hermes-brain/ideas/competitive-analysis-2026-05.org

:PROPERTIES:
:ID:       3aa22300-2f25-57b0-8787-9f199cc978b1
:CREATED:  [2026-05-22 Thu]
:END:
#+title: Competitive Analysis — AI Agent Landscape (May 2026)
#+filetags: :passepartout:strategy:competitive:

* Overview

Analyzed 9 competitor codebases alongside Passepartout. The competitive landscape
divides into three categories:

1. Coding agents (Aider, OpenCode, Codex CLI, Claude Code, Gemini CLI)
2. Personal AI assistants (Hermes, OpenClaw, Thoth)
3. CI/check-based systems (Continue)

None of the nine compete with Passepartout on all axes simultaneously. Passepartout's
strongest differentiators — Org-mode data model, deterministic gate stack, ACL2
verification, Merkle-treed memory, and the triad architecture — are absent from
every competitor.

* Category 1: Coding Agents

** Aider (Python, ~40K lines, MIT)

Language: Python. ~6.8M pip installs. The oldest and most mature open-source
coding agent.

Architecture: Chat-based Coder class with 5 edit formats (diff, udiff, patch,
whole, architect). Uses litellm for universal provider access (50+ providers).
RepoMap provides codebase awareness via cosine-similarity embedding.

Safety model: Purely prompt-based plus user-confirmation dialogs. No deterministic
gate stack. No sandboxing. No model output validator. The allowed_to_edit() gate
is a single user confirmation call. --yes flag auto-approves. Aider can edit its
own source code with no special protection — self-modification is undetectable.

Data model: Ad-hoc. Chat messages in memory. Git commits for persistence. RepoMap
is a cosine-similarity index. No persistent memory across sessions. No knowledge
graph.

Self-modification: Full. No guard against editing its own files.

Verification: None.

Key gap vs Passepartout: No safety gates, no persistent memory model, no knowledge
representation, no verification, no self-modification protection, no architecture
for neurosymbolic reasoning. It is a thin shell around litellm + edit format
parsers.

** OpenCode (TypeScript/Bun, anomalyco/opencode, 163K★)

The dominant open-source coding agent by adoption. Bun runtime, Effect-TS
functional core, Solid.js TUI, Turborepo monorepo.

Architecture: Dual LLM runtime — default AI SDK (streamText/generateText) +
opt-in native Effect-Schema runtime (@opencode-ai/llm) with 4-axis route
decomposition (Protocol/Endpoint/Auth/Framing). 30+ provider plugins.
Agent workflow DSL with plan/build agent switching. Agent Communication
Protocol (ACP) for inter-agent messaging. Subagents inherit permission
boundaries from parent. 18+ built-in tools + custom tools from config.
Effect-TS ScopedCache per-project state management.

Safety model: Explicitly documentes /not/ sandboxing the agent. The
permission system is rule-based (glob matching, actions: allow/ask/deny)
and exists as a UX feature, not security isolation. Built-in agents have
carefully scoped defaults (build allows most, prompts on doom_loop;
plan denies all edits except plan files; explore denies everything except
grep/glob/bash/webfetch/read; question defaults to deny). Permission
rules are inherited by subagents. Shell tool dynamically scans commands
for filesystem-impacting operations to determine ask patterns.

Data model: SQLite via Drizzle ORM with bun:sqlite or better-sqlite3.
Key tables: SessionTable (project, workspace, parent hierarchy, cost,
tokens, model JSON, agent config JSON, permission JSON, revert snapshot),
MessageTable, PartTable. Project model stores worktree, VCS, sandbox
config. Config is JSON-chain (user home → project root → worktree) with
remote config fetch and mergeDeep with concatenating array semantics.
20 config modules covering agents, permissions, providers, MCP, LSP,
plugins, skills, references, variable.

Self-modification: Agent.generate() interface lets the LLM create new
agent definitions — the system grows its own subagent roster. Skills
system loads domain-specific knowledge packs dynamically.

Verification: None.

