A new open-source coding agent called Agent Joe just dropped on Hacker News, and it's taking a radically different approach to AI-assisted development. The tool is TUI-based, Rust-only, and deliberately stripped of shell access—the developer behind it says he "just hate[s] the fact that cli tools with connections to llm providers can execute any arbitrary command on my terminal." That paranoia about what these agents can do under the hood is the entire thesis here.

The Shell Access Problem Nobody Talks About

When you hand an AI coding agent full terminal access, you're trusting it—and whatever prompt injection or misdirection might slip through—with your entire system. Agent Joe eliminates that attack surface entirely by design. No shell means no rm -rf /, no curl-piping malicious scripts, no spawning background crypto miners while you're trying to refactor a React component. The Rust-only constraint isn't just an arbitrary choice either; the developer explicitly notes it "reduce[s] the number of possible actions to just rust specific ones, lowering the total tool count." Fewer tools means fewer vectors.

Supported Providers and Current Capabilities

Agent Joe works with OpenAI and Codex out of the box—both fully supported according to the project README. Claude support exists but remains untested "due to cost" per the developer. OpenRouter integration is functional except for web search, which isn't implemented yet. Self-hosted setups can connect via a local response API endpoint. The tool ships with two command-line flags: --debug enables verbose logging and thinking token output for debugging agent behavior, while --simple disables multi-agent mode entirely, collapsing it down to behave more like Codex's single-agent approach.

TUI Design and Vim Bindings

The interface borrows heavily from Claude Code and Codex in terms of interaction patterns—file editing, git operations, running tests—but with one significant UX twist: Vim keybindings are forced on you. No escape hatch to Emacs mode or arrow keys like some editors pretend is a preference setting. For the Vim-curious developer who wants to dip their toes into modal editing without committing fully, it's either a feature or a dealbreaker depending on your relationship with hjkl navigation.

Where It Falls Short

The developer is upfront that Agent Joe doesn't match Codex's quality yet. The main bottlenecks are prompt engineering and the absence of a plan mode—features that let Codex reason through larger refactors before touching code. For smaller tasks, one-off bug fixes, or Rust-specific work where you want visibility into exactly what an AI agent is doing without worrying about side effects, it fills a niche. "This is a fun project to work on," the developer notes with refreshing honesty about motivations.

Key Takeaways

  • No shell access by design—security through architectural constraint rather than trust
  • Rust-only tooling limits possible actions and reduces attack surface
  • Supports OpenAI, Codex fully; Claude support untested due to API costs
  • Vim keybindings mandatory for all navigation—no exceptions
  • Currently missing plan mode that makes Codex more reliable on complex tasks

The Bottom Line

Agent Joe is a proof-of-concept that's onto something real: the assumption that AI coding tools need shell access is worth challenging. Whether Rust-only tooling catches on or this stays a niche tool for security-conscious developers remains to be seen, but the approach deserves attention. Sometimes the best security feature is simply not having the capability in the first place.