Sofos Code

Sofos Code is a terminal-based AI coding assistant for software projects. It connects Claude or OpenAI models to a secure local toolset for reading code, editing files, running approved commands, searching the web, and working with external tools through Model Context Protocol (MCP).

Sofos is written in Rust, runs in your terminal, and is designed around explicit permissions: workspace access is available by default, while external paths and higher-risk actions require user approval or configuration.

Tested on macOS, Linux, and Windows. On Windows the bash executor runs commands through Git for Windows's sh.exe, located automatically at the standard install path even when the integrated terminal of an IDE does not expose Git on PATH.

Table of contents

• What Sofos does
• Key features
• Installation
  • Requirements
  • Prebuilt binary
  • Install with Cargo
  • Install from source
• Quick start
• Usage
  • Interactive commands
  • Input behaviour
  • One-shot prompts
  • Image vision
• CLI reference
• Models and reasoning effort
• Tools
  • Native tools
  • Safe mode tools
  • MCP tools
• Security model
  • Workspace and external paths
  • Bash command permissions
  • Destructive operations
• Configuration
  • Custom instructions
  • Permissions
  • MCP servers
• Sessions and cost tracking
• Development
  • Project structure
  • Release process
• Troubleshooting
• License
• Acknowledgments
• Links

What Sofos does

Sofos provides an AI assistant inside your terminal with controlled access to your project. It can:

• inspect files and directories;
• search code with ripgrep;
• edit files through exact replacements or Morph Apply;
• create, move, copy, and delete files with permission checks;
• run safe build and test commands;
• fetch documentation and use provider-native web search;
• open local image files or remote image URLs through the view_image tool, and accept clipboard pastes directly;
• update a visible task plan during multi-step work;
• save and resume conversations;
• connect to external tools through Model Context Protocol servers.

The assistant can act through tools, but it does not do so silently: tool calls are shown to the user, dangerous commands are blocked, and operations outside the workspace are gated by independent permission scopes.

Key features

• Terminal UI — inline viewport at the bottom of your terminal; normal terminal scrollback remains available.
• Claude and OpenAI support — one provider abstraction with provider-specific streaming, reasoning, web search, and cache handling.
• Live streaming Markdown — assistant responses render as they arrive, including code blocks, headings, lists, blockquotes, and links.
• Tool loop execution — the model can use tools iteratively, with a hard maximum to prevent infinite loops.
• Safe file editing — targeted edit_file, chunked write_file, visual diffs, atomic writes, and optional Morph Apply.
• Strong permission model — independent Read, Write, and Bash grants for paths outside the workspace.
• Bash safety — allowed, denied, and ask tiers, plus structural checks for parent traversal, redirection, and dangerous git operations.
• Safe mode — read-only native tools for review-only sessions.
• Image vision — view_image tool for local files and remote URLs, plus clipboard paste.
• MCP integration — connect additional tool servers through stdio or streamable HTTP.
• Session persistence — saved conversations, resume picker, restored safe mode, restored model where compatible, and persisted cost counters.
• Cost visibility — token totals, cache hit reporting, and provider-specific price estimates.
• Context compaction — local and provider-supported compaction to keep long sessions usable.

Installation

Requirements

You need at least one provider API key:

• ANTHROPIC_API_KEY for Claude models; or
• OPENAI_API_KEY for OpenAI models.

Optional:

• ripgrep (recommended) for fast code search through the search_code tool;
• MORPH_API_KEY for the morph_edit_file fast edit tool.

Prebuilt binary

Download the latest binary from GitHub Releases.

# macOS / Linux
tar xzf sofos-*.tar.gz
sudo mv sofos /usr/local/bin/

# Windows
# Extract the .zip archive and add the extracted folder to PATH.

On macOS, the first run may be blocked by Gatekeeper. Open System Settings → Privacy & Security and choose Allow Anyway for the Sofos binary.

Install with Cargo

cargo install sofos

Install from source

git clone https://github.com/alexylon/sofos-code.git
cd sofos-code
cargo install --path .

Keep .sofos/ out of version control. It stores sessions, local permissions, and personal settings. AGENTS.md is project-level context and is intended to be version controlled.

Quick start

# Choose one provider.
export ANTHROPIC_API_KEY='your-anthropic-key'
# or
export OPENAI_API_KEY='your-openai-key'

# Optional: enable Morph Apply edits.
export MORPH_API_KEY='your-morph-key'

# Start the interactive assistant.
sofos

Use a different model:

sofos --model gpt-5.5
sofos --model claude-opus-4-7 -e high

Run a single prompt and exit:

sofos -p "Review the error handling in src/error.rs"

Start in read-only native-tool mode:

sofos --safe-mode

Resume a saved session:

sofos --resume

Usage

Interactive commands

Input behaviour

• Enter submits the current message.
• Shift+Enter inserts a newline when the terminal supports it.
• Alt+Enter or Ctrl+Enter can be used as newline fallbacks.
• Ctrl+U deletes from the cursor to the start of the line; Ctrl+W deletes the previous word; Ctrl+K deletes to the end of the line — matching readline / bash / zsh / fish.
• Alt+Up / Alt+Down walk through previously submitted prompts. The in-progress draft is preserved and restored when you walk past the newest entry.
• Typing a leading / opens an inline command suggestion list. Use Up / Down to highlight an entry, Enter to run the highlighted command, Tab to insert it into the input, and Esc (or Ctrl+C) to dismiss the list.
• You can keep typing while the model is working. New messages are queued and processed in order.
• If the model is inside a tool loop, a queued message is delivered at the next tool-result boundary so it can steer the current turn without interrupting it.
• The status line shows the model, mode, reasoning setting, running token totals, and (when present) the cumulative cache-read and cache-creation tokens.

