Headless Mode
Run Autohand Code on AWS EC2
Create a small EC2 Linux runner for Autohand Code, restrict access with AWS security groups, and run repeatable headless jobs against a repository.
Provider docs used
This tutorial follows the shape of the AWS EC2 getting started guide: launch an instance, choose an image and instance type, attach a key pair, control inbound traffic with a security group, and connect with SSH. Keep the AWS guide open for current console labels and region-specific defaults: Get started with Amazon EC2.
Architecture
The EC2 instance is the Autohand Code runner. It holds a working copy of your repository, an Autohand Code config, provider credentials, and optional cron or systemd timers. Humans connect over SSH or AWS Systems Manager Session Manager; automation can call a local webhook endpoint through a private load balancer, API Gateway, or Cloudflare Tunnel.
| Component | Recommendation |
|---|---|
| AMI | Ubuntu LTS or Amazon Linux; use the same family across runners |
| Instance type | Start small, then scale CPU and memory to match your repo build requirements |
| Storage | Use enough EBS space for the repo, dependencies, build artifacts, and logs |
| Network | Allow SSH only from trusted IP ranges or use Session Manager |
| Identity | Use a dedicated Unix user and a dedicated Git deploy key |
Step 1: Launch the EC2 instance
- Open the EC2 console and choose Launch instance.
- Name the instance
autohand-runner. - Select an Ubuntu LTS or Amazon Linux image.
- Select an instance type that is large enough for your repository tests.
- Create or select a key pair. Do not proceed without a key pair if you plan to use SSH.
- In network settings, create a security group that allows SSH only from your trusted IP address or VPN CIDR.
- Launch the instance and wait until instance status checks pass.
Production warning: AWS shows an easy path that allows SSH from anywhere. Use that only for a short-lived test. For a real runner, restrict inbound SSH, use Session Manager, or place access behind a private network.
Step 2: Connect and create a runner user
Use the SSH command from the EC2 console's Connect tab. The user depends on your AMI, such as ubuntu for Ubuntu or ec2-user for Amazon Linux.
chmod 400 ~/.ssh/autohand-runner.pem
ssh -i ~/.ssh/autohand-runner.pem [email protected]
sudo adduser --disabled-password --gecos "" autohand
sudo usermod -aG sudo autohand
sudo su - autohandStep 3: Install Node.js, Git, and Autohand Code
sudo apt-get update
sudo apt-get install -y ca-certificates curl git build-essential
# Install Node.js from your approved source, then verify:
node --version
npm --version
npm install -g autohand-cli
autohand --versionPin the Autohand Code CLI version for production runners if your organization requires repeatable deployments.
Step 4: Configure credentials
Store model provider credentials in a file owned by the runner user, or inject them from AWS Secrets Manager into the shell environment before starting a job.
mkdir -p ~/.autohand
chmod 700 ~/.autohand
cat > ~/.autohand/env <<'EOF'
export OPENROUTER_API_KEY="sk-or-v1-..."
export AUTOHAND_MODEL="anthropic/claude-sonnet-4"
export AUTOHAND_OUTPUT_FORMAT="stream-json"
EOF
chmod 600 ~/.autohand/env
source ~/.autohand/envStep 5: Clone and prepare the repository
mkdir -p ~/work ~/logs
cd ~/work
git clone [email protected]:your-org/your-repo.git
cd your-repo
autohand -p "Inspect this repository and update AGENTS.md with build, test, and style instructions for future headless jobs" --restrictedStep 6: Run the first EC2 job
Start with restricted mode so you can confirm access, model credentials, and logging before allowing changes.
source ~/.autohand/env
cd ~/work/your-repo
git pull --ff-only
autohand -p "Review the latest repository state and summarize the highest-priority issues" \
--restricted \
--output-format stream-json | tee -a ~/logs/review.jsonlStep 7: Schedule or trigger jobs
Use cron for simple scheduled work. Use EventBridge, Systems Manager Run Command, GitHub Actions over SSH, or a small webhook process for triggered work.
crontab -e# Weekday review at 08:00 UTC
0 8 * * 1-5 . $HOME/.autohand/env && cd $HOME/work/your-repo && git pull --ff-only && autohand -p "Review changes from the last 24 hours and list action items" --restricted --output-format json >> $HOME/logs/daily-review.jsonl 2>&1Operations checklist
- Enable CloudWatch or your normal log shipper for
~/logsif jobs need central visibility. - Use EBS snapshots before changing runner images or allowing write jobs.
- Rotate SSH keys, Git deploy keys, and model provider keys separately.
- Prefer
--restrictedfor review jobs and explicit--yesonly for narrow trusted write jobs. - Terminate unused instances so idle runners do not continue accruing cost.