KruxOS v0.0.2 — second release¶
Released: 2026-06-16 Status: Early beta — not for production use.
v0.0.2 is the largest KruxOS update so far. The dashboard has been rebuilt end to end, capability Packs now run inside the per-agent sandbox with a public authoring SDK, operators can connect Gmail and Slack accounts and have agents work against the synced data, the appliance can update itself from a signed release with automatic rollback if the new build is unhealthy, and every capability that touches the filesystem is now confined to the calling agent's own workspace.
This release builds on v0.0.1 — see the v0.0.1 release notes for the full platform inventory. Every feature exercised in the pre-tag hardware walk on the release-candidate appliance image is verified working; the couple of surfaces that ship but were not separately runtime-verified this cycle (Gmail connect, operator file uploads) are noted inline.
Highlights¶
- Redesigned dashboard. Every page — Home, Chat, Code, Agents, Approvals, Activity, Audit, Identities, Integrations, Settings, Health, Service Proxy, and the new Packs page — rebuilt on one design system with light/dark theming and a consistent visual language.
- Capability Packs that actually run. Install a pack from the
registry or upload one locally; its capabilities load and execute
inside the same per-agent sandbox as the built-ins, and appear in the
policy editor and the agent's capability list immediately — no
restart. Authors get a published
@kruxos/pack-sdkon npm plus Capability Design Guidelines. - Slack & Gmail connectors. Connect accounts from the dashboard; KruxOS keeps a synced local replica and routes the messaging capabilities (channels, send, reply, react, search, read) against it. Slack is verified working end-to-end on the appliance this release; Gmail connect ships on the same infrastructure but was not separately runtime-verified this cycle and needs your own Google Cloud OAuth app.
- Self-updating appliance. Check, download, apply, and reboot into a new release straight from Settings → Updates. Releases are signed; the appliance verifies the signature before applying, writes to the inactive A/B slot, and rolls back automatically if the new slot fails its health checks.
- Per-agent workspace isolation everywhere. Filesystem, git, and
process capabilities are all confined to the calling agent's own
workspace, not just
process.run.
What's new¶
Dashboard¶
The entire dashboard was rebuilt on a shared design system — new theming (light and dark), iconography, and typography, with a consistent layout across every page:
- Home, Chat, Code, Agents, Agent detail, Approvals, Activity, Audit, Identities, Integrations, Settings, Health, Service Proxy, and the new Packs page.
- Settings is now tabbed, including a dedicated Updates tab.
- Policy editor redesign — wildcard support, auto-save on visual edits, and an unsaved-changes warning before you navigate away.
- All five model-provider types and the OAuth device-code flow are preserved across the redesign.
Capability Packs¶
- Install from the registry or upload locally on the new
/packspage; list and remove installed packs. - Packs run in the sandbox. Each pack capability executes in the same forked, namespaced per-agent sandbox as the built-in capabilities — pack code is isolated exactly like first-party code.
- Visible to the platform. Installed pack capabilities show up in the agent's capability list, the policy editor, and the tool listing.
- No restart. Installing or removing a pack from the dashboard takes effect immediately.
- Public SDK.
@kruxos/pack-sdkis published to npm, with a getting-started guide and Capability Design Guidelines for authors.
Service Proxy — Slack & Gmail¶
- Connect accounts from the dashboard. The Service Proxy syncs a local replica of your messages in the background and exposes a manual re-sync. A new Service Proxy page shows connection state and token expiry.
- Slack is the runtime-verified connector this release. Its capabilities — channels, send, reply, react, search, read — operate against the synced replica and were exercised end-to-end on the appliance. A single failing channel no longer aborts the whole sync, and unfiltered search returns your synced messages.
- Gmail connect ships on the same Service Proxy infrastructure but was not separately runtime-verified this cycle. Connecting Gmail requires you to supply your own Google Cloud OAuth app; treat it as early/experimental until a future release exercises it on the appliance.
Self-updating appliance¶
- Settings → Updates walks you through check → download → apply → reboot, entirely from the dashboard.
- Signed releases. Updates are Ed25519-signed and verified against the appliance's baked-in public key before anything is applied.
- A/B slots with auto-rollback. Updates are written to the inactive root slot; a health monitor watches the freshly-booted slot and rolls back to the last known-good slot automatically if it fails its health checks.
