Is AgentLoopKit free?

Yes, AgentLoopKit is free to use.

How do I install AgentLoopKit?

AgentLoopKit is a local plugin. Install it using npm package: agentloopkit and add the generated configuration snippet to your AI app's MCP config file. Then restart your AI app.

Is AgentLoopKit safe to use?

AgentLoopKit was flagged by MCP Marketplace's security scan, scoring 4.5/10 (high risk). It has 1 high or critical finding to review. Review the security report on this page carefully before installing it.

What AI apps work with AgentLoopKit?

AgentLoopKit uses the Model Context Protocol (MCP) and works with any MCP-compatible AI app, including Claude, ChatGPT / Codex, Gemini, Copilot, Cursor, and more.

Back to Browse

AgentLoopKit MCP Server

by Abhiyoheswaran1

Developer ToolsUse Caution4.5MCP RegistryLocal

Free

Server data from the Official MCP Registry

Read-only MCP server for AgentLoopKit tasks, policies, reports, handoffs, and status.

About

Read-only MCP server for AgentLoopKit tasks, policies, reports, handoffs, and status.

Security Report

4.5

Use Caution4.5High Risk

AgentLoopKit is a developer tool CLI with reasonable architecture but has several concerning patterns. The codebase uses unsafe subprocess spawning with partial environment filtering, executes arbitrary user task contracts without sandboxing, and lacks comprehensive input validation on file paths and command arguments. While the tool is designed for local development use with appropriate safety documentation, the combination of shell execution capabilities, file I/O operations across repositories, and environment variable handling creates moderate security risks that users should be aware of. Supply chain analysis found 1 known vulnerability in dependencies (1 critical, 0 high severity). Package verification found 1 issue.

3 files analyzed · 11 issues found

Security scores are indicators to help you make informed decisions, not guarantees. Always review permissions before connecting any MCP server.

Permissions Required

This plugin requests these system permissions. Most are normal for its category.

File System Read

Reads files on your machine. Normal for tools that analyze or process local data.

File System Write

Writes or modifies files on your machine. Check that this is expected for the tool.

Shell Command Execution

Runs commands on your machine. Be cautious — only use if you trust this plugin.

process_spawn

Check that this permission is expected for this type of plugin.

env_vars

Check that this permission is expected for this type of plugin.

system_info

Check that this permission is expected for this type of plugin.

How to Install

Add this to your MCP configuration file:

{
  "mcpServers": {
    "io-github-abhiyoheswaran1-agentloopkit": {
      "args": [
        "-y",
        "agentloopkit"
      ],
      "command": "npx"
    }
  }
}

Documentation

View on GitHub

From the project's GitHub README.

AgentLoopKit

A drop-in engineering loop for software agents.

An open-source Baseframe Labs developer tool.

Your software agent can produce a diff. AgentLoopKit helps you decide whether that work is reviewable, verifiable, and merge-ready.

It gives Codex, Claude Code, Cursor, OpenCode, Gemini CLI, GitHub Copilot CLI, and other engineering agents a local acceptance layer: task contracts, safety rules, verification evidence, review-readiness scores, PR descriptions, and reviewer handoffs.

Unstructured automation produces code. Agentic engineering produces auditable work.

The screenshots and terminal demos in this README are generated from committed sources in docs/assets/readme/ with Playwright and VHS.

What It Does

AgentLoopKit is a repo-level toolkit for developers using Codex, Claude Code, Cursor, OpenCode, Gemini CLI, GitHub Copilot CLI, and other engineering agents.

Keep your agent, IDE, and CLI. AgentLoopKit gives those tools a repeatable local workflow:

Specify the task.
Constrain the risk.
Implement the smallest useful change.
Verify with real commands.
Review the diff.
Hand off with evidence.
Ship only when the work is reviewable.

