{"slug": "maturana-hardware-isolated-zero-trust-agent-harness", "title": "Maturana: Hardware-isolated, zero-trust agent harness", "summary": "Maturana, a new open-source AI agent platform, launches with hardware-isolated microVMs for each agent, zero-trust security via encrypted secrets and egress control, and a shared knowledge graph. Built on Codex and a modular Rust core, it supports Firecracker on Linux and Hyper-V on Windows, aiming to provide a secure, lightweight alternative to existing agent harnesses.", "body_md": "*A secure agent harness that runs every agent in its own hardware-isolated microVM. Lightweight, fast, and completely yours to customise from Codex.\n\nMaturana is a secure, zero-trust, Codex-native AI agent platform. It has hardware isolation (Firecracker/Hyper-V), encrypted secrets that never enter the VMs (pipelock), egress network control, and a shared knowledge graph. Maturana is built on a small, modular Rust core, enccapculated in Codex skills. You use Codex to interact with Maturana, either through the CLI or the Windows / Mac application. Codex is therefore the control plane (or you can use the CLI directly).\n\nThe result is a secure, fast, and intuitive personal agent platform built on Codex. Agent VMs can run Claude Code, OpenCode, and Codex CLI.\n\nThere is no shortage of agent harnesses. Most optimize for features, not security. The powerful ones have grown so large and so flexible that their attack surface is enormous — large enough that vendors now ship hardened shells just to make them safe to run. Others isolate agents in containers, which is the right instinct, but bind themselves tightly to a single vendor's ecosystem.\n\nI wanted something different: a harness I can actually read, that is secure because of how it is\n*built*, not because of a wall of permission checks bolted on afterward. I also just enjoy\nengineering with Codex. So Maturana is a lean harness on the Codex ecosystem, with\n**hardware-level** isolation for every agent — Firecracker on Linux, Hyper-V on Windows — and\nzero-trust wired through the whole thing.\n\nIt combines the elegance of Unix, the agentic workflow of Codex, and the isolation of a\nhypervisor. The core is a small Rust runtime; everything else is a skill or a tool you can read,\nswap, or write yourself. *(The name nods to Humberto Maturana, who coined* autopoiesis *—\nself-producing systems — which is what these agents do as they build their own tools and memory.)*\n\n**Maturana is not** a chat UI competing with Codex, a generic multi-control-plane framework,\nDocker orchestration, or multi-tenant SaaS. It is a single-operator, security-first agent\nharness.\n\n**Secure by design.** Agents are isolated with real hardware virtualization — a Firecracker or\nHyper-V microVM per agent — for maximum security, not just a container.\n\n**Zero-trust.** Pipelock keeps secrets like API keys and credit-card numbers out of an agent's\nreach, and an egress proxy controls exactly which systems it can talk to. Treat every agent as an\nadversary and lock it down.\n\n**Build anything.** Maturana is built on and for Codex, the premier OpenAI agent-engineering\nenvironment. Everything is a skill — from agent creation to tools — so you customise your agents\nwith prompts and nothing else.\n\n**Self-evolving.** An internal WASM engine lets agents build their own tools on the fly, safely\nsandboxed with no ambient authority.\n\n**Shared knowledge.** Maturana ships with a shared knowledge graph that scales past markdown\nfiles. Agents build their own memory, so you don't have to.\n\n**Lean and fast.** Maturana is built in Rust with a modular core from the start. Skills are\nextensions to that core — you run only what you need.\n\nOne line. It downloads the prebuilt `maturana`\n\nbinary (no Rust toolchain needed), verifies its\nSHA-256 against the published checksum, clones the repo for the skills/examples, and registers the\nruntime plane as a service.