agentserver

command module

v0.34.3 Latest Latest Go to latest Published: Apr 8, 2026 License: MIT Imports: 1 Imported by: 0

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/agentserver/agentserver

Links

Open Source Insights

README ¶

agentserver

Run your coding agent on any machine — access it from the browser.

agentserver Web UI

agentserver Coding Agent

agentserver is to opencode what code-server is to VS Code — a self-hosted platform that lets your team use a coding agent from the browser.

Why agentserver?

Zero install — Open a browser, start coding with AI
Sandboxes — Isolated containers per task; pause, resume, auto-pause on idle
Local tunneling — Connect a local opencode instance via WebSocket, no public IP needed
Multi-tenancy — Workspaces with role-based access (owner / maintainer / developer / guest)
Two backends — Docker (single node) or Kubernetes with Agent Sandbox + gVisor isolation
SSO ready — GitHub OAuth and generic OIDC (Keycloak, Authentik, etc.) out of the box
API key proxy — Sandboxes never see the real Anthropic key; injected server-side
LLM proxy — Dedicated proxy service with per-workspace rate limiting (RPD quotas) and usage tracking
Admin panel — Manage users, quotas, and system settings from the web UI
Batteries included — Sandbox image ships with Go, Rust, C/C++, Node.js, Python 3, and common tools
Deploy anywhere — Pre-built binaries, Homebrew, Docker Compose, or Helm for Kubernetes

Architecture

agentserver consists of three services that can run as a single binary or be deployed independently:

                                                ┌──────────────────┐
                                                │  sandbox pod /   │
                                           ┌───▶│  container       │
                                           │    │  └─ opencode     │
Browser ──▶ sandbox-proxy (:8082) ─────────┤    └──────────────────┘
            (subdomain routing)            │        WebSocket tunnel
                                           └───▶ local agent machine
                                                  └─ opencode serve

Browser ──▶ agentserver (:8080) ──────────────▶ PostgreSQL
            ├─ REST API                         (users, workspaces,
            ├─ admin panel                       sandboxes, quotas)
            ├─ agent registration
            └─ tunnel endpoints

Sandbox ──▶ llmproxy (:8081) ──────────────▶ Anthropic API
            ├─ token validation                (real key injected
            ├─ RPD quota enforcement            server-side)
            └─ usage tracking

Service	Default Port	Description
agentserver	`:8080`	Main API server, web UI, tunnel endpoints
llmproxy	`:8081`	LLM API proxy with rate limiting and usage tracking
sandbox-proxy	`:8082`	Subdomain-based routing to sandbox services

Quick Start

Docker Compose (recommended for local use)

git clone https://github.com/agentserver/agentserver.git && cd agentserver
docker build -f Dockerfile.opencode -t agentserver-agent:latest .
export ANTHROPIC_API_KEY="sk-ant-..."
docker compose up -d

Open http://localhost:8080 in your browser.

Helm (Kubernetes)

helm install agentserver oci://ghcr.io/agentserver/charts/agentserver \
  --namespace agentserver --create-namespace \
  --set database.url="postgres://user:pass@postgres:5432/agentserver?sslmode=disable" \
  --set anthropicApiKey="sk-ant-..." \
  --set ingress.enabled=true \
  --set ingress.host="cli.example.com" \
  --set baseDomain="cli.example.com"

Pre-built Binaries

Download from GitHub Releases, or install via Homebrew:

brew install agentserver/tap/agentserver

Local Agent Tunneling

Connect a locally-running opencode instance to agentserver — no public IP or third-party tunnel needed.

In the Web UI, click the laptop icon next to "Sandboxes" to generate a registration code.
On your local machine:

# First time — register with the server
agentserver connect \
  --server https://cli.example.com \
  --code <registration-code> \
  --name "My MacBook"

# Subsequent runs — auto-reconnect using saved credentials
agentserver connect

A local sandbox appears in the Web UI — click "Open" to access your local opencode through the browser.

Multi-agent support

Register multiple agents on the same machine, each targeting a different directory and workspace:

# List all registered agents
agentserver list

# Remove a registration
agentserver remove --workspace <workspace-id>

Agent credentials are stored in ~/.agentserver/registry.json.

