Skip to content

agentproto 0.5.0 — auth, sandbox, and observability

Choose a tag to compare

@github-actions github-actions released this 08 Jul 14:52
6da5363

agentproto 0.5.0

Released 2026-07-08. Tagged on npm as @agentproto/cli@0.5.0,
@agentproto/runtime@0.5.0, with 37 packages published in total — including
six new ones: @agentproto/auth, @agentproto/secrets,
@agentproto/sandbox, @agentproto/sandbox-e2b,
@agentproto/storage-github, and @agentproto/egress.

Upgrade:

npm i -g @agentproto/cli

Theme

0.4 made the daemon a supervision surface. 0.5 makes it one you can trust with
credentials, run somewhere other than your laptop, and actually measure.

Three arcs land together. Auth: a real credential broker with device-code
login, keychain storage, and brokered headers forwarded to child MCP servers —
the secret never touches env or config. Isolation: an AIP-36 sandbox
provider interface plus an E2B implementation, so any workflow step can declare
a sandbox instead of running against your filesystem. Observability: an eval
harness with vendor-neutral LLM-judge scoring, Langfuse telemetry, dependency-free
redaction, and per-session cost/token accounting that refuses to fabricate a
price it can't source.

Plus the smaller things you'll actually feel day to day: gateway presets for
DeepSeek, Moonshot/Kimi and OpenRouter; a role registry with a spawn-time
privilege gate; and a live PTY panel.

Full 37-package detail: these notes cover the CLI-facing arc. The complete
consolidated announcement for this batch — including the claude-sdk adapter,
FileStore's AES-256-GCM at rest, and the full auth.md claim ceremony — is at
agentproto — July 2026 release.
(That tag is misnamed release/2025-07; it shipped July 2026. Kept as-is so
existing links don't break — releases from 0.6 on are dated correctly.)

What's new

Add pluggable credential brokering and device-code auth (@agentproto/auth@0.1.0, @agentproto/secrets@0.1.0)

@agentproto/auth is a new first-party package that implements AIP-50 end to end. It ships three CredentialStore backends (Keychain, Memory, File), a CredentialBroker that resolves ready-to-use Authorization headers by provider path, and a full RFC 8628 device-code flow engine with daemon-side credential persistence.

The CredentialBroker handles proactive refresh (credentials are renewed 60 s before expiry), audience scoping, and the distinction between PAT / OAT / daemon tokens (served as Bearer directly) and assertion-style tokens (exchanged by a flow engine first). agentproto auth login is now rewritten onto this engine, and agentproto auth cred set|list|rm lets you seed credentials for brokered child-MCP servers at spawn time.

import { CredentialBroker, KeychainStore, getAuthProvider } from "@agentproto/auth"

const broker = new CredentialBroker({
  store: new KeychainStore(),
  getProvider: getAuthProvider,
})
// Returns { Authorization: "Bearer <token>" }, refreshing silently when stale.
const headers = await broker.resolveHeaders({ path: "guilde" })

@agentproto/secrets@0.1.0 adds the complementary mcp-header SecretExposure variant and resolveMcpHeaderExposure, so brokered headers can be forwarded to child-MCP servers at session spawn time — the secret never appears in env or config.


Run agents in isolated sandboxes (@agentproto/sandbox@0.1.0, @agentproto/sandbox-e2b@0.1.0)

@agentproto/sandbox defines the AIP-36 SandboxProvider interface — a backend-agnostic boot/connect/pause/stop lifecycle — and createSandboxAgentSessionHost, which resolves secrets into env, boots the provider's box, connects an agentproto daemon to the exposed MCP URL, and returns a typed session host. Sandbox reconnect and AIP-36 lifecycle pause are supported: a paused sandbox can be reconnected later via provider.connect(sandboxId, …).

