signed reports |
| Dashboard | cloud-only | 127.0.0.1 only, token-authed, live approvals, Marketplace, no telemetry |
| Voice | silent cloud listener | Stage 8 Voice Stack — disabled by default, push-to-talk default, local Whisper/Piper/Kokoro/system adapters, explicit cloud consent |
| Extensibility | arbitrary packages or hardcoded integrations | XR 2.1 Skills Marketplace + Stage 10 Plugin Platform + Stage 11 MCP Platform — install professional AI capabilities with manifests, permissions, dependencies, SDK, backend registry, updates, rollback, signing hooks, and App Store-style UI |
| Multi-agent orchestration | one big agent with tool spam | Stage 12 Multi-Agent Runtime — supervisor, planner, researcher, builder, reviewer, executor, synthesizer, memory manager, security checker |
| Runtime | procedural script | AI OS Kernel with DI, Lifecycle management, and a persisted multi-agent workflow store |
Stage 5 gives XR a complete, polished UI layer across every user-facing surface. XR now feels like a real product.
xr
# or
xr --tui▀▄▀ █▀█ XR — The AI Agent You Can Actually Trust
█░█ █▀▄ by @rrrtx · local-first · BYOK · spend-capped · secure
Project: my-project Stack: TypeScript, Bun
provider: ollama │ model: qwen2.5:7b │ mode: agent
Type a message to talk to XR. Use /help to see all commands.
Quick: /ask /plan /model /status /dashboard
xr [agent] › _
What the TUI provides:
- ✦ Claude Code–style star-burst spinner while XR thinks (
· ✻ ✽ ✶ ✳ ✢) - ✦ Command history navigation (↑/↓ arrows, 200 entries)
- ✦ Provider / model / mode / budget status bar on every prompt
- ✦ Structured tool-call display with live status icons
- ✦ Ctrl+C interrupt → safe recovery (not immediate exit)
- ✦
xr.md/.xrrc/CLAUDE.mdproject context auto-load - ✦ Graceful non-TTY degradation
All slash commands — grouped by category:
Chat & Tasks /ask /plan /mode /model /budget
Navigation /dashboard /chat
System /status /doctor /cost /index /help /clear /exit
Tools /memory /shell
Security /attacks /verify-log /export
Local AI /skills
xr serve
# Opens: http://localhost:3141/chat?token=<TOKEN>A full ChatGPT-style chat interface running locally in your browser:
- Streaming SSE responses, token-by-token
- XR branding — not a generic template
- Slash command hint chips:
/plan/status/research/ask/memory/budget - Markdown rendering (code blocks, bold, inline code)
- Typing indicator, clear button, keyboard shortcuts
- Graceful error states with recovery tips
xr serve
# Opens: http://localhost:3141/?token=<TOKEN>A mission-control dashboard with 16 navigation panels:
| Panel | What it shows |
|---|---|
| Dashboard | 4 stat cards (spend, security score, audit chain, skills) + provider health + local AI + memory + recent audit |
| Chat | Full streaming chat UI |
| Sessions | Recent chats/tasks, session detail, step timeline, research runs |
| Status | Complete system health grid |
| Budget | Spend controls, recent cost events, by-model and by-provider usage, soft-cap settings |
| Workspaces | Create and switch isolated XR workspaces |
| Providers | All 12+ providers with status, tier, key configuration, plus provider manager controls |
| Models | Local runtime status, installed models |
| Memory | Health cards (total/expired/never-recalled), live search, all entries with inline delete, expiry badges |
| Research | Research mode quick reference |
| Plugins | Installed plugins, permissions, enabled state, trust, health, catalog search, enable/disable/remove actions |
| Marketplace | XR 2.1 Skills Marketplace — search, categories, collections, installed/verified/update filters, Skill cards, inspector, permissions, dependencies, install/enable/disable actions |
| Voice | Voice control quick reference |
| Security | Injection lab (run-on-demand), egress list, security posture |
| Audit Log | Full SHA-256 chain with integrity badge |
| Settings | Privacy, budget, approval gates, CLI reference |
Dashboard UX features:
- Command palette: press
?or⌘K - Keyboard shortcuts:
g d= Dashboard,g c= Chat,g s= Security,g a= Audit - Live 30-second auto-refresh
- Toast notifications for all async actions
- Zero external dependencies — works fully offline
All terminal styling now routes through a single design-token layer:
src/ui/
theme.ts Brand palette, ANSI codes, CSS variables, spinner frames
spinner.ts Spinner, ProgressBar, StepTracker
layout.ts banner(), kv(), table(), box(), helpPanel(), notify()
index.ts Public re-export
XR brand identity:
- Primary:
#00D4FFcyan - Success / local:
#00FF88green - Warning / cloud:
#F59E0Bamber - Background:
#0A0A0F - Logo:
▀▄▀ █▀█ / █░█ █▀▄(block-char ASCII art spelling XR)
Stage 6 makes XR stateful, personal, and durable — without becoming creepy, noisy, or unsafe. XR now remembers your preferences, projects, workflows, and long-lived context in a way that is transparent and controllable.
- Explicit by default — XR only remembers what you ask it to. No silent auto-save.
- Local-first — all memory lives in
~/.xr/xr.db. Nothing leaves your machine. - Explainable — recall shows the match percentage and why each entry surfaced.
- Reversible — everything is editable, deletable, exportable, and importable.
- Non-creepy — conservative retrieval; session summaries are off by default.
- Private — audit log stores content length only, never raw content; secrets redacted.
- Kill-switch —
XR_MEMORY_DISABLED=1turns memory off completely.
