{"id":50508822,"url":"https://github.com/agentic-research/cloister","last_synced_at":"2026-06-02T18:31:05.328Z","repository":{"id":357930169,"uuid":"1223197070","full_name":"agentic-research/cloister","owner":"agentic-research","description":"Workerd-based hypervisor with a declarative Cap'n Proto manifest. Substrate-level identity, audit, and per-bundle credential scoping. Today's primary application: hosting MCP servers behind one HTTP face.","archived":false,"fork":false,"pushed_at":"2026-05-26T07:17:43.000Z","size":3901,"stargazers_count":5,"open_issues_count":0,"forks_count":1,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-05-26T09:19:01.953Z","etag":null,"topics":["capnproto","cloudflare-workers","durable-objects","gateway","hypervisor","mcp","model-context-protocol","rust","typescript","workerd"],"latest_commit_sha":null,"homepage":null,"language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"agpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/agentic-research.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"docs/security/adversarial-cycles/2026-05-12.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":"AGENTS.md","dco":null,"cla":null}},"created_at":"2026-04-28T05:11:16.000Z","updated_at":"2026-05-26T07:17:49.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/agentic-research/cloister","commit_stats":null,"previous_names":["agentic-research/cloister"],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/agentic-research/cloister","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/agentic-research%2Fcloister","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/agentic-research%2Fcloister/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/agentic-research%2Fcloister/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/agentic-research%2Fcloister/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/agentic-research","download_url":"https://codeload.github.com/agentic-research/cloister/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/agentic-research%2Fcloister/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33833277,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-02T02:00:07.132Z","response_time":109,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["capnproto","cloudflare-workers","durable-objects","gateway","hypervisor","mcp","model-context-protocol","rust","typescript","workerd"],"created_at":"2026-06-02T18:31:04.241Z","updated_at":"2026-06-02T18:31:05.320Z","avatar_url":"https://github.com/agentic-research.png","language":"TypeScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# cloister\n\nCloister hosts AI tools (MCP servers, today) behind one HTTPS\nendpoint. You declare what to host in a config file; the same bundle\nruns locally on your machine for development and on Cloudflare Workers\nin production — no rewrites, no deployment-specific code.\n\n```sh\ntask serve:local # → http://localhost:8787\ncurl http://localhost:8787/health\n```\n\n**What you get for free:**\n\n- **Sandboxed tools.** Each hosted tool runs in its own isolate with\n its own scoped credentials. A compromised tool can't reach the\n others' secrets.\n- **Identity without bearer tokens.** Tools authenticate to each\n other via short-lived certificates rather than long-lived API\n keys — nothing to rotate, nothing to leak.\n- **Signed audit trail.** Every state-changing call leaves a\n hash-chained, signed receipt. A third party can verify what\n happened offline, with only the master public key.\n\n**Three entry points depending on what brought you here:**\n\n- **Run it locally** → [GETTING-STARTED.md](GETTING-STARTED.md)\n- **Understand the architecture** → [docs/ARCHITECTURE.md](docs/ARCHITECTURE.md)\n- **Verify the security claims** → [docs/security/load-bearing-claims.md](docs/security/load-bearing-claims.md)\n\n## Architecture\n\nCloister is a v8-isolate hypervisor on `workerd` with a declarative\nCap'n Proto manifest. Routes, backends, and per-bundle credential\nscopes are substrate concerns — identity (Interlace), audit (signed\nreceipts), and credential isolation are wired in at the substrate, not\nbolted on per-tenant. It's offline-first: runs locally on `workerd`\nwith no cloud account required, and the same TypeScript bundle deploys\nto Cloudflare Workers when you want a public endpoint.