One-shot prompts

One-shot mode sends a prompt, runs the assistant turn, saves the session, prints a summary, and exits.

sofos -p "Find the likely cause of the failing tests"
sofos -p "Create a high-level summary of this crate" --safe-mode

Image vision

Ask about an image by referring to it in your message. The model calls the view_image tool to open the file or URL you mention.

What is wrong in ./screenshots/error.png?
Describe ./docs/architecture-diagram.webp.
Review https://example.com/chart.png
What do you see in the images in ./assets/?

For a folder, the model lists the directory first and then opens each image one by one.

Clipboard paste:

Ctrl+V    # Inserts a numbered marker such as ①.

Supported formats: JPEG, PNG, GIF, and WebP. Local images are capped at 20 MB. Images larger than 2048 pixels on the long side are scaled down proportionally before being sent to the model, so a 4K screenshot does not balloon your token budget. Images outside the workspace require Read permission the first time, just like reading a file.

CLI reference

-p, --prompt <TEXT>          Run one prompt and exit.
-s, --safe-mode              Start with read-only native tools.
-r, --resume                 Resume a previous session.
    --check-connection       Check provider connectivity and exit.
    --api-key <KEY>          Anthropic API key; overrides ANTHROPIC_API_KEY.
    --openai-api-key <KEY>   OpenAI API key; overrides OPENAI_API_KEY.
    --morph-api-key <KEY>    Morph API key; overrides MORPH_API_KEY.
    --model <MODEL>          Model to use. Default: claude-sonnet-4-6.
    --morph-model <MODEL>    Morph model to use. Default: morph-v3-fast.
    --max-tokens <N>         Maximum output tokens per response. Default: 32768.
-e, --reasoning-effort <LV>  off, low, medium, high, xhigh, or max. Default: medium.

--max-tokens must be greater than 16384 when reasoning effort is enabled. The deprecated hidden --thinking-budget flag still parses for backwards compatibility but has no effect and is intentionally omitted from the CLI help.

Models and reasoning effort

Sofos supports seven models, in /model picker order:

--model <name> accepts only the values above; any other slug is refused at startup with the supported list. The same whitelist drives the inline /model picker, so the two surfaces never disagree about which models exist.

Sofos exposes six reasoning levels:

off, low, medium, high, xhigh, max

The active model determines which levels are accepted. Sofos validates the level at startup and when /effort is used, so unsupported combinations fail before reaching the provider API.

Examples:

sofos -e medium                       # Default balance.
sofos -e off                          # Lowest-cost path.
sofos -e high                         # More reasoning for hard tasks.
sofos -e max --model claude-opus-4-7  # Highest Anthropic adaptive level.
sofos -e xhigh --model gpt-5.5        # Highest OpenAI gpt-5 reasoning level.

Support matrix:

Provider mapping:

• OpenAI sends reasoning.effort; off maps to minimal reasoning and suppresses reasoning summaries.
• Claude Opus 4.7 and Sonnet 4.6 use adaptive thinking. The provider chooses the token budget from the effort level.
• Claude Haiku 4.5 uses fixed legacy thinking budgets for low, medium, and high. off disables extended thinking.

Tools

Native tools

Clipboard pastes are not routed through a tool: pressing Ctrl-V in the prompt attaches the image directly to the message.

Safe mode tools

Safe mode is enabled with --safe-mode or /safe. It restricts the native tool set to:

• list_directory;
• read_file;
• glob_files;
• search_code when ripgrep is installed;
• update_plan;
• view_image;
• web_fetch;
• web_search.

MCP tools are filtered out in safe mode by default. To make a particular server's tools available in safe mode, add safe_mode = "read_only" (server is known to expose only read operations) or safe_mode = "allow" (explicit opt-in even when the server may mutate) to its entry in ~/.sofos/config.toml or .sofos/config.local.toml. Sofos lists which servers are filtered out and which are opted in on the startup banner whenever safe mode is on.

MCP tools

Configured MCP servers can add tools dynamically. Sofos prefixes each MCP tool with the server name using a triple underscore separator so distinct (server, tool) pairs cannot collide on the prefixed name:

filesystem___read_file
github___create_issue

Server names and tool names that contain the reserved separator are rejected at startup with a warning. If two servers expose the same tool name, the second registration is skipped so the first one keeps its identifier. Tool listings are cached at startup for the session.

Security model

Sofos is built around explicit access boundaries. The assistant can be useful without receiving unrestricted access to the host system.