Run init inside an existing repository and AgentLoopKit creates:

.agentloop/ for tasks, reports, handoffs, gates, policies, templates, and agent instructions
AGENTS.md for agent-facing repo guidance
AGENTLOOP.md for the working loop
agentloop.config.json for local command and path settings

Generated AGENTS.md includes a specialist roster for product, CLI, template, verification, security, release, docs, compatibility, MCP, and repo-steward work. It helps future agent sessions split work without adding a background service.

Install

Use it with npx from the repository you want to configure:

cd /path/to/your/repo
npx agentloopkit init --dry-run
npx agentloopkit init

init writes files into the current directory. --dry-run previews the same plan and writes nothing.

Commit the generated harness baseline before your first feature task when you want clean diff evidence. If the harness files are still uncommitted, explain-diff, Guard, and resume packs will include those generated files as local work, which is accurate but noisier than the steady-state loop.

After setup, non-init commands search upward for the nearest agentloop.config.json and use that folder as the AgentLoop root. You can run agentloop status, agentloop verify, agentloop ship, or agentloop prepare-pr from a nested source folder and still write tasks, reports, runs, and handoffs to the initialized repo root.

Do not run init from your home directory unless you intend to configure your home folder. AgentLoopKit refuses that by default; --force allows it and prints a home-directory target warning. If you want local agent guidance but do not want to commit the generated files, use local-only mode:

npx agentloopkit init --local-only

--local-only writes the harness, asks Git for this clone's metadata directory, then adds a marked block to that clone's info/exclude for .agentloop/, AGENTS.md, AGENTLOOP.md, and agentloop.config.json. It does not edit .gitignore, global Git config, shell profiles, or other project files.

Check the published package explicitly:

npx --yes agentloopkit@latest version
npx --yes agentloopkit@latest init

For repeatable CI or team setup, replace @latest with a vetted version.

Before initialization, exploratory preflight can be advisory:

npx --yes agentloopkit@latest doctor --advisory --redact-paths

Advisory mode keeps missing-setup diagnostics visible but exits 0 so first-run scripts can continue. Use plain doctor or doctor --strict for gates that should fail on setup errors.

Pinned team usage:

pnpm add -D agentloopkit
pnpm agentloop init

Existing Repos

Repos that already use AgentLoopKit can update the CLI without rewriting local harness files:

cd /path/to/existing/repo
npx --yes agentloopkit@latest version
npx --yes agentloopkit@latest doctor --redact-paths
npx --yes agentloopkit@latest upgrade-harness --details --redact-paths
npx --yes agentloopkit@latest init --dry-run

init skips existing generated files and appends to unmarked AGENTS.md files instead of overwriting maintainer edits. Use upgrade-harness to find older guidance that does not mention the current review-readiness loop, then copy only the useful pieces into AGENTS.md, AGENTLOOP.md, or .agentloop/harness/*.

You can use the latest loop before refreshing old guidance:

npx --yes agentloopkit@latest create-task --type bugfix --title "Fix checkout bug"
npx --yes agentloopkit@latest verify
npx --yes agentloopkit@latest ship
npx --yes agentloopkit@latest prepare-pr
npx --yes agentloopkit@latest maintainer-check

Core Workflow

First useful loop after init:

agentloop doctor
agentloop create-task --type bugfix --title "Fix checkout bug" --include-config-commands
agentloop status --brief
agentloop start --for codex --goal implement --redact-paths
agentloop verify --task-commands --progress
agentloop ship
agentloop prepare-pr
agentloop task done

That sequence creates a task contract, checks the repo setup, gives the next software agent a compact start briefing, runs only reviewed verification commands, records review-readiness evidence, drafts PR copy, and closes the active task. It does not post to GitHub, publish packages, call an LLM, or run hidden commands.

npx agentloopkit init
agentloop create-task --title "Fix login redirect bug" --type bugfix \
  --acceptance "Password-reset login redirects to the requested page" \
  --include-config-commands \
  --verification "npm test -- auth"