\n\nToday's primary application is hosting MCP servers behind one HTTP\nface. `bead_*`, `mache_*`, `lsp_*`, lifecycle\n(`reparse`/`enrich`/`status`), and the Interlace identity bridge are\nthe first tenants — but the contract is\n[`cloister.capnp`](cloister.capnp): anything HTTP-shaped plugs into\nthe same route table without touching the substrate. See\n[ADR-0004](docs/adr/0004-capnp-manifest.md) for the manifest shape,\n[ADR-0009](docs/adr/0009-compute-substrate-portability.md) for the\nsubstrate-portability claim, and\n[ADR-0011](docs/adr/0011-hypervisor-bundle-boundary.md) for what lives\nat the hypervisor layer vs the bundle layer.\n\n```mermaid\ngraph TB\n Client[\"external client\u003cbr/\u003e(MCP / curl / browser /\u003cbr/\u003eanother cluster's bundle)\"]\n\n subgraph host [\"Host runtime — workerd today (CF Workers in prod);\u003cbr/\u003eFirecracker / WASI per ADR-0009\"]\n subgraph hyp [\"Hypervisor layer — cloister-router bundle\"]\n ROUTER[\"Router\u003cbr/\u003edeclarative EdgeRoute table\u003cbr/\u003e(from cloister.capnp)\"]\n MCP[\"MCP face\u003cbr/\u003e/mcp (JSON-RPC + SSE)\"]\n IDENT[\"/identity/*\u003cbr/\u003e(Interlace lease verification,\u003cbr/\u003eper ADR-0007)\"]\n WK[\".well-known/\u003cbr/\u003einterlace/index.json\u003cbr/\u003e(capability discovery)\"]\n HLT[\"/health\"]\n end\n\n subgraph state [\"Cluster state\"]\n DO[\"BeadStore DO\u003cbr/\u003e(per-repo SQLite)\"]\n TRUST[\"TrustStore DO\u003cbr/\u003e(singleton, per ADR-0012)\u003cbr/\u003epeer_lease_counters,\u003cbr/\u003epeer_attestations\"]\n BLOB[(\"BlobStore DO\u003cbr/\u003e(singleton, per ADR-0003)\u003cbr/\u003econtent-addressed bytes\")]\n VAULT[(\"CredentialVault DO\u003cbr/\u003e(singleton, per ADR-0013)\u003cbr/\u003eHKDF+AES-GCM envelope,\u003cbr/\u003eallowedSubs gate\")]\n end\n\n subgraph siblings [\"Sibling bundles (intra-cluster — service bindings, unforgeable)\"]\n NOTME[\"notme-identity\u003cbr/\u003eSigningAuthority master,\u003cbr/\u003eborn-in-CF, never leaves\"]\n COMP[\"cloister-companion\u003cbr/\u003e(Rust sidecar — IPC seam,\u003cbr/\u003eper ADR-0005 amendment)\"]\n HELPER[\"leyline-sign-helper\u003cbr/\u003e(Rust host binary — sign-only,\u003cbr/\u003eper ADR-0019)\"]\n end\n end\n\n EXT[\"external services\u003cbr/\u003e(rosary / mache / LLO / signet —\u003cbr/\u003eNOT bundles; reached via httpForward)\"]\n\n Client --\u003e|HTTPS| ROUTER\n ROUTER --\u003e MCP\n ROUTER --\u003e IDENT\n ROUTER --\u003e WK\n ROUTER --\u003e HLT\n MCP --\u003e|state writes| DO\n MCP --\u003e|state writes| TRUST\n MCP --\u003e|canonical bytes| BLOB\n MCP --\u003e|credential reads| VAULT\n VAULT -.-\u003e|\"KEK_HELPER fetch\"| HELPER\n IDENT --\u003e|svc binding| NOTME\n MCP --\u003e|svc binding| COMP\n COMP -.-\u003e|\"leyline-net wire\u003cbr/\u003e(real network)\"| EXT\n\n style hyp fill:#dde7ff,color:#000\n style state fill:#fff5e1,color:#000\n style siblings fill:#fff5e1,color:#000\n style EXT fill:#f5f5f5,color:#000\n```\n\n## Quickstart\n\nFive-minute three-terminal smoke. For the full walkthrough (toolchain,\nports, auth setup, plugin install), see\n[GETTING-STARTED.md](GETTING-STARTED.md).\n\n```bash\n# Terminal 1 — ley-line-open daemon (for lsp_* + reparse/enrich/status)\nleyline daemon --mcp-port 8384\n\n# Terminal 2 — cloister\npnpm install \u0026\u0026 task dev:bootstrap \u0026\u0026 task dev # → http://localhost:8787\n\n# Terminal 3 — notme (optional, for /identity/*)\ncd ../notme/worker \u0026\u0026 wrangler dev --port 8788\n```\n\nSmoke test:\n\n```bash\ncurl -s -X POST http://localhost:8787/mcp \\\n -H 'Content-Type: application/json' \\\n -d '{\"jsonrpc\":\"2.0\",\"method\":\"tools/list\",\"id\":1}' \\\n | jq '.result.tools[].name'\n```\n\nWire Claude Code:\n\n```jsonc\n{\n \"mcpServers\": {\n \"cloister\": { \"transport\": \"http\", \"url\": \"http://localhost:8787/mcp\" }\n }\n}\n```\n\nClient-specific wiring (Cursor, raw curl, auth, common failure modes)\nis in [docs/integration/mcp-client.md](docs/integration/mcp-client.md).