Show HN: Democr.ai – self-hosted agentic AI runtime with audit and RBAC Democr.ai, a self-hosted agentic AI runtime framework, launched in public beta, offering server-driven UI, OS-level sandboxing, RBAC, and triple-layer audit for production-grade AI applications. The Python-based framework targets environments with compliance and operational constraints, providing an integrated runtime with pluggable model orchestration and multi-tenancy. A Python framework for building agentic AI applications with server-driven UI, native observability, OS-level sandboxing, pluggable model orchestration, and a strict extension boundary — designed for environments where reproducibility, auditability, and operational control matter. Status: Beta 0.0.1b4 — public preview. The core architecture is implemented and actively tested, but APIs and operational behavior may still change before the first stable release. The software ships without warranty. - Website: democr.ai https://democr.ai - Documentation: democr.ai/docs/ https://democr.ai/docs/ Democr.ai is a complete runtime framework for AI applications. It provides: - Server-driven UI for agentic contexts, implementing and extending Google's A2UI protocol - Multi-client rendering of the same UI definition across web and desktop clients - Native multi-tenancy enforced at write time - Cross-platform OS-level sandboxing for engine and extension processes - Triple-layer audit through SQLAlchemy hooks, with sensitive field redaction - RBAC with declarative module manifests - Pluggable AI engine orchestration across local, remote, and distributed runtimes - Engine quotas for request and token governance by engine and subject scope - Knowledge subsystem with vector and graph backends - A strict modular architecture where everything — including authentication — is a module built against the public SDK The framework is designed around a clear boundary between core runtime and extensions. The SDK is the only supported way to build on top. Most AI application stacks combine a chat UI, an LLM client, a workflow library, and separate infrastructure for audit, permissions, sandboxing, and observability. Democr.ai puts those concerns in one runtime contract: - UI is declared server-side and rendered by independent clients. - Modules, engines, and extractors are installable extensions with a public SDK boundary. - Model calls flow through an orchestrator that supports local providers, remote providers, process isolation, quotas, and multi-node execution. - Security and audit are runtime primitives, not application conventions. - Knowledge ingestion, retrieval, media handling, tools, MCP, and agent skills share the same request and observability context. That combination is intentionally broad. The project is still beta, but the architecture is already aimed at production-grade constraints rather than demos or single-chatbot prototypes. Let agents build UI components that render as native application surfaces, not as screenshots or markup fragments. Democr.ai modules describe UI declaratively on the server, then stream structured updates as the agent works. The short demo shows the important part: one backend-declared YAML surface reflected through client renderers, while the backend keeps ownership of behavior, actions, and runtime effects. Democr.ai targets applications where: - The deployment environment has compliance, regulatory, or operational constraints - Observability and reproducibility are required from day one, not added later - Avoiding vendor lock-in is a hard constraint: the framework is fully self-hostable, model-agnostic, and ships no proprietary cloud services - Auditability across user actions, data mutations, and AI calls is required at the deployment level - The team prefers an integrated runtime over assembling separate pieces LLM library + UI framework + observability stack + audit + RBAC + workflow engine It is not a thin wrapper, a model router, or a chat UI library. It is a runtime where modules, engines, extractors, and clients compose into a single coherent system. There are no privileged components. Authentication, system administration, and the demo applications shipped in this repository are all built as modules, using the same SDK that third-party developers use. There are no reserved APIs, no hidden hooks, and no internal-only services. The modules included in this repository auth , system , components are primarily examples of how the framework works and how applications integrate with it. They provide a working baseline, but deployments are not required to use them as-is: teams can replace them, extend them, or build their own domain-specific implementations. - The runtime is fully self-hostable. - AI engines are pluggable: local inference vLLM, llama.cpp and cloud providers OpenAI, Anthropic, Google, and others , or custom integrations. - Storage backends are pluggable for vector sqlite-vec, pgvector, and others , knowledge graph, and core persistence SQLite, PostgreSQL . - No proprietary serialization formats. State is portable across deployments. Observability is not added as later instrumentation — it is part of how the framework expects developers to build. Every action, AI call, and module operation flows through a correlation chain that allows step-by-step reconstruction of any request. Pipelines are observable. The audit subsystem captures mutations at three layers request, ORM, AI invocation automatically, with sensitive field redaction. Reproducibility is achieved through deterministic configuration, structured event logs with stable IDs, and an immutable audit trail. The framework provides security as foundational primitives, not as opt-in features. See Threat model threat-model for the precise boundary between framework guarantees and deployer responsibilities. The UI layer is an extended implementation of Google's A2UI protocol for server-driven UI in agentic contexts. The same UI definition renders consistently across multiple clients with no client-side framework code required from module authors. New clients can be added without changes to existing modules. Democr.ai is composed of distinct subsystems: Core runtime — bootstrap, lifecycle, request handling, dependency graph Network — WebSocket, IPC, HTTP under a unified protocol layer AI engine orchestrator — job-based scheduling, batching, gRPC process isolation, HITL support Knowledge — ingestion queue, projection workers, vector + graph retrieval Sandbox — OS-level isolation Landlock + seccomp + iptables + helper process | seatbelt | Windows Low Integrity + WFP