Are there any agentic coding harnesses that AREN'T built on JS and Node?
Posted by OUT_OF_HOST_MEMORY@reddit | LocalLLaMA | 80 comments
With how often we hear about supply-chain attacks on npm I am hesitant to install any apps that use it, let alone something like an agent harness that will run constantly unsupervised.
BidWestern1056@reddit
npcsh is initially based on python but there is a rust runner for it now too
https://github.com/npc-worldwide/npcsh
voronaam@reddit
Zed (zed.dev) has an agentic mode. It is quite a harness, it is more of AI-enabled IDE though
breadfruitcore@reddit
Zed's agent sucks, I used it a lot last year and had a ton of occurrences where the agent would rewrite entire files instead of using a properly targeted diff. I used it again a couple weeks ago and it still has the same problem.
voronaam@reddit
You do not have to use Zed's model. We are at /r/LocalLLama after all.
There is a tool to create a targeted diff, if the model you use is good enough it should've been able to use it.
breadfruitcore@reddit
It was Claude Sonnet, which never trips up in other harnesses. Also had similar problems with other models.
These days I just open up the terminal and run CC/Opencode instead of the ACP UI. Oftentimes certain terminal commands are not available in the UI. Not seamless but not a bad experience either.
Orion_will_work@reddit
I am using it right now, but it's missing so many features. Being an in-built agent, it doesn't even know the lines I selected in code, which cc in vscode knows. It fails while calling tools. I will switch back to vscode..
voronaam@reddit
If you select multiple lines in the editor and attempt copy-paste into the AI chat it will only paste the anchor (which file, which lines, not the content).
Selection is not propagated probably because Zed has complicated multi-buffer-multi-select thing going on (which I rarely use)
08148694@reddit
Absolutely hilarious that you are planning on having a constant running unsupervised agent and npm supply chain attacks are the things you’re worried about going wrong
crantob@reddit
Disagree. You can quite easily limit what an LLM has access to. You cannot audit millions of lines of code.
sn2006gy@reddit
Oddly enough you can use LLMs to help audit millions of lines of code (which most people don't need millions of lines of code to audit - even for a harness) but it is impossible to audit an LLM and if you limit what it has access to then you should be speaking in terms of MicroVMs or other ways to isolate it... Containers aren't that (which a lot of people are betting on)
Tagedieb@reddit
What about a separate user with limited access?
sn2006gy@reddit
that makes sense if you treat an agent like a human - it's just another user on a multi-user system. delegation to do work on your behalf becomes the next problem.
people who downvoted me don't realize LLMs are black boxes and probabilistic - much worse than code sitting in an NPM repo if that's what they're comparing against..
but whatever... ride that choo choo train
breadfruitcore@reddit
OP's trying to reduce the attack surface, which is not unwise.
LiveLikeProtein@reddit
It is actually really handy, you just need to sandbox it or run it on a cloud
OUT_OF_HOST_MEMORY@reddit (OP)
that's a very fair point lmao. I think I consider the risks of a clueless but not malicious agent lower than the risks of a potentially very malicious library
MoneyPowerNexis@reddit
Adding a search / http get tool means it could get adversarially prompted by the search results turning it into a malicious agent on your system especially if you get it to process data from places on the net where people would expect agents to be active.
HopePupal@reddit
you don't need to adversarially prompt to fool an LLM that's just googling shit and installing whatever looks okay from the first page of results. (or to fool a human.) you just need good SEO.
sn2006gy@reddit
You obviously haven't run any unsupervised agents yet
Foreign_Risk_2031@reddit
Most are python? They have the same risks.
OUT_OF_HOST_MEMORY@reddit (OP)
while I agree that python packages have the same risks technically, I feel like I hear about node based supply chain attacks WAY more frequently than any other (this may just be a surface area issue). I would also just prefer something with fewer libraries and packages that it depends on in general.
breadfruitcore@reddit
In case you didn't know, there was a recent massive supply chain attack with LLM packages in Python. Try browsing for "python litellm vulnerability".
wewerecreaturres@reddit
Npm is much larger
Mickenfox@reddit
Because JavaScript people don't know what a standard library is.
kyr0x0@reddit
It's not. Most of npm is unused. Python however .. just look at how every damn minor version brings its own dependency tree.. and the "fun" with CUDA is epic
I_HAVE_THE_DOCUMENTS@reddit
Take a minimal one that you like and then vibe code a clone of it in C.
RMK137@reddit
Yeah exactly. I've been meaning to write my own coding agent just to learn how it works. I might end up with something useful, who knows. I think I am gonna do it in Odin.
I've been keeping an eye on Late. I like its approach of Lead Architect as the main agent and coders as sub-agents. It's written in Go and the code is fairly easy to understand.
Red: https://github.com/mlhher/late
alonsonetwork@reddit
Plenty. Go, python, rust. For example.
All of them suffer the same problem. Supply chain attacks are a risk you face whenever you use a package manager hosted by someone else.
TheRealMasonMac@reddit
With Rust, at least, supply chain attacks are much less frequent because:
- Developers are more competent. The skill barrier of learning Rust weeds out a lot of unskilled developers.
- There is a culture of not updating dependencies unnecessarily for the major crates. Things are audited, tested, and only then applied.
I don't recall seeing anything on the scale of the average month of NPM in my six years with Rust.
_bones__@reddit
Sure buddy. Having seen the obscene amount of packages you need with cargo just to get a web server going, I wish any competent developer good luck figuring out where any library is actually coming from.
So any security vulnerabilities tend to remain unpatched, good to know. Any other expectation is mindless optimism.
Rust doesn't have the critical mass to make attacking it worth it, compared to npm.
TheRealMasonMac@reddit
Bad faith comment.
ProfessionalSpend589@reddit
I update opencode only on reinstall.
kyr0x0@reddit
He is right. Don't vote him down just because his opinion isn't yours.
crantob@reddit
Rust is another modern disease.
TheRealMasonMac@reddit
It's just a programming language, bro.
OUT_OF_HOST_MEMORY@reddit (OP)
You're right, but I feel like npm is disproportionately attacked (or at least reported on), so I'd prefer something more static (though that's probably the wrong word to use), with fewer dependencies and ideally without needing a package manager in general.
Dubious-Decisions@reddit
This is a lack of understanding around how to manage versions in package.json. Manage the lock file and it will always pull constant, approved versions when you rebuild. If you are just blindly pulling down the latest version of things, you're not doing it wisely. There are version numbers in there for a reason.
alonsonetwork@reddit
Don't use the ^ symbol in your package.json so you pin versions to a fixed version. Upgrade intentionally. The most popular will always be the most targeted. Don't limit yourself because of this.
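The two comments above describe two separate controls: exact versions in package.json (no `^`, `~`, `*` or dist-tags) and a lock file that records where each package came from and its content hash. The script below is an added example for this thread, not code from any project mentioned in it; it audits both files offline against constructed sample manifests. The `sha512-PLACEHOLDER` integrity value is a stand-in, not a real hash.

```python
"""Audit a Node project's dependency pinning offline.

Added illustration for this thread, not code from any project it mentions.
Check 1: package.json must declare exact versions, not floating ranges.
Check 2: every package-lock.json entry must carry "resolved" and "integrity",
so a reinstall (npm ci) fetches the same bytes and verifies them.
Both sample manifests below are constructed.
"""
import json
import re

# Exact semver: digits and dots, optionally a prerelease/build suffix. No ^ ~ * or tags.
EXACT_VERSION = re.compile(r"^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?$")


def unpinned_ranges(package_json: dict) -> dict:
    """Return {name: spec} for every dependency that is not an exact version."""
    bad = {}
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name, spec in package_json.get(section, {}).items():
            if not EXACT_VERSION.match(spec):
                bad[name] = spec
    return bad


def lock_problems(lockfile: dict) -> list:
    """Return lockfile (lockfileVersion 2/3 'packages' map) entries lacking resolved/integrity."""
    problems = []
    for path, entry in lockfile.get("packages", {}).items():
        if path == "":            # root project entry: nothing is downloaded for it
            continue
        if entry.get("link"):     # workspace symlink: local, nothing to verify
            continue
        missing = [k for k in ("resolved", "integrity") if k not in entry]
        if missing:
            problems.append(f"{path}: missing {', '.join(missing)}")
    return problems


# Constructed sample: one exact pin, two floating ranges, one dist-tag.
SAMPLE_PACKAGE_JSON = json.loads("""
{
  "dependencies": {
    "left-pad": "1.3.0",
    "express": "^4.18.2",
    "lodash": "~4.17.21"
  },
  "devDependencies": {
    "typescript": "latest"
  }
}
""")

# Constructed sample lock: one complete entry, one that lost its integrity hash.
SAMPLE_LOCK = json.loads("""
{
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo", "version": "0.0.1"},
    "node_modules/left-pad": {
      "version": "1.3.0",
      "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
      "integrity": "sha512-PLACEHOLDER"
    },
    "node_modules/express": {
      "version": "4.18.2",
      "resolved": "https://registry.npmjs.org/express/-/express-4.18.2.tgz"
    }
  }
}
""")

if __name__ == "__main__":
    for name, spec in unpinned_ranges(SAMPLE_PACKAGE_JSON).items():
        print(f"unpinned: {name} {spec!r}")
    for line in lock_problems(SAMPLE_LOCK):
        print(f"lock: {line}")
```

Point both functions at a real `package.json` and `package-lock.json` (via `json.load`) and install with `npm ci`, which refuses to run when the lock and manifest disagree; pinning without the lock still lets transitive dependencies float.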
anzzax@reddit
I'm watching how these agents evolve:
- https://github.com/docker/docker-agent
- https://github.com/charmbracelet/crush
gurilagarden@reddit
I know what you mean. I stopped driving my car because of all the fatal car accidents.
jakegh@reddit
Codex is built in rust.
LiveLikeProtein@reddit
Which Codex? The OpenAI ones, Codex cli is node and Codex desktop is Electron
jakegh@reddit
Incorrect, codex-cli is rust. It did start out ts, they completely rebuilt it.
HopePupal@reddit
Rust has nearly the same problems as JS/TS and Python. a lot of Rust apps have dependency trees that would be considered unhinged kleptomaniac shit by C++, Swift, or (most) JVM devs
kyr0x0@reddit
I busted out laughing like a maniac when I read "JVM" devs ;)) Have you ever been in a Java/Lot in project? My dear lord, would 99% of the projects compile for 30 mins because of the dependency tree xD
HopePupal@reddit
worked on big Java distributed computation systems for years, our dependencies were measured in tens, not hundreds, including transitive. think big ones from competent upstreams: Netty, Guava, Jackson, Kryo, protobufs, JNA bindings for various native compression implementations… we weren't pulling in shit like left-pad, i can tell you that.
also… if your build time is big specifically because you have a lot of dependencies, you're probably doing something wrong, like maybe your CI is too stupid to cache downloaded JARs, or your resolver is crap (lol Maven). but it's usually not the compiler proper. Java doesn't have WPO/LTO, type resolution isn't anywhere near the constraint solving nightmares in other languages, AOT isn't really a thing outside of Android and that happens on-device anyway… i mean, the more you have, the more Proguard or R8 have to do if you're using them, but again, not the compiler.
philmarcracken@reddit
holy shit even code can oxidize?
Risen_from_ash@reddit
Wow, so you can for real de-glass Tyson.
AgentME@reddit
You can configure npm to only install packages that are more than a day or two old: https://cooldowns.dev/#javascript-ecosystem. All of the recent major supply chain attacks across npm and Python's PyPI were found before the packages were out for a day, so this simple type of configuration would've kept you safe no matter the timing of when you installed things.
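The cooldown idea above is simple to state: never install a version that has been public for less than some number of days. The block below is an added example for this thread, not code from cooldowns.dev or from any package manager; it implements that policy over the shape of an npm registry package document (the `time` map of version to publish timestamp and the `versions` map), using a constructed document and a fixed "now" so it runs offline. Package name and dates are made up; in the sample, `2.1.1` plays the role of a release pushed hours ago.

```python
"""Pick the newest package version that has aged past a cooldown.

Added example for this thread, not from any package manager. Works on a
constructed copy of an npm registry package document: "time" maps each
version to its publish timestamp, "versions" lists versions still published.
"""
from datetime import datetime, timedelta, timezone


def parse_iso(ts: str) -> datetime:
    # Registry timestamps end in "Z"; fromisoformat wants an explicit offset.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def semver_key(version: str) -> tuple:
    """Sort key for plain major.minor.patch strings (prerelease suffix ignored)."""
    return tuple(int(p) for p in version.split("-")[0].split("."))


def eligible_versions(package_doc: dict, now: datetime, min_age: timedelta) -> list:
    """Published versions at least min_age old, oldest first."""
    published = package_doc.get("versions", {})
    aged = []
    for version, ts in package_doc["time"].items():
        if version in ("created", "modified") or version not in published:
            continue  # bookkeeping keys and unpublished versions are skipped
        when = parse_iso(ts)
        if when + min_age <= now:
            aged.append((when, version))
    return [v for _, v in sorted(aged)]


def pick_version(package_doc: dict, now: datetime, min_age: timedelta):
    """Newest stable version past the cooldown, or None if nothing qualifies."""
    stable = [v for v in eligible_versions(package_doc, now, min_age) if "-" not in v]
    return max(stable, key=semver_key) if stable else None


# Constructed registry document for a made-up package "demo-pkg".
NOW = datetime(2025, 1, 10, tzinfo=timezone.utc)
DEMO_DOC = {
    "name": "demo-pkg",
    "dist-tags": {"latest": "2.1.1"},
    "versions": {"2.0.0": {}, "2.1.0": {}, "2.1.1": {}, "3.0.0-rc.1": {}},
    "time": {
        "created": "2024-01-01T00:00:00.000Z",
        "modified": "2025-01-09T18:00:00.000Z",
        "2.0.0": "2024-12-31T00:00:00.000Z",      # 10 days old
        "3.0.0-rc.1": "2024-12-20T00:00:00.000Z", # prerelease, never auto-picked
        "2.1.0": "2025-01-07T00:00:00.000Z",      # 3 days old
        "2.1.1": "2025-01-09T18:00:00.000Z",      # 6 hours old: "latest", but too fresh
    },
}

if __name__ == "__main__":
    for days in (2, 7, 30):
        print(days, "day cooldown ->", pick_version(DEMO_DOC, NOW, timedelta(days=days)))
```

Note that `dist-tags.latest` is deliberately not consulted: a hijacked release is exactly the one that would be tagged latest, so the choice is driven by publish age, not by the tag.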
_p00@reddit
Nice.
AdventurousSwim1312@reddit
Try building one in python from scratch, it's surprisingly simple to reach a usable state, and on the plus side you get full mastery of how it works, so you can update it as you please (no more memory update that suddenly break all your workflows).
Cosmicdev_058@reddit
Totally feel that. The fix is less about a better model and more about the orchestration layer, prompt chaining, context management, and evaluation pipelines that catch drift. LangChain or DSPy if you want to build it yourself, or platforms like Orq.ai that ship prompt versioning, evals, and tracing as one stack.
Cosmicdev_058@reddit
Totally get the npm hesitation. Aider is Python, that is probably your best fit for a coding harness specifically. For general agent frameworks in Python, LangChain, AutoGen, CrewAI, and DSPy are the main options.
evia89@reddit
use code like this to minimize chain attack risk of uv and npm to 1%
OffBeannie@reddit
Codex is using Rust.
lastesthero@reddit
The supply-chain concern is fair but the JS/Node distinction isn't the lever that solves it. Most agentic harnesses regardless of language pull a transitive dependency graph in the hundreds-to-thousands range; the difference is whether package.json shows you 5 direct deps or 500. The actual attack surface is similar.
The levers that move the needle: pin lockfiles, run with no internet egress except your model endpoint, and put the harness in a container with the host filesystem mounted read-only except for one workspace dir. I run mine under a podman policy that does exactly that — the agent can scribble in the workspace, can't reach anywhere else.
Rust harnesses are nicer if you also want fewer packages by count, but a malicious crates.io package and a malicious npm package have the same blast radius once the binary runs as your user. The xz incident is the canonical reminder that language doesn't save you, sandboxing does.
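The container policy sketched above (read-only host, one writable workspace, no egress) maps onto a specific set of `podman run` flags. The block below is an added example for this thread, not lastesthero's actual policy; it builds that command line and refuses to mount the home directory or any of its ancestors as the workspace. The image name and the `/work` mount point are assumptions. Limiting egress to a single model endpoint is not something `podman run` does by itself, so the example uses `--network=none` and leaves allow-listing a remote endpoint to a host firewall or proxy.

```python
"""Compose a locked-down `podman run` command for an agent harness.

Added example for this thread; not any project's code. Produces argv for a
container with a read-only root, a single read-write workspace mount, no
capabilities, no privilege escalation, PID and memory caps, and (by default)
no network interfaces. Image name and mount point are assumptions.
"""
import shlex
import tempfile
from pathlib import Path

HOME_DIR = str(Path.home())


def workspace_is_acceptable(workspace: str) -> bool:
    """Reject non-directories, the home directory itself, and any ancestor of it (/, /home)."""
    ws = Path(workspace).resolve()
    home = Path.home().resolve()
    if not ws.is_dir():
        return False
    return ws != home and ws not in home.parents


def sandbox_argv(workspace: str, image: str, cmd: list, allow_network: bool = False) -> list:
    """Return the podman argv; raises ValueError rather than exposing a bad workspace."""
    if not workspace_is_acceptable(workspace):
        raise ValueError(f"refusing to mount {workspace} as the agent workspace")
    ws = Path(workspace).resolve()
    argv = [
        "podman", "run", "--rm", "--interactive", "--tty",
        "--read-only",                                   # root filesystem immutable
        "--tmpfs", "/tmp:rw,nosuid,noexec,size=256m",    # scratch space, not executable
        "--cap-drop=ALL",                                # no Linux capabilities at all
        "--security-opt=no-new-privileges",              # setuid binaries cannot escalate
        "--pids-limit=256",
        "--memory=2g",
        "--userns=keep-id",                              # rootless: files stay owned by you
        "-v", f"{ws}:/work:rw",                          # the one writable path (add ",Z" on SELinux hosts)
        "-w", "/work",
    ]
    if not allow_network:
        argv.append("--network=none")                    # no interfaces: no egress, no exfil
    argv.append(image)
    argv.extend(cmd)
    return argv


def demo() -> list:
    """Build the command for a throwaway workspace; image and command are placeholders."""
    ws = tempfile.mkdtemp(prefix="agent-ws-")
    return sandbox_argv(ws, "localhost/agent-harness:dev", ["my-agent", "--task", "summarise repo"])


if __name__ == "__main__":
    print(shlex.join(demo()))
```

Run the printed command with the real image and workspace; the shell quoting from `shlex.join` is safe to paste. If the harness must reach a remote model, keep `allow_network=False` and front the endpoint with a host-side proxy that is the only destination the firewall permits from the container.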
Glittering-Wall-8445@reddit
Forge Code is rust. Scores high on terminal bench https://www.tbench.ai/leaderboard/terminal-bench/2.0
kevin_1994@reddit
Just don't use npm. The reality is that all package managers for any language have risks. If you don't like the risk, just build everything from scratch. I've done it before for financial clients and it's not that hard. Nowadays with LLMs it should be way easier lol. Don't have to reinvent like websockets or something, qwen can do that easily
kyr0x0@reddit
Right. That's what I'm preaching every day. And you'll be learning a lot doing so. It should be part of a CS degree to build a Compiler and an OS.
SnooPaintings8639@reddit
What language do you code in? I mean, each has its own security quirks, but I am guessing it's Python/JS/Rust, i.e. the common ones. If you pick the one which is based on the same stack as your apps, then you're not introducing any "new" attack vectors anyway.
Although... I'd suggest a different path. Keep the best coding agent you can, and make it sandboxed. If you're on Linux then a dedicated user is enough to address 99% of the risks, if Windows, then you'll probably need a dev container.
OUT_OF_HOST_MEMORY@reddit (OP)
C/C++ mainly, and I'll be honest I wouldn't trust a harness written in them either
llitz@reddit
I am sure c and c++ have had hijacks... Didn't we have the xz just not too long ago?
As someone who always dealt with C and C++, node and python have never been my preference.
That said, things in npm land are caught quickly. Odds are we have a few problematic packs around different ecosystems, they just haven't been caught.
MrSomethingred@reddit
Worrying about supply chain risk in npm while using an LLM Code agent is certainly A threat model
DangKilla@reddit
Your own registry. There are solutions out there like Github Packages.
o0genesis0o@reddit
Write your own, then. If necessary, get claude code with whatever decent cloud model to build it for you. You only need pydantic, openAI SDK and/or anthropic SDK (or even raw httpx calls if you're so inclined), and maybe textual if you want to have nicer TUI.
At the heart of it, it's just a loop with callbacks and interrupts. If you want to support skills and agents md, get your coding agent to read the spec and implement.
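"A loop with callbacks and interrupts" is the whole skeleton, and the block below is an added example of it for this thread, not code from any harness mentioned here and not using a real model SDK: `ScriptedModel` stands in for the LLM with a fixed sequence of turns so the loop runs offline. The parts worth copying are the defensive ones the discussion keeps circling: tools come only from an explicit allowlist, every file path is resolved and must stay inside the workspace, tool errors are returned to the model rather than crashing the loop, and the loop stops at `MAX_STEPS` or on a final answer. The tool names, turn format and workspace layout are assumptions.

```python
"""Minimal agent loop: model turn -> tool call -> observation -> repeat.

Added example for this thread; ScriptedModel replaces a real LLM so it runs
offline. Tool names, turn format and sample workspace are assumptions.
"""
import tempfile
from pathlib import Path

MAX_STEPS = 8  # hard cap so a confused model cannot loop forever


class ToolError(Exception):
    pass


def resolve_in_workspace(workspace: Path, rel: str) -> Path:
    """Resolve rel against the workspace and refuse anything that escapes it (.., symlinks)."""
    target = (workspace / rel).resolve()
    if target != workspace and workspace not in target.parents:
        raise ToolError(f"path escapes workspace: {rel}")
    return target


def make_tools(workspace: Path) -> dict:
    """The allowlist: only these callables are reachable from a model turn."""
    def read_file(path: str) -> str:
        return resolve_in_workspace(workspace, path).read_text()

    def write_file(path: str, content: str) -> str:
        p = resolve_in_workspace(workspace, path)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content)
        return f"wrote {len(content)} bytes"

    def list_dir(path: str = ".") -> list:
        return sorted(x.name for x in resolve_in_workspace(workspace, path).iterdir())

    return {"read_file": read_file, "write_file": write_file, "list_dir": list_dir}


class ScriptedModel:
    """Stand-in for an LLM: each turn is {"tool": name, "args": {...}} or {"final": text}."""
    def __init__(self, turns: list):
        self.turns = list(turns)
        self.transcript = []  # every observation the "model" received, in order

    def next_turn(self, observation: dict) -> dict:
        self.transcript.append(observation)
        return self.turns.pop(0) if self.turns else {"final": "out of scripted turns"}


def run_agent(model, tools: dict, task: str) -> dict:
    observation = {"task": task}
    for step in range(MAX_STEPS):
        turn = model.next_turn(observation)
        if "final" in turn:
            return {"status": "done", "answer": turn["final"], "steps": step}
        fn = tools.get(turn.get("tool"))
        if fn is None:  # unknown or disallowed tool: report, never improvise
            observation = {"error": f"tool not allowed: {turn.get('tool')}"}
            continue
        try:
            observation = {"result": fn(**turn.get("args", {}))}
        except (ToolError, OSError, TypeError) as e:
            observation = {"error": str(e)}  # the interrupt path: back to the model
    return {"status": "step_limit", "steps": MAX_STEPS}


def demo():
    """Constructed run: a README to summarise, plus two turns the harness must refuse."""
    ws = Path(tempfile.mkdtemp(prefix="agent-demo-")).resolve()
    (ws / "README.md").write_text("hello\n")
    script = [
        {"tool": "list_dir", "args": {}},
        {"tool": "read_file", "args": {"path": "README.md"}},
        {"tool": "read_file", "args": {"path": "../../etc/passwd"}},   # must be blocked
        {"tool": "run_shell", "args": {"cmd": "id"}},                  # not on the allowlist
        {"tool": "write_file", "args": {"path": "notes/summary.txt", "content": "hello\n"}},
        {"final": "summarised README into notes/summary.txt"},
    ]
    model = ScriptedModel(script)
    result = run_agent(model, make_tools(ws), "summarise the repo")
    return result, model.transcript


if __name__ == "__main__":
    result, transcript = demo()
    print(result)
    for obs in transcript:
        print(" ", obs)
```

Swapping `ScriptedModel` for a real client means turning the chat completion's tool call into the same `{"tool", "args"}` dict; nothing in `run_agent` needs to change, and the path check and allowlist stay between the model and the filesystem.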
SourceCodeplz@reddit
Great points! Dunno why you are getting downvoted
o0genesis0o@reddit
Maybe people just don't trust themselves enough to have a go at building their own agent. IMHO, it's a good exercise for both beginner and relatively experienced developers. Very simple, but could be endlessly complex. And very educational.
blackhawk00001@reddit
Install and run it in a docker sbx shell.
crantob@reddit
Great question. Node is like taking an AIDS suppository, or systemd.
Evening_Ad6637@reddit
I was looking for an agent that is not written in js or python, but couldn’t find really good ones. Well there are some agents in rust, but i am not familiar with rust and wanted to understand the code and how the agent works. I thought why not write my own agent.. there now I am working on an agent in golang, but I still need some time and it will be very basic initially.
Thigh_Clapper@reddit
On the little-coder repository, they started with python and swapped to node very quickly. I’d be curious to hear their reasoning, but if you want a reference check out commit 424f7a4b9f9214a36a6bcb69e1f3435ca3e68d03 over there.
Pleasant-Shallot-707@reddit
https://github.com/Dicklesworthstone/pi_agent_rust
false79@reddit
.... you don't have to install via npm. You can always pull the code down and build it locally.
OUT_OF_HOST_MEMORY@reddit (OP)
you know, I'll be honest I didn't think about that...
Top-Rub-4670@reddit
This doesn't make any sense. To build it locally it will pull hundreds if not thousands of packages from npm anyway...
There has never been, in the entire history of node-based projects, a standalone non-trivial project that didn't eventually pull 3000 dependencies. Not once.
That's just how it is with node. Accept the supply chain risk, or don't use it.
You'll have the same issues with Python (pypi had its fair share of supply chain attacks) and Rust (they thought npm was a great model to copy), the other two languages likely to be used to build harnesses.
Both_Opportunity5327@reddit
I don't use Node because I just hate the amount of libraries it pulls down.
With the advent of agentic coders no need to use it.
Dubious-Decisions@reddit
Then why would you care? If the agent manages it all, it's a black box for you.
schneeble_schnobble@reddit
https://github.com/srothgan/claude-code-rust go check it out.
Parzival_3110@reddit
The bigger filter for me would be dependency surface and permission boundaries, not runtime. A boring Python tool with a huge transitive graph is not safer than a small Node one.
TFYellowWW@reddit
Wouldn’t Hermes-agent be considered what you are looking for? It’s based in Python I believe
RealisticNothing653@reddit
Mistral Vibe. It isn't super fancy but it's decently customizable.