Changelog

All notable changes to agentkernel are documented here. See GitHub Releases for downloadable binaries.


v0.6.0 — Enterprise Policy Engine

February 1, 2026

Added

  • Cedar policy engine — declarative authorization using AWS Cedar with default-deny evaluation, role-based and attribute-based access control (--features enterprise)
  • JWT/OIDC identity — authenticate users via JWT tokens with JWKS validation and OIDC device authorization flow for CLI login
  • Multi-tenant policy hierarchy — organization and team scoping with inheritance for policy evaluation
  • Policy bundle signing — Ed25519 signature verification with trust anchors, version rollback protection, and expiry enforcement
  • Policy cache — offline operation with configurable modes (default_policy, cached_only, cached_with_expiry) and FNV-1a integrity hashing
  • Audit logging — OCSF-compatible policy decision logs with structured JSON output and SIEM-ready event streaming
  • HTTP API policy endpoints — GET /policy/status, POST /policy/check, POST /policy/reload for runtime policy management
  • CLI policy commands — policy status, policy check, policy audit-log for local policy inspection
  • Policy enforcement in HTTP API — all /run, /create, /exec, /attach endpoints enforce Cedar authorization
  • AgentKernelPolicy CRD — namespaced Kubernetes Custom Resource for Cedar policies, managed via kubectl apply and GitOps (shortname: akp)
  • ClusterAgentKernelPolicy CRD — cluster-scoped Cedar policy CRD for global rules (shortname: cakp)
  • K8s policy operator — watches policy CRs, validates Cedar syntax, aggregates by scope and priority, hot-reloads the evaluation engine
  • Sandbox policy enforcement — operator evaluates Create action against Cedar engine before creating pods, blocks denied requests with status update
  • Example Cedar policies — default permit, RBAC, MFA-required, runtime restrictions, and org isolation examples in examples/enterprise/
  • Compliance mapping — SOC 2, HIPAA, and FedRAMP control mapping documentation

Changed

  • Default features — kubernetes, nomad, and enterprise features are now included in default builds
  • generate_crd_manifests() — returns Vec<String> instead of tuple, includes all 4 CRDs (sandbox, pool, policy, cluster-policy)
  • run_operator() — accepts optional CedarEngine and PolicyAuditLogger, runs 3 controllers concurrently when enterprise is enabled

Docs

  • Kubernetes orchestration docs updated with policy CRD reference, evaluation order, identity annotations, and examples
  • Enterprise policy examples README with K8s-native and GitOps workflow documentation
  • Kubernetes example README with policy CRD quickstart

Full Changelog: v0.5.1...v0.6.0


v0.5.1 — Docker Images, Nomad Pack & Docs

February 1, 2026

Added

  • Docker image publishing — ghcr.io/thrashr888/agentkernel:latest and versioned tags built automatically on each release
  • Helm OCI publishing — oci://ghcr.io/thrashr888/charts/agentkernel published automatically on each release
  • Nomad Pack — configurable Nomad deployment via nomad-pack run with variables for count, backend, resources, and Consul service registration

Fixed

  • Dockerfile — bumped Rust from 1.83 to 1.88 (required for edition 2024 let-chains)
  • K8s labels — replaced fictional agentkernel.io/ domain prefix with bare agentkernel/ in all labels and CRDs
  • Deploy docs — replaced local file paths with git clone / curl from GitHub; added honest notes about OCI/Docker image availability
  • CI — added checks: write permission for rustsec/audit-check workflow

Changed

  • Docs restructure — deploy content inlined into orchestration-kubernetes.md and orchestration-nomad.md; deploy.md slimmed to shared concerns only
  • README — added Kubernetes and Nomad to platform table and orchestration section

