An operating system for
AI coding agent sessions

ExoProtocol is a governance kernel that treats AI coding agent sessions the way an OS treats processes — with enforceable scope, lifecycle control, audit trails, and crash recovery. Everything lives in git.

pip install exoprotocol GitHub →

The problem

Multi-agent development is uncontrolled

You spin up three Claude sessions on different features. One silently clobbers the other's files. A Cursor agent duplicates work that's already on an unmerged branch. Nobody knows who changed what, or whether the changes stayed within scope.

The code gets written. The governance doesn't exist.

The insight

OS primitives mapping

Operating systems solved process coordination decades ago: isolation, scheduling, memory management, locks, audit logs. These primitives map directly to multi-agent development — not as a metaphor, but as convergent engineering. We arrived at the same abstractions by solving the same class of problems.

OS Concept ExoProtocol What it does
Kernel exo/kernel/ 10-function enforcement core. Frozen. No expansion without RFC.
Process Session start → suspend → resume → finish. PID tracking, crash recovery.
Virtual memory Scope Allow/deny glob patterns. Agents can only touch files within their scope.
Scheduler Dispatch Lane-aware scheduling. Priority queues. Concurrency limits.
Mutex Ticket lock Single-writer enforcement. Distributed leases for multi-clone setups.
IPC Mementos Session closeout writes operational learnings that future sessions read.
Audit log Ledger Append-only event log. Tamper-evident. Git-committed.
Boot sequence Bootstrap Compiles governance rules + scope + learnings into a prompt the agent sees first.
GC exo gc Age-based cleanup of mementos, caches, stale sessions.
Health check exo doctor Scaffold, config, drift, and session liveness — one command.

Governance model

Constitution, compile, verify

Your repo gets a constitution — a YAML file declaring rules, deny patterns, file budgets, and checks. It compiles into a tamper-evident governance lock with a hash chain. Every session verifies the lock before starting. If the constitution changed but wasn't recompiled, the hash won't match — governance drift is caught before any agent writes a line of code.

Change the rules, recompile, commit. The hash chain updates. Adapters regenerate. Every agent sees the new governance on their next session start. No deploy, no restart, no coordination — just git.

How it works

Session lifecycle

Every AI agent session runs under governance. The lifecycle is simple — start, work, finish — but a lot happens at each boundary.

init → next → session-start → [suspend ↔ resume] → session-finish ▸ init scan repo, generate constitution + adapters ▸ next dispatch highest-priority ticket, acquire lock ▸ session-start compile governance rules load ticket scope + budgets scan sibling sessions detect scope conflicts check unmerged work inject operational learnings generate bootstrap prompt ▸ session-finish drift detection feature tracing write memento release lock update index

At session-start, ExoProtocol compiles everything the agent needs into a bootstrap prompt: governance rules, scope constraints, sibling awareness (who else is working), machine context (CPU/RAM), and operational learnings from prior sessions. The agent sees this first, before any user instructions.

At session-finish, drift detection scores how well the work stayed within scope. A closeout memento captures what was learned. The lock is released. The next agent inherits the knowledge.

Session-start intelligence

What the agent sees before writing a line of code

Scope conflicts

Warns if a sibling session's ticket overlaps your file scope.

Unmerged work

Flags relevant changes on unmerged branches so agents don't duplicate effort.

Ticket contention

Detects if another agent is actively working on the same ticket.

Branch mismatch

Alerts when a ticket was previously worked on a different branch.

Base divergence

Warns when the feature branch has fallen behind main.

Machine context

Reports CPU/RAM so resource-heavy tickets can gate concurrent sessions.

All advisories are just that — advisory. They never block session start. They surface in the bootstrap prompt so the agent can make informed decisions.

Entropy control

Drift detection + intent accountability

Every session gets a drift score (0–1) measuring how well the work stayed within scope. The formula weights scope compliance (40%), file budget (30%), LOC budget (20%), and boundary violations (10%). It's deterministic, not vibes.

Tickets can be intents — with brain dumps, boundaries, success conditions, and risk levels. Child tickets trace back to parent intents. Orphan detection catches work that drifted away from stated goals.

INTENT-001 "auth system" scope: src/auth/** drift: 0.12 ├── TICKET-001-EPIC "registration" │ ├── TICKET-002 "signup form" drift: 0.08 │ └── TICKET-003 "email verification" drift: 0.31 └── TICKET-004-EPIC "session management" └── TICKET-005 "JWT middleware" drift: 0.05

Together, drift scoring and intent hierarchies give you a quantitative answer to "did the agent do what we asked?" — see the deep dive for the full formula.

Architecture

Four layers, frozen kernel

CLI / MCP Server │ ▼ Orchestrator ─── session lifecycle, bootstrap, closeout │ ▼ Stdlib ───────── governance subsystems (drift, features, requirements, GC, ...) │ ▼ Kernel ───────── 10 functions. Frozen. Governance, tickets, audit, rules.

The kernel is intentionally small: load_governance, verify_governance, open_session, mint_ticket, validate_ticket, check_action, resolve_requirements, commit_plan, append_audit, seal_result. That's it. Everything else — session lifecycle, drift detection, feature tracing, dispatch, adapters, GC — lives in the stdlib.

Every CLI command has a matching MCP tool. Works with Claude Code, Cursor, and any MCP-compatible client.

Vendor agnostic

Works with any agent, any model

ExoProtocol doesn't care which LLM is driving the session. Claude Code, Cursor, Windsurf, Copilot, open-source models — if it can read a prompt and write files, ExoProtocol can govern it.

The adapter layer generates config files native to each tool: CLAUDE.md for Claude Code, .cursorrules for Cursor, AGENTS.md for GitHub Copilot. Same governance, different surface. Switch models mid-project without losing session history or drift tracking.

Quickstart

Five commands to governed development

# Initialize — scans your repo, generates governance + adapters
exo init

# Health check
exo doctor

# Dispatch a ticket and acquire a lock
exo next --owner your-name

# Start a governed agent session
EXO_ACTOR=agent:claude exo session-start \
  --ticket-id TICKET-001 \
  --vendor anthropic --model claude-code \
  --task "implement the feature described in the ticket"

# Finish — runs drift detection, writes memento, releases lock
EXO_ACTOR=agent:claude exo session-finish \
  --summary "implemented feature, added tests"

exo init detects your language, build tools, sensitive files, and CI system. It generates a project-aware constitution and adapter files (CLAUDE.md, .cursorrules, AGENTS.md) so governance adds value from the first session.

Integration

MCP server

Every CLI command has a matching MCP tool. Install, point your agent at it, done. 

// Claude Code / Cursor — add to your MCP config
{
  "mcpServers": {
    "exo": {
      "command": "exo-mcp",
      "args": [],
      "env": { "EXO_ACTOR": "agent:claude" }
    }
  }
}

No external services

Everything lives in .exo/

Governance state, tickets, session history, mementos, audit logs, feature manifests, requirement registries — all stored as files in your repo. Git is the source of truth. Git is the transport. No SaaS, no database, no accounts.

pip install exoprotocol is all you need.

Stay in the loop

Get updates on ExoProtocol

New releases, governance patterns, and multi-agent development insights. No spam.