Skip to content
/
Tier A A11 Governance

AgentTier

agenttier · agenttier/agenttier · ★ 19 · last commit 2026-05-25

Primitive shape
No installable primitives
00

Summary

AgentTier — Summary

AgentTier is a Kubernetes-native control plane that provisions isolated, persistent sandbox environments for AI agents and human developers, managed declaratively through Custom Resource Definitions (CRDs). Each sandbox is a Kubernetes pod backed by a persistent volume and a per-sandbox NetworkPolicy; stopping a sandbox deletes the pod but preserves the filesystem so work survives across sessions. The platform targets sub-second cold starts (~800 ms) via warm pools, optional immediate PVC binding, and image pre-pull DaemonSets, eliminating the typical 10+ second pod scheduling latency. Security posture is locked-down by default: non-root user, read-only root filesystem, all capabilities dropped, seccomp RuntimeDefault, and optional gVisor RuntimeClass for kernel-level isolation of untrusted LLM-generated code. Agent mode allows a configured entrypoint to be invoked over Server-Sent Events via /invoke, with per-sandbox concurrency throttling, 30-minute per-invoke timeout, and full OpenTelemetry + Prometheus instrumentation. A Go binary (agenttier) and Python SDK (pip install agenttier) provide CLI and programmatic access; a browser-based web dashboard handles sandbox cards, template management, governance policies, and a hierarchical workspace file browser.

Differs from seeds: No seed in the catalog is infrastructure-level; all 11 seeds (superpowers, spec-kit, claude-flow, openspec, BMAD-METHOD, taskmaster-ai, agent-os, kiro, ccmemory, claude-conductor, spec-driver) operate at the agent-loop layer — they inject instructions or tooling into an already-running LLM session. AgentTier sits below the agent loop: it owns lifecycle, auth, transport, audit, and governance of the container/pod that the agent runs inside. The closest structural parallel is kiro's "Closed IDE" archetype (both provide a managed execution environment), but AgentTier is purely infrastructure — it does not prescribe prompts, hooks, or skills; it delegates those to whatever agent framework the operator installs in the sandbox image.

01

Overview

AgentTier — Overview

Origin

AgentTier was created to fill a gap between generic Kubernetes workloads and the specific operational requirements of running AI coding agents (Claude Code, Cursor, Aider, LangGraph agents) at scale. The project emerged in 2024–2025 as organizations found that raw Docker containers lack the combination of persistent workspaces, governance policies, and browser-accessible terminals that agent workflows demand.

Philosophy

The README states the core scope directly:

"The framework owns the loop; AgentTier owns lifecycle, auth, transport, audit, and governance."

This is an explicit architectural division: AgentTier is not an agent framework. It is the platform that agent frameworks run on. The operator chooses the agent (LangGraph, Strands, AutoGen, OpenHands, bare Claude Code); AgentTier handles everything below:

"Bring your own framework or harness — the LangGraph reference template ships in the box; the same shape works for Strands Agents, AutoGen, OpenHands, OpenClaw, or any pip-installable agent library."

Key design choices

  • Declarative CRD lifecycle: Sandboxes are Kubernetes objects (Sandbox, ClusterSandboxTemplate). Create/stop/resume/delete follow standard kubectl apply semantics. The Controller reconciles actual state to desired state with bounded retries and structured events on failure.

  • Stop = preserve, not destroy: Stopping a sandbox deletes the pod but keeps the PVC. Resuming creates a new pod reattached to the same volume — git repos, installed packages, and partial work survive indefinitely.

  • Warm pools as a first-class feature: Templates declare a warm pool size; the Controller pre-provisions pods so the first sandbox from a pool attaches in ~800 ms rather than ~10 s.

  • Agent mode as an opt-in on the same pod: Rather than a separate agent runtime, SandboxMode=agent reuses all existing pod/PVC/NetworkPolicy machinery and adds only /configure and /invoke endpoints routed over SSE.

