Skip to content

v0.3.0

Choose a tag to compare

View all tags
@github-actions github-actions released this 14 Jun 21:22
v0.3.0
d37d52a
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

0.3.0 (2026-06-14)

Features

  • AAAA/IPv6 answers in the name egress allowlist (314104c)
  • add --rootfs-cow-dir and --template-rootfs flags to husk-stub (d957c7e)
  • add forkd NDJSON exec-stream endpoint and aggregate one-shot exec on it (51a679d)
  • add host vsock ExecStream over a dedicated connection (1be44f1)
  • add PatchDrive to the husk vmm interface (ea8a46a)
  • add per-pool claim-arrival demand tracker (0c8d1ff)
  • add pluggable KMS Wrapper with a local AES-256-GCM KEK provider (0c0709f)
  • add Python streaming exec callbacks and background process handle (bf7a185)
  • add TypeScript streaming exec callbacks and background process handle (3150202)
  • add vsock exec-stream frame protocol types (7beb8b9)
  • add warm-pool autoscale metrics (size, in-use, desired, scale events, latency) (896d353)
  • add warm-pool autoscaling fields to SandboxPool (fa5f9e2)
  • add warm-pool desired-count formula with scale-down cooldown (6d7d4d1)
  • agentrun CLI command tree and Backend interface (91a9dd8)
  • agentrun dev up/down and cluster backend (86485fc)
  • agentrun-mcp binary with an HTTP sandbox backend (05b8369)
  • agents.x-k8s.io facade controller maps Sandbox to our husk run path (cd3fa21)
  • attach volume drives, placeholder at snapshot, rebind per fork (cf44c07)
  • autoscale the husk warm pool from claim demand in the pool reconcile (c5f07c0)
  • benchstat percentile summarization and result formatting (36c03b6)
  • bind a sandbox to a workspace and hydrate/dehydrate its revisions (84aa350)
  • bounded CAS cache with LRU eviction and manifest pinning (8d0aaaa)
  • bulk workspace tar transfer over vsock and CAS hydrate/dehydrate helpers (041a285)
  • capacity-aware bin-packing node selection (6f0e3f6)
  • carry the trace id in the revision.created feed event; docs (ced246f)
  • CAS transfer interface and HTTP transport for incremental snapshot pull (2f63ee9)
  • claim activates a dormant husk pod in place via the mTLS control channel (1be9bb1)
  • claims pend on no capacity and fail cleanly after a bounded wait (e1d6728)
  • cli: cluster workspace backend (#21) (8dc7289)
  • cli: mitos ws create|ls|log|diff|fork|revert|rm|bind (#21) (f0458d4)
  • cli: workspace backend interface and fake (#21) (cf738dd)
  • clone per-activation rootfs at husk Prepare (328712c)
  • cmd/bench fork-exec and exec round-trip latency driver (f47453c)
  • complete epic W4 (durable, forkable agent workspaces) prod-grade (ffbcaef)
  • controller loads the KEK from --kek-file and injects it into the reconcilers (f2076a2)
  • controller owns the per-template encryption key Secret and delivers it (bd9146a)
  • controller passes template NetworkPolicy to forkd (44c5703)
  • controller wraps the DEK with the KMS and delivers the wrapped DEK over the RPCs (3723040)
  • controller: add husk fork-snapshot and remove control clients (d0875c1)
  • controller: build fork-child husk pods owned by the SandboxFork (020645f)
  • controller: live SandboxFork on the husk pod-native path with snapshot GC (9841e1e)
  • controller: mount fork snapshot dir and pin fork child husk pods (8d1ff8a)
  • controller: replicate husk PKI secrets into pool namespaces (30128b2)
  • controller: replicate husk PKI secrets per pool namespace on reconcile (731982c)
  • controller: set husk pod memory limit with headroom (1283946)
  • controller: wire husk fork config into the SandboxFork reconciler (11044e4)
  • controller: wire memory-snapshot seams behind a flag (#21) (b1d3915)
  • CoW-aware memory metering counts shared template memory once (9320294)
