AnyWareCode

ANYWARECODE — SHIPPING MANIFEST

LEDGER Nº 001 — SHIPPING MANIFEST

Ship code from Discord. Signed*

One AI engineer, shared by the whole server. Type /code in any channel — it works alone in a sealed container and comes back with a pull request.

* every PR carries a named human sponsor and a provenance receipt.

BYO LLM key · isolated containers · never pushes to main

ANYWARECODE — PROVENANCE RECEIPT

TASK: #a1f3 — fix flaky retry test
SPONSOR: @mara · maintainer
APPROVED: plan v2 · 14:02 UTC
STEERED BY: @theo, @lin (thread)
CHECKS: typecheck ✓ · tests 42/42 ✓
BRANCH: anywarecode/a1f3

PR #128 OPENED — awaiting human merge

Human-sponsored
  • /code: Spawn a thread, work the task, open a PR
  • /ask: Repo-aware Q&A, read-only
  • /connect github: Link your GitHub repos
  • /connect llm: Bring your own LLM key
  • /setup: Connection status + usage
  • /repo set: Pick the active repo for a channel
  • /status: Running and queued tasks
  • /config role: Choose who may invoke the agent

¶ THE PREMISE

01 / Entries

What gets logged

Four entries carry the story. The annexes carry the rest.

01

Ship: /code → a reviewed pull request

Type a task in any channel. A thread opens, an isolated container does the work, and a PR lands with Merge / Iterate buttons. Your default branch is never touched.

02

Answer: /ask — repo-aware, read-only

Questions grounded in the connected repo, answered in the channel. Unlimited on every plan, because it never writes a thing.

03

Steer: the whole room pair-programs

Any reply in the thread forwards straight into the live run as a new turn. @mention the bot anywhere and it routes itself — a reply, an /ask, a /code run, or a proposal with Run buttons.

04

Guard: slop filtered before it costs a minute

Repro Gate verifies inbound bug reports in the sandbox before a human reads them. Quarantine strips hidden instructions from issues. Every PR carries its provenance receipt.

ANNEX — ALSO IN THE LEDGER

BYO LLM: Anthropic key, Claude Pro/Max token, or compatible endpoint — encrypted per server

Squad Mode: N parallel attempts in separate sandboxes, the server votes

MCP extensions: your Sentry, database, or tracker — role-gated per connection

Provenance receipts: sponsor, approver, steerers, evidence — on every PR

Hardened runtime: non-root containers, cap-drop ALL, allowlisted egress

Server Memory: conventions accumulate; /memory commit flows them into AGENTS.md

04 ENTRIES · 06 ANNEXES — NOTHING OFF THE BOOKS

¶ THE WALKTHROUGH

02 / Custody

Chain of custody

From prompt to pull request in four hand-offs — each one visible in the thread, none of them touching your default branch.

01

Add to Discord

Invite the bot with one click. It registers its slash commands automatically on boot.

Add to Discord →

02

Connect repo + key

Link a GitHub repo and bring your own LLM credential. Both are scoped per server.

/connect github
/connect llm

03

Type /code

Describe the change in any channel. A thread opens and the agent streams its progress live.

/code add dark-mode toggle to settings

04

Review the PR · Merge

It pushes a branch and opens a pull request. Merge, or hit Iterate to keep going — never touches main.

✓ PR #128 opened

¶ THE OBJECTION

03 / Threat model

Assume hostile input

Repo content, inbound issues, and chat history are all untrusted by default. The sandbox is the trust boundary — not the model's judgment.

01

Repo content is untrusted

Injection defense is in the system prompt — instructions embedded in repo files are ignored.

02

Credentials never leak

Tokens travel over stdin and are stripped from every error path before text reaches Discord.

03

AES-256-GCM at rest

Keys are encrypted per server; one guild's blob can't decrypt for another.

04

Isolated execution

Non-root, every Linux capability dropped, CPU/mem/PID caps, removed on exit.

05

Never pushes to main

All git lands on anywarecode/<taskId>. A human merges, or nothing does.

06

You control access

Admins only by default; grant exactly one role with /config role.

In production the container can reach exactly two hosts: Anthropic and GitHub.
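
One way to get the property claimed in item 03 (one guild's blob can't decrypt for another), shown as an added example that is not AnyWareCode's own code: derive a per-guild key with HKDF and bind the guild ID as AES-256-GCM associated data. The master key, guild IDs, HKDF info label and blob layout are constructed assumptions.

```javascript
// Added example: per-guild AES-256-GCM envelope. Names and blob layout are
// assumptions for illustration, not AnyWareCode's actual storage format.
const { createCipheriv, createDecipheriv, hkdfSync, randomBytes } = require("node:crypto");

// Constructed master secret; a real deployment loads 32 random bytes from a KMS or env.
const MASTER_KEY = Buffer.alloc(32, 7);

// Derive a distinct 256-bit key per guild from the master key (HKDF-SHA256).
function guildKey(masterKey, guildId) {
  return Buffer.from(hkdfSync("sha256", masterKey, Buffer.alloc(0), `llm-key:${guildId}`, 32));
}

// Blob layout (assumed): 12-byte nonce || 16-byte tag || ciphertext, base64-encoded.
function sealForGuild(masterKey, guildId, secret) {
  const nonce = randomBytes(12); // fresh nonce per encryption; never reuse under one key
  const cipher = createCipheriv("aes-256-gcm", guildKey(masterKey, guildId), nonce);
  cipher.setAAD(Buffer.from(guildId)); // guild ID is covered by the authentication tag
  const ct = Buffer.concat([cipher.update(secret, "utf8"), cipher.final()]);
  return Buffer.concat([nonce, cipher.getAuthTag(), ct]).toString("base64");
}

// Returns the plaintext, or null when the tag does not verify (wrong guild, tampering).
function openForGuild(masterKey, guildId, blob) {
  const raw = Buffer.from(blob, "base64");
  if (raw.length < 28) return null; // too short to hold nonce + tag
  const key = guildKey(masterKey, guildId);
  const decipher = createDecipheriv("aes-256-gcm", key, raw.subarray(0, 12));
  decipher.setAAD(Buffer.from(guildId));
  decipher.setAuthTag(raw.subarray(12, 28));
  try {
    return Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]).toString("utf8");
  } catch {
    return null; // authentication failed: never hand back unauthenticated plaintext
  }
}

const GUILD_A = "111111111111111111"; // constructed guild IDs
const GUILD_B = "222222222222222222";
const blobA = sealForGuild(MASTER_KEY, GUILD_A, "constructed-llm-credential");
console.log("guild A opens its own blob:", openForGuild(MASTER_KEY, GUILD_A, blobA) !== null);
console.log("guild B opens guild A's blob:", openForGuild(MASTER_KEY, GUILD_B, blobA) !== null);
```

A blob copied into another guild's row fails twice over: the derived key differs and the associated data no longer matches, so `decipher.final()` rejects the tag.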

Designed after Comment & Control

04 / Receipts

Per server, not per seat

One subscription, the whole server — no per-seat math. Every plan ships every feature; the only meter is monthly /code. You bring your own AI — we never bill for it.

PLAN / Free

$0/mo

A real plan, not a demo. Connect your own AI and go.

  • 15 code tasks / mo
  • Unlimited /ask
  • Every feature included
  • Bring your own AI

PLAN / Pro

$19 / ₹1600/mo

One shared engineer for the whole server — no per-seat math.

  • 150 code tasks / mo · 2 concurrent
  • Unlimited /ask
  • Every feature included
  • Job packs to top up anytime
Recommended

PLAN / Studio

$49 / ₹4100/mo

For studios living in voice channels and shipping daily.

  • 600 code tasks / mo · 5 concurrent
  • Unlimited /ask
  • Every feature included
  • Voice → PR, Squad, Spectate

PLAN / OSS Community

$0/mo

For verified public open-source servers. Your runs are the demo.

  • 40 code tasks / mo
  • Unlimited /ask
  • Every feature included
  • Apply with /oss apply

STUB / Job Pack $8 / ₹700

50 extra code tasks for the server, buyable by ANY member — Discord-boost style, with public credit. Never expires while subscribed.

05 / Queries

Asked & answered

Q01 · Do you store my code?

No. Each task clones into an ephemeral container that's removed when it exits. We keep only task history and usage counters — removing the bot deletes your server's data.

Q02 · Whose LLM key is used?

Yours, always. We don't supply AI or bill for it. Every server connects its own credential — an Anthropic API key, a Claude Pro/Max token, or any compatible endpoint — encrypted per server. The Free plan is the trial: connect your key and go.

Q03 · Can it push to my main branch?

Never. All git lands on anywarecode/<taskId> and arrives as a pull request. Nothing merges without a human.

Q04 · What about prompt injection from repos and issues?

Everything external is untrusted: quarantine strips hidden instructions from inbound issues, verification runs hold read-only tokens, and the container is sealed. Designed after the Comment and Control disclosures, not before them.

Q05 · Who in my server can invoke it?

Admins only by default. Grant exactly one role with /config role. @everyone and @here never trigger it.

Q06 · Isn't this just more AI slop for maintainers?

The opposite, by construction: every run has a named human sponsor, every PR carries a provenance receipt, and Repro Gate filters bug reports before they cost a human minute.

06 / SIGN-OFF

Signed. Sealed. Shipped.

Install the bot, connect a repo, type /code. Free to start — your key, your rules, every feature included.

AUTHORIZED SIGNATURE — YOUR SERVER