Logo
Smooth

The Smoo AI CLI.
One binary for everything.

Coordinate teams of AI coding agents — Smooth Operators — inside hardware-isolated Microsandbox microVMs, with adversarial surveillance and policy-gated access control.

th is a single ~10 MB Rust binary. No Docker. No Node.js. No runtime dependencies.

install.sh
$ curl -fsSL https://raw.githubusercontent.com/SmooAI/smooth/main/install.sh | sh
View on GitHubDownload binary
The loop

We tried seven phases. One agent plus a governor wins.

Inside each operator VM, a single agent handles its own inner iteration (LLM → tool → LLM …). A thin outer governor feeds last run's test output back in, snapshots the workspace when failing tests drop, and stops on the first convincing signal.

Task promptCoding turnsmooth-codingagent runs tools internallyTestsgreen?DoneSnapshot workspaceif failing count droppedStop signal?close-to-green · budget ·iter capRestore best-seenstateyesnonoyes
Green

Agent reports all tests passing.

Close-to-green

Previous turn reached ≤3 failing; this turn didn't improve. More iteration likely regresses.

Budget

Next turn would blow the --budget-usd cap.

Iteration cap

Safety ceiling (default 5) — not the primary brake.

Stop conditions are budget + plateau, not a fixed iteration cap.

One key, every model

Semantic routing slots, resolved by the gateway.

Every LLM call dispatches through a routing slot. The gateway (typically llm.smoo.ai) resolves each slot to a concrete model. Upgrading backends doesn't churn the code.

SlotUsed byShape
smooth-codingThe coding loop (workhorse)Strong tool use + multi-turn
smooth-thinking`th code` Thinking preset, deep reasoningExtended chain-of-thought
smooth-planning`th code` Planning presetTask decomposition
smooth-reviewing`th code` Reviewing preset, code-review flowsAdversarial critique
smooth-judgeNarc's LLM-as-a-judge, bench scoringYes/no verdicts, low latency
smooth-summarizeContext compression during long runsSummarization
smooth-fastSession auto-naming, titles, autocompleteHaiku/Flash-class, sub-second TTFT
smooth-defaultFallback when a specific slot isn't configuredGeneralist

Bring your own provider

Smooth talks to any OpenAI-compatible endpoint. Pin each slot to a different upstream via th code's model picker or ~/.smooth/providers.json.

Kimi CodeKimiOpenRouterOpenAIAnthropicGoogle (Gemini)Ollama (local)
Full model roster, pricing, and provider notes
Hardware-isolated sandboxes

Every agent runs inside a microVM. Including the orchestrator.

Smooth runs on Microsandbox — hardware-isolated microVMs with iptables-enforced egress, FUSE-mediated filesystem access, and a policy authority per VM. The only services allowed to write code are the Operators.

HOST MACHINEBootstrap Bill · msb (microsandbox daemon)THE BOARDROOMmicroVM · The Board operates hereBig Smoothorchestrator · READ-ONLYArchivistcentral log + trace aggregatorWonk · Goalie · Narc · Scribe · GrooveNarc in the Boardroom blocks any write from Big Smooth.Archivist can write — only to log paths.OPERATOR VM 1smooth-operator-runneragent + toolsWonk — access controlGoalie — network + fsNarc — surveillanceScribe — loggingOPERATOR VM 2smooth-operator-runneragent + toolsWonk — access controlGoalie — network + fsNarc — surveillanceScribe — loggingorchestratesevents

The Cast

Big Smooth

The Boardroom

Orchestrator. Schedules work, generates policy, handles access requests. READ-ONLY — cannot write to the filesystem. Narc enforces it.

Archivist

The Boardroom

Central log + trace aggregator. Receives events and OTLP traces from every Scribe. Stores traces in SQLite, optionally forwards to Jaeger / Tempo / Honeycomb.

Wonk

Every VM

Access control authority. Reads policy TOML, answers "is this allowed?" for every network request, tool call, pearl access, and CLI command. No LLM.

