executor is a local-first execution environment for AI agents.
It gives an agent a TypeScript runtime, a discoverable tool catalog, and a single local place to connect external systems such as MCP servers, OpenAPI APIs, and GraphQL APIs. Instead of pasting large MCP manifests into every chat or giving an agent broad shell access, you run code inside executor and let it call typed tools.* functions.
Join the Discord community: https://discord.gg/eF29HBHwM6
At runtime, executor behaves like one local product:
- a CLI for starting the runtime and executing code
- a local API server
- a local web UI for connecting sources, inspecting tools, and managing secrets
- an MCP endpoint for hosts that want to drive
executorthrough MCP
The current codebase lives in apps/ and packages/. Older experiments stay in legacy/ and legacy2/.
- Crystian provided the npm package name
executor. - The
codemodeconcept in this project is inspired by Cloudflare's Code Mode announcement.
executor is built around a simple idea: agents should work against a structured tool environment instead of guessing at raw HTTP calls, carrying huge MCP definitions in context, or running arbitrary local commands with broad permissions.
In practice that means:
- sources are connected once and turned into a reusable workspace tool catalog
- the agent discovers tools by intent, inspects schemas, and then calls typed functions
- secrets and OAuth flows stay in the local runtime and web UI instead of being pasted into chat
- human interaction can pause an execution and resume it cleanly
Think of executor as a local control plane for agent tool use.
- You start a local
executordaemon. - You connect sources such as an MCP server, an OpenAPI document, or a GraphQL endpoint.
executorindexes those sources into a workspace tool catalog.- An agent runs TypeScript against that catalog through
executor callor through the MCP bridge. - If a tool needs credentials or user input, execution pauses, opens a local flow, and then resumes.
executor currently supports these source types:
mcp: remote MCP servers, including transport selection for streamable HTTP or SSEopenapi: REST APIs described by an OpenAPI documentgraphql: GraphQL endpoints that can be introspected into callable tools
The add-source flow can:
- probe a URL and infer what kind of source it is
- infer likely authentication requirements
- prompt for credentials when discovery or connection needs them
- start OAuth when a source requires it
- persist the source and its indexed tool metadata in the local workspace
The web app also includes templates for common providers so you can start from real examples instead of filling every field by hand.
The main CLI workflow is executor call.
The runtime expects the agent to use the built-in discovery workflow:
const matches = await tools.discover({ query: "github issues", limit: 5 });
const path = matches.bestPath;
const detail = await tools.describe.tool({ path, includeSchemas: true });
return await tools.github.issues.list({
owner: "vercel",
repo: "next.js",
});A few important rules shape the execution model:
- write TypeScript, not raw shell pipelines
- use
tools.*, not directfetch - discover first when the exact tool path is not known
- inspect schemas before calling complex tools
When a source or tool needs human input, executor can pause the execution and create an interaction record.
That interaction may ask you to:
- open a secure local credential page
- complete an OAuth flow in the browser
- respond to a structured elicitation from a tool host
- resume a paused execution from the CLI
This is the core human-in-the-loop behavior that lets executor keep secrets and approvals outside the agent's raw context.
The web UI is not just a setup surface. It is also where you can inspect what executor learned from a source.
For each source you can:
- browse its tool tree
- search for tools by intent
- inspect input and output schemas
- view generated manifests, definitions, and raw source documents when available
- edit source settings and authentication details
If you want to use this a package distribution, install it via npm:
npm install -g executor
executor upThen either tell your agent to use the CLI or to open the web UI and copy the MCP CLI install command.
Then you can run the CLI as executor.
If you are working from this repository locally, the easiest path is:
bun install
bun devThat starts the local runtime. The default base URL is:
http://127.0.0.1:8788
From there:
- Open the web UI in your browser.
- Add a source from
/sources/add. - If needed, store credentials in
/secrets. - Run TypeScript with
bun run executor call ....
If you are using a packaged distribution, the command name is simply executor instead of bun run executor.
executor up
executor down
executor status --json
executor doctor --json
executor call --file script.ts
executor resume --execution-id exec_123executor call accepts code in three ways:
- inline as a positional argument
- from
--file - from standard input with
--stdin
Examples:
executor call 'const matches = await tools.discover({ query: "repo details", limit: 1 }); return matches;'
executor call --file script.ts
cat script.ts | executor call --stdin
executor call --no-open --file script.tsIf an execution pauses, resume it with:
executor resume --execution-id exec_123There are two main ways to add a source.