Workspace and external paths

• Files inside the current workspace are available by default unless blocked by a deny rule.
• External paths use three independent scopes:
  • Read(path) for reading files and listing directories;
  • Write(path) for writing, editing, creating, moving, copying, and deleting;
  • Bash(path) for bash commands that reference external paths.
• Read access does not imply Write or Bash access.
• Write access does not imply Read or Bash access.
• Tools that both read and write external files, such as edit_file and morph_edit_file, require both Read and Write grants.
• External access can be allowed for the current session or remembered in configuration.

Bash command permissions

Bash commands pass through three layers:

1. Command tier — known safe commands may run automatically; dangerous commands are blocked; unknown commands prompt.
2. Structural checks — parent traversal, file output redirection, here-documents, and dangerous git operations are blocked regardless of command tier.
3. Path checks — commands that reference external absolute or ~/ paths require Bash-path permission.

Default behaviour:

Destructive operations

delete_file and delete_directory always show a confirmation prompt before deletion. If the user cancels a deletion in a batch of tool calls, Sofos returns synthetic tool results for the skipped tools so the next provider request remains valid.

Configuration

Sofos reads configuration from:

.sofos/config.local.toml     # Workspace-specific, ignored by git.
~/.sofos/config.toml         # Global, optional.

Local configuration is loaded in addition to global configuration. Keep .sofos/ out of version control.

Custom instructions

Two instruction files are loaded at startup and appended to the system prompt:

Use AGENTS.md for team-wide conventions, architecture notes, and project-specific rules. Use .sofos/instructions.md for private preferences or machine-local context.

Permissions

Example permission configuration:

[permissions]
allow = [
  # Read permissions.
  "Read(~/.zshrc)",
  "Read(~/.config/**)",
  "Read(/etc/hosts)",

  # Write permissions.
  "Write(/tmp/sofos-output/**)",

  # Bash path permissions.
  "Bash(/var/log/**)",

  # Bash command permissions.
  "Bash(custom_tool)",
  "Bash(cargo:*)",
]

deny = [
  "Read(./.env)",
  "Read(./.env.*)",
  "Read(./secrets/**)",
  "Bash(dangerous_tool)",
]

ask = [
  # Ask only applies to Bash commands.
  "Bash(unknown_tool)",
]

Rules:

• Deny rules take priority over allow rules.
• Read, Write, and Bash path scopes are independent.
• * matches within one path segment.
• ** matches recursively.
• Read(/path/**) also covers /path itself.
• Bash(/path/**) grants bash path access, not command execution by itself.
• Bash(command) grants one exact command.
• Bash(command:*) grants commands by base name.
• A bare "Bash" in allow allows every bash command except built-in forbidden commands; structural checks still apply.
• A bare "Bash" in deny rejects every bash command.
• ask is valid only for Bash command rules.

MCP servers

Configure MCP servers in either local or global config.

Stdio server:

[mcp-servers.github]
command = "npx"
args = ["-y", "@modelcontextprotocol/server-github"]
env = { "GITHUB_TOKEN" = "ghp_YOUR_TOKEN" }

HTTP server:

[mcp-servers.internal-api]
url = "https://api.example.com/mcp"
headers = { "Authorization" = "Bearer token" }

Sofos connects at startup, lists available tools, prefixes tool names by server, and caches the list for the session.

Sessions and cost tracking

Sessions are saved automatically under:

.sofos/sessions/

A saved session includes:

• provider-facing conversation messages;
• display history for replay;
• system prompt;
• model name where available;
• safe-mode state;
• token counters and cache counters.

Resume with:

sofos --resume

or from inside Sofos:

/resume

On exit, Sofos prints token usage and an estimated cost. The summary includes cache-read information when available and accounts for provider cache discounts and cache-write premiums. For OpenAI models with tiered pricing, Sofos tracks the largest single-turn input and switches the estimate when the premium threshold is crossed.

Development

Project structure

For the complete source structure and ownership map, see STRUCTURE.md.

High-level layout:

src/
├── api/       Provider clients, shared message types, model metadata.
├── repl/      Turn orchestration, request building, response handling, TUI worker.
├── tools/     Native tool execution, permissions, filesystem, bash, search, image handling.
├── mcp/       Model Context Protocol configuration, clients, manager, transports.
├── session/   Runtime session state and on-disk session persistence.
├── ui/        Markdown, syntax highlighting, diffs, cost summaries, and display helpers.
└── commands/  Slash-command parsing and dispatch.

Useful commands:

cargo fmt --all
cargo clippy --all-targets -- -D warnings
cargo test --all
cargo build --release

Debug logging:

RUST_LOG=debug sofos

Release process

This project uses cargo-release.

# Preview a patch release.
cargo release patch

# Execute a patch release.
cargo release patch --execute

# Release a specific increment.
cargo release minor --execute

See RELEASE.md for the full process.

Troubleshooting

License

MIT License. See LICENSE.

Acknowledgments

Sofos is built with Rust and powered by Anthropic Claude or OpenAI models. Optional fast edits are provided through Morph Apply.

Links

• GitHub
• Crates.io
• Release notes
• Source structure

Disclaimer: Sofos Code can make mistakes. Review generated code and tool actions before relying on them.