Cortex: Best AI Agent Runtimes for Developers in 2026

What Is Cortex?

Cortex is an open-source AI agent runtime built by by-scott, and Cortex is one of the best AI Agent Runtimes tools for developers shipping local, multi-user LLM agents. The 1.5.0 workspace is split across 7 crates, centered on Rust, SQLite, Unix domain sockets, and a capability-first SDK that keeps ownership, retrieval, and delivery explicit instead of hidden behind prompt glue.

Cortex is designed for long-running agents that need durable state, strict tenant boundaries, and inspectable execution. It is not a thin chat wrapper; it is a daemon-oriented substrate for language models that must survive restarts, enforce permissions, and keep turn history, retrieval evidence, and tool side effects in a recoverable model.

Quick Overview

Who Should Use Cortex?

• Platform engineers building a daemon-backed agent layer that must keep tenant and actor ownership in every request, turn, and retrieval operation.
• Indie hackers who want a local LLM runtime with persistent state, journal replay, and a binary release path instead of a hosted black box.
• Backend teams integrating retrieval, permissions, and tool execution into one runtime without scattering policy across separate services.
• CTOs who need an inspectable agent substrate with explicit persistence, delivery planning, and rollback-friendly release discipline.

Not ideal for:

• Teams that want a browser-first or SaaS-hosted agent UI with zero infra work.
• Builders who only need a single-shot prompt wrapper and do not care about durable state.
• Projects that require the old 1.4 live surfaces today, because those are not restored in the 1.5.0 active path.

Key Features of Cortex

• Ownership-first runtime model — Every tenant, actor, client, session, turn, event, delivery, permission, and corpus identifier is typed. That matters because Cortex rejects cross-tenant access before private state is loaded, replayed, retrieved, delivered, or mutated.
• SQLite-backed durability — Cortex stores migrations, sessions, active sessions, memory, permissions, delivery outbox records, side-effect records, and token usage in SQLite. That gives you a single-file persistence layer that survives daemon restarts without introducing a separate database service.
• File-backed event journaling — The runtime writes events to a journal and replays them with visibility filtering. This is the part that makes recovery deterministic after crashes, and it is the difference between a chat history and an actual runtime log.
• RAG evidence retrieval with ACLs — Cortex retrieval applies query-scope authorization, corpus ACLs, BM25 lexical scoring, placement, taint blocking, and support decisions. Retrieved content is wrapped as untrusted evidence, which is the right default for agent systems that should not blindly trust documents.
• Daemon-first Unix socket boundary — The active line is built around a Unix socket runtime with bootstrap, status, send, tenant registration, client binding, shutdown, journal recovery, and SQLite state recovery. That makes Cortex behave more like a local control plane than a library.
• Capability-first SDK plugins — The SDK contract validates ABI shape, declared capabilities, host paths, and output limits before a plugin can run. Tool execution is then mediated by host-granted permissions and durable side-effect intent/result records, which is a much better failure model than shelling out blindly.
• Structured outbound delivery — Cortex plans outbound delivery for Telegram, QQ, and CLI rendering contracts. If you need agent output to land in multiple transports with the same policy layer, this is where the runtime is more disciplined than a plain chat engine.

Cortex vs Alternatives

Pick OpenSwarm when your main problem is coordinating many agent workers and you want orchestration patterns first. Pick Brainstorm MCP when your stack is already MCP-shaped and you care more about context routing than daemon durability.

Pick OpenTrace when you mainly need execution visibility, spans, and debugging output for existing systems. Pick Cortex when the runtime itself needs to own persistence, permissions, retrieval, and delivery as part of the same contract.

How Cortex Works

Cortex works as a daemon-first runtime with a narrow ingress boundary and a durable substrate underneath it. The control plane uses typed ownership boundaries, then stores runtime state in SQLite and the file journal before it hands work to retrieval, turn planning, or delivery.

The architectural decision that matters most is that Cortex treats retrieval and side effects as first-class runtime concerns instead of incidental helpers. That means the data model is built around tenant-scoped identity, visibility checks, permissions, and evidence placement, while the SDK contract enforces capability limits before code runs. In practice, that is closer to a local agent OS than a prompt loop.

git clone https://github.com/by-scott/cortex.git
cd cortex
./scripts/gate.sh --docker
./scripts/cortex.sh install
./scripts/cortex.sh status

The gate command compiles the workspace with the repository toolchain, runs strict formatting and clippy checks, and executes the full test suite. The install step then places the release binary with checksum verification, and the status check confirms that the daemon boundary and stored state are available before you start binding tenants or clients.

Pros and Cons of Cortex

Pros:

• Strong tenant isolation — Ownership checks happen before state access, which reduces accidental cross-tenant reads and writes.
• Durable execution model — SQLite plus event journaling gives Cortex recoverability after daemon restarts and crash recovery.
• Inspectable retrieval path — BM25 scoring, ACL filtering, and taint blocking make evidence handling auditable instead of implicit.
• Capability-scoped plugins — The SDK contract restricts host paths, declared capabilities, and output size before execution starts.
• Release discipline — The ./scripts/gate.sh --docker flow adds a concrete quality barrier with fmt, clippy, and tests.
• Multi-transport planning — Delivery contracts for Telegram, QQ, and CLI output reduce transport-specific branching in application code.

Cons:

• Not a full 1.4 feature replacement yet — HTTP, WebSocket, JSON-RPC, MCP, ACP, Telegram, QQ, browser live clients, and several legacy modules are not restored in the active path.
• Infra is part of the product — If you do not want a daemon, journal, and SQLite state on disk, Cortex is more machinery than you need.
• Rust-first stack — Teams outside the Rust ecosystem will pay a higher adoption cost for plugins, extensions, and debugging.
• More explicit setup — Ownership, tenant registration, and client binding are deliberate steps, not background magic.

Getting Started with Cortex

A practical Cortex setup starts with the repository, the release gate, and the install script. That sequence tells you whether the runtime is healthy before you trust it with tenant state or tool execution.

git clone https://github.com/by-scott/cortex.git
cd cortex
./scripts/gate.sh --docker
./scripts/cortex.sh install

After installation, the first boot should initialize SQLite state, the file-backed journal, permission records, and delivery outbox tables. If you are wiring Cortex into a larger workflow, pair it with OpenTrace so you can inspect events and side effects while keeping Cortex responsible for the actual runtime contract.

For a real rollout, register a tenant, bind a client, and verify the Unix socket boundary before sending any production workload. That sequence is the point where Cortex stops being a binary and starts acting like a controlled runtime.

Verdict

Cortex is the strongest option for local, multi-user LLM runtime control when you need durable state and hard ownership boundaries. Its biggest strength is the explicit SQLite-plus-journal architecture, and its main caveat is the incomplete restoration of the older live surfaces. Choose Cortex if you want the runtime to be inspectable, recoverable, and policy-driven.