@agentproto/sandbox-e2b@0.1.0 ships the first concrete provider, backed by the E2B SDK. The runtime wires this up via agent_start.sandbox so any AgentStep in a workflow can declare a sandbox — no bespoke spawn plumbing required.

import { createSandboxAgentSessionHost } from "@agentproto/sandbox"
import { e2bSandboxProvider } from "@agentproto/sandbox-e2b"

const host = await createSandboxAgentSessionHost({
  provider: e2bSandboxProvider,
  spec: sandboxHandle,
  secrets: { slugs: ["ANTHROPIC_API_KEY"] },
})
// host is a full DaemonAgentSessionHost — prompt, export, stop, pause all work.
await host.stop() // closes daemon connection then tears down the E2B box

Add @agentproto/eval eval harness with LLM-judge scoring (@agentproto/eval@0.2.0, @agentproto/eval-reporters@0.2.0)

runEval runs a suite of typed cases through a target function, scores each output with one or more bound scorers (each of which is an AIP-14 tool), and aggregates a full EvalReport. Four deterministic built-in scorers ship in evalScorersProvider: exact-match, regex-match, json-schema-valid, and latency-budget.

eval.llm-judge is a model-backed scorer whose judge is an injected JudgeFn — the package carries no LLM SDK. makeLlmJudgeDriver(judge) wraps any async function that returns { value, passed?, rationale? } into a driver that plugs into the same bindScorer/runEval pipeline as the deterministic scorers.

import { runEval, llmJudge, bindScorer } from "@agentproto/eval"

const report = await runEval(
  {
    id: "summarise-suite",
    cases: [{ id: "c1", input: longDoc, expected: "concise summary" }],
    scorers: [
      bindScorer(llmJudge({
        id: "quality",
        judge: myAgentJudge,          // any async fn satisfying JudgeFn
        criteria: "Is the summary accurate, concise, and free of hallucinations?",
        mapOutput: ({ output }) => output,
      })),
    ],
  },
  { target: async (doc) => summarise(doc) },
)
// report.passedCount, report.meanValue, report.cases[].scores

@agentproto/eval-reporters@0.2.0 adds a Langfuse adapter that forwards eval events to Langfuse as a structured span tree, with dedup-safe envelope ids and per-case span nesting.


Ship @agentproto/telemetry and Langfuse session tracing (@agentproto/telemetry@0.2.0, @agentproto/telemetry-langfuse@0.2.0)

@agentproto/telemetry now exports a full OTel adapter (otelTelemetry) alongside the existing arrayTelemetry / composeTelemetry / stderrTelemetry sinks, with a typed TelemetryEvent port that both the eval harness and the runtime consume.

@agentproto/telemetry-langfuse@0.2.0 ships langfuseTelemetry — a sink that ingests agent session turn events into Langfuse as traces, with atomic-drain flush on shutdown, per-case span trees, and trace input/output metadata. The runtime wires this in as langfuseSessionTracer, enabled per-session via filterSessionObserver.


Add @agentproto/redaction — dependency-free payload redaction (@agentproto/redaction@0.2.0)

Four composable Redactor implementations with no external dependencies:

  • denyListRedactor — deep-walks JSON and masks values whose keys match a built-in set of sensitive patterns (authorization, password, secret, token, apikey, bearer, cookie, private_key, credential, …) plus any caller-supplied extras. Case-insensitive, never mutates the input.
  • truncateRedactor — caps long strings (default 2 000 chars) and long arrays (default 100 items) with a …[+N chars/items] suffix.
  • valueScanRedactor — scans string values for well-known secret shapes regardless of their key — PEM blocks, JWTs, sk- prefixed API keys, AWS access key ids, GitHub tokens, Slack tokens, Google API keys, and Bearer/Basic scheme headers.
  • chainRedactors — pipes output of one redactor into the next.
import { chainRedactors, denyListRedactor, valueScanRedactor } from "@agentproto/redaction"

const redact = chainRedactors([denyListRedactor(), valueScanRedactor()])
const safe = redact.redact({ Authorization: "Bearer sk-ant-abc…", note: "use sk-live-xyz" })
// → { Authorization: "[redacted]", note: "use [redacted]" }

The runtime's default telemetry tracer is now set to the "secrets" redactor slug so turn events are scrubbed before leaving the process.


Per-session cost and token observability (@agentproto/acp@0.4.0, @agentproto/runtime@0.5.0)

usage_update ACP stream events now carry tokensIn, tokensOut, and cost. The runtime's deriveSessionUsage resolves these into a SessionUsage snapshot with a four-way source tag: "adapter" (the agent reported a cost directly), "computed" (tokens priced against the in-repo LLM catalog), "no-pricing" (tokens exist but the model isn't in the catalog — no fabricated price), or "none" (nothing measured). The snapshot is accessible live via the session_usage MCP tool and durable in the transcript's usage_snapshot event. Hermes and Mastracode adapters now both emit usage_update events.


