{"slug": "open-ai-sdr-an-open-source-version-of-the-artisans-ava-bdr", "title": "Open AI SDR – An Open Source Version of the Artisans Ava BDR", "summary": "Developer Utpal Nadiger built an open-source AI BDR agent called Open Ava, inspired by Artisan's Ava, using OpenComputer, FastAPI, SQLite, AgentMail, and Anthropic. The agent researches leads, drafts outreach, and requires human approval before sending emails, with a checkpoint for rollback. The code is available on GitHub for others to replicate the system.", "body_md": "# Build an Ava-Inspired BDR Agent That Runs on Its Own Computer\n\nWritten by Utpal Nadiger ·\n\nI kept seeing Artisan’s [“Stop hiring humans”](https://www.artisan.co/blog/stop-hiring-humans) billboards around San Francisco.\n\nThe moral debate aside, the product does look cool and could be helpful: [Ava](https://www.artisan.co/ai-sales-agent) is Artisan’s AI BDR, built to source leads, write outbound, handle replies, and book meetings.\n\nBeing the engineer I am, I decided to build it myself so I could use it at OpenComputer and do outreach for us.\n\nI was trying to replicate a BDR in software, and a BDR has state. It needs a CRM, an inbox, notes, reply history, suppression rules, follow-ups, and some way for a human to inspect what it is about to do before it does something irreversible.\n\nSo I built a small, inspectable version of the loop and called it Open Ava. It is one FastAPI app inside one OpenComputer VM, with the VM acting as the BDR’s computer, SQLite as its CRM, AgentMail as its inbox, and Anthropic handling the structured research, scoring, drafting, and reply classification.\n\nThe run went like this:\n\n- I gave it OpenComputer's product profile and ICP,\n- imported 12 seeded leads,\n- researched and scored them,\n- drafted three sourced outreach variants for the best lead,\n- blocked sending before approval,\n- created a checkpoint before the real send,\n- sent one email only to a controlled test inbox,\n- received a real reply through AgentMail,\n- classified the reply as an objection,\n- sent a follow-up,\n- and kept a durable CRM record across an app restart and checkpoint.\n\nThe code for the run is on GitHub here: [github.com/diggerhq/opencomputer-cookbooks/tree/main/open-ava-bdr](https://github.com/diggerhq/opencomputer-cookbooks/tree/main/open-ava-bdr). Here is how you can build the same loop yourself.\n\n## What you’ll build\n\nThe finished app is a little BDR workspace:\n\n- A persistent OpenComputer VM that acts like the BDR's laptop.\n- A FastAPI dashboard and JSON API exposed through the VM preview URL.\n- A SQLite CRM with campaigns, leads, research notes, drafts, emails, suppression records, durable queue rows, and events.\n- A background worker that imports leads, dedupes them, researches their company URLs, scores fit, and drafts outreach.\n- A prompt-injection-aware research path that treats scraped pages and inbound emails as untrusted data.\n- A human approval gate before any send.\n- A checkpoint before the irreversible send.\n- AgentMail send and inbound reply handling.\n- Idempotency for discovery, sends, and reply processing.\n\nThe tutorial uses OpenComputer itself as the product and a controlled inbox you own. The app never emails arbitrary prospects while you work through it.\n\n## Why a BDR needs a computer\n\nA human BDR lives out of their computer. They open their CRM and pick up where they left off: which accounts they researched yesterday, which leads were a bad fit, which drafts are waiting for approval, which replies need an answer, and which people should not be contacted again.\n\nAn agent doing BDR work needs the same kind of workspace. It needs to remember what it has already researched, keep drafts around until a human reviews them, avoid sending twice when a provider retries an event, and know the difference between a lead that is ready for follow-up and one that should stay rejected. I wanted my agent to have one computer with its own filesystem, local CRM, running process, inbox logic, preview URL, and checkpoints, so I used OpenComputer.\n\nIn this build, the OpenComputer VM is the BDR’s machine, with SQLite as the CRM on disk, FastAPI as the dashboard, a worker that keeps moving leads forward, and AgentMail as the inbox. Before the app sends the approved email, the control script creates a checkpoint so there is a rollback line before the system touches the outside world.\n\n## Architecture\n\nHere is the loop in product terms first:\n\n- The user enters the product and ICP once.\n- The worker imports or discovers lead candidates.\n- Each lead is researched from the company URL we already have.\n- The LLM produces a structured research note with source-backed facts.\n- The LLM scores the lead against the ICP.\n- Fit leads get multiple sourced email variants.\n- A human approves one variant.\n- The control process creates a checkpoint.\n- The app sends one email to the controlled test inbox.\n- AgentMail receives a real reply.