Agent

An agent with real hands.

Your shell. Your filesystem. Every cloud CLI you already auth'd. A multi-step loop that plans, calls tools, watches output, and adjusts — locally, under your per-call approval. No paste-back. No copy-loop. No surprise execution.

Download — start free How the loop works ↓

PROMISE 1

It asks before it acts.

Reads auto-run because they’re reversible. Anything that mutates disk, runs shell, or installs a package shows an approval card with the exact bytes — even when the agent is "very sure."

PROMISE 2

It uses the auth you already have.

GitHub via your gh. AWS via your IAM role. Kubernetes via your kubeconfig. The agent shells out to the CLIs you already trust — there’s no second credential perimeter to manage.

PROMISE 3

Every step is on the record.

Hash-chained audit log captures every tool call, every approval, every byte. Read on Free, export on Pro, aggregate across the fleet on Teams.

The loop

Plan. Call. Watch. Adjust.

One iteration. The agent runs it until your task is done or it stops to ask.

01
PlanModel reads your message + recent context (open file, working dir, recent shell output) and produces a tool call or a question.
02
ApproveIf it’s a write, you see an approval card with the literal command or diff. Reads auto-run. The deny-list refuses .env / .ssh / credentials structurally.
03
CallTool runs on your machine with your permissions — PTY for shell, filesystem for edits, network for HTTP, MCP for whatever you wired up.
04
AdjustResult + stdout/stderr go back to the model. It reasons over the actual output and continues — or stops to report what it found.

What approval looks like

The literal bytes. Every time.

No paraphrasing. The card shows what the agent will actually execute — diff, command, request body, MCP arguments. You see what you’re approving.

shell.execute WRITE · WAITS FOR ✓

kubectl rollout restart deployment/api-gateway -n production

cwd: ~/work/infra · auth: kubeconfig (prod-eks) · [a] approve [d] deny [e] edit

On every tier you can approve, deny, or edit the call before it runs. Pro adds "approve pattern" (e.g., always allow kubectl get *) and a per-repo deny-list that compounds with the built-in structural one.

Tools the agent can call

Real verbs. Real systems.

Not a sandbox. The agent reaches the same things you reach from a terminal — through the same auth, with the same blast radius.

shell.execute WRITE
Runs a command in a real PTY. Multi-tab, output streams back to the loop in chunks.

fs.read · fs.glob · fs.grep READ
Reversible. Auto-run. Deny-list refuses .env*, .ssh/, credentials at the boundary.

fs.write · fs.edit · fs.delete WRITE
Per-hunk diff in the editor. Vim bindings + accept/reject per chunk. Original file untouched until you approve.

net.fetch WRITE
HTTP/HTTPS request. Approval card shows method, URL, headers, body. Strict mode asks per request.

mcp.<server>.<tool> WRITE
Any tool from any MCP server you wired up — Figma, Gmail, Linear, GitHub, custom. Approval card shows the arguments.

memory.remember · memory.recall READ
Auto-run, scrubbed for secrets before persist. Global memory syncs cross-device (Pro+, opt-in).

subagent.spawn WRITE
Delegates a subtask to a sibling agent with isolated context. You approve the spawn; sub-agent shows full audit trail.

code.diff · code.apply WRITE
Per-hunk diff with semantic awareness. Apply hunk-by-hunk; rejected hunks never touch disk.

Sub-agents

Delegate work. Keep your context window clean.

Long-running searches, fan-out audits, "go figure out X across 200 files" — push them to a sub-agent with isolated context. You get a summary back; the noise stays out of your main loop.

# In your main agent — spawn a focused sub-agent
spawn explore "Find every place we still use jwt-simple and write a migration plan"

  → sub-agent runs independently
  → reads 200 files, greps, opens config
  → returns a 6-line summary + file list

# Your main context stays small
# The audit log captures every sub-agent step too

Explore

Read-only fan-out. Search across the repo, return excerpts. Built-in agent type — no setup.

Plan

Architectural reasoning. Returns a step-by-step plan and the files it’ll touch — you approve the plan, then dispatch.

Custom

Define your own agent types in a per-repo file. Different system prompts, different tool allowlists, different models.

Model Context Protocol

Every MCP server. Approval card per call.

Wire up any MCP server — Figma, Gmail, Linear, custom internal tools. The agent discovers their tools at runtime; each call shows the literal arguments before execution.

Configure once

// ~/.config/azmx-ai/mcp.json
{
  "servers": {
    "linear": {
      "transport": "stdio",
      "command": "npx",
      "args": ["@linear/mcp"]
    },
    "figma": {
      "transport": "http",
      "url": "https://mcp.figma.com"
    }
  }
}

Use everywhere

Tools appear as mcp.linear.create_issue, mcp.figma.get_design_context, etc. The agent discovers them — you don’t have to name them in your prompt.

Teams ships a shared MCP registry — wire a server once at the org level, every seat gets it. Per-server allow / deny rules let you scope what tools each role can call.

Auth tokens live in the same 0600 secrets file as BYOK keys — never localStorage, never logged.

What the agent already knows

Context, automatically.

You don’t have to paste in files, project structure, or recent commands. The agent already sees them.

Source	What it gives the agent
Working directory	File tree, gitignore-respected. Knows it’s a Rust workspace or a Vite app from the first turn.
Open editor file	Cursor position, visible region, language mode. "this function" resolves correctly.
Recent shell history	Last N commands + their exit codes. "why did that fail" works without re-running.
Git state	Current branch, dirty paths, recent commits. The agent knows what you’re working on.
AZMX.md	Per-repo agent instructions you check into the repo. Loaded every session.
Long-term memory	Scrubbed, append-only memory of facts you ask it to remember. Global memory syncs cross-device (Pro+).

Honest answers

What the agent doesn’t do.

It doesn’t auto-execute writes.

Ever. Reads auto-run because they’re reversible. Writes wait — even in Permissive mode (which only auto-approves patterns you’ve approved before).

It doesn’t paste your code to a vendor by default.

You bring the key. The provider you pick (Anthropic, OpenAI, your local llama.cpp) is the only place your code goes. AZMX HQ never sees your prompts.

It doesn’t reverse approved actions.

If you approved rm -rf node_modules, it ran. We don’t snapshot your filesystem before each write — use git like you would with any other tool.

It doesn’t make the agent "smarter" than your model.

The model you choose drives intelligence. AZMX gives that model real tools and a strict approval gate. Pick Claude Opus for hard problems, Haiku for speed, a local 70B for offline.

It doesn’t hide tool calls from you.

Even auto-run reads stream into the transcript with their results. Nothing happens off-screen. The audit log captures every call.

It doesn’t need a network to think.

Point it at a local Ollama / LM Studio / llama.cpp endpoint and the entire loop runs offline. Air-gap mode (Enterprise) makes that structural.

Real hands. Your approval. Start free.

An agent that touches the same things you touch — through your auth, behind your gate, on the record.

Download — start free See the trust model →