Skip to main content

AgentNode Changelog

Release notes for the AgentNode SDK — the package manager and secure runtime for AI agent skills. The current release is v0.19.0 (July 6, 2026). Upgrade with pip install --upgrade agentnode-sdk.

Last updated: · Full engineering changelog: CHANGELOG.md on GitHub

0.19.0 Full setup wizard coverage

PyPIGitHub tag
Latest release

`agentnode setup` now covers the full first-class configuration surface with multiple-choice prompts and clearly marked recommended defaults. Accepting every recommendation reproduces the current default configuration, so upgrading changes nothing until you opt in.

  • ·The setup wizard covers installation behavior, trust level, permissions, guard posture, credentials, sandbox, and `sandbox.host_trust_policy` — each as a multiple-choice prompt with a marked (recommended) default
  • ·New Guard posture step: Balanced, Strict, Permissive, or Customize-each (drills into all nine guard action types)
  • ·Optional Advanced gate for niche first-class settings; deeply nested config (custom LLM endpoints, guard overrides) stays CLI-only by design
  • ·A stored LLM key provider can now be offered as the default provider, and invalid interactive input re-prompts instead of silently taking the recommended option

Wizard-only change; runtime behavior and the default configuration are unchanged.

0.18.0 User-controlled host-trust policy

PyPIGitHub tag

A new `sandbox.host_trust_policy` setting lets you decide which trust tiers may run directly on your host. AgentNode trusting a package's code is not the same as you trusting it with your machine — this setting closes that gap across toolpacks, MCP servers, and agents.

  • ·New `sandbox.host_trust_policy` setting: `default` (curated + trusted may run on the host, today's behavior), `curated_only` (trusted is sandboxed), or `none` (nothing runs directly on the host)
  • ·Honored uniformly by toolpacks, MCP servers, and agents through one shared decision; a tier the policy sandboxes is fail-closed — never a silent host fallback
  • ·Under a stricter policy the installer builds a sealed sandbox volume for trusted/curated packages at install time, and the lockfile records how each package was built
  • ·`agentnode sandbox doctor` is now policy-aware — it explains when a package is sandboxed by the policy and distinguishes a reinstall from a publisher-must-pin

Behavioral change: Not breaking by default — the default policy is exactly today's behavior. Opting into curated_only or none isolates more strongly and can break trusted/curated packages that expect the host filesystem, broad tools, host LLM keys, or network; after tightening the policy, reinstall affected packages and use `agentnode sandbox doctor` to see what each needs.

0.17.0 MCP network isolation

PyPIGitHub tag

Community MCP servers no longer have an open default-network path. A community MCP runs only when it is pinned and preinstalled into a sealed volume — with no network by default, or a sealed egress allowlist when it declares allowed domains — and non-preinstalled runtime-fetch servers are refused.

  • ·MCP servers no longer use an open default network path — networking is default-deny
  • ·Community MCPs must be pinned, preinstalled, and sealed, or they are refused (floating `npx`/`uvx`/`latest`/git/url runtime fetches are rejected)
  • ·Network access is granted only through a declared `mcp_allowed_domains` sealed egress allowlist; otherwise the container runs with no network
  • ·Credentialed MCP launches use default-deny networking plus sealed egress allowlists; cleanup and secret hygiene are enforced across launch, timeout, and failure paths

Behavioral change: Community MCP servers that ship only an mcp_command (floating npx/uvx runtime fetch) are now refused. Pin an exact mcp_install so the server is preinstalled into a sealed volume, and declare mcp_allowed_domains for any runtime egress; without declared domains the server runs with no network. Credentialed and curated/trusted host flows are unchanged.

0.16.0 Registry providers in auth CLI and setup wizard

PyPIGitHub tag

The auth CLI and setup wizard now surface every LLM provider from the registry — OpenAI, Anthropic, OpenRouter, DeepSeek, Mistral, Qwen, Gemini, and keyless local Ollama — with one source of truth and no hardcoded provider lists.

