Workcell runs coding agents inside a bounded local runtime on Apple Silicon
macOS: a dedicated Colima VM plus a hardened container inside that VM. It ships
Tier 1 adapters for Codex, Claude Code, GitHub Copilot CLI, and Gemini that
seed each provider's native control plane without pretending provider config is
the security boundary. Google Antigravity CLI remains a queued fail-closed
follow-on; current releases do not support `--agent antigravity`.

This project is for teams that want local agent velocity without turning the host home directory, keychain, provider state, or local sockets into the trust boundary.
- keep the runtime boundary explicit: dedicated VM, hardened container, minimal mounts
- keep provider adapters native: one shared boundary, thin provider-specific control-plane mapping
- keep publication on the host: signed commits, signed-range verification, and GitHub publication stay out of Tier 1
- keep verification paths nonroot by default: runtime and validator images default to a named unprivileged `workcell` user, while repo-mounted validation lanes pass explicit caller UID/GID and isolated writable state, with a synthesized isolated home when the caller UID has no passwd entry in the image
- keep lower-assurance paths visible: development, package mutation, transcripts, and `breakglass` are labeled instead of implied

| Approach | Primary boundary | Provider-native control plane | Host-side signed publication | Lower-assurance paths called out |
|---|---|---|---|---|
| Host-native provider CLI | host user session | yes | no | rarely |
| Generic container wrapper | container only, often mixed with host state | often partial | varies | often unclear |
| Workcell | dedicated Colima VM plus hardened container | yes | yes | yes |
- pre-1.0 and still tightening the public contract
- Apple Silicon macOS hosts only today; Linux and Windows are not currently supported as launch hosts
- local host-launched runtime first; cloud-facing paths today are the preview-only `remote_vm/aws-ec2-ssm/compat` and `remote_vm/gcp-vm/compat` broker plans, and their live smokes remain certification-only
- CLI surfaces for Codex, Claude, Copilot, and upstream-served Gemini auth modes plus host-side detached session control and inspection commands
- GitHub Copilot CLI uses explicit `copilot_github_token` staging through reviewed host-side inputs, converts it to a host-mounted token handoff outside mounted provider state, moves it through a transient runtime handoff file, and exports its value as `COPILOT_GITHUB_TOKEN` only to the managed Copilot child process, with isolated `COPILOT_HOME` and `COPILOT_CACHE_HOME`; host `gh` auth, Copilot provider state (`~/.copilot`, `~/.config/github-copilot`, `~/.cache/github-copilot`), keychains, and whole-home state are not safe-path inputs
- Google Antigravity CLI is queued behind the same evidence bar and remains planned/fail-closed until Workcell ships adapter, auth, quickstart, deterministic evidence, and live certification together
- GitHub-hosted CI verifies repo shape, reproducibility, release posture, and secretless runtime behavior
- GitHub-hosted CI verifies bundle install/uninstall and Homebrew install/uninstall on Apple Silicon `macos-26` and `macos-15` on pushes to `main`, manual dispatch, and PRs labeled `approved-heavy-ci`
- the real macOS Colima boundary is still a local operator exercise because GitHub-hosted Linux runners cannot prove it
- the canonical host support boundary lives in policy/host-support-matrix.tsv, and `--doctor`/`--inspect` emit matching host and `support_matrix_*` lines
- Workcell does not yet ship a centralized enterprise policy, inventory, or analytics plane; team rollout today relies on distributing reviewed host-side files

Breaking changes should be called out in CHANGELOG.md and tracked in ROADMAP.md.
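
The Copilot handoff described in the list above (a transient handoff file, a token exported only to the managed child, isolated `COPILOT_HOME` and `COPILOT_CACHE_HOME`) can be illustrated in shell. This is an added example, not Workcell's implementation: the function name `run_with_token_handoff`, the owner-only mode check, and the temporary directory layout are assumptions; only the `COPILOT_*` variable names come from this README.

```shell
#!/bin/sh
# Added illustration of a child-scoped token handoff; NOT Workcell's own code.
# run_with_token_handoff and the state-directory layout are hypothetical.

# run_with_token_handoff HANDOFF_FILE CMD [ARGS...]
# The function body is a subshell, so nothing it sets leaks into the caller.
run_with_token_handoff() (
  handoff=$1; shift

  # Refuse a handoff file that group or other can access (GNU stat, then BSD stat).
  mode=$(stat -c %a "$handoff" 2>/dev/null || stat -f %Lp "$handoff" 2>/dev/null) || exit 1
  case $mode in
    [0-7]00) ;;
    *) echo "refusing handoff file with mode $mode" >&2; exit 1 ;;
  esac

  # Throwaway provider state, so the child never touches the caller's real home.
  state=$(mktemp -d) || exit 1
  mkdir -p "$state/home" "$state/copilot" "$state/cache"

  # Open the file on fd 3, then unlink it: the token now exists only behind
  # that descriptor and never appears in argv or in this shell's variables.
  exec 3<"$handoff"
  rm -f "$handoff"

  # env -i drops every inherited variable (GH_TOKEN, SSH_AUTH_SOCK, ...).
  # The wrapper reads the token from fd 3, closes fd 3, exports the token,
  # and execs the managed command, which is the only process that sees it.
  rc=0
  env -i PATH="$PATH" HOME="$state/home" \
    COPILOT_HOME="$state/copilot" COPILOT_CACHE_HOME="$state/cache" \
    sh -c 'IFS= read -r COPILOT_GITHUB_TOKEN <&3; exec 3<&-
           export COPILOT_GITHUB_TOKEN; exec "$@"' sh "$@" || rc=$?

  exec 3<&-
  rm -rf "$state"
  exit "$rc"
)
```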
- use GitHub Discussions for usage questions, operator workflow notes, and open-ended design conversations
- use GitHub issues for confirmed bugs and concrete feature requests
- use SECURITY.md for security-sensitive reports

See SUPPORT.md, CONTRIBUTING.md, and CITATION.cff for the contributor and operator contract.

Pick the entry point that matches what you need. Each is a short labeled list of links; the full index is in the Docs map below.
- Operators — run Workcell locally: 5-minute path · install options · onboarding and auth · provider quickstarts · command reference · mode map · safe-path expectations
- Enterprise evaluators — assess the assurance model: enterprise evidence baseline · threat model · security invariants · support tiers · enterprise rollout
- Contributors — work on Workcell: repository layout · contributor workflow · agent guidelines · improvement-tracks plan

Install Workcell, create the host-side auth policy, inspect the derived posture, then launch:

```bash
./scripts/install.sh
workcell auth init
workcell auth set \
  --agent codex \
  --credential codex_auth \
  --source /Users/example/.config/workcell/codex-auth.json
workcell --agent codex --doctor --workspace /path/to/repo
workcell --agent codex --inspect --workspace /path/to/repo
workcell --agent codex --workspace /path/to/repo
```

For Copilot, use the provider-specific credential instead of the Codex auth file:

```bash
workcell auth set \
  --agent copilot \
  --credential copilot_github_token \
  --source /Users/example/.config/workcell/copilot-github-token.txt
workcell --agent copilot --workspace /path/to/repo
```

See docs/getting-started.md for the release install
path and provider-specific onboarding. For team rollout patterns on today's
local-first product, see docs/enterprise-rollout.md.
Use policy/host-support-matrix.tsv to interpret the
host support boundary that `--doctor` and `--inspect` report.

On Apple Silicon macOS, download a tagged release bundle, unpack it, and run the supported installer:

```bash
tar -xzf workcell-vX.Y.Z.tar.gz
cd workcell-vX.Y.Z
./scripts/install.sh
```

`./scripts/install.sh` installs only the missing required Homebrew formulas
(`colima`, `docker`, `gh`, `git`, `go`) before it links the launcher.
For the Homebrew formula asset, the source checkout path, and the full host requirements, see docs/install.md.

The supported commands at a glance; follow the links for the full behavior and options.

- `workcell --agent <name> --workspace /path/to/repo` — launch a managed agent session (see the 5-minute path and provider quickstarts).
- `--target colima|docker-desktop|aws-ec2-ssm|gcp-vm` — select the runtime backend (safe-path expectations).
- `--prepare` and `--prepare-only` — pre-build the runtime image before, or instead of, launching (safe-path expectations).
- `--doctor`, `--inspect`, and `--auth-status` — inspect host readiness, a resolved launch plan, and auth posture (onboarding and auth).
- `workcell why` — explain a credential or configuration decision (onboarding and auth).
- `workcell session` — manage detached sessions, including `workcell session start`, `workcell session list`, and `workcell session diff` (safe-path expectations).
- `workcell publish-pr` — the host-side PR publication helper (safe-path expectations).

| Topic | File |
|---|---|
| Install and requirements | docs/install.md |
| Onboarding and auth | docs/onboarding-and-auth.md |
| Provider quickstarts | docs/provider-quickstarts.md |
| Mode map | docs/mode-map.md |
| Safe-path expectations | docs/safe-path-expectations.md |
| Release posture | docs/release-posture.md |

| Topic | File |
|---|---|
| Contributor workflow | CONTRIBUTING.md |
| Support | SUPPORT.md |
| Code of conduct | CODE_OF_CONDUCT.md |
| Governance | GOVERNANCE.md |
| Maintainers | MAINTAINERS.md |
| Roadmap | ROADMAP.md |
| Changelog | CHANGELOG.md |
| Security reporting | SECURITY.md |
| Stability and exit-code contract | docs/stability-contract.md |
| Standards watchlist | docs/standards-watchlist.md |

- `runtime/`: VM and container boundary implementation
- `policy/`: shared contract layer and hosted-control policy
- `adapters/`: provider-native baselines for Codex, Claude, Copilot, and Gemini, plus fail-closed Antigravity planning scaffolding
- `cmd/`: host-side and runtime-side Go entrypoints (the `workcell-*` binaries)
- `internal/`: shared Go packages backing the `cmd/` binaries
- `scripts/`: launcher, validation, release, audit, and bootstrap entrypoints
- `verify/`: invariant-oriented verification material
- `man/`: `workcell.1` manpage
- `tests/`: scenario manifests and fixtures
- `tools/`: developer tooling (markdownlint, validator image)
- `docs/`: user-facing design, quickstarts, install, and release docs
- `workflows/`: implementation notes such as adapter porting guidance

Workcell is licensed under Apache-2.0. See LICENSE.