Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 5 additions & 1 deletion README.md
Original file line number Diff line number Diff line change
@@ -1,4 +1,8 @@
# agent-vm
# BoundaryKit

> **BoundaryKit** (formerly **agent-vm**) is a public reference architecture for governing untrusted autonomous workloads with explicit runtime boundaries, promotion controls, rollback paths, and evidence-backed validation.
>
> The project repository and public site remain hosted at `sambegui/agent-vm` and `agent-vm.sabe.dev`.

**A framework-agnostic sandbox skeleton for governed AI-agent workloads that are treated as untrusted.**

Expand Down
2 changes: 1 addition & 1 deletion docs/architecture/00-overview.md
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@ Most enterprise AI usage still happens through isolated browser tabs or ad hoc a
fragments context, hides execution state, and gives reviewers little evidence about what ran, what
authority was available, or how recovery would work.

`agent-vm` presents a governed runtime architecture for autonomous AI-agent workloads that are
`BoundaryKit` presents a governed runtime architecture for autonomous AI-agent workloads that are
treated as untrusted. Agents can process approved messages, attached documents, external links,
transcripts, API responses, and structured outputs, but the platform does not trust the agent or the
inputs it receives.
Expand Down
2 changes: 1 addition & 1 deletion docs/evidence/governed-agent-workload-case-study.md
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
# Case Study: Treating an Agent as an Untrusted Workload

This case study is an illustrative, vendor-neutral walkthrough for reading the `agent-vm`
This case study is an illustrative, vendor-neutral walkthrough for reading the `BoundaryKit`
architecture. It is not a product claim, customer deployment claim, or proof that a production
workload is ready. Its purpose is to show how the repository's trust boundaries, operational
controls, and evidence model apply when an autonomous AI-agent workload handles untrusted input.
Expand Down
4 changes: 2 additions & 2 deletions platform/tests/docs-public-contract-test
Original file line number Diff line number Diff line change
Expand Up @@ -94,9 +94,9 @@ require_text "$ROOT/site/index.html" 'rel="canonical"'
require_text "$ROOT/site/index.html" 'property="og:title"'
require_text "$ROOT/site/index.html" 'name="twitter:card"'
require_text "$ROOT/site/index.html" 'aria-controls="nav-links"'
require_text "$ROOT/site/docs/architecture/00-overview.html" "<title>00 — Architecture overview · agent-vm specs</title>"
require_text "$ROOT/site/docs/architecture/00-overview.html" "<title>00 — Architecture overview · BoundaryKit specs</title>"
require_text "$ROOT/site/docs/architecture/00-overview.html" '<meta name="description"'
require_text "$ROOT/site/docs/evidence/governed-agent-workload-case-study.html" "<title>Case Study: Treating an Agent as an Untrusted Workload · agent-vm specs</title>"
require_text "$ROOT/site/docs/evidence/governed-agent-workload-case-study.html" "<title>Case Study: Treating an Agent as an Untrusted Workload · BoundaryKit specs</title>"
require_text "$ROOT/docs/operations/operator-quickstart.md" "reference implementation + acceptance suite"
require_text "$ROOT/docs/operations/operator-quickstart.md" "make provision"
require_text "$ROOT/docs/operations/operator-quickstart.md" "AGENT_VM_SSH"
Expand Down
2 changes: 1 addition & 1 deletion site/assets/trust-boundary.svg
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
4 changes: 2 additions & 2 deletions site/build_docs.py
Original file line number Diff line number Diff line change
Expand Up @@ -16,7 +16,7 @@
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta name="description" content="{description}">
<title>{title} · agent-vm specs</title>
<title>{title} · BoundaryKit specs</title>
<style>
:root {{
color-scheme: dark;
Expand Down Expand Up @@ -307,7 +307,7 @@
</main>

<footer>
agent-vm security substrate · open-source verification receipt
BoundaryKit security substrate · open-source verification receipt
</footer>
</div>
</body>
Expand Down
6 changes: 3 additions & 3 deletions site/docs/architecture/00-overview.html
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta name="description" content="Most enterprise AI usage still happens through isolated browser tabs or ad hoc automation. That model fragments context, hides execution state, and gives reviewers little...">
<title>00 — Architecture overview · agent-vm specs</title>
<title>00 — Architecture overview · BoundaryKit specs</title>
<style>
:root {
color-scheme: dark;
Expand Down Expand Up @@ -296,7 +296,7 @@ <h2 id="shifting-from-chatbot-tabs-to-governed-persistent-agent-workloads">Shift
<p>Most enterprise AI usage still happens through isolated browser tabs or ad hoc automation. That model
fragments context, hides execution state, and gives reviewers little evidence about what ran, what
authority was available, or how recovery would work.</p>
<p><code>agent-vm</code> presents a governed runtime architecture for autonomous AI-agent workloads that are
<p><code>BoundaryKit</code> presents a governed runtime architecture for autonomous AI-agent workloads that are
treated as untrusted. Agents can process approved messages, attached documents, external links,
transcripts, API responses, and structured outputs, but the platform does not trust the agent or the
inputs it receives.</p>
Expand Down Expand Up @@ -367,7 +367,7 @@ <h2 id="how-to-read-this-directory">How to read this directory</h2>
</main>

