Visual reference

Architecture

How processes, files, and packages connect on a single Mac.

Runtime topology: separate processes · file IPC · no custom KEXT

[Diagram: runtime topology. Recoverable labels, grouped by component:]
macOS APIs: Endpoint Security API · Network Extension API (DNS / flow metadata)
Endpoint Security Extension: process governance · file access · ~2ms · supply-chain gate · sync enforcement
Content Filter Extension: policy drops · behavioral gates · exfil / beacon heuristics
DNS Proxy Extension: domain ↔ IP cache · privacy report enrichment
Shared runtime storage: security telemetry · network telemetry · policy config · verdict cache · zero-copy verdict bridge (sync reads / async writes)
PolicyEngine: policy evaluation · enforcement decisions
Behavioral Engine: detection engine · correlation graph
Temporal Analysis: session timing
Network Intelligence: process topology · connection analysis
TURI control plane: Behavioral Engine · Session Replay · Policy · Shields · Telemetry Export (event stream, verdict update)
AI agent (Cursor, Claude · MCP): exec / file / net · sync path blocks before run · async path feeds graph + verdict

3 system extensions: ES · Content Filter · DNS
1 shared volume: /Users/Shared
2 enforcement planes: sync + async

AUTH_EXEC hot path

Agent spawns (posix_spawn / shell)
  → AUTH_EXEC: ES extension · ~2ms
  → Governors: process governance · intent verification
  → Allow / Deny / HITL: VerdictCache may suspend
  → JSONL + graph: behavioral engine correlation
  → Next syscall: terminate active execution if threshold exceeded

The first occurrence of a multi-step attack may complete on Plane 2 (async); Plane 1 (sync) enforces on the next AUTH event or via the 120s sensitive-read correlation.

Verdict bridge · zero-copy

ACTIVE: active verdict state · enforcement decisions · per-session scores
STANDBY: behavioral engine writes here, then atomically promotes

The verdict bridge connects the asynchronous behavioral engine to the synchronous enforcement layer. Scores and enforcement decisions propagate to the system extension without locks or IPC overhead.

Human-in-the-loop pending → suspends execution
Critical severity threshold → terminates session
Multi-signal correlation → quarantine + alert
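The active/standby handoff described above, together with the two-plane split from the AUTH_EXEC hot path, as an added example in Python (not TURI's own code, which is Swift). It assumes a file-backed bridge in a shared directory, a per-session score folded from JSONL-style events, and a critical threshold of 80; the class and function names, the event format and the sample telemetry are all constructed for illustration.

```python
# Added example, not TURI's code: a file-backed verdict bridge plus the two
# planes that use it. VerdictBridge, score_session, decide, the event schema
# and the threshold values are assumptions made for this illustration.
import json
import os
import tempfile

ALLOW, DENY, HITL = "allow", "deny", "hitl"
CRITICAL_SCORE = 80          # assumed "critical severity threshold"
CORRELATION_WINDOW_S = 120   # sensitive-read -> outbound-connect window


class VerdictBridge:
    """Active/standby snapshot handoff over two files in a shared directory.

    The async plane writes the standby file, fsyncs it, then promotes it with
    os.replace(), an atomic rename on POSIX. The sync plane only ever opens the
    active file, so it sees a complete old or new snapshot, never a torn one,
    and neither side takes a lock.
    """

    def __init__(self, root):
        self.active = os.path.join(root, "verdicts.active.json")
        self.standby = os.path.join(root, "verdicts.standby.json")
        if not os.path.exists(self.active):
            self.publish({})

    def publish(self, snapshot):
        """Async plane (behavioral engine): write standby, then promote."""
        with open(self.standby, "w") as f:
            json.dump(snapshot, f)
            f.flush()
            os.fsync(f.fileno())
        os.replace(self.standby, self.active)   # atomic promotion

    def read(self):
        """Sync plane (AUTH_EXEC governor): read only the active snapshot."""
        with open(self.active) as f:
            return json.load(f)


def score_session(events):
    """Async plane: fold one session's JSONL events into a score.

    Assumed heuristic: a sensitive file read followed by an outbound
    connection within CORRELATION_WINDOW_S counts as an exfil pattern.
    """
    score = 0
    last_sensitive_read = None
    for ev in events:
        if ev["type"] == "file_read" and ev.get("sensitive"):
            last_sensitive_read = ev["ts"]
            score += 10
        elif ev["type"] == "net_connect":
            recent = (last_sensitive_read is not None
                      and ev["ts"] - last_sensitive_read <= CORRELATION_WINDOW_S)
            score += 75 if recent else 5
    return score


def decide(snapshot, session_id):
    """Sync plane: the AUTH_EXEC hot path consults only the active snapshot."""
    entry = snapshot.get(session_id)
    if entry is None:
        return ALLOW           # nothing scored yet: the first exec passes
    if entry.get("hitl_pending"):
        return HITL            # suspend execution until a human answers
    if entry["score"] >= CRITICAL_SCORE:
        return DENY            # terminate the session's next exec
    return ALLOW


def demo():
    # Constructed sample telemetry for two agent sessions (JSONL-style dicts).
    telemetry = {
        "sess-A": [
            {"ts": 1000, "type": "file_read", "path": "~/.ssh/id_ed25519", "sensitive": True},
            {"ts": 1030, "type": "net_connect", "dst": "203.0.113.7:443"},
        ],
        "sess-B": [
            {"ts": 2000, "type": "file_read", "path": "README.md", "sensitive": False},
            {"ts": 2005, "type": "net_connect", "dst": "203.0.113.8:443"},
        ],
    }
    bridge = VerdictBridge(tempfile.mkdtemp())
    # The first exec of sess-A arrives before the async plane has scored
    # anything, so the sync plane sees an empty snapshot and allows it.
    first = decide(bridge.read(), "sess-A")
    snapshot = {sid: {"score": score_session(evs), "hitl_pending": False}
                for sid, evs in telemetry.items()}
    bridge.publish(snapshot)   # next AUTH for sess-A is now denied
    return first, decide(bridge.read(), "sess-A"), decide(bridge.read(), "sess-B"), snapshot


if __name__ == "__main__":
    print(demo())
```

The ordering in `demo()` is the point of the Plane 1 / Plane 2 note: the sensitive read and the outbound connection both complete before the score exists, and enforcement lands on the session's next AUTH event once the promoted snapshot carries a score over the threshold.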

Shared Swift packages (Extensions + App)

PolicyEngine · BehavioralEngine · TemporalEngine · NetworkIntelligence · ProcessTopology

Not a custom KEXT

TURI uses Apple's Endpoint Security and Network Extension APIs inside sandboxed system extensions. Optional mf exec capability tokens exist; ExecGovernor is the default AUTH path for real agents.

Running AI agents on Mac at scale? We'll tune policy with you.