Agents & capabilities¶
- Per-agent workspace isolation now spans every filesystem-touching
capability —
filesystem.*,git.*,process.*— through a single enforced chokepoint. Each agent gets its own workspace, created on add and backfilled at boot, and its system prompt only advertises that workspace. git.init— agents can now initialize a new repository in their workspace.- Reliable
/chatunder errors and large results. A capability that errors mid-conversation — or a tool result too large to fit the context window — no longer kills the conversation: the error is returned to the agent as a normal result and it adapts, and oversized results are capped with a clear[truncated]marker (re-read in slices withoffset/limit). The cap applies across every transport —/chatand the MCP bridge — so a single large read can't blow out an agent's context. Conversation context is also rendered deterministically, so an error turn no longer silently re-sends the history. process.runhonours itstimeoutfor foreground commands (up to the one-hour maximum) instead of being cut off early; a timed-out command and its child processes are reliably terminated and stay visible toprocess.list/process.kill. Its captured output is now clean (no sandbox diagnostic noise —echo hireturns exactlyhi), and thecommandfield is documented accurately: a bare executable plusargs, withsh -cfor pipelines andfilesystem.search_contentfor searching inside files.- Sandbox confinement is surfaced, not silent. If the running kernel
can't fully enforce the Landlock confinement KruxOS requests for
process.runchildren, that now raises a first-class operator alert (a structured journal error plus a/healthentry) instead of a warning buried inside a tool result. - Agents ship with built-in efficiency guidance so they reach for the most efficient capability for each task by default.
Known limitation. Agent scripts run via
process.runcannot yet see their workspace directory directly. Use thefilesystem.*capabilities for workspace files, and reserveprocess.runscripting for data supplied over stdin or for non-workspace paths. Full workspace visibility insideprocess.runis planned for the next release.
Vault¶
kruxos vault unlocknow unlocks for the whole CLI. Sibling commands see the unlocked vault instead of each reporting "locked".- Re-authenticate a bad model provider from the dashboard — removing a provider clears its leftover secret, and a re-auth button lets you re-link an OAuth provider without hand-editing the vault.
Code sessions & CLI integrations¶
/codeimprovements — rename tabs, a "gateway restarted, please refresh" banner, a re-attach hint when you close a tab, a directory picker for the working directory, and dark-mode-visible pickers.- Terminal rendering — the CLI terminal sizes itself to the visible pane and no longer clips text under the scrollbar.
- Claude Code / Codex sign-in persists across code sessions.
- Integrations page — per-CLI Update and Uninstall buttons, a working View Config, and corrected config-path text.
Approvals & audit¶
- Approval rows now show which CLI (Claude Code or Codex) initiated the request.
- The audit row-expand view surfaces the related approval-request id.
Operator file transfer¶
- A new Uploads page and file API give operators a documented way to move files to and from the appliance. (The page ships this release; it was not separately runtime-verified in the pre-tag walk.)
First-boot wizard¶
- OpenAI/Codex OAuth no longer blocks first boot (retry-or-disable); a OAuth-completed provider is linked as the new agent's default model; clearer Skip/Continue on the CLI-install step; and the license step reflects the current pricing model.
Platform & security¶
gitnow ships on the appliance, so a raw-shell fallback no longer hitsgit: not found. (TheghGitHub CLI is intentionally not bundled — KruxOS exposes a curatedgithub.*capability surface instead.)- No SSH, by design. The dead TCP 22 rule was dropped from the default firewall — no SSH daemon ships in the appliance, so the port was never reachable. Operator file transfer goes through the new Uploads page and file API instead.
- Firewall reliability fix. The appliance firewall now loads correctly on boot on both architectures.
- All v0.0.1 security properties carry forward — KruxOS remains the single approval and policy-enforcement surface, mass-destruction commands stay blocked unconditionally, per-principal soft-delete trash, dashboard TLS, and console-root-bound-to-vault-passphrase. See the v0.0.1 release notes for the full list.
Documentation¶
The public documentation has been brought in line with what the appliance actually ships — dashboard pages, the Gmail/Slack connect flow, operator file transfer, Pack authoring, and a number of command-reference corrections.
Reporting issues¶
- Security disclosures:
/.well-known/security.txtorsecurity@altvale.com. - Bug reports + feature requests: GitHub Issues on this repository.
Community¶
Join the KruxOS Discord for community support, discussion, and idea brainstorming: discord.gg/VXvQKNv6Jn.