Skip to main content

A coding agent that jails model commands and uses editable state machines for long-running tasks.

Project description

agent6

A coding agent that jails model commands and uses editable state machines for long-running tasks.

The model can write code and ask to run commands, but those commands go through a jail with restricted filesystem and network access. Long-running workflows can be written, reviewed, edited, resumed, and replayed as declarative state machines instead of being left to an open-ended agent loop.

Full documentation: agent6.dev

The agent6 hub

Features

  • Sandboxed execution for every LLM-chosen child process, jailed individually with Landlock + seccomp; the default strict profile adds namespaces + pivot_root, rebinds .git read-only, and confines egress to your provider
  • Works with Anthropic and any OpenAI-compatible endpoint (OpenAI, OpenRouter, Ollama, vLLM, llama.cpp, LM Studio)
  • Per-step git commits, snapshot-resumable runs, per-turn forkable checkpoints, token budgets with hard stops and a best-effort USD ceiling
  • Plan, run, review, and ask modes; a live terminal dashboard and a zero-dependency browser UI (agent6 web, phone-friendly); persistent transcripts and a searchable run history
  • State machines (agent6 machine) for long-running automated tasks: LLM-drafted, operator-reviewed, journaled, and replayable; a machine can wait indefinitely for a human, be poked with a payload, steer/answer its agent states from any front-end, and notify you when it needs attention
  • Small, fixed LLM tool surface; the only extension point is operator-configured MCP servers, off by default
  • Eight runtime dependencies, no telemetry, no auto-update

Install

From PyPI with uv or pipx:

uv tool install agent6        # or: pipx install agent6

agent6 needs Linux for the sandbox (kernel 6.7+ for TCP rules), Python 3.12+, and an API key for at least one provider. macOS runs unsandboxed behind a warning; on Windows use WSL. See installation for the full requirements and building from source.

Quick start

# Connect a provider once (stored in ~/.config/agent6/, key in a 0600 secrets file).
agent6 connect                # interactive: pick provider, paste API key
agent6 model worker anthropic claude-sonnet-4-6

# Run the agent on a task. agent6 infers a verify command if you haven't set one.
cd your-repo
agent6 run "add a --json output mode to the CLI"

# Watch and drive runs from a terminal, a full-screen TUI, or a browser.
agent6 watch <run-id>         # plain live event stream (default)
agent6 tui                    # full-screen dashboard hub
agent6 web                    # browser UI on http://127.0.0.1:8901 (phone-friendly)

# Audit the effective config, pre-flight the sandbox, resume or fork a run.
agent6 config show
agent6 check
agent6 resume <run-id>
agent6 fork <run-id> --at-turn 7

That is the whole loop. See getting started for the full command tour, the web UI for driving runs from a phone, configuration for every field, and the security model for what the sandbox enforces.

Config is layered: built-in secure defaults, then the global ~/.config/agent6/config.toml, then the per-repo config (out of the workspace, per-machine, not committed), then an explicit --config FILE. Every field has a default; security-sensitive fields default to the safe value (agent_network = "providers", tool_network = "block", run_commands = "ask", protect_git = true, git.allow_* = false), and git_ops.py refuses push, --force, and history rewrites unconditionally.

Benchmarks

Reproducible harnesses live under bench/: real-world SWE-bench-Lite-style tasks, head-to-head runs against Claude Code / opencode / aider, machine create validation, and a perf-optimization harness. See each directory's README for recorded numbers (single runs, no variance measured; re-run before quoting).

Contributing

Read AGENTS.md first. The repo's verify command decides whether a change is landable:

uv run ruff check && uv run ruff format --check && \
  uv run pyright && uv run tach check && uv run pytest

Adding a tool, loosening a security default, dialling a new network destination, or changing the jail (src/agent6/jail/) requires a Security review note: paragraph in the commit message.

License

Apache-2.0.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

agent6-0.0.17.tar.gz (640.4 kB view details)

Uploaded Source

Built Distributions

If you're not sure about the file name format, learn more about wheel file names.

agent6-0.0.17-py3-none-manylinux_2_17_x86_64.musllinux_1_2_x86_64.whl (1.0 MB view details)

Uploaded Python 3manylinux: glibc 2.17+ x86-64musllinux: musl 1.2+ x86-64

agent6-0.0.17-py3-none-manylinux_2_17_aarch64.musllinux_1_2_aarch64.whl (990.4 kB view details)

Uploaded Python 3manylinux: glibc 2.17+ ARM64musllinux: musl 1.2+ ARM64

File details

Details for the file agent6-0.0.17.tar.gz.

File metadata

  • Download URL: agent6-0.0.17.tar.gz
  • Upload date:
  • Size: 640.4 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.13

File hashes

Hashes for agent6-0.0.17.tar.gz
Algorithm Hash digest
SHA256 03347e4c3a708c11ca2e34274cdcd8ad7ad2ffd3ca374d6c44fde0a397d47d4f
MD5 eb59df92594fe3fed6ed9003dbd77403
BLAKE2b-256 835dea4b520210a585950654856f1122ba13f92217c86010cc00ab58295aa8ff

See more details on using hashes here.

Provenance

The following attestation bundles were made for agent6-0.0.17.tar.gz:

Publisher: pypi.yml on agent6-dev/agent6

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file agent6-0.0.17-py3-none-manylinux_2_17_x86_64.musllinux_1_2_x86_64.whl.

File metadata

File hashes

Hashes for agent6-0.0.17-py3-none-manylinux_2_17_x86_64.musllinux_1_2_x86_64.whl
Algorithm Hash digest
SHA256 51397f95382bfa8edf26c8a67dbf346533e12eaa4ec782e1da0942a97addd42b
MD5 42520293bc6c48ae969505eba2f06093
BLAKE2b-256 827facb5757835bc61c8c60f537f08dcf10ec065047e17b999e5e9259b697885

See more details on using hashes here.

Provenance

The following attestation bundles were made for agent6-0.0.17-py3-none-manylinux_2_17_x86_64.musllinux_1_2_x86_64.whl:

Publisher: pypi.yml on agent6-dev/agent6

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file agent6-0.0.17-py3-none-manylinux_2_17_aarch64.musllinux_1_2_aarch64.whl.

File metadata

File hashes

Hashes for agent6-0.0.17-py3-none-manylinux_2_17_aarch64.musllinux_1_2_aarch64.whl
Algorithm Hash digest
SHA256 8f8210282290bb157cbca163b429ec8fe3a60a35ceb95501e7b4fe46d2b46fa7
MD5 d3e8a09c78e29d08f7eba75aaa7b11e1
BLAKE2b-256 47874fc8c401017836b5a83306850d40574263e3d7516972fcd210fedf922e78

See more details on using hashes here.

Provenance

The following attestation bundles were made for agent6-0.0.17-py3-none-manylinux_2_17_aarch64.musllinux_1_2_aarch64.whl:

Publisher: pypi.yml on agent6-dev/agent6

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page