Plenty of developers now keep several coding agents close at hand, reaching for Claude Code on one task and Codex or Cursor on the next. Each tool arrives with its own command line, its own handling of credentials, and its own way of running shell commands against a working directory. That spread leaves teams with a governance gap around where agent actions land and how much they cost.
Omnigent, an open-source project, sits one level above those tools as a meta-harness. The common layer drives Claude Code, Codex, Cursor, OpenCode, Hermes, Pi, and agents a team writes in YAML, and a user swaps or combines them with one-line changes. Omnigent draws on a first-party API key, a Claude or ChatGPT subscription, or any compatible gateway such as OpenRouter, with a per-agent default a user can switch mid-session. A single session follows the user from a terminal to a browser to a phone, with messages, sub-agents, terminals, and files in sync.
Guardrails set at the harness layer
The security design centers on policies. A policy governs what an agent may do across shell commands, file edits, and token spend, and it checks every action to allow it, block it, or pause for a person’s approval. Spend caps and access limits ship as builtins, so a session can carry a hard dollar ceiling with a softer warning along the way. These checks run at the meta-harness layer as stateful, data-centric rules that track agent actions, which keeps enforcement out of the prompt where an agent might drift past it.
Policies stack across three levels. An administrator sets server-wide rules, a developer sets per-agent rules, and the person in a session sets per-session rules, with the stricter session rules checked first. A team can write a policy in plain language inside a chat, and the agent assembles it for them.
Sandboxing and brokered credentials
Each agent runs inside an operating-system sandbox that restricts filesystem and network reach. On Linux that isolation comes from bubblewrap and is mandatory for the native terminal wrappers; macOS relies on the built-in seatbelt sandbox. The sandbox can hide credentials from the agent and broker access to them, which lets a user grant an agent wide latitude with the secrets held back. Omnigent describes this as a way to “Run YOLO mode safely.”
Windows support arrives in a degraded mode. Agents there run under a Windows Job Object for process-tree containment and resource limits, with filesystem and network isolation absent, so Windows users who want sandboxing get pointed toward Linux, macOS, or WSL.
Shared sessions and the host machine
Collaboration runs through shared sessions. A teammate opens a link and follows an agent in real time, with history, inline comments, and a code editor side by side. A second mode, co-drive, lets a teammate attach to a running session so their messages execute on the host’s machine, which suits pairing and handing the keyboard to a domain expert mid-investigation. That arrangement puts the host on the hook for what a collaborator triggers, and the policy layer and sandbox become the controls that hold a shared session in bounds. Accounts are invite-only, and a deployed server can route sign-in through Google, GitHub, Okta, or Microsoft.
A second vendor on every diff
Two example agents ship with the repo. Polly works as a coding orchestrator that handles planning and delegation; she assigns the work to coding sub-agents in parallel git worktrees, sends each diff to a reviewer drawn from a different vendor than the one that wrote it, and leaves the merge to the user.
Debby works as a brainstorming partner with two heads, one Claude and one GPT. A debate command sets the two against each other for a few rounds before they converge. Both patterns lean on the same idea, putting more than one vendor’s model on a single piece of work.
Where it runs
A team can keep everything on a laptop or push sessions into disposable cloud sandboxes from providers including Modal, Daytona, E2B, CoreWeave, and Kubernetes, launched from the command line or provisioned per session so a machine can stay offline. The server can provision a sandbox per session, a setup the project calls managed hosts, so an always-on host carries the work.
Omnigent is available for free on GitHub.
![]()
Must read:
![]()
Subscribe to the Help Net Security ad-free monthly newsletter to stay informed on the essential open-source cybersecurity tools. Subscribe here!
![]()