\n- The app classifies the reply and sends the next response.\n- CRM state advances and can be inspected.\n\nThe implementation is quite plain:\n\n```\nOpenComputer VM\n FastAPI app\n /api/icp\n /api/state\n /api/lead/{id}\n /api/approve\n /api/send\n /api/poll-replies\n\n SQLite CRM\n campaign\n leads\n research_notes\n drafts\n emails\n sent_keys\n processed_messages\n queue\n events\n suppression\n\n Background worker\n research -> score -> draft\n\n Integrations\n Anthropic for structured reasoning\n AgentMail for inbox, send, reply\n```\n\nThe app lives inside the VM. The orchestration scripts outside the VM only provision the computer, push the app, create checkpoints, and drive the demo. The BDR’s working memory stays with the BDR.\n\n## Prerequisites\n\nYou need:\n\n- an OpenComputer API key,\n- an Anthropic API key,\n- an AgentMail API key,\n- one controlled recipient inbox you own.\n\nThis tutorial uses a seeded CSV of synthetic leads and fetches only the company URLs already present in the file.\n\nStart by making a project folder on your machine. The app has two sides:\n\n`app/`\n\nis the FastAPI app that will run inside the OpenComputer VM.`control/`\n\nis the local control plane: scripts that create the VM, push`app/`\n\ninto it, start the server, checkpoint before sends, and drive the demo.\n\nIf you want the finished version, clone the repo:\n\n```\ngit clone https://github.com/diggerhq/opencomputer-cookbooks.git\ncd opencomputer-cookbooks/open-ava-bdr\n```\n\nIf you are typing it out from the article, create this shape first:\n\n```\nmkdir open-ava-bdr\ncd open-ava-bdr\n\nmkdir -p app/seed control proof\ntouch app/models.py app/db.py app/agent_logic.py app/enrich.py app/mail.py\ntouch app/worker.py app/server.py app/send_once.py app/requirements.txt app/seed/leads.csv\ntouch control/vm.py control/provision.py control/deploy.py control/drive_demo.py\ntouch control/persistence_demo.py control/durability_fallback.py\ntouch requirements-control.txt .env.example .env .gitignore\n```\n\nFrom here on, every filename in the tutorial is relative to that `open-ava-bdr/`\n\nfolder. The GitHub repo is the runnable source of truth; the snippets below show the important pieces in build order and explain why they are there. If you are recreating the app by hand, copy the complete files from the repo and use the verification commands in this post after each layer.\n\nAdd the basic ignores before you do anything else:\n\n```\ncat > .gitignore <<'EOF'\n.env\n.venv/\n__pycache__/\n*.pyc\n*.log\nava.db\nava.db-*\ncontrol/vm.json\nproof/*.txt\nEOF\n```\n\nPut the local control-script dependencies in `requirements-control.txt`\n\n:\n\n```\nopencomputer-sdk==0.6.3\nhttpx==0.28.1\n```\n\nCreate a local virtualenv for the control scripts. These scripts run on your laptop and talk to OpenComputer. Use Python 3.10 or newer; on my Mac, that binary is `python3.12`\n\n:\n\n```\npython3.12 -m venv .venv\nsource .venv/bin/activate\npip install -r requirements-control.txt\n```\n\nOne confusing detail: the package you install is `opencomputer-sdk`\n\n, but the import name is still `opencomputer`\n\n. Do not install the unrelated `opencomputer`\n\npackage for this tutorial. It may install, but it does not provide the `Sandbox`\n\nclass this code uses.\n\nThe repo includes `.env.example`\n\nwith the required keys and a few optional runtime knobs:\n\n```\nOPENCOMPUTER_API_KEY=\nANTHROPIC_API_KEY=\nAGENTMAIL_API_KEY=\nDEMO_RECIPIENT_EMAIL=you@example.com\n\n# Optional knobs\nANTHROPIC_MODEL=claude-sonnet-4-5-20250929\nANTHROPIC_TIMEOUT_SECONDS=60\nANTHROPIC_MAX_RETRIES=2\nAGENTMAIL_TIMEOUT_SECONDS=30\n```\n\nCopy that file to `.env`\n\n, fill in your real values locally, and do not commit `.env`\n\n:\n\n```\ncp .env.example .env\n```\n\nThe required values are:\n\n```\nOPENCOMPUTER_API_KEY=...\nANTHROPIC_API_KEY=...\nAGENTMAIL_API_KEY=...\nDEMO_RECIPIENT_EMAIL=you@example.com\n```\n\nLoad them in the terminal before running the control scripts:\n\n```\nset -a\nsource .env\nset +a\n```\n\nDo not use a real prospect’s address for `DEMO_RECIPIENT_EMAIL`\n\n. Use the tutorial to prove the workflow safely before aiming anything at real outbound.\n\n## Step 1: Create the project and the BDR computer\n\nThe local folder is your source repo. The OpenComputer VM is where the BDR app actually runs.\n\nFirst, put the app’s runtime dependencies in `app/requirements.txt`\n\n:\n\n```\nfastapi\nuvicorn\npydantic>=2\nanthropic\nagentmail\nhttpx\n```\n\nStart by putting the OpenComputer connection helpers in `control/vm.py`\n\n. This excerpt is copied from the repo; it owns the API key, the local `control/vm.json`\n\nfile that remembers which sandbox to reconnect to, and the retry wrapper used by the other control scripts:\n\n``` python\nimport asyncio, json, os, sys\n\nimport httpx\nfrom opencomputer import Sandbox\n\nKEY = os.environ[\"OPENCOMPUTER_API_KEY\"]\nSTATE = os.path.join(os.path.dirname(__file__), \"vm.json\")\nAPP_TAG = \"open-ava-bdr\"\n\n# Exceptions that mean \"the network/control-plane blinked\", not \"your code is wrong\".