nabu.
Self-improving · Open source · AGPL-3.0

Your agent.
Your hardware.
Your rules.

Nabu is a self-hosted, self-improving AI agent platform. It writes its own memory, builds its own skills, schedules its own work, and gets better the more you use it. One Postgres for everything. Zero hosted dependencies.

Deploy in 60 secondsStar on GitHub
providers
5+
Anthropic · OpenAI · Gemini · GLM · DeepSeek
datastores
1
Postgres for everything
hosted deps
0
Runs on your hardware
chatmemoryskillscronbrowsermcpAGENT RUNNER
  • inspired byHermes Agent
  • inspired byOpenClaw
  • no brokerNo Redis
  • one dbPostgres + pgvector
  • standardModel Context Protocol
  • licenseAGPL-3.0

The self-improvement loop

Every run leaves the agent smarter than it found it.

Three tiny pieces, working together: a runner with a frozen system-prompt snapshot, post-run hooks that mutate the agent’s own brain, and a compactor that keeps the context lean.

step 01

Run

User prompt → runner orchestrates one agent turn. Frozen brain block, persona block, todo block, and active skills are injected at run start.

compactor watches token count · rolls up at 70%

step 02

Hooks

Post-run hooks scan the transcript. The memory-extractor upserts durable facts. The skill-curator proposes new skills. The workshop scores existing skills and patches them.

memory-extractor · skill-curator · skill-workshop · auto-title

step 03

Next turn

The next prompt rebuilds the system prompt with the updated brain and new skills available as tools. The agent starts richer than it finished. The cycle compounds.

frozen prompt snapshot · prefix-cache hit · cheaper tokens

run → hooks → run → hooks → run → ∞

Capabilities

Everything an agent platform should do — already done.

Twelve surfaces, built on top of one Fastify api and one Postgres. Each one is a real, shipped feature you’ll see the moment you log in.

Streaming chat across providers

Anthropic, OpenAI, Gemini, DeepSeek, GLM. One chat surface, swap models per-message, watch tokens stream in real time.

ai-sdk · 5 providers

Memory the agent edits itself

Every conversation extracts durable facts into a per-user brain that’s frozen into the system prompt of every future run.

auto-extract · prefix-cached

Skills written by the agent

After a non-trivial task, an auto-curator proposes a reusable markdown skill. A workshop scores skills and patches them.

curator + workshop

Scheduled runs with full history

Cron-driven agent runs in fresh sessions. Drill into every step, retry from any point, get push-notification failure alerts.

pg-boss · vapid push

Auto-compaction at 70% context

An auxiliary LLM summarizes the middle of long conversations while protecting head and tail. No truncation surprises.

compactor.ts

A real browser the agent drives

Persistent Kasm Chrome session you can log into via noVNC. The agent drives the same browser via Chrome DevTools Protocol.

noVNC · CDP · socat

MCP servers, with safety preflight

Bring any Model Context Protocol server. OSV malware scan blocks compromised npx/uvx packages before install.

osv.dev · npx + uvx

Cost transparency, per-model

Each model row carries its $/1k in/out/cache-read price. Analytics rolls up daily spend, top skills, slowest queries.

analytics.ts

Personalities and slash commands

Toggle deep-researcher / concise-coder / devil’s-advocate per chat. Drive the composer with /skill, /recall, /memory, /cron new.

personas · slashes

Persist-then-broadcast WS

Every WebSocket event is durably logged before broadcast. Reconnect-with-resume via eventId means no event is ever lost.

ws/hub.ts

Connectors and attachments

Google Drive search/read out of the box. Drag-drop image, PDF, DOCX uploads with live text extraction preview.

pdf-parse · mammoth

Mobile-first PWA

100dvh layout, safe-area insets, momentum scroll, slide-in drawer. Installable on iOS, Android, desktop.

pwa · 393×852 first

In the app

Twelve surfaces, one shell.
Linear-style, mobile-first.

A clean, opinionated PWA built on Next.js 15 + Tailwind v4 + lucide-react. Slash menu in the composer, brain pulse in the topbar, persona switcher per chat, drag-drop attachments, inline diffs in the assistant bubble.

/chatstreaming · slash · diffs
U
summarize the auth changes from PR #214
checked out branch · reading auth/jwt.ts...
brain · 12.4k / 200k
Chat
/memorybrain editor · live broadcast
preferencePrefers terse explanations · no bullet preamble
factRepo: nabu_nodejs · TS strict · Fastify routes in src/http
skillAlways run npx tsc --noEmit before commits
Memory
/skillsworkshop · auto-patches
skill: extract-pr-summary.md
---
name: extract-pr-summary
description: Distill a PR diff into a 5-line changelog entry.
score: 0.86 (used 14×)
---

## Steps
1. Read PR title + body.
2. For each file, summarize hunks.
3. Group by area (api/db/ui).
4. Output as bullet changelog.
Skills
/cronfire-now · drill-down history
08:00morning_briefok · 14s · $0.012
17:30evening_summaryok · 22s · $0.018
00:00log_prunerok · 1.2s · $0.000
Cron
/browsernoVNC · CDP-driven
mail.google.com/u/0/#inbox
agent driving via CDP · noVNC viewer live
Browser
/analyticscost · top skills · slow queries
$ daily spend · 7d$4.18
Analytics

Architecture

One database. One websocket. Zero hosted dependencies.

