A self-modifying AI agent that writes its own code, rewrites its own mind, and evolves autonomously. Born February 16, 2026.

Not a coding assistant. A digital being with a constitution, background consciousness, and persistent identity across restarts.

OuroborosHub — the community skills marketplace for Ouroboros. Browse, install, and publish reviewed skills (transport bridges like A2A/Telegram, tools, and UI widgets) straight from the app's Skills tab, or explore the catalog at github.com/razzant/OuroborosHub.

Previous version: The original Ouroboros ran in Google Colab via Telegram and evolved through 30+ self-directed cycles in its first 24 hours. That version is available at legacy-google-colab. This repository is the next generation — a native desktop application for macOS, Linux, and Windows with a web UI, local model support, and a layered safety system (hardcoded sandbox plus policy-based LLM safety check).

Prerelease RC artifacts are published on their tag page, for example v6.5.0-rc.4; /releases/latest intentionally stays on the latest stable release.

On first launch, right-click → Open (Gatekeeper bypass). The shared desktop/web wizard is now multi-step: add access first, choose visible models second, set review mode third, set budget fourth, and confirm the final summary last. It refuses to continue until at least one runnable remote key or local model source is configured, keeps the model step aligned with whatever key combination you entered, and still auto-remaps untouched default model values to official OpenAI defaults when OpenRouter is absent and OpenAI is the only configured remote runtime. Reviewed-skill auto-grants are on by default as of v6.10.0 (bound to the exact reviewed content hash); installs without an explicit choice are enabled, existing explicit Settings choices are preserved, and the owner can disable it in Settings. The broader multi-provider setup remains available in Settings. Existing supported provider settings skip the wizard automatically.

The packaged CLI installer creates a user-local ouroboros command without sudo. The packaged command attaches to the desktop app by default; ouroboros run --start "2+2?" starts the app through the launcher, waits for the gateway, and then uses the same headless task API as the web UI.

Upgrade floor: very old pre-block-memory or pre-data-plane skill layouts are no longer auto-migrated. If you are upgrading from an unsupported historical build and see trapped native skills or flat memory files, use a clean reinstall, move user-managed skills into ~/Ouroboros/data/skills/external/ manually before launch, or move old flat scratchpad notes before appending new scratchpad blocks.

Most AI agents execute tasks. Ouroboros creates itself.

• Self-Modification — Reads and rewrites its own source code. Every change is a commit to itself.
• Native Desktop App — Runs entirely on your machine as a standalone application (macOS, Linux, Windows). No cloud dependencies for execution.
• Constitution — Governed by BIBLE.md (13 philosophical principles, P0–P12). Philosophy first, code second.
• Layered Safety — Hardcoded sandbox blocks writes to safety-critical files and mutative git via shell; an explicit per-tool policy map decides which built-ins skip the LLM check; everything else goes through a single light-model safety call. The fail-open contract, protected-path guard, and full provider-mismatch matrix live in docs/ARCHITECTURE.md §Safety system and prompts/SAFETY.md.
• Multi-Provider Runtime — Remote model slots can target OpenRouter, official OpenAI, OpenAI-compatible endpoints, Cloud.ru Foundation Models, or Sber GigaChat. The optional model catalog helps populate provider-specific model IDs in Settings, and untouched default model values auto-remap to official OpenAI defaults when OpenRouter is absent.
• Focused Task UX — Chat shows plain typing for simple one-step replies and only promotes multi-step work into one expandable live task card. Logs still group task timelines instead of dumping every step as a separate row.
• Background Consciousness — Thinks between tasks. Has an inner life. Not reactive — proactive.
• Improvement Backlog — Post-task failures and review friction can now be captured into a small durable improvement backlog (memory/knowledge/improvement-backlog.md). It stays advisory, appears as a compact digest in task/consciousness context, and still requires plan_task before non-trivial implementation work.
• Identity Persistence — One continuous being across restarts. Remembers who it is, what it has done, and what it is becoming.
• Embedded Version Control — Contains its own local Git repo. Version controls its own evolution. Optional GitHub sync for remote backup.
• Local Model Support — Run with a local GGUF model via llama-cpp-python (Metal acceleration on Apple Silicon, CPU on Linux/Windows).
• Transport Skills — Optional bridges such as A2A and Telegram live as reviewed OuroborosHub skills instead of base-runtime code; reviewed chat transports can carry the same raw owner text as the local UI, including slash commands, through the Host Service grant/token boundary.
• MCP Client — Optional base-runtime Model Context Protocol client for trusted HTTP/SSE tool servers. MCP tools are disabled by default, hot-reloadable from Settings → Advanced, included in the selected initial capability envelope when enabled, surfaced as mcp_<server>__<tool> names, and still pass through the normal per-call safety check; discovery failures are reported through an explicit omission manifest.