Manifesto-style statements

"Sub-second cold starts — per-template warm pools, optional immediate PVC binding, and an opt-in image pre-pull DaemonSet take creation from ~10 s down to ~800 ms."

"Locked-down sandboxes by default — non-root user, read-only root filesystem with a writable in-memory /tmp, all capabilities dropped, seccomp=RuntimeDefault, and per-sandbox service accounts with no cluster permissions."

"Hashed share-link tokens — share links store SHA-256 hashes at rest, never the raw secret, with constant-time comparison on validation."

Language and runtime

Written in Go (controller and router) with a Python SDK and a Next.js web UI. Distributed as a Helm chart + container images from ghcr.io/agenttier/*, all cosign-signed with SPDX + CycloneDX SBOMs.

02

Architecture

AgentTier — Architecture

Sandbox primitive

Kubernetes Pod + PVC + NetworkPolicy managed by a custom controller (Kubernetes Operator pattern). NOT microVM — the default runtime is standard container (containerd). Optional gVisor (RuntimeClass: gvisor) provides kernel-level isolation for untrusted workloads.

Startup time claims:

  • Default (no warm pool): ~10 s
  • With warm pool + immediate PVC binding + image pre-pull: ~800 ms

Distribution

  • Helm chart: helm install agenttier agenttier/agenttier --namespace agenttier --create-namespace
  • Python SDK: pip install agenttier (installs both Python SDK and agenttier CLI binary)
  • Go binary: cross-platform (linux/darwin/windows, amd64/arm64) distributed via GitHub Releases
  • Container images: ghcr.io/agenttier/* (controller, router, web-ui)

Installation complexity

multi-step (Helm + Kubernetes cluster required; optionally EKS via ./hack/quickstart.sh)

Directory tree (repo)

agenttier/
├── api/v1alpha1/          # CRD type definitions (Go): Sandbox, SandboxTemplate, ClusterSandboxTemplate
├── cmd/
│   ├── cli/               # `agenttier` Go CLI binary
│   ├── controller/        # Kubernetes operator (reconciles Sandbox CRDs)
│   ├── router/            # API + WebSocket gateway (exec, files, invoke, PTY)
│   └── sandbox-runtime/   # In-pod sidecar
├── config/                # Helm chart values, RBAC, CRD manifests
├── docs/                  # Documentation source
├── examples/              # Example sandbox templates, agent harness YAML
├── helm/                  # Helm chart
├── images/                # Sandbox base images (general-coding, claude-bedrock, minimal, langgraph)
├── pkg/                   # Shared Go packages
├── python-sdk/            # `pip install agenttier` Python client
├── terraform/             # Terraform module (roadmap, not yet shipped)
└── web-ui/                # Next.js dashboard

Required runtime

  • Kubernetes 1.27+ with NetworkPolicy support (any CNI)
  • Container runtime: containerd (gVisor optional via RuntimeClass)
  • Supported cluster targets: EKS, GKE, AKS, self-managed

Components inside a Kubernetes cluster

┌─────────────────────────────────────────────────────────────────┐
│                      Kubernetes Cluster                           │
│  ┌────────────┐  ┌────────────┐  ┌──────────┐  ┌───────────┐  │
│  │ Controller │  │   Router   │  │  Web UI  │  │    etcd    │  │
│  │ (operator) │  │ (API + WS) │  │ (nginx)  │  │ (built-in) │  │
│  └─────┬──────┘  └─────┬──────┘  └──────────┘  └───────────┘  │
│        │                │                                        │
│  ┌─────┴────────────────┴────────────────────────────────────┐  │
│  │                  Sandbox Namespace(s)                       │  │
│  │  ┌──────────┐  ┌──────────┐  ┌──────────┐                │  │
│  │  │Sandbox 1 │  │Sandbox 2 │  │Sandbox N │  ...           │  │
│  │  │Pod + PVC │  │Pod + PVC │  │Pod + PVC │                │  │
│  │  │+ NetPol  │  │+ NetPol  │  │+ NetPol  │                │  │
│  │  └──────────┘  └──────────┘  └──────────┘                │  │
│  └───────────────────────────────────────────────────────────┘  │
└─────────────────────────────────────────────────────────────────┘

