Releases
sandbox-v0.2.0
0.2.0 (2026-06-13)
Features
AAAA/IPv6 answers in the name egress allowlist (314104c )
add --rootfs-cow-dir and --template-rootfs flags to husk-stub (d957c7e )
add forkd NDJSON exec-stream endpoint and aggregate one-shot exec on it (51a679d )
add ForkRunning to ForkEngine interface and MockEngine (c1366a5 )
add host vsock ExecStream over a dedicated connection (1be44f1 )
add PatchDrive to the husk vmm interface (ea8a46a )
add pluggable KMS Wrapper with a local AES-256-GCM KEK provider (0c0709f )
add Python streaming exec callbacks and background process handle (bf7a185 )
add TypeScript streaming exec callbacks and background process handle (3150202 )
add vsock exec-stream frame protocol types (7beb8b9 )
agentrun CLI command tree and Backend interface (91a9dd8 )
agentrun dev up/down and cluster backend (86485fc )
agentrun-mcp binary with an HTTP sandbox backend (05b8369 )
agents.x-k8s.io facade controller maps Sandbox to our husk run path (cd3fa21 )
attach volume drives, placeholder at snapshot, rebind per fork (cf44c07 )
benchstat percentile summarization and result formatting (36c03b6 )
bind a sandbox to a workspace and hydrate/dehydrate its revisions (84aa350 )
bounded CAS cache with LRU eviction and manifest pinning (8d0aaaa )
bulk workspace tar transfer over vsock and CAS hydrate/dehydrate helpers (041a285 )
capacity-aware bin-packing node selection (6f0e3f6 )
carry the trace id in the revision.created feed event; docs (ced246f )
CAS transfer interface and HTTP transport for incremental snapshot pull (2f63ee9 )
claim activates a dormant husk pod in place via the mTLS control channel (1be9bb1 )
claim finalizer reaps the backing VM on delete (a4a2fba )
claims on lost nodes transition to a terminal NodeLost condition (5f41d75 )
claims pend on no capacity and fail cleanly after a bounded wait (e1d6728 )
clone per-activation rootfs at husk Prepare (328712c )
cmd/bench fork-exec and exec round-trip latency driver (f47453c )
configure message on the vsock protocol (180afaa )
controller calls forkd over gRPC for Fork and ForkRunning (cabc81c )
controller loads the KEK from --kek-file and injects it into the reconcilers (f2076a2 )
controller owns the per-template encryption key Secret and delivers it (bd9146a )
controller passes template NetworkPolicy to forkd (44c5703 )
controller PKI bootstrap and mTLS dialing to forkd (26d8209 )
controller wraps the DEK with the KMS and delivers the wrapped DEK over the RPCs (3723040 )
controller: replicate husk PKI secrets into pool namespaces (30128b2 )
controller: replicate husk PKI secrets per pool namespace on reconcile (731982c )
CoW-aware memory metering counts shared template memory once (9320294 )
daemon stashes the wrapped DEK and KEK id from the mTLS request (4cfb8b6 )
deploy the pod-native default stack (controller husk mode, device plugin, husk-stub image) (5d13cc0 )
deploy: ship the ghcr-pull image pull secret manifest (7186314 )
deploy: stage the guest kernel on KVM nodes via a DaemonSet (ade4725 )
dev overlay deploys a mock control plane for agentrun dev up (a54c778 )
encrypt template snapshots at rest in per-scope LUKS containers (c3d910b )
engine builds templates from OCI images and runs init in the VM (1cad6a5 )
facade maps Sandbox pause/resume to warm-pool release and fast re-activation (8e1f92f )
facade maps SandboxClaim with warmpool policy to our fork-from-snapshot claim (e9b21d6 )
facade maps SandboxTemplate and SandboxWarmPool to our template and pool (d0d5fbc )
forkd activity tracking and ListSandboxes RPC (48a537d )
forkd delivers claim env+secrets to the guest, strict on real engines (5433dff )
forkd gRPC requires controller mTLS identity when TLS is configured (9c127aa )
forkd loads the local KEK from --kek-file and fails closed without it (18ae8e9 )
forkd notifies guests on fork; restore without reseed fails closed (527d8a8 )
forkd pod discovery with capacity heartbeats (706b857 )
forkd reports host memory total and per-template capacity estimates (bf23c94 )
forkd runs Firecracker under the jailer; daemonset drops privileged (f7c51fc )
forkd runs the DNS proxy and points guests at it for name egress (7b639fb )
forkd serves its CAS and pulls templates from a peer (1979c4e )
forkd takes the encryption key from the mTLS request, not the node (eaa341c )
forkd unwraps the wrapped DEK via the KMS and zeroizes the plaintext (a0f1b26 )
GC reconciler terminates orphan VMs and reconciles after controller restart (dba061f )
generate forkd gRPC code from proto (5abceba )
git rendezvous pushes workspace repo paths for fork-and-merge (1ba8931 )
Grafana dashboard and completed conditions catalogue (31eb208 )
guest agent applies configured env+secrets to exec sessions (ce56697 )