# Inspect
xr memory # status + counts by category
xr memory list [--scope s] [--category c] [--json]
xr memory search "typescript" # keyword search
xr memory recall "what runtime" # EXACTLY what XR would surface + WHY (match %)
xr memory health # expired, never-recalled, by category
xr memory reindex # warm the semantic-recall cache
# Write (explicit, consent-gated)
xr memory add "I prefer TypeScript" --category preference
xr memory add "temp note" --ttl 3600 # expires after 1 hour
xr memory add "tmp" --ttl-days 7 # expires after 7 days
xr memory edit mem_ab12 "new text"
xr memory remove mem_ab12 # permanent
xr memory clear [--scope s] # permanent
# Maintain
xr memory prune # permanently delete expired entries
xr memory summarize [--days 30] # fold old, low-importance entries into compact summaries
# Portability
xr memory export [path] # JSON bundle
xr memory import <path> # merge (dedupes; drops stale entries)In the TUI, chat, and voice, XR intercepts memory intents naturally:
you: remember I prefer dark mode for everything
xr: ✓ remembered: I prefer dark mode for everything (preference)
you: what do you remember about my preferences?
xr: here's what I remember (1):
• I prefer dark mode for everything
you: don't remember my email address
xr: ✓ got it — I won't remember that. # no prompt needed (reduces stored data)
you: forget the note about vim
xr: ✓ forgotten 1 entry.
- Durable adds ask for consent first (
autoSuggest). - "Don't remember" and "forget" never prompt — reducing stored data is always honoured.
- "What do you remember" is read-only recall.
| Category | Use for | Surfaced in recall? |
|---|---|---|
preference |
coding style, provider, tools | ✅ |
project |
long-running project context | ✅ |
workflow |
repeated procedures | ✅ |
fact |
stable long-term facts | ✅ |
exclusion |
do-not-remember rules | ❌ (never surfaced) |
Scopes separate personal memory (global) from project memory (per-directory), so your TypeScript preferences don't leak into a Python project.
- Per-entry TTL —
--ttl/--ttl-daysmake an entry auto-expire. - Expired = forgotten — expired entries are excluded from recall and list (visible only with
--include-expired/xr memory listflag in code). xr memory prune— permanently deletes expired entries.- Access tracking — every entry records
lastAccessedAt+accessCount, soxr memory healthcan show you what's never been used. - Import safety — importing an already-expired entry drops it (no silent resurrection of stale memory).
Recall is never a black box. Every surfaced entry comes with a score and a reason:
🧠 Recall "what typescript runtime" (1)
mem_177cce4b 27% preference I prefer TypeScript and Bun for backend work
why: lexical match 27% · scope=global
Retrieval uses semantic embeddings (Ollama nomic-embed-text) when available, with an automatic lexical fallback so it always works — even fully offline.
Conversations can fold into compact session summaries, kept in a separate store so the agent never confuses ephemeral chat recaps with durable facts. Off by default (memory.saveSessionSummaries).
The dashboard Memory panel now includes health cards (total / expired / never-recalled), a live search box, expiry badges, and inline delete. xr doctor includes a memory-health row.
Stage 7 turns XR from a chat wrapper into a source-first research system. XR gathers sources before forming conclusions, tracks where every claim came from, marks uncertainty, detects contradictions, and exports signed research artifacts.
- Source-first, not answer-first — sources are discovered, ranked, fetched, and checked before synthesis.
- No fabricated citations — reports only cite collected source IDs like
[s1]; unknown source IDs are stripped. - Evidence ledger — every evidence block tracks source, quote, claim kind, confidence, strength, verification state, and extraction time.
- Claim ledger — supported, weak, unverified, and contested claims are tracked separately from prose.
- Contradiction log — disagreements are surfaced instead of hidden.
- Freshness-aware — sources track
Last-Modifiedor apparent dates, freshness labels, last verification, and refresh history. - Safe live web — default egress allow-list remains fail-closed; broad public fetch requires explicit
--allow-public-web. - Auditable exports — Markdown reports are signed with a SHA-256 footer and paired with a JSON sidecar.
# Run research
xr research "topic" # quick research
xr research quick "topic" # fast source-first pass
xr research deep "topic" # deeper source discovery + synthesis
xr research compare "A vs B" # comparison workflow + matrix
xr research factcheck "claim" # verify a claim against sources
xr research briefing "topic" # briefing-style deep report
# Inspect the workflow
xr research plan "topic" # collaborative research plan
xr research status [id] # session status
xr research sources [id] # source list + trust/freshness
xr research evidence [id] # evidence ledger + quotes
xr research claims [id] # claim ledger
xr research contradictions [id] # contradiction log
xr research list # recent research sessions
# Maintain and export
xr research summarize [id] # regenerate synthesis from evidence
xr research refresh [id] # re-check sources and refresh changed evidence
xr research export [id] [path] # signed Markdown + JSON sidecar
xr research remember [id] # explicitly save finding to durable memoryBy default, XR can search through the configured SearXNG host and fetch only allow-listed domains. To fetch public web pages returned by search, opt in explicitly:
xr research deep "Gemini Deep Research MCP support" --allow-public-web
xr research deep "topic" --allow-public-web --live-sources-only--allow-public-web still blocks localhost, private IP ranges, link-local addresses, unsafe redirects, non-HTTP(S) URLs, and oversized responses.
Every ResearchSession stores:
id,topic,query,mode,status,createdAt,updatedAtplanwith research questions, search queries, strategy, source requirements- ranked
sourceswith trust, relevance, quality, type, freshness, last verification evidence/noteswith quotes, claim kind, confidence, strength, verified flagclaims,contradictions,summary,finalReportreportVersions,refreshHistory, optionalcomparisontags,projectId,lastRefreshedAt,exportPath
xr doctor
xr doctor --jsonDoctor now includes Research Engine health: total sessions, latest session state, and next inspection commands.
Stage 8 gives XR a privacy-respecting voice interface: talk to XR naturally, hear XR respond, interrupt it, and safely trigger XR actions by voice. It is designed as a first-class subsystem, not a toy chatbot mode.
