Skip to content

Releases: datacarismo/kennelbox

v0.1.1 — first PyPI release

Choose a tag to compare

@datacarismo datacarismo released this 12 Jul 05:16

First version published to PyPI: pipx install kennelbox (or pip install kennelbox).

Changes since v0.1.0

  • HTTP transport (--http) for remote agents — bearer token required (auto-generated if omitted), constant-time comparison, binds 127.0.0.1 unless --host is given, optional --allowed-ip filtering. Every remote request goes through the same allowlist + firejail pipeline as stdio.
  • Fixed wheel packaging — v0.1.0's wheel omitted the default config files, breaking kennelbox init on non-editable installs. config/ is now a proper package.
  • Project URLs in package metadata (pip show kennelbox links back here).

See the v0.1.0 notes for the full feature and security-model rundown.

🤖 Generated with Claude Code

v0.1.0 — first public release

Choose a tag to compare

@datacarismo datacarismo released this 12 Jul 04:21

First public release of kennelbox: a firejail-sandboxed workspace that lets AI agents (OpenClaw, Hermes, Claude Code, any MCP client) work on a project directory without being trusted with the rest of your machine.

Security model

The firejail sandbox is the boundary; the allowlist is policy on top. kennelbox refuses to start without firejail — there is no software-only fallback.

  • Whitelist-first filesystem profile: only the project directory is visible in the home tree; credential dirs (~/.ssh, ~/.gnupg, ~/.aws, ~/.config/gcloud, …) explicitly blacklisted; private /tmp and /dev
  • Network disabled by default (--net=none), firejail default seccomp filter
  • All tool I/O runs inside the sandbox — file reads/writes/edits, not just commands
  • Default-deny command allowlist, with inline code-execution flags (-c, -e, --eval, --exec, -x, --command) blocked even for allowed interpreters
  • Path containment via Path.relative_to after symlink resolution; writes to .kennelbox/ (the config dir) always denied
  • Dotfiles and sensitive filenames (.env, .pem, .key, .cert, .pfx, .p12) unconditionally blocked
  • Resource caps: 10 MB file read/write, 1 MB command output (configurable)

MCP tools

read_file · write_file · edit_file (unique-match string replacement) · list_directory · run_command

Transports

  • stdio (default) — for local agents
  • HTTP (--http) — for remote agents, e.g. over Tailscale. Bearer token required (auto-generated if omitted), constant-time comparison, binds 127.0.0.1 unless --host is given, optional per-IP allowlist

Install

git clone https://github.com/datacarismo/kennelbox.git
cd kennelbox
bash install.sh    # checks Python 3.10+, installs firejail via apt, prefers pipx

Then in your project:

kennelbox init
kennelbox run --agent <name>            # stdio
kennelbox run --agent <name> --http     # HTTP, prints URL + token

Requires Linux and Python 3.10+. See PRIORITIES.md for the security review this release closes out (11/11 items resolved).

🤖 Generated with Claude Code