<footer>
agent-vm security substrate · open-source verification receipt
BoundaryKit security substrate · open-source verification receipt
</footer>
</div>
</body>
Expand Down
4 changes: 2 additions & 2 deletions site/docs/architecture/01-isolation-substrate.html
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta name="description" content="The substrate is a golden VM (agent-platform) defined as code on a nested-virtualization host. Agents never run on the host directly; the VM is the first boundary, and inside...">
<title>01 — Isolation substrate · agent-vm specs</title>
<title>01 — Isolation substrate · BoundaryKit specs</title>
<style>
:root {
color-scheme: dark;
Expand Down Expand Up @@ -391,7 +391,7 @@ <h2 id="provisioned-as-code">Provisioned as code</h2>
</main>

<footer>
agent-vm security substrate · open-source verification receipt
BoundaryKit security substrate · open-source verification receipt
</footer>
</div>
</body>
Expand Down
4 changes: 2 additions & 2 deletions site/docs/architecture/02-promotion-control-plane.html
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta name="description" content="The control plane is a host-side set of small, idempotent scripts plus versioned Markdown &quot;truth&quot; files. It deploys agent runtimes over ssh against immutable releases — live...">
<title>02 — Promotion control plane · agent-vm specs</title>
<title>02 — Promotion control plane · BoundaryKit specs</title>
<style>
:root {
color-scheme: dark;
Expand Down Expand Up @@ -382,7 +382,7 @@ <h2 id="library">Library</h2>
</main>

<footer>
agent-vm security substrate · open-source verification receipt
BoundaryKit security substrate · open-source verification receipt
</footer>
</div>
</body>
Expand Down
4 changes: 2 additions & 2 deletions site/docs/architecture/03-gateway-runtime-layout.html
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta name="description" content="A single agent runtime often serves several profiles at once (a primary channel gateway, an HTTP API surface, an MCP/SSE endpoint, …). The failure this layer prevents: many...">
<title>03 — Gateway runtime layout · agent-vm specs</title>
<title>03 — Gateway runtime layout · BoundaryKit specs</title>
<style>
:root {
color-scheme: dark;
Expand Down Expand Up @@ -408,7 +408,7 @@ <h2 id="alignment-proof">Alignment proof</h2>
</main>

<footer>
agent-vm security substrate · open-source verification receipt
BoundaryKit security substrate · open-source verification receipt
</footer>
</div>
</body>
Expand Down
4 changes: 2 additions & 2 deletions site/docs/architecture/04-production-governance.html
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta name="description" content="The substrate makes workloads isolatable; governance decides what a given workload is allowed to be, and gates it from lab to production with controls proportional to its blast...">
<title>04 — Production governance · agent-vm specs</title>
<title>04 — Production governance · BoundaryKit specs</title>
<style>
:root {
color-scheme: dark;
Expand Down Expand Up @@ -491,7 +491,7 @@ <h2 id="production-ready-means-evidence-not-unit-creation">Production-ready mean
</main>

<footer>
agent-vm security substrate · open-source verification receipt
BoundaryKit security substrate · open-source verification receipt
</footer>
</div>
</body>
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta name="description" content="Agent previews are useful because reviewers need to see the actual running surface, not only a screenshot or a local build log. They are risky because an agent runtime or...">
<title>05 — Secure gated agent preview access · agent-vm specs</title>
<title>05 — Secure gated agent preview access · BoundaryKit specs</title>
<style>
:root {
color-scheme: dark;
Expand Down Expand Up @@ -674,7 +674,7 @@ <h2 id="non-goals">Non-goals</h2>
</main>

<footer>
agent-vm security substrate · open-source verification receipt
BoundaryKit security substrate · open-source verification receipt
</footer>
</div>
</body>
Expand Down
8 changes: 4 additions & 4 deletions site/docs/evidence/governed-agent-workload-case-study.html
Original file line number Diff line number Diff line change
Expand Up @@ -3,8 +3,8 @@
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta name="description" content="This case study is an illustrative, vendor-neutral walkthrough for reading the agent-vm architecture. It is not a product claim, customer deployment claim, or proof that a...">
<title>Case Study: Treating an Agent as an Untrusted Workload · agent-vm specs</title>
<meta name="description" content="This case study is an illustrative, vendor-neutral walkthrough for reading the BoundaryKit architecture. It is not a product claim, customer deployment claim, or proof that a...">
<title>Case Study: Treating an Agent as an Untrusted Workload · BoundaryKit specs</title>
<style>
:root {
color-scheme: dark;
Expand Down Expand Up @@ -292,7 +292,7 @@
</header>
<main>
<h1 id="case-study-treating-an-agent-as-an-untrusted-workload">Case Study: Treating an Agent as an Untrusted Workload</h1>
<p>This case study is an illustrative, vendor-neutral walkthrough for reading the <code>agent-vm</code>
<p>This case study is an illustrative, vendor-neutral walkthrough for reading the <code>BoundaryKit</code>
architecture. It is not a product claim, customer deployment claim, or proof that a production
workload is ready. Its purpose is to show how the repository's trust boundaries, operational
controls, and evidence model apply when an autonomous AI-agent workload handles untrusted input.</p>
Expand Down Expand Up @@ -448,7 +448,7 @@ <h2 id="reviewer-takeaway">Reviewer takeaway</h2>
</main>

