agentproto 0.5.0 — auth, sandbox, and observability
agentproto 0.5.0
Released 2026-07-08. Tagged on npm as @agentproto/cli@0.5.0,
@agentproto/runtime@0.5.0, with 37 packages published in total — including
six new ones: @agentproto/auth, @agentproto/secrets,
@agentproto/sandbox, @agentproto/sandbox-e2b,
@agentproto/storage-github, and @agentproto/egress.
Upgrade:
npm i -g @agentproto/cli
Theme
0.4 made the daemon a supervision surface. 0.5 makes it one you can trust with
credentials, run somewhere other than your laptop, and actually measure.
Three arcs land together. Auth: a real credential broker with device-code
login, keychain storage, and brokered headers forwarded to child MCP servers —
the secret never touches env or config. Isolation: an AIP-36 sandbox
provider interface plus an E2B implementation, so any workflow step can declare
a sandbox instead of running against your filesystem. Observability: an eval
harness with vendor-neutral LLM-judge scoring, Langfuse telemetry, dependency-free
redaction, and per-session cost/token accounting that refuses to fabricate a
price it can't source.
Plus the smaller things you'll actually feel day to day: gateway presets for
DeepSeek, Moonshot/Kimi and OpenRouter; a role registry with a spawn-time
privilege gate; and a live PTY panel.
Full 37-package detail: these notes cover the CLI-facing arc. The complete
consolidated announcement for this batch — including theclaude-sdkadapter,
FileStore's AES-256-GCM at rest, and the full auth.md claim ceremony — is at
agentproto — July 2026 release.
(That tag is misnamedrelease/2025-07; it shipped July 2026. Kept as-is so
existing links don't break — releases from 0.6 on are dated correctly.)
What's new
Add pluggable credential brokering and device-code auth (@agentproto/auth@0.1.0, @agentproto/secrets@0.1.0)
@agentproto/auth is a new first-party package that implements AIP-50 end to end. It ships three CredentialStore backends (Keychain, Memory, File), a CredentialBroker that resolves ready-to-use Authorization headers by provider path, and a full RFC 8628 device-code flow engine with daemon-side credential persistence.
The CredentialBroker handles proactive refresh (credentials are renewed 60 s before expiry), audience scoping, and the distinction between PAT / OAT / daemon tokens (served as Bearer directly) and assertion-style tokens (exchanged by a flow engine first). agentproto auth login is now rewritten onto this engine, and agentproto auth cred set|list|rm lets you seed credentials for brokered child-MCP servers at spawn time.
import { CredentialBroker, KeychainStore, getAuthProvider } from "@agentproto/auth"
const broker = new CredentialBroker({
store: new KeychainStore(),
getProvider: getAuthProvider,
})
// Returns { Authorization: "Bearer <token>" }, refreshing silently when stale.
const headers = await broker.resolveHeaders({ path: "guilde" })@agentproto/secrets@0.1.0 adds the complementary mcp-header SecretExposure variant and resolveMcpHeaderExposure, so brokered headers can be forwarded to child-MCP servers at session spawn time — the secret never appears in env or config.
Run agents in isolated sandboxes (@agentproto/sandbox@0.1.0, @agentproto/sandbox-e2b@0.1.0)
@agentproto/sandbox defines the AIP-36 SandboxProvider interface — a backend-agnostic boot/connect/pause/stop lifecycle — and createSandboxAgentSessionHost, which resolves secrets into env, boots the provider's box, connects an agentproto daemon to the exposed MCP URL, and returns a typed session host. Sandbox reconnect and AIP-36 lifecycle pause are supported: a paused sandbox can be reconnected later via provider.connect(sandboxId, …).
@agentproto/sandbox-e2b@0.1.0 ships the first concrete provider, backed by the E2B SDK. The runtime wires this up via agent_start.sandbox so any AgentStep in a workflow can declare a sandbox — no bespoke spawn plumbing required.
import { createSandboxAgentSessionHost } from "@agentproto/sandbox"
import { e2bSandboxProvider } from "@agentproto/sandbox-e2b"
const host = await createSandboxAgentSessionHost({
provider: e2bSandboxProvider,
spec: sandboxHandle,
secrets: { slugs: ["ANTHROPIC_API_KEY"] },
})
// host is a full DaemonAgentSessionHost — prompt, export, stop, pause all work.
await host.stop() // closes daemon connection then tears down the E2B boxAdd @agentproto/eval eval harness with LLM-judge scoring (@agentproto/eval@0.2.0, @agentproto/eval-reporters@0.2.0)
runEval runs a suite of typed cases through a target function, scores each output with one or more bound scorers (each of which is an AIP-14 tool), and aggregates a full EvalReport. Four deterministic built-in scorers ship in evalScorersProvider: exact-match, regex-match, json-schema-valid, and latency-budget.
