An operating system for
AI coding agent sessions

ExoProtocol is a governance kernel that treats AI coding agent sessions the way an OS treats processes — with enforceable scope, lifecycle control, audit trails, and crash recovery. Everything lives in git.

PyPI version Python ≥ 3.10 License
pip install exoprotocol && exo install GitHub →

The problem

Multi-agent development is uncontrolled

You spin up three Claude sessions on different features. One silently clobbers the other's files. A Cursor agent duplicates work that's already on an unmerged branch. Nobody knows who changed what, or whether the changes stayed within scope.

The code gets written. The governance doesn't exist.

The insight

OS primitives mapping

Operating systems solved process coordination decades ago: isolation, scheduling, memory management, locks, audit logs. These primitives map directly to multi-agent development — not as a metaphor, but as convergent engineering. We arrived at the same abstractions by solving the same class of problems.

OS Concept ExoProtocol What it does
Kernel exo/kernel/ 10-function enforcement core. Frozen. No expansion without RFC.
Process Session start → suspend → resume → finish. PID tracking, crash recovery.
Virtual memory Scope Allow/deny glob patterns. Agents can only touch files within their scope.
Scheduler Dispatch Lane-aware scheduling. Priority 1 = highest urgency. Only tasks dispatched (epics/intents are containers). Concurrency limits.
Mutex Ticket lock Single-writer enforcement. Distributed leases for multi-clone setups.
IPC Mementos + Handoff Session closeout writes learnings. Handoff records transfer context between agents.
Telemetry Traces + Metrics OTel-compatible span export. Drift distribution, verify rates, fleet health.
Audit log Ledger Append-only event log. Tamper-evident. Git-committed.
Boot sequence Bootstrap Compiles governance rules + scope + learnings into a prompt the agent sees first.
GC exo gc Age-based cleanup of mementos, caches, stale sessions.
Health check exo doctor Scaffold, config, drift, git tracking, and session liveness — one command.
Policy linker exo compose Compiles all governance into a single SHA-256 sealed artifact. Tamper detection built in.

Governance model

Constitution, compile, verify

Your repo gets a constitution — a YAML file declaring rules, deny patterns, file budgets, and checks. It compiles into a tamper-evident governance lock with a hash chain. Every session verifies the lock before starting. If the constitution changed but wasn't recompiled, the hash won't match — governance drift is caught before any agent writes a line of code.

Change the rules, recompile, commit. The hash chain updates. Adapters regenerate. Every agent sees the new governance on their next session start. No deploy, no restart, no coordination — just git.

exo compose takes it further: it compiles the constitution, config, feature manifest, and requirement registry into a single sealed policy artifact (.exo/policy.sealed.json) with a SHA-256 integrity hash. Session-start auto-recomposes if sources have changed. Session-finish verifies the seal and recomposes for the next session. One canonical artifact, always fresh.

How it works

Session lifecycle

Every AI agent session runs under governance. The lifecycle is simple — start, work, finish — but a lot happens at each boundary.

init → next → session-start → [suspend ↔ resume] → session-finish / session-handoff

▸ init scan repo, generate constitution + adapters ▸ next dispatch highest-priority task (skips epics/intents), acquire lock ▸ session-start verify sealed policy (auto-recompose if stale) compile governance rules load ticket scope + budgets scan sibling sessions detect scope conflicts check unmerged work inject operational learnings generate bootstrap prompt ▸ session-finish drift detection feature tracing verify + recompose sealed policy write memento release lock update index ▸ session-handoff finish session + write handoff record receiving agent gets context in bootstrap one-shot: record consumed on start

At session-start, ExoProtocol compiles everything the agent needs into a bootstrap prompt: governance rules, scope constraints, sibling awareness (who else is working), machine context (CPU/RAM), and operational learnings from prior sessions. The agent sees this first, before any user instructions.

At session-finish, drift detection scores how well the work stayed within scope. A closeout memento captures what was learned. The lock is released. The next agent inherits the knowledge.

Session-start intelligence

What the agent sees before writing a line of code

Scope conflicts

Warns if a sibling session's ticket overlaps your file scope.

Unmerged work

Flags relevant changes on unmerged branches so agents don't duplicate effort.

Ticket contention

Detects if another agent is actively working on the same ticket.