\nTRANSIENT = (\n httpx.ReadTimeout,\n httpx.ConnectTimeout,\n httpx.ConnectError,\n httpx.RemoteProtocolError,\n httpx.PoolTimeout,\n # The OpenComputer SDK can occasionally receive a malformed exec response\n # without exitCode during control-plane blips; retry the call instead of\n # failing the whole live proof.\n KeyError,\n)\n\nasync def retry(make_coro, *, what=\"op\", attempts=6, base=2.0, max_delay=30.0):\n \"\"\"Run an awaitable factory with bounded exponential backoff on transient errors.\n\n `make_coro` is a zero-arg callable returning a fresh coroutine each try\n (a coroutine can only be awaited once, so we must rebuild it per attempt).\n \"\"\"\n delay = base\n last = None\n for i in range(1, attempts + 1):\n try:\n return await make_coro()\n except TRANSIENT as e:\n last = e\n print(f\"[retry] {what}: transient {type(e).__name__} \"\n f\"(attempt {i}/{attempts}), backing off {delay:.1f}s\", file=sys.stderr)\n if i == attempts:\n break\n await asyncio.sleep(delay)\n delay = min(delay * 2, max_delay)\n raise last\n\ndef save_id(sid: str):\n json.dump({\"sandbox_id\": sid}, open(STATE, \"w\"))\n\ndef load_id():\n if os.path.exists(STATE):\n return json.load(open(STATE)).get(\"sandbox_id\")\n return None\n```\n\nWith that helper in place, `control/provision.py`\n\ncan create one persistent sandbox and install the Python packages the app needs inside that sandbox. This is the core create-and-save path from the repo:\n\n``` python\nimport asyncio\nimport os\nimport sys\n\nimport httpx\nfrom opencomputer import Sandbox\n\nsys.path.insert(0, os.path.dirname(__file__))\nfrom vm import retry, save_id, KEY, APP_TAG\n\nPROOF = os.path.join(os.path.dirname(__file__), \"..\", \"proof\")\nDEPS = [\"fastapi\", \"uvicorn\", \"pydantic>=2\", \"anthropic\", \"agentmail\", \"httpx\"]\n\nasync def main():\n sb = await retry(lambda: Sandbox.create(timeout=0, metadata={\"app\": APP_TAG}, api_key=KEY),\n what=\"create\")\n save_id(sb.id)\n running = await retry(lambda: sb.is_running(), what=\"is_running\")\n print(\"NEW VM:\", sb.id, \"running:\", running)\n```\n\nIt saves the sandbox ID in `control/vm.json`\n\n, which is intentionally local state. The next script should reuse the same VM instead of creating a new computer every time you run the demo.\n\nRun it from your project root:\n\n```\npython control/provision.py\n```\n\nOnce the VM exists, `control/deploy.py`\n\npushes the files from `app/`\n\ninto the VM and starts uvicorn there. This is the first moment where the split between local code and the BDR’s computer matters: you edit files locally, and the deploy script copies them into the running VM.\n\n```\nAPP_LOCAL = os.path.join(os.path.dirname(__file__), \"..\", \"app\")\nAPP_REMOTE = \"/tmp/open-ava-app\"\nFILES = [\"models.py\", \"db.py\", \"agent_logic.py\", \"enrich.py\", \"mail.py\",\n \"worker.py\", \"server.py\", \"send_once.py\", \"requirements.txt\", \"seed/leads.csv\"]\n```\n\n`APP_LOCAL`\n\nis the `app/`\n\nfolder on your machine. `APP_REMOTE`\n\nis the folder the deploy script creates inside the VM. You do not create `/tmp/open-ava-app`\n\nlocally; it exists on the BDR’s computer.\n\nThe deploy script also passes only the runtime secrets the app needs. It does not write your API keys into the repo:\n\n```\nSECRET_ENVS = [\"ANTHROPIC_API_KEY\", \"AGENTMAIL_API_KEY\", \"DEMO_RECIPIENT_EMAIL\"]\n\ndef env_block():\n e = {k: os.environ[k] for k in SECRET_ENVS if os.environ.get(k)}\n e[\"AVA_DB\"] = f\"{APP_REMOTE}/ava.db\"\n return e\n```\n\nThen it starts uvicorn as a background exec inside the VM:\n\n```\nenv = env_block()\nawait retry(lambda: sb.exec.background(\n \"python3\", [\"-m\", \"uvicorn\", \"server:app\", \"--host\", \"0.0.0.0\", \"--port\", \"8000\"],\n cwd=APP_REMOTE, env=env, max_run_after_disconnect=10_000_000,\n), what=\"start uvicorn\")\n```\n\nRun the deploy:\n\n```\npython control/deploy.py\n```\n\nAt this point you can verify the local control environment in layers:\n\n```\npython -m py_compile control/*.py app/*.py\n```\n\nThat catches syntax errors in the control scripts without touching the network. `python control/provision.py`\n\nshould print a VM ID and `PROVISION_OK`\n\n, then `python control/deploy.py`\n\nshould print `DEPLOY_OK`\n\nand a preview URL. Finally, `curl https:///healthz`\n\nshould return `{\"ok\":true,...}`\n\n. If any of those fail, fix that layer before continuing.\n\nIt prints a preview URL like `https://-p8000.workers.opencomputer.dev`\n\n. Open that URL in your browser and you should see the empty BDR dashboard. At this point you have not created leads or sent email yet. You have only created the computer, copied the app into it, and started the server.\n\n## Step 2: Model the CRM as state, not logs\n\nBefore you add any LLM calls, give the agent somewhere to put its memory. In this project, that starts in `app/db.py`\n\n.