Funded local agent sessions for open source maintainers - early access!
Claude Code / Codex / Copilot CLI / Vibe / OpenCode / Continue - MCP / SKILL
opub configures a browser-provisioned compute key and launches local agent sessions funded by donated compute.
👋 The CLI is useful if you have a project on opub with funding. No project yet? Start at opub.dev!
Install the latest released CLI:
curl -fsSL https://opub.dev/install.sh | shFrom the GitHub repository you maintain, configure an agent with the one-time provider key shown in browser setup:
opub setup codex --project owner/repo --compute-key-id ck_...Start a funded local session:
opub run codexSupported agents are claude, codex, copilot, vibe, opencode, and continue.
Above applications must be available to your machine.
In short: The CLI links your agentic sessions with your donated compute.
- Stores the one-time provider key locally after browser setup.
- Writes non-secret project, compute key, provider, and agent config under opub state paths.
- Starts a local work session when you run an agent through
opub run <agent>. - Injects environment variables into the agent process.
- Refreshes bundled agent context for each supported agent.
- Runs a secretless local MCP server with project/session context for tools that support MCP.
Why? It helps donors know that the tokens directly aid the projects they fund.
opub setup copilot --project owner/repo --compute-key-id ck_...
opub setup claude --project owner/repo --compute-key-id ck_...
opub setup codex --project owner/repo --compute-key-id ck_...
opub setup vibe --project owner/repo --compute-key-id ck_...
opub setup opencode --project owner/repo --compute-key-id ck_...
opub setup continue --project owner/repo --compute-key-id ck_...opub setup verifies the current repository origin matches --project, stores the provider key, and writes agent config.
By default credentials go to the system credential store:
Configured opub for owner/repo
Compute key: ck_...
Agent: codex
Credentials: system credential store
Config: /home/user/.local/state/opub/repos/.../targets/codex/config.json
State: /home/user/.local/state/opub/repos/.../targets/codex
Daily use: opub run codex
opub doctor codexrepo root: /home/user/src/repo
state dir: /home/user/.local/state/opub/repos/.../targets/codex
config: /home/user/.local/state/opub/repos/.../targets/codex/config.json
session: /home/user/.local/state/opub/repos/.../targets/codex/session.json
project: owner/repo
compute key: ck_...
provider: openrouter
credential storage: system credential store
credential: present
agent executable: /usr/local/bin/codex
session state: active
skill: installed
mcp: configured
status: ok
opub run copilot
opub run claude
opub run codex
opub run vibe
opub run opencode
opub run continue -- -p "Review staged changes for obvious bugs" --silent
opub run codex -- "fix the failing test"opub run creates or refreshes a local session, stores a hash-only runtime proof in session.json, injects credentials and opub metadata into the selected agent process, then replaces itself with that process.
opub pathsrepo root: /home/user/src/repo
state root: /home/user/.local/state/opub
state dir: /home/user/.local/state/opub/repos/.../targets/codex
config: /home/user/.local/state/opub/repos/.../targets/codex/config.json
session: /home/user/.local/state/opub/repos/.../targets/codex/session.json
credential storage: system credential store
credential service: opub:owner/repo:compute-key:ck_...
credential account: codex:provider-key
opub mcp stdio --repo-root /home/user/src/repo --target codexThe MCP server is started automatically for supported agents when practical. Continue receives a generated state-dir continue.yaml with OpenRouter, opub MCP, and a short config rule. Its tools expose secretless project context and verified local session state only:
identify_projectget_compute_statusget_active_work_sessionfinish_work_session
MCP never exposes provider secrets. A linked MCP session requires a recent unfinished session.json plus matching runtime launch proof inherited from opub run; direct or stale MCP registrations remain configured but unlinked. MCP does not prove provider spend, prompts, responses, files, commits, PRs, issues, tasks, or work units. Provider telemetry links spend to the compute key for ledger math when the provider identifies that key.
opub stores the provider key in the system credential store by default. The config file contains provider metadata, project identifiers, agent name, and compute key identifiers, but not the provider key secret.
Use --insecure-storage only for local development environments where a system credential store is unavailable:
opub setup codex --project owner/repo --compute-key-id ck_... --insecure-storageIn insecure mode, the provider key is written under the opub state directory with restrictive file permissions. Treat that directory as secret-bearing.
opub gives maintainers a local way to spend donated compute through capped compute keys. The CLI can identify the configured project, compute key, agent, repository origin, current git metadata, and whether a recent unfinished local session is verified by runtime launch proof.
The provider ledger is the source of truth for token spend. Local MCP context is useful for linking and operator clarity, but it is not spend proof and does not match requests to prompts, responses, files, commits, PRs, issues, or work units.
In clear: your prompts, any context and responses are not observed.
Run tests:
go test ./...Useful local smoke commands:
go run . --help
go run . setup codex --project owner/repo --compute-key-id ck_... --insecure-storage
go run . doctor codex
go run . pathsRelease assets are built by the tag-driven GitHub Actions workflow. Releases publish:
opub-linux-amd64.tar.gzopub-linux-arm64.tar.gzopub-darwin-amd64.tar.gzopub-darwin-arm64.tar.gzSHA256SUMS
Issues are welcome. For pull requests, please start with an issue so the scope and security boundaries are clear before implementation.
MIT License. See LICENSE.