
Release v0.1.0


@github-actions github-actions released this 06 Jun 01:10
v0.1.0
bfa4161

First public release — an agent-agnostic, local, containerised agent-orchestration MCP server you drive from your agent of choice. It runs untrusted shell, scripts, and AI coding agents in disposable OpenSandbox containers, with read-only host mounts and egress allowlists.

Tools

  • Sandboxes: sandbox_script (one-shot) plus sandbox_create / sandbox_exec / sandbox_upload / sandbox_download / sandbox_destroy (persistent) run shell and scripts in disposable containers.
  • Agents: sandbox_agent and sandbox_research run a coding-agent CLI inside a sandbox: codex by default when Codex credentials are configured, otherwise claude-code. Each tool advertises its agent / model options filtered to the providers you have credentials for. Containerised agents can spawn child sandboxes and, with configuration, reach a read-only subset of the host's MCP server tools.

Security and orchestration

  • Read-only host inputs at /in; an output-only /out whose host directory defaults to ~/.demesne/out (always included in the mount allowlist); per-tool egress allowlists; agent outbound HTTPS confined to a credential-isolating per-sandbox proxy sidecar, so the agent never sees the real token.
  • Separate, tail-bounded stdout/stderr in tool results; indicative per-run cost reporting; a results roll-up across the child-sandbox tree.
  • Host MCP proxy: re-expose a curated, read-only subset of the stdio MCP servers from your Claude Code (DEMESNE_CLAUDE_CODE_MCP_CONFIG, default ~/.claude.json) and Codex (DEMESNE_CODEX_MCP_CONFIG, default ~/.codex/config.toml) configs — merged, with Codex winning on name conflicts — to containerised agents through a per-sandbox tunnel.

The milestone sections below (M1–M6) are the per-feature development log that rolls into this release.

Caveats

  • This is a pre-1.0 release; APIs and the tool surface may change.