# Run Codex, Claude Code, Cursor, OpenCode, Gemini CLI, or another software agent.

agentloop verify --task-commands --only-task-commands --progress
agentloop ship --github-comment
agentloop prepare-pr

create-task sets the new contract as the active task. Use agentloop task set <path> only when you need to switch to another contract. Add --include-config-commands when you want the task contract to copy non-empty test, lint, typecheck, and build commands from agentloop.config.json. Task creation records those commands; it does not run them. Use verify --task-commands --only-task-commands when the active contract already includes the full check list. Use verify --post-verification-gates only for reviewed task gates that need the verification report to exist first. After verification and ship, use agentloop prepare-pr for reviewer copy and agentloop task done to close the active task before starting unrelated work.

Use agentloop status or agentloop next when an agent needs the next local action without reading every file:

npx agentloopkit status
npx agentloopkit status --brief
npx agentloopkit next
npx agentloopkit next --redact-paths

When status or next recommends create-task in a dirty repo, the reason calls out existing dirty non-evidence files so agents can confirm the next task scope before implementation. When create-task sees that same pre-existing dirty work, it also adds a bounded Risk Notes bullet to the generated task contract so later review evidence preserves the baseline count and examples.

Use agentloop start --for codex --goal implement --redact-paths when a software agent needs the repo truth before broad reads. Start is the preflight: exact task, decisive state, next safe command, read-first handles, risk summary, verification freshness, context-budget impact, and source handles. Use agentloop context show <handle> to expand source truth only when needed. Use agentloop context pack --for codex --goal continue --redact-paths when you need the lower-level receipt and omission details directly. Use agentloop guard when you want a live local check for scope drift, stale verification, proof debt, and context-budget pressure before review. Use agentloop explain-diff when you need to understand whether the current changed files are covered by task scope, recent run evidence, fresh verification, and risk guidance. Use agentloop resume-pack --for codex, --for claude, --for cursor, --for generic, or --for human when you need the older compact continuation surface. These commands are read-only by default and use local evidence only.

agentloop start is the agent starting point. It keeps agents from guessing by turning task state, changed files, verification, risk, and context pressure into one compact preflight. The Context Contract sits underneath it: context pack explains why each item is present, names what was left out, and provides local handles for the source truth. A large changed-file list becomes a small briefing the agent can expand only when it needs detail.

Your software agent / app
  (Codex, Claude Code, Cursor, OpenCode, Gemini CLI, Copilot CLI,
   LangChain, Agno, Strands, your own scripts...)
        |
        | task contracts - diffs - verification - runs - research notes - logs
        v
 +------------------------------------------------------------------------+
 | AgentLoop Start Preflight + Context Contract (source truth stays here) |
 |------------------------------------------------------------------------|
 | State -> Next Safe Command -> Read First -> Risk -> Impact -> Handles   |
 |                                      |                                  |
 |                                      +-- task:active                    |
 |                                      +-- verification:latest            |
 |                                      +-- run:latest                     |
 |                                      +-- evidence-map:current           |
 |                                      +-- context-budget:current         |
 |                                                                        |
 | Goals: implement - continue - review - debug - handoff - research       |
 | MCP tools - generated agent instructions - transparent local heuristics |
 +------------------------------------------------------------------------+
        |
        | compact preflight + retrieval handles
        v
Agent session / review / research handoff

The context-budget example is generated from local AgentLoopKit output in this repository. Token estimates use a transparent character-count heuristic for planning, not provider tokenizer counts or billing claims. The percentage changes with repo state; the point is that agents can start from selected evidence and expand source handles instead of pasting broad history.

The terminal demo is generated from committed VHS sources in this repository. It shows the intended agent workflow: run Start preflight, see what not to broad-scan, expand only the active task handle, and verify with local evidence.

Dogfood Gate

AgentLoopKit uses its own loop in this repo. Contributors can run the same local self-check:

npm run dogfood

That command checks task-folder hygiene, current loop status, public docs hygiene, dependency audit results, harness upgrade state, review gates, artifact inventory, maintainer reviewability, agent review context, AgentFlight health, and ProjScan health. It does not publish packages, create tags, post comments, read tokens, read .env contents, or run verification commands.

