Source: https://github.com/Hixie/llmdevsilo (Rust; license "other"; security policy in docs/SECURITY.md). Repository record and README as indexed by ecosyste.ms, last synced 2026-06-27.

# llmdevsilo

A harness for running LLM coding agents in a *safe* environment: the agent gets real tools (a shell, the project source, compilers and test runners, the Internet, subagents, the ability to install and run programs) while the host machine, the user's data, and the user's credentials stay out of reach. The security comes from static sandboxing — not from permission prompts, which fatigue users into rubber-stamping.

The full requirements document is [docs/DESIGN.md](docs/DESIGN.md); the implementation map is [docs/ARCHITECTURE.md](docs/ARCHITECTURE.md); the security model is [docs/SECURITY.md](docs/SECURITY.md).

> **Read this before using llmdevsilo.**
> The sandbox does not protect the *contents of the workspace* or anything you explicitly grant access to. The design assumes that **all code being developed is or will be open source**, that any credentials reachable by the agent (for example tokens the proxy injects for GitHub access) are **temporary, scoped development credentials**, and that **production data and environments are never exposed** to the agent. Do not point a harness at a workspace containing secrets.

## What's in the box

| Component | What it is |
| --- | --- |
| `silo` | The harness binary: runs an LLM agent (and its subagents) against a locked workspace inside a sandbox, with all network egress through a filtering, credential-injecting proxy. |
| `silo-tui` | An interactive, colorful terminal client that connects to a running harness. |
| `apps/silo_app` | A Flutter app (desktop, mobile, web) that connects to one or more harnesses, locally or remotely. |

One harness = one workspace + one sandbox + one LLM backend (plus subagents) + one frontend (interactive WebSocket server, headless, or mock for tests).

## Quick start

Build everything (Rust 1.85+):

```sh
cargo build --release
```

Lock a directory as a workspace and start an interactive harness with the Anthropic backend and a macOS sandbox:

```sh
export ANTHROPIC_API_KEY=sk-ant-...
target/release/silo workspace lock ~/dev/myproject
target/release/silo run \
    --workspace ~/dev/myproject \
    --llm anthropic --model claude-sonnet-4-6 \
    --sandbox auto \
    --allow-read /usr/bin --allow-read /bin --allow-read /opt/homebrew \
    --allow-domain docs.rs --allow-domain crates.io --allow-domain '*.github.com' \
    --quota-usd 20
```

Then connect a client:

```sh
target/release/silo-tui            # picks up the local harness automatically
```

Run a one-shot background task instead (no UI; the agent calls the Exit tool when done):

```sh
target/release/silo run --workspace ~/dev/myproject \
    --frontend headless --prompt "Fix the failing tests" \
    --llm anthropic --sandbox auto --allow-read /usr/bin --quota-usd 5
```

When you want your files back, unlock. The harness is terminated, and you get a review of *everything* that changed while the workspace was locked — with changes to auto-exec surfaces (git hooks, `.envrc`, `.vscode` configuration, `package.json` scripts, `build.rs`, …) flagged first:

```sh
target/release/silo workspace unlock ~/dev/myproject
```

Work inside the same sandbox the agent uses (same filesystem and network restrictions — this is the safe way to run the code the agent wrote, because anything malicious it planted is still confined):

```sh
target/release/silo shell --workspace ~/dev/myproject --allow-read /usr/bin
```

This works while a harness is running in the workspace: the shell shares the workspace mount, so you can inspect the agent's work live. When the harness is running and you pass no sandbox flags, the shell mirrors the harness's access policy by default — the same sandbox kind, the same read allowlist, and the same allowed domains, read from the harness's run file. Explicit `--allow-read`, `--allow-domain`, or `--sandbox` flags always win (with a printed note that the shell's policy differs from the harness's). Credential injection is never mirrored: only credentials you pass to the shell with `--inject-credential` are injected.

Pair a phone or another machine: in any connected client request a pairing code (TUI: `/pair`), or start the harness with `--pairing-code`. Enter the address, code, and certificate fingerprint in the remote client; it generates a key pair and authenticates with signatures from then on.

Browsers (the web build of the Flutter client) cannot pin the harness's self-signed certificate the way the other clients do. Either open `https://host:port` in the browser once and accept the certificate warning — the harness answers with a small confirmation page, and the web client can connect from then on — or start the harness with `--tls-cert` and `--tls-key` pointing at a PEM certificate and key the browser already trusts (for development, [mkcert](https://github.com/FiloSottile/mkcert) generates such certificates).

## Installation

The quick start above runs the binaries straight out of `target/release`. To install them properly, see [docs/INSTALL.md](docs/INSTALL.md), which covers a system-wide install (`scripts/install.sh`, binaries plus man pages under `/usr/local`), a per-user install under `~/.local` needing no root, the self-contained macOS disk image with `Silo.app` and the command-line tools embedded, and the relocatable tarball and Debian package builds.

## Choosing a sandbox

| Backend | Platform | Status | Use case |
| --- | --- | --- | --- |
| `sandbox-exec` | macOS | Implemented, integration-tested | Native macOS development (the only practical option for building macOS programs). Seatbelt profile: read-only allowlist, read/write workspace+scratch, network only to the egress proxy. |
| `gvisor` | Linux | Implemented; runtime validation on a Linux host pending | Strong syscall isolation via runsc; egress only through a relay to the harness proxy. |
| `linux-vm` | macOS | Designed, scaffolded — not yet runnable | Linux development from a Mac via Virtualization.framework; see docs/SANDBOX-BACKENDS.md. |
| `microvm` | Linux | Designed, scaffolded — not yet runnable | Firecracker-style hardware isolation; see docs/SANDBOX-BACKENDS.md. |
| `mock` | any | Implemented | Tests: nothing executes, tool calls are validated and answered from a script. |

These are not interchangeable: they have different security tradeoffs, documented in [docs/SANDBOX-BACKENDS.md](docs/SANDBOX-BACKENDS.md).

## LLM backends

`--llm anthropic` (Messages REST), `--llm openai` (Responses REST), `--llm openai-ws` (Realtime WebSocket, text only), `--llm local` (a locally hosted OpenAI-compatible server, optionally spawned and managed by the harness — for example llama.cpp's `llama-server`), `--llm mock` (scripted, for tests).

Cloud backends meter usage in tokens and dollars, enforce session quotas (`--quota-tokens`, `--quota-usd`), and report ongoing cost to every connected client.

## Replay testing

Every session writes a journal (under `~/.llmdevsilo/journals/`) recording all module interactions: prompts, full LLM requests and responses, every tool execution, and network traffic summaries — but never secrets. A journal converts into a deterministic regression test:

```sh
silo replay-test ~/.llmdevsilo/journals/<id>.jsonl -o session.json
silo run --workspace /tmp/replay --create --deterministic \
    --frontend mock --llm mock --sandbox mock --mock-proxy --script session.json
```

The replay uses mock components throughout: no model calls, no code execution, no network.

## State

Everything the harness persists outside workspaces lives in `~/.llmdevsilo` (override with `LLMDEVSILO_STATE_DIR`): journals, frontend authentication material, workspace snapshots and containers. The sandbox can never read this directory — it is on the hardcoded risk list, along with `~/.ssh`, browser profiles, cloud credentials, and other known sensitive paths that the harness refuses to add to the read allowlist.

## Development

```sh
cargo test --workspace          # unit + integration tests (mock components)
cargo clippy --workspace --all-targets
cd apps/silo_app && flutter test
```

The crate layout and contribution conventions are described in [docs/ARCHITECTURE.md](docs/ARCHITECTURE.md).