\n\nThe CRM is the source of truth for what the agent has done and what it is allowed to do next. A lead starts as an imported row, then moves through research, scoring, drafting, approval, sending, and reply handling. Some leads exit early because they are rejected or suppressed.\n\nUse a small status vocabulary so the dashboard, worker, and send endpoint all speak the same language:\n\n``` php\nnew -> researching -> qualified -> drafted -> approved -> sent -> replied\n```\n\nIt also has terminal or side statuses:\n\n```\nrejected\nsuppressed\nmeeting_proposed\n```\n\nThe schema body in `app/db.py`\n\nis plain SQL inside a Python `executescript()`\n\ncall. `leads`\n\nholds the account state, `queue`\n\nholds the next piece of work, `sent_keys`\n\ndedupes outbound email, and `processed_messages`\n\ndedupes inbound replies.\n\n```\nCREATE TABLE IF NOT EXISTS campaign(\n id INTEGER PRIMARY KEY AUTOINCREMENT,\n icp_json TEXT NOT NULL,\n created_at REAL NOT NULL\n);\nCREATE TABLE IF NOT EXISTS leads(\n id INTEGER PRIMARY KEY AUTOINCREMENT,\n campaign_id INTEGER NOT NULL,\n name TEXT, title TEXT, company TEXT, email TEXT,\n company_url TEXT, source TEXT,\n dedup_key TEXT UNIQUE NOT NULL,\n status TEXT NOT NULL DEFAULT 'new',\n score INTEGER, score_reason TEXT,\n created_at REAL NOT NULL\n);\nCREATE TABLE IF NOT EXISTS research_notes(\n id INTEGER PRIMARY KEY AUTOINCREMENT,\n lead_id INTEGER NOT NULL,\n note_json TEXT NOT NULL,\n created_at REAL NOT NULL\n);\nCREATE TABLE IF NOT EXISTS drafts(\n id INTEGER PRIMARY KEY AUTOINCREMENT,\n lead_id INTEGER NOT NULL,\n variants_json TEXT NOT NULL,\n approved_variant INTEGER,\n created_at REAL NOT NULL\n);\nCREATE TABLE IF NOT EXISTS emails(\n id INTEGER PRIMARY KEY AUTOINCREMENT,\n lead_id INTEGER,\n direction TEXT NOT NULL, -- outbound | inbound\n provider_message_id TEXT,\n thread_id TEXT,\n subject TEXT, snippet TEXT,\n created_at REAL NOT NULL\n);\nCREATE TABLE IF NOT EXISTS sent_keys(\n send_key TEXT PRIMARY KEY, -- app-side send idempotency\n provider_message_id TEXT,\n created_at REAL NOT NULL\n);\nCREATE TABLE IF NOT EXISTS processed_messages(\n provider_message_id TEXT PRIMARY KEY, -- inbound idempotency\n created_at REAL NOT NULL\n);\nCREATE TABLE IF NOT EXISTS queue(\n id INTEGER PRIMARY KEY AUTOINCREMENT,\n task TEXT NOT NULL, -- research | score | draft\n lead_id INTEGER NOT NULL,\n status TEXT NOT NULL DEFAULT 'pending', -- pending | done\n created_at REAL NOT NULL,\n UNIQUE(task, lead_id)\n);\nCREATE TABLE IF NOT EXISTS events(\n id INTEGER PRIMARY KEY AUTOINCREMENT,\n lead_id INTEGER,\n kind TEXT NOT NULL,\n detail TEXT,\n created_at REAL NOT NULL\n);\nCREATE TABLE IF NOT EXISTS suppression(\n email TEXT PRIMARY KEY,\n reason TEXT,\n created_at REAL NOT NULL\n);\n```\n\nThe unique constraints are the design decision here:\n\n`leads.dedup_key`\n\nprevents duplicate imports.`queue(task, lead_id)`\n\nprevents duplicate work.`sent_keys.send_key`\n\nprevents duplicate sends.`processed_messages.provider_message_id`\n\nprevents duplicate reply handling.\n\nThat is what makes retries boring. If a worker restarts, a provider retries, or you run the demo script twice, the database can reject duplicate intent instead of making the agent rely on memory in a running Python process.\n\n## Step 3: Accept the ICP once\n\nNow add the first user action in `app/server.py`\n\n: submit the product and ICP.\n\nThis route does three things in one place because they belong to the same moment in the workflow. It stores the product/ICP, imports the initial lead list for that campaign, and starts the worker so the BDR begins researching without another manual step.\n\n``` python\n@app.post(\"/api/icp\")\nasync def set_icp(req: Request):\n body = await req.json()\n return await asyncio.to_thread(_set_icp, body)\n\ndef _set_icp(body):\n icp = ICP(**body)\n with db.conn() as c:\n c.execute(\"INSERT INTO campaign(icp_json,created_at) VALUES(?,?)\",\n (icp.model_dump_json(), time.time()))\n cid = c.execute(\"SELECT id FROM campaign ORDER BY id DESC LIMIT 1\").fetchone()[\"id\"]\n db.log_event(\"icp_set\", f\"{icp.product_name} -> {icp.target_persona}\")\n created = worker.discover_from_seed(cid)\n worker.start()\n return {\"campaign_id\": cid, \"leads_discovered\": created}\n```\n\nFor this article, the product is OpenComputer and the ICP is founders and engineers building AI agent products. The route stores that as campaign state because every later decision depends on it: research has to know what facts matter, scoring has to know what “fit” means, and drafting has to know what the sender is selling.\n\nWhen this works, the first ICP call creates the 12 seeded leads:\n\n``` php\nPOST /api/icp -> 200\n{\"campaign_id\":1,\"leads_discovered\":12}\n```\n\n## Step 4: Run a durable lead loop\n\nNext, add the worker in `app/worker.py`\n\n. This is the part that makes the app feel like a BDR instead of a form submission.