SuperHQ

Product Introduction

1. Definition: SuperHQ is an advanced orchestration platform and secure execution environment designed specifically for AI coding agents. It functions as a local development sandbox that utilizes lightweight microVM (Virtual Machine) technology to isolate agents like Claude Code, OpenAI Codex, and Pi from the host operating system, providing a robust Linux runtime for autonomous code generation and execution.

2. Core Value Proposition: SuperHQ addresses the critical security and stability risks associated with running autonomous AI agents on local machines. By providing a managed, isolated environment, it allows developers to harness the power of agentic AI without exposing their local file systems, environment variables, or sensitive API keys to potential hallucinations or destructive commands. It bridges the gap between AI autonomy and developer control through a structured review-and-apply workflow.

Main Features

1. Isolated MicroVM Architecture: Every agent workspace runs within its own dedicated Debian-based microVM. This provides a full Linux userland equipped with standard package managers such as apt, npm, and pip. This architecture ensures that any dependencies installed or system changes made by the AI agent—including potentially "breaking" changes—remain confined within the sandbox, leaving the host machine's configuration untouched.

2. Live Workspace Mounting with Overlay Filesystem: User projects are mounted into the sandbox at the /workspace directory. SuperHQ utilizes an overlay filesystem approach where agent-generated changes are stored in a temporary layer. These modifications do not touch the local source files until the developer explicitly approves them through the integrated review panel, preventing unintended code overwrites.

3. Unified Diff Review & Approval System: The platform features a comprehensive review interface that displays a unified diff of all modifications proposed by the AI agent. This allows for granular control over the codebase, enabling developers to keep successful iterations, discard faulty logic, and verify security before any write operations are committed to the host storage.

4. Secure Auth Gateway: A primary security feature of SuperHQ is its specialized authentication gateway. This layer manages API credentials for services like OpenAI and Anthropic externally. By proxying requests, SuperHQ ensures that the AI coding agent operating inside the microVM never has direct access to the user's raw API keys, significantly reducing the risk of credential leakage.

5. State Management: Checkpoint and Rewind: SuperHQ allows users to capture the full state of a microVM at any point. These checkpoints can be resumed in seconds or "forked" to test different architectural approaches or branch-specific tasks. This provides a "git-like" experience for the entire operating environment, not just the source code.

6. Opt-in Port Forwarding: To facilitate the development of web applications and APIs, SuperHQ includes a managed port forwarding system. Developers can selectively expose ports (e.g., a React dev server or a database) from the sandbox to the host machine, allowing for real-time testing while maintaining strict network isolation.

Problems Solved

1. Security Risks of Autonomous Agents: Running AI agents directly on a terminal poses the risk of the agent executing rm -rf / or other destructive system commands. SuperHQ mitigates this "untrusted code" risk by containing all execution within a virtualized sandbox.

2. Dependency Hell and Environment Pollution: AI agents often need to install specific libraries or runtimes to test their code. SuperHQ prevents these installations from cluttering the developer's local machine or causing version conflicts with existing global packages.

3. API Key Exposure: Agents often require access to the internet to function. If an agent is compromised or behaves unexpectedly, hardcoded environment variables containing API keys could be exfiltrated. SuperHQ’s gateway prevents the agent from ever "seeing" the secret keys.

4. Target Audience:

• Software Engineers: Using AI to accelerate feature development and refactoring.
• DevOps/SREs: Testing infrastructure-as-code scripts in a safe, reproducible environment.
• AI Researchers: Benchmarking different coding agents (Claude Code vs. Codex) in a standardized Linux environment.
• Open Source Maintainers: Safely reviewing and testing PRs generated by AI agents.

5. Use Cases:

• Automated Refactoring: Tasking Claude Code to update a legacy codebase to modern standards within a safe container.
• Safe Prototyping: Allowing an agent to install various database drivers and frameworks to build a Proof of Concept without affecting the host OS.
• Isolated Testing: Running agent-generated test suites that require specific system-level configurations.

Unique Advantages

1. Local Performance with Cloud-Level Security: Unlike cloud-based IDE sandboxes that suffer from latency, SuperHQ runs locally via a high-performance GPUI-based application (the same framework powering the Zed editor), providing near-instant response times while maintaining strict microVM isolation.

2. Keyboard-First Productivity: The interface is built for power users, featuring extensive Cmd/Ctrl-based shortcuts for workspace switching, tab management, and review toggling, minimizing the need for mouse interaction.

3. Agent Agnostic Flexibility: While optimized for Claude Code and Codex, SuperHQ is designed as a general-purpose orchestrator. Users can bring their own agents or even use ChatGPT subscriptions via the Codex/Pi integrations, making it a versatile hub for the evolving AI agent ecosystem.

4. AGPL-3.0 Open Source Transparency: By being open-source, SuperHQ allows for community auditing of its security protocols and the underlying shuru sandbox technology, fostering trust for enterprise and privacy-conscious developers.

Frequently Asked Questions (FAQ)

1. Is SuperHQ compatible with my existing AI API keys? Yes. SuperHQ acts as a secure proxy. You provide your OpenAI or Anthropic API keys to the app's secure gateway, which then manages the communication with the agents inside the microVM without ever exposing the keys to the agent's environment.

2. How does the /workspace mount protect my local files? SuperHQ uses a specialized mount that tracks changes in an overlay. When the agent "saves" a file, it is actually saving to a temporary storage layer. These changes only sync to your physical local files once you click "Approve" in the review panel, ensuring no accidental data loss.

3. Does SuperHQ support languages other than Python and JavaScript? Yes. Since the sandbox is a full Debian Linux environment, you can use apt to install compilers and runtimes for any language, including Rust, Go, C++, and Ruby. The agent has full sudo-like capabilities within its isolated container to set up whatever environment is required.

4. What is the performance overhead of running a microVM? SuperHQ uses lightweight microVM technology designed for rapid startup and low memory overhead. It is significantly faster than traditional virtual machines and provides better isolation than standard Docker containers by running a dedicated kernel for each workspace.