  • daemon stashes the wrapped DEK and KEK id from the mTLS request (4cfb8b6)
  • daemon: cap concurrent streams per sandbox (ae8383c)
  • daemon: LLM-legible error envelope with code and remediation (b8f4c02)
  • deploy the pod-native default stack (controller husk mode, device plugin, husk-stub image) (5d13cc0)
  • deploy: ship the ghcr-pull image pull secret manifest (7186314)
  • deploy: stage the guest kernel on KVM nodes via a DaemonSet (ade4725)
  • dev overlay deploys a mock control plane for agentrun dev up (a54c778)
  • encrypt template snapshots at rest in per-scope LUKS containers (c3d910b)
  • engine builds templates from OCI images and runs init in the VM (1cad6a5)
  • facade maps Sandbox pause/resume to warm-pool release and fast re-activation (8e1f92f)
  • facade maps SandboxClaim with warmpool policy to our fork-from-snapshot claim (e9b21d6)
  • facade maps SandboxTemplate and SandboxWarmPool to our template and pool (d0d5fbc)
  • feed warm-pool autoscaler from claim arrivals and record claim-wait latency (cf8d4a0)
  • fork: add on-disk sandbox journal for crash recovery (06869e0)
  • fork: add procfs PID-recycle guard for crash reconcile (d7d37fc)
  • forkd loads the local KEK from --kek-file and fails closed without it (18ae8e9)
  • forkd reports host memory total and per-template capacity estimates (bf23c94)
  • forkd runs the DNS proxy and points guests at it for name egress (7b639fb)
  • forkd serves its CAS and pulls templates from a peer (1979c4e)
  • forkd takes the encryption key from the mTLS request, not the node (eaa341c)
  • forkd unwraps the wrapped DEK via the KMS and zeroizes the plaintext (a0f1b26)
  • forkd: add POST /v1/run_code/stream NDJSON endpoint (b253ab9)
  • forkd: add token-gated WebSocket /v1/pty endpoint (f71fe7f)
  • fork: enforce MaxSandboxes host-DoS ceiling at Fork (bfda01f)
  • fork: reap or re-adopt pre-crash VMs on forkd startup (86cfbf4)
  • git rendezvous pushes workspace repo paths for fork-and-merge (1ba8931)
  • Grafana dashboard and completed conditions catalogue (31eb208)
  • guest mounts attached volume drives at their mount paths (df345e9)
  • guest: add in-guest Jupyter kernel driver for run_code (b694527)
  • guest: add kernel manager driving the in-guest run_code kernel (c48b60b)
  • guest: allocate PTY shell and pump bidirectional I/O over vsock (3aeebd0)
  • guest: route TypeRunCode to a persistent per-sandbox kernel (072cb4d)
  • husk Activate runs the fork-correctness handshake, fail-closed (7cc4d1a)
  • husk mode builds the snapshot and is the default; raw-forkd behind a flag (d39b3bd)
  • husk pod PDB, self-heal on delete, claim re-pend on pod loss, drain policy (dea5f86)
  • husk pod satisfies PSA restricted minus documented exceptions; networking reconciliation (778b09b)
  • husk pod spec and warm-pool lifecycle controller behind a flag (a421bbc)
  • husk stub mTLS network control server and controller activation client (c105902)
  • husk-probe measures CoW page sharing across cgroup v2 memcgs (cac40ad)
  • husk-stub: add fork-snapshot control client mode for CI (78714c5)
  • husk: add fork-snapshot control messages and codecs (4034e36)
  • husk: dispatch fork-snapshot and remove ops over mTLS control (5d4cd34)
  • husk: extend vmm interface with Pause and CreateSnapshot (f50074b)
  • husk: live SandboxFork on the husk pod-native default path (fffb2a4)
  • husk: snapshot the running source VM in place (fork-snapshot op) (fada0b4)
  • image: bake ipykernel and the run_code driver into the base image (1927dfa)
  • internal/cas content-addressed snapshot store with dedup (ef119ee)
  • internal/dnsproxy resolves allowlisted names and pins resolved IPs (a902f71)
  • internal/husk dormant-VMM stub with in-place activation (83b7188)
  • internal/mcp server, tool definitions, SandboxBackend interface (edb3c29)