Key gap vs Passepartout: No deterministic safety architecture, no
knowledge graph, no Org-mode, no verification/proof system, no
neurosymbolic architecture. The permission system is explicitly labeled
\"not security isolation\" — it's UX, not a gate stack. Largest userbase
and most polished product of any coding agent, but architecturally
conventional.

** Codex CLI (OpenAI, Rust, ~950K lines)

OpenAI's open-source coding agent. Rust, Sandboxed.

Architecture: ~116 crate Rust workspace with a protocol layer (SQ/EQ session types),
sandbox manager (macOS Seatbelt, Linux nsjail), multi-provider support (via defined
protocol, not directly), configurable TUI.

Safety model: Most sophisticated safety system of any coding agent analyzed.
Multi-layer:
- Process hardening (macOS Seatbelt with 4 profile tiers)
- Execution policy engine (defined policy in execpolicy crate)
- Sandboxing via nsjail on Linux, seatbelt on macOS
- Guardian module for tool permission gating
- No prompt-based safety — all deterministic through policy definitions

Data model: Protocol-defined session types. Structured request/response models.
Config through TOML files with schema validation.

Self-modification: Protected by sandbox — the agent cannot escape to modify its
own binary or config without explicit policy override.

Verification: None (no proof system).

Key gap vs Passepartout: No knowledge graph (Org or otherwise), no persistent
memory model, no deterministic gate stack for agent behavior (only OS-level
sandboxing), no ACL2/prover, no neurosymbolic architecture. Strongest sandbox
but weakest cognitive architecture.

** Claude Code (Anthropic, TypeScript/Bun, ~512K lines leaked)

Anthropic's proprietary coding agent. Only available via leaked source analysis.
Not open source.

Architecture: Bun-bundled TypeScript single-file executable. Ink/React terminal UI.
23+ core tools. Subagent forking with byte-identical API prefixes for prompt cache
sharing. Multi-agent coordination mode.

Safety model: Layered deterministic safety — NOT prompt-based:
1. Permission mode system (7 modes: default, acceptEdits, bypassPermissions, etc.)
2. Persistent permission rules (alwaysAllow, alwaysDeny, alwaysAsk, rule sources
   from userSettings, projectSettings, localSettings, policySettings)
3. Bash security validator — 2,592 lines of dedicated code with 23+ named
   security checks using tree-sitter AST parsing
4. Sandbox runtime for filesystem/network containment
5. Path/mode validation
6. Optional ML bash classifier (ant-only feature)

This is the most sophisticated safety system of any coding agent. Passepartout's
gate stack is architecturally similar (deterministic multi-layer) but Claude
Code's implementation is vastly more mature — 2,592 lines of bash validation
alone is ~50x the equivalent in Passepartout.

Data model: File-based markdown memdir at ~/.claude/projects/<slug>/memory/.
4 memory types: user, feedback, project, reference. YAML frontmatter in .md files.
PROJECT.md and CLAUDE.md for project-level config. No database.

Self-modification: HIGH. Skill system writes SKILL.md files that change future
behavior. Plugin system, cron scheduling, agent spawning.

Verification: None.

Key gap vs Passepartout: No proof system, no neurosymbolic architecture, no
self-verification, no persistent knowledge graph (flat markdown files, not
Org-mode with cross-references), markdown data model lacks semantic depth.
Proprietary — Anthropic controls it completely. Linux-only (uses macOS sandbox
profiles natively). The permission rules system is impressive but structurally
inferior to Passepartout's gate stack because rules are heuristic (regex-based
pattern matching) rather than typed (type-level gates with structural guarantees).

** Gemini CLI (Google, TypeScript, ~525K lines, Apache 2.0)

Google's open-source coding agent. Node.js 20+, Ink/React TUI.

Architecture: 7-package npm monorepo. Core backend handles Gemini API orchestration,
tool execution, policy engine, safety checks, sandbox management, session management,
MCP client. 7-strategy composite model routing chain.