eval.llm-judge is a model-backed scorer whose judge is an injected JudgeFn — the package carries no LLM SDK. makeLlmJudgeDriver(judge) wraps any async function that returns { value, passed?, rationale? } into a driver that plugs into the same bindScorer/runEval pipeline as the deterministic scorers.
import { runEval, llmJudge, bindScorer } from "@agentproto/eval"
const report = await runEval(
{
id: "summarise-suite",
cases: [{ id: "c1", input: longDoc, expected: "concise summary" }],
scorers: [
bindScorer(llmJudge({
id: "quality",
judge: myAgentJudge, // any async fn satisfying JudgeFn
criteria: "Is the summary accurate, concise, and free of hallucinations?",
mapOutput: ({ output }) => output,
})),
],
},
{ target: async (doc) => summarise(doc) },
)
// report.passedCount, report.meanValue, report.cases[].scores@agentproto/eval-reporters@0.2.0 adds a Langfuse adapter that forwards eval events to Langfuse as a structured span tree, with dedup-safe envelope ids and per-case span nesting.
Ship @agentproto/telemetry and Langfuse session tracing (@agentproto/telemetry@0.2.0, @agentproto/telemetry-langfuse@0.2.0)
@agentproto/telemetry now exports a full OTel adapter (otelTelemetry) alongside the existing arrayTelemetry / composeTelemetry / stderrTelemetry sinks, with a typed TelemetryEvent port that both the eval harness and the runtime consume.
@agentproto/telemetry-langfuse@0.2.0 ships langfuseTelemetry — a sink that ingests agent session turn events into Langfuse as traces, with atomic-drain flush on shutdown, per-case span trees, and trace input/output metadata. The runtime wires this in as langfuseSessionTracer, enabled per-session via filterSessionObserver.
Add @agentproto/redaction — dependency-free payload redaction (@agentproto/redaction@0.2.0)
Four composable Redactor implementations with no external dependencies:
denyListRedactor— deep-walks JSON and masks values whose keys match a built-in set of sensitive patterns (authorization,password,secret,token,apikey,bearer,cookie,private_key,credential, …) plus any caller-supplied extras. Case-insensitive, never mutates the input.truncateRedactor— caps long strings (default 2 000 chars) and long arrays (default 100 items) with a…[+N chars/items]suffix.valueScanRedactor— scans string values for well-known secret shapes regardless of their key — PEM blocks, JWTs,sk-prefixed API keys, AWS access key ids, GitHub tokens, Slack tokens, Google API keys, andBearer/Basicscheme headers.chainRedactors— pipes output of one redactor into the next.
import { chainRedactors, denyListRedactor, valueScanRedactor } from "@agentproto/redaction"
const redact = chainRedactors([denyListRedactor(), valueScanRedactor()])
const safe = redact.redact({ Authorization: "Bearer sk-ant-abc…", note: "use sk-live-xyz" })
// → { Authorization: "[redacted]", note: "use [redacted]" }The runtime's default telemetry tracer is now set to the "secrets" redactor slug so turn events are scrubbed before leaving the process.
Per-session cost and token observability (@agentproto/acp@0.4.0, @agentproto/runtime@0.5.0)
usage_update ACP stream events now carry tokensIn, tokensOut, and cost. The runtime's deriveSessionUsage resolves these into a SessionUsage snapshot with a four-way source tag: "adapter" (the agent reported a cost directly), "computed" (tokens priced against the in-repo LLM catalog), "no-pricing" (tokens exist but the model isn't in the catalog — no fabricated price), or "none" (nothing measured). The snapshot is accessible live via the session_usage MCP tool and durable in the transcript's usage_snapshot event. Hermes and Mastracode adapters now both emit usage_update events.
Add Anthropic-compatible gateway presets (@agentproto/provider-presets@0.2.0, @agentproto/adapter-claude-code@0.2.0, @agentproto/adapter-claude-sdk@0.2.0)
@agentproto/provider-presets ships three Anthropic-compatible gateway presets usable with both the claude-code and claude-sdk adapters (both honor ANTHROPIC_BASE_URL + ANTHROPIC_AUTH_TOKEN):
| Preset id | Provider | Notes |
|---|---|---|
moonshot |
Moonshot / Kimi | kimi-k2.7-code, thinking required |
openrouter |
OpenRouter | Any OpenRouter model id |
deepseek |
DeepSeek | deepseek-v4-pro default; thinking supported |
The ambient ANTHROPIC_API_KEY is automatically scrubbed from env when a gateway base_url is set, so it never leaks to a third-party host. adapter-claude-sdk@0.2.0 also gains auth_token support, gateway model-tier pinning, and an idle watchdog that prevents frozen sessions on long thinking turns.