  • ·`agentnode auth status` lists all registry providers with storage backend and effective source; Ollama shows as a local keyless provider
  • ·`agentnode auth test` validates any compatible provider via a free no-completion probe; `auth test ollama` is a reachability check that never starts Ollama
  • ·Setup wizard offers all providers in a grouped menu (Recommended / More / Local); selecting Ollama never asks for an API key
  • ·Custom endpoints configured under `llm.providers.<name>` appear in status and test automatically

0.15.0 Generic OpenAI-compatible LLM providers

PyPIGitHub tag

The LLM runtime can bind any endpoint that speaks the OpenAI-compatible protocol. Built-in presets cover OpenRouter, DeepSeek, Mistral, Qwen, Gemini, and Ollama — the first key-free, cost-free local agent path.

  • ·Custom endpoints are plain config entries (`llm.providers.<name>` with base_url and model) — no code change per provider
  • ·Ollama as an opt-in keyless local provider: no account, no per-token cost, never bound by surprise
  • ·Per-provider credentials via environment variable or stored vault key; environment always wins
  • ·Sandboxed agents inherit every provider automatically — keys stay host-side, the container only sees RPC completions

0.14.0 Setup wizard: guided credentials + sandbox onboarding

PyPIGitHub tag

`agentnode setup` now walks through optional LLM credentials and local-sandbox readiness — store a key in the OS keychain, diagnose Docker/image state, and optionally pull the pinned sandbox image, all in one guided flow.

  • ·Credential screen with hidden input or env import, honest storage label, and an optional free key test
  • ·Sandbox screen shows the doctor's diagnosis and offers the digest-pinned image pull (TTY-only, explicit Yes)
  • ·Optional 'enable sandboxed community agents' prompt — only offered when the sandbox is fully ready, default No
  • ·No keys in output or config files; pull failures never abort setup

0.13.0 Credential vault for LLM providers

PyPIGitHub tag

API keys now live in the OS keychain (Windows Credential Manager, macOS Keychain, Linux Secret Service) instead of plaintext files, and the LLM runtime finally reads stored credentials — including the sandboxed-agent broker, where keys never enter the container.

  • ·`agentnode auth set <provider>` stores keys in the OS keychain, with an honest plaintext-file (0600) fallback when no keychain exists
  • ·`agentnode auth test <provider>` validates the effective key via a free endpoint — no completion call, no cost
  • ·`auth status` shows the effective source per provider, including when an environment variable shadows a stored key
  • ·Keys are never printed, logged, echoed from provider responses, or sent into the sandbox container

0.12.1 agent_sandbox config fix

PyPIGitHub tag

Fixes the config loader silently stripping a hand-written agent_sandbox section, so the documented `agent_sandbox.enabled` config path and the host LLM ceiling now actually take effect.

  • ·`agentnode config set agent_sandbox.enabled true|false` works and stores a real boolean
  • ·The nested `agent_sandbox.llm` host ceiling survives config loading

0.12.0 Sandboxed community agents (flag-gated)

PyPIGitHub tag

Community agents can now run sandbox-or-fail-closed in the pinned container image — never on the host — with a host-side LLM broker, default-deny credential policy, per-run caps, and a sanitized audit record. Default OFF; opt in via AGENTNODE_AGENT_SANDBOX=1.

  • ·Verified/unverified agents run in the sandbox or not at all — no host fallback anywhere on the path
  • ·Host-side LLM broker: provider API keys never enter the container (container env is PYTHONPATH only)
  • ·`llm_access` manifest block is default-deny, with max_calls / max_input_chars / max_output_chars caps and an optional model allowlist; the host ceiling always wins
  • ·Every sandboxed run writes one aggregated, sanitized audit record — never prompts, keys, or raw provider errors

0.11.4 Publish confirm gate

PyPIGitHub tag

`agentnode publish` now asks for confirmation before uploading; non-interactive publishes require an explicit `--yes`.

  • ·Interactive prompt (default No) prevents accidental publishes; `--yes` for CI

Behavioral change: Non-interactive publish without --yes now refuses instead of uploading silently.