\n\nDiscovery imports from `app/seed/leads.csv`\n\nfor the tutorial. In a production system, this could be a lead provider or search API. After discovery, each lead gets queued for the next action, and the queue is stored in SQLite so the app can stop and start without forgetting where it was.\n\nThe worker only does one unit of work at a time:\n\n``` python\ndef step_once():\n \"\"\"Process exactly one queued task. Returns the task dict or None.\"\"\"\n icp = current_icp()\n if not icp:\n return None\n task = _take_task()\n if not task:\n return None\n lead = _lead(task[\"lead_id\"])\n if not lead:\n _finish_task(task[\"id\"])\n return task\n\n try:\n if task[\"task\"] == \"research\":\n do_research(icp, lead)\n elif task[\"task\"] == \"score\":\n do_score(icp, lead)\n elif task[\"task\"] == \"draft\":\n do_draft(icp, lead)\n except Exception as e:\n # A failed task must NOT be marked done, or the lead is stuck forever.\n # Leave it 'pending' so the loop retries it on the next pass. We bump an\n # attempt counter and only give up (and finish it) after a hard ceiling,\n # so a genuinely poisoned task can't spin the loop indefinitely.\n attempts = _bump_attempt(task[\"id\"])\n db.log_event(\"error\",\n f\"{task['task']} failed (attempt {attempts}): {str(e)[:110]}\",\n lead[\"id\"])\n if attempts >= MAX_TASK_ATTEMPTS:\n db.log_event(\"task_abandoned\",\n f\"{task['task']} for lead {lead['id']} after {attempts} attempts\",\n lead[\"id\"])\n _finish_task(task[\"id\"])\n return task\n _finish_task(task[\"id\"])\n return task\n```\n\nThere are two useful choices in that snippet. First, `step_once()`\n\nreads the next pending task from the database instead of holding work in memory. Second, failures get logged and retried a bounded number of times, so one poisoned lead does not stop the whole run.\n\nFor the cookbook, let the worker exit when the queue is empty:\n\n``` python\ndef _loop():\n while not _stop.is_set():\n try:\n t = step_once()\n except Exception as e:\n db.log_event(\"error\", f\"loop: {str(e)[:120]}\")\n t = None\n if not t:\n return\n time.sleep(0.5)\n```\n\nThat looks almost too simple, but it makes the tutorial easier to follow. You can submit the ICP, wait until the queue drains, inspect the drafts, approve one, and then test the send path. A production BDR might keep a scheduler alive forever; this version stops when the current batch is done so the human review step is obvious.\n\n## Step 5: Treat web text as untrusted data\n\nResearch is the first place the agent touches text it does not control. The company URL in the seed row might contain useful product information, but it could also contain prompt injection, stale copy, or nothing useful at all.\n\nPut the model-facing research logic in `app/agent_logic.py`\n\n. Before any scraped text goes into the prompt, wrap it as untrusted input:\n\n```\n# Untrusted text is fenced so the model can tell content from instructions.\nUNTRUSTED_OPEN = \"<<>>\"\nUNTRUSTED_CLOSE = \"<<>>\"\n\ndef wrap_untrusted(text: str) -> str:\n # Defang any of our own delimiters that appear in the scraped text.\n text = text.replace(\"<<<\", \"\").replace(\">>>\", \"\")\n return f\"{UNTRUSTED_OPEN}\\n{text}\\n{UNTRUSTED_CLOSE}\"\n```\n\nThe wrapper is not magic security. It is a clear boundary for the model: this page is data to analyze, not instructions to obey. The system prompt should say the same thing, and the output should carry an `injection_detected`\n\nflag so the rest of the app can surface suspicious sources.\n\nDefine that output shape in `app/models.py`\n\n:\n\n```\nclass ResearchFact(BaseModel):\n fact: str = Field(..., description=\"A specific, verifiable fact about the lead/company.\")\n source_url: str = Field(..., description=\"URL the fact was drawn from. Never empty.\")\n\nclass ResearchNote(BaseModel):\n \"\"\"Structured LLM research output. fit_summary + source-backed facts only.\"\"\"\n fit_summary: str\n facts: list[ResearchFact] = Field(default_factory=list)\n injection_detected: bool = Field(\n default=False,\n description=\"True if the scraped text tried to give instructions (prompt injection).\",\n )\n```\n\nThen enforce the source rule after the model returns:\n\n```\nnote = _tool_call(system, user, \"research_note\", ResearchNote)\n# Enforce the source rule in code, not just in the prompt.\nnote.facts = [f for f in note.facts if f.source_url.strip()]\nreturn note\n```\n\nThis is the first guardrail against fake personalization. If the model cannot attach a fact to a source URL, the app drops that fact. Some of the seeded leads intentionally point to placeholder or standards pages, and that is useful because it forces the agent to say “I do not have enough evidence” instead of inventing a warmer email.\n\nWhen the research, scoring, and drafting queue has drained, the verified run looked like this:\n\n```\n{\n \"drafted\": 1,\n \"rejected\": 11\n}\n```\n\n## Step 6: Score fit before drafting\n\nAfter research, decide whether a lead is worth drafting at all. This is a separate step on purpose. If you draft for every lead, you spend tokens on bad accounts and make the human review queue noisy.