Skip to content

v0.8.0 — machine policy, transparent proxy, hardened call log

Choose a tag to compare

@github-actions github-actions released this 10 Jul 07:20

The runtime control plane grows teeth: a machine-level policy layer no repo can loosen, a transparent proxy mode for standard MCP clients, and a hardened call log.

Machine-level policy with deny precedence

Your own [policy.tools] in ~/.agentstack/agentstack.toml is now checked before the project's on every brokered call — a cloned repo's policy cannot loosen it, and machine refusals name their layer in the error and the call log.

# ~/.agentstack/agentstack.toml — applies to every project on this machine
[policy.tools]
"*" = ["!delete_*"]            # rename-proof: no server may delete_*, whatever a repo names it
github = ["get_*", "list_*"]   # servers named github are read-only

Be precise about what a rule binds to: named rules match the manifest-chosen server name (which a repo controls); the new "*" wildcard key constrains every server regardless of name. explain <server> shows both layers; doctor flags an unreadable machine manifest (which fails open to project-only policy).

Transparent mode: a drop-in MCP proxy

agentstack mcp --transparent (register with connect --transparent) advertises the policy-filtered upstream tools as <server>__<tool> in tools/list — any standard MCP client can use the proxied surface with zero agentstack knowledge. Compact mode (bounded tool context via tools_search) stays the default. Auto-project mode announces the lazily built, trust-gated gateway via notifications/tools/list_changed.

Call log hardening

  • No upstream-authored text: failed calls log a fixed error class (unresolved-secret / timeout / spawn-failed / http-error / upstream-error) — a malicious server can no longer write into the log.
  • Keyed argument digests: a per-machine random secret (audit/key, 0600) keys the digests, so an exfiltrated log alone can't confirm guessed argument values.
  • Private files: log, key, and audit dir are created (and re-tightened) 0600/0700.
  • Honest docs: it's a best-effort local diagnostic call log — not durable, not tamper-evident.

Also

  • Gateway per-upstream concurrency shipped in the previous tag now drains in-flight calls at session end instead of dropping responses.
  • The gateway's module contract and reference docs updated throughout.

Upgrading from ≤ v0.6.x: the v0.7.0 trust-digest change applies — previously trusted projects re-gate once; re-run agentstack trust <dir> after reviewing.