v0.8.1

0.8.1 (2026-06-19)

Bug Fixes

• controller: adopt an already-active fork child instead of looping forever (#183) (4b5ef38)
• controller: adopt an already-active fork child instead of looping forever (#183) (d11812e)
• controller: constrain template snapshot build to a pool's placement nodes (#172) (3fc1652)
• controller: constrain template snapshot build to a pool's placement nodes (#172) (c78ba53)
• controller: elide no-op SandboxPool status writes (#163) (3de2122)
• controller: elide no-op SandboxPool status writes (#163) (815b54a)
• forkd: sample lifetime memory metrics periodically (#3 fork-correctness Row 5) (979318c)
• forkd: sample lifetime memory metrics periodically (#3 fork-correctness Row 5) (40492ba)

v0.8.0

0.8.0 (2026-06-19)

Features

• controller: dedicatedNodes pool placement for hard tenant separation (#172) (10b74ad)
• controller: restrict husk-pod placement to placement-matching snapshot holders (#172) (de13d95)

Bug Fixes

• chart: make a fresh helm install come up out of the box (#173) (0ee5ccc)
• controller: cross-node husk failover (per-node activation digest + release label on failure) (#177) (d3ed0a7)
• controller: evict husk pods from a lost node in ~60s, not 300s (#177) (ec7cc72)
• controller: log the cause of a failed fork-child activation (#28) (91769f2)
• controller: pin each husk pod to one snapshot node + its own digest (#175) (873f182)
• controller: reflect backing-pod readiness in a Ready husk claim (#177) (e72c088)

v0.7.0

0.7.0 (2026-06-18)

Features

• controller: narrow controller Secrets RBAC to adopted pool namespaces (6a57b63)
• controller: rotate the per-namespace husk server leaf before expiry (9d3addd)
• fork: re-sample live memory in Metering for lifetime accounting (bfb725b)

Bug Fixes

• controller: mirror pool-secrets RBAC to kustomize + make the binding non-fatal (8abe700)
• rbac: grant list+watch on rolebindings so the cached informer syncs (8d60504)

v0.6.0

0.6.0 (2026-06-18)

Features

• controller: dial husk pods pinning the per-namespace identity (326533d)
• controller: husk pods serve the per-namespace leaf; stop replicating the forkd key (63bc29e)
• controller: issue a per-namespace husk server leaf (mitos-husk-tls) (3f11ed2)
• pki: ClientTLSConfigFor pins an arbitrary server name; ClientTLSConfig delegates (3654541)
• pki: issue per-namespace husk server leaves (husk.<ns>.mitos, server-auth) (d1cac0c)

Bug Fixes

• controller: bind claim spec.serviceAccount to authorization via admission webhook (5d80d2a)
• controller: require controller owner ref before activating a husk pod (8682306)
• deploy: verify guest kernel integrity and drop SA tokens on privileged pods (9e0ee4c)
• dnsproxy: block IPv6-embedded private targets in rebind filter (NAT64/6to4/site-local) (f50fc03)
• guest: fail closed when the fork RNG reseed is not credited (§1) (58614d6)
• husk: filter guest-to-pod-local traffic on the nftables input hook (52eb1bf)
• security audit remediation (6 findings) + fork-correctness reseed fail-closed (835f457)

v0.5.0

0.5.0 (2026-06-16)

Features

• controller: fleet-observability metrics (husk pod created/lost, node lost, refill latency) (d1629e3)
• controller: fleet-observability metrics (husk pod created/lost, node lost, refill latency) (6b79a92)
• deploy: Helm chart for the mitos control plane (#37) (28b6e8a)
• deploy: Helm chart for the mitos control plane (#37) (fa95761)

v0.4.0

0.4.0 (2026-06-16)

