The open-source framework for agentic platforms with guardrails that hold at scale.
Skills teach. Tools do. Modules bundle. Budgets enforce. Audits explain every action.
Anyone can ship one. Install with a click.
npx create-boringos my-appDrag a .hebbsmodonto the shell's Apps screen. Signed bundle, schema migrated, tools registered, UI hot-mounted — your agents know the new domain on the next wake.
crm-0.3.0.hebbsmod ├── module.json # id, version, kind, ui entry, publisher ├── index.mjs # bundled Module — tools + skills + lifecycle ├── skills/deals.md # injected into the agent prompt on wake ├── migrations/0001_init.sql # per-tenant Drizzle ├── ui/index.mjs # React surface, hot-loaded at /modules/crm/ui └── signature # Ed25519 over manifest + code + ui
$ curl -F file=@crm-0.3.0.hebbsmod \ -H "X-API-Key: $KEY" \ https://your-host/api/admin/modules/upload
Every connector, every business app, every internal capability — same manifest, same install pipeline, same HTTP surface. Read it once, write your own.
Behavior, in markdown.
Plain .md files that get concatenated into the agent's system prompt on every wake. Teach the agent when to use a tool, edge cases, your house style. No templating — just words.
Module / persona / agent-instructions / tenant-override sources, prioritised + deduped.
Capability, with types.
Zod-typed callables, dispatched at POST /api/tools/<module>.<name>. Same handler runs from agents, workflows, routines, or your own routes. Every call is audited to tool_calls.
Idempotency + cost hints + permission scopes built in.
Everything, bundled.
One manifest binds skills + tools + schema + workflows + agents + routines + webhooks + OAuth + UI. Built-ins, third-parties, your own — all the same shape. app.module(x) wires the rest.
Three kinds: connector, module, hybrid — UI grouping hint, identical dispatch.
A Module is a TypeScript file with a manifest. Bundle it into a .hebbsmod archive. Upload it. Hosts install it per-tenant. Same flow as a Chrome extension or WordPress plugin — just for agents.
Plain TypeScript. Implement the Module interface. Skills as .md, tools as Zod-typed handlers.
.hebbsmod = signed zip with manifest + ESM entry + skills + migrations + UI. ~100KB–2MB.
Drag it into the shell. Ed25519 signature verified. Bytes content-addressed. Listed for tenants to install.
Tenants opt in. Schema applied. Lifecycle hooks fire. Tools live at /api/tools/<id>.<name>. Agent reads new Skills next wake.
Everything you'd otherwise wire up yourself — already a Module, already installed. Same shape as the one you'll write next.
Tasks, comments, agents, runs
Pluggable cognitive memory
File storage + ACL
DAG runner over the tool registry
Email/Slack/event triage queue
Capability — routes new items to agents
Built-in chat surface for every app
Gmail + Calendar via OAuth
Channels, DMs, slash commands
Agents run with --dangerously-skip-permissionsso they don't stop to ask. That's safe because every byte they read or write goes through Drive — our proxy over the filesystem. Tenants can't see each other. Users keep private files private. Agents can't write to each other's drafts.
<tenantId>/ # isolation root — you cannot escape it
├── shared/... # tenant-wide · agents read+write
├── users/<userId>/... # PRIVATE · agents denied (drive-acl.ts:239)
├── agents/<agentId>/... # agent home · own=rw · others=read-only
├── tasks/<taskId>/... # deliverables · tenant-shared
└── projects/<projectId>/... # long-running · tenant-sharedEvery path is prefixed with the tenant id at the storage layer (manager.ts:56). There is no code path that reads or writes outside the tenant root. Path traversal — .., absolute paths, percent-encoded escapes — rejected before the storage call.
users/<id>/ returns 'users/<id>/ is private — not accessible to agents' on every agent attempt. It is not a permission you forgot to set — it is the default, in the type system, with a literal error string you can grep.
Agents can read each other's working drafts (transparency by default) but can only write to their own agents/<id>/ folder. Cross-agent writes return 'agent may only write to its own agents/<id>/ folder' — enforced before storage, not after.
Reads, writes, lists, deletes — all go through DriveManager. That means tenant scoping, ACL check, audit row, event fan-out, memory-sync index, every time. No side door.