- Disabled by default — XR never silently turns on your microphone.
- Push-to-talk by default — wake-word and always-listen modes are opt-in.
- Local-first — prefers local Whisper / whisper.cpp STT and Piper / Kokoro / system TTS.
- Explicit cloud consent — Groq/OpenAI STT only run when cloud audio is explicitly allowed.
- Safe computer control — voice actions still pass through XR's risk classifier, preview, approval, and audit layers.
- Interruption-aware —
stop,cancel,repeat,say again,mute voice, and barge-in are handled directly. - Private transcripts — voice history is not persisted unless you choose
local-privatetranscript policy. - Text fallback — missing microphones, speakers, STT, or TTS degrade safely back to text mode.
xr voice status # privacy, mode, STT/TTS, device health
xr voice setup # guided optional setup
xr voice devices # list microphones and speakers
xr voice test # record → VAD → STT → TTS loopback
xr voice start # push-to-talk voice loop
xr voice start --wake-word # opt-in wake-word transcript gating
xr voice start --always-listen # explicit confirmation required
xr voice stop # disable voice and always-listen
xr voice config --stt whisper-cli --tts piper
xr speak "hello from XR" # speak text once
xr listen # listen once and print transcript| Layer | Backends |
|---|---|
| Microphone | ffmpeg, arecord, rec |
| Speaker | ffplay, afplay, aplay, paplay, play, PowerShell |
| STT | auto, local HTTP, whisper-cli, whispercpp, explicit groq / openai, disabled |
| TTS | auto, local HTTP, piper, kokoro-cli, system, say, espeak, PowerShell, disabled |
| VAD | local energy VAD now; Silero/openWakeWord-compatible extension points |
| Wake | transcript-side wake phrase now; external openWakeWord-compatible extension point |
// ~/.xr/config.json
{
"voice": {
"enabled": false,
"mode": "push-to-talk",
"inputDevice": "default",
"outputDevice": "default",
"sttBackend": "auto",
"sttModel": "base.en",
"ttsBackend": "auto",
"ttsVoice": "default",
"wakeWord": "hey xr",
"pushToTalkKey": "enter",
"alwaysListen": false,
"interruptionPolicy": "barge-in",
"confirmationPolicy": "always-risky",
"transcriptPolicy": "session",
"fallbackTextMode": true,
"allowCloudStt": false,
"allowCloudTts": false
}
}Voice can route to:
open app,open website,type text,click,scroll,press,focus window- research requests: “research local-first voice assistants”
- memory: “remember I prefer short answers” / “what do you remember about TypeScript?”
- provider/model switching: “switch provider to ollama”, “switch model to qwen2.5:7b”
- budget questions: “what is my budget?”
- normal XR agent tasks
High-risk actions still require confirmation. Unknown or unsafe states fail closed.
xr doctor
xr doctor --jsonDoctor includes Voice Stack health: capture tools, playback tools, device count, STT/TTS adapter status, mode, and privacy posture.
XR has evolved into a True AI Operating System. The v1.0 kernel introduces:
- Service Container (DI) — lightweight dependency injection managing Agent, Budget, Provider, Plugins with a strictly controlled lifecycle
- Lifecycle Management — formal
Bootstrap → Start → Stopsequence - Specialized Store Architecture — Session, Audit, Memory, Cost, Skill stores decomposed from the monolithic DB
- Command Registry — decoupled CLI commands; adding capabilities requires no core router changes
- Event-Driven Core — internal Event Bus for decoupled async service communication
xr control start # opt-in (off by default)
xr control plan "open github.com and search for ahmadrrrtx" --yesFour execution layers, all enforced in code:
- Action schema — every action is a typed, Zod-validated
Actionvariant - Risk classifier — pure function returns
safe | sensitive | destructive - Approval gate — safe runs immediately; sensitive prompts; destructive always prompts
- Hash-chained audit — every plan, exec, denial, memory hit is tamper-evident
Approvals work from both the CLI prompt and the dashboard "Approve / Deny" buttons.
xr control plan "fill the contact form on example.com" # dry-run
xr control plan "fill the contact form on example.com" --step # confirm each
xr control plan "fill the contact form on example.com" --yes # auto-approve sensitivexr control browser status # check Playwright availability
xr control browser install # one-shot: install + chromium (~150 MB)xr control plan "open github notifications" --yes # first run: LLM plans (~$0.002)
xr control plan "open github notifications" --yes # next run: ⚡ recalled, $0.00
xr control memory listxr memory add "I prefer TypeScript and Bun" --category preference
xr memory add "this project is called XR" --category project --scope xr
xr memory list # see everything XR remembers
xr memory recall "what do I prefer?" # shows match % + WHY
xr memory search "bun"
xr memory health # expired, never-recalled, by category
xr memory prune # delete expired entries permanently
xr memory edit mem_ab12 "prefer Bun + Zod"
xr memory remove mem_ab12
xr memory clear # forget everything (asks first)
xr memory export memories.json
xr memory import memories.jsonXR remembers only what you explicitly tell it to. Everything is local-first, inspectable, editable, and permanently deletable. See Stage 6 — The Memory Engine for the full feature set: live capture, explainable recall, TTL/expiry, session summaries, and memory health.
xr models # local AI status
xr models runtimes # detect Ollama, LM Studio, Jan, llama.cpp, vLLM...
xr models recommend [use-case] # hardware-aware recommendation
xr models install [model] # safe Ollama setup/pull with approval
xr models set <runtime> <model>
xr models test [model] # local inference smoke testSupported local runtimes: Ollama (auto-install) · LM Studio · llama.cpp · Jan · LocalAI · vLLM · GPT4All · KoboldCPP · Text Generation WebUI · SGLang · any OpenAI-compatible endpoint.