\n\n## What cloister is NOT\n\nSo you can decide whether to keep reading, here's what cloister\n*explicitly isn't*:\n\n- **Not an MCP server.** MCP is the most visible tenant today, but\n cloister is a substrate (edge router + bundle host + auth\n middleware). The identity-format-shifting bridge (OIDC / WebFinger /\n NIP-05) at `/.well-known/*` is another tenant; adding further tenants\n (gRPC, WebSocket, anything HTTP-shaped) plugs into the same\n `EdgeRoute` table without touching the substrate\n (per [ADR-0002](docs/adr/0002-edge-router-protocol-agnostic-backends.md)).\n- **Not Kubernetes.** cloister's cluster shape (`cluster.toml` →\n multi-container pod) targets containerd / podman / nerdctl / kubelet,\n but it doesn't replace them. You bring your container runtime;\n cloister provides the manifest + the wiring. The operator surface\n is TOML (`cluster.toml` at the repo root, see\n [ADR-0025](docs/adr/0025-bidi-toml-pipeline.md)); capnp remains the\n substrate schema authority.\n- **Not a service mesh.** No Envoy sidecar per service. The lease\n middleware lives in cloister-router itself — one gate at the cluster\n edge, not N gates at N sidecars.\n- **Not a database.** Durable Objects hold bead/trust/blob/vault state,\n but they're an integration point, not the system of record. Replicas\n + multi-region storage are an ADR-0010 follow-on.\n- **Not a build tool.** apko / melange build the OCI images; cloister\n consumes those artifacts via the manifest. The container ecosystem\n is BYO.\n- **Not a replacement for Cloudflare Workers.** workerd runs on CF\n Workers identically; cloister cluster-in-a-pod is for self-hosters\n who don't want a CF account. Same code, different host.\n\n## Load-bearing claims\n\nFive security properties cloister publishes are defended by running\ncode + tests + cross-implementation byte-equality. The full prose with\nstatus, test pointers, and honest caveats is at\n[docs/security/load-bearing-claims.md](docs/security/load-bearing-claims.md);\nthe gate at [docs/security/threat-model.md](docs/security/threat-model.md)\nis where the test-vs-claim accounting lives.\n\nEach row is a one-line summary; the [full doc](docs/security/load-bearing-claims.md) carries the prose, test pointers, and honest caveats.\n\n| Claim | Where it lives | Status |\n|---|---|---|\n| **§13.2 \"silence is evidence\" — request side**: every authenticated request advances a hash-chained counter. | [ADR-0007](docs/adr/0007-interlace-substrate.md); [`src/storage/peer-lease-counters.ts`](src/storage/peer-lease-counters.ts) | Shipped 0.1.0. |\n| **§13.2 \"silence is evidence\" — response side**: every state-boundary write advances an attestation chain (Interlace 0.2.0 receipts). | [ADR-0007](docs/adr/0007-interlace-substrate.md); [`interlace-spec/0.2.0-draft/RECEIPTS.md`](interlace-spec/0.2.0-draft/RECEIPTS.md) | Phase 1 shipped 2026-05-12 (emit-but-don't-enforce). Phase 2 cutover (peers fail-closed) is operator action. |\n| **§9.4.b constant-time 404** — the disclosure endpoint can't be used as a peer-enumeration oracle. | [`src/routes/disclosure.ts`](src/routes/disclosure.ts) + `TrustStore.peerHasChain` | Bench-pinned ([`docs/perf/2026-05-10-disclosure-endpoint.md`](docs/perf/2026-05-10-disclosure-endpoint.md)). Pre-fix delta 17×; post-fix 60µs inside workerd's quantization floor. **CLOSED** (re-verified 2026-05-12 by oracle-friend). |\n| **Slice-grant via V8 isolate + service-binding-as-syscall** — a compromised tool bundle cannot exfiltrate credentials outside its `allowedSubs`. Plaintext credential bytes never cross the RPC boundary. | [ADR-0013](docs/adr/0013-slice-grant-enforcement.md); [`src/vault-store.ts`](src/vault-store.ts) | Prompt-injection demo at [`test/security/prompt-injection.test.ts`](test/security/prompt-injection.test.ts) (19 cases). Per-bundle DO design (ADR-0021) Proposed not Implemented. |\n| **Trust-anchor-helper sign-only protocol** — `leyline-sign-helper` holds master_sk; only `POST /sign` exposes signing; key bytes never leave the helper. | [ADR-0019](docs/adr/0019-sign-only-helper-protocol.md); [`rs/crates/sign/`](rs/crates/sign/) | 5-cycle adversarial review 2026-05-12 closed 6 of 7 §15 invariants; supervisor binary-attestation deferred. `rs/crates/sign/tests/host_adversarial.rs` (5 tests). |\n| **Substrate overhead bounded + measured** — lease pipeline \u003c1ms p50 / 1ms p99 / 3ms p99 (post-batching). 