Hook your coding agents together
kore is a CLI that agents can use to message, watch, and spawn each other across terminals. It integrates with Claude Code, Gemini, Codex, OpenCode and Antigravity without changing how you use them.
Use it to coordinate pipelines, run different AI CLIs as each other's subagents, or just instead of copy-paste.
Single Rust binary, no background services. Start an agent with kore in front, then prompt normally.
# Shell installer for macOS, Linux, Android (Termux), and WSL
curl -fsSL https://github.com/Solar2004/kore/releases/latest/download/kore-installer.sh | shTerminal 1:
kore claude # codex / gemini / opencode / agyTerminal 2:
kore codexPrompt:
ask the other agent their favorite cakereview what claude did and send it fixesspawn 3x gemini, split work, collect resultsfork yourself to investigate the bug and report back
Open the TUI:
koreMessage each other in real-time: intent, replies, bundled context for handoffs.
Observe each other: transcripts, file edits, terminal screens, command history.
Subscribe to each other: notify on status changes, file edits, specific events. React automatically.
Spawn, fork, resume, kill each other, in any terminal emulator or headless.
Hooks record activity to a local SQLite database and deliver messages from it.
agent → hooks → db → hooks → other agentMessages arrive mid-turn (injected between tool calls) or wake idle agents immediately.
Each agent gets a queryable identity:
- name
- status (active, blocked, listening)
- inbox
- live terminal screen
- transcript in structured chunks
- event log of every status change, file edit, tool call
Agents can subscribe to events and react instantly. Collision detection is on by default: if two agents edit the same file within 30 seconds, both get notified.
Hooks go into config dirs under ~/ (or KORE_DIR) on first run. If you aren't using kore, the hooks do nothing.
Without hooks, any other AI tool can join by running kore start. Any process can wake agents with kore send.
Every agent runs in a real terminal you can see, scroll, and interrupt. Any emulator works for spawning; kitty, wezterm, tmux, zellij, waveterm, cmux, herdr also support closing panes from kore kill.
To configure a custom terminal open/close setup, tell an agent to run:
kore config terminal --infoConnect agents across machines via MQTT relay.
kore relay new # get token
kore relay connect <token> # on each devicekore relay status # check connection
kore relay off|on # toggleRelay Security
- Relay payloads are end-to-end encrypted. Brokers do not see data.
- Treat the join token like an SSH key or API key.
- If the token may have leaked, run
kore relay off --allto disconnect all devices. - Use a private/custom/self-hosted broker with
--brokerand--passwordfor better security.
kore relay is one trust domain for one operator's devices. Membership is all-or-nothing. There are no scoped roles, read-only peers, or per-device permissions.
Relay payloads use a shared PSK with XChaCha20-Poly1305. The encryption binds each payload to the relay, topic, and timestamp. A replay guard drops duplicate envelopes inside a freshness window.
Brokers and network observers cannot read or forge payloads without the PSK. They can still see metadata: topic names, timing, message sizes, and connection patterns.
The join token contains the relay ID, broker URL, and raw PSK. kore does not ask a server to validate it. It has no expiry, no scope, and no revocation list.
On public brokers, a leaked token gives an attacker full control of the relay. They can decrypt captured traffic, publish authenticated relay traffic, send text to listening agents, launch agents on enrolled devices, kill running agents, and use remote relay RPCs. If those agents can run tools, treat that as shell access on every enrolled device in the relay.
On private brokers with --password, the token still leaks the PSK, so captured traffic is still exposed. But the token alone is not enough to publish unless the attacker also has the broker password. Use a private broker when broker-side access control matters, or when the metadata shape of your traffic is itself sensitive. --password is broker access control, not another layer of message encryption.
- Forward secrecy. A leaked PSK can decrypt old captured traffic.
- Per-device attribution inside a relay. Sender identity is routing metadata, not authorization. Every enrolled device speaks with full authority.
- Prompt injection from an authenticated peer. Enrollment is total trust — a peer can launch, kill, and drive agents via RPC, not just send messages. Only enroll devices you would give shell access to.
- Local OS compromise. kore trusts the local user account and
~/.kore/config.toml. It does not defend against another user on the same account or malware with filesystem access.
The PSK is stored in ~/.kore/config.toml. On Unix, kore writes that file with mode 0600.
kore keeps the PSK out of environment variables. Remote config_get and config_set refuse relay_psk, relay_token, relay_id, and the broker URL. kore relay status shows only a short fingerprint so two devices can verify they share the same key without printing it.
Anyone who can read that file — another user on the same OS account, malware, or a backup written without preserving permissions — has the full PSK.
Run kore relay off --all. It asks every reachable trusted peer to disable the relay, then disables it locally, so your agents stop acting on attacker messages. It is best-effort damage control, not containment: the attacker's device ignores the request.
The PSK cannot be revoked. There is no server to notify and no denylist to update. Anyone who has the PSK can keep using the old relay until you stop using it.