Safety model: Multi-layered:
1. CONSECA (Contextual Security Checker) — AI-driven per-request policy generation
   using a separate Gemini Flash model. Principle of least privilege.
2. Policy engine — 4 approval modes (PLAN, DEFAULT, AUTO_EDIT, YOLO), hierarchical
   rules with priority scores and wildcard matching
3. 6 sandbox methods (macOS Seatbelt, Docker/Podman, bwrap, gVisor, LXC, Windows)
4. Trusted folders with discovery phase and path traversal protection
5. Policy integrity verification via cryptographic hashes
6. Built-in safety checkers (AllowedPathChecker, CONSECA)
7. Loop detection service

Data model: JSONL session files. Turn-based conversation model. 4-layer config
precedence (system-defaults → user → project → system-override). TOML policy files.

Self-modification: Modifiable hooks system, MCP extensions, custom commands.
Core binaries are protected on disk by file permissions.

Verification: None.

Key gap vs Passepartout: No proof system, no persistent knowledge graph, no
self-verification, no neurosymbolic architecture, lock-in to Google Gemini models
(though it can use others via routing). The CONSECA approach is interesting
(AI-generated policies) but introduces a second LLM call for every security
decision — the opposite of Passepartout's approach of zero-token deterministic gating.

* Category 2: Personal AI Assistants

** Hermes Agent (Python, ~17K core, MIT)

The agent running this conversation. Python, OpenAI-format conversations.

Architecture: Synchronous conversation loop with OpenAI-format messages. 60+
built-in tools. 109+ providers via pluggable transport layer. 15+ messaging
platforms via gateway. MCP client (native, not bridge). Ink/React TUI as Node.js
subprocess. Cron jobs, Kanban board, subagent delegation.

Safety model: Multi-layer but NOT a deterministic gate stack:
1. Message sanitization (surrogates, control chars, malformed JSON)
2. Tirith binary scanner (pre-execution terminal command analysis)
3. Command approval system (manual/smart/off modes)
4. Memory injection detection (prompt injection pattern matching)
5. Secret/PII redaction
6. Tool call guardrails (loop detection)
7. MCP security (env filtering, credential stripping)
8. Context fencing (memory injection span scrubbing)

These are all heuristic or prompt-based — no structural type-level gates.
Tirith is a separate binary, not in-process. The approval system is good but
reactive (LLM proposes → system blocks) rather than preventive (type system
prevents by construction).

Data model: SQLite session DB (FTS5 full-text search). File-based memory
(MEMORY.md + USER.md). YAML config. No knowledge graph. No Org-mode.

Self-modification: Skill system writes SKILL.md files. Memory tool edits
MEMORY.md/USER.md. Config YAML editable. Core Python code is read-only in
execution but the LLM could request modifications to its own source files
(no gate specifically prevents this).

Verification: None.

Key gap vs Passepartout: No deterministic gate stack (heuristic layers, not
structural/typed), no knowledge graph, no Org-mode, no neurosymbolic architecture,
no self-verification, no proof system. Hermes's strength is breadth —
109 providers, 15 platforms, MCP ecosystem, big tool surface. But it has no
depth in safety, knowledge representation, or reasoning architecture.

** OpenClaw (TypeScript/Node.js, ~3.5M lines)

The largest codebase analyzed. Personal AI assistant with 25+ messaging channel
support.

Architecture: pnpm workspace with ~135 bundled plugins. Gateway control plane
routes messages through multi-agent routing. Per-agent sessions, workspaces,
skill registries. Companion native apps (macOS, iOS, Android).

Safety model: Tiered — main agent runs tools directly on host (trusted-operator),
non-main sessions sandboxed via Docker (read-only rootfs, capability dropping,
seccomp/AppArmor, memory/cpu/PID limits, SSH/OpenShell backends).

Data model: Typed JSON/YAML config (openclaw.json). Multi-source model catalog.
Plugin SDK with narrow typed subpath exports.

Self-modification: ACP (Agent Control Protocol) for spawning child sessions.
Skill system with npm distribution and ClawHub registry.

Verification: None.

Key gap vs Passepartout: Same as Hermes — no gate stack, no knowledge graph,
no Org-mode, no verification, no neurosymbolic architecture. Differentiated by
vastly broader channel support and mature plugin ecosystem. But architecturally
conventional — LLM + tools + channels, no cognitive architecture innovation.

