The news. As of July 6, 2026, Omnigent — an Apache-2.0, open-source meta-harness for coding agents — had climbed to roughly 6,300 GitHub stars. Its pitch is one common layer over Claude Code, Codex, Cursor, OpenCode, Hermes, Pi, and custom YAML-defined agents. From a single session you set the credentials once, share state across agents, and — in the project's words — "enforce policies and sandboxing, and collaborate in real time from any device." It runs on Python 3.12+ and leans on OS-level sandboxing: bubblewrap on Linux, seatbelt on macOS. See the project →

Picture a busy construction site with three trade crews on it — an electrician from one firm, a plumber from another, a framer from a third. Each shows up with their own tools and their own way of working, and that is fine. What you do not want is three crews wandering the whole site with three different sets of keys, three different sign-in sheets, and no one place that says who is allowed to do what. That is what running several coding agents looks like today: Claude Code, Codex, and Cursor are each their own CLI, each with its own login, its own session, and its own direct line to the shell on your machine. A meta-harness is the site office every crew checks in through — one control layer that sits above all of them.

Route every agent through that one office and the scattered setup collapses into a single desk. The office issues one badge instead of three logins, keeps one logbook so a task another agent started is state any agent can continue, and runs a permit check before a crew is cleared to act. The important move is where the rules live: instead of hoping each agent's prompt tells it to behave, governance moves out of each agent's prompt and into one runtime you control — the same instinct behind enforcing policy at the harness layer rather than trusting the model to police itself.

The sharpest part of the metaphor is the fence. A coding agent's real power — and its real danger — is that it runs shell commands in your development environment, with whatever your own user account can reach — which is exactly the attack surface that makes tool use risky. Omnigent wraps each agent in an OS-level sandbox: bubblewrap on Linux, seatbelt on macOS, and a weaker Job-Objects fallback on Windows. The sandbox is the taped-off zone — it confines what an agent's shell commands can touch, so a bad command hits a fenced patch of the site, not the whole machine. This is capability scoping done by the kernel: the agent physically cannot reach past its fence, whatever its prompt tells it to do.

How the sandbox is actually enforced

The containment is not a policy the agent is asked to follow — it is a boundary the operating system draws. Each platform hands Omnigent a different primitive, and the strength of the fence depends on which one is available.

PlatformSandbox primitiveWhat it fences
LinuxbubblewrapAn unprivileged namespace jail around the agent's terminal — a restricted view of files, network, and processes
macOSseatbeltA sandbox profile that whitelists which files and operations the process may use; the rest is kernel-denied
WindowsJob ObjectsProcess-tree containment only — the README calls it degraded next to the Unix sandboxes

Put rough numbers on the governance surface (illustrative). Say you run the 6 coding agents Omnigent names and you care about 4 controls for each: who it logs in as, what session it shares, what policy gates its actions, and what sandbox fences its shell. As separate silos that is 6 × 4 = 24 independent things to configure and keep in sync — and adding a seventh agent puts you on the hook for 4 more. Route them all through one meta-harness and those same 4 controls are set once, in one place: 24 collapses to 4, and a seventh agent doesn't stand up a fifth silo — it checks in under the same 4 controls and inherits the rules.

The honest caveat is that a meta-harness concentrates power as much as it contains it. One layer now holds every agent's credentials and shapes what every agent may do, so that layer's own correctness — and the strength of the sandbox it can get from the OS — is what your safety rides on; the Windows fallback is explicitly weaker than the Unix path. And a meta-harness is not an orchestrator that decides what to do — it is the layer that decides what each agent is allowed to do, and what it can reach while doing it. What Omnigent really ships is a place to put agent governance: not inside each vendor's prompt, but in one runtime you own, with the fence drawn by the kernel.

Goes deeper in: AI Agents → The Agent Loop & State → The Anatomy of a Harness

Related explainers

Frequently Asked Questions

Check what you knowMap your AI & GPU knowledge across every track — free, role-based