Skip to content

KruxOS v0.0.2 — second release

Released: 2026-06-16 Status: Early beta — not for production use.

v0.0.2 is the largest KruxOS update so far. The dashboard has been rebuilt end to end, capability Packs now run inside the per-agent sandbox with a public authoring SDK, operators can connect Gmail and Slack accounts and have agents work against the synced data, the appliance can update itself from a signed release with automatic rollback if the new build is unhealthy, and every capability that touches the filesystem is now confined to the calling agent's own workspace.

This release builds on v0.0.1 — see the v0.0.1 release notes for the full platform inventory. Every feature exercised in the pre-tag hardware walk on the release-candidate appliance image is verified working; the couple of surfaces that ship but were not separately runtime-verified this cycle (Gmail connect, operator file uploads) are noted inline.


Highlights

  • Redesigned dashboard. Every page — Home, Chat, Code, Agents, Approvals, Activity, Audit, Identities, Integrations, Settings, Health, Service Proxy, and the new Packs page — rebuilt on one design system with light/dark theming and a consistent visual language.
  • Capability Packs that actually run. Install a pack from the registry or upload one locally; its capabilities load and execute inside the same per-agent sandbox as the built-ins, and appear in the policy editor and the agent's capability list immediately — no restart. Authors get a published @kruxos/pack-sdk on npm plus Capability Design Guidelines.
  • Slack & Gmail connectors. Connect accounts from the dashboard; KruxOS keeps a synced local replica and routes the messaging capabilities (channels, send, reply, react, search, read) against it. Slack is verified working end-to-end on the appliance this release; Gmail connect ships on the same infrastructure but was not separately runtime-verified this cycle and needs your own Google Cloud OAuth app.
  • Self-updating appliance. Check, download, apply, and reboot into a new release straight from Settings → Updates. Releases are signed; the appliance verifies the signature before applying, writes to the inactive A/B slot, and rolls back automatically if the new slot fails its health checks.
  • Per-agent workspace isolation everywhere. Filesystem, git, and process capabilities are all confined to the calling agent's own workspace, not just process.run.

What's new

Dashboard

The entire dashboard was rebuilt on a shared design system — new theming (light and dark), iconography, and typography, with a consistent layout across every page:

  • Home, Chat, Code, Agents, Agent detail, Approvals, Activity, Audit, Identities, Integrations, Settings, Health, Service Proxy, and the new Packs page.
  • Settings is now tabbed, including a dedicated Updates tab.
  • Policy editor redesign — wildcard support, auto-save on visual edits, and an unsaved-changes warning before you navigate away.
  • All five model-provider types and the OAuth device-code flow are preserved across the redesign.

Capability Packs

  • Install from the registry or upload locally on the new /packs page; list and remove installed packs.
  • Packs run in the sandbox. Each pack capability executes in the same forked, namespaced per-agent sandbox as the built-in capabilities — pack code is isolated exactly like first-party code.
  • Visible to the platform. Installed pack capabilities show up in the agent's capability list, the policy editor, and the tool listing.
  • No restart. Installing or removing a pack from the dashboard takes effect immediately.
  • Public SDK. @kruxos/pack-sdk is published to npm, with a getting-started guide and Capability Design Guidelines for authors.

Service Proxy — Slack & Gmail

  • Connect accounts from the dashboard. The Service Proxy syncs a local replica of your messages in the background and exposes a manual re-sync. A new Service Proxy page shows connection state and token expiry.
  • Slack is the runtime-verified connector this release. Its capabilities — channels, send, reply, react, search, read — operate against the synced replica and were exercised end-to-end on the appliance. A single failing channel no longer aborts the whole sync, and unfiltered search returns your synced messages.
  • Gmail connect ships on the same Service Proxy infrastructure but was not separately runtime-verified this cycle. Connecting Gmail requires you to supply your own Google Cloud OAuth app; treat it as early/experimental until a future release exercises it on the appliance.

Self-updating appliance

  • Settings → Updates walks you through check → download → apply → reboot, entirely from the dashboard.
  • Signed releases. Updates are Ed25519-signed and verified against the appliance's baked-in public key before anything is applied.
  • A/B slots with auto-rollback. Updates are written to the inactive root slot; a health monitor watches the freshly-booted slot and rolls back to the last known-good slot automatically if it fails its health checks.