** Thoth (Python, ~151K lines, Apache 2.0)

https://github.com/siddsachar/Thoth — Personal AI Sovereignty. Local-first
desktop AI assistant with knowledge graph, tools, voice, vision, shell,
browser automation, workflow engine, and messaging channels.

Architecture: LangGraph create_react_agent (prebuilt ReAct pattern). Dual-mode
streaming via agent.stream(). NiceGUI web UI served by Python app.py with
desktop launcher (tray icon, Ollama auto-start, browser/OS window). Context
trimming via tiktoken to ~85% of model window, base64 data redaction, stale
browser snapshot compression (keeps last 8), MD5 tool result dedup, old tool
result summarization. 50-step recursion limit (chat), 100 (tasks), 120 (Developer
Studio). Agent graph cached by tool set + model override. Checkpoints via
LangGraph's SQLite-backed checkpointer. 30+ tool modules.

Safety model: Shell command classification (tools/shell_tool.py) with 17 blocked
patterns (rm -rf /, mkfs, dd of=/dev/, shutdown, fork bombs, pipe-to-bash, etc.),
30+ safe auto-execute prefixes (ls, cat, grep, git status, etc.), needs-approval
for compound commands (;, &&, ||, |, $(), backticks). Interactive interrupt() for
non-safe shell — LangGraph human-in-the-loop pauses the graph. Per-workflow safety
modes: block (default, refuse non-safe), approve (pause), allow_all.
Prompt-injection defense: scans tool outputs and user inputs for 5 categories
(role overrides, instruction hijacking, data exfiltration, invisible unicode,
hidden HTML directives) — detection-only, no stripping. Filesystem workspace
boundary (~/Documents/Thoth). Opt-in Docker Sandbox for Developer Studio.
Destructive ops (file delete, moderate shell, Gmail send, calendar delete,
memory/task/tracker delete) require confirmation. MCP servers disabled until
tested. Custom Tools reviewed and promoted. No sandboxing of agent runtime
itself — agent runs in-process. No response-level guardrails.

Data model: SQLite (WAL mode) at ~/.thoth/memory.db — shared between knowledge
graph and legacy memory. Knowledge graph: SQLite (durable) + NetworkX MultiDiGraph
(in-memory, rebuilt on startup) + FAISS vector index (semantic recall, rebuilt on
every entity write). 11 entity types (person, preference, fact, event, place,
project, organisation, concept, skill, media, self_knowledge). 67+ typed relations
with 30+ LLM-produced aliases mapped to canonical forms. Dream Cycle refinement
pipeline for entity dedup/merge/stale-confidence decay. Config: JSON files
(skills_config.json, api_keys.json, providers.json, channels_config.json). Keys in
OS credential store (Windows Credential Manager, macOS Keychain, Linux Secret
Service/KWallet). Memory extraction background daemon scanning past conversations
every ~2 hours.

Self-modification: Agent CAN create/update/delete skills via dedicated tools
(thoth_create_skill, thoth_patch_skill, thoth_delete_skill). SKILL.md files with
YAML frontmatter at ~/.thoth/skills/. Bundled skills (read-only) at app root;
user skills override by name. Skill patching requires user confirmation + auto
backup. Maximum 1 patch proposal per conversation. Tool guides cannot be patched.
Self-knowledge block injected into system prompt. No tool to modify agent.py,
prompts.py, or system prompt directly. Developer Studio provides code editing
through approval-gated tools (tool-assisted human workflow, not agent self-mod).

Verification: None formal. Update signature verification (updater.py).
Comprehensive test suite at tests/test_suite.py. No tool-call verification beyond
LangGraph schema validation. No output verification or fact-checking.

