// the find
langchain-ai/open-swe
An Open-Source Asynchronous Coding Agent
Open SWE is a self-hostable coding agent framework built on LangGraph, designed for teams that want their own internal Devin/Cursor Agent — triggered from Slack, Linear, or GitHub PR comments, running in isolated cloud sandboxes, and auto-opening PRs. It's positioned as the open-source version of what Stripe, Ramp, and Coinbase built internally, with pluggable sandbox backends and a middleware architecture around the agent loop.
- Middleware architecture is the right call: deterministic hooks (message queue injection, step-limit notification, sandbox circuit breaking) run outside the agent loop rather than being prompt-instructed, which means they actually execute reliably.
- AGENTS.md convention for per-repo context encoding is a clean primitive — org conventions and test requirements live in the repo, not in a central config that drifts out of sync.
- Sandbox pluggability (Modal, Daytona, Runloop, LangSmith, local) is real, not just a checkbox — each has its own integration file and the abstraction is thin enough to actually swap.
- Test coverage is unusually thorough for a project this young: 80+ test files including middleware, auth flows, tool behavior, and reviewer evals with golden outputs against real OSS repos.
- Validation is entirely prompt-driven — 'the agent is instructed to run linters and tests before committing.' Their own comparison table shows competitors have 3-layer deterministic validation. Trusting the LLM to remember to run pytest and interpret the output correctly is not a safety net.
- LangSmith is a hidden hard dependency: GitHub operations in the sandbox go through a LangSmith-backed GH proxy (GH_TOKEN=dummy gh ...). You cannot run this without LangSmith even if you have no interest in tracing, which contradicts the pluggable framing.
- Deep Agents is another young LangChain project sitting underneath this one — the README sells the composition as an 'upgrade path,' but it's also a second moving target. If Deep Agents changes its agent loop API or gets abandoned, Open SWE inherits that instability.
- The observability tool security model (Datadog/LangSmith tools loaded per-run for authorized users only) is reasoned about honestly in the README, but the residual risk isn't small: the agent has network egress, tools operate with LLM-chosen inputs, and credentials are encrypted but still present in the server process. The README's own warning about prompt injection via observability data is worth taking seriously before pointing this at production repos.