guest mounts attached volume drives at their mount paths (df345e9 )
guest NotifyForked reseeds RNG, steps clock, signals userspace (769e400 )
guestenv.Merge with base<configured<request precedence (c9882b7 )
husk Activate runs the fork-correctness handshake, fail-closed (7cc4d1a )
husk mode builds the snapshot and is the default; raw-forkd behind a flag (d39b3bd )
husk pod PDB, self-heal on delete, claim re-pend on pod loss, drain policy (dea5f86 )
husk pod satisfies PSA restricted minus documented exceptions; networking reconciliation (778b09b )
husk pod spec and warm-pool lifecycle controller behind a flag (a421bbc )
husk stub mTLS network control server and controller activation client (c105902 )
husk-probe measures CoW page sharing across cgroup v2 memcgs (cac40ad )
implement forkd gRPC service over ForkEngine (fc9007b )
internal PKI with mTLS configs and peer identity extraction (2f61329 )
internal/cas content-addressed snapshot store with dedup (ef119ee )
internal/dnsproxy resolves allowlisted names and pins resolved IPs (a902f71 )
internal/husk dormant-VMM stub with in-place activation (83b7188 )
internal/mcp server, tool definitions, SandboxBackend interface (edb3c29 )
internal/network Linux tap and nftables egress manager (c227f5c )
internal/ociroot pulls and flattens OCI images into an ext4 rootfs (91d44ed )
internal/storecrypt per-scope LUKS containers with crypto-shred (b0dbb94 )
internal/volume node backend with Fresh and reflink Snapshot policies (785e7ef )
jailer launch path with per-VM uid, chroot, and path translation (b1ccf4e )
kubectl sandbox logs and exec; Box competitor positioning (7e7de26 )
kubectl sandbox plugin with ls and ps (d6f2e07 )
kubectl sandbox tree and top operator verbs (19a1b51 )
kvm device plugin advertises agentrun.dev/kvm and injects /dev/kvm (25ac7bb )
live forks of secret-holding sandboxes require explicit opt-in (8f0f0ee )
maxLifetime and idleTimeout reap claims to a terminal Terminated phase (d13d337 )
memory-snapshot pairing makes a workspace head resumable (543a537 )
metering endpoint, CoW disk accounting, corrected metrics (7702738 )
mount writable rootfs CoW dir and pass clone flags to husk pod (a3ead1c )
netconf identity allocator, nftables rendering, command builders (7d899be )
NodeInfo.HTTPEndpoint and NodesWithTemplate (f08d680 )
OpenTelemetry tracing across the claim and fork path (51651d7 )
pending-claims, orphan-sweep, and claim-error metrics (a400fa2 )
per-sandbox bearer tokens on the forkd sandbox API (39bd36b )
per-sandbox network identity and NIC attach wired into the engine (3834ec3 )
per-sandbox nftables dynamic allow set for resolved names (58c45dd )
plumb template volumes and fork policies through to forkd (f5331b9 )
pool controller tracks and creates snapshots via forkd (dbfa1bf )
pool reconciler builds a template once and distributes by pull (128222f )
production deploy manifests with RBAC and a kustomize base (1f13978 )
PrometheusRule alerts and runbooks for the exported metrics (20e4527 )
proto carries the wrapped DEK and its KEK id (ddaa12b )
rebind rootfs drive to per-activation clone at husk Activate (8f29a7e )
register per-sandbox stream path in forkd and sandbox-server fork paths (e60814a )
remove per-activation rootfs clone on husk teardown (eb43a79 )
SandboxServer and cluster AgentRun TypeScript clients (035c497 )
snapshot format version and compatibility contract (snapcompat) (3d99f8e )
stamp and enforce snapshot compatibility on load (43fcf81 )
stamp the reconcile trace id onto the workspace revision; dehydrate span (541c840 )
stream guest exec stdout/stderr over vsock with pgroup kill (34b5861 )
Talos machine configs for KVM-capable worker nodes (21ce7bb )
toggleable structured audit log of exec and file operations (3d0aad4 )
TTL cleanup of finished claims for etcd hygiene (c8b29e8 )
TypeScript SDK package, types, HTTP transport, Sandbox surface (00e7f01 )
verify-on-load snapshot integrity with digest in pool status (#9 ) (78f4ac9 )
wildcard suffix names in the egress allowlist with anchored matching (1f2fac5 )
Workspace and WorkspaceRevision CRD types (2113f67 )
Workspace controller with revision lineage, retention, and status (b89f77f )
workspace outputs extraction with path filter and revision diff (97d1c22 )
workspace revision change feed via CloudEvents and Kubernetes Events (b11d33c )
Bug Fixes
agentrun help works without a kubeconfig (a46ef4a )
bench measures fork to first exec, teardown excluded (913ae5e )
bounded, unhealthy-tolerant termination so claim deletion never wedges (97eeeaf )
CAS CI phase uses guaranteed real files; chmod kvm in snapshot step (ec6f687 )
CAS removes partial output on verify failure, single-pass PutSnapshot (71613f5 )