Key differentiators vs other assistants: LangGraph ReAct agent with structured
streaming event model. Personal knowledge graph (11 entity types, 67 relations,
NetworkX + FAISS). Developer Studio (Docker sandbox, code threads, Git operations,
approval modes). Designer Studio (decks, documents, landing pages, sandboxed
interactive runtime). 5 messaging channels (Telegram, Discord, Slack, WhatsApp,
SMS) with streaming, reactions, media processing. Background workflow engine
(schedules, webhooks, step pipelines, conditions, approvals, concurrency groups).
30+ tool modules including browser automation, shell, Gmail, Calendar, X, image/
video generation. 39 curated Ollama tool-calling models. 10 LLM providers (Ollama,
OpenAI, Anthropic, Google AI/Gemini, xAI/Grok, MiniMax, OpenRouter, Ollama Cloud,
ChatGPT/Codex subscription, custom endpoints). MCP client (stdio, Streamable HTTP,
SSE) with namespaced tools, approval gates. No accounts, no telemetry, no hosted
server. Local-first with OS credential store.

Key gap vs Passepartout: No deterministic gate stack — shell safety is pattern
list (17 blocked, 30 safe), not typed gates. No sandboxed agent runtime. No
proof system. No output guardrails. No neurosymbolic architecture. No Org-mode.
No Merkle-tree memory. Knowledge graph (SQLite+FAISS) is richer than Hermes but
is LLM-driven entity extraction — no structural integrity guarantees. Thoth's
differentiation from Hermes/OpenClaw is the knowledge graph + Developer/Designer
studios + embedded LangGraph framework — a broader product scope, but still
architecturally conventional (LLM + tools + channels + KG), not a new cognitive
architecture.

* Category 3: CI/Check Systems

** Continue (TypeScript, ~328K lines, Apache 2.0)

Source-controlled AI checks for CI/CD. Markdown-as-gate-policy.

Architecture: Shared core (@continuedev/core) with ~80 provider implementations,
tool-calling engine, config system (YAML/JSON/Markdown). Serves CLI (Ink/React TUI
+ headless CI mode), IDE extensions (VS Code, JetBrains), web dashboard.

Safety model: Three permission levels (allow/ask/exclude). Precedence: mode policies
→ CLI flags → permissions.yaml → built-in defaults. Terminal security package for
shell command analysis via shell-quote parsing. Workspace-scoped file access.

Data model: Markdown files for checks, agents, rules. Source-controlled in-repo.
YAML frontmatter for metadata.

Self-modification: Checks source-controlled — any change goes through git.

Verification: None (the checks are themselves unverified).

Key gap vs Passepartout: The "checks as markdown" concept is philosophically
similar to Passepartout's gate rules (deterministic policies checked before
execution) but the implementation is dramatically simpler — regex-based policy
objects, not a type-level gate stack with structural guarantees. No persistent
agent, no memory, no knowledge graph, no neurosymbolic architecture. It is a
gate system without an agent to gate.

* The Passepartout Advantage

| Dimension | Passepartout | Best Competitor | Gap |
|-----------|--------------|-----------------|-----|
| Safety model | Type-level gates + 11-vector deterministic stack | Claude Code (7 permission modes + 23 bash checks) | Structural vs heuristic. Passepartout's type-level gates prevent self-modification at the category level; competitors block patterns. |
| Knowledge model | Org-mode (tree, properties, TODOs, timestamps, cross-refs, IDs, tags) | Claude Code (flat markdown memdir) | Org-mode's semantic richness is ~15 primitives markdown doesn't have. |
| Memory integrity | Merkle tree + SHA-256 + rollback | Hermes (file-based); Claude Code (flat files + git) | Content-addressed, tamper-evident memory no competitor has. |
| Self-verification | ACL2 → CIC prover (planned) | None | No competitor does provable correctness. |
| Cognitive architecture | 10-80-10 symbolic-first (planned) | 100% LLM (every competitor) | Post-flip, Passepartout uses ~10% of the tokens competitors use. |
| Data format | Org-mode (human-editable, machine-parseable, single file) | JSONL/Markdown/YAML/DB (competitors use 2-5 formats) | Unified format reduces translation layers to zero. |
| Self-modification | Type-level gates + hot-reload | Claude Code (skills), Hermes (skills) | Passepartout's guard against self-modification is structural (type level), not heuristic (pattern list). |
| Triad | Passepartout + Stoa + Agora | None | No competitor is building a full computing stack + social network. |
| Provider independence | Any OpenAI-compatible API | Hermes (109+), Gemini CLI (1 primary) | Comparable to Hermes, better than most. |

