docs(internal): announcement blog + 2026 H2 strategic plan + repo cleanup#407
Merged
Conversation
Synthesizes 7 separate strategy docs into one canonical 'where kars
is heading' document. Replaces them as the first-read entry point;
the 7 deep-dives remain authoritative for their topics.
Structure (9 sections):
1. What kars is (definitional)
2. Seven irreducible advantages (the moat)
3. Where we deliberately do not compete (gateway category, workload
primitive, in-house orchestration / no-code / marketplace)
4. Alignment story:
a. Microsoft AGT — what we lean on (AgentMesh, governance vocab,
DID format), what we add on top (pod-shape enforcement,
iptables egress-guard, multi-runtime adapters, KarsSREAction),
explicit per-NIST/OWASP-category coverage table
b. kubernetes-sigs/agent-sandbox — overlay mode + tracked PRs
(#854 trusted-init-containers, #967 Cilium egress, #850 Envoy
ext_proc)
c. agentgateway — composition framing (cluster-edge + per-pod)
d. NIST AI RMF Agentic Profile + OWASP Agentic Top 10
e. K8s baseline (KEP-753 sidecars, Pod Security restricted, NP)
5. Six customer insertion paths (Istio / agentgateway / SIG Sandbox /
greenfield / sovereign-airgapped / individual developer)
6. Roadmap by theme + by tier/quarter (Tier 1 Q3 2026, Tier 2 Q4,
Tier 3 Q1 2027)
7. Guardrails — 8 explicit will-NOT items to prevent feature creep
8. 12 open decision asks awaiting @pallakatos confirmation
9. How to use this document (per role)
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…T surface User pushback (2026-06-15 21:28): the roadmap was item-driven, not outcome-driven; SOTA gaps aren't the only frame; AGT capabilities (esp. its existing emergency termination primitive) were under-credited. Two changes: 1. §4.a AGT alignment expanded with the verified AGT capability surface — privilege rings, saga-orchestration, automatic agent termination, policy enforcement runtime (YAML/OPA Rego/Cedar), SLO-driven circuit breakers, cryptographic runtime evidence, framework adapters. Sources verified 2026-06-15. Per-NIST/OWASP-category table now explicit about which primitives AGT provides (emergency termination, SLO circuit breaker, compliance proofs) vs which are kars-side (egress-guard, K8s SA binding, K8s-CRD surfaces). New rule: 'We do not duplicate AGT primitives; we make them K8s-CRD-shaped.' 2. §6 roadmap rewritten as outcome-driven (32 items grouped by 7 customer outcomes), each item citing evidence stream E1-E5: E1 — Gartner / Forrester / Anthropic enterprise adoption blockers E2 — OWASP Agentic Top 10 / NIST RMF / AAGATE / MCPSHIELD E3 — production enterprise use-case categories E4 — upstream landscape (AGT / agentgateway / SIG) E5 — kars-shipped baseline Critical: original GAP-8 emergency-termination switch reframed as R-501 'KarsKillSwitch invokes AGT termination API' — we don't build a competing primitive. Same pattern for R-504 SLO-quarantine and R-505 compliance proofs. 3. §7 guardrails: #8 strengthened (require E1-E5 evidence). New #9: 'We will NOT duplicate AGT primitives that we can invoke.' Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
… kars vs agentgateway User pushback (2026-06-15 22:05): the §4.c framing was too soft — "complementary, here's how they compose" doesn't articulate the irreducible structural differences clearly enough to survive evaluator-conversation scrutiny. Specifically: "is the kars router redundant if I have agentgateway?" and "agentgateway proposes itself for inter-agent communication too." §4.c rewritten to lead with the hardest evaluator question and answer it with seven irreducible architectural differences: 1. What the agent process holds (zero credentials with kars vs some-credential with gateway-only) 2. Egress confinement at kernel level (UID-based iptables, not NetworkPolicy 5-tuple) 3. Per-pod blast radius (single point of compromise vs per-sandbox) 4. Sub-agent spawn governance (kars is an agent runtime; agentgateway isn't) 5. Confidential-VM compatibility (in-pod sidecar vs cluster-edge) 6. Per-sandbox compiled policy + cosign attestation 7. Multi-runtime governance (runtime-kind-aware policy) Plus an explicit response to "agentgateway does A2A too": its A2A is broker-in-trust-set TLS routing; AGT mesh via kars is Signal Protocol with broker-out-of-trust-set, forward secrecy, KNOCK gate. Structural difference about where encryption terminates — cannot be closed by adding features to agentgateway, same as HTTPS proxy not being PGP. Plus the honest case where agentgateway-alone IS sufficient (single team, no adversarial-agent threat model, no cross-org, no confidential VM, no multi-runtime fleet). We say so. We don't try to convert those customers. Composition story for the scenarios where kars earns its keep: agent → kars router (in-pod, mint creds, per-sandbox policy) → network → agentgateway (cluster-edge LLM traffic mgmt, virtual keys, content routing) → model. Each layer does what only it can. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…nning AI agents on Kubernetes"
Per user direction (2026-06-15 20:46): HTML format under docs/internal,
do not publish (user will publish), "here is a thoughtful take on"
tone since the project name is "Agent Reference Stack for Kubernetes",
author = Pal Lakatos-Toth.
