Let agents learn and act. Keep authority in the runtime.
Open-source runtime for bounded action and governed learning.
Quick Start | Documentation | Security | Contribute
Comis is an open-source, self-hosted, security-first runtime for AI agents that learn and act across sessions.
It can turn qualifying experience into source-linked, correctable guidance for later work. Permissions, credentials, tools, delegation limits, budgets, and audit evidence remain under runtime control outside the model.
Learned guidance can influence a proposal. It cannot grant itself a tool, credential, approval, lease, capability, or larger budget.
Use Comis when an agent needs memory, real tools, recurring work, child agents, and a clear boundary between what the model proposes and what the system permits.
Note
Comis is under active development. APIs and configuration may change. Review the known limitations and threat model before using it for critical work.
An agent with a shell, credentials, schedules, memory, or permission to start other agents has more than a prompt-injection problem. Untrusted text can affect a later session, learned guidance can influence tool selection, and delegated work can multiply reach.
Comis puts first-class controls around that path:
- The model proposes an action.
- The runtime checks origin, capability, tool policy, credential scope, approvals, budget, and active leases where those controls are wired.
- The runtime allows or denies the action.
- Execution and security evidence are recorded for review.
This design is intended for teams that need agent autonomy to fit a real security model. It does not make every deployment safe automatically. Host isolation, tool profiles, secret rules, approvals, provider choices, and deployment configuration still matter.
Comis can carry useful experience into a later session without turning learned text into authority.
| Stage | What happens |
|---|---|
| Qualify | Consider the outcome, source trust, and usefulness of an experience. |
| Admit | Validate candidate guidance and apply the configured evidence rule. |
| Reuse | Surface source-linked guidance in a later session while runtime permission stays unchanged. |
| Correct | Use later outcomes and corrections to promote, demote, retire, supersede, or preserve guidance. |
Important learning boundaries:
- Governed learning is enabled by default. The default
single_ownerevidence rule can admit repeated experience from one explicitly trusted owner. It is not independent corroboration. - Read-only candidate guidance can surface before active promotion and can influence which already-authorized tool the model chooses.
- Learned Markdown has no direct script or dynamic replay path. Tools still run through the runtime's permission path.
- Critical injection patterns are blocked. Warning-level harmful or jailbreak-like language can pass static validation.
- A session with a failed terminal task can still contain successful tool outcomes that seed guidance.
- Recall scope is tenant plus agent, not an individual end user within that scope.
- A recorded correction is evidence for later learning decisions. It does not by itself guarantee immediate demotion or a durable behavior change.
- Outcome events default to 90-day retention while learned-memory dormancy defaults to 365 days, so learned state can outlive parts of the evidence ledger that helped grade it.
See the memory and learning stress catalog for the adversarial workloads and inspection surfaces used to test these mechanisms.
For a macOS or Linux host you manage, download and inspect the installer first:
curl -fsSL --proto '=https' --tlsv1.2 https://comis.ai/install.sh -o comis-install.sh
less comis-install.sh
bash comis-install.sh --dry-run
bash comis-install.shThe installer can install Node.js and host tools, initialize Comis, and configure a background service.
After review, the one-line convenience path is:
curl -fsSL --proto '=https' --tlsv1.2 https://comis.ai/install.sh | bashIf Node.js 22.19 or newer is already installed:
npm install --global comisai
comis initThe npm package does not install host tools, create a service account, or register a system service.
Complete the setup wizard and start the daemon when prompted. To start it later:
comis daemon startOpen http://127.0.0.1:4766, or connect a messaging channel during setup. Check the daemon with:
curl http://127.0.0.1:4766/healthSee the installation guides for containers and production hosts. Linux with Bubblewrap is the recommended deployment target for isolated command execution.
Keep original messages and tool results in lossless storage while the model works from a bounded prompt view. Recover selected details, rank memory by trust and relevance, and carry qualifying experience forward with source and correction history.
Use capabilities, origins, scoped secrets, encrypted storage, approvals, leases, and an optional Credential Broker to keep permission out of prompt text and learned guidance.
Coordinate structured dependency graphs and parallel subagents under shared limits for spawning, cost, tokens, time, rates, outward actions, and leases.
Record execution-aware evidence, preserve recoverable context, and assemble a bounded incident report from recorded facts without asking another model to guess.
These are the strongest codebase-backed advantages. Conditions and limits are part of each claim.
-
Recoverable same-session context.
ctx_search,ctx_inspect, andctx_expandrecover selected original details from lossless storage while the active prompt stays bounded. -
Cache-aware execution. Cache detection and trace data span Anthropic, OpenAI, Gemini, context transforms, and parallel graph fanout. Actual cache behavior and savings remain provider-specific.