Full Changelog: v0.5.0...v0.5.1


v0.5.0 — Kubernetes & Nomad Orchestration

January 31, 2026

Added

  • Kubernetes backend — run sandboxes as Pods on any K8s cluster with NetworkPolicy isolation, optional gVisor/Kata RuntimeClass, and warm pool support (--features kubernetes)
  • Nomad backend — run sandboxes as Nomad job allocations with Docker/exec/raw_exec drivers and Consul/Vault integration (--features nomad)
  • Kubernetes operator — CRD types (AgentSandbox, AgentSandboxPool) and controller for declarative sandbox management
  • Warm pool managers for both K8s (label-based warm→active) and Nomad (parameterized batch jobs) backends
  • Helm chart for Kubernetes deployment (deploy/helm/agentkernel/)
  • Nomad job spec for Nomad deployment (deploy/nomad/agentkernel.nomad.hcl)
  • Orchestrator config — [orchestrator] section in agentkernel.toml for namespace, warm pool size, runtime class, and driver settings
  • Security mapping for K8s Pod security contexts and Nomad cap_drop to existing permission profiles
  • remote_id and remote_namespace fields on SandboxState for tracking cluster-side resources

Performance

  • O(1) sandbox state detection — batch state queries instead of per-sandbox checks across all backends
  • Optimized K8s and Nomad backend latency (~570ms one-shot, faster with warm pools)

Docs

  • Orchestration documentation with separate Kubernetes and Nomad pages
  • Benchmark results for K8s and Nomad backends
  • Updated backend comparison table

Fixed

  • K8s and Nomad backend fixes from live integration testing
  • CI rustsec/audit-check now has checks: write permission

Full Changelog: v0.4.0...v0.5.0


v0.4.0 — API Surfaces & SDK Updates

January 30, 2026

Added

  • File operations API — read, write, and delete files inside running sandboxes via PUT/GET/DELETE /sandboxes/{name}/files/{path}
  • Batch execution API — run multiple commands in parallel via POST /batch/run
  • Sandbox logs API — retrieve audit log entries via GET /sandboxes/{name}/logs
  • Resource limits — set vcpus and memory_mb when creating sandboxes
  • Security profiles via API — pass profile (permissive/moderate/restrictive) on sandbox creation
  • SDK support for all new endpoints across Node.js, Python, Rust, Go, and Swift SDKs
  • OpenAPI spec updated to 0.4.0 with full schema coverage
  • Terminal size detection for session recording
  • Domain config validation (DomainConfig.is_allowed())
  • Command policy enforcement and attach session recording

Fixed

  • Fully-qualified tap name for brew services
  • MkDocs internal links now use directory URLs
  • Idempotency check for GitHub Packages publish

Docs

  • SDK documentation pages updated with file ops, batch, and logs examples
  • Session recording, audit events, and config validation docs
  • Integration levels and native sandbox links for all agents
  • SDK links and TypeScript example on docs home and README

Full Changelog: v0.3.1...v0.4.0


v0.3.1 — Setup Auto-Installs Agent Plugins

January 30, 2026

Fixed

  • agentkernel setup now auto-installs agent plugins
  • Crates.io OIDC token handling for publish workflow

Full Changelog: v0.3.0...v0.3.1


v0.3.0 — Agent-in-Sandbox & SDKs

January 30, 2026

Added

  • Agent-in-sandbox with PTY support, environment variable passthrough, and example images (#1)
  • Client SDKs for Node.js, Python, Rust, Go, and Swift
  • Agent plugins for Claude Code, OpenCode, Codex, and Gemini CLI
  • Plugin installer — agentkernel plugin install command
  • Homebrew service — brew services start agentkernel
  • SSE streaming — /run/stream endpoint for real-time command output
  • Audit logging for all sandbox operations
  • Session recording in asciicast v2 format with agentkernel replay
  • OpenAPI 3.1 spec for the HTTP API
  • Docker image to ext4 rootfs conversion for Firecracker
  • Seccomp profile support for Docker backend
  • Domain and command filtering config
  • OIDC trusted publishing for npm, PyPI, and crates.io
  • Comparisons page and benchmarks documentation
  • MkDocs documentation site with Material theme

