pi
defaultThe default agent, with the widest provider support. Runs against LM Studio locally, or any major cloud model by dropping a key into your env file.
-a pi
Learn more
Harness wraps Docker around three open-source coding agents — pi, opencode, and hermes — so you can point one at a project without giving it access to your entire machine. Local-first, supply-chain hardened, and zero install.
$ npx @boldblackai/harness -p "write a fizzbuzz in Go"Instead of installing an agent straight onto your machine — where it can read your keys, your other projects, everything — harness runs it inside a hardened container that only sees what you hand it.
Your current directory is mounted at /workspace
inside the container and the agent works against it. Scope it down to a
single file with -f when you want to.
Every run is capability-dropped with no-new-privileges
and a seccomp profile. The agent never reaches the rest of your machine —
just the path you mounted.
Under the hood, harness wraps Docker around three open-source coding agents — pi, opencode, and hermes — behind one CLI. It's MIT licensed and open source.
Pick an agent with -a. Same flags, same flow. Start local with LM Studio, or drop in a provider key and reach for a bigger model — whichever agent you choose.
The default agent, with the widest provider support. Runs against LM Studio locally, or any major cloud model by dropping a key into your env file.
-a pi
Learn more
Fast, terminal-native coding. Uses LM Studio by default and auto-detects your provider from the env file when you switch to cloud mode.
-a opencode
Learn more
NousResearch's agent. Broad provider and MCP support, and the one to reach for when deploying a long-running claw on fly.io, Kubernetes, or AWS.
-a hermes
Learn more
No global install, no config file. If you have a container runtime, you have everything you need — npx does the rest.
$ npx @boldblackai/harness -p "write a fizzbuzz in Go"npx, bunx, and pnpm dlx are interchangeable — or install it globally.
Harness runs agents inside Docker by default — nothing else to install globally. On macOS 26 / Apple Silicon you can opt into Apple's native container CLI instead.
cd into any project and run harness. Your current directory is mounted at /workspace inside the container and the agent works against it — and nothing else.
$ npx @boldblackai/harness -p "write a fizzbuzz in Go"With no keys, harness uses LM Studio locally with gemma-4-e4b. Start the daemon and pull the model once, and everything runs on your machine.
$ lms daemon up && lms get google/gemma-4-e4bDrop an API key into an env file to switch to Anthropic, OpenAI, OpenRouter, Gemini, and more. Same CLI, same flow — the agent auto-detects the provider.
$ npx @boldblackai/harness -e .env -p "add tests"Switch between pi, opencode, and hermes with -a. Interactive runs persist their state; one-shot prompts stay fully ephemeral.
$ npx @boldblackai/harness -a hermes -e .env -p "add tests"The same sandbox we wanted for ourselves — capability-dropped, signature-verified, and supply-chain hardened, so you get autonomous agents without the blast radius.
Every run is capability-dropped with no-new-privileges and a seccomp profile. The agent only sees the directory — or single file — you mount, never the rest of your machine.
Switch between pi, opencode, and hermes with -a. Same flags, same flow. Point any of them at your project without changing your workflow.
The image is signed and verified with cosign and SLSA provenance on every run, and dependencies sit out a 7-day cooldown to dodge fresh supply-chain attacks.
Runs against LM Studio out of the box — no API key required. Drop in a key for Anthropic, OpenAI, OpenRouter, Gemini and more when you want a bigger model.
Harness layers defenses at runtime, image, and dependency level — so an autonomous agent stays contained even when it's doing real work.
Every run drops all capabilities, sets no-new-privileges, and applies an inline seccomp profile that blocks known container-escape vectors. Only the path you mount is visible to the agent.
The container image is signature- and provenance-checked with cosign and SLSA on every run. Verified digests are cached, so it only happens once per image.
The image build enforces a 7-day cooldown on dependency resolution — a guard against supply-chain compromises that are typically discovered and yanked within hours.
One command, no setup beyond a container runtime. Sandboxed, local-first, and open source.
$ npx @boldblackai/harness -p "write a fizzbuzz in Go"