A vetted list of tools and systems for building, running, and governing AI agents.
Most agent lists are append-only. An entry is added because someone opened a pull request, and it stays after the project is abandoned. This list is the opposite: every entry is checked against the criteria below before it is added, and entries are removed when they stop meeting them. A short list of things that work is more useful than a long list of things that exist.
- Vetting
- Frameworks
- Coding Agents
- Runtimes and Sandboxes
- Model Serving
- Protocols
- Memory and Retrieval
- Evaluation
- Observability
- Security and Governance
- Reading
Every entry must meet all five criteria. An entry that stops meeting them is removed, not marked stale.
Maintained. A substantive commit in the last six months, and open issues that receive maintainer replies. A repository that stopped merging pull requests is not maintained, however many stars it has.
Runnable. The documented quickstart works on a clean machine. A project that requires undocumented setup does not belong here yet.
Documented. The readme explains what the project does and what it does not do, before it explains how to install it.
Used in earnest. Either a contributor has run it on real work, or it has a public track record of use beyond its own examples.
Not a wrapper. A thin shell around one API call, published to claim a name, is excluded.
Entries maintained by Ion Alpha are marked, so you can weigh them accordingly.
Libraries for composing models, tools, and control flow into an agent.
- LangGraph - Graph-structured agent orchestration with explicit state and durable execution.
- CrewAI - Role-based multi-agent teams with declarative task delegation.
- AutoGen - Conversation-driven multi-agent programming with a research-oriented design.
- Semantic Kernel - Agent and plugin composition for .NET, Python, and Java.
- smolagents - Minimal agent library where the model writes and runs code as its action space.
- Pydantic AI - Type-checked agent construction built on Pydantic validation.
Agents whose primary action space is a codebase.
- Aider - Terminal pair programmer that edits a Git repository and commits its own changes.
- OpenHands - Sandboxed development agent with a browser, shell, and editor.
- SWE-agent - Agent-computer interface research vehicle for resolving repository issues.
Where the agent's actions actually execute, and what contains them.
- Flynn - Agent operating system in a single Go binary, where every action is sandboxed, governed, and sealed into a verifiable record. Maintained by Ion Alpha.
- E2B - Hosted code-interpreter sandboxes for agent-generated code.
- gVisor - User-space kernel providing container isolation with a narrowed host syscall surface.
- Firecracker - MicroVM monitor for hardware-virtualized isolation with fast start times.
Running the model the agent thinks with, locally or on your own hardware.
- llama.cpp - Efficient CPU and GPU inference for GGUF models, with an OpenAI-compatible server.
- vLLM - High-throughput serving with paged attention and continuous batching, suited to concurrent agent runs.
- Ollama - Local model management and serving behind a single command.
Standards for connecting agents to tools, data, and each other.
- Model Context Protocol - Open protocol for exposing tools and resources to a model over a uniform interface.
- Agent2Agent - Protocol for discovery and task delegation between independent agents.
Giving an agent something to recall between turns and between runs.
- Chroma - Embedding database with a small API surface, suited to per-agent memory stores.
- Qdrant - Vector search engine with payload filtering and on-disk storage.
- LlamaIndex - Ingestion and retrieval pipelines over private data.
Measuring whether the agent did the thing, rather than whether it sounded like it did.
- SWE-bench - Benchmark of real GitHub issues resolved against real test suites.
- Inspect - Evaluation framework for agentic tasks, from the UK AI Safety Institute.
- Ragas - Metrics for retrieval-augmented pipelines, including faithfulness and relevance.
Seeing what the agent did, in enough detail to explain a failure.
- Langfuse - Self-hostable tracing, evaluation, and prompt management for LLM applications.
- OpenLLMetry - OpenTelemetry instrumentation for model and agent calls.
- Phoenix - Tracing and evaluation with a local-first notebook workflow.
Constraining what an agent is permitted to do, and proving what it did.
- Garak - Vulnerability scanner that probes a model for prompt injection, leakage, and jailbreaks.
- OWASP Top 10 for LLM Applications - Reference list of the failure classes worth designing against.
- Promptfoo - Red-teaming and evaluation harness that runs adversarial probes as a test suite.
- Building Effective Agents - Argues most production value comes from composable patterns rather than autonomous loops.
- ReAct: Synergizing Reasoning and Acting in Language Models - The interleaved reason-and-act loop most agent frameworks still implement.
- Toolformer: Language Models Can Teach Themselves to Use Tools - Self-supervised tool use, and the origin of much of the tool-calling literature.
Read the contribution guidelines first. An entry that does not meet the vetting criteria will be declined with the reason, which is the point of the list.