Keystone

Teach your repo how to run itself

2026-03-25

Product Introduction

  1. Definition: Keystone is an open-source, agentic infrastructure-as-code (IaC) automation tool designed to self-configure standardized development environments. Specifically, it functions as an autonomous agent that analyzes any git repository to generate a fully functional .devcontainer configuration, including a Dockerfile, devcontainer.json, and a verified test runner script.

  2. Core Value Proposition: Keystone exists to eliminate the "time-to-run" friction inherent in modern software development. By leveraging large language models (LLMs) and sandboxed execution environments, it automates the complex task of dependency mapping and environment provisioning. It allows developers to move from a raw repository to a reproducible, containerized development environment—compatible with VS Code and GitHub Codespaces—without manual configuration.

Main Features

  1. Automated Devcontainer Specification Generation: Keystone performs a deep architectural analysis of a source project to produce three critical artifacts: a Dockerfile (defining the OS and system dependencies), a devcontainer.json (configuring editor settings and extensions), and a run_all_tests.sh script. This triad ensures that the environment is not only built but is also capable of executing the project’s specific test suite.

  2. Sandboxed Agent Execution via Modal: Unlike standard coding agents that run directly on a host machine, Keystone utilizes a managed Modal sandbox. This architecture provides a secure, isolated layer where Claude Code or other agents can execute shell commands, install packages, and build Docker images. This prevents the agent from making potentially destructive changes to the user's local kernel settings or Docker configuration.

  3. Multi-LLM Provider Integration: The tool is built with a flexible backend supporting various state-of-the-art LLMs. It natively integrates with Anthropic’s Claude (e.g., Claude 3.5 Sonnet/Opus via Claude Code), OpenAI’s Codex, and the OpenCode provider. This allows users to select models based on budget, reasoning capabilities, or specific language performance.

  4. Iterative Test-Driven Configuration: Keystone does not simply "guess" the configuration; it employs a loop of execution and verification. It attempts to build the container and run the project's automated tests within the sandbox. If tests fail, the agent iterates on the Dockerfile or environment variables until a passing state is achieved, ensuring the resulting devcontainer is production-ready.

Problems Solved

  1. Environmental Inconsistency: It eliminates the "it works on my machine" problem by forcing a standardized, container-native definition of the development stack. This is essential for teams using disparate hardware (e.g., Intel vs. Apple Silicon) or different operating systems.

  2. Security Risks of Autonomous Agents: Coding agents like Claude Code often require high-level system permissions to be effective. Keystone solves the security dilemma by restricting the agent’s actions to a short-lived, ephemeral Modal environment, protecting the host's sensitive data and system integrity.

  3. Manual Dependency Hell: For polyglot projects or legacy codebases (FastAPI, TensorFlow, Rust, Elixir, Flutter), identifying the exact versions of system libraries and runtimes required can take hours. Keystone automates this discovery process using LLM-driven heuristics.

  4. Target Audience: The tool is designed for DevOps Engineers seeking to standardize CI/CD environments, Open Source Maintainers who want to lower the barrier for contributors, and Software Architects implementing AI-assisted development workflows.

  5. Use Cases: Rapid onboarding of new developers to complex legacy repos, creating reproducible bug-report environments, and providing a safe execution layer for autonomous coding agents used in automated PR reviews.

Unique Advantages

  1. Verification-Led Generation: Unlike static template generators, Keystone validates its output. The inclusion of a "passing test runner" means the generated environment is guaranteed to support the application's runtime requirements.

  2. Agentic Safety via Virtualization: While competitors often run agents locally, Keystone's "agent-in-a-box" approach via Modal is a significant safety innovation. It allows the agent to act as a "sysadmin" (clearing caches, modifying configs) without any risk to the user's actual workstation.

  3. Ecosystem Compatibility: The output follows the open Development Container Specification. This means Keystone-generated environments are immediately portable across VS Code, GitHub Codespaces, DevPod, and other industry-standard tools.

Frequently Asked Questions (FAQ)

  1. How do I install Keystone and what are the prerequisites? Keystone can be installed from PyPI with pip install imbue-keystone, or run without installation using uvx imbue-keystone. The primary requirements are a Modal account for sandboxing and an Anthropic API key (supplied through the $ANTHROPIC_API_KEY environment variable) to power the underlying reasoning agent.

  2. Is Keystone compatible with non-Python languages? Yes. Although written in Python, Keystone is language-agnostic. It successfully self-configures environments for Rust, Elixir, Flutter, TensorFlow, and more by analyzing the project structure (e.g., Cargo.toml, mix.exs, or pubspec.yaml) to determine the necessary system-level dependencies.

  3. How does Keystone handle agent costs and budgets? Keystone includes a --max_budget_usd flag (defaulting to $1.00). This allows users to set a strict financial ceiling on LLM inference costs per repository. Additionally, it utilizes a logging database (SQLite or PostgreSQL) to cache results, preventing redundant costs for previously analyzed repositories.

  4. Can I use Keystone for private enterprise repositories? Keystone is open-source (MIT License) and can be used on private repos. It clones the repository into a private Modal sandbox, so the source code is processed within your controlled Modal environment and by the LLM provider's API, and is subject to the data handling and privacy policies of each.