  • internal/network Linux tap and nftables egress manager (c227f5c)
  • internal/ociroot pulls and flattens OCI images into an ext4 rootfs (91d44ed)
  • internal/storecrypt per-scope LUKS containers with crypto-shred (b0dbb94)
  • internal/volume node backend with Fresh and reflink Snapshot policies (785e7ef)
  • kubectl sandbox logs and exec; Box competitor positioning (7e7de26)
  • kubectl sandbox plugin with ls and ps (d6f2e07)
  • kubectl sandbox tree and top operator verbs (19a1b51)
  • kvm device plugin advertises agentrun.dev/kvm and injects /dev/kvm (25ac7bb)
  • memory-snapshot pairing makes a workspace head resumable (543a537)
  • metering endpoint, CoW disk accounting, corrected metrics (7702738)
  • mount writable rootfs CoW dir and pass clone flags to husk pod (a3ead1c)
  • netconf identity allocator, nftables rendering, command builders (7d899be)
  • OpenTelemetry tracing across the claim and fork path (51651d7)
  • pending-claims, orphan-sweep, and claim-error metrics (a400fa2)
  • per-sandbox network identity and NIC attach wired into the engine (3834ec3)
  • per-sandbox nftables dynamic allow set for resolved names (58c45dd)
  • plumb template volumes and fork policies through to forkd (f5331b9)
  • pool reconciler builds a template once and distributes by pull (128222f)
  • production deploy manifests with RBAC and a kustomize base (1f13978)
  • PrometheusRule alerts and runbooks for the exported metrics (20e4527)
  • proto carries the wrapped DEK and its KEK id (ddaa12b)
  • rebind rootfs drive to per-activation clone at husk Activate (8f29a7e)
  • register per-sandbox stream path in forkd and sandbox-server fork paths (e60814a)
  • remove per-activation rootfs clone on husk teardown (eb43a79)
  • rendezvous: authenticated git-http rendezvous server (#21) (2976086)
  • sandbox-server: mount the PTY WebSocket route (9422834)
  • SandboxServer and cluster AgentRun TypeScript clients (035c497)
  • sdk-python: add async create_pty on AsyncSandbox (3057a97)
  • sdk-python: add Execution/Result/ExecutionError types (f32e8f1)
  • sdk-python: add run_code with streaming callbacks (729ef7d)
  • sdk-python: add sandbox.pty interactive terminal handle (sync + async) (075dc1a)
  • sdk-python: AsyncAgentRun and AsyncSandbox for the hot paths (9667bfc)
  • sdk-python: one-liner sandbox(image=...) with a lazy default pool (b7b312b)
  • sdk-python: structured AgentRunError parsed from the server envelope (a2b3999)
  • sdk-python: wait_until_ready() and from_name() durable handles (313e762)
  • sdk-python: Workspace handle and git verbs (#21) (be8bc85)
  • sdk-ts: add Execution/Result/ExecutionError types (69d43d0)
  • sdk-ts: add runCode with streaming callbacks (997dfb6)
  • sdk-ts: add sandbox PTY interactive terminal client (b5fe0d5)
  • sdk-ts: parse the server error envelope; sandbox(image) and fromName (cc1fddd)
  • sdk-ts: Workspace handle and git verbs (#21) (23e325c)
  • snapshot format version and compatibility contract (snapcompat) (3d99f8e)
  • stamp and enforce snapshot compatibility on load (43fcf81)
  • stamp the reconcile trace id onto the workspace revision; dehydrate span (541c840)
  • stream guest exec stdout/stderr over vsock with pgroup kill (34b5861)
  • Talos machine configs for KVM-capable worker nodes (21ce7bb)
  • toggleable structured audit log of exec and file operations (3d0aad4)
  • TypeScript SDK package, types, HTTP transport, Sandbox surface (00e7f01)
  • verify-on-load snapshot integrity with digest in pool status (#9) (78f4ac9)
  • vsock: add bidirectional PTY methods to StreamConn (0dabdc4)
  • vsock: add host-side RunCode streaming client method (bd5ee8f)
  • vsock: add PTY request and frame protocol types (37ab5c0)
  • vsock: add TypeRunCode and result/error stream frames (91a0395)