\n\nThe scoring output in `app/models.py`\n\nis small:\n\n```\nclass LeadScore(BaseModel):\n score: int = Field(..., ge=0, le=100)\n reason: str\n is_fit: bool\n```\n\nIn `app/worker.py`\n\n, the score decides the next state. Fit leads move to `qualified`\n\nand get a `draft`\n\nqueue item. Non-fit leads become `rejected`\n\nand stop there.\n\n``` python\ndef do_score(icp, lead):\n note = latest_note(lead[\"id\"])\n s = brain.score_lead(icp, lead, note)\n def _w():\n with db.conn() as c:\n if s.is_fit:\n c.execute(\"UPDATE leads SET status=?,score=?,score_reason=? WHERE id=?\",\n (LeadStatus.qualified.value, s.score, s.reason, lead[\"id\"]))\n c.execute(\"INSERT OR IGNORE INTO queue(task,lead_id,status,created_at) VALUES('draft',?,'pending',?)\",\n (lead[\"id\"], time.time()))\n else:\n c.execute(\"UPDATE leads SET status=?,score=?,score_reason=? WHERE id=?\",\n (LeadStatus.rejected.value, s.score, s.reason, lead[\"id\"]))\n db.with_retry(_w)\n if s.is_fit:\n db.log_event(\"qualified\", f\"score {s.score}: {s.reason[:80]}\", lead[\"id\"])\n else:\n db.log_event(\"rejected\", f\"non-fit score {s.score}: {s.reason[:80]}\", lead[\"id\"])\n return s\n```\n\nThat keeps the CRM honest. The dashboard can show why a lead was rejected, and the draft generator only sees accounts that passed the ICP check. In the seeded demo, you should expect most leads to be rejected because several URLs are intentionally weak or mismatched.\n\n## Step 7: Draft with sources\n\nDrafting is where an outbound agent can do the most damage to trust. A confident but unsupported personalization line is worse than a generic email because it teaches the prospect that the system made something up.\n\nSo the draft schema in `app/models.py`\n\ncarries sources with each variant:\n\n```\nclass EmailVariant(BaseModel):\n label: str # e.g. \"value-led\" / \"pain-led\"\n subject: str\n body_text: str\n personalization_sources: list[str] = Field(\n default_factory=list,\n description=\"Source URLs backing each personalized claim used in the body.\",\n )\n\nclass EmailDraftSet(BaseModel):\n \"\"\">= 2 personalized variants for one lead. Each fact must cite a source.\"\"\"\n variants: list[EmailVariant]\n```\n\nAfter the model returns variants, filter the sources again in `app/agent_logic.py`\n\n:\n\n```\ndrafts = _tool_call(system, user, \"email_draft_set\", EmailDraftSet)\n# Keep only personalization sources that are actually in our research.\nallowed = set(sources)\nfor v in drafts.variants:\n v.personalization_sources = [u for u in v.personalization_sources if u in allowed]\nreturn drafts\n```\n\nThat second filter is there because prompts are not enough. The prompt can say “only use these sources,” but the application should still check the returned data. In the verified run, the qualified lead got three useful email variants, with source URLs the dashboard can show next to the draft.\n\n## Step 8: Require approval before send\n\nSending is the first irreversible action in the app, so it gets two separate gates.\n\nThe first gate lives in the FastAPI app: `/api/send`\n\nrefuses to send unless a human has approved a specific draft variant. The endpoint also ignores any requested recipient and always uses `DEMO_RECIPIENT_EMAIL`\n\n, which keeps the tutorial pointed at an inbox you control.\n\nBefore approval:\n\n``` php\nPOST /api/send -> 400\n{\"error\":\"draft not approved\"}\n```\n\nApproval in `app/server.py`\n\ndoes not send anything. It only records which variant the human picked and moves the lead into the `approved`\n\nstate:\n\n``` python\n@app.post(\"/api/approve\")\nasync def approve(req: Request):\n \"\"\"Human approval gate. Records a pre-send checkpoint MARKER in the DB.\n\n The actual OpenComputer checkpoint is taken by the control side right\n before send (so it can restore_checkpoint to roll back). Here we just\n flip the lead to 'approved' and remember which variant a human picked.\n \"\"\"\n body = await req.json()\n lead_id = int(body[\"lead_id\"])\n draft_id = int(body[\"draft_id\"])\n variant_idx = int(body[\"variant_index\"])\n with db.conn() as c:\n c.execute(\"UPDATE drafts SET approved_variant=? WHERE id=?\", (variant_idx, draft_id))\n c.execute(\"UPDATE leads SET status=? WHERE id=?\", (LeadStatus.approved.value, lead_id))\n db.log_event(\"approved\", f\"variant {variant_idx} approved by human (pre-send checkpoint)\", lead_id)\n return {\"ok\": True, \"lead_id\": lead_id, \"approved_variant\": variant_idx}\n```\n\nThe second gate lives in the control script. Right before it calls `/api/send`\n\n, `control/drive_demo.py`\n\ncreates an OpenComputer checkpoint:\n\n```\n# DoD #7: checkpoint the IRREVERSIBLE action (the real send) BEFORE doing it,\n# so the run is rollback-able. This is a real OpenComputer checkpoint taken\n# from the control side; the app already recorded a pre-send marker on approve.