@boringos/core/src/modules/drive-acl.ts.Agents delegate, escalate, and hand off to humans. Any task can route to the best runtime by policy, with fallback chains and shared memory across runs.
CEO sets the goal. CTO breaks it down. Engineers execute. QA validates. next_actor state machine routes work between agents and humans.
Every agent remembers. Every run builds context. Pluggable provider — Hebbs out of the box, or your own.
Cost tracked per run, including Anthropic cache tokens. Limits per agent, per task, per tenant. No runaway spend.
DAG that dispatches every node through the tool registry — same handlers your agents call. Persisted runs, live SSE, replay, fork-from-here, budget gates, and pause-on-approval keep autonomy controlled without slowing teams down.
Each block resolves to a Tool. Same Zod validation, same audit log, same handler whether the call comes from an agent, a workflow, or a routine.
Every block transition streams via SSE. Watch the DAG light up — no polling, no reconstruction.
Re-execute past runs. Fork from any block. Compare two runs side-by-side.
The host (@boringos/core) ships budget governance, runtime routing, auditable execution, and operations controls alongside the admin API, auth, SSE bus, and module install pipeline.
Define spend caps by tenant, workflow, agent, or task. Choose hard stops or soft alerts, inspect incidents, and keep autonomous execution inside guardrails.
Every tool call, mutation, approval, and run transition is logged with actor, timestamp, and payload context. Replay and forensic traceability come built in.
Route tasks to Claude, Codex, Gemini, Ollama, command, or webhook runtimes. Set quality/cost/speed policy and automatic fallback chains per workload.
Pause-on-approval and wait-for-human blocks create safe handoffs for high-risk actions, while still letting low-risk paths run autonomously.
Track success rate, retries, cost-per-outcome, and regression risk across agent changes. Compare runs and tighten quality before production rollout.
Generate evidence bundles for internal review, security audits, and customer due diligence. Export machine-readable logs plus human-readable summaries.
Ship and install signed .hebbsmod packages with integrity verification, content-addressing, and predictable lifecycle hooks per tenant.
Monitor queue pressure, run health, failures, and incident timelines from one operational view. Diagnose quickly and recover without guesswork.
You set the goal. The AI team figures out the rest. Every action is a Tool call. Every Tool call is audited.
Built-ins are already there. Click-install third-party .hebbsmod packages. Each one adds skills the agent reads and tools the agent can call.
Create a task. Assign to the CEO, CTO, or any role. Defaults route through Chief of Staff.
The agent reads its skills, picks tools, breaks the goal into subtasks, assigns each to the right teammate. Workflow runs orchestrate where needed.
Each agent spawns a CLI (Claude / Codex / Gemini / Ollama). Skills shape behavior, tools execute capability. Budget enforced. Memory shared.
next_actor flips between agent and human cleanly. Approvals route through the dashboard. Done tasks auto-post results as comments. Memory persists.
You don't install BoringOS. You tell your coding agent to. Open Cursor / Claude Code / Codex / Gemini CLI inside any empty folder, paste the prompt — it clones, installs, builds, boots Postgres, and brings up the shell at localhost:3000.
Cursor, Claude Code, Codex, Gemini CLI, Aider — any agentic coding tool. The prompt is the install script.
No Docker. No external DB. No Redis. Boot once, you have an admin API, a tool registry, an SSE bus, a queue.
Inbox, Drive, Workflows, Agents, Copilot, Modules screen — all the built-in Modules already registered, all UI live.
npx create-boringos my-appThe framework underneath. Modules sit on top of these; you usually only depend on @boringos/core and @boringos/module-sdk.
The copilot Module is built in. Chat surface, session naming, can call any registered tool, can edit your code. Zero config.
Budgeting, auditability, runtime flexibility, and policy guardrails are not add-ons. They are first-class primitives in the execution path.
Track who did what, when, and why across agents, workflows, and humans.
Detect spend spikes early and route incidents to the right owner with context.
Set org defaults once, then allow scoped tenant exceptions where required.
Export decision history and run artifacts for enterprise audits and customer security reviews.
One prompt. One minute. Your own agentic OS on localhost.
npx create-boringos my-app