Use the Add Source flow to:
- paste a URL
- run discovery
- review the inferred kind, namespace, transport, and auth
- connect the source
- complete credential or OAuth setup if required
This is the easiest path for most users.
The runtime also exposes tools.executor.sources.add(...), which lets an agent add a source from code.
Examples:
return await tools.executor.sources.add({
endpoint: "https://example.com/mcp",
name: "Example",
namespace: "example",
});return await tools.executor.sources.add({
kind: "openapi",
endpoint: "https://api.github.com",
specUrl:
"https://raw.githubusercontent.com/github/rest-api-description/main/descriptions/api.github.com/api.github.com.json",
name: "GitHub",
namespace: "github",
});For HTTP-style sources, executor can drive the credential flow for you.
At a high level, every execution follows the same loop:
executorresolves the current local installation and workspace.- It builds a tool catalog from built-in tools plus all connected workspace sources.
- It runs your TypeScript inside the SES sandbox runtime.
- Tool calls are dispatched through
executorrather than directly from your code. - If a tool needs interaction, the run pauses and records a pending interaction.
- Once the interaction is resolved, the execution continues and eventually completes or fails.
This gives you a stable surface for agent automation:
- the agent sees a coherent catalog
- connected sources become reusable namespace-based tools
- auth stays attached to sources and secret material
- the runtime can track execution state instead of losing it inside a one-shot prompt
The React web app is served from the same local server as the API.
Main screens:
/: list connected sources in the current local workspace/sources/add: discover and connect new sources/sources/:sourceId: inspect tools, search tools, and browse source artifacts/sources/:sourceId/edit: edit source settings and auth/secrets: create, update, and delete locally stored secrets
The UI uses the same control-plane API as the CLI, so both surfaces are operating on the same local runtime state.
By default executor runs as a single local daemon process.
It serves:
/v1for the local control-plane API/mcpfor theexecutorMCP endpoint- the web UI for normal browser routes
Default network location:
- host:
127.0.0.1 - port:
8788
Default data locations are OS-aware:
- Linux data:
~/.local/share/executor - Linux runtime state:
~/.local/state/executor/run - macOS:
~/Library/Application Support/Executor - Windows:
%LOCALAPPDATA%\Executor
The server also maintains local PID and log files in its runtime directory.
executor persists the local control plane to SQL.
By default it uses embedded PGlite for a local install, which keeps the product self-contained. If you provide a Postgres URL, the persistence layer can target real Postgres instead.
Persisted concepts include:
- the local installation record
- organizations and workspaces provisioned for that install
- connected sources
- indexed tool artifacts and related metadata
- credentials and secret material bindings
- source auth sessions
- executions and execution interactions
- policies
On first start, executor provisions a local account, a personal organization, and a default workspace automatically.
executor is designed to narrow how agents interact with external systems.
Compared with direct shell or raw API usage, the model is intentionally more structured:
- tool calls are routed through a controlled runtime
- secrets are stored separately from prompt text
- OAuth and credential capture happen through local flows
- executions can pause for interaction instead of guessing or failing silently
- source auth and tool metadata live with the workspace rather than inside each prompt
This does not make the system magically risk-free, but it gives the runtime places to enforce policy, collect approvals, and keep sensitive material out of the agent's immediate context.
If you are exploring the repo, these are the directories that matter most:
apps/executor: packaged CLI entrypoint and daemon lifecycle commandsapps/web: local React web UIpackages/server: local HTTP server that serves API, MCP, and UIpackages/control-plane: source management, secrets, persistence, execution, and inspectionpackages/runtime-ses: SES sandbox runtime for TypeScript executionpackages/executor-mcp: MCP bridge forexecuteandresumepackages/codemode-*: core tool abstractions plus MCP and OpenAPI adapters
This repository is explicitly on its third major architecture iteration.
apps/andpackages/are the active implementationlegacy/is the original codebaselegacy2/is the second generation
If you want the system view instead of the product view, read ARCHITECTURE.md.