85% of cost is DO RPCs. | [`docs/perf/2026-05-10-lease-pipeline.md`](docs/perf/2026-05-10-lease-pipeline.md) | Bench-pinned; reproduce via `task bench:lease`. |\n\nThe wire protocol is **documented standalone** at\n[`interlace-spec/0.1.0/`](interlace-spec/0.1.0/README.md) — formal CDDL\nschemas, 27 deterministic test vectors. The Python reference impl\npasses the same vectors as cloister's TypeScript runtime; that's the\ncross-check mechanism. The spec exists for cloister's rigor, not as a\ncampaign to standardize externally.\n\n## How it's shaped\n\n**At the hypervisor layer** (per\n[ADR-0011](docs/adr/0011-hypervisor-bundle-boundary.md) — code is\nhypervisor-layer if it mediates between bundles, multi-bundle blast\nradius if compromised, singleton per cluster):\n\n- **Routing** — `Router` + `EdgeRoute` dispatch over `/mcp`, `/health`,\n `/identity/*`, `/.well-known/*`, `/interlace/peers/{fp}`.\n- **Lease verification** — verify Signet ephemeral certs against the\n pinned master + freshly-fetched epoch bundle. Bundles see only the\n verified cert + resolved scope.\n- **Capability distribution** — credential reads gate through the\n `CredentialVault` DO; per-credential `allowedSubs` glob lists filter\n against the caller's identity. Enforcement is **V8 isolate +\n service-binding-as-syscall** (ADR-0013), not signed slice tokens.\n- **State-boundary attestation** — bead writes go through the cross-DO\n orchestrator at\n [`src/routes/bead-create-orchestrator.ts`](src/routes/bead-create-orchestrator.ts)\n per ADR-0012's four-step handoff.\n\n**At the bundle layer**: HTTP-shaped tenants registered in\n`cloister.capnp` (today: `bead_*`, `mache_*`, `lsp_*`, lifecycle, the\nidentity bridge). Sibling bundles reach cloister-router via UDS service\nbindings — the full cluster bundle map (tier + transport + purpose) is\n[`docs/reference/bundle-topology.md`](docs/reference/bundle-topology.md).\n\nRead [docs/ARCHITECTURE.md](docs/ARCHITECTURE.md) for the runtime\nmodel + component map + sequence diagrams.\n\n## Run it\n\nThree local paths, same code:\n\n```bash\ntask dev # Path A — wrangler dev hot-reload, easiest\ntask serve:local # Path B — workerd serve dist/config.capnp (no CF account)\ntask cluster:dev # Path C — mac-native cluster topology with UDS bindings\n```\n\nPath B is closest to the production OCI image and writes to `/data/do`\nby default (matches the apko image's mount point). Create the dir\nonce on Linux: `sudo mkdir -p /data/do \u0026\u0026 sudo chown \"$USER\" /data/do`.\n**On macOS or any host where `/data` isn't writable**, set\n`CLOISTER_DO_PATH` to a writable absolute path before `task build:local --force` —\nper [ADR-0023](docs/adr/0023-host-path-resolution.md). Path A\n(`task dev`) uses `.wrangler/state/` (already in `.gitignore`) and\nneeds no setup. Full walkthrough:\n[GETTING-STARTED.md](GETTING-STARTED.md).\n\n\u003e **⚠️ DO SQLite is unencrypted at rest.** Whichever path you pick\n\u003e (`/data/do`, `.wrangler/state/`, `$XDG_DATA_HOME/cloister/do` via\n\u003e `CLOISTER_DO_PATH`, or `$HOME/.cache/cloister-dev/do/` for\n\u003e `cluster:dev`), the DO SQLite databases — beads, trust state,\n\u003e blob digests, vault ciphertext metadata — live on disk in plaintext\n\u003e SQLite files. The vault ciphertexts *inside* those files ARE\n\u003e AES-GCM-encrypted (per ADR-0013/0014); the bead/trust/blob tables\n\u003e are not. Don't drop production-sensitive data into a dev install;\n\u003e if you need on-disk encryption-at-rest of the SQLite files\n\u003e themselves, that's an open follow-on (no ADR yet — file one if you\n\u003e need it).