What's Changed

Performance

• OIDC discovery timeout — Provider discovery now has a 5s default timeout (configurable via auth.oidc.discovery_timeout) instead of blocking for ~30s when the issuer is unreachable from sandboxed environments.
• Mount probe timeout — Reduced the mount() syscall probe from 2s to 500ms. The probe returns nearly instantly in practice; the timeout only guards against hangs.
• Parallel DNS resolution — eBPF allowlist domain resolution now runs concurrently instead of sequentially, reducing N×600ms to a single ~600ms wait.
• Parallel platform detection — FUSE and iptables capability checks now run concurrently during platform initialization.

What's Changed

Features

• Configurable HTTP client timeout — New --client-timeout flag and AGENTSH_CLIENT_TIMEOUT env var (default: 30s). Fixes context deadline exceeded errors when commands take longer than 30s through seccomp_unotify file monitoring (e.g. Node.js startup in Firecracker VMs).

Bug Fixes

• Normalize hostnames in DNS/connect redirect matching — DNS redirect matching was case-sensitive and didn't handle trailing dots, allowing policy bypasses with mixed-case hostnames. Inputs are now normalized consistently. (Fixes #97)

What's Changed

Features

• AGENTSH_SHIM_FORCE env var for sandbox platforms — Sandbox platforms (Blaxel, E2B) run commands via HTTP APIs without a TTY. The v0.10.1 non-interactive stdin bypass caused the shim to skip policy enforcement entirely in these environments. Set AGENTSH_SHIM_FORCE=1 to override the bypass and restore policy enforcement for non-interactive sandbox APIs.

What's Changed

Shell Shim: Non-Interactive Stdin Bypass (#96)

• Fix binary data corruption: When stdin is not a TTY (piped data), the shim now execs the real shell directly instead of going through agentsh exec. This fixes binary data corruption when orchestrators pipe data through docker exec -i container sh -c "cat > /file" < binary.
• Root cause: The non-PTY exec path sends commands to the server as JSON but never reads from os.Stdin — piped binary data was silently dropped.
• --bash-only flag: New install-shell flag that shims only /bin/bash, leaving /bin/sh untouched for orchestrators that need a clean data-transfer path.
• New unit and integration tests for binary stdin passthrough across all supported distros

Build & Maintenance

• Update Go toolchain to 1.25.7
• Bump Dockerfile integration test versions to v0.10.1

What's Changed

OpenTelemetry Event Export (#95)

• New OTEL store backend that exports audit events as OTLP log records to a configured collector
• Support for both gRPC and HTTP transports with full TLS/mTLS configuration and custom headers
• Configurable event filtering by type (glob patterns), category, and risk level
• Semantic convention-aligned attributes (process.pid, host.name, user.id) plus agentsh.* namespace for domain-specific fields
• Severity mapping from policy decisions: allow→INFO, redirect/approve→WARN, deny→ERROR
• Batch processor with configurable timeout, max batch size, and export interval
• Environment variable overrides: AGENTSH_OTEL_ENDPOINT, OTEL_EXPORTER_OTLP_ENDPOINT, AGENTSH_OTEL_PROTOCOL
• Docker-based integration test against a real OTEL Collector with file exporter
• 30 new unit tests across config, filter, converter, and store packages

Configuration

audit:
  otel:
    enabled: true
    endpoint: "localhost:4317"
    protocol: "grpc"
    tls:
      enabled: true
      cert_file: "/path/to/cert.pem"
      key_file: "/path/to/key.pem"
    headers:
      Authorization: "Bearer token"
    signals:
      logs: true
    batch:
      max_size: 512
      timeout: "5s"
    filter:
      include_categories: ["file", "process"]
      min_risk_level: "medium"
    resource:
      service_name: "agentsh"
      labels:
        env: "production"

Other

• Add macOS and Windows platform limitation notes to README
• Add OpenTelemetry event export design plan
• Fix: events without a risk_level now pass through min_risk_level filter instead of being silently dropped

What's Changed

Deferred FUSE Mounting

• Extract mountFUSEForSession helper to eliminate ~90% code duplication between immediate and deferred FUSE mount paths
• Add Recheck() to FilesystemInterceptor interface for runtime FUSE availability re-probing
• Replace hardcoded E2B-specific /dev/fuse enable logic with configurable deferred_marker_file and deferred_enable_command
• Add 9 test cases for ensureFUSEMount with mock platform injection
• Add config parsing tests for new deferred fields
• Document deferred FUSE mounting in SECURITY.md

Configuration

sandbox:
  fuse:
    enabled: true
    deferred: true
    deferred_marker_file: "/tmp/.agentsh-fuse-enabled"
    deferred_enable_command: ["sudo", "/bin/chmod", "666", "/dev/fuse"]

Other

• Add seccomp file monitor design plan

Changelog

• 04b7b66 fix: Landlock addPathRule strips dir-only rights for file inodes

Changelog

• a89a868 fix: allow network in Landlock wrapper, add read access to write paths

Changelog

• 9ff91e6 fix: Landlock writeAccess missing TRUNCATE and read permissions

What's New

Landlock Filesystem Enforcement

Added kernel-enforced filesystem access control via Linux Landlock LSM to agentsh-unixwrap. Landlock restricts filesystem access at the kernel level, even for root processes (requires kernel 5.13+).

How it works:

• agentsh-unixwrap applies Landlock restrictions before exec'ing child commands
• The agentsh server detects Landlock ABI and derives path rules from the policy
• Workspace gets full read/write/execute access
• System paths get read-only access (derived from file rules)
• Sensitive paths (/etc/shadow, /etc/sudoers) are explicitly denied
• Graceful degradation if Landlock is unavailable

Changes

• agentsh-unixwrap: Apply Landlock ruleset before exec'ing child process
• core.go, wrap.go: Detect Landlock ABI and pass config to wrapper via AGENTSH_SECCOMP_CONFIG
• engine.go: Add Policy() accessor for Landlock path derivation

Full Changelog

• f5d1a84 feat: add Landlock filesystem enforcement to agentsh-unixwrap

Full Changelog: v0.9.4...v0.9.5