Mistle
Self-hostable platform for running autonomous coding agents in isolated, credentialless sandboxes with brokered credentials, reusable snapshots, and event-driven triggers.
Mistle is an open-source platform for running and automating background coding agents inside secure sandboxes. Rather than a single chat interface bolted onto an LLM, it’s infrastructure: a control plane for configuring integrations, sandbox profiles, and triggers, and a data plane that provisions sandboxes, mediates every outbound request, and streams sessions back to a dashboard. Teams self-host it with a single Docker Compose installer, or point it at remote sandbox providers when they need more scale than a laptop or local server can offer.
The design centers on credentialless sandboxes: agents never receive raw secrets. Instead, the data-plane gateway loads a sandbox’s active runtime plan, matches outbound HTTP requests against compiled egress routes, and injects the right credential at request time, mediated through scoped bootstrap, egress, MCP, and PTY-transport tokens issued by dedicated auth packages. Combined with identity attribution (so agent actions trace back to the human account behind them), sandbox profiles, reusable snapshots, and event-driven triggers, Mistle reads like an attempt to bring the governance a large engineering org would want around autonomous agents, closer to what a hosted product like Devin offers, into a project you run yourself.
Under the hood it’s a TypeScript monorepo (pnpm workspaces, Turborepo) split into control-plane and data-plane services built on Hono, Drizzle ORM over Postgres, and the openworkflow library for durable workflows, with a React 19 dashboard. Performance- and security-sensitive pieces, including the in-sandbox daemon, commit signing, and the CLI, are written in Rust. Sandbox execution is provider-agnostic, supporting local Docker as well as remote providers including E2B, Modal, Freestyle, Tensorlake, and OpenComputer.
Mistle is young: the repository was created in February 2026, and the project describes itself as early with bugs to be expected. It ships under the MIT license with no enterprise tier or self-hosting restrictions, but the maintainers are not yet accepting external code contributions, only issues and discussion. For teams that want an open, self-hosted alternative to hosted autonomous-coding-agent products, it’s worth watching closely rather than betting production workflows on it today.
What You Get
- Integrations that connect Mistle to external systems and models such as GitHub, Slack, and OpenAI
- Credential brokering that lets agents call external services without secrets ever living inside the sandbox
- Identity attribution that links an agent’s actions back to the human account responsible for them
- Sandbox profiles that define the tools, permissions, and environment an agent session starts with
- Snapshots that capture a prepared sandbox environment so new sessions start with dependencies already installed
- Sessions for interactive agent work such as debugging, code review, and repository changes
- Triggers that start agent work automatically in response to external events like webhook deliveries
Common Use Cases
- Wiring a GitHub webhook trigger so a reported bug automatically starts a sandboxed session that reproduces it and proposes a fix
- Self-hosting a shared agent platform so a whole engineering team uses brokered credentials instead of personal API keys
- Starting sessions from a pre-built snapshot so an agent’s toolchain and dependencies are ready immediately
- Running recurring maintenance work, such as dependency updates, from a scheduled or chat-based trigger
- Prototyping on local Docker sandboxes before moving the same sandbox profile to a remote provider for scale
Under The Hood
Architecture
Mistle splits its runtime into a control plane and a data plane, mirrored in the repo as separate apps: dashboard, control-plane-api, and control-plane-worker manage integrations, sandbox profiles, sessions, and trigger setup, while data-plane-api, data-plane-worker, and data-plane-gateway handle sandbox provisioning, lifecycle, and runtime connectivity. Credential brokering is implemented as its own layer rather than a config flag: gateway-tunnel-auth and gateway-connection-auth mint scoped bootstrap, egress, MCP, and PTY-transport tokens, and the data-plane gateway resolves and injects credentials at request time by matching outbound calls against egress routes compiled from integrations-core. Thirty-five documented architecture decision records track how these boundaries evolved, which is an unusually disciplined practice for a project this young, and the internal-client packages that let control-plane and data-plane talk to each other show the seams were deliberately drawn rather than left implicit. Score: 80/100 (solid, clearly separated layers; long-term durability of the boundary is still unproven at this age).
Tech Stack
The repository is a TypeScript monorepo managed with pnpm workspaces and Turborepo, targeting Node 25. Control-plane and data-plane APIs are built on Hono with @hono/zod-openapi for typed, self-documenting routes, backed by Drizzle ORM over Postgres with separate control-plane and data-plane schemas, and the openworkflow library drives durable background workflows. The dashboard is a React 19 application. Performance- and security-sensitive components are written in Rust with their own Cargo toolchains: sandboxd (the in-sandbox daemon), commit-sign, and the mstl-cli/mstl-core command-line client. Sandbox execution abstracts over local Docker and remote providers including E2B, Modal, Freestyle, Tensorlake, and OpenComputer. Self-hosted deployment ships as a Docker Compose bundle, development runs through a Nix flake, and GitHub Actions drive CI, release, and container-publishing pipelines alongside a dedicated CodeQL workflow.
Code Quality
Testing is extensive for a project this age: thousands of TypeScript test files sit alongside a large body of Rust tests for the sandboxd and CLI crates, and the team documents an explicit no-mocking testing philosophy and use of property-based testing rather than relying only on example-based unit tests. The base TypeScript configuration enables strict mode plus stricter-than-default checks such as noUncheckedIndexedAccess and exactOptionalPropertyTypes. Linting runs through type-aware oxlint with pre-commit hooks via lefthook, and a comprehensive CI pipeline runs the full lint, typecheck, test, and build matrix for both the TypeScript and Rust portions of the codebase. Inline comment density is low, since the codebase leans on types and naming over prose, but the volume of automated verification and the ADRs capturing design rationale point to a genuinely engineering-first process. Score: 82/100 (typed, extensively tested, linted, and covered by CI).
What Makes It Unique
The interesting choice isn't running agents in containers (plenty of tools do that); it's treating credentials as something that must never enter the sandbox at all. Outbound requests are mediated by a gateway that resolves and injects credentials per request against a compiled egress policy, rather than handing an agent an environment variable or a mounted secrets file. Paired with identity attribution linking agent actions to a human account, versioned sandbox profiles, and reusable snapshots, Mistle is aiming at the operational governance that a large engineering org would expect from an autonomous-agent platform, positioning itself as a self-hosted, open counterpart to hosted products like Devin rather than competing purely on agent reasoning quality. Score: 72/100 (a thoughtful, uncommon security and governance model for open-source agent tooling, even if the underlying agent orchestration patterns are not themselves novel).
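A minimal sketch of per-request credential injection against an egress allow-list, as an added example that is not Mistle's code. The type names, route fields, `brokerRequest`, and the sample host, path and token are all assumptions constructed for illustration.

```typescript
// Added illustration, not Mistle code: every name and value below is hypothetical.
type EgressRoute = { host: string; pathPrefix: string; methods: string[]; credentialRef: string };
type OutboundRequest = { method: string; host: string; path: string; headers: { [name: string]: string } };
type Decision =
  | { action: "forward"; request: OutboundRequest }
  | { action: "deny"; reason: string };

// Constructed samples: the secret exists only on the gateway side, never in the sandbox.
const secretStore: { [ref: string]: string } = { "github-token": "CONSTRUCTED_PLACEHOLDER_TOKEN" };
const compiledRoutes: EgressRoute[] = [
  { host: "api.github.com", pathPrefix: "/repos/example-org/", methods: ["GET", "POST"], credentialRef: "github-token" },
];

// Headers that could carry a credential chosen by the agent; always dropped before injection.
const STRIPPED_HEADERS = ["authorization", "proxy-authorization", "cookie"];

function matchRoute(req: OutboundRequest, routes: EgressRoute[]): EgressRoute | null {
  for (const route of routes) {
    const hostOk = route.host === req.host.toLowerCase();
    const pathOk = req.path.indexOf(route.pathPrefix) === 0;
    const methodOk = route.methods.indexOf(req.method.toUpperCase()) !== -1;
    if (hostOk && pathOk && methodOk) return route;
  }
  return null;
}

function brokerRequest(
  req: OutboundRequest,
  routes: EgressRoute[],
  secrets: { [ref: string]: string },
): Decision {
  // Refuse dot segments (plain or percent-encoded) so a prefix match cannot be escaped.
  if (/(^|\/)\.\.(\/|$)|%2e/i.test(req.path)) return { action: "deny", reason: "path not normalized" };
  const route = matchRoute(req, routes);
  if (route === null) return { action: "deny", reason: "no egress route" }; // default deny
  const secret = secrets[route.credentialRef];
  if (secret === undefined) return { action: "deny", reason: "credential unavailable" };

  const headers: { [name: string]: string } = {};
  for (const name of Object.keys(req.headers)) {
    const lower = name.toLowerCase();
    const value = req.headers[name];
    if (value !== undefined && STRIPPED_HEADERS.indexOf(lower) === -1) headers[lower] = value;
  }
  headers["authorization"] = "Bearer " + secret; // injected at request time
  return {
    action: "forward",
    request: { method: req.method.toUpperCase(), host: route.host, path: req.path, headers },
  };
}
```

The sandbox-side request never carries the token; a request that matches no route is denied rather than forwarded without a credential.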
Self-Hosting
Licensing Model
MIT licensed, all features available in self-hosted deployments with no restrictions or license keys required.
Self-Hosting Restrictions
No self-hosting restrictions were found. There are no ee/, enterprise/, pro/, or cloud/ directories in the repository, and no license-gating code such as isPro, isEnterprise, or feature-flag checks was found in the source.
Enterprise Features
Mistle does not currently document a separate paid or enterprise tier. The README and roadmap describe one feature set available to everyone who runs the project.
Cloud vs Self-Hosted
Mistle is designed to be run yourself via the provided Docker Compose installer (deploy/compose/local/install.sh) or against remote sandbox providers you configure; there is no evidence of a hosted SaaS offering with additional features beyond what ships in the open-source repository.
License Key Required
No. Nothing in the codebase requires a license key or activation step.