Changed

  • Default port changed from 8080 → 8880 → 18888
  • Claude plugin moved to agent-native paths

Fixed

  • CI Rust bumped to 1.88 for let-chains stabilization
  • Missing sandbox backend handling in tests

Full Changelog: v0.2.0...v0.3.0


v0.2.0 — Multi-Backend & Hyperlight

January 22, 2026

Added

  • Unified Sandbox trait for all backends (Docker, Podman, Firecracker, Apple Containers, Hyperlight)
  • Hyperlight WebAssembly backend for sub-millisecond sandboxes (~68ms startup, ~3,300 RPS)
  • Apple Containers backend for macOS 26+ with native container support
  • Daemon mode with Firecracker VM pool for persistent fast execution
  • Container pool for 5.8x faster ephemeral runs
  • WAT support — WebAssembly text format compilation
  • File operations on the Sandbox trait and agentkernel cp command
  • --backend CLI flag for backend selection
  • Vsock connection caching and single-RPC daemon exec
  • Per-agent pool configuration and MCP skill docs
  • Agent compatibility modes with preset profiles
  • Dockerfile support with auto-detection and caching
  • [[files]] config section for file injection at startup
  • AllBeads onboarding for issue tracking

Performance

  • Docker/Podman optimized with direct run --rm for ephemeral execution
  • Apple containers optimized with single-operation ephemeral runs
  • Hyperlight sandbox pooling with warm_to() for precise pre-warming

Full Changelog: v0.1.2...v0.2.0


v0.1.2 — Container Pooling & Firecracker Exec

January 21, 2026

Added

  • Container pool for pooled vs non-pooled execution comparison
  • Persistent exec channel for Docker backend
  • Guest agent wired up for Firecracker exec via vsock
  • Firecracker vsock support via Unix socket protocol

Performance

  • 110ms boot time achieved (89% faster) with i8042 disable
  • Optimized Firecracker boot args for 35% faster startup

Fixed

  • Proper KVM permission detection (not just existence check)
  • Docker image to Firecracker runtime auto-mapping
  • Rootfs ownership after Docker build
  • Setup improvements for new users

Full Changelog: v0.1.1...v0.1.2


v0.1.1 — Security Hardening & Performance

January 20, 2026

Security

  • Input validation — sandbox names, runtime names, and Docker images validated against strict patterns
  • Command injection — fixed potential injection via sandbox names and Docker filters
  • Path traversal — prevented directory traversal in rootfs resolution
  • SBPL injection — validated paths used in macOS Seatbelt profiles
  • TOCTOU fixes — atomic operations for socket cleanup

See SECURITY.md for the full security policy.

Performance

Docker backend 33% faster:

Metric                  Before   After
Total (10 sandboxes)    6.70s    4.50s
Avg start               258ms    174ms
Avg stop                172ms    109ms

  • Removed redundant container existence checks
  • Added --rm flag for automatic cleanup
  • Combined stop+remove into single operation
  • 1-second stop timeout for ephemeral containers

Docs

Full Changelog: v0.1.0...v0.1.1


v0.1.0 — Initial Release

January 20, 2026

Features

  • Firecracker microVM management — create, start, stop, remove, and exec in isolated VMs
  • Sub-125ms boot times — lightweight ~25MB images with minimal Linux kernel
  • Multiple runtimes — base, Python, Node, Rust, Go with auto-detection
  • Security profiles — permissive, moderate, and restrictive isolation levels
  • MCP server — Claude Code integration via JSON-RPC over stdio
  • HTTP API — programmatic access for automation
  • macOS support — Seatbelt sandbox fallback, Docker KVM host for nested virtualization
  • Cross-platform — Linux (native KVM) and macOS (Docker Desktop)

Full Changelog: v0.1.0