Isolation mechanism

  • Default: Kubernetes namespace isolation + NetworkPolicy (deny-all egress with allow-list)
  • Optional: gVisor RuntimeClass (kernel-level, sandboxes the container's system calls)
  • NO microVM by default (unlike CubeSandbox / CUA)

Target AI tools

  • Claude Code (AWS Bedrock via IRSA/workload identity)
  • Cursor
  • Aider
  • LangGraph agents
  • Strands Agents, AutoGen, OpenHands, OpenClaw (via bring-your-own harness)

Host-OS posture

Minimal host exposure: non-root user, read-only root filesystem, dropped capabilities, seccomp RuntimeDefault, per-sandbox ServiceAccount with no cluster permissions. The Router bypasses the Kubernetes API server for PTY connections (long session resilience).

Config files

  • Sandbox CRD YAML (per-sandbox)
  • ClusterSandboxTemplate CRD YAML (per template)
  • Helm values.yaml (cluster-wide governance, warm pools, optional add-ons)
03

Components

AgentTier — Components

AgentTier is infrastructure, not a prompt/skill framework. Components are runtime services and SDK primitives, not slash-commands or skill files.

Kubernetes CRDs (declarative primitives)

CRD Purpose
Sandbox Single isolated pod+PVC+NetworkPolicy environment; phases: Creating → Running → Stopped → Error → Deleting
SandboxTemplate (namespace-scoped) Blueprint for sandbox creation: image, resources, harness, hooks, warm pool
ClusterSandboxTemplate Cluster-wide template, sharable across namespaces

Runtime services

Service Language Purpose
Controller (operator) Go Reconciles Sandbox/Template CRDs; manages pod lifecycle, retries, events
Router Go REST API + WebSocket gateway; serves exec, files, invoke, PTY, port-forward
Web UI Next.js Browser dashboard: sandbox cards, template editor, governance settings, file browser, activity log
Sandbox Runtime (sidecar) Go In-pod agent serving the /pty endpoint and exec primitives

Agent mode endpoints

Endpoint Method Purpose
/invoke POST Run the configured agent entrypoint; stream back SSE events
/configure POST Write agent configuration into the sandbox before invoke

Python SDK (pip install agenttier)

Class / function Purpose
AgentTierClient Sync client: create_sandbox, list_sandboxes, exec, stop, resume, terminate
AsyncAgentTierClient Async variant
APIKeyAuth, BearerTokenAuth Auth providers
sandbox.exec(cmd) Fire-and-forget or request-response command execution
sandbox.forward_port(port) Port forwarding with preview URL
sandbox.wait_until_running() Blocks until sandbox is running

Go CLI (agenttier)

Installed via pip install agenttier or as a standalone Go binary.

Subcommands cover: sandbox management (create, list, get, stop, resume, delete), template management, file operations, governance.

Optional add-ons (Helm flags)

Add-on Purpose
gVisor RuntimeClass Kernel-level isolation for untrusted workloads
ServiceMonitor Prometheus scrape target
mem0 sidecar Local vector memory for agent sandboxes
Image pre-pull DaemonSet Pre-warm images on all nodes to eliminate pull latency
Headroom Deployment Pause pods at negative priority to keep spare node capacity warm
Cluster Autoscaler Cloud-neutral autoscaling (EKS/GKE/AKS)
OTel Collector OpenTelemetry trace forwarding

Reference sandbox images

Image Purpose
general-coding General development environment
Claude Code on AWS Bedrock Claude Code with cloud-native credential injection (IRSA/workload identity)
minimal shell Minimal image for custom toolchains
LangGraph agent-mode Pre-configured for LangGraph in agent mode