CI go-test installs envtest assets for the controller suite (421688f )
CI lint timeout + SDK readme; add API spec v2 (8f59b0e )
conflict-tolerant facade test spec updates (67aa819 )
conflict-tolerant facade test spec updates (7dcb7b9 )
cow: keep the template mount read-write so snapshot load opens the baked rootfs (646a15d )
default controller namespace to mitos (was mitos-system, inconsistent with the deploy namespace + namespace.yaml after the rename) (7529d7f )
deploy: enforce privileged PodSecurity on pool namespaces (56110f3 )
deploy: enforce privileged PodSecurity on the mitos namespace (4d7e2c7 )
deploy: forkd agent-bin, privileged, DOCKER_CONFIG, drop jailer args (ffe8592 )
deploy: grant leases to the dev mock controller for leader election (3ef03e4 )
deploy: wire ghcr-pull onto the controller serviceaccount (6db590d )
device-plugin e2e proves /dev/kvm injection on the kvm-capable runner (7f179b5 )
discovery data race, conn carry-forward, test-only fake forkd helper (089c133 )
dnsproxy refuses when the source guest has no tap mapping (12dbc96 )
drop husk-pod reuse so an evicted claim recovers onto a fresh pod (c190523 )
drop husk-pod reuse so an evicted claim recovers onto a fresh pod (868f235 )
emit phase.changed from an uncached read so the event is never dropped (617808d )
encryption cleanup on failed build, destroy in-memory key on shred, serialize container open (0fc2843 )
facade warmpool status selector matches husk pod labels; document podTemplate metadata exceptions (2964cfd )
forkd: build the guest agent into the image at /usr/local/bin/agent (47a573d )
ForkRunning metrics parity, agent-registration logging, GetConnection race (33c8076 )
GC respects live claims by name and TTLs early-failed claims (0630043 )
grant the dev mock controller workspace RBAC (0508896 )
guestenv passes through base entries without '='; note additive configure merge (22c025e )
husk stub verifies the snapshot (digest + snapcompat) on activate, fail-closed (d175d6b )
husk warm pool self-heals independent of the snapshot build (f37251e )
husk-stub keeps the activated VM alive until shutdown (183c99c )
kvm device plugin container starts under read-only /dev; e2e diagnostics (8a87301 )
leader election + warm-pool refill/recycle/reuse (f2dd2b6 )
make husk activation work on real KVM (bare-metal validation) (e322fb5 )
MCP server ctx-cancel shutdown, empty-file writes, id path safety, fork partial ids (9881e93 )
NodeRegistry zero-value safety; use constructor everywhere (d1aedd6 )
nolint the deprecated GetEventRecorderFor in the feed wiring (16b2728 )
optimistic-lock husk pod claim; serve token-gated sandbox API in the husk stub (de9ff7a )
per-pod husk VM id and read-only template mount (0ab3f5e )
per-sandbox nftables dispatch chains, ForkRunning fails closed on networking (87d7bca )
prevent git argument injection in workspace rendezvous (-- separator, ref + scheme guards) (183be91 )
Python SDK k8s mode speaks the forkd /v1 sandbox API (9435333 )
re-assert the validateVMID barrier at TemplateManager entry points (fe0c003 )
rebind husk rootfs drive while paused, before resume (2c4416b )
refuse to deliver the encryption key over a non-mTLS channel (0c6e455 )
regexp allowlist barrier for vm ids clears codeql path-injection (252443d )
reject parent-directory traversal in jailer paths (codeql path-injection) (c1558b9 )
relative vsock uds path so forks do not collide; CI fork-correctness phase (c41e014 )
reliable phase.changed emit (uncached read) and conflict-tolerant test setup (870a93a )
safe-join archive extraction against parent symlink traversal (codeql) (b15b827 )
scope husk rootfs CoW clone to a per-pod VM id (4069942 )
sdk: kill() deterministically tears down the background stream (dac810b )
sdk: truncated stream, TS abort, Python background+kill scoping (1d1fd85 )
secrets in dedicated proto field, threat-model/roadmap truth pass, gofmt (747cb36 )
serve CAS on a separate TLS listener; peer token via env; traversal test (9db4d7b )
stream interceptor, verified-only peer identity, per-identity EKUs (acaaeb5 )
transient NotFound handling, locked node lookup, bounded template builds (b0ef739 )
validate CAS digests to block path traversal (codeql) (07c67b6 )
validate sandbox ids, contain chroot paths, reap before uid release, add SYS_CHROOT (1cd75a7 )
validate volume names and bake read-only for Share volumes (c6013f1 )
validateVMID barrier at TemplateManager entry points (f6c3634 )
vol-smoke seeds the snapshot volume via mkfs -d, no host mount (fb5a2da )
wait for agent readiness before snapshot, plumb Spec.Init through the controller (0f2aca3 )
warm-pool refills per claim + claim release recycles the husk pod (12d5a5b )
zero golangci-lint findings, kind-e2e config file (a72ac0d )