Ship @agentproto/storage-github — AIP-35 GitHub WorkspaceSync (@agentproto/storage-github@0.1.0)
defineGithubStorage creates a StorageHandle whose factory returns a GithubFilesystem implementing WorkspaceSync (pull/push). Branching strategy is configurable (main / per-conversation / per-turn), PR creation is opt-in (prPolicy: "auto"), and the token is passed via GIT_HTTP_EXTRAHEADER — never on the command line or in the repo URL. The pairsWith: "sandbox" capability metadata signals that GitHub storage is designed to pair with a sandbox session host (AIP-36).
Add role registry and spawn-time privilege gate (@agentproto/runtime@0.5.0)
Agents now spawn into one of two built-in role profiles (executor or supervisor) or a custom role loaded from ~/.agentproto/roles/<slug>/ROLE.md or from an adapter package's metadata.roles. The role_list MCP tool enumerates available roles. A maxGrantableDelegation cap in ~/.agentproto/config.json prevents role packs from self-granting delegation above the operator's configured ceiling — a pack that declares toolPolicy.delegation: "allow" at a level above the cap is silently forced to "deny".
Extend worktree workflows with sandbox and linkPaths (@agentproto/worktree@0.2.0, @agentproto/workflow-runtime@0.3.0)
worktree.provision now accepts linkPaths — an array of gitignored directories or files to symlink from the host repo into the fresh worktree before running depsCmd. This lets a pnpm install --prefer-offline inside the worktree resolve the local node_modules graph without a full reinstall. AgentStep in @agentproto/workflow-runtime gains a cwd selector that binds to the worktree's provisioned path, wiring the worktree-agent workflow cleanly: provision → agent (cwd = worktree) → gate → approval → cleanup.
Add @agentproto/agent-runtime@0.1.0 — swarm runner fixes and telemetry re-exports
@agentproto/agent-runtime ships fixes for the run-swarm role path resolver, a claude-code permission hang during multi-participant spawns, and per-participant model config. It also re-exports Telemetry types and sinks from @agentproto/telemetry, removing inline duplicates from the prior release.
Add agentproto_terminal MCP app — live PTY over WebSocket (@agentproto/runtime@0.5.0)
The new agentproto_terminal MCP app exposes a live PTY terminal as a panel in the MCP UI bridge. terminal_input gains enter and b64 options for reliable TUI key submission (carriage-return enter is sent as an isolated write to avoid paste-safe conflicts), and the panel's connectDomains CSP is updated to trust the cli.agentproto.sh origin.
Add global defaults block to config and --pack fan-out for skills (@agentproto/cli@0.5.0, @agentproto/runtime@0.5.0)
A new defaults block in ~/.agentproto/config.json sets global and per-adapter skills and options that are auto-applied to every agent_start spawn. A normalized skills: string[] is folded into the adapter's native option shape (e.g. Hermes uses comma-joined --skills a,b); adapters with no declared skills option are a no-op.
agentproto install --pack fans out skill installation across all compatible adapters in one command, and agentproto pack skill --source adds a cross-repo sourceDir override for building a skill pack from a different repo root.
Rename adapter-kit → provider-kit (@agentproto/provider-kit@0.2.0, @agentproto/adapter-kit@0.3.0)
@agentproto/adapter-kit is renamed to @agentproto/provider-kit to better reflect its role (a slug-keyed registry for tunnel, browser, sandbox, and CLI adapter families). @agentproto/adapter-kit@0.3.0 is a backward-compatibility shim that re-exports everything from the new package name — no changes needed for code that still imports the old name.
Add per-mode support status and models.deny to AIP-45 manifests (@agentproto/driver-agent-cli@0.4.0)
Agent-CLI adapter manifests can now declare a support field per mode (active | noop | planned), making it explicit which modes are fully wired vs. intentionally no-op vs. roadmap. models.deny lets an adapter reserve model families — adapter-hermes now reserves Anthropic models for adapter-claude-code, so Anthropic models no longer appear in Hermes' model picker.
Add YtDlp caption-first video ingestion to corpus import-web (@agentproto/corpus@0.2.1, @agentproto/corpus-cli@0.3.0)
import-web now uses YtDlpCaptionsFetcher as the primary ingestion path for video URLs — fetching subtitle tracks first (fast, no transcription cost) and falling back to audio transcription only when captions are absent. The ffmpegLocation option and hardened yt-dlp args were added in 0.2.0.