Observability primitives

  • OpenTelemetry spans across Controller + Router
  • Prometheus /metrics endpoint: sandbox counts, startup histograms, queue depth, error counters, terminal stats, invoke/configure/throttle metrics
  • Kubernetes Events on every sandbox lifecycle transition
  • Trivy CVE scan on every base image push (SARIF to GitHub Security tab)
  • Audit trail: every lifecycle, terminal, credential, share, clone, port-forward event recorded as Kubernetes Event (optional SQL backend for long-term retention)

No agent-loop primitives

  • Commands: 0 (no slash-commands)
  • Skills: 0
  • Hooks: 0 (no Claude Code lifecycle hooks)
  • MCP servers: 0 bundled
05

Prompts

AgentTier — Prompts

AgentTier is an infrastructure platform, not a prompt framework. It ships zero prompt files, skills, commands, or hooks targeting an LLM session. The agent's prompts are entirely the responsibility of the framework running inside the sandbox.

Prompt surface: harness block in templates

The closest AgentTier gets to "prompts" is the harness block in a ClusterSandboxTemplate, which defines the shell, tools, system prompt, hooks, and init scripts for the agent entrypoint. This is a YAML configuration block, not a Markdown prompt file.

Example harness block (from README/docs context):

apiVersion: agenttier.io/v1alpha1
kind: ClusterSandboxTemplate
metadata:
  name: claude-bedrock-agent
spec:
  harness:
    shell: /bin/bash
    tools:
      - claude-code
    systemPrompt: |
      You are a coding agent. Work in the /workspace directory.
      Commit your changes when done.
    initScripts:
      - name: install-deps
        script: |
          pip install -r requirements.txt
  image: ghcr.io/agenttier/claude-bedrock-agent:latest
  resources:
    requests:
      cpu: "1"
      memory: "2Gi"

Prompting technique: This is a configuration injection pattern, not a Claude Code skill or BMAD persona. The harness block passes a system prompt to whatever agent binary is invoked; it does not interact with Claude Code's skill/hook mechanism.

Python SDK "invoke" prompt

When using agent mode, the caller provides the task prompt via the invoke API:

result = await sandbox.invoke(
    prompt="Fix the failing tests in src/tests/. Run the test suite before and after."
)

Prompting technique: Goal-statement injection — the framework passes a freeform task description to the agent entrypoint. No RAG, no persona, no chain-of-thought scaffolding is provided by AgentTier itself.

Note on verbatim prompt files

After full repo inspection, AgentTier ships no Markdown prompt files, no .claude/ directory, no skill files, and no CLAUDE.md. The examples/ directory contains YAML template definitions, not LLM prompts. This is expected for an infrastructure-layer platform.

09

Uniqueness

AgentTier — Uniqueness & Positioning

Differs from seeds

AgentTier is categorically distinct from all 11 seed frameworks. Every seed (superpowers, spec-kit, claude-flow, openspec, BMAD-METHOD, taskmaster-ai, agent-os, kiro, ccmemory, claude-conductor, spec-driver) operates at or above the agent-loop layer — they inject instructions, skills, hooks, or tool-use patterns into a running LLM session. AgentTier operates below the agent loop: it is the Kubernetes control plane that provisions the container the agent runs inside. The closest structural analogue is kiro (a managed execution environment for agents), but kiro is an IDE with prompt/hook primitives; AgentTier has zero prompt primitives and instead exposes Kubernetes CRDs, REST APIs, and SSE streams. AgentTier also has no counterpart in any seed for its warm-pool cold-start optimization, PVC-based workspace persistence, or hierarchical governance policies.

Positioning

AgentTier targets platform/infrastructure teams who need to run AI coding agents at scale within a Kubernetes environment they already operate. It is not a tool for individual developers tuning a single agent session — it is for teams running dozens to thousands of agent sandboxes concurrently with governance, multi-tenancy, and audit requirements.

Closest competitors (not named in README): E2B (cloud sandbox API), Daytona (dev environment automation), Modal (serverless GPU containers). AgentTier distinguishes itself by being self-hosted, Kubernetes-native (CRD-based), and explicitly designed for the stop/resume/persistent-workspace pattern that agent workflows require.

