CoWork-OS

Deploys a single AI agent across WhatsApp, Telegram, Discord, Slack, and iMessage through a unified message routing layer that normalizes incoming messages into a common schema, routes them through the agent pipeline, and formats responses back to each platform's native API format. Uses adapter pattern with platform-specific SDK integrations (Twilio for WhatsApp, Telegram Bot API, Discord.js, Slack Bolt, iMessage via native macOS APIs) that translate between platform message formats and internal message objects.

Abstracts Claude, GPT, Gemini, and Ollama behind a unified provider interface that accepts model-agnostic prompts and routes them to the appropriate provider's API with format translation. Handles provider-specific differences in API contracts (message format, parameter names, response structure) through a provider registry pattern, allowing agents to switch models or providers without changing prompt logic. Supports streaming and non-streaming responses with unified callback handling.

Provides agents with access to native macOS system capabilities through Electron bridge: file system access (read/write files), clipboard operations (read/write), system notifications, and native dialogs. Implements sandboxed access where agents declare required system permissions upfront, and runtime validates each system call against declared permissions. Uses Electron IPC (Inter-Process Communication) to safely bridge agent process and native APIs.

Captures all agent actions, tool calls, capability requests, and security decisions as structured audit logs with timestamps, user IDs, agent IDs, and outcomes. Stores logs in queryable format (JSON, database) with configurable retention policies. Generates compliance reports (who did what, when, why) for security investigations and regulatory audits. Supports log export in standard formats (CSV, JSON) for external analysis.

Enforces security through capability-based access control where agents declare required permissions (file access, network calls, tool execution) upfront, and the runtime validates each agent action against declared capabilities before execution. Implements guardrails that intercept agent outputs and tool calls, applying content filtering, prompt injection detection, and rate limiting. Uses a policy engine to define allowed actions per agent, with audit logging of all capability requests and denials.

Enables fully self-hosted deployment where CoWork-OS runs on user infrastructure (macOS desktop, Linux server, or Docker container) without requiring cloud services for core agent execution. Supports local LLM inference via Ollama integration, local message storage, and optional cloud provider integration (Claude, GPT) only when explicitly configured. Uses Electron for desktop deployment on macOS with native system integrations (iMessage, file system access), and Docker for server deployments.

Implements MCP as both server (exposing agent capabilities as MCP resources and tools) and client (consuming MCP servers from other systems). Agents can declare tools and resources following MCP specification, allowing external systems to discover and invoke agent capabilities through standardized MCP protocol. Supports MCP server spawning, lifecycle management, and bidirectional communication with proper error handling and timeout management.

Manages multi-turn conversation history with automatic context window optimization that summarizes or truncates old messages to fit within LLM token limits while preserving conversation semantics. Stores conversation state locally (or in configured database) with per-user and per-channel isolation. Implements sliding window strategy where recent messages are kept verbatim, older messages are summarized, and very old messages are archived, with configurable retention policies.

Defines agents through declarative configuration files (YAML/JSON) specifying agent name, system prompt, available tools, capability requirements, provider preferences, and channel assignments. Orchestrates agent lifecycle (initialization, message routing, tool execution) based on configuration without requiring code changes. Supports agent composition where one agent can delegate to other agents based on task routing rules defined in configuration.

Implements tool calling through a schema-based function registry where tools are defined as JSON schemas with implementation functions. Translates tool schemas to provider-native formats (OpenAI function calling, Anthropic tool_use, Gemini function calling, Ollama tool calling) and handles tool execution with automatic parameter validation and error handling. Supports both synchronous and asynchronous tool implementations with timeout management.

Applies content filtering and prompt injection detection to both user inputs and agent outputs through configurable rule sets. Uses pattern matching, keyword detection, and heuristic analysis to identify potential injection attempts (e.g., 'ignore previous instructions', 'system prompt override'). Filters outputs for prohibited content (profanity, PII, sensitive data) based on configurable word lists and regex patterns. Supports custom filter implementations for domain-specific requirements.

Enforces rate limits and quotas at multiple levels: per-agent (total requests), per-user (requests per user), and per-channel (requests per channel). Implements token bucket algorithm for smooth rate limiting with configurable burst allowances. Tracks usage across time windows (per minute, per hour, per day) and enforces hard limits with graceful degradation (queuing, rejection, or fallback). Integrates with LLM provider quotas to prevent exceeding provider limits.