Roadmap
May 31, 2026 ยท View on GitHub
Detailed project plan can be found in plan/project.md and related files.
m1: Devcontainer template (done)
- Base + agent-specific images (
images/) - Policy YAML for configurable domain allowlists
- Reusable template (
templates/claude/) - Documentation for adding to other projects
m2: Published images (done)
- Build and publish images to GitHub Container Registry
- Multi-platform support
- Pin images by digest for reproducibility
m2.5: Shell customization (done)
- Mount custom shell scripts via
~/.config/agent-sandbox/shell.d/ - Support for dotfiles directory mounting
- Read-only mounts to prevent agent modification
m3: Proxy enforcement (done)
- mitmproxy sidecar for traffic logging and domain enforcement
- Log mode (
PROXY_MODE=log) to observe what endpoints agents need - Structured JSON logs for analysis
- Two-layer enforcement: proxy allowlist + iptables to prevent bypass
- SSH blocked, git over HTTPS only
m4: Multi-agent support (done)
- Claude Code support
- GitHub Copilot CLI support
- Remaining agents promoted to individual milestones (m7, m9-m12)
m5: Deep customization (done)
- Shell-init hooks survive user .zshrc replacement
- Dotfiles support with recursive auto-symlinking
- Language stack installer scripts (python, node, go, rust)
- STACKS build arg for one-liner installation
m6: CLI (done)
agentbox init- interactive project setup (project name, agent, mode, IDE)agentbox exec- start or attach to the agent containeragentbox edit policy- edit network policy and reload configuration in proxy containeragentbox edit compose- open compose file in editoragentbox bump- pull latest images and pin to new digestsagentbox <command>- pass-through to docker composeagentbox destroy- remove containers, volumes, and configagentbox version- show version info- Initial Docker-based CLI distribution (retired after the Go CLI cutover)
- Bash 3.2 compatibility (macOS default shell)
m7: Codex support (done)
- agent-sandbox-codex image, CLI/devcontainer templates, and init/build integration
- OpenAI Codex CLI installation from GitHub releases with its internal sandbox disabled in-container
- Network policy, CI publishing, and daily version checks for Codex/OpenAI domains
m8: Agent switching (done)
agentbox switch --agent <name>shipped- Per-agent state volumes are preserved when switching
- Layered user compose/policy customizations are preserved (shared + optional mode/agent overrides)
- Policy layers are merged at proxy runtime
- Runtime ownership split is explicit: CLI mode is agentbox-managed, devcontainer mode is IDE-managed
- Legacy single-file setups now fail with explicit upgrade guidance instead of automatic migration tooling
m9: Gemini CLI support (done)
- agent-sandbox-gemini image and templates
- Google Gemini CLI installation and configuration
- Network policy with Gemini API domains
m10: Factory support (done)
- agent-sandbox-factory image and templates
- Factory agent installation and configuration
- Network policy with Factory API domains
m11: Pi support (done)
- agent-sandbox-pi image and templates
- Pi agent installation and configuration
- Network policy with required API domains
m12: OpenCode support (done)
- agent-sandbox-opencode image and templates
- OpenCode installation and configuration
- Network policy with required API domains
m13: Go CLI rewrite (done)
- Rewrite agentbox CLI in Go using Cobra
- GitHub Releases binaries are the install path
- Legacy Bash CLI, parity harness, and Docker CLI image distribution removed after cutover
- Native YAML handling (drop yq dependency)
- Cross-compile for macOS (arm64, amd64) and Linux
- Port all existing commands with improved testing
m14: Fine-grained proxy rules (done)
- Request-aware policy rules for HTTP and HTTPS using scheme, method, path, and exact query matching
- Nested rule objects under
domainsentries with deterministic layered merge behavior andmerge_mode: replace - Semantic service catalog mappings, including repo-scoped GitHub API and Git smart-HTTP restrictions
- Domain-only rules remain backward-compatible and keep the CONNECT fast path
agentbox proxy reloadandagentbox edit policyhot-reload policy changes with last-known-good fallback
m15: Proxy-side secret injection (done)
- Make proxy injection the primary mechanism for HTTP-native credentials
- Store raw secret values in a host-only source and mount them into the proxy only
- Inject headers directly on matched outbound requests with redacted audit logging
- First rollout: git over HTTPS with repo-level scoping
- Keep GitHub tokens out of the agent container for clone, fetch, and push over smart HTTP
- Evaluate other HTTP-native clients after the GitHub Git flow is proven
m16: Hermes support (done)
- agent-sandbox-hermes image and templates for the Nous Research Hermes agent
- Installation from upstream shell installer with a pinned version
- Network policy with the Hermes service domains (TBD during discovery)
- Provider-agnostic posture: Hermes supports Nous Portal, OpenRouter, OpenAI, and custom endpoints; users add the relevant provider service to their policy
- Scope limited to CLI mode; non-CLI integrations (Telegram, Discord, Slack, etc.) are out of scope
m17: Provider API-key injection (planned)
- Extend proxy-side secret injection from GitHub Git auth to model-provider API-key traffic
- Add raw-header injection for provider headers whose value is the secret itself
- Add service-catalog auth expansion for OpenAI, Anthropic, and Gemini API patterns
- Add a generic renderer-owned fake env shim primitive, first used for clients that require
OPENAI_API_KEY,ANTHROPIC_API_KEY, orGEMINI_API_KEY - Support Codex, Claude API-key mode, Gemini API-key mode, and provider-backed Pi/OpenCode flows where practical
- Explicitly exclude OAuth, browser login, device-code, subscription-login, and helper-protocol flows
m18: GitHub REST wrapper (planned)
- Repo-scoped GitHub wrapper using REST-only endpoints
- Keep repo identity visible in request URLs so m14 policies can constrain access to one repo
- Support a curated set of high-value GitHub workflows that fit REST plus URL-based policy matching
- Prefer a standalone binary if practical; Go plus
google/go-githubis the leading candidate - Define and document the supported subset and explicitly exclude GraphQL-dependent
ghflows - Use
m15proxy-side credential injection where practical instead of storing GitHub tokens in the agent container
m19: CLI monitoring and policy management (planned)
- Filtered log view for blocked requests
- Interactive unblock workflow
- Integration with hot reload for immediate policy updates
- UI approach TBD (filtered stream, TUI, or hybrid)
m20: Host credential service (planned)
- Secondary credential path for flows that cannot be handled by proxy injection
- Host-side service bridging container to native credential store or helper backend
- Container shim implements a helper protocol for clients that must receive credentials locally
- Keep credentials off disk inside the container even when direct injection is not viable
- Integrated into agentbox CLI lifecycle