\n\n```\n# Linux — control plane only\ncurl -fsSL https://www.maturana.sh/install.sh | bash\n\n# Linux that will also RUN isolated agents — add the Firecracker microVM host\ncurl -fsSL https://www.maturana.sh/install.sh | bash -s -- --firecracker\n# Windows (Hyper-V) — self-elevates once, prompts for your Windows password (for the no-login boot tasks)\nirm https://www.maturana.sh/install.ps1 | iex\n```\n\nBuild from source instead with `--from-source`\n\n(Linux) / `-FromSource`\n\n(Windows). Uninstall any\ntime with `scripts/uninstall.sh`\n\n/ `scripts/uninstall-windows.ps1`\n\n— add `--purge`\n\n/ `-Purge`\n\nto\nalso delete your agents and secrets.\n\n**Verify it worked** — open a new shell, then:\n\n```\nmaturana --help # resolves on PATH\nmaturana service status # the runtime plane is registered and healthy\n```\n\nMost first-run failures are virtualization not being available: on Linux, no `/dev/kvm`\n\nmeans\nenabling virtualization in BIOS (and use `--firecracker`\n\nonly on a KVM-capable host); on Windows,\nenable **Hyper-V** first (Windows 11 Pro / Enterprise / Workstations only).\n\nMaturana is **Codex-native** — you don't hand-assemble an agent from CLI flags. You tell Codex to\nbuild one, and it runs the ** maturana-agent-create** skill as a guided setup wizard: it\ninterviews you (the agent's name, who you are, how you'll reach it, what it can do), writes its\n\n`IDENTITY.md`\n\n/ `SOUL.md`\n\n/ `MATURANA.md`\n\n, then launches it into a Firecracker microVM and\nvalidates a live turn — driving the `maturana-agent-create → -launch → -validate`\n\nskills end to\nend. That conversation **is** the product.\n\n```\n# 1. Open a fresh login shell so the `kvm` group + ~/.local/bin PATH apply\n# (sanity: `ls -l /dev/kvm` is group-readable, `maturana --help` resolves).\n\n# 2. Log in to the harness your agent will run on (at least one):\ncodex login # or: claude (then /login inside it)\n\n# 3. Hand Codex the wheel — it's oriented by AGENTS.md + the skills/ pack:\ncd ~/maturana && codex\n```\n\nThen just tell it what you want:\n\ncreate and launch a new agent\n\n…or invoke the skill directly — type `/skills`\n\n, or `$maturana-agent-create`\n\n. Codex runs the\nwizard, builds the image, boots the microVM, and tells you when your agent is up and reachable\n(the first build downloads/builds the guest image, ~5–15 min on a cold cache; later launches are\nseconds — Codex streams progress as it goes). Every skill in `skills/`\n\nships as a Codex skill\nunder `~/.agents/skills`\n\n.\n\n**Note:** run this in a **plain shell**, not inside a sandboxed agent — Firecracker needs\n`/dev/kvm`\n\n, which a sandbox hides.\n\n## Rather drive the CLI yourself? The skill just orchestrates these steps.\n\n```\ncd ~/maturana\nmkdir -p .maturana/host-auth && cp -r ~/.codex .maturana/host-auth/codex # stage harness auth\nmaturana setup firecracker-harnesses --agent-id codex-firecracker # build image + boot microVM (idempotent)\nmaturana service status # plane already runs as a service — confirm it's healthy\nmaturana agent run codex-firecracker --prompt \"say hi\" --wait # talk to it\n```\n\nSee [docs/linux-firecracker-harnesses.md](/ajensenwaud/maturana/blob/main/docs/linux-firecracker-harnesses.md) for the full Linux guide.\n\nMaturana is **Codex-native** on Windows too — you don't hand-assemble an agent from CLI flags. You\ntell Codex to build one, and it runs the ** maturana-agent-create** skill as a guided setup\nwizard: it interviews you (the agent's name, who you are, how you'll reach it, what it can do),\nwrites its\n\n`IDENTITY.md`\n\n/ `SOUL.md`\n\n/ `MATURANA.md`\n\n, then launches it into a **Hyper-V microVM** and validates a live turn — driving the\n\n`maturana-agent-create → -launch → -validate`\n\nskills end\nto end. That conversation **is** the product.\n\n```\n# 1. Open a NEW PowerShell as Administrator. New, so the User-scope PATH the installer set picks\n# up bin\\maturana.exe; elevated, because launching a Hyper-V VM needs admin.\n# (sanity: `maturana --help` resolves.)\n\n# 2. Log in to the harness your agent will run on (at least one):\ncodex login # or: claude (then /login inside it)\n\n# 3. Hand Codex the wheel — it's oriented by AGENTS.md + the skills/ pack:\ncd $env:USERPROFILE\\maturana ; codex\n```\n\nThen just tell it what you want:\n\ncreate and launch a new agent\n\n…or invoke the skill directly — type `/skills`\n\n, or `$maturana-agent-create`\n\n. Codex runs the\nwizard, builds the image, boots the microVM, and tells you when your agent is up and reachable\n(first build can take ~5–15 min on a cold cache; later launches are seconds). Every skill in\n`skills/`\n\nships as a Codex skill under `~/.agents/skills`\n\n.