v2026.04
Read release notes
exAI Agentic OSexAI
Join the waitlist
§ 01 / 06
Composer · pair programmerPlan · Diff · ApplySenior-engineer review speed.
gateway healthy · 4 providers online
exAI Composer · the AI pair inside the workspace

The pair programmer
that earns reviewer trust.

A plan you can read. A diff you can step through. An apply you authorize. Composer is the AI pair built for engineers who don't click “accept all”.

Composer returns a file-by-file plan before it touches code. Hunks stream in over SSE. Cancel mid-stream and partially apply what you've already accepted. The router picks across claude-opus-4, gpt-5, gemini-2.5-pro, and an on-prem llama-4-405b on cost, latency, and capability — and fails closed if a provider degrades.

Pair with ComposerSee the guardrails · 4 controls
composer · plan #pln_4f82
claude-opus-4
claude-opus-4 · plan ready · 2 hunks · +42 −3review →
src/server/router.ts
@@ −104,2 +104,3 @@
104app.post("/pay", async (req, res) => {
+app.use(idempotency());
return { ok: true };
+return { ok: true, id };
107});
Hunks
0
Added
+0
Removed
0
j / k · stepa · acceptx · reject⌘⏎ · apply
Fig. 01 · plan card · review-firstNothing applied yet
§ 02 / 06
Plan · Diff · Apply · the review flow

Three steps.
Zero surprise edits.

Composer never writes ahead of you. The plan is the contract, the diff is the negotiation, the apply is the signature. Senior engineers run the loop with j/k/a/x. Reviewers see one commit with a message Composer drafted from the plan it just executed.

composer.review · keyboard-driven · 142ms apply
session #ses_91ac · branch composer/idempotent-pay
01Plan
File-by-file proposal

Composer lists every file it intends to touch, every hunk it intends to add, every test it intends to run — before any byte is written.

src/server/router.ts+18 −2
src/server/idempotency.ts+62 −0
src/server/__tests__/router.test.ts+24 −0
claude-opus-4 · plan-id pln_4f82 · 3 files · 8 hunks
02Diff
Per-hunk preview

Every hunk renders with full surrounding context, syntax-aware. You step through with j/k. You reject, edit, or accept on the spot. Nothing is committed yet.

hunk 1 of 8router.ts:42–58
hunk 2 of 8router.ts:104–112
hunk 3 of 8idempotency.ts:1–62
review · 3 accepted · 0 rejected · 5 pending
03Apply
Atomic write

Accepted hunks land as a single working-tree write with a commit message Composer drafted from the plan. Rejected hunks vanish. Your editor stays in sync.

git apply --indexok
post-apply hookslint · typecheck
draft commitfeat: idempotent /pay
applied · 8 / 8 hunks · 142ms · branch composer/idempotent-pay
plan → diff → applyone commit · drafted from the plan
§ 03 / 06
Multi-model router · live

Four providers.
One policy.

Composer routes each request across Anthropic, OpenAI, Google, and a self-hosted Meta deployment based on a policy you write. Capability score, latency budget, cost ceiling, residency. The gateway fails closed when fewer than two providers are healthy — no degraded mode, no silent fallback.

gateway.exai.dev · routing decision · last 30s
412 tokens · weighted score
claude-opus-4
capability 0.94 · latency 1.2s · $0.0041
selected →
gpt-5
capability 0.89 · latency 1.8s · $0.0054
OpenAI
gemini-2.5-pro
capability 0.86 · latency 0.9s · $0.0028
Google
llama-4-405b
capability 0.80 · latency 0.6s · $0.0012 · on-prem
Meta
Policy
capability ≥ 0.90 · latency ≤ 1.5s · $0.005/req
Fallback
fail-closed when < 2 providers healthy
Residency
EU-only on tenants with eu_resident=true
Router contract

Every Composer call carries a typed RouteHint. The router scores live providers, picks a winner, and emits a receipt the workspace stores against the session. Reviewers can audit exactly which model wrote which hunk.

route(hint, {
capability: 0.94,
latency_ms_p50: 1200,
cost_ceiling_usd: 0.005,
residency: "eu",
})
Receipts

Every routing decision lands in the audit log with model, tokens, latency, and cost. Exportable to your SIEM. Queryable from your reviewer's commit page.

