v0.1.0 — first public release
First public release of kennelbox: a firejail-sandboxed workspace that lets AI agents (OpenClaw, Hermes, Claude Code, any MCP client) work on a project directory without being trusted with the rest of your machine.
Security model
The firejail sandbox is the boundary; the allowlist is policy on top. kennelbox refuses to start without firejail — there is no software-only fallback.
- Whitelist-first filesystem profile: only the project directory is visible in the home tree; credential dirs (
~/.ssh,~/.gnupg,~/.aws,~/.config/gcloud, …) explicitly blacklisted; private/tmpand/dev - Network disabled by default (
--net=none), firejail default seccomp filter - All tool I/O runs inside the sandbox — file reads/writes/edits, not just commands
- Default-deny command allowlist, with inline code-execution flags (
-c,-e,--eval,--exec,-x,--command) blocked even for allowed interpreters - Path containment via
Path.relative_toafter symlink resolution; writes to.kennelbox/(the config dir) always denied - Dotfiles and sensitive filenames (
.env,.pem,.key,.cert,.pfx,.p12) unconditionally blocked - Resource caps: 10 MB file read/write, 1 MB command output (configurable)
MCP tools
read_file · write_file · edit_file (unique-match string replacement) · list_directory · run_command
Transports
- stdio (default) — for local agents
- HTTP (
--http) — for remote agents, e.g. over Tailscale. Bearer token required (auto-generated if omitted), constant-time comparison, binds127.0.0.1unless--hostis given, optional per-IP allowlist
Install
git clone https://github.com/datacarismo/kennelbox.git
cd kennelbox
bash install.sh # checks Python 3.10+, installs firejail via apt, prefers pipxThen in your project:
kennelbox init
kennelbox run --agent <name> # stdio
kennelbox run --agent <name> --http # HTTP, prints URL + tokenRequires Linux and Python 3.10+. See PRIORITIES.md for the security review this release closes out (11/11 items resolved).
🤖 Generated with Claude Code