Features

• controller: add NET_ADMIN to husk pod for in-pod egress firewall (23ffe77)
• controller: emit best-effort husk NetworkPolicy (default-deny egress) (4e52c2b)
• controller: ensure husk NetworkPolicy during pool reconcile (795000f)
• controller: thread template egress policy + allowlist into husk activate (1954a03)
• husk-network: complete name-based egress datapath (DNS upstream + SNAT) (8a39a74)
• husk-network: set pod-netns ip_forward via a scoped init container, no node change (a203c6f)
• husk-stub: wire exec netfilter runner + dns upstream flags (aa34340)
• husk: apply in-pod egress filter + DNS proxy at activate (0fd8929)
• husk: carry egress policy + allowlist in the activate control message (347cc26)
• husk: in-pod egress filter orchestration reusing netconf (5640778)
• husk: per-pod DNS proxy for name-allowlist egress (4b98c6e)
• netconf: unconditional cloud-metadata drop in every sandbox chain (381a88f)

Bug Fixes

• ci-runner: grant runner networkpolicies read for the husk-network e2e (db950fa)
• ci-runner: grant runner networkpolicies read for the husk-network e2e (6d95158)
• controller: drop the terminate finalizer when the bound workspace is gone (8e5e772)
• deviceplugin: re-register with the kubelet after it restarts (5bc2d93)
• deviceplugin: start the kubelet.sock watch before registering (08a4045)
• dnsproxy: refuse to pin non-public resolved addresses (DNS-rebind defense) (6b43bcf)
• dnsproxy: refuse to pin non-public resolved addresses (DNS-rebind defense) (b916d75)
• husk-network: bind the in-pod DNS resolver IP to the tap (9febb1a)
• husk-network: enable pod-netns ip_forward via kubelet sysctl, fail open-safe (c9c1616)
• husk-network: guest configures eth0 via rtnetlink, not the missing ip binary (a4a0271)
• husk: enable forkd networking so the template bakes the eth0 NIC (#150) (200e348)
• husk: forkd image needs iproute2 + nftables; re-enable networking; mirror base image (66bacb3)
• husk: husk-stub image needs iproute2 + nftables for the in-pod egress filter (22254e5)
• husk: husk-stub image needs iproute2 + nftables for the in-pod egress filter (1feb8f8)
• husk: readiness probe gates the pod on the dormant control listener (96c5dcc)
• husk: wait for the template rootfs at Prepare instead of crash-looping (04c0f42)
• security: fail closed when a forked VM does not reseed its RNG (#137) (92a04eb)
• security: four hardening fixes (husk SA token, gRPC fail-closed, vsock read deadline, clock residual) (#136) (8977aed)
• security: per-fork rootfs CoW on raw-forkd to stop cross-fork write bleed (#138) (e72bd34)

v0.3.0

0.3.0 (2026-06-14)