Tokens · avg / req
0
P50 latency
0.0 s
Gateway uptime
0.00 %
Provider retention
0-day
§ 04 / 06
Guardrails · four controls

The model is untrusted.
The system is not.

Composer treats the model the way you treat a contractor with shell access on day one — capable, watched, sandboxed. Four controls are wired into every session, enforced at the kernel, the gateway, and the prompt boundary. None of them are toggles you forget to flip.

G1enforced

Untrusted read-only mode

External repositories — pulled-in dependencies, third-party clones, anything not on your tenant's allow-list — open in a read-only Composer session. No writes, no shell, no network egress. Reviewer trust is the default state, not the opt-in.

$ composer.policy = read-only · external-repo: github.com/*
G2enforced

Shell sandbox · per-tenant allow-list

Every shell tool call routes through a per-tenant allow-list compiled from your security policy. Commands outside the list fail closed with a structured error the reviewer sees. No silent escalation, no implicit sudo.

$ exec.allow = [pnpm, jest, tsc, eslint, prettier, git status]
G3enforced

Secret scrubbing · pre-prompt

Before any prompt leaves the workspace VM, a deterministic scrubber walks the payload against tenant-supplied secret patterns and 142 default rules. Matches are replaced with stable placeholders. The redaction map never reaches the model.

$ scrub.rules = 142 default + tenant.kms.list() · placeholders stable
G4enforced

Egress allowlist · per-VM

Each Composer microVM ships with a per-VM egress allowlist enforced at the kernel boundary. The model gateway is on it. Your private registry is on it. Everything else is denied — including DNS — and logged with the calling agent's typed identity.

$ egress.allow = gateway.exai.dev · registry.tenant.local · denylog=on
§ 05 / 06
Streaming · cancellation

Cancel any time.
Keep what you accepted.

The model writes character-by-character into a hunk that opens and closes around it. You can stop it mid-paragraph. Already- accepted hunks land. Pending hunks vanish. No half-applied state ever reaches your working tree.

Composer streams over Server-Sent Events. Tokens land first, then hunk-readyevents fire as soon as a hunk parses cleanly. You can accept hunks the moment they appear — you don't wait for the whole plan to finish.

Mid-stream cancel sends one byte upstream. The gateway acks within the next event boundary, the model billing stops, and the session moves to partial=true. Any hunks you already accepted commit as a single working-tree write. Any pending hunks are discarded. No retries you didn't ask for.

The protocol is open: every event has a stable shape, an id, and a typed payload. The workspace, the CLI, and your CI all replay the same stream.

Time-to-first-byte
0 ms
Cancel-ack window
0 event
Partial-apply safe
0 %
GET /v1/composer/stream · text/event-stream
strm_a4c2 · live
event: connected
data: stream-id strm_a4c2 · model claude-opus-4 · plan-id pln_4f82
event: token
data: delta="export const idempotency = ("
event: token
data: delta=") =>\n async (req, _res, next) => {"
event: hunk-ready
data: hunk-id hk_01 · file=src/server/idempotency.ts · +62 −0
event: token
data: delta=" const key = req.header('Idempotency-Key');"
event: hunk-ready
data: hunk-id hk_02 · file=src/server/router.ts · +18 −2
event: cancel-ack
data: reason=user · partial=true · accepted=2 · pending=6
event: complete
data: tokens=412 · ttfb=180ms · total=1180ms · cost=$0.0041
stream closed · 8 events · 0 retries
events
8
hunks-ready
2 / 8
partial-apply
yes
Fig. 02 · SSE event log · cancel mid-stream2 hunks land · 6 discarded
§ 06 / 06
Pair with Composer · keyboard-first

Your reviewers won't
notice the difference.
Until they do.

Plan-diff-apply review. Multi-model router with fail-closed policy. Guardrails enforced at the kernel, the gateway, and the prompt boundary. The AI pair built for the engineer who reads every line before it lands.

Pair with ComposerRead the security brief
SOC 2 Type IIISO 270010-day retentionBYO model gatewayAir-gapped install