\n\n**Note:** Hyper-V is Windows 11 Pro / Enterprise / Workstations only, and launching a VM needs an\n**elevated** shell. You don't manage the hypervisor yourself — the privileged ** hostd** daemon\n(installed as SYSTEM, port 47832) owns the fixed Hyper-V lifecycle, and\n\n`install.ps1`\n\nalready\nregistered the no-login **boot tasks**, so the runtime plane and your VMs come back after a reboot without an interactive login. The installer also already prepared the Ubuntu VHDX image and the agent SSH key, so the first launch has nothing left to download.\n\n## Rather drive the CLI yourself? The skill just orchestrates these steps.\n\n```\ncd $env:USERPROFILE\\maturana\n\n# Stage harness auth where the spec reads it (Codex shown; Claude Code → host-auth\\claude-code).\nmkdir .maturana\\host-auth -Force\nCopy-Item -Recurse $env:USERPROFILE\\.codex .maturana\\host-auth\\codex\n\nmaturana service status # plane already runs as a service — confirm it's healthy\nmaturana spec validate examples\\MATURANA.codex-hyperv.md # check before launch (id: codex-demo)\nmaturana agent launch examples\\MATURANA.codex-hyperv.md --apply # hostd creates + boots the Hyper-V microVM, then provisions the guest\nmaturana agent run codex-demo --prompt \"say hi\" --wait # talk to it\n```\n\nRe-launching an existing VM needs an explicit override: set `$env:MATURANA_HYPERV_FORCE = \"true\"`\n\nbefore `--apply`\n\n. A second bundled spec, `examples\\MATURANA.claude-hyperv.md`\n\n(id `claude-demo`\n\n),\nruns the Claude Code harness. If a running VM stops replying, `maturana doctor`\n\nthen\n`maturana setup windows-harnesses`\n\nrefreshes the guest workers and channels without rebuilding the\nVM.\n\nSee [docs/harness-operations.md](/ajensenwaud/maturana/blob/main/docs/harness-operations.md) for the full Windows / Hyper-V guide.\n\nA Maturana agent is one `MATURANA.md`\n\nspec — identity, runtime, VM, mounts, egress, memory,\nchannels, schedules, snapshots. Codex writes it; you can read and edit it. (Full field\nreference: [docs/maturana-spec.md](/ajensenwaud/maturana/blob/main/docs/maturana-spec.md).)\n\n```\nmaturana spec validate examples/MATURANA.codex-firecracker.md # check before launch\nmaturana agent launch examples/MATURANA.codex-firecracker.md --apply\nmaturana agent inspect codex-firecracker --live # health, logs, status\n```\n\n**Talk to an agent**\n\n-\nConsole TUI:\n\n`maturana tui`\n\n(agent picker) or`maturana agent chat `\n\n-\nHost turn:\n\n`maturana agent run --prompt \"…\" --wait`\n\n-\nTelegram / Discord — pair a bot, then chat from your phone (one bot per agent):\n\n```\nmaturana pipelock set telegram/bot-token --value-file ./token\nmaturana channel pair telegram start --agent-id --token-source pipelock:telegram/bot-token\n# send the printed /pair to your bot\n```\n\n**Always-on** — agents have a heartbeat, run cron-style schedules, and push notifications:\n\n```\nmaturana schedule add morning --cron \"0 9 * * *\" --prompt \"Send a morning brief\" --channel telegram\n```\n\n**Capabilities** — skills give agents the web and your tools: browse (headless Chrome), web\nsearch, image generation, voice (speech-to-text / text-to-speech), and GitHub / Notion / Slack /\nemail integrations.\n\n**Govern** — read the audit trail, then snapshot and rewind:\n\n```\nmaturana audit list --limit 10\nmaturana snapshot take before-change --live\nmaturana snapshot restore before-change --live\n```\n\n**Tailor it to your exact needs with Codex.** Because every capability is a skill, extending\nMaturana is a conversation: ask Codex to write a new skill or tool, test it, and deploy it into\na running guest. The skill pack already includes `maturana-skill-create`\n\n, `maturana-tool-create`\n\n,\n`maturana-develop`\n\n, and `maturana-skill-deploy`\n\nfor exactly this.\n\n**Self-mutation with WASM.** Agents can author, build, register, and run their own tools at\nruntime — no host rebuild. A tool is one WebAssembly module plus a manifest, executed in a\ncapability-gated sandbox with **no ambient authority**: fuel metering, a wall-clock timeout, a\nmemory ceiling, and only the filesystem/network the manifest opts into. It is the Maturana\nanswer to on-the-fly tool creation, made safe by default.