Key architectural bets

  1. Kubernetes CRDs as the programming model — operators already managing k8s clusters get sandbox lifecycle for free via kubectl/GitOps.
  2. Stop ≠ destroy — the persistent PVC model matches how agent workflows actually run (long tasks paused overnight, resumed next morning).
  3. Warm pools beat cold starts — pre-provisioned pods eliminate the #1 latency complaint with k8s-based sandboxes.
  4. Agent mode as a thin overlay — reusing all pod/PVC/NetworkPolicy machinery for agent mode avoids a separate runtime surface area.

Observable failure modes

  • gVisor incompatibility: some language runtimes or system calls are blocked by gVisor's seccomp policy; operators must test sandbox images before enabling RuntimeClass: gvisor.
  • Warm pool over-provisioning: warm pools consume cluster resources even when idle; incorrect pool sizing wastes money.
  • PVC cost accumulation: stopped sandboxes retain PVCs indefinitely until explicitly deleted; without governance TTLs, storage costs grow unbounded.
  • API server bypass risk: the Router's direct /pty endpoint bypasses the Kubernetes API server for long sessions — this is by design (resilience) but means those connections are not governed by standard k8s RBAC.
  • Inter-sandbox networking gap: the roadmap item for inter-sandbox networking is not yet shipped; multi-agent coordination requires external orchestration.

Cross-references

  • Explicitly supports Claude Code, Cursor, Aider, LangGraph, Strands, AutoGen, OpenHands, OpenClaw as agent harnesses
  • Competes in the same space as E2B, Daytona, Modal at the infrastructure layer
  • The mem0 sidecar integration positions it to compete with ccmemory (seed) for agent memory
04

Workflow

AgentTier — Workflow

Sandbox lifecycle phases

Create → Running → Stop (pod deleted, PVC preserved) → Resume (new pod, same PVC) → Delete (all removed)

Phase-to-artifact map

Phase Artifact / Output
Helm install Controller + Router + Web UI pods; CRDs registered; RBAC created
Template creation ClusterSandboxTemplate CRD in etcd; warm pool pods spun up
Sandbox create Sandbox CRD; pod scheduled; PVC bound; NetworkPolicy applied
Running PTY accessible; exec/file/port-forward endpoints live; audit events flowing
Stop Pod deleted; PVC preserved; Sandbox CRD phase = Stopped
Resume New pod created; same PVC reattached; phase returns to Running
Agent invoke SSE stream returned; OTel span emitted; audit event written
Delete Pod + PVC + NetworkPolicy removed; Sandbox CRD deleted

Approval gates

AgentTier is infrastructure — there are no human approval gates in the agent-loop sense. Governance is enforced programmatically:

Gate Mechanism
Governance policy violations Controller returns structured response listing failing field(s); create/resume rejected
Per-IP / per-user rate limiting Token-bucket on Router endpoints; 429 + Retry-After
Per-sandbox concurrency cap /invoke returns 429 with Retry-After when cap exceeded
Template allow-list Cluster/namespace policies restrict which templates can be used
Image registry allow-list Governance policy restricts which registries are approved

Interactive (Code) mode workflow

  1. User creates sandbox via kubectl apply, CLI, Python SDK, or dashboard
  2. Controller reconciles: schedules pod, binds PVC, applies NetworkPolicy
  3. User accesses browser terminal (PTY over WebSocket) or calls exec API
  4. User runs any tool — Claude Code, Cursor, vim — inside the sandbox
  5. Stop: pod deleted, PVC retained; Resume reattaches same PVC in seconds

Agent (invoke) mode workflow

  1. Operator configures sandbox template with mode: agent and entrypoint command
  2. Client calls POST /configure to write agent-specific config into sandbox
  3. Client calls POST /invoke — agent entrypoint runs inside pod; SSE streams back
  4. AgentTier enforces concurrency cap, timeout (default 30 min), and audit event
  5. Connection close cancels the in-pod process

Multi-agent workflow

Multiple sandboxes can run concurrently. Inter-sandbox networking is on the roadmap (not yet shipped). Current pattern: each agent gets its own sandbox; coordination happens at the caller/orchestrator level.