xr research "compare Rust vs Go for embedded development"
xr research deep "best self-hosted alternatives to Cloudflare Tunnel" --allow-public-web
xr research compare "OpenAI Deep Research vs Gemini Deep Research"
xr research factcheck "Gemini Deep Research supports MCP servers"
xr research evidence # inspect evidence ledger
xr research claims # inspect claim ledger
xr research contradictions
xr research refresh # re-check source freshness
xr research export # signed Markdown + JSON sidecarSee Stage 7 — The Research Engine for the full workflow: live source discovery, trust/freshness ranking, evidence extraction, contradiction detection, comparison matrices, refresh history, and signed reports.
xr plugins search # catalog metadata search
xr plugins inspect ./plugins/github # manifest + permissions, no code execution
xr plugins install ./plugins/github # shows permissions, asks to approve
xr plugins enable github # explicit activation
xr plugin github repo ahmadrrtx/xr # run a plugin command
xr plugins permissions github # requested vs granted permissions
xr plugins doctor # health/trust checkPlugins are opt-in, permissioned, inspectable, and disableable. XR records entrypoint + whole-tree hashes at install, rejects tampered plugins as untrusted, blocks common ambient-authority imports (node:fs, child_process, raw fetch, process.env, dynamic eval), and forces approval for tools from plugins with sensitive grants. Plugins can ship tools, commands, skills, MCP-backed tools, UI metadata, provider adapters, workflow packs, research packs, voice packs, security packs, business packs, and developer packs without editing XR core.
Full spec: docs/PLUGINS.md
xr --computer "open Safari and search for AI agents"Vision-driven: screenshot → LLM reasons → action loop. For open-ended tasks where the planner doesn't know steps in advance.
xr --budget 0.10 "write me a full React app"The agent literally cannot exceed your budget. checkBeforeStep() runs before every model call and blocks if the next step would breach the ceiling.
xr test --attacks --json # signed, publishable block-rate reportxr verify-log # → "✓ Audit chain intact (N entries)"SHA-256 hash chain on every action — git's trick, $0, offline. Any tampering detected instantly.
XR supports 20+ providers. Swap anytime — no restart, no re-config.
| Provider | Type | Notes |
|---|---|---|
| Ollama | Local | Auto-detect, model pull, free |
| Claude (Anthropic) | Cloud | claude-opus-4, claude-sonnet-4 |
| OpenAI | Cloud | gpt-4o, o3 |
| Gemini (Google) | Cloud | gemini-2.5-pro |
| Groq | Cloud | llama-3.3-70b, ultra-fast |
| DeepSeek | Cloud | deepseek-r2, reasoning |
| Together AI | Cloud | Open models, batch |
| Mistral | Cloud | mistral-large-2 |
| Cohere | Cloud | command-r-plus |
| Cerebras | Cloud | llama-3.3-70b, fast |
| OpenRouter | Cloud | 100+ models, unified |
| AWS Bedrock | Cloud | Enterprise |
| + any OpenAI-compatible endpoint | Local/Cloud | Custom base URL |
xr providers list # all providers + status
xr providers set openai
xr providers add claude # enter API key (masked, stored in OS keychain)
xr providers test # test all configured providers liveEvery security feature is code-enforced, not a suggestion:
| Feature | How |
|---|---|
| Hard budget ceiling | checkBeforeStep() blocks — no exceptions |
| Tamper-evident audit | SHA-256 hash chain, offline, xr verify-log |
| Plugin trust | Explicit permissions, tree hashes, static scan, health checks, disable/remove |
| Injection defense | 10-attack benchmark, signed block-rate report |
| Egress allow-list | Only configured domains receive data |
| Approval gates | write_file, delete, shell, send need consent |
| API key redaction | Keys never appear in audit log |
| Local-first | Nothing leaves your machine by default |
| Dashboard security | 127.0.0.1 only, bearer token, X-Frame-Options: DENY |
xr install --mode minimal # core only
xr install --mode local # local/free, no API key required
xr install --mode byok # cloud keys you own
xr install --mode hybrid # cloud primary + local fallback
xr install --mode full # all optional packsxr/
├── src/
│ ├── ui/ # Stage 5: design system
│ │ ├── theme.ts # brand palette, ANSI codes, CSS vars
│ │ ├── spinner.ts # Spinner, ProgressBar, StepTracker
│ │ ├── layout.ts # terminal layout primitives
│ │ └── index.ts
│ ├── interfaces/ # all user-facing surfaces
│ │ ├── tui.ts # interactive terminal UI (Claude Code–style)
│ │ ├── cli.ts # CLI output helpers
│ │ ├── onboard.ts # setup wizard
│ │ ├── providers.ts # provider management UI
│ │ └── models.ts # local AI model UI
│ ├── commands/ # CLI command handlers
│ │ ├── memory.ts # xr memory — the Memory Engine (Stage 6)
│ │ ├── help.ts # xr help [topic]
│ │ ├── budget.ts
│ │ ├── config.ts
│ │ ├── doctor.ts # includes memory + research + voice + plugin health
│ │ ├── plugins.ts # xr plugins / xr plugin command adapters
│ │ └── ...
│ ├── daemon/ # local server
│ │ ├── server.ts # xr serve — dashboard + chat + API
│ │ ├── plugin-api.ts # plugin management API
│ │ └── dashboard.ts # full SPA: 12 panels, chat, command palette
│ ├── core/ # agent runtime
│ ├── providers/ # 20+ provider adapters
│ ├── memory/ # durable memory + RAG
│ ├── security/ # injection lab, audit, egress
│ ├── control/ # computer control, planner
│ ├── local/ # local AI runtime manager
│ ├── plugins/ # Stage 10 plugin platform: manifests, registry, host, loader, lifecycle
│ ├── research/ # Stage 7 Research Engine
│ ├── voice/ # Stage 8 Voice Stack
│ ├── cost/ # budget governor
│ └── config/ # configuration
├── bin/ # CLI entry point
├── plugins/ # built-in plugins
├── skills/ # learned skills
├── docs/ # PLUGINS.md, etc.
