ostk
Run AI agents like production infrastructure.
Local-first, audited, and filesystem-coordinated. Adopt the open-source sandboxing library, the drop-in prompt cache, the context-drift memory engine, or the full integrated CLI suite.
Integrated CLI Suite
Complete CLI and supervisor daemon. Orchestrates multi-agent concurrency, manages state WAL logging, enforces Landlock/Seatbelt isolation, and maintains the GPG audit trail.
Memory Engine
Hybrid vector + BM25 search server using LanceDB and SQLite. Tracks codebase context changes via filesystem watcher socket (recall.sock) with debouncing.
Transparent Proxy
Port 8080 L1.5 cache proxy for Anthropic & OpenAI wire formats. Implements synthetic projection mutations, kernel-ipc cache rebuild signals, and a 4-tier soft-cap reduction pipeline.
Userspace Client
Lightweight library for secure JSON-RPC communication over UNIX socket (.ostk/ostk.sock). Handles cryptographic envelope signature verification, GPG key checking, and background audit-tailing.
macOS (universal arm64+x86_64), Linux musl arm64/x86_64, Windows x86_64 zip. All on GitHub releases, GPG-signed. ~30 seconds.
ostk is one layer down from the AI coding tools you already use.
Cursor · Claude Code · Continue · Aider · your CLI · local models (Ollama, MLX)
ostk: state envelope · CAS writes · audit chain · capability pins · identity · fleet coordination
your codebase · your filesystem · your machine
The agent surface is what you type into. The kernel is what keeps multiple of them from stepping on each other, what signs every action, and what ensures your agents stay oriented across thousands of turns. ostk doesn't replace your editor or your model. It sits underneath them.
Real ostk sessions, live-typed and on-device. Not screenshots. Not reenactments.
Day one: ostk init, then ostk boot.
Fresh repo to validated kernel in seven seconds.
Real session. No edits. Bottom-text annotation by the kernel itself.
Local model on Apple silicon. Ternary-Bonsai-8B-mlx-2bit lazy-spawns mlx_lm.server, returns a real response. Zero API keys.
Kernel has a clock. Session, swap, audit events, focus.
Kernel as language. Every tack expression resolves to a typed verb.
Audit chain integrity. Hash-chained rows, signed seals, Merkle continuity.
Three failure modes show up the moment LLM agents touch real codebases. ostk addresses each one structurally — at the kernel layer, in the envelope you saw above — not as application-layer hacks bolted onto a chat loop.
They collide.
Two agents edit the same file. Last write wins. Silently. Kernel-mediated CAS writes catch every conflict before it lands. Nothing disappears; the second writer sees a clean error.
→ Read why
They drift.
Each agent has its own context. They re-discover the same things. They forget what was decided. Every syscall returns the working state envelope, so the agent re-grounds each turn — the project develops a memory the fleet shares.
→ Read why
They leave no trace.
You can't replay, audit, or prove what shipped. The kernel records every action in an append-only, hash-chained, Ed25519-signed audit trail. Replay any session, byte for byte.
→ Read why
Want the substrate spec underneath all of this? Read the canonical specifications →
Containers gave processes isolation. They didn't ship coordination. ostk does.
Not a wrapper around containers. Containers contain processes; ostk contains agents.