Package versions
| Package | Version | Bump |
|---|---|---|
@agentproto/acp |
0.4.0 |
minor |
@agentproto/adapter-claude-code |
0.2.0 |
minor |
@agentproto/adapter-claude-sdk |
0.2.0 |
minor |
@agentproto/adapter-codex |
0.1.2 |
patch |
@agentproto/adapter-hermes |
0.2.0 |
minor |
@agentproto/adapter-kit |
0.3.0 |
minor (compat shim) |
@agentproto/adapter-mastra-agent |
0.1.2 |
patch |
@agentproto/adapter-mastracode |
0.2.1 |
patch |
@agentproto/adapter-mastracode-inprocess |
0.2.1 |
patch |
@agentproto/adapter-openclaw |
0.1.2 |
patch |
@agentproto/adapter-opencode |
0.1.2 |
patch |
@agentproto/agent-runtime |
0.1.0 |
new |
@agentproto/auth |
0.1.0 |
new |
@agentproto/cli |
0.5.0 |
minor |
@agentproto/connector |
0.1.1 |
patch |
@agentproto/corpus |
0.2.1 |
patch |
@agentproto/corpus-cli |
0.3.0 |
minor |
@agentproto/corpus-presets |
0.2.1 |
patch |
@agentproto/driver-agent-cli |
0.4.0 |
minor |
@agentproto/egress |
0.1.0 |
new |
@agentproto/eval |
0.2.0 |
minor |
@agentproto/eval-reporters |
0.2.0 |
minor |
@agentproto/harness |
0.2.0 |
minor |
@agentproto/mastra |
0.2.1 |
patch |
@agentproto/provider-kit |
0.2.0 |
minor |
@agentproto/provider-presets |
0.2.0 |
minor |
@agentproto/redaction |
0.2.0 |
minor |
@agentproto/runtime |
0.5.0 |
minor |
@agentproto/runtime-profile-standard |
0.1.1 |
patch |
@agentproto/sandbox |
0.1.0 |
new |
@agentproto/sandbox-e2b |
0.1.0 |
new |
@agentproto/secrets |
0.1.0 |
new |
@agentproto/storage-github |
0.1.0 |
new |
@agentproto/telemetry |
0.2.0 |
minor |
@agentproto/telemetry-langfuse |
0.2.0 |
minor |
@agentproto/workflow-runtime |
0.3.0 |
minor |
@agentproto/worktree |
0.2.0 |
minor |
Installing / upgrading
npm install \
@agentproto/auth@latest \
@agentproto/sandbox@latest \
@agentproto/sandbox-e2b@latest \
@agentproto/secrets@latest \
@agentproto/storage-github@latest \
@agentproto/eval@latest \
@agentproto/eval-reporters@latest \
@agentproto/telemetry@latest \
@agentproto/telemetry-langfuse@latest \
@agentproto/redaction@latest \
@agentproto/acp@latest \
@agentproto/runtime@latest \
@agentproto/cli@latest \
@agentproto/driver-agent-cli@latest \
@agentproto/workflow-runtime@latest \
@agentproto/worktree@latest \
@agentproto/provider-kit@latest \
@agentproto/provider-presets@latest \
@agentproto/adapter-claude-code@latest \
@agentproto/adapter-claude-sdk@latest \
@agentproto/adapter-hermes@latest \
@agentproto/corpus@latest \
@agentproto/corpus-cli@latestFull changelogs
- packages/acp/CHANGELOG.md
- packages/adapter-kit/CHANGELOG.md
- packages/agent-runtime/CHANGELOG.md
- packages/auth/CHANGELOG.md
- packages/cli/CHANGELOG.md
- packages/connector/CHANGELOG.md
- packages/corpus/CHANGELOG.md
- packages/corpus-cli/CHANGELOG.md
- packages/corpus-presets/CHANGELOG.md
- packages/driver/agent-cli/CHANGELOG.md
- packages/egress/CHANGELOG.md
- packages/eval/CHANGELOG.md
- packages/eval-reporters/CHANGELOG.md
- packages/harness/CHANGELOG.md
- packages/mastra/CHANGELOG.md
- packages/provider-kit/CHANGELOG.md
- packages/provider-presets/CHANGELOG.md
- packages/redaction/CHANGELOG.md
- packages/runtime/CHANGELOG.md
- packages/runtime-profile-standard/CHANGELOG.md
- packages/sandbox/CHANGELOG.md
- packages/sandbox-e2b/CHANGELOG.md
- packages/secrets/CHANGELOG.md
- packages/storage-github/CHANGELOG.md
- packages/telemetry/CHANGELOG.md
- packages/telemetry-langfuse/CHANGELOG.md
- packages/workflow-runtime/CHANGELOG.md
- packages/worktree/CHANGELOG.md
- adapters/claude-code/CHANGELOG.md
- adapters/claude-sdk/CHANGELOG.md
- adapters/codex/CHANGELOG.md
- adapters/hermes/CHANGELOG.md
- adapters/mastra-agent/CHANGELOG.md
- adapters/mastracode/CHANGELOG.md
- adapters/mastracode-inprocess/CHANGELOG.md
- adapters/openclaw/CHANGELOG.md
- adapters/opencode/CHANGELOG.md