\n\n```\nmaturana tool register weather --wasm weather.wasm --manifest tool.json\nmaturana tool run weather --input '{\"city\":\"oslo\"}'\n```\n\nSee [docs/wasm-tools.md](/ajensenwaud/maturana/blob/main/docs/wasm-tools.md) and the `maturana-self-forge`\n\nskill.\n\n| Linux | Windows | |\n|---|---|---|\n| OS | x86_64 with KVM | 11 Pro / Enterprise / Workstations |\n| Hypervisor | Firecracker (`--firecracker` ) |\nHyper-V |\n| Guest harness | Codex / Claude Code / OpenCode subscription, run inside the agent's VM (OAuth injected at runtime) — distinct from the control-plane Codex you drive on the host |\nsame |\n| Build | Prebuilt binary (SHA-256 verified) by default; Rust toolchain only for `--from-source` |\nsame |\n| Optional | Telegram/Discord tokens, integration API keys — all via pipelock | same |\n\nmacOS is not supported yet.\n\nCodex orchestrates from the host. A small set of long-lived Rust processes — the **runtime\nplane**, supervised as one restart-on-failure group by `maturana up`\n\n— own channels, schedules,\nthe session queue, egress, and shared memory. Each agent runs inside its own VM, where the\nselected harness executes the turn.\n\n```\n you ── Codex (control plane) ──────────────────────────────┐\n │ define / launch / govern\n ┌──────────────────────────── host runtime plane ────────────────┴─────────────┐\n │ maturana up (supervises every process, restarts on failure) │\n │ │\n │ sessiond :47834 channel bridges schedule runners │\n │ per-agent SQLite (Telegram / Discord) (cron → queue) │\n │ │\n │ pipelock proxy :47833 MaturanaGraph :47835 hostd :47832 (Windows) │\n │ egress allowlist + knowledge graph + fixed Hyper-V │\n │ credential injection GraphRAG lifecycle │\n └───────────────┬───────────────────────────────────────────────────────────────┘\n │ session queue (HTTP) + governed SSH\n ┌─────────┴──────────┐ ┌────────────────────┐ ┌─ … one microVM per agent\n │ microVM: agent A │ │ microVM: agent B │\n │ harness │ │ harness … │\n │ (codex / claude- │ │ │\n │ code / opencode) │ │ │\n │ run-agent.sh loop │ │ │\n └─────────────────────┘ └────────────────────┘\n Firecracker (Linux) / Hyper-V (Windows) — hardware isolation per agent\n```\n\nOne Telegram turn travels the queue and back, so channels never touch the harness lifecycle:\n\n```\nTelegram → channel bridge → inbound (sqlite) ← (HTTP) ← guest worker → harness\n ↑ ↓\nTelegram ← channel bridge ← outbound (sqlite) ← (HTTP) ──────┘\n```\n\n**Ports**\n\n| Port | Service | Bind |\n|---|---|---|\n| 47832 | hostd (Hyper-V, Windows) | 127.0.0.1 |\n| 47833 | pipelock egress proxy | guest-facing |\n| 47834 | sessiond (session queue) | 0.0.0.0 |\n| 47835 | MaturanaGraph | 0.0.0.0 |\n\nThe host never casually exposes its filesystem to a guest: workspace, memory, wiki, schedules,\ntools, audit, and snapshots all live under per-agent directories with governed mounts. Deeper\ndetail in [docs/orchestration.md](/ajensenwaud/maturana/blob/main/docs/orchestration.md),\n[docs/script-boundary.md](/ajensenwaud/maturana/blob/main/docs/script-boundary.md), and the\n[documentation index](/ajensenwaud/maturana/blob/main/docs/README.md).\n\nQuestions, ideas, or want to share an agent? **Join the Discord — find the invite at\nmaturana.sh.**\n\n**Docs:** start with the[documentation index](/ajensenwaud/maturana/blob/main/docs/README.md).**License:** BSD 3-Clause — see[LICENSE](/ajensenwaud/maturana/blob/main/LICENSE).", "url": "https://wpnews.pro/news/maturana-hardware-isolated-zero-trust-agent-harness", "canonical_source": "https://github.com/ajensenwaud/maturana", "published_at": "2026-06-24 22:17:45+00:00", "updated_at": "2026-06-24 22:44:12.749162+00:00", "lang": "en", "topics": ["ai-agents", "ai-safety", "ai-infrastructure", "ai-tools", "ai-research"], "entities": ["Maturana", "Codex", "Firecracker", "Hyper-V", "Rust", "Claude Code", "OpenCode", "Humberto Maturana"], "alternates": {"html": "https://wpnews.pro/news/maturana-hardware-isolated-zero-trust-agent-harness", "markdown": "https://wpnews.pro/news/maturana-hardware-isolated-zero-trust-agent-harness.md", "text": "https://wpnews.pro/news/maturana-hardware-isolated-zero-trust-agent-harness.txt", "jsonld": "https://wpnews.pro/news/maturana-hardware-isolated-zero-trust-agent-harness.jsonld"}}