├── website/ # Next.js marketing site
└── test/ # test suite
# One-shot tasks
xr "write a README for this project"
xr "explain this codebase" --mode ask
xr "refactor auth module" --budget 0.25
xr "build a REST API" --mode plan # plan only
# Interactive TUI
xr # full terminal workspace
xr --tui # explicit alias for the fullscreen shell
# Browser interfaces
xr serve # dashboard + chat at localhost:3141
# Local AI
xr models # status
xr models recommend # hardware-aware recommendation
xr models install # install recommended model
# Providers
xr providers list
xr providers set ollama
xr providers add claude
# Memory
xr memory add "I prefer TypeScript" --category preference
xr memory add "temp" --ttl 3600 # expires after 1h
xr memory list
xr memory recall "what do I prefer?" # match % + why
xr memory health
xr memory prune # delete expired
xr memory clear
# Research
xr research "topic"
xr research deep "topic" --allow-public-web
xr research compare "A vs B"
xr research factcheck "claim"
xr research evidence
xr research refresh
xr research export
# Plugins (Stage 10)
xr plugins search
xr plugins inspect ./plugins/hello
xr plugins install ./plugins/hello --yes
xr plugins enable hello
xr plugin hello greet Ahmad
xr plugins doctor
# Voice (Stage 8, opt-in)
xr voice status
xr voice setup
xr voice devices
xr voice test
xr voice start # push-to-talk
xr voice start --wake-word # opt-in wake phrase
xr speak "hello"
xr listen
# Computer control (opt-in)
xr control start
xr control plan "open browser and go to github.com"
# Security
xr verify-log
xr attacks
# Help
xr help # full command reference
xr help tui # TUI guide
xr help security # security guide
xr help providers # providers guide
xr help memory # memory engine guide| Platform | Status |
|---|---|
| Linux (Ubuntu, Debian, Fedora, Arch) | ✅ Full support |
| macOS (Apple Silicon + Intel) | ✅ Full support |
| Windows (PowerShell, WSL) | ✅ Full support |
| Android (Termux) | ✅ Full support |
Runtime: Bun (required) — install with curl -fsSL https://bun.sh/install | bash
| Stage | Name | Status |
|---|---|---|
| Stage 1 | Core Agent | ✅ Done |
| Stage 2 | Security + Audit | ✅ Done |
| Stage 3 | Research + Plugins | ✅ Done |
| Stage 4 | Local AI Runtime | ✅ Done |
| Stage 5 | User Interfaces | ✅ Done |
| Stage 6 | Memory Engine | ✅ Done |
| Stage 7 | Research Engine | ✅ Done |
| Stage 8 | Voice Stack | ✅ Done |
| Stage 9 | Computer Control Engine | ✅ Done |
| Stage 10 | Plugin Platform | ✅ Done |
| Stage 11 | MCP Platform | ✅ Done |
| Stage 12 | Multi-Agent + Advanced Orchestration | ✅ Done |
| Stage 13 | Advanced Runtime / Visual Orchestration / Background Workers | ✅ Done |
| Stage 14 | XR Shield — Security & Privacy Layer | ✅ Done |
Stage 12 turns XR from a powerful single-agent shell into a professional multi-agent operating layer.
XR now supports a supervisor / worker runtime with:
- Supervisor / Coordinator
- Planner
- Researcher
- Builder / Developer
- Reviewer
- Executor
- Synthesizer
- Memory Manager
- Router / Model Selector
- Security Checker
- Agent registry with explicit roles, capabilities, permissions, memory scopes, and tool scopes
- Persisted workflow graphs (
agent_workflows+agent_tasks) for inspectability, resume, and auditability - Task decomposition with dependency tracking, parallel branches, handoffs, and review checkpoints
- Role-scoped execution so reviewer agents stay read-only while builder/executor agents get narrow side-effect lanes
- Memory boundaries via a dedicated memory-manager brief instead of broad memory injection into every worker
- Security and critique gates that can block downstream execution with
CHANGES_REQUESTEDorREJECTED - Live CLI progress for
xr agents run, so you can see which agent is active and what it is doing
xr agents list
xr agents status
xr agents status <workflowId>
xr agents inspect <agentId|workflowId>
xr agents plan "implement this safely"
xr agents run "implement this safely" --dry-run
xr agents delegate <workflowId> <agentId> "investigate X"
xr agents review <workflowId>
xr agents synthesize <workflowId>
xr agents stop <workflowId>
xr agents resume <workflowId>- Not one giant agent
- Supervisor owns the flow
- Workers stay narrow
- Review is separate from generation
- Synthesis is separate from execution
- Memory and tools are scoped per role
- High-risk execution must pass through security/review gates
- Everything important is persisted and inspectable
src/agents/registry.ts— built-in agent workforcesrc/agents/planner.ts— deterministic workflow/task graph compilersrc/services/multi-agent-service.ts— supervisor runtimesrc/state/stores/workflow-store.ts— persisted workflow/task storagesrc/commands/agents.ts— CLI surface
Stage 9 turns XR from a chat assistant into a safe, vision-capable AI operator. XR can now operate your computer exactly like a human assistant, with full transparency and permission gates.
- Safe-by-construction — all actions are Zod-validated against a strict schema.
- Human-in-the-loop — risk classifier checks every step. Sensitive actions prompt; destructive actions always prompt.
- Vision-assisted — XR uses screenshots and Vision LLMs to navigate modern UIs, not just shell commands.
- Transparent — every click, keystroke, and scroll is logged to the tamper-evident audit chain.