Branch mismatch

Alerts when a ticket was previously worked on a different branch.

Base divergence

Warns when the feature branch has fallen behind main.

Machine context

Reports CPU/RAM so resource-heavy tickets can gate concurrent sessions.

All advisories are just that — advisory. They never block session start. They surface in the bootstrap prompt so the agent can make informed decisions.

Entropy control

Drift detection + intent accountability

Every session gets a drift score (0–1) measuring how well the work stayed within scope. The formula weights scope compliance (50%), file budget (35%), and boundary violations (15%). It's deterministic, not vibes.

Tickets can be intents — with brain dumps, boundaries, success conditions, and risk levels. Child tickets trace back to parent intents. Orphan detection catches work that drifted away from stated goals.

INTENT-001 "auth system" scope: src/auth/** drift: 0.12 ├── TICKET-001-EPIC "registration" │ ├── TICKET-002 "signup form" drift: 0.08 │ └── TICKET-003 "email verification" drift: 0.31 └── TICKET-004-EPIC "session management" └── TICKET-005 "JWT middleware" drift: 0.05

Together, drift scoring and intent hierarchies give you a quantitative answer to "did the agent do what we asked?" — see the deep dive for the full formula.

Architecture

Four layers, frozen kernel

CLI / MCP Server │ ▼ Orchestrator ─── session lifecycle, bootstrap, closeout │ ▼ Stdlib ───────── governance subsystems (drift, features, requirements, GC, ...) │ ▼ Kernel ───────── 10 functions. Frozen. Governance, tickets, audit, rules.

The kernel is intentionally small: load_governance, verify_governance, open_session, mint_ticket, validate_ticket, check_action, resolve_requirements, commit_plan, append_audit, seal_result. That's it. Everything else — session lifecycle, drift detection, feature tracing, dispatch, adapters, GC — lives in the stdlib.

Every CLI command has a matching MCP tool. Works with Claude Code, Cursor, and any MCP-compatible client.

Multi-agent coordination

Agent handoff with context transfer

Agent A builds the API. Agent B needs to write the tests. session-handoff atomically finishes A's session, writes a handoff record with summary, reason, and next steps, then releases the lock. When B starts on the same ticket, the handoff context is injected into its bootstrap prompt.

Agent A Agent B | | +-- session-handoff | | +-- finish session (memento) | | +-- write handoff record | | +-- release lock | | session-start | +-- detect pending handoff | +-- inject Handoff Context | +-- acquire lock | +-- consume (delete) record

Handoff records are one-shot — consumed on start, never stale. The receiving agent sees exactly what was done, what needs doing, and which branch to continue from. No copy-pasting between chat windows.

Vendor agnostic

Works with any agent, any model, any SDK

ExoProtocol doesn't care which LLM is driving the session. Claude Code, Cursor, Windsurf, Copilot, OpenAI Agents SDK, open-source models — if it can read a prompt and write files, ExoProtocol can govern it.

The adapter layer generates config files native to each tool: CLAUDE.md for Claude Code, .cursorrules for Cursor, AGENTS.md for GitHub Copilot. Same governance, different surface. Switch models mid-project without losing session history or drift tracking.

Adapter files

Auto-generated CLAUDE.md, .cursorrules, AGENTS.md from governance state.

MCP server

70 tools mirroring every CLI command. Works with any MCP client.

OpenAI Agents SDK

ExoRunHooks wraps governed sessions around agent runs. pip install exoprotocol[openai-agents]

Claude Code hooks

Auto-start/finish sessions, scope-gated Write/Edit blocking, tamper detection with auto-reinstall. exo hook-install

Quickstart

Three commands to governed development

# One-shot setup (init + compile + adapters + hooks + gitignore + git-track)
pip install exoprotocol && exo install

# Dispatch a ticket and acquire a lock
exo next --owner your-name

# Start a governed agent session
EXO_ACTOR=agent:claude exo session-start \
  --ticket-id TICKET-001 \
  --vendor anthropic --model claude-code \
  --task "implement the feature described in the ticket"

# Finish — runs drift detection, writes memento, releases lock
EXO_ACTOR=agent:claude exo session-finish \
  --summary "implemented feature, added tests"

exo install does everything in one shot: scans your repo, generates a project-aware constitution, compiles governance, writes adapter files (CLAUDE.md, .cursorrules, AGENTS.md), installs Claude Code hooks, creates .exo/.gitignore, and commits governance files to git. Idempotent — safe to run again anytime.

