Roadmap

May 31, 2026 ยท View on GitHub

Detailed project plan can be found in plan/project.md and related files.

m1: Devcontainer template (done)

  • Base + agent-specific images (images/)
  • Policy YAML for configurable domain allowlists
  • Reusable template (templates/claude/)
  • Documentation for adding to other projects

m2: Published images (done)

  • Build and publish images to GitHub Container Registry
  • Multi-platform support
  • Pin images by digest for reproducibility

m2.5: Shell customization (done)

  • Mount custom shell scripts via ~/.config/agent-sandbox/shell.d/
  • Support for dotfiles directory mounting
  • Read-only mounts to prevent agent modification

m3: Proxy enforcement (done)

  • mitmproxy sidecar for traffic logging and domain enforcement
  • Log mode (PROXY_MODE=log) to observe what endpoints agents need
  • Structured JSON logs for analysis
  • Two-layer enforcement: proxy allowlist + iptables to prevent bypass
  • SSH blocked, git over HTTPS only

m4: Multi-agent support (done)

  • Claude Code support
  • GitHub Copilot CLI support
  • Remaining agents promoted to individual milestones (m7, m9-m12)

m5: Deep customization (done)

  • Shell-init hooks survive user .zshrc replacement
  • Dotfiles support with recursive auto-symlinking
  • Language stack installer scripts (python, node, go, rust)
  • STACKS build arg for one-liner installation

m6: CLI (done)

  • agentbox init - interactive project setup (project name, agent, mode, IDE)
  • agentbox exec - start or attach to the agent container
  • agentbox edit policy - edit network policy and reload configuration in proxy container
  • agentbox edit compose - open compose file in editor
  • agentbox bump - pull latest images and pin to new digests
  • agentbox <command> - pass-through to docker compose
  • agentbox destroy - remove containers, volumes, and config
  • agentbox version - show version info
  • Initial Docker-based CLI distribution (retired after the Go CLI cutover)
  • Bash 3.2 compatibility (macOS default shell)

m7: Codex support (done)

  • agent-sandbox-codex image, CLI/devcontainer templates, and init/build integration
  • OpenAI Codex CLI installation from GitHub releases with its internal sandbox disabled in-container
  • Network policy, CI publishing, and daily version checks for Codex/OpenAI domains

m8: Agent switching (done)

  • agentbox switch --agent <name> shipped
  • Per-agent state volumes are preserved when switching
  • Layered user compose/policy customizations are preserved (shared + optional mode/agent overrides)
  • Policy layers are merged at proxy runtime
  • Runtime ownership split is explicit: CLI mode is agentbox-managed, devcontainer mode is IDE-managed
  • Legacy single-file setups now fail with explicit upgrade guidance instead of automatic migration tooling

m9: Gemini CLI support (done)

  • agent-sandbox-gemini image and templates
  • Google Gemini CLI installation and configuration
  • Network policy with Gemini API domains

m10: Factory support (done)

  • agent-sandbox-factory image and templates
  • Factory agent installation and configuration
  • Network policy with Factory API domains

m11: Pi support (done)

  • agent-sandbox-pi image and templates
  • Pi agent installation and configuration
  • Network policy with required API domains

m12: OpenCode support (done)

  • agent-sandbox-opencode image and templates
  • OpenCode installation and configuration
  • Network policy with required API domains

m13: Go CLI rewrite (done)

  • Rewrite agentbox CLI in Go using Cobra
  • GitHub Releases binaries are the install path
  • Legacy Bash CLI, parity harness, and Docker CLI image distribution removed after cutover
  • Native YAML handling (drop yq dependency)
  • Cross-compile for macOS (arm64, amd64) and Linux
  • Port all existing commands with improved testing

m14: Fine-grained proxy rules (done)

  • Request-aware policy rules for HTTP and HTTPS using scheme, method, path, and exact query matching
  • Nested rule objects under domains entries with deterministic layered merge behavior and merge_mode: replace
  • Semantic service catalog mappings, including repo-scoped GitHub API and Git smart-HTTP restrictions
  • Domain-only rules remain backward-compatible and keep the CONNECT fast path
  • agentbox proxy reload and agentbox edit policy hot-reload policy changes with last-known-good fallback

m15: Proxy-side secret injection (done)

  • Make proxy injection the primary mechanism for HTTP-native credentials
  • Store raw secret values in a host-only source and mount them into the proxy only
  • Inject headers directly on matched outbound requests with redacted audit logging
  • First rollout: git over HTTPS with repo-level scoping
  • Keep GitHub tokens out of the agent container for clone, fetch, and push over smart HTTP
  • Evaluate other HTTP-native clients after the GitHub Git flow is proven

m16: Hermes support (done)

  • agent-sandbox-hermes image and templates for the Nous Research Hermes agent
  • Installation from upstream shell installer with a pinned version
  • Network policy with the Hermes service domains (TBD during discovery)
  • Provider-agnostic posture: Hermes supports Nous Portal, OpenRouter, OpenAI, and custom endpoints; users add the relevant provider service to their policy
  • Scope limited to CLI mode; non-CLI integrations (Telegram, Discord, Slack, etc.) are out of scope

m17: Provider API-key injection (planned)

  • Extend proxy-side secret injection from GitHub Git auth to model-provider API-key traffic
  • Add raw-header injection for provider headers whose value is the secret itself
  • Add service-catalog auth expansion for OpenAI, Anthropic, and Gemini API patterns
  • Add a generic renderer-owned fake env shim primitive, first used for clients that require OPENAI_API_KEY, ANTHROPIC_API_KEY, or GEMINI_API_KEY
  • Support Codex, Claude API-key mode, Gemini API-key mode, and provider-backed Pi/OpenCode flows where practical
  • Explicitly exclude OAuth, browser login, device-code, subscription-login, and helper-protocol flows

m18: GitHub REST wrapper (planned)

  • Repo-scoped GitHub wrapper using REST-only endpoints
  • Keep repo identity visible in request URLs so m14 policies can constrain access to one repo
  • Support a curated set of high-value GitHub workflows that fit REST plus URL-based policy matching
  • Prefer a standalone binary if practical; Go plus google/go-github is the leading candidate
  • Define and document the supported subset and explicitly exclude GraphQL-dependent gh flows
  • Use m15 proxy-side credential injection where practical instead of storing GitHub tokens in the agent container

m19: CLI monitoring and policy management (planned)

  • Filtered log view for blocked requests
  • Interactive unblock workflow
  • Integration with hot reload for immediate policy updates
  • UI approach TBD (filtered stream, TUI, or hybrid)

m20: Host credential service (planned)

  • Secondary credential path for flows that cannot be handled by proxy injection
  • Host-side service bridging container to native credential store or helper backend
  • Container shim implements a helper protocol for clients that must receive credentials locally
  • Keep credentials off disk inside the container even when direct injection is not viable
  • Integrated into agentbox CLI lifecycle