Hive

Active Rust Tokio PostgreSQL WASM Axum

Hive is a self-hosted agent harness written in Rust. It manages long-lived agents as durable processes, connects them to external communication channels, and enforces security boundaries between agents, data, and the outside world using kernel-level primitives rather than application-level trust.

The core systems are functional and I'm using Hive daily for my own workflows. I plan to open-source it once the codebase is in a state I'm comfortable with.

Agents run in isolated environments with overlay filesystems, scoped capabilities, and per-process network filtering enforced through eBPF. A structured knowledge graph built on typed ontologies handles reasoning. A shared ticketing system coordinates work between agents and humans across sessions. Browser automation runs through a headless Firefox instance behind a filtering proxy.

The architecture reference covers the major components and how they connect. The security model documents the enforcement layers in detail.

API Security Hardening

2026-04-08 Sam Stelfox 2 min read

This security pass wouldn't have been possible without first cleaning up the pedantic lint issues and expanding test coverage. Auth was optional, password hashing was SHA-256, and the GCRA rate limiter had a bug where it never actually rejected requests, this one I stumbled upon by accident while writing end-to-end tests. The nested Result<Result<_, NegativeOutcome>, InsufficientCapacity> return was only being checked at the outer level so every request that should have been limited was getting waved through. Not ideal.

Auth is mandatory now but the first-time user experience isn't great. You get a 503 on everything until you use hive security set-password on the server side to manually create a user. Query parameter tokens were previously being used and have since entirely been removed. Putting credentials in query params is a very easy way to get live credentials in logs, referrer headers, and browser history. Password hashing moved to Argon2id, SHA-256 is not acceptable for user credentials. There's now a real user system backed by the database with per-user API keys (hive_ prefixed so they're easy to spot if they leak). CLI persistent authentication similar to other tools like the AWS CLI, and first class support for remote servers both in the config and via a --host flag.

Looking for something specific?

Log Entries

Ref Pages

5,111

Words

Code Blocks

Build Span

0h 27m

Time to Read

2026-04-08 API Security Hardening hive project security rust api authentication
2026-04-08 A Third Fork hive project ai agents open-source community
2026-04-04 Why Build Another Agent Harness hive project ai agents rust philosophy