What's new in 0.2

Community feedback round 1

Eight tickets shipped together to close the most-cited friction points from real ExoProtocol deployments. Every CLI command below has a matching MCP tool.

Command What it does Closes
exo brief Read-only governance summary — active rules, budgets, intents, learnings. No session, no lock, no memento. The right primitive when you just need context for read-only work. Review-only mode (#1)
exo worktree-create --ticket-id X
exo worktree-remove --path …
exo worktrees		 First-class per-ticket git worktrees. Each ticket gets its own isolated checkout sharing .git internals — no more agents fighting over a dirty workspace. Worktree support (#2)
exo pr-merge <PR> Merge via the GitHub API after passing exo pr-check. NEVER touches the local checkout, so worktree-mode sessions don't trip on ownership conflicts. --break-glass-reason to override a non-pass verdict (audit-trailed). API-based merge (#3)
ticket-create --checks …
exo doctor		 Tickets default-fill checks from config.checks_allowlist when --checks is omitted, so bootstrap can never silently produce an unverifiable ticket. exo doctor flags any active task whose checks list is empty. Ticket validation (#4)
framework_paths in .exo/config.yaml Splits framework-mutated paths (.exo/cache/**, .exo/memory/**, lock/queue files) from user-governed paths. Auto-unioned into scope.allow at ticket-create AND at runtime — closeout writes never fail because the user forgot a framework-internal path. Framework-vs-user split (#5)
exo test-triage tests/test_x.py Stale-vs-regression classifier. git log -1 on the test file vs. the most-recent non-test, non-governance commit; classifies regression / stale / ambiguous with evidence and a recommended owner. Never deletes or rewrites tests — judgment call stays with you. Test triage (#6)
exo archive <paths> --reason "…" Move source paths under archive/ with a structured archive/INDEX.md entry (date, reason, git SHA, restore-via-git mv hint). When the scanner detects an archive/ directory, it emits RULE-ARC-001 automatically — archived code is then immutable until you explicitly restore it. Archive defaults (#7)

Upgrade an existing install with pip install --upgrade exoprotocol && exo install. The scanner re-runs and your constitution gets the new RULE-ARC-001 automatically if you already have an archive/ directory.

Integration

MCP server

Every CLI command has a matching MCP tool. Install, point your agent at it, done. 

// Claude Code / Cursor — add to your MCP config
{
  "mcpServers": {
    "exo": {
      "command": "exo-mcp",
      "args": [],
      "env": { "EXO_ACTOR": "agent:claude" }
    }
  }
}

No external services

Everything lives in .exo/

Governance state, tickets, session history, mementos, audit logs, feature manifests, requirement registries — all stored as files in your repo. Git is the source of truth. Git is the transport. No SaaS, no database, no accounts.

.exo/ is designed as its own governance namespace inside your repo. Non-ephemeral files (constitution, config, lock, tickets) are committed to git so CI pipelines, other agents, and team members all see the same governance. Ephemeral data (cache, logs, locks, active sessions) is excluded via .exo/.gitignore. exo install sets this up automatically.

For teams that want full separation, exo sidecar-init mounts .exo/ as a dedicated git worktree on an orphan branch — giving app code and governance state independent git histories. Auto-commits at every lifecycle boundary (start, finish, suspend, resume) keep the governance branch current without polluting your app history.

pip install exoprotocol is all you need.

Observability

Governance you can measure

ExoProtocol isn't just rules — it's instrumented. Every session produces structured data that feeds into metrics, traces, and fleet-level drift aggregation.

Governance metrics

Verify pass rate, drift distribution, ticket throughput, actor breakdown. Dashboard-ready JSON.

Fleet drift

Aggregate drift across all active, suspended, and finished sessions. Spot which agents are drifting.

OTel traces

Export session history as OpenTelemetry-compatible JSONL spans. Import into Jaeger or Grafana Tempo.

Sandbox policy

Preview derived permissions from constitution deny rules. See what your agents can and can't do.

Stay in the loop

Get updates on ExoProtocol

New releases, governance patterns, and multi-agent development insights. No spam.