Release v0.1.0
First public release — an agent-agnostic, local, containerised agent-orchestration MCP server you drive from your agent of choice. It runs untrusted shell, scripts, and AI coding agents in disposable OpenSandbox containers, with read-only host mounts and egress allowlists.
Tools
- Sandboxes — `sandbox_script` (one-shot) plus `sandbox_create`/`sandbox_exec`/`sandbox_upload`/`sandbox_download`/`sandbox_destroy` (persistent) run shell and scripts in disposable containers.
- Agents — `sandbox_agent` and `sandbox_research` run a coding-agent CLI inside a sandbox: `codex` by default when Codex credentials are configured, otherwise `claude-code`. Each tool advertises its `agent`/`model` options filtered to the providers you have credentials for. Containerised agents can spawn child sandboxes and, with configuration, reach a read-only subset of the host's MCP server tools.
Security and orchestration
- Read-only host inputs at `/in`; an output-only `/out` whose host directory defaults to `~/.demesne/out` (always included in the mount allowlist); per-tool egress allowlists; agent outbound HTTPS confined to a credential-isolating per-sandbox proxy sidecar, so the agent never sees the real token.
- Separate, tail-bounded stdout/stderr in tool results; indicative per-run cost reporting; a results roll-up across the child-sandbox tree.
- Host MCP proxy: re-expose a curated, read-only subset of the stdio MCP servers from your Claude Code (`DEMESNE_CLAUDE_CODE_MCP_CONFIG`, default `~/.claude.json`) and Codex (`DEMESNE_CODEX_MCP_CONFIG`, default `~/.codex/config.toml`) configs — merged, with Codex winning on name conflicts — to containerised agents through a per-sandbox tunnel.
The milestone sections below (M1–M6) are the per-feature development log that rolls into this release.
Caveats
- This is a pre-1.0 release; APIs and the tool surface may change.