Draws from the now-hardened §1, §2, §4 of 2026-h2-strategic-plan.md
to keep narrative consistent.
Structure:
- Lede: "After many months of building..."; "≥5 agents / ≥2 teams"
trigger up front so readers self-select
- "What kars is" — concise 1 paragraph
- "The thoughtful part" — 4 assumptions kars is built on (adversarial
agent code; uniform call-type governance; E2E inter-agent secrecy;
multi-runtime is the steady state)
- "Where I think the industry is converging — and where I deliberately
deviate" — three opinions:
* Per-pod sidecar pattern (KEP-753 + ambient mode argument)
* AgentMesh vs A2A (broker-trust-set distinction)
* Router as trust boundary, not "another gateway" (the agentgateway
composition + the 3 structural differences condensed for public
consumption)
- "Aligned with the broader ecosystem" — table covering AGT, SIG,
agentgateway, OWASP/NIST, K8s baseline
- "What's next" — 7 customer outcomes from the strategic plan roadmap
- "Come build with us" — contribution invitation, ranked by what we'd
most enjoy reviewing; explicit "what we will not accept" line
Self-contained HTML with minimal inline styles so it renders well on
Medium / Microsoft Tech Community / Substack / personal blogs without
further work. ~18.9 KB, ~2200 words rendered.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…audience tracks User feedback (2026-06-15 22:26): previous version read like a maintainer memento, not an announcement. Missed: - a diagram (architecture not visualised at all) - multi-audience comprehension (CIO, CISO, AI/Agentic AI lead, security engineer all need to land on different reasons in different sections) - the 7 customer outcomes pulled to the top (they were buried) New structure (top-down): 1. Hero + TL;DR (CIO summary: what, why now, position, composes-with, honest scope, repo) 2. **Architecture diagram (inline SVG, ~820x520)** — two sandbox pods each showing init egress-guard / agent container (zero credentials, UID 1000) / inference router sidecar (UID 1001), the E2E encrypted mesh between them with the relay shown as broker-out-of-trust-set, AGT cross-cutting governance plane, agentgateway at edge, external model deployment + MCP/tools + developer ingress. Color-coded legend (kars green/blue / AGT purple / upstream gray / external white). Renders as inline SVG — no external image asset, works on Medium / Tech Community / Substack / personal blog without further work. 3. **Seven outcomes** — pulled to the top, each in a styled card with strong claim + business framing. These are the new lede of the post. 4. "Five things the industry has gotten wrong" — the opinions are here, but framed as positioning not reminiscing 5. **Audience tracks** — four bordered, colour-coded callout blocks: CIO (business case, 90 seconds) CISO (security model in one page, 6 bullets) AI/Agentic AI lead (sub-agent gov / autonomy tiers / AgentMesh not just A2A / memory gov / multi-framework / SOTA-aware roadmap) Platform/security engineer (the shape on the cluster, deployment- level concretes) 6. Ecosystem alignment table (AGT / SIG / agentgateway / A2A / OWASP+NIST / K8s baseline — what they do, how kars uses them) 7. Honest scope statement (when kars is NOT the right choice — single agent/team, pure edge-only, single-framework, no K8s substrate) 8. Available today vs roadmap (concrete what-ships-now vs next-2Q, each roadmap item tagged with the outcome it moves) 9. Contribution invitation + explicit "we will not accept" list (4 moat-preserving constraints) 10. Closing CTA with green lede styling Self-contained HTML5; inline SVG (no external assets); cited works list at bottom for citation discipline. ~3700 words rendered, ~35 KB. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…e sections + fact-check corrections
Replaces the previous SVG diagram with a clean, professional infographic
using Microsoft FluentUI palette, Segoe UI typography, drop shadows, and
proper visual hierarchy. Also preserves the Excalidraw source file in
docs/internal/assets/ for reuse.
