Table of Contents generated with DocToc

What is Apache Magpie?

Apache Magpie is an AI assistant for open-source project maintainers. It handles the repetitive parts of running a project — triaging issues, reviewing PRs, onboarding contributors, managing security reports, cutting releases — so maintainers can spend their time on design, relationships, and the work that actually requires a human.

The agent proposes. The human decides. Magpie never merges, never pushes, never sends mail, never flips a label without a maintainer confirming first.


How it works

Magpie provides skills — step-by-step workflows an AI agent follows. You pick which skills your project uses. The agent reads your issues, PRs, or security reports, does the analysis, and drafts a response. You review it and hit “go” (or don’t).

Five modes describe what the agent can do, from low-risk to high:

Mode What it does Status
Agentic Triage Classify issues/PRs, spot duplicates, propose labels Stable
Agentic Mentoring Help contributors with conventions, point to examples Experimental
Agentic Drafting Write a code fix or a PR for you to review Stable (security)
Agentic Pairing Self-review your own code before submitting Experimental
Agentic Autonomous Merge trivial changes without human review Off (deliberately)

Each project picks the modes that fit. You can run just Agentic Triage and nothing else.


Need help with one of these? Adopt a family of skills

Magpie’s skills ship in families. You don’t adopt all of them — you pick the ones that match a problem you actually have today. Each family page explains what it does, which skills it includes, and how to turn it on.

Most families work on any project, inside or outside the Apache Software Foundation. The ones marked 🪶 ASF-specific encode Foundation processes — the release lifecycle and the contributor-to-committer path — and assume an ASF adopter profile by default; a non-ASF project can still adopt them through the adapter/config layer, but they carry ASF assumptions the generic families do not.

If you’re dealing with… Adopt the family Scope
Setting up agents safely — sandbox, clean environment, privacy routing setup Any project
Security reports that need careful, audited handling security Any project
A pull-request queue that’s out of control pr-management Any project
An issue backlog full of duplicates and stale reports issue-management Any project
Repo hygiene slipping — CI runners, dependencies, licenses, flaky tests repo-health Any project
Releases that are a manual, error-prone slog release-management 🪶 ASF-specific
New contributors getting stuck and drifting away mentoring Any project
Growing contributors into committers contributor-growth 🪶 ASF-specific
Building or maintaining your own skills utilities Any project

Start with setup regardless — it is the prerequisite every adopter installs first — then add the families above as you need them.


Who is this for?

Maintainers wanting to adopt Magpie in their project

You have an open-source project with an issue tracker and/or PR queue, and you want agent assistance with the mechanical parts.

→ Start with the README (adoption steps) and install recipes.

Security team members

You handle CVE reports and want agent help with the 16-step lifecycle — import, triage, fix, allocate, publish.

→ Start with security workflow overview, then new member onboarding.

Contributors to the Magpie framework itself

You want to improve the skills, add tools, or fix bugs in the framework.

→ Start with CONTRIBUTING.md and the spec-driven development loop.

People evaluating whether to adopt

You want to understand the trust model, cost, and governance commitments before deciding.

→ Read MISSION.md (the why), PRINCIPLES.md (the rules), and mode economics (what it costs in tokens).

People who are concerned for security and privacy when using their agents

You would like to use agentic AI but you are concerned about security and privacy - when LLMs / Agent might get access to your credentials and poison your workstation, or have access to private information from mailing lists, slack etc.

→ When you setup Magpie, it will setup your workstation with security guardrail layers that will run your agents in containerized sandbox, and it will setup privacy gateways for the tools your agentic setup will use. Read more details in Secure agent setup RFC and Privacy-aware LLM routing for foundation private information.


Key concepts in 60 seconds

  • Skill — A markdown file describing one workflow (e.g., “triage a PR”). The agent reads it and follows the steps.
  • Mode — A risk level (Agentic Triage → Agentic Mentoring → Agentic Drafting → Agentic Pairing → Agentic Autonomous). Projects opt in per-mode.
  • Adopter config — Your project-specific settings (mailing lists, label schemes, canned responses) in a <project-config>/ directory.
  • Sandbox — The agent runs in a locked-down environment. It can’t read your credentials, can’t access the network freely, and can’t push code.
  • Human-in-the-loop — Every action visible to others requires explicit maintainer confirmation. No exceptions until Agentic Autonomous (which is off).

Where to go next

I want to… Read…
Understand the full vision MISSION.md
Understand how it stays vendor-neutral vendor-neutrality.md
Find or author a backend adapter adapters/registry.md
Pull a skill/family from a trusted external source skill-sources/README.md
Extend Magpie (project / org / individual) extending.md
See what skills exist today modes.md
Adopt in my project README → Adopting
Set up the secure agent sandbox setup/
Understand the security workflow security/
Know what it costs to run mode-economics.md
Understand the privacy model rfcs/RFC-AI-0003.md
Contribute to the framework CONTRIBUTING.md
Learn to build and extend skills education/
Suggest a change