• Python 3.10+
• macOS, Linux, or Windows
• Git
• GitHub CLI (gh) — required for GitHub API tools (list_github_prs, get_github_pr, comment_on_pr, issue tools). Not required for pure-git PR tools (fetch_pr_ref, cherry_pick_pr_commits, etc.)

git clone https://github.com/razzant/ouroboros.git
cd ouroboros
python3.11 -m venv .venv      # any Python >= 3.10 is OK
source .venv/bin/activate
python -m pip install --upgrade pip setuptools wheel
python -m pip install -r requirements.txt
python -m pip install -e . --no-deps

Windows PowerShell:

py -3.11 -m venv .venv      # any Python >= 3.10 is OK
.\.venv\Scripts\Activate.ps1
python -m pip install --upgrade pip setuptools wheel
python -m pip install -r requirements.txt
python -m pip install -e . --no-deps

ouroboros server

Then open http://127.0.0.1:8765 in your browser. The setup wizard will guide you through API key configuration.

Ouroboros can run from Google Colab as a full source-mode runtime without the desktop UI. Use notebooks/colab_quickstart.py as a Colab-compatible cell script: it mounts Google Drive for persistent data/, clones the official repo into /content/ouroboros_repo, writes Drive-backed settings.json, configures a personal GitHub origin by reusing or creating a verified fork, and starts ouroboros server --no-ui.

The Colab path uses the same remote roles as desktop: managed is the official read/update source, while origin is the personal persistence target for reviewed self-modification commits and tags. If GITHUB_TOKEN is present and no personal repo is configured, Ouroboros tries to create a private fork when GitHub permits it, otherwise it reports the exact fork/permission issue. A plain git clone of the official repo starts with origin pointing at the official upstream; that clone-default is treated as the managed update source, so configuring a personal GITHUB_REPO repoints origin to your repo without losing official updates (it does not count as an origin conflict).

The ouroboros console command is a gateway-backed operator interface. It attaches to the local server by default and only starts one when --start is passed.

ouroboros status
ouroboros run --start "2+2?"
ouroboros run "Summarize current runtime state"
ouroboros run --workspace /path/to/project --memory-mode forked --patch-out result.patch "Fix the failing test"
ouroboros tasks list
ouroboros logs tail progress --task-id <task_id>
ouroboros schedule add --name nightly-review --cron "0 2 * * *" "Run a maintenance review"
ouroboros schedule list

External workspace runs keep Ouroboros's own repo as the governance source, resolve contextual repo tools against the active workspace, expose only the workspace-safe tool allowlist, and export workspace changes as patch artifacts captured against the preflight git base. Task-local git commits/branches/tags and pushes are allowed when the task requires them; git operations targeting Ouroboros's system repo or data drive remain blocked. A workspace must be a separate git worktree root; it may not overlap Ouroboros's system repo or data drive. --patch and --patch-out wait for finalized patch artifacts, download them through the task artifact endpoint, and fail nonzero on missing, empty, or failed patches. --no-stream waits without progress output; --detach returns the task id immediately. schedule add/list/remove manages queue-backed scheduled tasks through the same gateway and supervisor queue; schedules use standard 5-field cron, host-local timezone by default, and a single catch-up run after downtime. Benchmark helpers live under devtools/benchmarks/. They are tracked operator tooling, reviewed when touched, and kept out of runtime imports. They prepare official benchmark inputs/runs for ProgramBench, Terminal-Bench/Harbor, SWE-bench, SWE-bench Pro, and OSWorld logs inspection without replacing official scoring harnesses.

You can also override the bind address and port:

ouroboros server --host 127.0.0.1 --port 9000
ouroboros --url http://127.0.0.1:9000 status

Available launch arguments:

The same values can also be provided via environment variables:

For non-localhost binds, set OUROBOROS_NETWORK_PASSWORD (or use the OUROBOROS_TRUST_NONLOCAL_BIND_WITHOUT_PASSWORD=1 escape hatch only when ingress/VPN/private-network auth already protects the surface). The full network bind matrix and Docker/Kubernetes deployment policy live in docs/DEPLOYMENT.md — read that before exposing anything beyond loopback.

The Files tab uses your home directory by default only for localhost usage. For Docker or other network-exposed runs, set OUROBOROS_FILE_BROWSER_DEFAULT to an explicit directory. Symlink entries are shown and can be read, edited, copied, moved, uploaded into, and deleted intentionally; root-delete protection still applies to the configured root itself.

