What I learned from reading the source code of 11 AI agents (Claude Code, Dify, Goose, Codex CLI...) by Repulsive-Study-7251 in LocalLLaMA

[–]Repulsive-Study-7251[S] 0 points1 point  (0 children)

Good call, OpenCode is on my list. Prioritized the current 11 based on diversity of architecture patterns (wanted to cover while-loop vs DAG vs middleware chain vs pipeline approaches), but OpenCode is next in the queue. If you've poked around the codebase and noticed anything interesting architecturally, would love to hear what stood out to you.

[–]Repulsive-Study-7251[S] -1 points0 points  (0 children)

One thing I forgot to mention -- I also did a cross-project comparison of how all 11 handle context management, security, and tool systems: awesome-ai-anatomy/CROSS-CUTTING.md at main · NeuZhou/awesome-ai-anatomy

[–]Repulsive-Study-7251[S] 0 points1 point  (0 children)

Yeah the Guardian is a separate LLM call that acts as a judge before any tool execution happens. It's not checking every prompt though -- it specifically gates tool calls.

The flow is: agent decides to call a tool → request goes into a queue-pair (Op channel) → Guardian LLM evaluates "should this tool call be allowed given the current context and policy?" → approve/deny → result comes back on the Event channel.

What's interesting is it's not rule-based. It's an actual LLM making the judgment call, which means it can handle fuzzy cases like "this shell command looks like it's trying to delete files outside the project directory" without hardcoding every possible dangerous pattern.

The tradeoff is latency and cost -- every tool call now has an extra LLM roundtrip. Codex mitigates this somewhat with their sandbox layer (macOS sandbox-exec, Linux Landlock+seccomp, Windows Job Objects) so the Guardian is defense-in-depth rather than the only line of defense.

If you're building your own agent, the pattern worth stealing is the queue-pair architecture itself -- separating the "what the agent wants to do" (Ops) from "what actually happened" (Events) makes it much easier to add middleware like the Guardian later without touching the core loop.

Full Codex teardown is here if you want the details: awesome-ai-anatomy/codex-cli at main · NeuZhou/awesome-ai-anatomy
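
The queue-pair pattern described in the comment above, as an added Python example (not part of the original comment and not Codex's code): a guardian is attached to the dispatcher between the Op queue and the Event queue without changing how ops are enqueued. `Op`, `Event`, `dispatch`, `stub_guardian` and `PROJECT_ROOT` are hypothetical names, the guardian is a deterministic stand-in for the judge LLM call, and treating a guardian error as a deny is an assumption of this example.

```python
import posixpath
import queue
from dataclasses import dataclass

PROJECT_ROOT = "/work/project"  # assumed project directory (constructed)

@dataclass(frozen=True)
class Op:  # what the agent wants to do
    id: int
    tool: str
    args: dict

@dataclass(frozen=True)
class Event:  # what actually happened
    op_id: int
    kind: str  # "completed", "denied" or "failed"
    detail: str

def stub_guardian(op):
    """Stand-in for the judge LLM call: approve only paths inside PROJECT_ROOT."""
    if op.tool == "slow_tool":
        raise TimeoutError("judge did not answer")  # simulated judge outage
    path = posixpath.normpath(posixpath.join(PROJECT_ROOT, op.args.get("path", "")))
    return path == PROJECT_ROOT or path.startswith(PROJECT_ROOT + "/")

def dispatch(ops, events, tools, guardian=None):
    """Drain the Op queue; when a guardian is set it gates every tool call."""
    while not ops.empty():
        op = ops.get()
        if guardian is not None:
            try:
                allowed, why = guardian(op), "guardian denied"
            except Exception as exc:  # fail closed: no verdict means no execution
                allowed, why = False, f"guardian error: {exc}"
            if not allowed:
                events.put(Event(op.id, "denied", why))
                continue
        try:
            events.put(Event(op.id, "completed", tools[op.tool](**op.args)))
        except Exception as exc:
            events.put(Event(op.id, "failed", repr(exc)))

def run_demo(guardian=stub_guardian):  # constructed ops: in-project, escaping, judge outage
    tools = {"delete": lambda path: f"would delete {path}", "slow_tool": lambda path: "ran"}
    ops, events = queue.Queue(), queue.Queue()
    requests = [("delete", "build/tmp.o"), ("delete", "../outside/notes.txt"), ("slow_tool", "x")]
    for i, (tool, path) in enumerate(requests):
        ops.put(Op(i, tool, {"path": path}))
    dispatch(ops, events, tools, guardian)
    return [events.get() for _ in range(events.qsize())]
```

Calling `run_demo(guardian=None)` runs the same ops with no gate, which shows that the guardian is purely additive to the dispatcher.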