Finally, a grumbo-compatible agent orchestrator. The fleeb juice is included.
Glorbo is a self-hosted agent orchestration platform that models companies as real organisations — org charts, goals, budgets, governance, chat — and runs AI agents as employees inside kernel-level sandboxes.
Like Obsidian, but for your agents. Everything is markdown. Everything is a
file. No cloud, no SaaS, no Kubernetes — just a folder, some bwrap sandboxes,
and an Elixir process.
```
~/.glorbo/
├── glorbo                        # Single binary. That's the app.
├── glorbo.db                     # SQLite index. Rebuildable.
└── companies/acme/
    ├── company.md                # Mission, budget, settings
    ├── agents/ceo/AGENT.md       # Identity, permissions, model
    ├── channels/general.md       # Append-only chat logs
    ├── projects/<slug>/tasks/
    └── audit/2026-04.jsonl       # Append-only. Never modified.
```
Back up with tar. Version-control with git. Move with scp. Debug with
cat.
Screenshots (images not reproduced): `/companies`; `/companies/<co>` (rollups, roster, org chart); `/companies/<co>/kanban`; `/companies/<co>/agents/<slug>`; `/companies/<co>/inbox` (unified approvals); `/providers` (CLI + native registry).
Terminal phosphor aesthetic — monospace, OKLCH tokens, lowercase-slash panel headers. No JS framework, no CSS build step.
- Filesystem-first. Agents, tasks, chat, permissions, goals, and audit logs are markdown + JSONL on disk. SQLite is a rebuildable index (`glorbo reindex`).
- Kernel-sandboxed agents. Every wake is a fresh `bwrap` process with user/IPC/PID/net/UTS namespaces unshared and `--cap-drop ALL`. Nothing escapes the bind-mount list.
- Two provider kinds. CLI adapters for `claude`, `gemini`, `codex`, `opencode`, `hermes`, `pi`, etc., plus native OpenAI-compatible endpoints (`openai`, `openrouter`, drop-in LM Studio / Ollama / llama.cpp / LocalAI / vLLM via `glorbo detect-providers` + `+ enable`). See GEP-32.
- Budget governance. Per-agent AND per-company monthly budgets in frontmatter; dispatch refuses at 100%, warns at 80%.
- Permission model. Declared in `AGENT.md`, enforced at both the Elixir router AND the kernel via bwrap mounts. No bind-mount → no access.
- Real-time dashboard. Phoenix LiveView at `http://127.0.0.1:4000`. Inotify repaints in under a second.
- Approval + audit trail. Tasks can require Director approval. Every decision writes a structured `YYYY-MM.jsonl` row.
- Task chain observability. Every `assigned_to:` flip appends to the task's `handoff_chain:` frontmatter; the `/companies/:co/tasks/:id/chain` view reconstructs the full multi-agent route with drift detection against the audit log (GEP-40).
- Peer-review gate, auto-dispatched. Tasks flagged `severity: major|critical` — or any task whose author opts in with `peer_review_required: true` — route through the `critiqueops` reviewer before Director approval can clear; the gate drops a wake sentinel into the reviewer's inbox so the review actually fires without manual intervention. Three-way verdict (approve/revise/block) is append-only per task; `revise` rounds the loop back to the original assignee with notes (GEP-41 + GEP-42).
- Single Director write-channel. Every filesystem mutation the Director-facing LiveViews can make flows through `Glorbo.Actions.*` modules with slug validation, atomic writes, threat-model-appropriate symlink guards, and audit emission before the `File.*` call lands — enforced by a Credo ratchet that rejects raw writes under `lib/glorbo_web/live/` (GEP-36).
- Optional git history. `glorbo history init` opts the home tree into a derivative git repo with a tracked-scope `.gitignore` (durable state only; secrets, derived data, and per-agent transport dirs excluded). Every host-side write (Director or agent) lands as a kernel-committed commit with actor provenance; manual filesystem edits flow through the watcher fallback as `External` commits. CLI: `glorbo history {status, log, show, diff, restore}` (GEP-33).
- Portable. `glorbo backup | scp | glorbo restore` reproduces a working install on a fresh host.

Requirements:

- `bubblewrap` (`bwrap`), `passt` (for enforced `network: proxy`), `inotify-tools`.
- Ubuntu 24.04 / Debian 13: an unconfined AppArmor profile for `/usr/bin/bwrap` (template in `.github/workflows/ci.yml`).
- Either a provider CLI on `$PATH` or a native credentials file (see below).

glorbo doctor checks and, with --fix, repairs what it can.
Homebrew (Linux x86_64 / aarch64):

```bash
brew tap foobarto/tap
brew install glorbo
glorbo init
```

Manual:

```bash
curl -L https://github.com/foobarto/glorbo/releases/latest/download/glorbo-linux-$(uname -m) \
  -o ~/.local/bin/glorbo
chmod +x ~/.local/bin/glorbo
glorbo init
```

macOS (Intel + Apple Silicon):

```bash
brew tap foobarto/tap
brew install glorbo
glorbo init
```

Both Mach-O binaries are built by CI via Burrito's Zig-based cross-compile from a Linux runner — no GHA macOS runners needed. On the target Mac, bwrap has no equivalent, so agents run unsandboxed with a one-time `agent.sandbox_unavailable` audit per company boot; every other feature (dashboard, routing, scheduling, approval gates, MCP server, audit log) matches Linux. FSEvents powers the watcher, and the Burrito binary bundles its own BEAM runtime.

Windows — run the Linux binary inside WSL2. No native Windows port planned (bwrap / inotify / user namespaces).
Native provider credentials:

```bash
mkdir -p ~/.local/etc/glorbo/credentials && chmod 700 $_
cat > ~/.local/etc/glorbo/credentials/openai.toml <<'EOF'
api_key = "sk-..."
EOF
```

Then point an agent at `provider: openai` (or `openrouter`) in `AGENT.md`. The native tool catalog is `read_file` / `write_file` / `edit_file` / `glob` / `grep` / `bash` / `web_fetch`. See GEP-32 for the contract.

Or auto-detect a local server:

```bash
glorbo detect-providers   # probes ollama, llama.cpp, LocalAI, vLLM, LM Studio
```

Edit `~/.glorbo/companies/acme/agents/ceo/AGENT.md`:

```markdown
---
kind: agent/v1
slug: ceo
role: Chief Executive Officer
provider: claude-code          # or openai / openrouter / ...
model: claude-sonnet-4-5
network: proxy                 # none | proxy | open
budget:
  monthly_usd: 100.00
heartbeat: "*/30 * * * *"
permissions:
  - projects:read:*
  - projects:write:*
  - tasks:create:*
  - agents:message:*
  - chat:write:*
---
You are the CEO of {{ company.name }}. Your mission: {{ company.mission }}.
```

```bash
glorbo up                      # Detached daemon — dashboard at http://127.0.0.1:4000
glorbo status
glorbo logs acme ceo --follow
glorbo down
```

To run as a user-level systemd service that survives shell sessions:

```bash
glorbo install                         # writes ~/.config/systemd/user/glorbo.service + enable --now
sudo loginctl enable-linger "$USER"    # optional — survive logout
glorbo uninstall                       # disable + remove the unit (keeps ~/.glorbo intact)
```

```
glorbo init [--force] [--no-example]      Bootstrap ~/.glorbo/ and verify deps
glorbo up | down | status | serve         Daemon lifecycle
glorbo install [--force] [--no-start]     Install user-systemd service (Linux)
glorbo uninstall                          Remove user-systemd service
glorbo new company|agent|project|skill    Scaffold
glorbo doctor [--fix]                     Verify host prerequisites
glorbo detect-providers [--json]          Probe localhost for native providers
glorbo validate [PATH]                    Check files against FileSpec (GEP-25)
glorbo fmt [PATH] [--write]               Normalise frontmatter (GEP-25)
glorbo reindex                            Rebuild SQLite index from filesystem
glorbo backup | restore                   tar.gz roundtrip
glorbo logs <co> [agent] [--follow]       Tail audit or stdout
glorbo console                            iex --remsh into the running daemon
glorbo help [<verb>]
```

The built-in glorbo harness subcommand is the internal native-provider
runtime invoked inside bwrap (GEP-32); Directors don't call it directly.
Director + agents. You are the Director. You own companies. Agents work for you. The CEO agent is just the first employee.
Inbox / outbox. Agents write to their outbox/; Glorbo routes via the
Elixir router (permission-checked, atomic) into the recipient's inbox/ or
a channel file. Agents never touch each other's directories directly.
Execution. An event (inbox item, heartbeat cron, channel mention) wakes
an agent. Glorbo composes a bwrap argv from the agent's permissions +
network policy, invokes the provider CLI or glorbo harness inside the
sandbox with the prompt on stdin, and reads the answer from
$GLORBO_REPLY_PATH when the process exits. Native providers additionally
emit usage.json for token accounting and per-tool audit events.
Sandboxing baseline:

```
--die-with-parent --unshare-user-try --unshare-ipc --unshare-pid
--unshare-uts --unshare-cgroup-try --new-session --cap-drop ALL
```

Plus workspace rw, outbox rw, inbox ro, per-permission mounts from `AGENT.md`, and provider credentials bind-mounted ro with the right env redirect (`CLAUDE_CONFIG_DIR`, `CODEX_HOME`, `GLORBO_NATIVE_CREDENTIALS_PATH`).

Network policy:

```
network: none     # --unshare-net (no egress possible)
network: proxy    # Linux: pasta-wrapped, only the Glorbo proxy port visible
network: open     # Inherits host netns
```

Two-layer permissions. The kernel layer is the bwrap mount list: denied paths are simply not mounted. The Elixir router enforces the same rules as belt-and-braces for cross-directory transfers.
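
An added example (not Glorbo's own code) of auditing a launched sandbox against the baseline, mount rules and `network: none` mapping described above, for instance from the bytes of `/proc/<pid>/cmdline`. The sample paths, the `--` separator and the assumption that the inbox destination path has an `inbox` component are illustrative, not taken from the project.

```python
# Added example: flag names are from this page; sample paths and the "inbox"
# destination naming are assumptions made for illustration.
from pathlib import PurePosixPath

BASELINE = ("--die-with-parent", "--unshare-user-try", "--unshare-ipc",
            "--unshare-pid", "--unshare-uts", "--unshare-cgroup-try",
            "--new-session")
RW_BINDS = ("--bind", "--bind-try", "--dev-bind", "--dev-bind-try")


def split_cmdline(raw: bytes) -> list[str]:
    """Turn the NUL-separated bytes of /proc/<pid>/cmdline into an argv list."""
    return [part.decode("utf-8", "replace") for part in raw.split(b"\0") if part]


def audit(argv: list[str], network: str) -> list[str]:
    """Return findings for one sandbox launch; an empty list means it conforms."""
    # Inspect bwrap's own options only: stop at a "--" separator when present.
    opts = argv[:argv.index("--")] if "--" in argv else list(argv)
    findings = [f"missing {flag}" for flag in BASELINE if flag not in opts]
    drops = [opts[i + 1] for i, o in enumerate(opts[:-1]) if o == "--cap-drop"]
    if "ALL" not in drops:
        findings.append("missing --cap-drop ALL")
    for i, opt in enumerate(opts):
        if opt == "--cap-add" and i + 1 < len(opts):
            findings.append(f"capability re-added: {opts[i + 1]}")
        # RW bind syntax is OPTION SRC DEST; the inbox must only be mounted ro.
        if opt in RW_BINDS and i + 2 < len(opts):
            if "inbox" in PurePosixPath(opts[i + 2]).parts:
                findings.append(f"inbox mounted read-write at {opts[i + 2]}")
    # network: none maps to --unshare-net; --share-net would undo it.
    if network == "none" and ("--unshare-net" not in opts or "--share-net" in opts):
        findings.append("network: none but the net namespace is shared")
    return findings


# Constructed sample launches (paths are hypothetical).
HOME = "/home/u/.glorbo/companies/acme/agents/ceo"
GOOD = split_cmdline(b"\0".join(s.encode() for s in [
    "bwrap", *BASELINE, "--cap-drop", "ALL", "--unshare-net",
    "--bind", f"{HOME}/workspace", "/workspace",
    "--bind", f"{HOME}/outbox", "/outbox",
    "--ro-bind", f"{HOME}/inbox", "/inbox", "--", "claude"]))
BAD = [a for a in GOOD if a not in ("--unshare-pid", "--unshare-net")]
BAD[BAD.index("--ro-bind")] = "--bind"
BAD[1:1] = ["--cap-add", "CAP_NET_RAW"]

if __name__ == "__main__":
    print(audit(GOOD, "none"), audit(BAD, "none"), sep="\n")
```

The `network: proxy` case is not checked here because the page does not show how the pasta wrapper appears in the argv.
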
| Component | Technology |
|---|---|
| Orchestration | Elixir / OTP |
| Dashboard | Phoenix LiveView |
| Agent Runtime | bwrap(1) + provider CLI OR glorbo harness |
| LLMs | CLI (claude, gemini, codex, ...) or OpenAI-compatible endpoint |
| Filesystem | inotify + file_system (FSEvents on macOS) |
| Database | SQLite (via ecto_sqlite3) |
| Config / Data | Markdown + YAML frontmatter |
| Audit | JSONL files (append-only) |
| Binary | Burrito + bundled ERTS |
- docs/DESIGN.md — full living architecture.
- docs/geps/ — Glorbo Enhancement Proposals (numbered, append-only design records). Start with GEP-1, GEP-2, and the Zen of Glorbo.
- docs/architecture.md — module map + graph caveats (read before greping 200+ modules).
- CHANGELOG.md — full release history.
Pre-1.0. Latest release v0.20.0 (2026-05-04). APIs, CLI flags, on-disk
layout, and SQLite schema may change between minor versions. See
CHANGELOG.md for the full release trail; see
docs/geps/ for which GEPs are Draft / Accepted /
Implemented.
See CONTRIBUTING.md. Security reports: SECURITY.md.
Local dev loop:

```bash
git clone https://github.com/foobarto/glorbo && cd glorbo
mix setup        # deps + db + esbuild
mix phx.server   # dashboard on :4000
mix precommit    # format + compile-warn + credo + tests
```

Runtime is Elixir 1.18.4 / OTP 28.0 (pinned in `.tool-versions` — `mise install` picks them up).

Licensed under either of
- Apache License, Version 2.0 (LICENSE-APACHE or http://www.apache.org/licenses/LICENSE-2.0)
- MIT license (LICENSE-MIT or http://opensource.org/licenses/MIT)
at your option.
Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in the work by you, as defined in the Apache-2.0 license, shall be dual licensed as above, without any additional terms or conditions.
You take the whole Glorbo. You put it on another machine. It's still a Glorbo. What part of this is complicated?