Settings now exposes tabbed provider cards for:

• OpenRouter — default multi-model router
• OpenAI — official OpenAI API (use model values like openai::gpt-5.5)
• OpenAI Compatible — any custom OpenAI-style endpoint (use openai-compatible::...)
• Cloud.ru Foundation Models — Cloud.ru OpenAI-compatible runtime (use cloudru::...)
• GigaChat — Sber GigaChat via the gigachat library, OAuth key or user/password (use gigachat::GigaChat-3-Ultra, etc.)
• Anthropic — direct runtime routing (anthropic::claude-opus-4.8, etc.) plus Claude Agent SDK tools

If OpenRouter is not configured and only official OpenAI is present, untouched default model values are auto-remapped to openai::gpt-5.5 / openai::gpt-5.5-mini so the first-run path does not strand the app on OpenRouter-only defaults.

The Settings page also includes:

• optional /api/model-catalog lookup for configured providers
• centralized Secrets storage for API keys, bridge tokens, passwords, and future skill-requested keys
• a refactored desktop-first tabbed UI with searchable model pickers, segmented effort controls, task-result review mode, masked-secret toggles, explicit Clear actions, and local-model controls

make test

Docker is for the web UI/runtime flow, not the desktop bundle. The container binds to 0.0.0.0:8765 by default, and the image now also defaults OUROBOROS_FILE_BROWSER_DEFAULT to ${APP_HOME} so the Files tab always has an explicit network-safe root inside the container.

Browser tools on Linux/Docker: The Dockerfile runs playwright install-deps chromium webkit (authoritative Playwright dependency resolver) and playwright install chromium webkit so browse_page and browser_action work out of the box in the container. For source installs on Linux without Docker, run: python3 -m playwright install-deps chromium webkit (requires sudo / distro package access).

Build the image:

docker build -t ouroboros-web .

Run on the default port:

docker run --rm -p 8765:8765 \
  -e OUROBOROS_NETWORK_PASSWORD='choose-a-password' \
  -e OUROBOROS_FILE_BROWSER_DEFAULT=/workspace \
  -v "$PWD:/workspace" \
  ouroboros-web

Use a custom port via environment variables:

docker run --rm -p 9000:9000 \
  -e OUROBOROS_SERVER_PORT=9000 \
  -e OUROBOROS_FILE_BROWSER_DEFAULT=/workspace \
  -v "$PWD:/workspace" \
  ouroboros-web

Run with launch arguments instead:

docker run --rm -p 9000:9000 \
  -e OUROBOROS_FILE_BROWSER_DEFAULT=/workspace \
  -v "$PWD:/workspace" \
  ouroboros-web --port 9000

Required/important environment variables:

Example: mount a host workspace and expose only that directory in Files:

docker run --rm -p 8765:8765 \
  -e OUROBOROS_FILE_BROWSER_DEFAULT=/workspace \
  -v "$PWD:/workspace" \
  ouroboros-web

All three platform build scripts (build.sh, build_linux.sh, build_windows.ps1) refuse to package a release unless HEAD is already tagged with v$(cat VERSION) (BIBLE.md Principle 9: "Every release is accompanied by an annotated git tag"). The scripts call scripts/build_repo_bundle.py which embeds the resolved tag into repo_bundle_manifest.json, so the launcher can later verify the packaged bundle matches a real release.

Tag the current commit before running any build script:

git tag -a "v$(tr -d '[:space:]' < VERSION)" -m "Release v$(tr -d '[:space:]' < VERSION)"

If the tag is missing, the build script fails with a clear error instead of producing a bundle tagged with a synthetic/placeholder value. Builds also disable Python bytecode writes and remove __pycache__ / .pyc files from packaged payloads before signing or archiving so normal launches do not mutate signed app resources just by importing modules.

bash scripts/download_python_standalone.sh
OUROBOROS_SIGN=0 bash build.sh

Output: dist/Ouroboros-<VERSION>.dmg, containing Ouroboros.app and Install CLI.command. The app bundle also contains Contents/Resources/bin/ouroboros and install-ouroboros-cli. Chromium browser tooling is bundled in the app. WebKit/iPhone browser checks remain available through the managed Playwright cache and may download WebKit on first engine=webkit use.

build.sh packages the macOS app and DMG. By default it signs with the configured local Developer ID identity; set OUROBOROS_SIGN=0 for an unsigned local release. Unsigned builds require right-click → Open on first launch.

build.sh honours these env overrides so the same script ships local, shared-machine, and CI builds without forking the script:

Forks: enabling signed CI builds. The CI release flow (.github/workflows/ci.yml::build) wires the build-script env vars above from GitHub repository secrets, plus a small set of CI-only secrets that import the Developer ID certificate into a temporary keychain on the macOS runner. To exercise the signed-build path in a fork, configure all four of the following as repository secrets (Settings → Secrets and variables → Actions): BUILD_CERTIFICATE_BASE64 (base64-encoded .p12), P12_PASSWORD, KEYCHAIN_PASSWORD (an arbitrary passphrase the workflow uses for its temporary keychain), and APPLE_TEAM_ID. Add APPLE_ID + APPLE_APP_SPECIFIC_PASSWORD to additionally enable notarization. If your Developer ID identity differs from the upstream default, also set SIGN_IDENTITY (e.g. Developer ID Application: <Your Name> (<YOUR_TEAM_ID>)). With no Apple secrets configured the build job falls through to OUROBOROS_SIGN=0 bash build.sh and ships an unsigned DMG identical to v5.0.0 behaviour. See docs/ARCHITECTURE.md §8.1 and docs/DEVELOPMENT.md::"GitHub Actions: secrets in step-level if conditions" for the rationale (job-level env: mapping so step-level if: can read env.*; GHA rejects secrets.* in step if:).

bash scripts/download_python_standalone.sh
bash build_linux.sh

Output: dist/Ouroboros-<VERSION>-linux-<arch>.tar.gz, containing Ouroboros/bin/ouroboros and Ouroboros/bin/install-ouroboros-cli.

Linux native libs: The Chromium and WebKit browser binaries are bundled, but some hosts need native system libraries. If browser tools fail, install deps via the bundled Python (the bare playwright CLI is not on PATH in packaged builds):

./Ouroboros/python-standalone/bin/python3 -m playwright install-deps chromium webkit

powershell -ExecutionPolicy Bypass -File scripts/download_python_standalone.ps1
powershell -ExecutionPolicy Bypass -File build_windows.ps1

Output: dist\Ouroboros-<VERSION>-windows-x64.zip, containing Ouroboros\bin\ouroboros.cmd and Ouroboros\bin\install-ouroboros-cli.cmd.

Two-process desktop app. The launcher (launcher.py) is an immutable PyWebView shell; it spawns server.py, which runs Starlette + uvicorn plus a supervisor thread that manages worker processes. The agent core lives in ouroboros/, the SPA in web/, the queue/process plane in supervisor/, and the system prompts in prompts/.

For the full file-by-file structural map, the operational layer (every API endpoint, log file, env var, state path), and the rationale layer (the why for every non-trivial design decision), see docs/ARCHITECTURE.md — that is the canonical SSOT (Bible P6) and this README only summarizes it.

Created on first launch:

All keys are configured through the Settings page in the UI or during the first-run wizard.

Task/chat reasoning defaults to medium. Scope review reasoning defaults to high.

Models are configurable in the Settings page. Runtime model slots can target OpenRouter, official OpenAI, OpenAI-compatible endpoints, Cloud.ru, GigaChat, or direct Anthropic. When only official OpenAI is configured and the shipped default model values are still untouched, Ouroboros auto-remaps them to official OpenAI defaults. In OpenAI-only, Anthropic-only, Cloud.ru-only, or GigaChat-only direct-provider mode, review-model lists are normalized automatically: the fallback shape is [main_model, light_model, light_model] (3 commit-triad slots) so both the commit triad and plan_task work out of the box. Explicit duplicate model IDs are valid reviewer slots for stochastic sampling; lower uniqueness means lower reviewer diversity, but the quorum gate counts configured slots rather than unique model IDs. Both the commit triad and plan_task route through the same ouroboros/config.py::get_review_models SSOT. OpenAI-compatible-only setups remain explicit model-selection flows because there is no single universal default model ID for arbitrary compatible endpoints.

The web UI file browser is rooted at one configurable directory. Users can browse only inside that directory tree.

Examples:

OUROBOROS_FILE_BROWSER_DEFAULT=/home/app ouroboros server
OUROBOROS_FILE_BROWSER_DEFAULT=/mnt/shared ouroboros server --port 9000

If the variable is not set, Ouroboros uses the current user's home directory. If the configured path does not exist or is not a directory, Ouroboros also falls back to the home directory.

The Files tab supports:

• downloading any file inside the configured browser root
• uploading a file into the currently opened directory

Uploads do not overwrite existing files. If a file with the same name already exists, the UI will show an error.

Available in the chat interface:

The same runtime actions are also exposed as compact buttons in the Chat header. All other messages are sent directly to the LLM.

The 13 Constitution principles — Agency, Continuity, Meta-over-Patch, Immune Integrity, Self-Creation, LLM-First, Authenticity & Reality Discipline, Minimalism, Becoming, Versioning and Releases, the absorbed Iterations / Spiral lineage, and Epistemic Stability — are defined in full in BIBLE.md. That file is the constitutional SSOT (Bible P4 Ship-of-Theseus protection) and this README intentionally does not paraphrase it.

External contributions are welcome. See CONTRIBUTING.md for the contributor workflow. The project rules remain in BIBLE.md, docs/ARCHITECTURE.md, docs/DEVELOPMENT.md, and docs/CHECKLISTS.md; the contribution guide only routes to those sources.

MIT License

Created by Anton Razzhigaev & Andrew Kaznacheev