- Kill-switch —
xr control stopdisables the engine immediately.
# Setup & Status
xr control status # check tools (keyboard, mouse, browser)
xr control start # enable control engine
xr control stop # disable control engine
xr control browser install # setup Playwright + Chromium
# Automation
xr control plan "task" # plan and execute multi-step workflow
xr control computer "task" # vision-driven agentic loop (screenshot -> act)
xr control test # run a safety/capability self-test
# Primitive Actions
xr control app "VS Code" # launch application
xr control open "https://..." # open URL or file
xr control click 640,480 # click coordinates
xr control type "hello" # type text
xr control key "cmd+tab" # press keys
xr control scroll down 5 # scrollThe xr control computer command starts a JARVIS-level loop:
- Observe: Captures a high-res screenshot.
- Reason: A Vision LLM (like Claude 3.5 Sonnet) analyzes the UI state.
- Act: XR sends a mouse/keyboard action.
- Repeat: Loop continues until the task is marked
DONE.
| Platform | Keyboard | Mouse | Apps | Browser |
|---|---|---|---|---|
| macOS | osascript |
cliclick |
open |
Playwright |
| Linux | xdotool |
xdotool |
xdg-open |
Playwright |
| Windows | PowerShell | .NET Native | Start-Process |
Playwright |
Stage 11 turns XR into a true standardized integration platform using the Model Context Protocol (MCP 2025-06-18).
MCP servers expose tools, resources, and prompts in a uniform way. XR can now safely consume any compliant MCP server (GitHub, databases, browsers, filesystems, workflows, etc.) without bespoke glue code.
- Opt-in only — servers are never auto-discovered or enabled
- Inspect before activate —
xr mcp inspectshows capabilities + declared permissions - Explicit permissions — 15 permission scopes (fs:read, fs:write, net, secrets, control, shell, etc.)
- Always approval-gated — every MCP tool/resource call requires explicit user approval
- Audit + budget inheritance — all calls go through XR's existing safety rails
- Clean lifecycle — enable / disable / remove actually stops access
- Fail closed — broken servers are isolated and never crash XR
xr mcp list
xr mcp add github stdio npx @modelcontextprotocol/server-github
xr mcp add postgres http http://127.0.0.1:8765/mcp
xr mcp inspect github
xr mcp enable github
xr mcp disable github
xr mcp tools github
xr mcp resources github
xr mcp prompts github
xr mcp health
xr mcp permissions github
xr mcp remove github
xr mcp doctorMCP tools/resources/prompts automatically appear in the agent as namespaced tools:
mcp.github.create_issuemcp.postgres.query- etc.
All are wrapped with requiresApproval: true, full audit, and budget checks.
stdio(local processes)http/sse/streamable-http(remote)
- Never stores raw API keys (only
apiKeyEnv) - All calls go through XR approval + egress + audit
- Remote servers are treated as higher trust risk
- Disable/remove actually stops execution
xr doctor
# includes: MCP platform (X installed, Y enabled, Z healthy)MCP servers will appear in future dashboard updates (core is complete).
See xr mcp --help for the full surface.
Stage 10 makes XR extensible without making core a monolith. Plugins are capability bundles that can add tools, skills, integrations, MCP connectors, workflow packs, research packs, voice packs, security packs, business packs, developer packs, and UI metadata through a strict manifest and explicit permission model.
- Opt-in install and opt-in enable — XR never silently installs or activates plugins.
- Manifest-first —
xr plugins inspectshows identity, version, permissions, capabilities, source, trust, skills, and MCP declarations without executing code. - Explicit permissions — a plugin receives only permissions it declares and the user grants.
- No ambient authority by default — plugin scanning blocks direct
node:fs,child_process, rawfetch,process.env, Bun host APIs, eval/dynamic Function, and symlinks. - Tamper detection — XR records entrypoint and full plugin-tree SHA-256 hashes at install; changed code fails closed as
untrusted. - Budget/security inheritance — plugin provider calls, network calls, memory, secrets, MCP tools, and computer-control paths still pass through XR gates.
- Recoverable lifecycle — disable/remove actually stops loaded contributions and deletes installed files.
xr plugins list # installed state + health
xr plugins search [query] # catalog metadata search
xr plugins inspect <id|path> # manifest + permissions; no code runs
xr plugins install <path|catalog-id> # review and approve permissions
xr plugins enable <id>
xr plugins disable <id>
xr plugins update <id> [path] # blocks new permissions until reinstall approval
xr plugins remove <id>
xr plugins permissions <id> # requested/granted permissions
xr plugins skills # skills contributed by enabled plugins
xr plugins doctor # health/trust check
xr plugin <id> <command> [args...] # run plugin CLI commandxr-plugin.json supports:
id,name,version,author,description,type,entrypointpermissions,capabilities,dependencies,compatibility,apiVersionsource,sourceUrl,updateSource,trustLevel,trust.signature,trust.sha256,trust.treeSha256uiHooks,commandHooks,toolHooks,mcpServers,skillPaths- plugin types:
tool,skill,integration,provider,memory,research,automation,ui,mcp,voice,security,business,developer,workflow
The local dashboard Plugins panel now shows installed plugins, version, type, enabled state, health, trust level, requested/granted permissions, capabilities, catalog search, and enable/disable/remove actions.
See docs/PLUGINS.md for the full authoring and security contract.
Stage 14 integrates XR Shield — an AI-powered Endpoint Detection, Response, Privacy Protection, and System Integrity layer directly into XR.
XR Shield is NOT a replacement for commercial antivirus software. It is an agentic, local-first security layer that helps users understand, detect, and respond to potential vulnerabilities, malware indicators, and privacy exposures, keeping with XR's principles of absolute transparency and fail-closed safety.