<footer>
agent-vm security substrate · open-source verification receipt
BoundaryKit security substrate · open-source verification receipt
</footer>
</div>
</body>
Expand Down
4 changes: 2 additions & 2 deletions site/docs/evidence/substrate-validation-receipt.html
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta name="description" content="This receipt summarizes the public, non-secret evidence recorded in platform/state/substrate-validation.md. It is a sanitized public evidence packet, not a live infrastructure log.">
<title>Substrate validation receipt · agent-vm specs</title>
<title>Substrate validation receipt · BoundaryKit specs</title>
<style>
:root {
color-scheme: dark;
Expand Down Expand Up @@ -405,7 +405,7 @@ <h2 id="follow-up-evidence-needed-for-production-readiness">Follow-up evidence n
</main>

<footer>
agent-vm security substrate · open-source verification receipt
BoundaryKit security substrate · open-source verification receipt
</footer>
</div>
</body>
Expand Down
4 changes: 2 additions & 2 deletions site/docs/llms-full.txt
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
# agent-vm full LLM guide
# BoundaryKit full LLM guide

Purpose:
agent-vm documents a public, agent-agnostic reference architecture and validation suite for running AI-agent workloads in governed, isolated runtime layers. It separates public design claims, static checks, host-dependent substrate checks, and production-readiness evidence.
BoundaryKit (formerly agent-vm) is a public reference architecture for governing untrusted autonomous workloads with explicit runtime boundaries, promotion controls, rollback paths, and evidence-backed validation. It documents a public, agent-agnostic reference architecture and validation suite for running AI-agent workloads in governed, isolated runtime layers. It separates public design claims, static checks, host-dependent substrate checks, and production-readiness evidence.

Primary pages:
- / : Public landing page with the trust-boundary map, validated scope, and evidence links.
Expand Down
4 changes: 2 additions & 2 deletions site/docs/llms.txt
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
# agent-vm LLM guide
# BoundaryKit LLM guide

agent-vm is a public reference implementation and validation suite for governing untrusted autonomous AI-agent workloads inside isolated runtime layers. Treat it as a reference architecture and reproducible skeleton, not as a claim that every production operation is turnkey.
BoundaryKit (formerly agent-vm) is a public reference architecture for governing untrusted autonomous workloads with explicit runtime boundaries, promotion controls, rollback paths, and evidence-backed validation. It is a reference implementation and validation suite for governing untrusted autonomous AI-agent workloads inside isolated runtime layers — treat it as a reproducible skeleton, not as a claim that every production operation is turnkey.

Start here:
- Home: /
Expand Down
4 changes: 2 additions & 2 deletions site/docs/security-methodology.html
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta name="description" content="This document describes the security methodology used to design and review the reference architecture. It applies to the walking-skeleton code in platform/ and control-plane/.">
<title>Security methodology · agent-vm specs</title>
<title>Security methodology · BoundaryKit specs</title>
<style>
:root {
color-scheme: dark;
Expand Down Expand Up @@ -423,7 +423,7 @@ <h3 id="post-session">Post-session</h3>
</main>

<footer>
agent-vm security substrate · open-source verification receipt
BoundaryKit security substrate · open-source verification receipt
</footer>
</div>
</body>
Expand Down
4 changes: 2 additions & 2 deletions site/docs/threat-model.html
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta name="description" content="This reference architecture treats AI agents as untrusted, tool-wielding workloads. The platform assumes an agent can be misdirected by untrusted input or compromised through...">
<title>Threat model · agent-vm specs</title>
<title>Threat model · BoundaryKit specs</title>
<style>
:root {
color-scheme: dark;
Expand Down Expand Up @@ -454,7 +454,7 @@ <h2 id="security-invariants">Security invariants</h2>
</main>

<footer>
agent-vm security substrate · open-source verification receipt
BoundaryKit security substrate · open-source verification receipt
</footer>
</div>
</body>
Expand Down
4 changes: 2 additions & 2 deletions site/docs/verification.html
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta name="description" content="This repository separates static validation, host-dependent substrate validation, and production-readiness evidence. Do not collapse those into one claim.">
<title>Verification model · agent-vm specs</title>
<title>Verification model · BoundaryKit specs</title>
<style>
:root {
color-scheme: dark;
Expand Down Expand Up @@ -386,7 +386,7 @@ <h2 id="claim-discipline">Claim discipline</h2>
</main>

<footer>
agent-vm security substrate · open-source verification receipt
BoundaryKit security substrate · open-source verification receipt
</footer>
</div>
</body>
Expand Down
Loading
Loading