Releases: jpoindexter/Vanta

Vanta v0.5.0

@github-actions github-actions released this 28 Jun 09:42

v0.5.0 — Autonomous boxed agents + universal live reasoning

Vanta can now run another agent fully autonomously inside an OS-enforced Docker box scoped to exactly the folders it's given — and a model's thinking streams live in the TUI across every provider.

✨ Autonomous Docker-boxed agent runs

call_agent(autonomous:true) runs claude --dangerously-skip-permissions inside a Docker container scoped to exactly the folders Vanta mounts — the mount-set is the boundary. Live-proven end-to-end: the boxed agent authenticated, built a file in its mount, and provably could not read or write any host path outside it (network off).

Safe-by-design: opt-in · kernel-gated approval showing the exact boundary · runs non-root · credential forwarded as env (never the host keychain or argv) · mount-scope derives the blast radius from the task · a destructive task gets an OS-enforced read-only dry-run. One command to set up: vanta agent-image build. Powerful — enable deliberately.
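The boundary described above can be sketched as a `docker run` argument builder. This is an added example, not Vanta's code: the image tag, uid, forbidden-path list and the `BoxRequest`, `checkMount` and `buildBoxArgs` names are hypothetical, and `--cap-drop` / `no-new-privileges` are extra hardening the release notes do not claim.

```typescript
// Added illustration, NOT Vanta's implementation. The image tag, uid and
// the forbidden-path list are hypothetical placeholders.
interface BoxRequest {
  mounts: string[];      // host folders the task may touch
  dryRun: boolean;       // destructive task: bind everything read-only
  credentialEnv: string; // NAME of the env var that holds the credential
}

const IMAGE = "agent-image:example"; // hypothetical tag
const TOO_BROAD = ["/", "/etc", "/proc", "/sys", "/var/run/docker.sock"];

// Normalize one mount path and refuse anything that would widen the boundary.
function checkMount(p: string): string {
  if (p.charAt(0) !== "/") throw new Error("mount must be absolute: " + p);
  if (/[,:]/.test(p)) throw new Error("',' or ':' would be parsed as mount options: " + p);
  const parts = p.split("/").filter((s) => s.length > 0);
  if (parts.indexOf("..") !== -1 || parts.indexOf(".") !== -1) {
    throw new Error("mount must not contain '.' or '..': " + p);
  }
  const clean = "/" + parts.join("/");
  if (TOO_BROAD.indexOf(clean) !== -1) throw new Error("mount too broad: " + clean);
  return clean;
}

// Build the `docker run` argv for one boxed run.
function buildBoxArgs(req: BoxRequest): string[] {
  if (req.mounts.length === 0) throw new Error("no mounts: nothing to scope to");
  if (!/^[A-Z_][A-Z0-9_]*$/.test(req.credentialEnv)) {
    throw new Error("credentialEnv must be a variable name, never the secret");
  }
  const args: string[] = [
    "run", "--rm",
    "--network", "none",                   // network off, as in the release's proof
    "--user", "1000:1000",                 // non-root (uid is an assumption)
    "--cap-drop", "ALL",
    "--security-opt", "no-new-privileges",
    // Name only: docker copies the value from its own environment, so the
    // secret never appears in argv or in `ps` output.
    "-e", req.credentialEnv,
  ];
  const mode = req.dryRun ? ",readonly" : "";
  req.mounts.map(checkMount).forEach((m) => {
    args.push("--mount", "type=bind,source=" + m + ",target=" + m + mode);
  });
  args.push(IMAGE, "claude", "--dangerously-skip-permissions");
  return args;
}
```
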

🧠 Universal live reasoning

Any reasoning model's thinking now streams live in the TUI — DeepSeek-R1, OpenRouter reasoning models, Ollama, Gemini, any custom OpenAI-compatible endpoint (reasoning_content/reasoning), and Anthropic extended thinking (thinking_delta; Anthropic gained streaming — it had none). Backends that hide reasoning (e.g. codex) fall back to a spinner.

Also

  • Codex prompt-routing sync: vanta skills sync-triggers --codex writes skill routing into ~/.codex/AGENTS.md (cross-agent auto-fire: Vanta / Claude / Codex).
  • Branded install: curl -fsSL https://vanta.theft.studio/install.sh | bash
  • Fixes: vanta update pulls origin/<branch> explicitly (no upstream-tracking needed); security scan clean (0 findings, no suppression).

Ship-preflight green: kernel 67/67 · 11,178 TS tests · tsc + size gate clean · 0 secrets. Prebuilt kernels for macOS + Linux (arm64 / x64) attached.

Install: curl -fsSL https://vanta.theft.studio/install.sh | bash

Vanta v0.4.0

@github-actions github-actions released this 27 Jun 21:00

Vanta v0.4.0 — Security + Modularity

A security-skills pack you can run on any repo, every fixable CVE cleared, and a codebase-wide modularity pass — all behavior-preserving (full suite green throughout).

Install / upgrade: curl -fsSL https://raw.githubusercontent.com/jpoindexter/Vanta/main/bootstrap.sh | bash — the installer pulls this release's prebuilt kernel automatically. Only git required.

✨ Added

  • security-skills pack: secret-scan, dependency-audit, sast-scan, security-preflight: grounded SKILL.md runbooks plus a runnable scan.sh one-command gate (secrets → dependency CVEs → SAST, no agent required). Bundled into Vanta and published standalone at jpoindexter/security-skills.
  • Live provider-recovery proof: scripts/reliability-recovery.sh verifies the transient-retry actually recovers (not just stops) on a real stalled provider call; VANTA_CODEX_BASE_URL makes the codex endpoint overridable.

🔒 Fixed (security)

  • Shipped runtime is clean — 0 secrets across 2,003 commits, 0 runtime CVEs, kernel zero-dependency.
  • Every vanta-ts dev-tooling CVE cleared (incl. a vitest 9.8 critical) by migrating to vitest 3 / vite 6 + an esbuild override → osv-scanner reports 0 vulnerabilities.
  • Docs site: serialize-javascript RCE/DoS → override 7.0.6; uuid bounds bug → override 11.1.1 (docusaurus build verified). The full triage is recorded in SECURITY.md §7b.

🧱 Modularity (no behavior change)

  • The size gate now has zero exemptions — the factory/* autonomous-loop code was brought into compliance, with the is_protected_path kernel-mirror kept byte-identical.
  • 65 source files modularized under the 200-line soft target (70 → 5) across 6 verified waves — pure-helper / parser / sub-concern extractions, public exports re-exported so importers and tests needed zero edits. The 5 remaining files are deliberately-cohesive registries / type-systems, left whole on purpose.

✅ Verified

Full suite 977 files / 11,132 tests green · 67 kernel tests · tsc clean · size gate clean across 1,272 files · release build OK.

Full changelog: CHANGELOG.md · compare v0.3.0...v0.4.0

Vanta v0.3.0

@github-actions github-actions released this 27 Jun 16:49

Full Changelog: v0.1.0...v0.3.0

Vanta v0.2.0

@github-actions github-actions released this 22 Jun 16:28

What's Changed

  • Integrate the autonomous roadmap-grind: 39 commits (vision + security + org-layer) by @jpoindexter in #3
  • refactor(memory): brain is the one memory (retire vault tier + heartbeat pollution) by @jpoindexter in #2
  • perf(compress): winnow dedupeBlocks pass in applyCompression by @jpoindexter in #1
  • refactor(modularity): salvage the 3 unique ports from feat/modularity-ports by @jpoindexter in #4

Full Changelog: v0.1.0...v0.2.0