Goalie

Every VM

Network + filesystem proxy. Dumb pipe — forwards or blocks based on Wonk's answer. iptables + FUSE enforced at the kernel level.

Narc

Every VM

Tool surveillance + prompt-injection guard. Two-tier detection: fast regex pre-filters, then an LLM-as-a-judge (Haiku/Flash) for the ambiguous cases.

Scribe

Every VM

Structured logging service. All services log through Scribe, which writes to on-pod SQLite and feeds events upstream to Archivist.

Groove

Every VM

LLM checkpointing + session resume. Captures conversation state after tool calls so an interrupted operator can resume from the last checkpoint.

The Board = Big Smooth + Archivist. The Boardroom = the VM where The Board operates, with its own Wonk, Goalie, Narc, Scribe, and Groove. Smooth Operators are the AI agents — the only ones who write code.

Key invariants
  • Big Smooth never writes. Narc in the Boardroom enforces this — any write attempt is instantly blocked.
  • Archivist can write — but only to log paths. Everything else is denied.
  • Operators see only their pearls. Assigned pearl + depth-2 dependency closure, scoped by auth token.
  • All outbound traffic goes through Goalie. No process can bypass the proxy — enforced at the kernel with iptables + FUSE.
  • Narc runs two tiers. Regex fast path for secrets and write guards; an LLM-as-a-judge (Haiku / Flash / GPT-4o-mini) for the ambiguous cases.
Hosted sessions
Coming soon

Share a running Big Smooth from anywhere.

Review a pearl from your phone. Hand a teammate a live session to steer. Drive your laptop's Smooth from your office machine. Smooth dials a reverse tunnel out to a smooai-operated rendezvous and gives you a stable HTTPS URL at <slug>.th.smoo.ai.

Ephemeral scratch-XXXX.th.smoo.ai slugs for ad-hoc sharing; stable subdomains on paid tiers. TLS terminates at the smooai edge on a valid wildcard — your laptop never opens an inbound port. th adds reachability, not authorization: Big Smooth still enforces the same auth locally and over the tunnel.

The CLI

Every platform surface behind one binary.

Auth, orchestration, access control, tools, tunnels, and background service management. No separate installers, no Docker Compose, no per-project runtime juggling.

Core

  • th up

    Start Big Smooth + the embedded web dashboard

  • th down

    Stop everything cleanly

  • th code

    Interactive coding assistant (ratatui)

  • th status

    System health

Auth

  • th auth login smooai-gateway

    Recommended — every slot resolves via one key

  • th auth login openai

    Or: anthropic, google, kimi, kimi-code, openrouter, ollama

  • th auth providers

    List configured providers

  • th auth default <provider>

    Pick which backs smooth-default

Work

  • th run <pearl-id>

    Dispatch a pearl to a Smooth Operator in a microVM

  • th operators

    List active operators

  • th pause / resume / steer / cancel

    Control an operator mid-task

  • th inbox

    Messages needing attention

Access

  • th access pending

    List pending access requests from operators

  • th access approve <pearl> <domain>

    Approve domain access for a pearl

  • th access policy <operator-id>

    Show the current policy an operator is running under

Tools & Plugins

  • th mcp add playwright npx @playwright/mcp@latest

    Register a Model Context Protocol server

  • th mcp list

    Global + project scopes

  • th plugin init jq --command "jq {{filter}} <<< {{json}}"

    Expose any CLI as an agent tool

Tunnel (coming soon)

  • th tunnel start

    Expose your local Big Smooth at <slug>.th.smoo.ai

  • th tunnel list

    Active tunnels for your org

  • th tunnel stop <slug>

    Close a tunnel

Full command reference on GitHub

Install it.

One 10 MB binary. MacOS, Linux, Windows. Authenticate once, you're running.

$ curl -fsSL https://raw.githubusercontent.com/SmooAI/smooth/main/install.sh | sh
Download binarySmooAI/smooth