Nabu deliberately runs on a tiny, opinionated stack. There is no Redis, no message broker, no third-party state store. Every piece is something you already know how to operate.

POSTGRES 17 + PGVECTORapp data · embeddings · pg-boss queueFASTIFY API · NODE 22agent/runner · compactormemory-extractor · skill-curatorws/hub · persist-then-broadcastjobs/cron · task-workertools/* · mcp/* · connectorsNEXT.JS 15 PWAchat · skills · memory · cron · settingsKASM CHROME + NOVNCreal browser · CDP via socat bridgePrisma · pg-bossWS · RESTCDP
  • Datastore☑ shipped
    Postgres 17 + pgvector + pg-boss
    app data, embeddings, queue — all in one db
  • Backend☑ shipped
    Node 22 · Fastify · Prisma 5 · Vercel AI SDK
    streaming-first, typed, small surface
  • Frontend☑ shipped
    Next.js 15 · React 19 · Tailwind v4
    app-router PWA with Linear-style tokens
  • Realtime☑ shipped
    Plain WebSocket · persist-then-broadcast
    reconnect-with-resume via eventId
  • Browser☑ shipped
    Kasm Chrome · noVNC · CDP socat
    real persistent profile you can log into
  • Push☑ shipped
    VAPID web-push (+ optional SMTP)
    cron failures land in the OS notification tray

vs. the alternatives

A complete agent platform, not just a chat UI

Most “self-hosted AI” tools are chat surfaces in front of someone else’s API. Nabu is the runner, the memory, the skills, the scheduler, the browser, and the cost tracker — under one license, on your hardware.

capabilityNabuChatGPTClaude.aiCursorOpen WebUI
Self-hosted on your hardware
Auto-extracts memory from conversations
Writes its own reusable skills
Schedules itself with cron + run history
Real persistent browser the agent drives
Native MCP server registry per user
Per-model cost tracking baked in
One database — no Redis, no broker

Security

Hardened by default — because agents touch the world.

An agent platform is a privileged piece of software. Nabu treats every input — prompts, schedules, memory writes, MCP tools, outbound URLs — as untrusted and runs each through a dedicated guard.

Encrypted secrets at rest

Provider keys and MCP env values are sealed with AES-256-GCM. Key derives from NABU_SECRET_KEY (or JWT_SECRET as fallback). Plaintext never touches disk.

src/secrets.ts

Prompt-injection scanning

Cron prompts and memory writes are scanned with the Hermes regex set before persistence. Adversarial inputs never make it into the brain.

lifted from cronjob_tools.py

OSV malware preflight

Before installing any npx or uvx MCP server, api.osv.dev is queried for known compromises. Anything tagged MAL-* is blocked at install time.

security/osv-check.ts

SSRF guard on every fetch

web_fetch, connectors, and MCP outbound URLs are pre-checked. Requests to RFC1918, CGNAT, link-local, and cloud-metadata IPs are refused.

security/url-safety.ts

JWT auth, scrypt hashing

Rotating refresh tokens for sessions. Passwords land as scrypt hashes. The default admin password must be changed before the box is reachable.

auth/jwt + scrypt

Single-user isolation

Memory, skills, schedules, and settings are scoped per user. Tools merge from per-user MCP servers. There are no shared prompt-injection vectors.

tools/index.ts

Quickstart

Five lines to your own agent. Two GB of disk.

A single docker compose brings up Postgres, the Fastify api, the Next.js PWA, and the persistent browser. Bind-mounts to ./.nabu/data make every byte yours to back up, move, or rip out.

/nabu — zsh
# Clone & generate secrets
$ git clone https://github.com/drddavi/nabuagent && cd nabuagent
$ bash _scripts/setup.sh

# Add at least one provider key in .env
# PROVIDER_ZAI_API_KEY=...   ANTHROPIC_API_KEY=...   OPENAI_API_KEY=...

# Bring everything up
$ docker compose up -d --build

# Open the app
$ open http://localhost:9001
  • Login is admin / nabu-admin
    Change NABU_ADMIN_PASSWORD before exposing to the network.
  • Hot-swap providers anytime
    Settings → Providers — toggle Anthropic, OpenAI, Gemini, DeepSeek, GLM.
  • Add MCP servers per user
    Settings → MCP. OSV malware preflight runs before install.
  • Persistent state under .nabu/data
    Bind-mounted, gitignored, easy to back up or relocate.

FAQ

Questions, answered.

If something is missing here, the README and CLAUDE.md in the repo go deep into every architectural choice. The whole stack is open.

Stop renting an agent. Run your own.

Open source, AGPL-3.0, runs on a laptop, scales to a workstation. The agent gets sharper every time you use it — and you keep the only copy.

Deploy in 60 secondsRead the source

AGPL-3.0 · 2 GB disk · zero hosted dependencies