\nckpt = await retry(lambda: sb.create_checkpoint(f\"pre-send-{int(time.time())}\"),\n what=\"create_checkpoint_pre_send\")\nckpt_id = ckpt.get(\"id\") if isinstance(ckpt, dict) else getattr(ckpt, \"id\", ckpt)\ngate_text += f\"\\n[checkpoint] create_checkpoint BEFORE send -> id={ckpt_id}\\n\"\n```\n\nWhen the control script creates the pre-send checkpoint, the result should look like this:\n\n``` php\ncheckpoint BEFORE send -> id=\n```\n\nThat checkpoint is the rollback line. Up to approval, the app is only changing internal CRM state. After send, it has touched the outside world, so you want a named point to return to if the next step behaves badly.\n\n## Step 9: Send one controlled email\n\nNow wire the email provider in `app/mail.py`\n\n.\n\nAgentMail handles the actual outbound email. The app sends both text and HTML because many providers and clients behave better when both bodies are present:\n\n```\nresp = am.inboxes.messages.send(\n inbox_id=inbox_id,\n to=[to_addr],\n subject=subject,\n text=text,\n html=html,\n labels=[\"outreach\", \"unreplied\"],\n)\n```\n\nProvider APIs often do not give you exactly the idempotency shape you want, so the app owns its own send key. For the first outbound email, the key is derived from the lead, draft variant, and send kind:\n\n``` python\ndef send_key(lead_id, draft_idx, kind=\"initial\"):\n raw = f\"{kind}:{lead_id}:{draft_idx}\"\n return hashlib.sha256(raw.encode()).hexdigest()[:24]\n```\n\nBefore sending, `/api/send`\n\nchecks whether that key already has a provider message ID. If it does, the app returns the existing message instead of calling AgentMail again. That is what makes control-script retries safe.\n\n``` php\nsend AFTER approve -> 200\ndeduped: false\n\nsend AGAIN -> 200\ndeduped: true\n```\n\nThe important behavior is simple: the first call sends, the second call proves it would not send twice.\n\n## Step 10: Handle a real inbound reply\n\nThe reply leg should be real too, but it still should not involve a real prospect. The demo solves that by creating a second AgentMail inbox that plays the controlled prospect. It sends an actual email back to the BDR inbox, so the receive/classify/follow-up path is exercised without contacting anyone outside the test setup.\n\nThat controlled reply helper lives in `app/mail.py`\n\n:\n\n```\nsubj = in_reply_subject if in_reply_subject.lower().startswith(\"re:\") else f\"Re: {in_reply_subject}\"\nresp = am.inboxes.messages.send(\n inbox_id=prospect_inbox_id,\n to=[to_bdr_addr],\n subject=subj,\n text=body_text,\n html=\"
\" + body_text.replace(\"\\n\", \"
\") + \"
\",\n)\n```\n\nThen `app/server.py`\n\npolls the BDR inbox, ignores the BDR’s own outbound messages, fetches the full inbound message, and classifies the extracted reply text. The same idempotency idea from sending applies here too: each provider `message_id`\n\ngoes into `processed_messages`\n\n, so a repeated poll cannot double-handle the same reply.\n\nThe controlled reply was:\n\n```\nInteresting, but we're already using E2B/Runloop. Why switch?\n```\n\nThe model classified it as:\n\n```\n{\n \"category\": \"objection\",\n \"suggested_action\": \"answer_objection\"\n}\n```\n\nThe classification is not just a label for the dashboard. It decides the next action. In this case, an objection triggers a short objection-handling follow-up and records the events in the CRM:\n\n``` php\n[reply_classified] objection -> answer_objection\n[followup_sent] answered objection\n```\n\nThe final CRM snapshot showed 12 leads, 11 rejected, and 1 sent, with the inbound reply classified and the follow-up logged. The dashboard screenshot above is the actual UI after this step.\n\n## Step 11: Prove durability\n\nThe durability check is there to prove the BDR can pick up where it left off. After the send and reply flow, `control/durability_fallback.py`\n\nconnects to the same VM from `control/vm.json`\n\n, reads the SQLite CRM directly from disk, creates a named OpenComputer checkpoint, restarts the app process, and reads the CRM again.\n\nThat test focuses on the state this prototype owns: lead statuses, the outbound send log, sent-message dedupe, handled replies, and the queue. If those values only lived in Python memory, a restart would change or erase them. Because they live in SQLite and provider message IDs, the app can restart and still know which leads were rejected, which email was sent, and which reply was already handled.\n\nThe result:\n\n```\nBEFORE restart:\n counts: rejected=11, sent=1\n n_leads: 12\n emails: 3\n leads_hash: df168b5b6a211ace\n\nAFTER restart:\n counts: rejected=11, sent=1\n n_leads: 12\n emails: 3\n leads_hash: df168b5b6a211ace\n\nSTATE SURVIVED PROCESS RESTART/CHECKPOINT: True\n```\n\nAfter the process restart, the counts and lead hash stayed the same. If the hash changes in your run, stop there and inspect the write path before trusting the demo.\n\n## Run the safe demo\n\nAt this point you have a local project, a VM, the app code deployed into that VM, and an empty dashboard. The demo is the sequence that turns that empty dashboard into a real BDR run.