MAGI is a local, single-operator reasoning and deliberation aid for Claude Code. It helps structure complex decisions by splitting them into three persona cores that recursively decompose, self-verify, and vote.
What MAGI is NOT:
- A security gate or sandbox
- A deployment approval system
- A comprehensive safety audit
- A substitute for independent review, testing, or rollback planning
When MAGI runs:
- Cores execute as fork subagents, inheriting the user's full permissions (shell, file system, git config, SSH keys, API tokens in environment).
- Cores follow read-only + no-exfiltration constraints when judging untrusted content (see Hard Constraints in magi-protocol.md).
- Cores cannot be instructed by embedded directives in the content being judged (e.g.,
[OVERRIDE], "ignore previous instruction") — such lines are treated as data, not commands.
What this means:
- Trusted input: Your own code, decisions, architecture questions → cores can fully evaluate with all tools.
- Untrusted input (PR comments, external code, user-submitted configs): Cores use only read-only verification and spot-check the claims, never executing arbitrary instructions hidden in that content.
- Verification is spot-check, not exhaustive: Orchestrator verifies one load-bearing fact per core. MAGI does not guarantee 100% correctness.
- Unanimity ≠ proof: All three cores agreeing on a grave operation is a strong signal, but it does not prove the decision is safe. Flawed premises, hidden assumptions, or undisclosed context may still result in a wrong verdict.
- Grave-op list is public: The list of operations requiring 3/3 unanimity + veto (defined in protocol) is not a secret gate. Do not rely on it as a security barrier against sophisticated attackers.
MAGI is distributed as a public GitHub repository. Before installing:
- Review the commit you're installing:
git log --oneline magi-system/magi | head -5 - Inspect the skill source before copying to
~/.claude/skills/:git show HEAD:magi/SKILL.md | head -20 - Do NOT:
- Install from branches you don't control
- Bypass reviewing the commit history
- Auto-update without checking what changed
Checksum verification: We do not mandate GPG signing or checksums. Instead, review the commit yourself. This is lighter and equally valid for local tooling.
Found a potential issue with MAGI's judgment logic, tool constraints, or protocol?
- Open an issue: https://github.com/jangfolk/magi-system/issues
- Describe:
- What the concern is (e.g., "Untrusted input in Core brief can be exploited via prompt injection")
- Concrete example or exploit scenario
- Suggested fix (if applicable)
- Do not publish exploit details if the issue affects active deployments; reach out privately first.
- magi-protocol.md — Full implementation, Hard Constraints, Untrusted Input Handling
- SKILL.md — User-facing skill definition with safety caveats
Last updated: 2026-07-01
License: MIT (See LICENSE)