06

Memory Context

AgentTier — Memory & Context

Persistent workspace (primary memory mechanism)

AgentTier's primary "memory" is the persistent volume (PVC) attached to each sandbox. When a sandbox is stopped, the pod is deleted but the PVC survives — preserving the entire filesystem: git repos, installed packages, .claude/ directories, cached models, and partial work. Resume reattaches the same PVC in seconds.

This is filesystem-level memory, not LLM-session memory. The agent's context window is managed entirely by the agent framework running inside the sandbox.

State persistence

Layer What persists Duration
PVC (workspace) All files: code, packages, git state, agent config Until sandbox is deleted
Kubernetes etcd Sandbox CRD spec + status, template definitions Until cluster wipe
Kubernetes Events Every lifecycle, terminal, credential, share, clone, port-forward event Kubernetes event TTL (default 1 h; longer with optional SQL backend)
Optional SQL backend Audit events for long-term retention Configurable

Optional mem0 sidecar

A Helm flag adds a mem0 sidecar container next to the agent pod. This provides a local vector memory store for agent sessions. External memory options documented: Pinecone, Postgres + pgvector, AgentCore Memory.

Session handoff

Because the PVC persists across stop/resume cycles, the agent's working directory, git branches, and any CLAUDE.md or settings files survive session boundaries. This is a form of cross-session handoff at the filesystem level — the agent does not need explicit serialization; it reads from disk where it left off.

Context compaction

AgentTier has no built-in context compaction logic. Compaction is delegated to the agent framework (e.g., Claude Code's native compaction). The platform's contribution is ensuring the compaction artifacts (files written to disk) persist on the PVC.

Memory type classification

  • Primary: file-based (PVC)
  • Optional: vector-db (mem0 sidecar, Pinecone, pgvector)
  • No built-in SQLite, Neo4j, or proprietary store
07

Orchestration

AgentTier — Orchestration

Multi-agent support

AgentTier supports running multiple sandboxes concurrently, each hosting an independent agent. This is horizontal parallelism at the infrastructure level, not a coordinator-worker protocol within a single LLM session.

  • Each sandbox is an independent pod with its own PVC, NetworkPolicy, and (in agent mode) its own invoke endpoint.
  • The caller/orchestrator (external to AgentTier) is responsible for task decomposition and result integration.
  • Inter-sandbox networking is on the roadmap, not yet shipped. Current sandboxes cannot directly communicate.

Orchestration pattern

None (AgentTier itself does not orchestrate agents). The operator provides orchestration at the application layer by calling /invoke on multiple sandboxes. AgentTier provides the infrastructure primitives (concurrency caps, SSE streams, audit events) that enable parallel execution.

Isolation mechanism

Mechanism Default Optional
Kubernetes NetworkPolicy ✅ deny-all egress + allow-list
Namespace isolation
gVisor (kernel-level) ✅ (RuntimeClass)

NOT microVM. NOT git-worktree. NOT process isolation within a shared OS.

Execution mode

Event-driven (agent mode: triggered via /invoke) + interactive (code mode: user drives terminal). Not a continuous-loop daemon on the platform side — the agent inside the sandbox may run continuously.

Multi-model routing

None at the platform level. Model selection is entirely the responsibility of the agent framework running inside the sandbox. AgentTier facilitates credential injection (AWS Bedrock via IRSA, Kubernetes Secrets as env vars or files) but does not route model calls.

Consensus mechanism

None. AgentTier is infrastructure; it does not coordinate opinions between agents.

Crash recovery

Yes — bounded retries on infrastructure failures; sandbox enters Error phase after retry budget exhausted; structured Kubernetes Events on every failure. The pod is rescheduled automatically within the retry budget. Resume from Stopped state is manual (user-initiated).