Tunnel features: zero-config networking, auto-reconnect with backoff, binary WebSocket protocol (no base64 overhead), real-time SSE streaming, offline detection with auto-recovery.

Configuration

See the API reference for full endpoint documentation.

Helm Values

Parameter	Description	Default
`image.repository`	Server image	`ghcr.io/agentserver/agentserver`
`image.tag`	Server image tag	`latest`
`opencode.image`	Opencode agent image for sandbox pods	`ghcr.io/agentserver/opencode-agent:latest`
`opencode.runtimeClassName`	RuntimeClass for sandbox pods (e.g. `gvisor`)	`""`
`openclaw.image`	OpenClaw gateway image	`""`
`openclaw.port`	OpenClaw gateway port	`18789`
`database.url`	PostgreSQL connection string	(required)
`anthropicApiKey`	Anthropic API key	(required)
`anthropicBaseUrl`	Custom Anthropic API base URL	`""`
`anthropicAuthToken`	Anthropic auth token (alternative to API key)	`""`
`backend`	Sandbox backend: `docker` or `k8s`	`docker`
`baseDomain`	Base domain for subdomain routing	`""`
`baseScheme`	URL scheme for generated URLs	`https`
`idleTimeout`	Auto-pause idle sandboxes after	`30m`
`persistence.sessionStorageSize`	Per-sandbox ephemeral storage	`5Gi`
`persistence.userDriveSize`	Per-workspace shared disk size	`10Gi`
`persistence.storageClassName`	Storage class for PVCs	`""` (cluster default)
`workspace.resources`	Resource limits/requests for sandbox pods	`1Gi/1cpu` limits
`agentSandbox.install`	Install Agent Sandbox controller	`true`
`ingress.enabled`	Enable Nginx Ingress	`false`
`ingress.host`	Ingress hostname	`agentserver.example.com`
`ingress.tls`	Enable TLS (cert-manager)	`false`
`gateway.enabled`	Enable Gateway API HTTPRoute	`false`

Environment Variables (Main Server)

Variable	Description	Default
`DATABASE_URL`	PostgreSQL connection string	(required)
`ANTHROPIC_API_KEY`	Anthropic API key	(required)
`ANTHROPIC_BASE_URL`	Custom API base URL	`https://api.anthropic.com`
`ANTHROPIC_AUTH_TOKEN`	Anthropic auth token (alternative to API key)	-
`OPENCODE_CONFIG_CONTENT`	JSON opencode config for sandbox pods	-
`BASE_DOMAIN`	Base domain for subdomain routing	-
`BASE_SCHEME`	URL scheme (`http` or `https`)	`https`
`IDLE_TIMEOUT`	Auto-pause timeout (e.g. `30m`)	`30m`
`AGENT_IMAGE`	Container image for sandbox agents	`ghcr.io/agentserver/opencode-agent:latest`
`LLMPROXY_URL`	Base URL of the LLM proxy service	-
`PASSWORD_AUTH_ENABLED`	Enable password-based auth	`true`
`OIDC_REDIRECT_BASE_URL`	External URL for OIDC callbacks	-
`GITHUB_CLIENT_ID`	GitHub OAuth client ID	-
`GITHUB_CLIENT_SECRET`	GitHub OAuth client secret	-
`OIDC_ISSUER_URL`	Generic OIDC issuer URL	-
`OIDC_CLIENT_ID`	Generic OIDC client ID	-
`OIDC_CLIENT_SECRET`	Generic OIDC client secret	-
`SANDBOX_NAMESPACE_PREFIX`	K8s namespace prefix	`agent-ws`
`NETWORKPOLICY_ENABLED`	Enable K8s NetworkPolicy isolation	`false`
`NETWORKPOLICY_DENY_CIDRS`	CIDRs to deny in network policies	-
`AGENTSERVER_NAMESPACE`	agentserver's own K8s namespace	-
`STORAGE_CLASS`	K8s storage class for PVCs	(cluster default)
`USER_DRIVE_SIZE`	Per-workspace storage size	`10Gi`
`USER_DRIVE_STORAGE_CLASS`	Storage class for workspace drives	inherits `STORAGE_CLASS`

Environment Variables (LLM Proxy)