  • wildcard suffix names in the egress allowlist with anchored matching (1f2fac5)
  • Workspace and WorkspaceRevision CRD types (2113f67)
  • Workspace controller with revision lineage, retention, and status (b89f77f)
  • workspace outputs extraction with path filter and revision diff (97d1c22)
  • workspace revision change feed via CloudEvents and Kubernetes Events (b11d33c)
  • workspace: fork/revert verbs with LLM-legible rejection (#21, #28) (a7253f0)
  • workspace: per-workspace encryption key (#31, #21) (b84e751)
  • workspace: S3 object-store backend (#21) (10e2b18)
  • workspace: Secret-backed git rendezvous credentials (#21) (3d610d5)
  • workspace: wire live husk workspace hydrate/dehydrate transport (#21) (3316ace)

Bug Fixes

  • accurate NoCapacity condition per re-pend cause; document husk hard-node-loss latency (46c2fc2)
  • agentrun help works without a kubeconfig (a46ef4a)
  • bench measures fork to first exec, teardown excluded (913ae5e)
  • CAS CI phase uses guaranteed real files; chmod kvm in snapshot step (ec6f687)
  • CAS removes partial output on verify failure, single-pass PutSnapshot (71613f5)
  • ci-runner: e2e namespace must be PSA enforce: privileged for husk hostPaths (995dffe)
  • ci-runner: e2e namespace PSA enforce privileged (husk hostPaths) (cd78401)
  • ci-runner: grant runner daemonsets get/patch for forkd deploy-under-test (d40c082)
  • ci-runner: grant runner workspaces/workspacerevisions for the W4 e2e (34c461e)
  • ci-runner: grant the runner daemonsets get/patch (forkd deploy-under-test) (48d6590)
  • ci-runner: make the self-hosted runner + cluster-e2e actually work (verified live) (3daa57f)
  • ci-runner: registration entrypoint, runAsUser pin, ghcr pull secret (2b9fba4)
  • conflict-tolerant facade test spec updates (67aa819)
  • conflict-tolerant facade test spec updates (7dcb7b9)
  • controller: clean up per-pool demand entry and metric labels on pool delete (3af993f)
  • controller: do not let GC node-loss fail a recoverable husk claim (6dfd6dd)
  • controller: enforce MaxSandboxes count ceiling at schedule time (6b63af6)
  • controller: re-pend raw-forkd claim on ResourceExhausted/Unavailable (6e9e4ad)
  • controller: settle an unplaceable husk claim so it stops hot-looping (#130) (4b92e6c)
  • controller: tie node health to a forkd liveness probe (a5f6a1c)
  • cow: keep the template mount read-write so snapshot load opens the baked rootfs (646a15d)
  • default controller namespace to mitos (was mitos-system, inconsistent with the deploy namespace + namespace.yaml after the rename) (7529d7f)
  • deploy: enforce privileged PodSecurity on pool namespaces (56110f3)
  • deploy: enforce privileged PodSecurity on the mitos namespace (4d7e2c7)
  • deploy: forkd agent-bin, privileged, DOCKER_CONFIG, drop jailer args (ffe8592)
  • deploy: grant leases to the dev mock controller for leader election (3ef03e4)
  • deploy: wire ghcr-pull onto the controller serviceaccount (6db590d)
  • device-plugin e2e proves /dev/kvm injection on the kvm-capable runner (7f179b5)
  • dnsproxy refuses when the source guest has no tap mapping (12dbc96)
  • drop husk-pod reuse so an evicted claim recovers onto a fresh pod (c190523)
  • drop husk-pod reuse so an evicted claim recovers onto a fresh pod (868f235)
  • e2e: thread fork timeout in SDK; make husk-e2e PTY stage best-effort (a731016)
  • e2e: thread fork timeout in SDK; make husk-e2e PTY stage best-effort (95bf424)
  • emit phase.changed from an uncached read so the event is never dropped (617808d)
  • encryption cleanup on failed build, destroy in-memory key on shred, serialize container open (0fc2843)
  • enforce run_code timeout so a runaway cell cannot wedge the kernel (95821bf)
  • error on truncated run_code stream in both SDKs (515562f)