0.11.3 Test hygiene + multi-tool run guidance

PyPIGitHub tag

Clearer `agentnode run` errors for multi-tool packs (lists available tools and the slug:tool syntax) and a stale lock-integrity test fix.

  • ·Multi-tool packs without an explicit tool name get an actionable error instead of a generic import failure

0.11.2 CLI run resolution fixes

PyPIGitHub tag

`agentnode run <slug>` auto-selects a single-tool pack's tool, and the `slug:tool` form resolves the real package trust level and lockfile entry.

  • ·Single-tool packs run without naming the tool; multi-tool packs are never guessed
  • ·`slug:tool` no longer downgrades the package to unverified — the sandbox/trust gate keys on the real slug

0.11.1 Bugfix + hardening

PyPIGitHub tag

Installs now target the running Python interpreter (fixes pipx and unactivated-venv setups), and the agent trust gate is locked by a named regression test.

  • ·`installer.resolve_python()` returns sys.executable first — install and run use the same Python
  • ·Agent execution-vector invariant documented and regression-tested

0.11.0 Execution Sandbox (isolated or not at all)

PyPIGitHub tag

The execution plane is now sandboxed: community and unverified code — toolpack builds, toolpack runs, MCP servers — runs inside a hardened, digest-pinned container or not at all. There is no host fallback.

  • ·Hardened container execution: read-only, cap-drop ALL, non-root, network none by default, no host mounts, no secrets
  • ·Digest-pinned runner image, acquired explicitly via `agentnode sandbox pull` — never a tag, never auto-pulled
  • ·`agentnode sandbox` CLI: pull, doctor (diagnose readiness per package), status
  • ·Real network-permission enforcement for toolpack runs: allowlist, unknown = deny

Behavioral change: Behavioral change vs 0.5.x: community code requires a container runtime plus the pinned sandbox image; without them execution is blocked (sandbox_unavailable). Curated/trusted packages run on the host as before.

PyPI jumps 0.5.1 → 0.11.0. The 0.5.2–0.10.1 changes below were tagged in git but not published to PyPI.

0.10.1 AsyncAgentNode registry trust parity

GitHub tag

The async client verifies registry response signatures on trust-critical endpoints, matching the sync clients.

  • ·Signature verification parity across AgentNodeClient, AgentNode, and AsyncAgentNode

Tagged in git; first published to PyPI as part of 0.11.0.

0.10.0 Registry response authenticity

GitHub tag

Trust-critical registry responses are cryptographically verified against pinned Ed25519 keys — a compromised registry or a MitM with a valid TLS cert can no longer serve an attacker's public key.

  • ·Ed25519 signature verification of registry responses (X-AgentNode-Signature header), exact-byte, no canonicalization
  • ·Compile-time pinned trust anchors — no env override, no config file, no network fetch
  • ·Differentiated error codes for stripped headers (downgrade), bad signatures (tampering), and unknown/expired keys

Tagged in git; first published to PyPI as part of 0.11.0.

0.9.0 Online key verification & publisher identity

GitHub tag

Completes the publisher trust chain: install-time revocation checks against the registry, `agentnode lock verify --online`, and integrity-protected publisher identity in the lockfile.

  • ·Install blocks packages whose publisher key the registry reports as revoked
  • ·`lock verify --online` reports active/revoked/unknown/mismatch per signed package, fail-closed
  • ·publisher_slug stored write-once in the lockfile and covered by the integrity hash

Tagged in git; first published to PyPI as part of 0.11.0.

0.8.0 Publisher signatures

GitHub tag

Cryptographic proof of package origin: publishers sign packages with Ed25519 keys at publish time, installs verify before writing the lockfile, and an invalid signature is a hard block with no override.

  • ·Deterministic Ed25519 signatures over the canonical package payload, created automatically by `agentnode publish`
  • ·Install verification against the cached public key; invalid signatures block before any lockfile write
  • ·Missing signatures warn but never block — publisher adoption is gradual, but never silent
  • ·`lock verify` and `inspect` show signature status per package

Tagged in git; first published to PyPI as part of 0.11.0.