* Where Competitors Lead

| Dimension | Leader | Passepartout Status |
|-----------|--------|---------------------|
| Safety implementation maturity | Claude Code (2,592 lines bash security) | Gate stack exists but bash validation is minimal in comparison |
| Provider breadth | Hermes (109+), OpenClaw (50+) | 8 providers — adequate but not competitive |
| Channel/platform support | OpenClaw (25+ channels) | TUI only — no multi-channel |
| Plugin ecosystem | OpenClaw (ClawHub, npm registry) | No plugin marketplace |
| Subagent delegation | Claude Code (fork with context inheritance) | Planned via Screamer planner |
| Codebase size / features shipped | All competitors have working products | In development |
| MCP integration | Hermes, Codex (native), Continue | Planned |
| Sandboxing | Codex CLI (Seatbelt+nsjail), Gemini CLI (6 methods) | None |
| Business model | Hermes (MIT+services), Codex (tokens) | AGPL + appliances + SaaS |
| Cross-platform | Claude Code (macOS/*nix), Codex (macOS) | Linux only |

* Strategic Positioning

Passepartout is not competing in the existing AI agent market. It is building a
new category: provable personal infrastructure.

Competitors optimize for:
- Token efficiency (Aider's edit formats, OpenCode's LSP integration)
- Model flexibility (Hermes' 109 providers)
- Platform reach (OpenClaw's 25 channels)
- UI polish (Gemini CLI's Ink/React, Claude Code's permission dialogs)
- Sandbox security (Codex's Seatbelt, Gemini's gVisor)

Passepartout optimizes for:
- Provable correctness (ACL2 → CIC)
- Data integrity (Merkle tree)
- Cognitive architecture (10-80-10 symbolic-first)
- Safety by construction (type-level gates)
- Unified data model (Org-mode as everything)
- Network effects (Agora)
- Full-stack ownership (Stoa)

These are not axes any competitor cares about. The risk is not that a competitor
builds a better Passepartout — it's that the market never develops a preference
for provable agents. If token-burning LLM agents remain the default and users
don't demand verification, the entire category Passepartout addresses may not
exist yet.

* Immediate Implications for Development

1. Claude Code's safety system is the benchmark to exceed. The type-level gate
   architecture is theoretically superior to Claude Code's heuristic patterns,
   but the implementation needs to prove it catches things Claude Code
   misses.

2. No competitor has anything resembling a neurosymbolic architecture. The 10-80-10
   plan has zero competition — but that also means zero market validation.

3. The Org-mode bet is invisible to competitors. They don't see the advantage
   because they've never tried to build a knowledge graph from flat markdown files.
   This is Passepartout's widest moat — it depends on a skill (Org-mode literate
   programming) that no competitor's team has.

4. Hermes is the closest full-stack competitor (tools, skills, cron, subagents,
   multi-platform), but architecturally conventional. For Hermes to match
   Passepartout, it would need to be rewritten.

5. The coding agents (Aider, OpenCode, Codex) are not competitors — they are
   single-purpose tools Passepartout could eventually replace entirely when the
   planner matures.

* File references

Repository dumps and analysis artifacts at /tmp/:
- /tmp/aider/ — Aider source (Python)
- /tmp/opencode/ — OpenCode archived source (Go)  
- /tmp/codex/ — OpenAI Codex CLI (Rust)
- /tmp/claude-code-leaked-source/ — Claude Code leaked (TypeScript/Bun)
- /tmp/gemini-cli/ — Google Gemini CLI (TypeScript)
- /tmp/openclaw/ — OpenClaw source (TypeScript)
- /tmp/thoth/ — Thoth source (Python)
- /tmp/continue/ — Continue source (TypeScript)
- /usr/local/lib/hermes-agent/ — Hermes Agent (Python)