Add Anthropic-compatible gateway presets (@agentproto/provider-presets@0.2.0, @agentproto/adapter-claude-code@0.2.0, @agentproto/adapter-claude-sdk@0.2.0)

@agentproto/provider-presets ships three Anthropic-compatible gateway presets usable with both the claude-code and claude-sdk adapters (both honor ANTHROPIC_BASE_URL + ANTHROPIC_AUTH_TOKEN):

Preset id Provider Notes
moonshot Moonshot / Kimi kimi-k2.7-code, thinking required
openrouter OpenRouter Any OpenRouter model id
deepseek DeepSeek deepseek-v4-pro default; thinking supported

The ambient ANTHROPIC_API_KEY is automatically scrubbed from env when a gateway base_url is set, so it never leaks to a third-party host. adapter-claude-sdk@0.2.0 also gains auth_token support, gateway model-tier pinning, and an idle watchdog that prevents frozen sessions on long thinking turns.


Ship @agentproto/storage-github — AIP-35 GitHub WorkspaceSync (@agentproto/storage-github@0.1.0)

defineGithubStorage creates a StorageHandle whose factory returns a GithubFilesystem implementing WorkspaceSync (pull/push). Branching strategy is configurable (main / per-conversation / per-turn), PR creation is opt-in (prPolicy: "auto"), and the token is passed via GIT_HTTP_EXTRAHEADER — never on the command line or in the repo URL. The pairsWith: "sandbox" capability metadata signals that GitHub storage is designed to pair with a sandbox session host (AIP-36).


Add role registry and spawn-time privilege gate (@agentproto/runtime@0.5.0)

Agents now spawn into one of two built-in role profiles (executor or supervisor) or a custom role loaded from ~/.agentproto/roles/<slug>/ROLE.md or from an adapter package's metadata.roles. The role_list MCP tool enumerates available roles. A maxGrantableDelegation cap in ~/.agentproto/config.json prevents role packs from self-granting delegation above the operator's configured ceiling — a pack that declares toolPolicy.delegation: "allow" at a level above the cap is silently forced to "deny".


Extend worktree workflows with sandbox and linkPaths (@agentproto/worktree@0.2.0, @agentproto/workflow-runtime@0.3.0)

worktree.provision now accepts linkPaths — an array of gitignored directories or files to symlink from the host repo into the fresh worktree before running depsCmd. This lets a pnpm install --prefer-offline inside the worktree resolve the local node_modules graph without a full reinstall. AgentStep in @agentproto/workflow-runtime gains a cwd selector that binds to the worktree's provisioned path, wiring the worktree-agent workflow cleanly: provision → agent (cwd = worktree) → gate → approval → cleanup.


Add @agentproto/agent-runtime@0.1.0 — swarm runner fixes and telemetry re-exports

@agentproto/agent-runtime ships fixes for the run-swarm role path resolver, a claude-code permission hang during multi-participant spawns, and per-participant model config. It also re-exports Telemetry types and sinks from @agentproto/telemetry, removing inline duplicates from the prior release.


Add agentproto_terminal MCP app — live PTY over WebSocket (@agentproto/runtime@0.5.0)

The new agentproto_terminal MCP app exposes a live PTY terminal as a panel in the MCP UI bridge. terminal_input gains enter and b64 options for reliable TUI key submission (carriage-return enter is sent as an isolated write to avoid paste-safe conflicts), and the panel's connectDomains CSP is updated to trust the cli.agentproto.sh origin.


Add global defaults block to config and --pack fan-out for skills (@agentproto/cli@0.5.0, @agentproto/runtime@0.5.0)

A new defaults block in ~/.agentproto/config.json sets global and per-adapter skills and options that are auto-applied to every agent_start spawn. A normalized skills: string[] is folded into the adapter's native option shape (e.g. Hermes uses comma-joined --skills a,b); adapters with no declared skills option are a no-op.

agentproto install --pack fans out skill installation across all compatible adapters in one command, and agentproto pack skill --source adds a cross-repo sourceDir override for building a skill pack from a different repo root.