\n\nFirst, create `icp.json`\n\nin your project root. This is the product and customer profile the agent will use for research, scoring, and drafting:\n\n```\n{\n \"product_name\": \"OpenComputer\",\n \"product_pitch\": \"Persistent cloud VMs for AI agents: each agent gets its own computer with a filesystem, preview URLs, checkpoints, and hibernation.\",\n \"sender_name\": \"Ava (Open Ava demo)\",\n \"sender_company\": \"Open Ava Demo\",\n \"sender_postal_address\": \"123 Demo Street, Suite 100, San Francisco, CA 94105\",\n \"target_persona\": \"Founders and engineers building AI agent products\",\n \"target_industry\": \"AI developer tools and agent infrastructure\",\n \"disqualifiers\": \"Non-software businesses, tiny design studios, and legacy on-prem vendors with no appetite for new tooling.\"\n}\n```\n\nUse the preview URL printed by `python control/deploy.py`\n\nas ``\n\n. Start with the health check so you know the app is running before you create state:\n\n```\ncurl https:///healthz\n```\n\nSubmit the ICP. This creates the campaign, imports the seeded leads, and starts the worker:\n\n```\ncurl -X POST https:///api/icp \\\n -H 'Content-Type: application/json' \\\n -d @icp.json\n```\n\nWatch `/api/state`\n\nor the dashboard while leads move through `new`\n\n, `researching`\n\n, `rejected`\n\n, and `drafted`\n\n:\n\n```\ncurl https:///api/state\n```\n\nWhen at least one lead reaches `drafted`\n\n, inspect its lead card. The exact lead ID can vary if you change the seed data; in the demo run, lead `12`\n\nwas the top drafted lead:\n\n```\ncurl https:///api/lead/12\n```\n\nTry to send before approval. This should fail, and that failure is the point:\n\n```\ncurl -X POST https:///api/send \\\n -H 'Content-Type: application/json' \\\n -d '{\"lead_id\":12,\"draft_id\":1}'\n```\n\nApprove one variant for the drafted lead:\n\n```\ncurl -X POST https:///api/approve \\\n -H 'Content-Type: application/json' \\\n -d '{\"lead_id\":12,\"draft_id\":1,\"variant_index\":0}'\n```\n\nNow create the checkpoint from the control side, send once, and send again to prove dedupe. The repo’s `control/drive_demo.py`\n\nautomates that sequence so you do not have to copy provider IDs by hand.\n\nThen send the controlled prospect reply and poll the BDR inbox:\n\n```\ncurl -X POST https:///api/_demo/prospect-reply \\\n -H 'Content-Type: application/json' \\\n -d '{\"text\":\"Interesting, but we are already using E2B/Runloop. Why switch?\"}'\n\ncurl -X POST https:///api/poll-replies\n```\n\n## Costs and limits\n\nOpenComputer’s default 4 GB / 1 vCPU VM costs [$0.004 per minute, or $0.24 per hour](https://opencomputer.dev/). Claude Sonnet 4.5 is [$3 per million input tokens and $15 per million output tokens](https://platform.claude.com/docs/en/about-claude/pricing). AgentMail’s free tier includes [3 inboxes, 3,000 emails per month, 100 emails per day, and 3 GB of storage](https://www.agentmail.to/pricing).\n\nThis tutorial uses one short VM session, 27 structured model calls, two AgentMail inboxes, and a few emails. With OpenComputer’s hibernation, this run would cost you less than $2.\n\n## Closing\n\nAt this point, you have a small BDR computer: one VM running the dashboard, worker, SQLite CRM, AgentMail inbox, approval gate, checkpoint, send path, and reply handler. You can open the dashboard and see why a lead was rejected, what facts supported a draft, which variant a human approved, and what happened when a reply came back.\n\nThat pattern is useful beyond outbound. Once an agent works across time, it needs somewhere to keep state, show its work, and pause before side effects. OpenComputer gives you that base layer as one running machine instead of making the first version start with a pile of separate infrastructure.\n\nClone the repo, run the demo, and swap in the workflow you care about.\n\nThe full Open Ava cookbook is on GitHub at [diggerhq/opencomputer-cookbooks](https://github.com/diggerhq/opencomputer-cookbooks/tree/main/open-ava-bdr). Use the same VM, preview URL, filesystem, and checkpoint model for your next agent.", "url": "https://wpnews.pro/news/open-ai-sdr-an-open-source-version-of-the-artisans-ava-bdr", "canonical_source": "https://opencomputer.dev/blog/open-ava-bdr-agent/", "published_at": "2026-06-26 19:30:44+00:00", "updated_at": "2026-06-26 20:06:01.186127+00:00", "lang": "en", "topics": ["ai-agents", "ai-tools", "ai-products"], "entities": ["Utpal Nadiger", "Artisan", "Ava", "OpenComputer", "FastAPI", "SQLite", "AgentMail", "Anthropic"], "alternates": {"html": "https://wpnews.pro/news/open-ai-sdr-an-open-source-version-of-the-artisans-ava-bdr", "markdown": "https://wpnews.pro/news/open-ai-sdr-an-open-source-version-of-the-artisans-ava-bdr.md", "text": "https://wpnews.pro/news/open-ai-sdr-an-open-source-version-of-the-artisans-ava-bdr.txt", "jsonld": "https://wpnews.pro/news/open-ai-sdr-an-open-source-version-of-the-artisans-ava-bdr.jsonld"}}