Use JSON output when an agent or CI job needs a structured dogfood summary:

npm run dogfood:json
npm run dogfood:strict:json

The JSON summary reports the mode, overall status, step results, exit codes, durations, and safety notes. It redacts the current workspace root as [git-root] before printing structured output.

Run the public-doc check by itself when you edit README, examples, or release-channel docs:

npm run check:public-docs

Use the stricter gate before a release or final handoff:

npm run dogfood:strict

Use the maintenance gate when typecheck, release-proof or npm-status command health, public docs, SchemaStore, policy packs, GitHub metadata, AgentFlight, or ProjScan behavior changes:

npm run maintenance:check

maintenance:check covers unit tests, typecheck, public docs, links, non-strict npm release-proof smoke coverage, read-only npm-status safety tests, SchemaStore output and consistency tests, policy-pack inventory and safety tests, GitHub metadata safety and ship-score neutrality tests, AgentFlight, ProjScan, and the non-strict dogfood self-check. Use npm run dogfood:strict after fresh handoff or ship evidence exists, when review-gate warnings should block the handoff. maintainer-check warnings remain reviewer guidance unless the command exits non-zero. Strict public release proof remains part of approved release gates.

Commands

The package exposes two binaries:

agentloop init
agentloopkit init

Command	Purpose
`agentloop init`	Generate the repo harness and config
`agentloop doctor`	Check setup health, commands, git state, and risk files; use `--advisory` for first-run preflight
`agentloop create-task`	Create a scoped task contract
`agentloop task ...`	List, show, pin, update, archive, and inspect task state
`agentloop status`	Show active task, latest report, latest run, dirty files, and next step
`agentloop next`	Print only the next recommended loop action
`agentloop start`	Run a repo-native agent preflight with task, evidence, risk, proof, and impact
`agentloop review-context`	Show one read-only reviewability context snapshot
`agentloop context`	Build context budgets, auditable packs, and source-handle expansions
`agentloop guard`	Check local drift, proof debt, and context-budget pressure
`agentloop explain-diff`	Explain the current diff with local task, verification, run, and risk evidence
`agentloop resume-pack`	Generate a compact local continuation brief for agents or reviewers
`agentloop verify`	Run configured checks and write a verification report
`agentloop ship`	Score review readiness, write a ship report, and optionally print a PR comment
`agentloop prepare-pr`	Generate a PR title, grouped body, and optional GitHub comment
`agentloop summarize`	Preview a deterministic reviewer summary
`agentloop handoff`	Write a reviewer handoff summary
`agentloop check-gates`	Check review evidence without running tests
`agentloop runs --latest`	Show the newest local ship, verify, or handoff run entry
`agentloop show-run <id>`	Show one local run ledger entry
`agentloop intent <file>`	Show which runs touched a file and why
`agentloop maintainer-check`	Check whether an agent-assisted PR is reviewable
`agentloop artifacts`	Inventory local tasks, reports, ship reports, badges, and run evidence
`agentloop artifacts --stale`	Preview capped older local evidence candidates without deleting files
`agentloop upgrade-harness`	Inspect older generated guidance without overwriting local edits
`agentloop report`	Write a local static HTML evidence report
`agentloop badge`	Write a local SVG evidence badge
`agentloop ci-summary`	Summarize CI context and existing AgentLoop evidence
`agentloop release-notes`	Draft local release notes from repo evidence
`agentloop release-check`	Check local release readiness without publishing
`agentloop release-proof`	Check post-release proof across public release channels
`agentloop npm-status`	Check npm registry status without publishing
`agentloop mcp-server`	Start the read-only MCP stdio server
`agentloop policy ...`	Read and compare local safety policies
`agentloop schemastore`	Print the config schema catalog entry
`agentloop github import`	Import explicit local GitHub issue or PR JSON
`agentloop install-agent <name>`	Add agent-specific instructions
`agentloop list-templates`	List bundled templates
`agentloop completion <shell>`	Print shell completion scripts
`agentloop version`	Print the CLI version

Clean up finished task contracts after verification and review-readiness evidence:

agentloop task archive --status done --dry-run
agentloop task archive --status done

See docs/cli-reference.md for command examples, JSON modes, and safety notes.