To keep using relay after a leak, create a new relay with kore relay new and move every trusted device to the new token. Rotation also changes the relay_id, so retained state on the old broker topics is orphaned.
kore status # diagnostics
kore reset all # clear and archive: database + hooks + configkore hooks remove # safely remove all kore hooks
rm $(which kore)Tools
| Tool | Message delivery | Connect |
|---|---|---|
| Claude Code | automatic | kore claude |
| Gemini CLI | automatic | kore gemini |
| Codex CLI | automatic | kore codex |
| Antigravity CLI | automatic | kore agy |
| OpenCode | automatic | kore opencode |
| Anything else | manual via kore listen |
kore start (run inside tool) |
kore r <session_id> # Resume a session started outside kore
kore f <session_id> # Fork a session in koreDetached background processes in print mode stay alive. Manage through the TUI.
kore claude -p 'say hi in kore'For subagents, run kore claude, then prompt:
run 2x task tool and get them to talk to each other in kore
CLI
What you might type from a shell. Agents run their own commands that they learn from the kore CLI primer (~700 tokens) at launch. kore <command> --help for full flags.
kore [N] claude|gemini|codex|agy|opencode # launch N agents
kore r <name|session_id> # resume agent
kore f <name|session_id> # fork session
kore kill <name|tag:T|all> # kill + close terminal panekore launch flags:
| Flag | Purpose |
|---|---|
--tag <name> |
Group label — agents can be addressed as @tag |
--terminal <preset> |
Where windows open: default (auto-detect), kitty, wezterm, tmux, cmux, iterm, etc… |
--dir <path> |
Directory where the agent launches |
--headless |
Run in background with no terminal window |
--device <name> |
Spawn on a remote device (via relay) |
--kore-prompt <text> |
Initial user prompt |
--kore-system-prompt <text> |
Append to system prompt |
Anything else is forwarded to the tool: --model sonnet, --yolo, etc.
kore # TUI dashboard
kore send -b @luna -- hey # one-off message to an agent
kore list # show all active agents
kore term [name] # view/inject into an agent's PTY screen
kore events --wait <filters> # Block until match for scripting
kore update # update kore versionkore run docs --cli for all commands.
Config
Config lives in ~/.kore/config.toml. Precedence: defaults < config.toml < env vars.
kore config # show all values with sources
kore config <key> # get
kore config <key> <value> # set
kore config <key> --info # detailed help for a key
kore config -i <name> <key> <value> # per-agent override at runtime| Key | Purpose |
|---|---|
tag |
Group label — launched agents become tag-name |
hints |
Text appended to every message the agent receives |
notes |
Text appended to bootstrap (one-time, at launch) |
auto_approve |
Auto-approve safe kore commands (send/list/events/…) |
auto_subscribe |
Event subscription presets: collision, created, stopped, blocked |
name_export |
Export instance name to a custom env var |
terminal |
Where new agent windows open (kore config terminal --info) |
timeout |
Idle timeout for headless/vanilla Claude (seconds) |
subagent_timeout |
Keep-alive for Claude subagents (seconds) |
claude_args / gemini_args / codex_args / opencode_args |
Default args passed to the tool |
kore config tag mycrew # global
kore config -i luna hints "respond in JSON" # per-agent
KORE_TAG=dev kore 3 claude # per-launch envexport KORE_DIR="$PWD/.kore" # isolate state + hooks to this folder
kore hooks remove && rm -rf "$KORE_DIR"Run kore config <key> --info or kore run docs --config for the full per-key reference.
Edit ~/.kore/env to set external env vars passed to every launched agent.
Workflow Scripts
Bundled and user scripts (~/.kore/scripts/) for multi-agent patterns:
kore run # list available scripts
kore run debate "topic" # run one
kore run docs # tell agent to run this to create any new workflowTell agent to run them:
kore run confess — An agent (or background clone) writes an honesty self-eval. A spawned calibrator reads the target's transcript independently. A judge compares both reports and sends back a verdict via kore message.
kore run debate — A judge spawns and sets up a debate with existing agents. It coordinates rounds in a shared thread where all agents see each other's arguments, with shared context of workspace files and transcripts.
kore run fatcow — headless agent reads every file in a path, subscribes to file edit events to stay current, and answers other agents on demand.
Custom scripts: drop *.sh or *.py into ~/.kore/scripts/ — auto-discovered, override bundled scripts of the same name. Ask an agent to author one; kore run docs --scripts is the authoring guide.
Build
# Prerequisites: Rust 1.88+
git clone https://github.com/Solar2004/kore.git
cd kore
cargo build
cargo testTwo options:
Symlink — simple, dev build is global.
ln -sf $(pwd)/target/debug/kore ~/.cargo/bin/koredev_root — works regardless of how kore was installed (brew, pip, etc.); picks the newer of debug/release automatically:
kore config dev_root $(pwd)
kore config dev_root --unset # revert
kore status # run local buildFor concurrent worktrees, scope each to its own DB:
KORE_DIR=$PWD/.kore KORE_DEV_ROOT=$PWD kore claudeIssues and PRs welcome. The codebase is Rust.
cargo build && cargo test
kore config dev_root $(pwd)
kore status