Streaming output

Yes — /invoke streams SSE events back to the caller. PTY sessions stream over WebSocket with reconnect.

Prompt chaining

Not applicable at the infrastructure layer. AgentTier does not chain prompts.

08

Ui Cli Surface

AgentTier — UI & CLI Surface

Dedicated CLI binary

Yes — binary name: agenttier

  • Installed via pip install agenttier (Python package includes the Go binary on PATH) or as a standalone Go binary (linux/darwin/windows, amd64/arm64)
  • Is not a thin wrapper over claude/codex CLI — it is a full REST client for the AgentTier API
  • Subcommand surface covers: sandbox CRUD, template management, file operations, governance
  • Subcommand count: unknown exact count (README lists functional areas, not a complete --help tree)

Local web dashboard

Yes — Next.js web application

  • Port: configurable via Helm values (no fixed default documented in README)
  • Tech stack: Next.js (React), served via nginx container
  • Features:
    • Sandbox cards: name, status, mode (Code/Agent), key metadata
    • One-click lifecycle actions: Open Terminal, Stop, Resume, Delete
    • Browser-based terminal (full PTY over WebSocket, reconnect, tmux wrap, alt-screen stripped)
    • Per-sandbox settings page: ports, files, agent invoke, governance overrides
    • YAML template editor
    • Hierarchical workspace file browser (click into folders, breadcrumb, download file/folder/workspace as .zip)
    • Warm pool management: add/remove entries, see ready/pending/target counts per pool
    • Time-ordered activity log with filters
    • Live metrics + monthly cost estimator
    • Cluster glance: live node + pod counts, headroom spare, warm-pool size, autoscaler status

IDE integration

None — AgentTier is infrastructure. The agent inside the sandbox may run any IDE (Claude Code, Cursor, VS Code), accessed via the browser PTY or exec API.

Observability

  • OpenTelemetry: distributed traces across Controller + Router; trace context in structured JSON logs
  • Prometheus /metrics: sandbox counts, startup histograms, queue depth, error counters, terminal stats, invoke/configure/throttle metrics
  • Kubernetes Events: structured events on every lifecycle transition
  • SARIF CVE scan: Trivy output pushed to GitHub Security tab on every image push
  • Audit log: every lifecycle, terminal, credential, share, clone, port-forward event; optional SQL backend for long-term retention

API surface

REST API documented endpoints: sandboxes, templates, governance, audit, sharing, port forwarding, files, archive (workspace as zip), configure, invoke.

Python SDK surface (v0.1.1)

  • create_sandbox, list_sandboxes, get_sandbox, stop, resume, terminate, exec, wait_until_running, status
  • forward_port, list_ports, remove_port
  • list_templates, get_template
  • current_user

Related frameworks

same archetype · same primary tool · same memory type

OpenHarness ★ 13k
A11 Governance

Open-source Python agent runtime providing complete harness infrastructure: tools, memory, governance, swarm coordination, and…

Trae Agent ★ 12k
A11 Governance

Research-friendly open-source CLI coding agent by ByteDance, designed for academic ablation studies and modular LLM provider…

Sweep AI ★ 7.7k
A11 Governance

Autonomous GitHub bot that converts issues to pull requests using a sequential multi-agent pipeline.

Agent Governance Toolkit (microsoft) ★ 2.3k
A11 Governance

Enterprise-grade AI agent governance: YAML policy enforcement, 12-vector prompt injection defense, zero-trust identity,…

TDD Guard ★ 2.1k
A11 Governance

Mechanically enforces the Red-Green-Refactor TDD cycle by blocking file writes that violate TDD principles via a PreToolUse hook…

Agentic Coding Flywheel Setup (ACFS) ★ 1.5k
A11 Governance

Take a complete beginner from laptop to three AI coding agents running on a VPS in 30 minutes via an idempotent manifest-driven…