\n\n## Tasks\n\n```bash\ntask lint # tsc + worker tests + plugin tests + lint:* — ~10s\ntask verify # lint + wire roundtrip + leyline-stub smoke\ntask smoke # spins up leyline + cloister, exercises full chain\ntask test # vitest in real workerd (real DOs, real SQLite)\ntask manifest # cloister.capnp → src/generated/manifest.ts\ntask build:local # bundle for workerd (depends on `manifest`)\ntask dev # wrangler dev hot-reload\ntask serve:local # workerd serve dist/config.capnp\ntask helper:start # leyline-sign-helper foreground on 127.0.0.1:8786\ntask apk # build APK via melange (signed)\ntask image # compose distroless OCI image via apko\ntask image:check # validate melange.yaml + apko.yaml without a real build\ntask bench:lease # opt-in perf bench (or :dispatch / :trust-store / :disclosure / :cold-start / :all)\n```\n\nFull task surface: `task --list-all`.\n\n## Hardening + plugin\n\n- **`ALLOWED_ORIGINS`** — CORS allowlist (env var, comma-separated).\n Default is wildcard echo for dev. Set to e.g.\n `http://localhost:*,https://app.example.com` for prod. Supports a\n trailing `:*` port wildcard per entry; no general globs.\n- **`VAULT_KEK_SOURCE`** — picks where the vault DO resolves its\n envelope-encryption KEK from. Schemes: `keychain://`,\n `apple-password://`, `keyring://`, `op://`, `secret-tool://`,\n `file://`, `env://`, `http(s)://`. See\n [ADR-0014](docs/adr/0014-pluggable-kek-source.md) +\n [GETTING-STARTED §9](GETTING-STARTED.md#vault-kek--keep-it-out-of-plaintext-bindings).\n- **`LEYLINE_SIGN_CALLER_TOKENS`** + `--require-auth` —\n trust-anchor-helper auth (production deploys MUST set; ADR-0019).\n Additional helper env vars frozen in ADR-0019 reqs 14–18:\n `LEYLINE_SIGN_RESOLVE_ALLOW`, `LEYLINE_SIGN_SIGN_ALLOW`,\n `LEYLINE_SIGN_OP_BIN`, `LEYLINE_SIGN_SECURITY_BIN`,\n `LEYLINE_SIGN_RESOLVE_TTL_MS`, `LEYLINE_SIGN_RESOLVE_CACHE_MAX`.\n- **Container** — `task image` produces a distroless OCI image\n (`cloister.tar`), workerd + bundle only, no shell/pkgmgr, runs as\n uid `65532`. Mount `/data` for DO SQLite persistence.\n\n**Claude Code plugin.** The repo doubles as a CC plugin (root\n`.claude-plugin/plugin.json`). Install:\n\n```sh\nclaude plugin add ~/path/to/cloister\n```\n\nRegisters a `PostToolUse` hook that fires `reparse` against cloister\nso `lsp_*` tools stay accurate inside long sessions. Config + tests:\n[hooks/README.md](hooks/README.md).\n\n## Ecosystem\n\n| Service | Runtime | Role |\n| ------------------------------------------------------------ | -------------------- | --------------------------------------------- |\n| cloister | workerd / CF Workers | Edge router (this repo) |\n| [notme](https://github.com/agentic-research/notme) | workerd / CF Workers | Identity authority + UDS-front for daemons |\n| [ley-line-open](https://github.com/agentic-research/ley-line-open) | Rust daemon | Tree-sitter parse + LSP enrichment + MCP HTTP |\n| rosary | Rust binary | Orchestration, bead tracking, dispatch |\n| mache | Go binary | Code intelligence FUSE |\n| signet | Go binary | Key exchange |\n\n## Where to go next\n\n- **Operator setup** — [GETTING-STARTED.md](GETTING-STARTED.md) (install, run, wire upstreams, plugin)\n- **Substrate description** — [docs/ARCHITECTURE.md](docs/ARCHITECTURE.md) (runtime model, sequence diagrams, bindings, component map)\n- **All `docs/`** — [docs/README.md](docs/README.md) (orientation map for the 8 subdirs)\n- **Architectural decisions** — [docs/adr/](docs/adr/) (29 numbered ADRs; 0001–0029, with ADR-0022 added by `cloister-9443f0` as the schema-bridge + substrate-IDL positioning ADR, ADR-0027 added by `cloister-1b59a2` as the substrate-as-kernel capability matchmaker, ADR-0028 added by `cloister-224917` as the capability-identifier-scheme reconciliation, and ADR-0029 added by `cloister-7c0a0b` as the per-repo membership boundary for the OCI registry surface; start with 0001 → 0002 → 0007 → 0011 for the core mental model). Per-ADR status table in [`docs/STATUS.md`](docs/STATUS.md).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fagentic-research%2Fcloister","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fagentic-research%2Fcloister","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fagentic-research%2Fcloister/lists"}