Maintainers can run a faster focused sanity set while iterating:

npm run test:quick
npm run test:integration

Run the full suite before release:

npm run test:release
npm run release-flow

test:quick runs the fast unit-oriented set. test:integration runs slower CLI workflow coverage. test:release is the full Vitest suite. release-flow runs the local release gate without publishing packages, creating tags, or creating GitHub releases.

Agent Setup

Install instructions for the agent you use:

agentloop install-agent codex
agentloop install-agent claude-code
agentloop install-agent cursor
agentloop install-agent opencode
agentloop install-agent gemini-cli
agentloop install-agent github-copilot-cli
agentloop install-agent all
agentloop install-agent all --json --redact-paths

AgentLoopKit writes repo-local Markdown instructions. Re-running install-agent is safe: existing .agentloop/agents/<agent>.md files are skipped so local edits are preserved, while AGENTS.md is updated with any missing AgentLoopKit references. Use --redact-paths before sharing setup output; it hides local roots in human and JSON output without changing where files are written. When exact third-party config conventions are uncertain, it keeps the output generic instead of pretending to own another tool's setup.

Safety Model

AgentLoopKit is intentionally boring:

no postinstall scripts
no telemetry
no cloud backend
no database
no API keys
no hidden network calls
no reading .env contents
no destructive actions during install

Env files are reported by path only. Verification commands run only when you explicitly run agentloop verify.

agentloop ship reuses current verification evidence by default. Pass --run-verify when you want it to run verification as part of the readiness flow. Pass --github-comment when CI needs compact Markdown for a pull request comment. AgentLoopKit does not post the comment itself.

agentloop prepare-pr groups changed files by review area, including risk-sensitive paths, source, tests, AgentLoop evidence, docs, CI, config, and other files.

agentloop start briefs software agents with the active task, decisive preflight state, next safe command, read-first source handles, risk summary, verification freshness, context-budget impact, and source handles. agentloop context turns local task, diff, verification, and run evidence into a compact context budget or source-handled pack for software agents. It is read-only and explains what was included, what was omitted, why, and how to expand local source truth. agentloop guard adds drift, proof-debt, baseline, and context-budget checks on top of the evidence map. It is read-only unless you explicitly pass --write-report or --write-baseline. agentloop explain-diff shows the evidence map directly. agentloop resume-pack packages the same local evidence into the older compact continuation brief with context-budget estimates. They do not run tests, call external APIs, read .env contents, post comments, publish packages, create tags, intercept prompts, proxy provider traffic, or change task state.

For narrower evidence history, agentloop verify --write-run and agentloop handoff --write-run can add their own local run records without changing the default command behavior.