Features

• AAAA/IPv6 answers in the name egress allowlist (314104c)
• add --rootfs-cow-dir and --template-rootfs flags to husk-stub (d957c7e)
• add forkd NDJSON exec-stream endpoint and aggregate one-shot exec on it (51a679d)
• add host vsock ExecStream over a dedicated connection (1be44f1)
• add PatchDrive to the husk vmm interface (ea8a46a)
• add per-pool claim-arrival demand tracker (0c8d1ff)
• add pluggable KMS Wrapper with a local AES-256-GCM KEK provider (0c0709f)
• add Python streaming exec callbacks and background process handle (bf7a185)
• add TypeScript streaming exec callbacks and background process handle (3150202)
• add vsock exec-stream frame protocol types (7beb8b9)
• add warm-pool autoscale metrics (size, in-use, desired, scale events, latency) (896d353)
• add warm-pool autoscaling fields to SandboxPool (fa5f9e2)
• add warm-pool desired-count formula with scale-down cooldown (6d7d4d1)
• agentrun CLI command tree and Backend interface (91a9dd8)
• agentrun dev up/down and cluster backend (86485fc)
• agentrun-mcp binary with an HTTP sandbox backend (05b8369)
• agents.x-k8s.io facade controller maps Sandbox to our husk run path (cd3fa21)
• attach volume drives, placeholder at snapshot, rebind per fork (cf44c07)
• autoscale the husk warm pool from claim demand in the pool reconcile (c5f07c0)
• benchstat percentile summarization and result formatting (36c03b6)
• bind a sandbox to a workspace and hydrate/dehydrate its revisions (84aa350)
• bounded CAS cache with LRU eviction and manifest pinning (8d0aaaa)
• bulk workspace tar transfer over vsock and CAS hydrate/dehydrate helpers (041a285)
• capacity-aware bin-packing node selection (6f0e3f6)
• carry the trace id in the revision.created feed event; docs (ced246f)
• CAS transfer interface and HTTP transport for incremental snapshot pull (2f63ee9)
• claim activates a dormant husk pod in place via the mTLS control channel (1be9bb1)
• claims pend on no capacity and fail cleanly after a bounded wait (e1d6728)
• cli: cluster workspace backend (#21) (8dc7289)
• cli: mitos ws create|ls|log|diff|fork|revert|rm|bind (#21) (f0458d4)
• cli: workspace backend interface and fake (#21) (cf738dd)
• clone per-activation rootfs at husk Prepare (328712c)
• cmd/bench fork-exec and exec round-trip latency driver (f47453c)
• complete epic W4 (durable, forkable agent workspaces) prod-grade (ffbcaef)
• controller loads the KEK from --kek-file and injects it into the reconcilers (f2076a2)
• controller owns the per-template encryption key Secret and delivers it (bd9146a)
• controller passes template NetworkPolicy to forkd (44c5703)
• controller wraps the DEK with the KMS and delivers the wrapped DEK over the RPCs (3723040)
• controller: add husk fork-snapshot and remove control clients (d0875c1)
• controller: build fork-child husk pods owned by the SandboxFork (020645f)
• controller: live SandboxFork on the husk pod-native path with snapshot GC (9841e1e)
• controller: mount fork snapshot dir and pin fork child husk pods (8d1ff8a)
• controller: replicate husk PKI secrets into pool namespaces (30128b2)
• controller: replicate husk PKI secrets per pool namespace on reconcile (731982c)
• controller: set husk pod memory limit with headroom (1283946)
• controller: wire husk fork config into the SandboxFork reconciler (11044e4)
• controller: wire memory-snapshot seams behind a flag (#21) (b1d3915)
• CoW-aware memory metering counts shared template memory once (9320294)
• daemon stashes the wrapped DEK and KEK id from the mTLS request (4cfb8b6)
• daemon: cap concurrent streams per sandbox (ae8383c)
• daemon: LLM-legible error envelope with code and remediation (b8f4c02)
• deploy the pod-native default stack (controller husk mode, device plugin, husk-stub image) (5d13cc0)
• deploy: ship the ghcr-pull image pull secret manifest (7186314)
• deploy: stage the guest kernel on KVM nodes via a DaemonSet (ade4725)
• dev overlay deploys a mock control plane for agentrun dev up (a54c778)
• encrypt template snapshots at rest in per-scope LUKS containers (c3d910b)
• engine builds templates from OCI images and runs init in the VM (1cad6a5)
• facade maps Sandbox pause/resume to warm-pool release and fast re-activation (8e1f92f)
• facade maps SandboxClaim with warmpool policy to our fork-from-snapshot claim (e9b21d6)
• facade maps SandboxTemplate and SandboxWarmPool to our template and pool ([...

sandbox: v0.2.0

0.2.0 (2026-06-13)

