# Coop

> Run Claude, Codex, and Gemini coding agents on your real repos inside a secure container sandbox that hides secrets and prevents filesystem escapes.

Coop is an open-source CLI tool written in Go that runs AI coding agents — Claude, Codex, and Gemini — inside disposable containers so they can work autonomously on real repositories without access to your home directory, SSH keys, or other projects. Created by Andrew Dryga and released under the MIT License, it is available on GitHub and currently at version v2.5.2. The project grew out of two published write-ups: "Running an AI coding agent you can't trust" (the sandbox design) and "One brain, two agents" (the queue, hooks, and unattended foreman).

## What It Is

Coop is a sandboxed agent harness for local AI coding agents. Its core job is to let you run agents with their most permissive autonomous flags (`--dangerously-skip-permissions`, `--yolo`) while keeping them confined to a single repository. The container mounts only the repo you're working on, shadows secrets by filename and content, and blocks access to the rest of your disk. A single static Go binary with no extra runtime dependencies drives the whole workflow — from launching an interactive agent session to running an unattended overnight task queue across a fleet of parallel forks.

## The Sandbox and Secret Shadowing

The security model has two layers. First, the container boundary: only the target repo is bind-mounted at its real host path; the home directory, SSH keys, and other projects are simply absent from the container. Second, secret shadowing: `.env`, `*.tfvars`, `*.pem`, `secrets/`, `.ssh`, and similar paths are overlaid with empty `tmpfs` mounts or read-only empty files so the agent sees their shape but never their content. A `.coopignore` file (similar to `.gitignore`) extends the default denylist with repo-specific paths. The `coop check-secrets` command scans visible files for high-entropy values and provider token shapes (AWS, OpenAI, Anthropic, GitHub, Slack, and others) and exits non-zero on a hit, making it usable as a pre-flight or CI check. `coop doctor` proves isolation end-to-end by planting a fake secret, launching the box, and verifying from inside that the secret is unreachable.
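The kind of content scan `coop check-secrets` is described as performing can be sketched as follows. This is an added example, not Coop's own code: the two token patterns, the 24-character minimum run, and the 4.0 bits-per-byte entropy threshold are assumptions chosen for illustration, and the sample input is constructed.

```go
package main

import (
	"fmt"
	"math"
	"regexp"
	"strings"
)

// Assumed rules for this example (widely documented prefixes), not Coop's own set.
var shapes = []struct {
	name string
	re   *regexp.Regexp
}{
	{"aws-access-key-id", regexp.MustCompile(`\bAKIA[0-9A-Z]{16}\b`)},
	{"github-token", regexp.MustCompile(`\bghp_[A-Za-z0-9]{36}\b`)},
	{"high-entropy", regexp.MustCompile(`[A-Za-z0-9+/_-]{24,}`)}, // plus entropy test
}

// entropy returns the Shannon entropy of s in bits per byte.
func entropy(s string) (h float64) {
	for i := 0; i < len(s); i++ {
		if strings.IndexByte(s, s[i]) == i { // count each distinct byte once
			p := float64(strings.Count(s, s[i:i+1])) / float64(len(s))
			h -= p * math.Log2(p)
		}
	}
	return h
}

// Scan returns one "line:rule" entry per offending line; the first rule to hit wins.
func Scan(text string) (hits []string) {
lines:
	for i, line := range strings.Split(text, "\n") {
		for _, s := range shapes {
			for _, m := range s.re.FindAllString(line, -1) {
				if s.name != "high-entropy" || entropy(m) >= 4.0 {
					hits = append(hits, fmt.Sprintf("%d:%s", i+1, s.name))
					continue lines
				}
			}
		}
	}
	return hits
}

func main() { // constructed sample; the AWS value is the vendor's documentation example
	fmt.Println(Scan("ID=AKIAIOSFODNN7EXAMPLE\nTOK=q8Zr2LxV7tYp0WmK4sNd9HbG6cJf\nPAD=" + strings.Repeat("a", 32)))
}
```

Exiting non-zero whenever `Scan` returns anything gives the pre-flight or CI behaviour described above; the long run of identical characters on the third sample line is skipped because its entropy is zero.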

## Workflow: Forks, Loops, and Fleets

Beyond interactive sessions, Coop provides three higher-level workflow primitives:

- **Forks** — throwaway local clones handed to an agent instead of your working tree. The lifecycle mirrors a contractor PR: `coop fork <name> <agent>` opens the fork, the agent works in it, `coop fork review <name>` shows a brief and diff, and `coop fork merge <name>` rebases onto your branch and fast-forwards. A configurable `COOP_GATE` command re-runs in the box on the rebased tree before landing.
- **The loop** — `coop loop` works a `TASKS.md` checkbox queue unattended, starting a fresh agent per iteration to avoid context rot. When the queue empties, a fresh auditor re-checks every completed item against the git log and reopens anything that doesn't hold up. The loop also handles rate-limit resets automatically, reading the reset time from the agent's output and waiting it out.
- **Fleets** — multiple forks running in parallel, each looping its own tasks file. `coop fleet up` starts them all detached; `coop status` shows a roll-up of progress, blockers, and current task per fork; `coop fork merge --all` lands them in a revalidating rebase queue.

## Fusion: A Governed Council of Models

Coop includes a "Fusion" mode where one model acts as governor (does the real work and edits files) while the other two advise read-only in parallel. The governor synthesizes the strongest parts of all three responses before proceeding. The council is invoked with `coop fusion [agent]` and works in interactive, headless, and Zed ACP modes. A lighter `--consult` flag on any normal run gives the agent the option to poll its peers on genuinely hard or risky calls without the full synthesis mandate.

## Platform and Integration Support

Coop auto-detects Apple `container` (macOS 26+), Docker, or Podman as the container runtime. It integrates with the Zed editor via the Agent Client Protocol (ACP): `coop acp [claude|codex|gemini|fusion]` runs the matching ACP adapter inside the box over stdio, letting Zed's agent panel drive the sandboxed agent while the box remains the security boundary. MCP servers are configured once in `~/.config/coop/agents/mcp.json` and automatically wired into all three agents' native config formats. Per-project toolchains are provisioned from `.tool-versions` (asdf) at runtime or baked into a `Dockerfile.agent` for fully reproducible images.

## Update: v2.5.2

The latest release is v2.5.2, published on 2026-06-17. The repository was created in June 2026 and has seen active development, with the last push on 2026-06-17. The project is MIT-licensed and distributed as a prebuilt static binary for multiple OS/arch combinations, with cosign/Sigstore keyless signature verification available for release artifacts.

## Features
- Sandboxed container execution for Claude, Codex, and Gemini agents
- Secret shadowing by filename and content (tmpfs overlays)
- .coopignore support for repo-specific secret denylist
- coop doctor end-to-end isolation verification
- coop check-secrets content scanner for credentials in visible files
- Fork workflow: throwaway repo clones with review and merge lifecycle
- Unattended task queue loop with per-iteration fresh agent context
- Fleet management: parallel forks each looping their own tasks file
- Fusion mode: governed council of three models with synthesis
- --consult flag for lightweight peer second opinions
- Zed ACP integration for IDE-driven sandboxed agents
- MCP server config wired once to all three agents
- Per-project toolchain provisioning from .tool-versions (asdf)
- Dockerfile.agent support for fully reproducible per-project images
- COOP_GATE pre-merge gate command with rollback on failure
- Rate-limit-aware loop with automatic reset wait
- coop fork merge --all revalidating rebase queue for fleets
- Single static Go binary, no extra runtime dependencies
- Cosign/Sigstore keyless signature verification for release artifacts
- Compose-based sibling services (Postgres, Redis) with coop up/down

## Integrations
Claude (Anthropic), Codex (OpenAI), Gemini (Google), Zed editor (ACP), Docker, Podman, Apple container (macOS 26+), MCP servers, asdf / .tool-versions, Docker Compose, cosign / Sigstore, git

## Platforms
WINDOWS, MACOS, LINUX, API, VSC_EXTENSION, JETBRAINS_PLUGIN, CLI

## Pricing
Open Source

## Version
v2.5.2

## Links
- Website: https://github.com/AndrewDryga/coop
- Documentation: https://github.com/AndrewDryga/coop#readme
- Repository: https://github.com/AndrewDryga/coop
- EveryDev.ai: https://www.everydev.ai/tools/coop-coding-agent-sandbox
