Get started Install Quickstart CLI reference

Philosophy Non-negotiables (ADR-0001)Depend on AgentsKit (ADR-0002)

Architecture overview @agentskit/os-core Workspace model Event bus (ADR-0005)Principal & RBAC (ADR-0006)Error model (ADR-0007)Distribution tiers (ADR-0014)

Packages @agentskit/os-core @agentskit/os-cli @agentskit/os-flow @agentskit/os-runtime @agentskit/os-runtime-agentskit @agentskit/os-storage @agentskit/os-audit @agentskit/os-plugins @agentskit/os-sandbox @agentskit/os-templates @agentskit/os-import @agentskit/os-marketplace-sdk

planned

@agentskit/os-desktop (planned)@agentskit/os-ui (planned)@agentskit/os-triggers (planned)@agentskit/os-marketplace (planned)@agentskit/os-observability (planned)@agentskit/os-security (planned)@agentskit/os-cloud-sync (planned)@agentskit/os-generative (planned)@agentskit/os-collab (planned)@agentskit/os-mcp-bridge (planned)

Flow overview Multi-agent patterns (RFC-0003)Run modes (ADR-0009)

Audit log signing (ADR-0008)Sandbox levels (ADR-0010)Egress default-deny (ADR-0011)

Roadmap Release readiness Architecture Decision Records Requests for Comments

Security

Egress default-deny (ADR-0011)

Per-workspace egress allowlist; outbound network blocked unless declared.

Outbound network access is denied by default. Each workspace declares an allowlist of domains the runtime may reach.

Why

LLM-driven tools can synthesize URLs at runtime — an allowlist prevents exfiltration to arbitrary destinations.
Multi-tenant deployments can scope egress per tenant.
Air-gapped deployments simply leave the allowlist empty.

Enforcement

The sandbox runtime intercepts socket creation.
Violations raise os.security.egress_denied (see error model).
Every denial is audited.

Source: ADR-0011.

Previous

Sandbox levels (ADR-0010)

Next

Roadmap

On this page

Why Enforcement