Features

• AAAA/IPv6 answers in the name egress allowlist (314104c)
• add --rootfs-cow-dir and --template-rootfs flags to husk-stub (d957c7e)
• add forkd NDJSON exec-stream endpoint and aggregate one-shot exec on it (51a679d)
• add ForkRunning to ForkEngine interface and MockEngine (c1366a5)
• add host vsock ExecStream over a dedicated connection (1be44f1)
• add PatchDrive to the husk vmm interface (ea8a46a)
• add pluggable KMS Wrapper with a local AES-256-GCM KEK provider (0c0709f)
• add Python streaming exec callbacks and background process handle (bf7a185)
• add TypeScript streaming exec callbacks and background process handle (3150202)
• add vsock exec-stream frame protocol types (7beb8b9)
• agentrun CLI command tree and Backend interface (91a9dd8)
• agentrun dev up/down and cluster backend (86485fc)
• agentrun-mcp binary with an HTTP sandbox backend (05b8369)
• agents.x-k8s.io facade controller maps Sandbox to our husk run path (cd3fa21)
• attach volume drives, placeholder at snapshot, rebind per fork (cf44c07)
• benchstat percentile summarization and result formatting (36c03b6)
• bind a sandbox to a workspace and hydrate/dehydrate its revisions (84aa350)
• bounded CAS cache with LRU eviction and manifest pinning (8d0aaaa)
• bulk workspace tar transfer over vsock and CAS hydrate/dehydrate helpers (041a285)
• capacity-aware bin-packing node selection (6f0e3f6)
• carry the trace id in the revision.created feed event; docs (ced246f)
• CAS transfer interface and HTTP transport for incremental snapshot pull (2f63ee9)
• claim activates a dormant husk pod in place via the mTLS control channel (1be9bb1)
• claim finalizer reaps the backing VM on delete (a4a2fba)
• claims on lost nodes transition to a terminal NodeLost condition (5f41d75)
• claims pend on no capacity and fail cleanly after a bounded wait (e1d6728)
• clone per-activation rootfs at husk Prepare (328712c)
• cmd/bench fork-exec and exec round-trip latency driver (f47453c)
• configure message on the vsock protocol (180afaa)
• controller calls forkd over gRPC for Fork and ForkRunning (cabc81c)
• controller loads the KEK from --kek-file and injects it into the reconcilers (f2076a2)
• controller owns the per-template encryption key Secret and delivers it (bd9146a)
• controller passes template NetworkPolicy to forkd (44c5703)
• controller PKI bootstrap and mTLS dialing to forkd (26d8209)
• controller wraps the DEK with the KMS and delivers the wrapped DEK over the RPCs (3723040)
• controller: replicate husk PKI secrets into pool namespaces (30128b2)
• controller: replicate husk PKI secrets per pool namespace on reconcile (731982c)
• CoW-aware memory metering counts shared template memory once (9320294)
• daemon stashes the wrapped DEK and KEK id from the mTLS request (4cfb8b6)
• deploy the pod-native default stack (controller husk mode, device plugin, husk-stub image) (5d13cc0)
• deploy: ship the ghcr-pull image pull secret manifest (7186314)
• deploy: stage the guest kernel on KVM nodes via a DaemonSet (ade4725)
• dev overlay deploys a mock control plane for agentrun dev up (a54c778)
• encrypt template snapshots at rest in per-scope LUKS containers (c3d910b)
• engine builds templates from OCI images and runs init in the VM (1cad6a5)
• facade maps Sandbox pause/resume to warm-pool release and fast re-activation (8e1f92f)
• facade maps SandboxClaim with warmpool policy to our fork-from-snapshot claim (e9b21d6)
• facade maps SandboxTemplate and SandboxWarmPool to our template and pool (d0d5fbc)
• forkd activity tracking and ListSandboxes RPC (48a537d)
• forkd delivers claim env+secrets to the guest, strict on real engines (5433dff)
• forkd gRPC requires controller mTLS identity when TLS is configured (9c127aa)
• forkd loads the local KEK from --kek-file and fails closed without it (18ae8e9)
• forkd notifies guests on fork; restore without reseed fails closed (527d8a8)
• forkd pod discovery with capacity heartbeats (706b857)
• forkd reports host memory total and per-template capacity estimates (bf23c94)
• forkd runs Firecracker under the jailer; daemonset drops privileged (f7c51fc)
• forkd runs the DNS proxy and points guests at it for name egress (7b639fb)
• forkd serves its CAS and pulls templates from a peer (1979c4e)
• forkd takes the encryption key from the mTLS request, not the node (eaa341c)
• forkd unwraps the wrapped DEK via the KMS and zeroizes the plaintext (a0f1b26)
• GC reconciler terminates orphan VMs and reconciles after controller restart ([dba061f](https://github.com/paperclipinc/...