Skip to content

Harness

Run agents in a sandboxed container — ready to drop into any project.

Harness wraps Docker around three open-source coding agents — pi, opencode, and hermes — so you can point one at a directory (or file) without giving it access to your entire machine.

Why Harness?

  • Sandboxed by default — capability-dropped container with no-new-privileges; the agent only sees the directory you mount.
  • Three agents, one CLI — switch between pi, opencode, and hermes with -a. Same flags, same flow.
  • Supply-chain hardened — images are signed and verified with cosign and SLSA provenance on every run; dependencies are pinned and verified.
  • Local-first — defaults to LM Studio with gemma-4-e4b. Drop in an --env-file to use Anthropic, OpenRouter, OpenAI, Gemini, and others.
  • Stateful or one-shot — interactive runs persist agent state; one-shot prompts stay ephemeral.
  • Zero installnpx @capotej/harness just works.

Quick start

Docker is required. By default, harness uses LM Studio locally:

lms daemon up
lms get google/gemma-4-e4b

Then run:

npx @capotej/harness -p "write a fizzbuzz in Go"

See the Getting Started guide for more details.

Choose an agent

Agent Description Best for
pi Default agent from pi.dev General-purpose coding
opencode Terminal-based agent from opencode.ai Quick one-off tasks
hermes Full-featured agent from NousResearch Long-running "claw" deployments