What it is
A meta-harness. Omnigent doesn’t ship its own agent loop — it wraps the agents you already use (Claude Code, Codex, Cursor, Kimi, Pi, Goose, Qwen, OpenCode, plus YAML-defined customs) and gives them one shared session, one governance layer, and one set of cloud sandboxes. The real reasoning loop stays inside each wrapped CLI; Omnigent owns everything around it. For anyone building an orchestration layer over coding agents, this is the closest analogue in the corpus — and the single most relevant codebase here for Swisscheese.
What’s worth studying
Omnigent solves the problem most multi-agent projects dodge: how do you orchestrate agents you didn’t write and can’t fork?
- Inject without owning. Each wrapped agent gets a
*_native*bridge family that attaches to the agent’s real CLI through whatever seam it exposes — tmux bracketed-paste + an MCP stdio server for Claude, a JSON-RPC app-server for Codex, HTTP+SSE for OpenCode, transcript-tailing of vendor JSONL/SQLite for Cursor/Goose/Kimi. Eleven agents, zero forks. The lesson: you integrate at the protocol the agent already speaks, not one you wish it spoke. See inject-without-owning. - Everything is a child session. Delegating to a sub-agent, asking a second agent to review the first, even
web_fetch— all reduce to the same primitive: post to a child conversation, end your turn, get woken by the inbox when it finishes. No bespoke RPC per feature. Because the unit of work is a conversation, every sub-task is shareable, resumable, and forkable for free. See everything-is-a-child-session. - Two gates that never collapse. A policy
ALLOWdeliberately emits “no opinion,” not “allow,” so the deployment’s policy gate and the human’s consent prompt stay orthogonal — an org can block an action but can never silently approve one on the user’s behalf. Policies layer in three scopes (session → agent → server) and can only ever tighten. See two-gates-never-collapsed. - The budget cap is a downgrade gate, not a kill switch. Hit your spend limit and Omnigent denies tool calls only while you’re on an expensive model — switch to a cheaper one with
/modeland you keep going. A guardrail that degrades gracefully is one people leave switched on. See cost-cap-as-downgrade-gate. - Secretless sandboxes. Code in a sandbox authenticates to GitHub or an LLM API without ever holding the credential: a MITM egress proxy on the parent side injects the real
Authorizationheader outbound, so nothing credential-shaped crosses the isolation boundary. See secretless-credential-proxy.
A sixth pattern is more methodology than trick: cross-vendor review by construction. In the bundled Polly/Scribe agents, the reviewer must run a different executor.harness than the writer, is handed only the diff and the contract (never the worktree), can report but not edit, and single-vendor availability is a hard refusal condition. That is a writer→reviewer→fixer pipeline encoded as a spec invariant.
Drill-down
The full per-doc analysis lives below — these are the original numbered analyses, rendered as styled HTML. Pick a section to study deeper.