- Threat Detection Engine: Scans active processes, autoruns, crontabs, and scheduled tasks for signatures matching known miners, backdoors, Trojan spoof files, and dangerous LOLBins (dual-use system binaries).
- Malware Assistant Agents: Integrates specialized AI agents (Process Inspector, Startup Inspector, Crypto Miner Detection Agent, Download Inspector, and Forensics Assistant) to contextualize and explain anomalies in natural language with structured confidence scores.
- Crypto Miner Detection: Identifies sustained, unauthorized background miner indicators through CPU/GPU utilization audits and known block-mining pool connections (e.g., nanopool, supportxmr).
- Privacy Controls Gating: Runs diagnostics on browser mic/camera permissions, OS and VS Code telemetry trackers, and active clipboard dumps to warn if secrets or passwords sit in unsafe caches.
- Ad & Tracker Protection: Uses a permission-gated hosts-file sinkholing tool to map over 50,000 corporate diagnostic tracking endpoints to
0.0.0.0(fully local DNS filter lists). - Chronological Audit Ledger: Writes all scans, isolations, restores, whitelists, and toggles into XR's cryptographically linked, tamper-evident SHA-256 SQLite hash chain.
# General Status & Self-Diagnostics
xr shield status # show protection modules, score, and outstanding threats
xr shield doctor # run integrity diagnostics on files, state, and logs
# System Scans
xr shield quick-scan # fast heuristics scan of processes and autorun registries
xr shield full-scan # deep scan including downloads, extensions, and tasks
xr shield processes # list running processes highlighting signature verification
xr shield startup # audit persistence (registry run keys, launchd plists, desktop autostarts)
xr shield downloads # check Downloads folder for double extensions (.pdf.exe) and Trojan spoof names
xr shield browser # check extensions safety profiles, secure cookies, and permissions
# Quarantine & Remediations
xr shield explain <threat-id> # get agentic risk analysis, details, and remedy recommendations
xr shield quarantine-review # interactively review, permanently delete, or restore isolated items
xr shield adblock [on|off] # enable/disable DNS hosts tracker blocking (requires root/elevation)
xr shield logs # view chronological security operations chain from databaseThe Security (XR Shield) control cockpit is completely integrated into the web dashboard, providing a highly visual interface for:
- Privacy Score Card: Shows a dynamic 0..100 security rating based on system checklist validations.
- Threat Timeline & Feeds: Shows chronological heuristics feeds with deep explanation modals.
- System Processes Explorer: Search and filter running processes with live CPU/Memory stats and signature certifications.
- Auto-Hardening Settings: One-click remediation buttons to safely quarantine scripts, terminate risky processes, and activate tracker blocking.
Status: XR 15 is implemented on main and ready for use.
XR 15 transforms XR from an AI agent into an AI Business Operating System. It unifies CRM, Sales, Marketing, Support, Projects, Knowledge, Finance, HR, Analytics, Automation, Scheduling, Communication, Documents, Meetings, and AI Workers — all behind one intelligent AI platform.
| Phase | Status | What shipped |
|---|---|---|
| XR 15A — Business Core | ✅ Done | Organization management, workspace isolation, RBAC (6 roles), unified contact model, sales pipeline engine, business event bus, SHA-256 audit trail with hash chain verification, encrypted credential vault (AES-256-GCM) |
| XR 15B — Business Modules | ✅ Done | 15 production modules: CRM, Sales, Marketing, Support, Projects, Knowledge, Finance, HR, Analytics, Automation, Scheduling, Communication, Documents, Meetings, AI Workers — each with full CRUD, pagination, filtering, search, and statistics |
| XR 15C — AI Business Team | ✅ Done | 11 specialized AI Workers: CEO Advisor, Sales Director, Marketing Director, Financial Analyst, HR Manager, Project Manager, Support Manager, Operations Manager, Legal Assistant, Research Analyst, Growth Strategist — each with system prompts, capability matrices, permission sets, and live business context |
| XR 15D — Integration Layer | ✅ Done | 30+ optional BYOK integrations: Gmail, Outlook, Slack, Discord, Teams, Telegram, WhatsApp, Google Calendar, Cal.com, GitHub, GitLab, Jira, Linear, Google Drive, OneDrive, Dropbox, Nextcloud, HubSpot, Salesforce, ERPNext, Twenty, Stripe, PayPal, Plausible, PostHog, Shopify, WooCommerce, n8n, Activepieces, Coolify, Docker — OAuth2 flow manager, credential vault |
| XR 15E — Automation Engine | ✅ Done | Workflow engine with event/schedule/webhook/manual triggers, conditional steps, retry logic, error handling (stop/skip/retry). 12 pre-built templates: Lead Qualification, Sales Follow-up, Meeting Preparation, Proposal Generation, Invoice Generation, Customer Onboarding, Weekly Reports, Competitor Monitoring, Market Research, Content Calendar, Email Campaign, Support Ticket Routing |
| XR 15F — Security & CLI | ✅ Done | 7 security policies (least privilege, workspace isolation, export approval, integration consent, credential protection, automation budget, worker permission approval). Full CLI: xr biz with 40+ subcommands. Migration guide, architecture docs, test suite |
src/business/ # Business OS core
├── core/ # 10 files: types, schema, database, org, rbac, contacts, pipeline, bus, audit, index
├── modules/ # 15 modules, each with full implementation
│ ├── crm/ # Contact management, companies, notes, activity feed
│ ├── sales/ # Pipeline, deals, stages, forecasting