Agents & capabilities

  • Per-agent workspace isolation now spans every filesystem-touching capability — filesystem.*, git.*, process.* — through a single enforced chokepoint. Each agent gets its own workspace, created on add and backfilled at boot, and its system prompt only advertises that workspace.
  • git.init — agents can now initialize a new repository in their workspace.
  • Reliable /chat under errors and large results. A capability that errors mid-conversation — or a tool result too large to fit the context window — no longer kills the conversation: the error is returned to the agent as a normal result and it adapts, and oversized results are capped with a clear [truncated] marker (re-read in slices with offset/limit). The cap applies across every transport — /chat and the MCP bridge — so a single large read can't blow out an agent's context. Conversation context is also rendered deterministically, so an error turn no longer silently re-sends the history.
  • process.run honours its timeout for foreground commands (up to the one-hour maximum) instead of being cut off early; a timed-out command and its child processes are reliably terminated and stay visible to process.list / process.kill. Its captured output is now clean (no sandbox diagnostic noise — echo hi returns exactly hi), and the command field is documented accurately: a bare executable plus args, with sh -c for pipelines and filesystem.search_content for searching inside files.
  • Sandbox confinement is surfaced, not silent. If the running kernel can't fully enforce the Landlock confinement KruxOS requests for process.run children, that now raises a first-class operator alert (a structured journal error plus a /health entry) instead of a warning buried inside a tool result.
  • Agents ship with built-in efficiency guidance so they reach for the most efficient capability for each task by default.

Known limitation. Agent scripts run via process.run cannot yet see their workspace directory directly. Use the filesystem.* capabilities for workspace files, and reserve process.run scripting for data supplied over stdin or for non-workspace paths. Full workspace visibility inside process.run is planned for the next release.

Vault

  • kruxos vault unlock now unlocks for the whole CLI. Sibling commands see the unlocked vault instead of each reporting "locked".
  • Re-authenticate a bad model provider from the dashboard — removing a provider clears its leftover secret, and a re-auth button lets you re-link an OAuth provider without hand-editing the vault.

Code sessions & CLI integrations

  • /code improvements — rename tabs, a "gateway restarted, please refresh" banner, a re-attach hint when you close a tab, a directory picker for the working directory, and dark-mode-visible pickers.
  • Terminal rendering — the CLI terminal sizes itself to the visible pane and no longer clips text under the scrollbar.
  • Claude Code / Codex sign-in persists across code sessions.
  • Integrations page — per-CLI Update and Uninstall buttons, a working View Config, and corrected config-path text.

Approvals & audit

  • Approval rows now show which CLI (Claude Code or Codex) initiated the request.
  • The audit row-expand view surfaces the related approval-request id.

Operator file transfer

  • A new Uploads page and file API give operators a documented way to move files to and from the appliance. (The page ships this release; it was not separately runtime-verified in the pre-tag walk.)

First-boot wizard

  • OpenAI/Codex OAuth no longer blocks first boot (retry-or-disable); a OAuth-completed provider is linked as the new agent's default model; clearer Skip/Continue on the CLI-install step; and the license step reflects the current pricing model.

Platform & security

  • git now ships on the appliance, so a raw-shell fallback no longer hits git: not found. (The gh GitHub CLI is intentionally not bundled — KruxOS exposes a curated github.* capability surface instead.)
  • No SSH, by design. The dead TCP 22 rule was dropped from the default firewall — no SSH daemon ships in the appliance, so the port was never reachable. Operator file transfer goes through the new Uploads page and file API instead.
  • Firewall reliability fix. The appliance firewall now loads correctly on boot on both architectures.
  • All v0.0.1 security properties carry forward — KruxOS remains the single approval and policy-enforcement surface, mass-destruction commands stay blocked unconditionally, per-principal soft-delete trash, dashboard TLS, and console-root-bound-to-vault-passphrase. See the v0.0.1 release notes for the full list.

Documentation

The public documentation has been brought in line with what the appliance actually ships — dashboard pages, the Gmail/Slack connect flow, operator file transfer, Pack authoring, and a number of command-reference corrections.


Reporting issues

  • Security disclosures: /.well-known/security.txt or security@altvale.com.
  • Bug reports + feature requests: GitHub Issues on this repository.

Community

Join the KruxOS Discord for community support, discussion, and idea brainstorming: discord.gg/VXvQKNv6Jn.