Agentix is a safety-first control layer for building toward an agentic operating system. The long-term goal is an OS where AI agents can help configure, repair, maintain, and evolve the machine — without receiving unrestricted live-system control.
It starts with NixOS because NixOS gives us a strong foundation: declarative configuration, reproducible builds, rollback-friendly changes, and clear system boundaries.
plan -> sandbox -> propose -> verify -> human apply/rebuild
Agentix does not run sudo, nixos-rebuild switch, or rebuild-nixos. It does not edit /etc/nixos. It does not push or commit system config changes. Apply, verify, and activation are human-only.
GitHub: Beach-Bum/Agentix. Language: Python. ~3,800 lines across 23 modules, 4 test files.
What it does today
| Version | Capability |
|---|---|
| v0.1 | MVP: inspect repos, propose Nix dev shells, save patches, manual apply with audit |
| v0.2 | Sandboxed agent-loop: run a goal in a temporary Git worktree, save the diff as a proposal. Source workspace stays untouched |
| v0.3 | Controller layer: controller-plan describes the contract, controller-run plans and optionally executes a goal end-to-end with full audit, hardened source-untouched invariant, and conservative subprocess timeouts. Claude Code integrates here |
Safety ladder
Every NixOS goal walks the same ladder. Each rung is reversible until the next.
controller-plan # describe what is allowed
v
controller-run (dry-run) # parse + validate; no subprocess
v
controller-run --execute # run goal in temp worktree, save proposal
v
saved proposal patch # human reviews the diff
v
human apply-verify # human applies the patch
v
human rebuild-nixos # human activates the new system
The LLM controller stops at the saved-proposal rung. Everything below is human-only.
Commands
| Command | What it does |
|---|---|
| `controller-plan --json` | Print the safety contract |
| `controller-run "<goal>"` | Dry-run: parse goal, print plan, stop |
| `controller-run "<goal>" --execute` | Run in temp worktree, save proposal, stop |
| `worktree-run "<goal>" --save-proposal --json` | Lower-level form for scripts |
| `agent-loop "<goal>"` | Single-pass agent loop |
| `audit tail --json` / `audit summary --json` | Review what happened |
| `public-check` / `export-public --dest <out> --yes` | Sanitize for public release |
Safety invariants
- Source workspace untouched. Every run snapshots HEAD, `git diff HEAD --`, and SHA-256 of every untracked file before and after. Any unexpected change exits non-zero with `error="source_workspace_mutated"`.
- No apply, no rebuild, no sudo from the agent. The agent stops at the saved proposal.
- Conservative subprocess timeout. Default 1800 seconds. Timeout returns exit code 124 with `error="timeout"`.
- Audit log per run. One JSON line per invocation, appended to `.agentix/audit.jsonl`.
- Public release safety. `public-check` flags private artifacts. `export-public` strips them.
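
One way to implement the source-untouched check from the first invariant, as an added example (not Agentix's own code). The function names, the injectable `git` parameter, and the choice to skip ignored files via `--exclude-standard` are assumptions.

```python
import hashlib
import os
import subprocess
from pathlib import Path


def run_git(repo, *args):
    """Run git inside repo and return raw stdout bytes (raises on failure)."""
    return subprocess.run(["git", "-C", str(repo), *args],
                          check=True, capture_output=True).stdout


def snapshot(repo, git=run_git):
    """Capture HEAD, a hash of the tracked diff, and a SHA-256 per untracked file."""
    repo = Path(repo)
    head = git(repo, "rev-parse", "HEAD").strip().decode()
    diff_hash = hashlib.sha256(git(repo, "diff", "HEAD", "--")).hexdigest()
    # -z gives NUL-separated paths, so names with spaces or newlines survive.
    # Assumption: ignored files are skipped (--exclude-standard).
    listing = git(repo, "ls-files", "--others", "--exclude-standard", "-z")
    untracked = {}
    for raw in filter(None, listing.split(b"\0")):
        rel = os.fsdecode(raw)
        path = repo / rel
        # A file that vanished between listing and hashing is recorded as None.
        untracked[rel] = (hashlib.sha256(path.read_bytes()).hexdigest()
                          if path.is_file() else None)
    return {"head": head, "diff": diff_hash, "untracked": untracked}


def check_untouched(before, after):
    """Return None if the snapshots match, else an audit-style error record."""
    changed = [key for key in ("head", "diff") if before[key] != after[key]]
    names = set(before["untracked"]) | set(after["untracked"])
    changed += sorted(f"untracked:{name}" for name in names
                      if before["untracked"].get(name) != after["untracked"].get(name))
    if not changed:
        return None
    # The caller would append this record to the audit log and exit non-zero.
    return {"error": "source_workspace_mutated", "changed": changed}
```

Take `snapshot()` before the sandboxed run and again after it; comparing the untracked set in both directions also catches files that were created or deleted, not only edited.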
Claude Code integration
Claude Code operates against the same safety contract. It runs controller-plan first, uses controller-run for sandboxed work, and stops at the saved proposal. Apply, verify, and rebuild are human-only.