agentkernel 0.1.0

Run AI coding agents in secure, isolated microVMs
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155

# CLAUDE.md

This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.

## Project Overview

**agentkernel** is a Firecracker-based microVM runtime for running AI coding agents (Claude Code, Gemini CLI, Codex, OpenCode) in true hardware-isolated sandboxes. It provides per-project isolation with sub-125ms boot times, ~25MB images, and real kernel-level isolation via KVM.

**Key difference from containers**: Each sandbox runs in its own virtual machine with a dedicated Linux kernel, not a shared kernel like Docker. This provides stronger isolation guarantees.

## Build Commands

```bash
# Build
cargo build

# Build release
cargo build --release

# Run tests
cargo test

# Run stress test (100 VMs, requires Firecracker implementation)
cargo test --test stress_test -- --nocapture --ignored

# Quality gates (run before commits)
cargo fmt -- --check && cargo clippy -- -D warnings && cargo test

# Run the CLI
cargo run -- <command>
```

## Building VM Images

```bash
# Build kernel (via Docker, works on macOS)
cd images/build
docker build -t agentkernel-kernel-builder -f Dockerfile.kernel-builder .
docker run --rm -v "$(pwd)/../kernel:/kernel" agentkernel-kernel-builder 6.1.70

# Output: images/kernel/vmlinux-6.1.70-agentkernel (~4MB)
```

## Architecture

```
src/
├── main.rs           # CLI entry point (clap-based), command dispatch
├── config.rs         # Config parsing for agentkernel.toml
├── permissions.rs    # Security profiles and permission management
├── agents.rs         # Multi-agent support (Claude, Gemini, Codex, OpenCode)
├── http_api.rs       # HTTP REST API server
├── mcp.rs            # MCP server for Claude Code integration
├── docker_backend.rs # Docker/Podman container backend
├── vmm.rs            # Virtual machine manager (abstracts backends)
├── languages.rs      # Language/runtime detection
└── setup.rs          # Setup and installation management

images/
├── kernel/
│   ├── microvm.config              # Minimal kernel config for Firecracker
│   └── vmlinux-*-agentkernel       # Built kernel (after build)
├── rootfs/                          # Rootfs images (TODO)
└── build/
    ├── build-kernel.sh             # Kernel build script
    └── Dockerfile.kernel-builder    # Docker build environment

tests/
└── stress_test.rs                   # 100 VM parallel stress test

plan/
└── firecracker-pivot.md            # Full architecture plan
```

### Key Components (In Development)

- **Firecracker VMM**: Direct API integration for microVM lifecycle
- **Guest Agent**: vsock-based daemon inside VM for command execution
- **Kernel**: Minimal Linux build (~4MB) with virtio, vsock, ext4
- **Rootfs**: Alpine-based images with runtime stacks (Python, Node, Rust)

### Platform Strategy

| Platform | How it works |
|----------|--------------|
| Linux | Direct Firecracker + /dev/kvm |
| macOS | Docker Desktop provides KVM-capable Linux VM, Firecracker runs inside |

### Configuration Schema (agentkernel.toml)

```toml
[sandbox]
name = "my-project"
base_image = "python:3.12-alpine"  # Or use runtime shorthand

[agent]
preferred = "claude"      # claude, gemini, codex, opencode

[resources]
vcpus = 2
memory_mb = 512

[security]
profile = "restrictive"   # permissive, moderate, restrictive
network = false           # Override: disable network
mount_cwd = false         # Override: mount current directory

[network]
vsock_cid = 3             # Auto-assigned if not specified
```

### Security Profiles

| Profile | Network | Mount CWD | Mount Home | Pass Env | Read-only |
|---------|---------|-----------|------------|----------|-----------|
| permissive | Yes | Yes | Yes | Yes | No |
| moderate | Yes | No | No | No | No |
| restrictive | No | No | No | No | Yes |

## Key Dependencies

- `clap` with derive - CLI argument parsing
- `tokio` - async runtime
- `anyhow` - error handling
- `serde/toml` - config parsing
- (Planned) Firecracker API client via REST/Unix socket

## Performance Targets

| Metric | Target |
|--------|--------|
| Boot time | <125ms |
| Shutdown | <50ms |
| Memory overhead | <10MB per VM |
| 100 VM test | <30s total |

## Security Model

MicroVM isolation provides:
- **Separate kernel**: Each VM runs its own Linux kernel
- **Hardware isolation**: KVM/VT-x enforced memory boundaries
- **Minimal attack surface**: Firecracker is ~50k lines of Rust
- **No container escapes**: Not sharing host kernel
- **Security profiles**: `restrictive` (default in examples), `moderate`, `permissive`
- **Network control**: `--no-network` flag or config override

## Beads Issue Tracking

```bash
bd ready              # Show unblocked work
bd show <id>          # View issue details
bd update <id> --status in_progress
bd close <id>
bd sync               # Sync with git (run at session end)
```