  • facade warmpool status selector matches husk pod labels; document podTemplate metadata exceptions (2964cfd)
  • fork: close MaxSandboxes admission TOCTOU with an atomic slot reservation (bc5ec29)
  • forkd: build the guest agent into the image at /usr/local/bin/agent (47a573d)
  • fork: re-verify pid before killing a re-adopted VM (TOCTOU) (0336421)
  • grant the dev mock controller workspace RBAC (0508896)
  • guest: thread dispatcher scanner into PTY handler to preserve coalesced input (c6336f1)
  • husk stub verifies the snapshot (digest + snapcompat) on activate, fail-closed (d175d6b)
  • husk warm pool self-heals independent of the snapshot build (f37251e)
  • husk-stub keeps the activated VM alive until shutdown (183c99c)
  • husk: clone fork child rootfs from source, snapshot source once (5146bb3)
  • husk: define the --forks-dir flag the controller emits to husk-stub (e1dbbd5)
  • husk: gate husk-stub sandbox API on the token, not a fixed id (12f7273)
  • husk: gate husk-stub sandbox API on the token, not a fixed id (ecc5be1)
  • husk: make husk fork child creation idempotent fixed-slot set (c4379ae)
  • husk: mount husk PKI TLS Secrets on fork child pods (887a7ee)
  • kernel driver enforces timeout and reports kernel death (88a8020)
  • kvm device plugin container starts under read-only /dev; e2e diagnostics (8a87301)
  • leader election + warm-pool refill/recycle/reuse (f2dd2b6)
  • make husk activation work on real KVM (bare-metal validation) (e322fb5)
  • MCP server ctx-cancel shutdown, empty-file writes, id path safety, fork partial ids (9881e93)
  • netconf: pin exact /30 block on crash re-adoption (c78e68b)
  • nolint the deprecated GetEventRecorderFor in the feed wiring (16b2728)
  • optimistic-lock husk pod claim; serve token-gated sandbox API in the husk stub (de9ff7a)
  • per-pod husk VM id and read-only template mount (0ab3f5e)
  • per-sandbox nftables dispatch chains, ForkRunning fails closed on networking (87d7bca)
  • prevent git argument injection in workspace rendezvous (-- separator, ref + scheme guards) (183be91)
  • re-assert the validateVMID barrier at TemplateManager entry points (fe0c003)
  • rebind husk rootfs drive while paused, before resume (2c4416b)
  • refuse to deliver the encryption key over a non-mTLS channel (0c6e455)
  • reliable phase.changed emit (uncached read) and conflict-tolerant test setup (870a93a)
  • safe-join archive extraction against parent symlink traversal (codeql) (b15b827)
  • scope husk rootfs CoW clone to a per-pod VM id (4069942)
  • sdk: kill() deterministically tears down the background stream (dac810b)
  • sdk: lazy-import optional async websockets; e2e tests the checked-out SDK (5672ed4)
  • sdk: lazy-import the optional async websockets; e2e installs the checked-out SDK (81321f1)
  • sdk: truncated stream, TS abort, Python background+kill scoping (1d1fd85)
  • sdk: verify image on default-pool reuse and harden slug (f4df9e0)
  • serve CAS on a separate TLS listener; peer token via env; traversal test (9db4d7b)
  • validate CAS digests to block path traversal (codeql) (07c67b6)
  • validate volume names and bake read-only for Share volumes (c6013f1)
  • validateVMID barrier at TemplateManager entry points (f6c3634)
  • vol-smoke seeds the snapshot volume via mkfs -d, no host mount (fb5a2da)
  • wait for agent readiness before snapshot, plumb Spec.Init through the controller (0f2aca3)
  • warm-pool refills per claim + claim release recycles the husk pod (12d5a5b)
  • workspace: allow cross-workspace fork lineage so forks commit + advance the head (1adb8a5)
  • workspace: reject userinfo in git rendezvous remote URL (8f5f9af)
  • workspace: wire husk diff + best-effort git on dehydrate-on-terminate (b405f04)
Assets 2
Loading