0.7.0 Lockfile integrity

GitHub tag

Every security-critical lockfile field is covered by a per-entry SHA-256 hash — post-install tampering is detected before any code executes, warned by default and denied in strict mode.

  • ·`agentnode lock seal` / `lock verify` CLI plus automatic sealing at install time
  • ·Runtime integrity check before policy checks; strict mode denies tampered entries
  • ·Sensitive-change detection flags runtime swaps, entrypoint changes, endpoint redirects, and permission escalation

Tagged in git; first published to PyPI as part of 0.11.0.

0.6.2 Connector/remote runtime hardening

GitHub tag

Credentials for remote/connector tools are domain-bound and HTTPS-only before any request leaves the process.

  • ·HTTPS-only credential enforcement; empty domain binding is a hard deny
  • ·Advisory method/action-type and payload-size checks with safe-metadata audit fields

Tagged in git; first published to PyPI as part of 0.11.0.

0.6.1 Runtime audit parity & input guard escalation

GitHub tag

Unified dispatch-level audit events for all runtimes, and path-traversal/URL-anomaly findings escalate from warning to prompt (interactive) or deny (non-interactive).

  • ·runtime_run and mcp_run audit events with no kwargs or result data
  • ·Input guard fail-closed when no human is present to confirm

Tagged in git; first published to PyPI as part of 0.11.0.

0.6.0 Guard: pre-execution policy gateway

GitHub tag

AgentNode Guard classifies every tool invocation by action type (read, write, delete, execute, credential use, network egress, …) and applies configurable allow/prompt/deny policy — before any code runs.

  • ·9 action types with safe defaults, strict mode for production/CI, and per-tool overrides
  • ·Composite risk scoring; critical risk is always denied, unoverridable
  • ·`agentnode guard` CLI: status, set, unset, check (dry-run), reset
  • ·Rate limiting, MCP argument inspection, install-time risk preview, and full audit integration

Tagged in git; first published to PyPI as part of 0.11.0.

0.5.3 Configurable risk policies

GitHub tag

Computed risk flags (like external_write_capable) get user-configurable reactions: allow, log, prompt, or deny — default stays audit-only.

  • ·`risk_policies` config section evaluated between the permission check and execution

Tagged in git; first published to PyPI as part of 0.11.0.

0.5.2 Usage risk profile

Per-package usage risk scoring, separate from the verification score: static signals (permissions, trust, credentials) plus runtime signals produce a 0–100 score with semantic risk flags.

  • ·`get_risk_profile(slug)` API and Usage Risk section in `agentnode inspect`

Untagged development release; first published to PyPI as part of 0.11.0.

0.5.1 Security visibility & guardrails

PyPI

Visibility hardening: `agentnode inspect`, input guard warnings, plan-level risk warnings, LLM tool-output marking, and an agent auto-install guard — all informational, nothing blocking.

  • ·`agentnode inspect <slug>` — security-focused report for installed packages
  • ·Untrusted tool output is truncated and delimiter-wrapped before reaching the LLM

0.5.0 Intelligence, planner & hardening

PyPIGitHub tag

Multi-step planner with policy-checked piping, a typed capability graph powering gap detection and recommendations, credential/audit/logs CLI, and a broad security hardening pass (trust TTL refresh, atomic writes, file locking).

  • ·`agentnode run "extract from report.pdf then translate to german"` — multi-step execution with full policy and audit per step
  • ·Capability graph with typed edges; doctor and recommend rewritten on top of it
  • ·`agentnode auth`, `agentnode audit`, `agentnode logs`, `--json`/`--explain`/`--dry-run` across the CLI
  • ·Trust TTL refresh, atomic config/lockfile/credential writes, cross-platform file locking

0.4.1 Security & correctness

PyPI

run_tool(mode="auto") now always executes via subprocess isolation regardless of trust level, making the documented isolation guarantee true by default — plus async-client URL and install-tracking fixes.

  • ·Subprocess isolation by default; mode="direct" remains an explicit opt-in
  • ·500 MB download ceiling with per-chunk enforcement

Behavioral change: Tools relying on shared in-process state must pass mode="direct" explicitly.