agentloop status includes the newest local run ledger entry when .agentloop/runs/ exists, so agents can see the latest review-readiness or verification evidence without opening every report. Run ledger output uses safe display paths: .agentloop/... for AgentLoopKit artifacts, repo-relative paths for repo files, and filenames for older outside absolute paths. Use --redact-paths with doctor, task list, task show, task set, task status, task done, task archive, task clear, status, next, start, review-context, context, guard, explain-diff, resume-pack, check-gates, artifacts, report, badge, runs, show-run, intent, verify, summarize, handoff, ship, prepare-pr, maintainer-check, upgrade-harness, ci-summary, release-notes, schemastore, github import, install-agent, release-check, or release-proof before pasting output into a public issue, PR, or CI log. That mode replaces local root paths with a placeholder. Default JSON output keeps raw paths for scripts unless the redaction flag is passed. task show applies redaction to displayed task contract content. task list, artifacts, runs, show-run, intent, schemastore, and github import already use repo-relative paths or catalog metadata, and accept the flag for command consistency. agentloop review-context --json gives non-MCP agents one read-only local snapshot with status, active-task risk-note count, evidence map, context-budget estimates, gates, policies, artifacts, recent runs, latest ship evidence, and the next action. agentloop upgrade-harness is read-only. It tells existing users which generated guidance files need manual review after a CLI upgrade. It does not merge templates or overwrite local edits. agentloop schemastore --json prints the catalog entry for agentloop.config.json. Use it when preparing a SchemaStore contribution; the CLI does not submit that contribution for you. schemastore --redact-paths is accepted for consistency; catalog values are not local filesystem paths, so output values do not change. agentloop github import --issue-json issue.json --pr-json pr.json imports explicit local GitHub metadata into .agentloop/github/context.json. review-context, prepare-pr, and maintainer-check use that local context when it exists. Missing metadata does not block the loop. github import --redact-paths is accepted for consistency; metadata paths are already repo-relative, so output values do not change. The CLI does not call GitHub APIs, read tokens, or run gh. agentloop release-proof checks post-release evidence for npm, GitHub Releases, GitHub Marketplace, GHCR, and MCP Registry. Use --only <channel> to re-check one channel. It can query public metadata or read captured JSON files that you pass explicitly. It does not publish, tag, upload, post comments, or read tokens. Shell completions include fixed values for task types, task-list status filters, status transitions, the done archive status, agent names, policy subcommands, completion shells, artifact types, badge sources, summarize and handoff formats, and release-proof --only channels.

More Docs

Examples

See examples/ for sample generated harnesses and CI recipes:

See docs/stack-recipes.md for Next.js, React/Vite, Remix, SvelteKit, Node API, Django, FastAPI, Python, docs-only, empty-repo, and monorepo verification recipes.

Compared With Plain AGENTS.md

AGENTS.md gives instructions. AgentLoopKit adds process artifacts: task contracts, gates, policies, verification reports, PR summaries, and rollback notes.

The result is easier to review because the work produces evidence, not only code.

Compared With Prompt Collections

Prompt collections help an agent respond better. AgentLoopKit gives the repository a standing workflow that compatible agents can read and follow.

Compared With Superpowers

Superpowers is a broader agent methodology and skills system. AgentLoopKit focuses on repo-level engineering loops, task contracts, verification evidence, and handoff artifacts.

They can be complementary. You can use AgentLoopKit alongside Superpowers. AgentLoopKit has no affiliation with Superpowers.

Contributing

Contributor setup:

git clone https://github.com/abhiyoheswaran1/agentloopkit
cd agentloopkit
pnpm install
pnpm test
pnpm build

See CONTRIBUTING.md for local setup and PR expectations.

License

MIT.

Reviews

No reviews yet

Be the first to review this server!

More Developer Tools MCP Servers

Git

Free

by Modelcontextprotocol · Developer Tools

Read, search, and manipulate Git repositories programmatically

Fetch

Free

by Modelcontextprotocol · Developer Tools

Web content fetching and conversion for efficient LLM usage

Toleno

Free

by Toleno · Developer Tools

Toleno Network MCP Server — Manage your Toleno mining account with Claude AI using natural language.

AgentLoopKit MCP Server

About

Security Report

Findings (11)Action required

Permissions Required

How to Install

Documentation

AgentLoopKit

What It Does

Install

Existing Repos

Core Workflow

Dogfood Gate

Commands

Agent Setup

Safety Model

More Docs

Examples

Compared With Plain AGENTS.md

Compared With Prompt Collections

Compared With Superpowers

Contributing

License

Reviews

No reviews yet

More Developer Tools MCP Servers

Git

Fetch

Toleno

mcp-creator-python

MarkItDown

FinAgent