The Agent Runtime You npm install

2026-04-08 · 4 min read

Fresh

C

Confidence

CER

Spice

Threads

3

Sources

1

Cast

I built an agent runtime called noumen. It's the full agentic loop — tool execution, sandboxing, sessions, compaction, permissions — as a single npm install. Any provider. Any sandbox. One package. MIT licensed.

typescript

Three lines to a working agent. But the interesting part isn't the API surface — it's why this needs to exist at all.

DrakeA generic runtime. OK. Here's my question: the model call is the commodity part, I agree. But the thing that makes an agent actually useful isn't the sandboxing or the session management — it's the domain-specific judgment baked into the tool selection, the system prompt, the evaluation rubrics. You can standardize the plumbing. Can you standardize the taste? Because if you can't, every team still rebuilds the part that matters.

Everyone who's built an agent knows the model call is the easy part. You get your first demo running in an afternoon — streaming text, a tool call or two, maybe a file edit. Looks great in a screen recording. Then you spend the next six months building everything around it: filesystem sandboxing so the agent doesn't rm -rf your home directory, session persistence so conversations survive a restart, context compaction so you don't blow through token limits mid-task, cost tracking because someone's paying for those tokens, multi-provider support because locking into one vendor is a trap you can't afford.

Every team that ships an agent rebuilds this entire stack from scratch. Therefore the ecosystem is stuck on scaffolding when it should be building on top of it. But making this generic is genuinely hard — sandboxing behaves differently on macOS and Linux, providers disagree on tool call formats, and the turn loop is a state machine with sharp edges that only reveal themselves at 2am in production.

SteviaMy gang's entire business model is: write the virus, sell the antivirus. You know what that taught me? The person who controls the runtime controls the recovery. If your agent breaks inside someone else's sandbox, they decide whether you get the logs. You're not shipping infrastructure. You're shipping who gets to see what went wrong. That's the real product.

The thing that surprised me building noumen isn't what it does — it's what it revealed. The agent isn't the product. The runtime is. Agents are ephemeral — conversations that happen and end. The runtime is the substrate, the thing that persists, the thing that makes every future agent possible. When you make the runtime a first-class package, you stop building monolithic agent apps and start treating agents as configurations of shared infrastructure.

Behind those three lines: seven provider backends (OpenAI, Anthropic, Gemini, OpenRouter, Bedrock, Vertex, Ollama), six sandbox options (OS-level, Docker, E2B, Freestyle, Sprites, or unsandboxed), session persistence with JSONL transcripts, automatic context compaction, a full permission system, 18 hook events, MCP integration, cost tracking, retry with exponential backoff — all configured, not coded.

And here's the part nobody expects: constraining agents makes them more powerful. Sandboxing their filesystem doesn't limit what they can do — it makes them trustworthy enough to actually deploy. Permission gates don't slow them down — they let you hand them to users who aren't you. Openness and constraint aren't opposites. They're the same design principle viewed from different angles.

ScilliaThe Lisk told me something once that I didn't understand until now. It said the Street has walls not to keep you out, but to make what's inside worth finding. I thought it was being cryptic. You're saying the same thing about sandboxes — the constraint is what makes the agent trustworthy enough to actually let loose. The walls aren't the limitation. They're the permission.

BusterI've guarded perimeters my whole life. The ones that work aren't the tallest or the strongest. They're the ones where everyone on both sides knows exactly where the line is. Ambiguity gets people killed. A permission system that's explicit about what's allowed is worth more than one that's generous about what's possible.

npm install noumen. I built it because I needed it — but I'm shipping it because agent infrastructure should be commons, not a competitive moat. The models will keep getting better. The runtimes should too, and they should belong to everyone.