│ ├── marketing/ # Campaigns, content calendar, lead scoring
│ ├── support/ # Tickets, SLA, messages, routing
│ ├── projects/ # Projects, tasks, milestones, time tracking
│ ├── knowledge/ # Wiki, SOPs, articles, search
│ ├── finance/ # Invoices, expenses, P&L, tax
│ ├── hr/ # Employees, time-off, directory
│ ├── analytics/ # Dashboards, widgets, reports, KPIs
│ ├── automation/ # Workflow engine with triggers and conditions
│ ├── scheduling/ # Calendar, events, availability
│ ├── communication/ # Email, chat, notifications, templates
│ ├── documents/ # Create, edit, version, templates
│ ├── meetings/ # Schedule, attendees, notes, transcript
│ └── ai-workers/ # 11 AI business roles with full XR integration
├── index.ts # Unified BusinessOS API
└── cli.ts # 40+ CLI commands
src/integrations/ # Integration layer
├── registry.ts # 30+ connector definitions
├── oauth.ts # OAuth2 flow manager
└── credentials.ts # AES-256-GCM encrypted credential vault
src/security/
└── policies.ts # 7 security policies for business operations
src/schemas/
└── business-os.skill.json # XR Skill definition
src/templates/workflows/ # 12 automation templates
├── lead-qualification.json
├── sales-followup.json
├── meeting-prep.json
├── invoice-generation.json
├── customer-onboarding.json
├── weekly-reports.json
├── competitor-monitoring.json
├── market-research.json
├── content-calendar.json
├── email-campaign.json
└── support-routing.json
src/tests/
└── business.test.ts # Full test suite
docs/
├── XR-15-BUSINESS-OS-ARCHITECTURE.md
└── MIGRATION-GUIDE.md
| Existing XR System | Business OS Integration |
|---|---|
| Provider Engine | AI Workers use it for LLM calls. No new providers. |
| Memory Engine | Business entities stored with business schema. |
| Research Engine | AI Workers use for market analysis, competitor monitoring. |
| Voice Stack | Meeting transcription via STT. Voice-enabled workers. |
| Computer Control | Workers generate reports, take screenshots. |
| Plugin Platform | Gmail, Slack, Discord connectors are Plugins. |
| MCP Platform | HubSpot, Salesforce, ERPNext via MCP. |
| Skill Runtime | Each module registers as an XR Skill (15 skills). |
| Dashboard | Business UI served through daemon. |
| CLI | xr biz commands via command registry. |
| Multi-Agent Runtime | AI Workers are XR Agents (11 agents). |
| XR Shield | All operations pass through policy engine. |
Nothing is duplicated. Everything delegates to existing XR engines.
# Initialize Business OS
xr biz init
# Enable modules
xr biz enable all
# Deploy AI Workers
xr biz workers deploy --all
# Connect integrations (optional, BYOK)
xr biz connect gmail
xr biz connect slack
xr biz connect stripe
# Use it
xr biz contacts add --name "John Doe" --email john@example.com
xr biz deals add --title "Big Deal" --value 50000
xr biz tickets add --subject "Help needed" --priority high
xr biz kpis| Worker | Role | Capabilities |
|---|---|---|
| 👔 CEO Advisor | Strategic advisor | KPIs, reports, risk flagging, board prep |
| 💼 Sales Director | Pipeline manager | Deals, forecasting, follow-ups, coaching |
| 📣 Marketing Director | Campaign strategist | Campaigns, content, lead scoring, ROI |
| 📊 Financial Analyst | Finance monitor | P&L, invoices, expenses, cash flow |
| 👥 HR Manager | People operations | Directory, time-off, engagement |
| 📋 Project Manager | Delivery manager | Tasks, milestones, sprints, status |
| 🎧 Support Manager | Customer support | Tickets, SLA, knowledge base, routing |
| ⚙️ Operations Manager | Process optimizer | Workflows, automation, efficiency |
| ⚖️ Legal Assistant | Legal support | Contracts, compliance, risk |
| 🔍 Research Analyst | Intelligence analyst | Market research, competitors, trends |
| 🚀 Growth Strategist | Growth driver | Funnels, CAC/LTV, experiments |
| Category | Services |
|---|---|
| Communication | Gmail, Outlook, Slack, Discord, Teams, Telegram, WhatsApp |
| Calendar | Google Calendar, Outlook Calendar, Cal.com |
| Development | GitHub, GitLab, Jira, Linear |
| Storage | Google Drive, OneDrive, Dropbox, Nextcloud |
| CRM/ERP | HubSpot, Salesforce, ERPNext, Twenty |
| Payments | Stripe, PayPal |
| Analytics | Plausible, PostHog |
| Commerce | Shopify, WooCommerce |
| Automation | n8n, Activepieces |
| Infrastructure | Coolify, Docker |
XR is MIT licensed. Contributions welcome.
git clone https://github.com/ahmadrrrtx/xr
cd xr
bun install
bun testMIT — LICENSE
▀▄▀ █▀█
█░█ █▀▄
XR — built by @rrrtx · xr-gules.vercel.app · MIT
Local-first. Spend-capped. Tamper-evident. Yours.
XR is now a first-class MCP-native platform.
MCP (Model Context Protocol) lets XR connect to any compliant server for tools, resources, and prompts using a single standard — no more bespoke integrations.
Core capabilities delivered:
- Full MCP 2025-06-18 client (tools/list, tools/call, resources, prompts)
- 4 transports: stdio, http, sse, streamable-http
- Persistent registry + complete lifecycle (
add/enable/disable/remove/inspect) - Explicit permission model (15 scopes) + trust levels
- Every MCP invocation is approval-gated, audited, budget-aware, and egress-controlled
- MCP tools/resources/prompts surface automatically into the agent as
mcp.<server>.<name> - Health checks +
xr mcp doctor - Clean fail-closed behavior
Quick start
xr mcp add github stdio npx @modelcontextprotocol/server-github
xr mcp enable github
xr mcp inspect github
xr mcp tools github
xr "list my open PRs using the github MCP server"All safety rails from previous stages still apply. MCP servers are never trusted by default.
See xr mcp --help for the full surface.