Variable	Description	Default
`LLMPROXY_LISTEN_ADDR`	HTTP listen address	`:8081`
`LLMPROXY_DATABASE_URL`	Proxy's own PostgreSQL connection URL	-
`LLMPROXY_AGENTSERVER_URL`	agentserver internal API URL for token validation	(required)
`ANTHROPIC_API_KEY`	Anthropic API key	(required*)
`ANTHROPIC_AUTH_TOKEN`	Anthropic auth token (alternative to API key)	(required*)
`ANTHROPIC_BASE_URL`	Upstream Anthropic API URL	`https://api.anthropic.com`
`LLMPROXY_DEFAULT_MAX_RPD`	Default max requests per day per workspace (0 = unlimited)	`0`

Environment Variables (Sandbox Proxy)

Variable	Description	Default
`DATABASE_URL`	PostgreSQL connection string	(required)
`LISTEN_ADDR`	HTTP listen address	`:8082`
`BASE_DOMAIN`	Base domain for subdomain routing	(required)
`OPENCODE_SUBDOMAIN_PREFIX`	Subdomain prefix for opencode sandboxes	`code`
`OPENCLAW_SUBDOMAIN_PREFIX`	Subdomain prefix for openclaw sandboxes	`claw`
`OPENCODE_ASSET_DOMAIN`	Domain for opencode static assets	`opencodeapp.{BASE_DOMAIN}`

OIDC Authentication

GitHub OAuth:

helm upgrade agentserver oci://ghcr.io/agentserver/charts/agentserver \
  --reuse-values \
  --set oidc.redirectBaseUrl="https://cli.example.com" \
  --set oidc.github.enabled=true \
  --set oidc.github.clientId="your-client-id" \
  --set oidc.github.clientSecret="your-client-secret"

Callback URL: https://cli.example.com/api/auth/oidc/github/callback

Generic OIDC (Keycloak, Authentik, etc.):

helm upgrade agentserver oci://ghcr.io/agentserver/charts/agentserver \
  --reuse-values \
  --set oidc.redirectBaseUrl="https://cli.example.com" \
  --set oidc.generic.enabled=true \
  --set oidc.generic.issuerUrl="https://idp.example.com/realms/main" \
  --set oidc.generic.clientId="agentserver" \
  --set oidc.generic.clientSecret="your-secret"

Kubernetes Backend

For production multi-tenant deployments with gVisor isolation:

helm upgrade agentserver oci://ghcr.io/agentserver/charts/agentserver \
  --reuse-values \
  --set backend=k8s \
  --set opencode.runtimeClassName=gvisor \
  --set sandbox.namespace=agentserver

Building from Source

# Prerequisites: Go 1.26, Node.js, pnpm, bun

# Build everything (frontend + backend)
make build

# Build individual components
make backend          # Go binary → bin/agentserver
make frontend         # React frontend → web/dist/
make agent            # Local agent binary → bin/agentserver-agent
make agent-all        # Agent for all platforms (linux/darwin/windows, amd64/arm64)
make llmproxy         # LLM proxy binary → bin/llmproxy

# Docker images
make docker           # Main server image
make docker-agent     # Agent container image
make docker-llmproxy  # LLM proxy image
make docker-all       # All images

Contributing

# Terminal 1: Start backend
go run . serve --db-url "postgres://..." --backend docker

# Terminal 2: Start frontend dev server
cd web && pnpm install && pnpm dev

License

MIT

Documentation ¶

Overview ¶

Source Files ¶

View all Source files

main.go

Directories ¶

Path	Synopsis
cmd
agentserver-agent command
ilink-debug command Minimal iLink debug tool: QR login → poll → receive messages → dump & download media.	Minimal iLink debug tool: QR login → poll → receive messages → dump & download media.
imbridge command
llmproxy command
sandboxproxy command
internal
agent
auth
bridge
container
db
imbridge
imbridgesvc
llmproxy
mcpbridge Package mcpbridge implements a stdio MCP server that exposes agentserver agent discovery and task delegation as MCP tools for Claude Code.	Package mcpbridge implements a stdio MCP server that exposes agentserver agent discovery and task delegation as MCP tools for Claude Code.
namespace
process
sandbox
sandboxproxy
sbxstore
server
shortid
storage
tunnel
weixin
opencodeweb
web

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL