Keep your agents busy while you sleep

Run a coding agent in a box it can't escape.

Coding agents are most useful with the brakes off — and that's exactly when you don't want them loose on your laptop. Coop runs them in a disposable container that mounts only your repo, shadows its secrets, and can't reach your home dir, SSH keys, or other projects.

$ curl -fsSL https://raw.githubusercontent.com/AndrewDryga/coop/main/install.sh | sh
coop loop — drain the queue overnight
🔒

The cage, not the leash

The container is the boundary. The agent runs with --dangerously-skip-permissions and the worst it can do is trash one repo you can restore from git.

🙈

Secrets never enter

.env, *.pem, secrets/ and friends are shadowed — empty tmpfs over dirs, a blank read-only file over files. Templates stay visible.

🌙

A whip for all-nighters

A fresh agent per iteration drains .agent/TASKS.md, rides through rate limits with profile failover, and audits its own work when the queue empties.

What it does

One binary. Every workflow.

Point it at any git repo and go. The same box drives a whole fleet overnight, a PR-style handoff, or a council of models — all behind the same container boundary.

The loop

Drain the queue while you sleep

Fill .agent/TASKS.md with checkbox tasks and walk away. A fresh agent per iteration (no context rot) works every [ ], commits behind your gate, and won't quit while any remain.

  • Each iteration prints which model is working, live.
  • A rate limit triggers profile failover, not a stall — it switches accounts and keeps going.
  • When the queue empties, a fresh auditor re-checks every [x] against the git log.
coop loop

A fleet

Many models, one live board

Run several agents at once, each looping in its own fork on its own slice of the queue. coop fleet watch is the live dashboard — progress, the task each is on, and who's done.

  • Declare the fleet once in .agent/fleet; coop fleet up starts them all detached.
  • Watch them finish in real time, then coop fork merge --all lands the lot through a revalidating rebase queue.
  • Add agents until review, not generation, is your bottleneck.
coop fleet up · coop fleet watch

Forks

Hand off work like a PR

A fork is a throwaway local clone handed to an agent instead of your working tree. Its origin is a local path, so the agent has nowhere to push — and you stay the only one who lands anything.

  • Open → work → review → land, the lifecycle of a contractor's PR.
  • Review the diff in your terminal or your IDE; merge rebases onto your branch.
  • Set COOP_GATE and every merge re-runs your tests on the rebased tree.
coop fork — review & land

Fusion

A council that argues before it commits

One model leads and does the real work; the other two advise read-only; the leader synthesizes the best of all three. You stop betting the run on one model's blind spots.

  • No extra service — the leader consults its peers from its shell, in parallel.
  • The synthesized answer beats any single model working alone.
  • Or add --consult to any run for a lighter, opt-in second opinion.
coop fusion claude

Defense in depth

Secrets stay out of the box

Out of the box, coop shadows the usual suspects by name — no setup. .coopignore adds your repo's own; coop check-secrets catches tokens hiding inside files; and coop doctor proves the whole thing holds.

🙈 Shadowed by default

A blank tmpfs covers secret folders and an empty read-only file covers secret files — applied before the agent starts, so a well-known credential name is never readable or writable.

.env  .env.*  *.pem  *.key  *.p12  *.tfvars  *.tfstate  id_rsa  .ssh/  .aws/  .kube/  .gnupg/  .npmrc  .netrc  .git-credentials  secrets/  credentials.json  service_account.json  kubeconfig  database.yml  + more

👁 Kept visible

Templates and public CA bundles stay readable, so the agent can still see the shape of your config and TLS keeps working.

*.example  *.sample  *.template  cacerts.pem  ca-bundle.crt

.coopignore

Your final say on what's hidden

The defaults above can't know your repo holds a config/credentials.yaml or a committed prod.yml. Add a .coopignore — one pattern per line — and it's shadowed everywhere the box can see.

  • The boundary is .coopignore, not .gitignore — a normal run mounts your whole tree.
  • A content scan also gates every coop fork merge, so a token in an innocuous file is caught on the way in.
  • The box keeps your git identity — commits are authored as you, your key never enters.
coop check-secrets
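
The shadowing rules above, as an added example in Python (not coop's own code): it plans tmpfs and blank-file mounts for a repo tree, lets the kept-visible list override the shadow list, and appends .coopignore-style patterns. The matching semantics, the Docker-style `--mount` flags, and the `/run/blank` and `/work` paths are assumptions.

```python
# Added example, not coop's source: plan which repo paths to shadow.
import fnmatch
import os
import tempfile

# Default names copied from the page (its list ends with "+ more").
SHADOW = [".env", ".env.*", "*.pem", "*.key", "*.p12", "*.tfvars", "*.tfstate",
          "id_rsa", ".ssh/", ".aws/", ".kube/", ".gnupg/", ".npmrc", ".netrc",
          ".git-credentials", "secrets/", "credentials.json",
          "service_account.json", "kubeconfig", "database.yml"]
VISIBLE = ["*.example", "*.sample", "*.template", "cacerts.pem", "ca-bundle.crt"]

def matches(rel, is_dir, patterns):
    """Assumed semantics: a trailing '/' matches directories only; a pattern
    is tried against the repo-relative path and against the basename."""
    names = (rel, rel.rsplit("/", 1)[-1])
    return any(p.endswith("/") == is_dir and fnmatch.fnmatchcase(n, p.rstrip("/"))
               for p in patterns for n in names)

def plan(root, extra=()):
    """Return (dirs, files) to shadow; extra holds .coopignore-style lines."""
    deny = SHADOW + [p.strip() for p in extra if p.strip()]
    shadow_dirs, shadow_files = [], []
    for cur, dirs, files in os.walk(root):
        rel_cur = os.path.relpath(cur, root).replace(os.sep, "/")
        prefix = "" if rel_cur == "." else rel_cur + "/"
        for d in sorted(dirs):
            if matches(prefix + d, True, deny):
                dirs.remove(d)  # covered by tmpfs, no need to descend
                shadow_dirs.append(prefix + d)
        for f in files:
            # The visible list wins, so .env.example and cacerts.pem stay readable.
            if matches(prefix + f, False, deny) and not matches(prefix + f, False, VISIBLE):
                shadow_files.append(prefix + f)
    return sorted(shadow_dirs), sorted(shadow_files)

def mount_flags(shadow_dirs, shadow_files, blank="/run/blank", workdir="/work"):
    """Docker-style flags; blank (an empty host file) and workdir are hypothetical."""
    flags = [f"--mount=type=tmpfs,destination={workdir}/{d}" for d in shadow_dirs]
    return flags + [f"--mount=type=bind,source={blank},destination={workdir}/{f},readonly"
                    for f in shadow_files]

def demo():  # plans a constructed sample tree
    with tempfile.TemporaryDirectory() as root:
        for rel in (".env", ".env.example", "certs/server.pem", "certs/cacerts.pem",
                    "secrets/db.txt", "config/credentials.yaml", "src/main.go"):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()
        return plan(root, extra=["config/credentials.yaml"])
```
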
Prove it

coop doctor attacks the box for you

Don't take the isolation on faith. doctor plants a decoy secret, launches the box, and checks from inside that the secret is unreadable and unwritable — then checks on the host that a fork carries neither the secret nor a pushable remote.

  • Inside the sandbox: secrets shadowed, decoy unwritable, source still readable.
  • On the host: gitignored secrets never enter a clone; origin is a dead-end local path.
  • Run it anytime — especially after changing config.
coop doctor

Install

From nothing to a sandboxed agent

One binary, no Go, no clone. A container runtime — Apple container, Docker, or Podman — is the only requirement.

01

Install the binary

Drops coop into ~/.local/bin and builds the box if a runtime is present.

$ curl -fsSL https://raw.githubusercontent.com/AndrewDryga/coop/main/install.sh | sh

02

Authenticate once

The token persists in the config dir — paste-code, no browser needed.

coop doctor       # prove isolation
coop login claude
coop claude       # go

03

Or run it all night

Scaffold a queue, fill it with checkbox tasks, and let the loop drain it.

coop init
# …fill .agent/TASKS.md…
coop loop