Multi-tenancy — write-time enforcement with materialized scope filters RBAC — declarative access policies in module manifests Modules — framework extension surface, via SDK Engines — pluggable AI inference providers Extractors — pluggable knowledge extraction providers Clients — independent rendering surfaces for web, desktop, and mobile-oriented clients Platform — agents, skills, tools, MCP, UI builder Detailed subsystem documentation is available at democr.ai/docs/ https://democr.ai/docs/ . | Capability | Status | Notes | |---|---|---| | Server-driven UI extended A2UI | Implemented | websocket and ipc transport | | Multi-client rendering | Implemented | Web, Qt desktop, Tauri, React variants | | Multi-tenancy | Implemented | Write-time enforcement | | RBAC | Implemented | Declarative manifests | | AI engine orchestration | Implemented | Job-based, gRPC isolated | | Knowledge subsystem vector + KG | Implemented | Hybrid retrieval | | Audit triple layer | Implemented | Sensitive field redaction | | OS sandbox Landlock + seccomp + iptables | Implemented | | | OS sandbox on macOS | Implemented | Seatbelt | | OS sandbox on Windows | Implemented | Low Integrity + WFP; egress enforcement uses an elevated helper | | Local AI inference | Implemented | vLLM, llama.cpp, ONNX, Ollama, and others | | Cloud AI providers | Implemented | OpenAI, Anthropic, Google, and others | | Multi-node engine orchestration | Implemented | Shared queue, node registry, Redis response streams | | mTLS for internal gRPC services | Roadmap | Server-side TLS + service JWT first | | Context budget guard | Implemented | Heuristic guard for oversized prompt messages and tool outputs, scaled by model context settings | | Multi-node tuning | Roadmap | Distributed fine-tuning workflows | | Mobile clients | Experimental | React Native client exists but is not certified | | Engine quotas | Implemented | Request and token limits by engine and subject scope | | Request observability | Implemented | Correlation chain across layers | The following numbers are local stress-test snapshots for the authenticated request path: login, session handling, and server-side rendering of the server-driven UI route /components/ effects/yaml . They document observed behavior under concurrent load on one machine; they are not universal performance claims or comparisons with other frameworks. Environment: - CPU: Intel Core i9-14900K - RAM: 64 GB - GPU: NVIDIA RTX 3090 Suprim, not used by this benchmark path - OS: Ubuntu 24 - Python: 3.12.3 - Providers: remote providers | Instances | Workers / instance | Clients / worker | Duration | Requests | Errors | Throughput | Avg latency | p95 latency | |---|---|---|---|---|---|---|---|---| | 4 | 4 | 4 | 303.69s | 468,840 | 0 | 1,543.83 req/s | 33.28ms | 47.05ms | | 8 | 4 | 4 | 302.39s | 718,050 | 0 | 2,374.55 req/s | 43.30ms | 47.94ms | Command shape: PYTHONPATH=. .venv/bin/python scripts/multi core benchmark.py \ --instances 4 \ --workers 4 \ --clients 4 \ --duration-seconds 300 \ --profile custom \ --profile-log-summary For the 4-instance run, aggregate resource usage was: | Metric | Value | |---|---| | Avg total CPU | 1326.9% | | Peak RSS | 7092.1 MB | | Peak USS | 5936.8 MB | | Peak PSS | 5986.8 MB | RSS can overstate standalone memory use because shared pages are counted more than once. The framework offers security as foundational primitives: OS-level sandboxing, immutable audit, RBAC, scoped data access, and at-rest encryption of secrets stored in the database. Modules operate within these primitives according to the policies they declare sandbox allow-lists, RBAC permissions, access scope . The threat model covered by the framework is accidental supply-chain compromise — a third-party module with a bug or compromised dependency must not be able to harm the system beyond its declared scope. The threat model not covered is a deliberately malicious module installed consciously by the deployer. The selection of modules to install and the configuration of security policies are deployer responsibilities. The framework's config.yaml is plaintext and is generated locally by the setup wizard. It is not designed to be deployed. Secrets are encrypted at rest only when stored in the database. - Python =3.12,<3.14 - Linux is the most tested environment for full security features - Optional: NVIDIA GPU with CUDA for local inference From the repository root: ./setup venv.sh alternatively, install and run desktop mode with ./run.sh For the React web clients and the Tauri desktop client, install frontend dependencies before running them. Tauri also requires Cargo. yarn --cwd clients/webclient install yarn --cwd clients/reactbootstrap install yarn --cwd clients/reactfluent install yarn --cwd clients/tauri install Default startup is desktop mode with the Qt client: python main.py Equivalent explicit form: python main.py --mode desktop --client qtdesktop python main.py --mode server --host 127.0.0.1 --port 8000 Desktop mode uses IPC by default. Add --http to also expose HTTP/WebSocket: python main.py --mode desktop --http --client qtdesktop Web clients are independent React applications. The runner launches them with yarn dev : python main.py --mode server --client webclient python main.py --mode server --client reactbootstrap Web clients are independent React applications. The runner launches them with yarn dev : python main.py --client tauri On first run, the framework starts a setup wizard via the connected client. The wizard configures the database, AI providers, and the initial administrator user. The resulting configuration is generated locally and not designed to be deployed. Initial setup can also run from the core CLI: python main.py setup path/to/setup.yaml The setup YAML contains admin credentials and the runtime config payload. If admin.password is omitted, the command prompts for it interactively; in non-interactive runs use an environment variable such as ${DEMOCRAI ADMIN PASSWORD} . The command only runs before an application config exists and will not overwrite an existing installation. | Command | Purpose | |---|---| python main.py | Default desktop mode | python main.py --mode server | Server mode HTTP + WebSocket | python main.py --mode desktop | Desktop mode IPC transport | python main.py --http | Also expose HTTP in desktop mode | python main.py migrate all | Run all pending database migrations | python main.py migration-status all | Show migration status | python main.py create-migration db -m "desc" --autogenerate | Create a new core DB migration | python main.py create-migration data --module