-
Trust-aware memory and governed learning. Recall and learned guidance can use provenance, trust, corroboration policy, usefulness, outcomes, and corrections. The default evidence rule is not independent corroboration.
-
Typed parallel orchestration. Typed dependency graphs coordinate cache-aware parallel subagents with explicit dependencies, retries, timeouts, and optional node-boundary checkpoints.
-
Tree-wide autonomy limits. Configured controls can cover spawning, cost, tokens, time, rates, outward actions, and leases across a parent agent and the children it starts. Not every limit can cancel work already in flight.
-
Layered security. Capability gates, deny-by-origin checks, sandbox controls, encrypted secrets, scoped secret access, validation layers, and the optional Credential Broker protect different parts of the path.
-
Secure CLI-driven autonomy. On the supported constrained path, jailed execution uses capability-limited Unix sockets, expiring leases, and brokered credentials so the agent can drive approved CLI tools without receiving broad control-plane access.
-
Persistent interactive terminal automation. The supported Linux isolation path keeps interactive terminal sessions persistent and fails closed when its jail cannot be established. This claim does not apply to ordinary host exec when sandboxing is disabled or unavailable.
-
Execution-aware observability. Instrumented runs support trace, cache, cost, policy, recovery, and security evidence.
comis explaindeterministically assembles an incident report from recorded evidence; a reported likely cause is a rule-based explanation, not proof of root cause.
comis explain "<sessionKey|traceId|rootRunId>"The report includes the recorded outcome, attributed cost, tool and policy failures, coverage information, and suggested next steps. When evidence matches a known rule, it can report a likely cause. When no rule matches, it does not invent one.
The explanation process makes no model calls. It can also run from local data when the daemon is unavailable:
comis explain "<sessionKey|traceId|rootRunId>" --offlineFor a wider operational view:
comis fleet --since 24
comis security audit-logReports are bounded and designed to exclude raw message bodies and credential values. Some error details may be sanitized, shortened, or replaced with a digest.
Start with a read-only recurring research brief. It can collect and compare sources, preserve useful findings as the prompt changes, and leave evidence for failed branches without granting write access to production systems.
Add credentials, write tools, and outward actions only after testing the controls on your host. See the use cases and scheduling guide.
Comis assumes model output and external content may be unsafe. It includes capability and origin checks, URL validation, prompt-injection detection, memory-write checks, completed-response checks, tool policy, encrypted secret storage, and durable security audit records. Streaming clients may receive partial output before the completed response is checked.
Important defaults and boundaries:
- Linux with Bubblewrap provides the strongest supported command isolation.
- macOS
sandbox-execis best-effort and is not the same security boundary. - The ordinary
exectool can run on the host when its sandbox is disabled or unavailable. - The default tool-policy profile is
full. - An empty per-agent
secrets.allowlist is unrestricted. - Human approvals are disabled by default and protect only paths explicitly connected to an approval gate.
- The Credential Broker is optional.
- Self-hosted does not mean offline. Configured model, messaging, media, MCP, and tool providers may receive data sent to them.
- Graph checkpoints recover at node boundaries; they do not exactly replay model calls, tool calls, network requests, or external side effects.
Narrow tools and secret rules before accepting untrusted input. Read the threat model, known limitations, and security documentation before granting sensitive access.
Comis does not currently claim complete tenant isolation, high availability, compliance certification, a mature enterprise identity stack, or commercial support.
Build it. Break it. Measure it. Improve it.
Comis Open Evidence is a planned public proof program, not a shipped benchmark runner or certification. Its goal is to make claims inspectable through small workloads, exact configurations, comparison runs, artifacts, and stated residual risk.
Bring a workload, an attack path, a learning failure, or an integration. Leave a reproducible result or a maintained artifact.
Useful contribution paths include:
- Learning and evaluation
- Runtime security and adversarial testing
- Orchestration and operations
- Integrations and recurring workloads
- Documentation and operator experience
- Maintained deployment profiles
Companies can contribute a recurring workload, deployment profile, or adapter with a named owner, tested version, evidence link, and known limitations.
Browse open issues, start a proposal in GitHub Discussions, and read CONTRIBUTING.md before opening a pull request.
Comis is a pnpm and TypeScript monorepo built around ports and adapters. Core packages define contracts, adapters implement them, and the daemon connects the running system.
git clone https://github.com/comisai/comis.git
cd comis
pnpm install
pnpm validateStart with the architecture guide, package guide, and repository engineering protocol.
Comis is licensed under the Apache License 2.0. Commercial use, modification, redistribution, and private deployment are permitted under its terms.
Comis builds on prior work from pi-mono by Mario Zechner.