Diagram changes:
- 3 sandbox cards: researcher (blue), writer (blue), kars-sre (purple
with wrench icon to mark it as the cluster's own SRE agent)
- Each card now shows the correct security model:
* agent box: "+ Signal session" (since the Signal endpoint IS in the
agent process, not the router)
* router box: "+ Entra Agent ID, + policy & budget, + audit chain"
plus "WS-bridges ciphertext" footnote
- E2E encrypted arc now originates from AGENT boxes (not routers) to
reflect that Signal session is agent-owned. Routers only WS-bridge
opaque ciphertext.
- "Entra Agent ID" replaces incorrect "Workload Identity" labels
(kars uses per-sandbox microsoft.graph.agentIdentity in the
--mesh-trust=entra mode)
- kars-sre card explicitly shows: READ cluster-wide (kars CRs +
apiextensions + workloads), WRITE gated by one-shot approval,
"no sub-agents · not on the mesh · gated by ToolPolicy"
- Pod Sandboxing banner: subtle pill stating opt-in via
spec.isolation: confidential → Kata + AMD SEV-SNP
- AGT foundation bar at the bottom: full-width with "consumed, never
re-implemented" badge on the right
Blog content corrections (from research-agent fact-check):
- Fix: `agentmesh = "3.1.0"` → `agentmesh = "4.0.0"` (workspace dep,
currently pinned to kars-sdk-pop-signing branch SHA 3322175d)
- Fix: "CycloneDX SBOM" → "SPDX-JSON SBOM" (Syft default)
- Fix: PSA "restricted" → "baseline" (sandbox namespaces need
enforce: privileged because egress-guard init requires NET_ADMIN;
only the kars-system namespace uses restricted)
- Fix: `claw attest` → `kars attest`
- Fix: kagent migration is `kars migrate from-kagent`; sigs/agent-sandbox
is `kars convert`
- Fix: CI dep-scan runs on dependency-touching PRs, not literally every
PR (cargo-audit + cargo-deny + Trivy paths-filter)
- Soften cross-runtime claim: kind unconditional, AKS requires manual
RBAC provisioning per new sandbox
Blog content additions:
- TL;DR: now mentions Pod Sandboxing as a one-field opt-in
- New "Try it in 5 minutes" inline code block with 3 commands
- New "Spotlight — Pod Sandboxing & confidential agents" section that
shows the spec.isolation: confidential YAML, what the controller
reconciles (runtimeClassName: kata-vm-isolation, sandbox-kata
nodeSelector, Standard_D4as_v6 SEV-SNP nodes, encryption-at-host),
and what you get (per AKS Pod Sandboxing doc)
- New "On Azure Linux" section explaining current AL3 base story and
the planned moves: ACL (Flatcar-derived, GA on AKS v1.34+) for node
OS, AL4 distroless (currently preview) for compiled binary images;
cites the techcommunity announcement blogs for both
- Updated upstream contributions list: PRs #2090, #2659, #2719 merged;
#2772 in review
- Added concrete syscall numbers: 175 allowed / 41 explicit-deny in
kars-strict seccomp profile
Diagram source artifact: docs/internal/assets/kars-architecture.excalidraw
(Excalidraw JSON, opens in https://aka.ms/excalidraw for further edits)
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
… ID nuance User correction: kars production mode uses per-sandbox Microsoft Entra Agent ID (microsoft.graph.agentIdentity via auth-sidecar), not generic Workload Identity. Workload Identity is the anonymous-mode fallback. Updates the three remaining references in the outcomes block and CISO audience block to explicitly mention: - Production: --mesh-trust=entra → per-sandbox Entra Agent ID - Anonymous: shared cluster Workload Identity (fallback) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…ame to "Agent Reference Stack for Azure"
PRODUCT NAME (legal/marketing approved per user):
- All references "for Kubernetes" → "for Azure" (kars remains the short form)
- Header, meta, alt text, ledes all updated
NARRATIVE ANCHOR (new):
- Lede + footer cite Brendan Burns's announcement "From open source to
agentic systems" (May 2026) so kars is framed as the K8s-native
composition of the open agentic stack Brendan describes, running on
the Azure Linux substrate he announces
- Brendan's blog also linked in the ecosystem table
DIAGRAM (redesigned):
- Cluster header now reads "AKS CLUSTER · on Azure Linux today ·
Azure Container Linux + AL 4.0 distroless on the way" — blends the
Azure Linux story naturally into the diagram
- Two sandbox cards now DIFFERENTIATED:
