QuantCode
Autonomous coding agents on sovereign AI
QuantCode is a fork of OpenCode wired into Quant's IRAP-backed Australian AI infrastructure. Bring it to your terminal, dispatch it from chat or Slack, or wire it to GitHub via workflows. Every run is logged at the org level.
One platform, four surfaces
Bring QuantCode to where work happens
Same agents, same audit trail. The surface is just how you reach them.
Terminal
A polished TUI on top of OpenCode — local agents, sub-agents, and skills, talking to your sovereign Quant org.
Cloud agents
Code, plan, review, security, debug, and supply-chain specialists pre-built in every org. Call them from chat, workflows, Slack, or another agent.
Autonomous jobs
Long-running containerised work — repo audits, PR reviews, multi-step refactors — dispatched via the quant_autonomous_start tool. Reads, plans, edits, opens PRs.
Workflows
Webhook and scheduled triggers tied to tool nodes. GitHub events flow in, agents take action, results land in PRs or issues.
Six pre-built specialists
Every Quant org ships with system prompts, models, tool sets, and skills already wired. Call them from chat, workflows, Slack bots, or via call_agent.
- code: Implementation — writes code, runs tests, opens PRs
- plan: Investigation and design proposals before code
- security: Threat modelling, vuln assessment, ISM/ES8 compliance
- review: Severity-classified code review (Blocker / Warning / Nit)
- debug: Systematic four-phase root-cause analysis
- supply-chain (Flagship): Dependency risk, CVEs, release age, pinning audit
Supply-chain on autopilot
A pre-built specialist agent that does real research — not rubber-stamps. It runs osv-scanner and ecosystem audits, confirms each CVE actually reaches your code, weighs release age and maintainer signals, and always reports floating or unpinned dependencies.
Three task shapes from one shared methodology — scheduled audits, dependency PR reviews, ad-hoc CVE queries. All read-only against your repo by default; pinning remediation is a separate, gated capability.
Why we built it this way — read What The ASD Asked. What We Built.
Scheduled audits
Cron-trigger workflow runs the full risk sweep against a repo and opens (or idempotently updates) a single labelled GitHub issue with severity-ranked findings.
Dependency PR reviews
GitHub pull_request webhook (HMAC-authenticated through Portal) triggers a review. Self-filters to dep PRs — no spam on application changes.
Ad-hoc CVE queries
Ask in chat or Slack. The agent inspects the repo, applies the methodology, and gives a direct AFFECTED / NOT AFFECTED verdict with evidence.
The methodology, applied every run
Every finding cites file:line and an authority (CVE / GHSA / OSV / OWASP). Findings without that level of evidence are dropped, not softened.
Runs osv-scanner + ecosystem audits up front, then confirms each advisory affects both the installed version AND the actually-used code path before reporting. Cites CVE / GHSA / OSV IDs.
Fetches each new or changed dependency's publish date. Anything < 5 days old is an elevated-risk flag — fresh releases are a prime supply-chain attack vector.
Web-searches the package for compromise, malware, typosquatting, and maintainer-change reports. Notes sudden permission-scope changes.
Greps how the dep is actually used. Prod runtime weighs heavily; dev-only or CI-only weighs low — a risky dep in a build tool is not the same as one in the request path.
Scans Dockerfiles, GitHub Actions uses: refs, package.json / composer.json / lockfiles for floating, range, or unpinned specifiers. Always reported, even when no CVEs are found.
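A small checker that applies the pinning-audit and release-age steps above to a repository's manifests. This is an added illustration written for this page, not QuantCode's or OpenCode's own code: the workflow, Dockerfile, package.json, commit SHA, digest and publish dates are constructed samples, and the five-day threshold is the one the text states.

```python
import re
from datetime import date

# --- Constructed sample inputs; none of these come from a real repository. ---
WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@8f152de45cc7d2d4fc5e18e37db9a46ba7f4cd6c  # v4.0.0
      - uses: ./.github/actions/local-step
      - uses: some-org/some-action@main
"""
DOCKERFILE = """\
FROM --platform=linux/amd64 node:20-alpine AS build
FROM python:3.12-slim@sha256:0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f
"""
PACKAGE_JSON = {
    "dependencies": {"express": "^4.18.2", "lodash": "4.17.21", "left-pad": "latest"},
    "devDependencies": {"jest": "~29.7.0"},
}
# Publish dates as a registry lookup would return them (constructed values).
PUBLISH_DATES = {
    "express": date(2023, 10, 8), "lodash": date(2021, 2, 20),
    "left-pad": date(2024, 3, 1), "jest": date(2023, 9, 12),
}
TODAY = date(2024, 3, 3)   # fixed "now" so the run is reproducible offline
FRESH_DAYS = 5             # releases younger than this are an elevated-risk flag

SHA40 = re.compile(r"^[0-9a-f]{40}$")
EXACT_SEMVER = re.compile(r"^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?$")
USES_RE = re.compile(r"^\s*-\s*uses:\s*([^\s#]+)", re.M)
FROM_RE = re.compile(r"^FROM\s+(.+)$", re.M)


def audit_actions(workflow_text):
    """Classify each `uses:` ref: pinned only if the part after '@' is a full 40-hex commit SHA."""
    out = []
    for m in USES_RE.finditer(workflow_text):
        ref = m.group(1)
        if ref.startswith("./"):  # local composite action ships with the repo; nothing to pin
            continue
        _, _, version = ref.rpartition("@")
        out.append((ref, "pinned" if SHA40.match(version) else "floating"))
    return out


def audit_dockerfile(dockerfile_text):
    """Classify each FROM image: pinned only when it carries an @sha256: digest."""
    out = []
    for m in FROM_RE.finditer(dockerfile_text):
        tokens = [t for t in m.group(1).split() if not t.startswith("--")]  # drop --platform=...
        image = tokens[0]
        if image == "scratch":
            continue
        out.append((image, "pinned" if "@sha256:" in image else "floating"))
    return out


def audit_package_json(pkg):
    """Exact 'x.y.z' specifiers are pinned; ranges, dist-tags like 'latest' and wildcards float."""
    out = []
    for section, scope in (("dependencies", "prod"), ("devDependencies", "dev")):
        for name, spec in pkg.get(section, {}).items():
            out.append((name, spec, scope, "pinned" if EXACT_SEMVER.match(spec) else "floating"))
    return out


def audit_release_age(pkg, publish_dates, today, fresh_days=FRESH_DAYS):
    """Return (name, age_in_days) for every dependency whose release is younger than fresh_days."""
    out = []
    for section in ("dependencies", "devDependencies"):
        for name in pkg.get(section, {}):
            published = publish_dates.get(name)
            if published is None:
                continue
            age = (today - published).days
            if age < fresh_days:
                out.append((name, age))
    return out


def run_audit(workflow_text=WORKFLOW, dockerfile_text=DOCKERFILE, pkg=PACKAGE_JSON,
              publish_dates=PUBLISH_DATES, today=TODAY):
    """Severity-ranked findings: fresh releases are ELEVATED, floating prod deps WARNING, dev-only NIT."""
    findings = []
    for ref, status in audit_actions(workflow_text):
        if status == "floating":
            findings.append(("WARNING", f"GitHub Actions ref not SHA-pinned: {ref}"))
    for image, status in audit_dockerfile(dockerfile_text):
        if status == "floating":
            findings.append(("WARNING", f"Dockerfile base image not digest-pinned: {image}"))
    for name, spec, scope, status in audit_package_json(pkg):
        if status == "floating":
            sev = "WARNING" if scope == "prod" else "NIT"
            findings.append((sev, f"package.json {scope} dependency floating: {name}@{spec}"))
    for name, age in audit_release_age(pkg, publish_dates, today):
        findings.append(("ELEVATED", f"{name}: current release is {age} day(s) old (< {FRESH_DAYS})"))
    order = {"ELEVATED": 0, "WARNING": 1, "NIT": 2}
    findings.sort(key=lambda f: order[f[0]])
    return findings


if __name__ == "__main__":
    for sev, msg in run_audit():
        print(f"[{sev}] {msg}")
```

The unpinned findings are reported unconditionally, matching the "always reported, even when no CVEs are found" rule; the prod/dev split reflects the usage-weighting step, since a floating range in a CI-only tool is ranked below one in the request path.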
Remediation, gated and scoped
By default the supply-chain agent is read-only against your repo. Pinning remediation is a separate, opt-in capability — turn it on per workflow or confirm it in chat, and the autonomous code agent opens a real PR scoped strictly to pinning.
- GitHub Actions: @tag → pinned commit SHA (with tag comment)
- Dockerfile: FROM image:tag → @sha256:digest
- Never auto-merged. Never bumps versions. Never edits app code.
100% Australian residency
Every prompt and response is processed by Bedrock in Melbourne or Sydney. Nothing leaves Australia.
IRAP & ISM-aligned
Quant is the first company through Australia's new ISM controls for AI. Government and contractor-ready by design.
Org-level audit log
Every conversation, tool call, autonomous job, and PR action is captured. Compliance-ready out of the box.
Bring autonomous coding inside your governance perimeter
QuantCode runs against your repos, on your sovereign Quant org, with every action logged.