Rename adapter-kitprovider-kit (@agentproto/provider-kit@0.2.0, @agentproto/adapter-kit@0.3.0)

@agentproto/adapter-kit is renamed to @agentproto/provider-kit to better reflect its role (a slug-keyed registry for tunnel, browser, sandbox, and CLI adapter families). @agentproto/adapter-kit@0.3.0 is a backward-compatibility shim that re-exports everything from the new package name — no changes needed for code that still imports the old name.


Add per-mode support status and models.deny to AIP-45 manifests (@agentproto/driver-agent-cli@0.4.0)

Agent-CLI adapter manifests can now declare a support field per mode (active | noop | planned), making it explicit which modes are fully wired vs. intentionally no-op vs. roadmap. models.deny lets an adapter reserve model families — adapter-hermes now reserves Anthropic models for adapter-claude-code, so Anthropic models no longer appear in Hermes' model picker.


Add YtDlp caption-first video ingestion to corpus import-web (@agentproto/corpus@0.2.1, @agentproto/corpus-cli@0.3.0)

import-web now uses YtDlpCaptionsFetcher as the primary ingestion path for video URLs — fetching subtitle tracks first (fast, no transcription cost) and falling back to audio transcription only when captions are absent. The ffmpegLocation option and hardened yt-dlp args were added in 0.2.0.


Package versions

Package Version Bump
@agentproto/acp 0.4.0 minor
@agentproto/adapter-claude-code 0.2.0 minor
@agentproto/adapter-claude-sdk 0.2.0 minor
@agentproto/adapter-codex 0.1.2 patch
@agentproto/adapter-hermes 0.2.0 minor
@agentproto/adapter-kit 0.3.0 minor (compat shim)
@agentproto/adapter-mastra-agent 0.1.2 patch
@agentproto/adapter-mastracode 0.2.1 patch
@agentproto/adapter-mastracode-inprocess 0.2.1 patch
@agentproto/adapter-openclaw 0.1.2 patch
@agentproto/adapter-opencode 0.1.2 patch
@agentproto/agent-runtime 0.1.0 new
@agentproto/auth 0.1.0 new
@agentproto/cli 0.5.0 minor
@agentproto/connector 0.1.1 patch
@agentproto/corpus 0.2.1 patch
@agentproto/corpus-cli 0.3.0 minor
@agentproto/corpus-presets 0.2.1 patch
@agentproto/driver-agent-cli 0.4.0 minor
@agentproto/egress 0.1.0 new
@agentproto/eval 0.2.0 minor
@agentproto/eval-reporters 0.2.0 minor
@agentproto/harness 0.2.0 minor
@agentproto/mastra 0.2.1 patch
@agentproto/provider-kit 0.2.0 minor
@agentproto/provider-presets 0.2.0 minor
@agentproto/redaction 0.2.0 minor
@agentproto/runtime 0.5.0 minor
@agentproto/runtime-profile-standard 0.1.1 patch
@agentproto/sandbox 0.1.0 new
@agentproto/sandbox-e2b 0.1.0 new
@agentproto/secrets 0.1.0 new
@agentproto/storage-github 0.1.0 new
@agentproto/telemetry 0.2.0 minor
@agentproto/telemetry-langfuse 0.2.0 minor
@agentproto/workflow-runtime 0.3.0 minor
@agentproto/worktree 0.2.0 minor

Installing / upgrading

npm install \
  @agentproto/auth@latest \
  @agentproto/sandbox@latest \
  @agentproto/sandbox-e2b@latest \
  @agentproto/secrets@latest \
  @agentproto/storage-github@latest \
  @agentproto/eval@latest \
  @agentproto/eval-reporters@latest \
  @agentproto/telemetry@latest \
  @agentproto/telemetry-langfuse@latest \
  @agentproto/redaction@latest \
  @agentproto/acp@latest \
  @agentproto/runtime@latest \
  @agentproto/cli@latest \
  @agentproto/driver-agent-cli@latest \
  @agentproto/workflow-runtime@latest \
  @agentproto/worktree@latest \
  @agentproto/provider-kit@latest \
  @agentproto/provider-presets@latest \
  @agentproto/adapter-claude-code@latest \
  @agentproto/adapter-claude-sdk@latest \
  @agentproto/adapter-hermes@latest \
  @agentproto/corpus@latest \
  @agentproto/corpus-cli@latest

Full changelogs