paradigmxyz/centaur

Centaur is a self-hosted platform that lets a whole team share one AI agent instead of each person setting up their own. The way it shows up day to day is in Slack: someone tags the bot, asks a question like why are the billing tests failing, and the bot opens a small isolated workspace, looks around, and reports back in the thread. The team also gets an HTTP API for the same thing if they want to drive it from elsewhere. Each conversation runs inside its own Kubernetes sandbox, which is just a small container that has a shell, a workspace folder, git, Python, Node.js, Bun, and the usual command-line tools an engineer would expect. The agent that runs inside the sandbox is not built into Centaur. The team picks a harness (the README names Amp, Claude Code, and Codex as examples) and Centaur runs it. Progress messages flow back to Slack while the work is happening, then the final answer arrives in the same thread. Four pieces make up the platform. A FastAPI control plane (services/api) holds the durable state, manages sandboxes, and registers tools and workflows. A Slack bot service (services/slackbot) receives Slack events and delivers replies. A sandbox container image (services/sandbox) is the per-conversation workspace. A separate piece called iron-proxy sits between the sandbox and the outside world, controlling outbound network calls and swapping in real credentials only at the moment a request goes out, so the agent itself never sees raw API keys. The security story is built around that proxy plus a default-deny Kubernetes network policy on each sandbox. Anything the agent touches outside its container goes through the proxy, which is bound to specific hosts and headers. Every message, every execution, every event is written to Postgres so a client can reconnect later without losing the result, and so the activity can be audited afterwards. Teams extend Centaur by adding tool plugins (small Python packages whose public methods become HTTP endpoints under /tools/my_tool/) and workflow plugins (Python functions with durable steps that can sleep, wait for external events, schedule themselves, or spawn child agents). The README lists everyday uses for this setup: investigating CI failures, answering questions against internal tools, summarizing Slack threads, running scheduled digests, and coordinating multi-step operational tasks. Local boot uses brew install just plus a few environment variables for Slack and 1Password, then just up.