* researcher = ENHANCED isolation pill (green)
* writer = CONFIDENTIAL isolation pill (purple) + annotation
"+ Kata + AMD SEV-SNP, scheduled on Standard_DC4as_v5"
This addresses both "two identical cards waste real estate" and
"isolation enum never defined" critiques
- ⚠ emoji replaced with vector shield-x icons on agent boxes (which
imply isolation, not danger) and shield-check on egress-guard
- kars-sre demoted to small control-plane card on the right with
wrench icon, distinct dark accent strip, READ/WRITE colored labels,
and a separate small "Try:" CLI hint box
- Lock + encryption label cleaned up, Signal session annotation
reflects agent-process ownership; routers labeled with the four
things they actually hold (Entra Agent ID, policy & budget, audit
chain) and "WS-bridges opaque ciphertext" subtitle
- Typography bumped (annotations 11.5px, body 13px, headers 15-16px)
- Color discipline: Microsoft blue for kars/router, purple for
AGT/confidential, orange-amber for egress-guard, single-color shields
- Figcaption tightened from 95 words to ~50
3-AGENT CRITIQUE FIXES (Tier 1, consensus):
- Headline: kept "Agent Reference Stack for Azure" (per legal/marketing
constraint) but tightened lede to single sharp paragraph (was hedged
60-word sentence)
- TL;DR cut from 8 dense bullets to 5 snappy ones
- "Try it" timing fixed: "5 min on local kind, ~15 min on fresh AKS"
(was implausible "5 min" for AKS)
- "openclaw" now explained inline in the install command comment
- isolation enum (standard | enhanced | confidential) defined inline
in the Spotlight YAML
- SKU consistency: Standard_DC4as_v5 (DC-series = AMD SEV-SNP) used
throughout, with note that the codebase katapool also uses D4as_v6
for non-SEV-SNP Kata-only nodes
- "AGT consumed, never re-implemented" repetition reduced from 6+ to
2 (TL;DR mention + ecosystem table); diagram doesn't say it
- "moat" language removed entirely
- Absolute claims softened: "the host kernel is not in the trust set"
with "designed to protect guest memory from the host" qualifier
- CIO block: was wall of text → now 4 bullets + explicit CTA
- CISO block: was bullet list → now threat/answer table (GPT-5.5
suggested format) + CTA
- AI Lead block: still has bullets but YAML moved to Spotlight only,
emphasis on "your existing agents run unchanged" first + CTA
- Engineer block: was paragraph brick → now structured into 4
sub-sections (What lands / Day-2 ops / Substrate / CLI) + CTA
- Each persona block now ends with a "→ do this now" CTA line
- "Why I built this — 5 things" compressed to 3 sharper convictions
(was 5 long paragraphs)
AZURE LINUX BLENDED IN (per user direction "not an extra episode"):
- Standalone "On Azure Linux" H2 section DELETED
- Substrate story now appears in:
* Lede: "on the Azure Linux family"
* Diagram cluster header: "on Azure Linux today · ACL + AL 4.0 on the way"
* Engineer block § "The substrate" sub-section: AL3 today, ACL/AL4
forward path with links to both techcommunity announcements
* Ecosystem alignment table: dedicated Azure Linux row
* Roadmap: "Substrate refresh" theme
* Footer citations: ACL + AL 4.0 + Brendan's keynote post
KEPT EXACTLY (3-agent consensus praised):
- "Try it in 5 minutes" instinct (with corrected timing)
- "Honest scope statement — when kars is NOT for you" section
- "The threat model is closer to running customer-submitted code than
to running a service you wrote" line
- "Change one CRD field" framing for confidential agents
- File-line citation pattern (controller/src/reconciler/mod.rs:87) as
verifiability anchor
CONTRIBUTION SECTION REFRAMED (Gemini + GPT-5.5):
- Now leads with "Where we want help" (invitation-first)
- "Some invariants are non-negotiable" follows (instead of opening with
defensive "what we will not accept" list)
Word count: ~6,400 words rendered. Single coherent narrative top-to-bottom.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…dmap from strategic plan DIAGRAM POLISH: - kars-sre card unified: the previously separate "Try:" CLI-hint box is now folded INTO the kars-sre card as a soft-purple code block. Result: three equal-height cards (researcher, writer, kars-sre) at 285px each; no more visual gap on the right side. - The CLI hint sits in a light-purple inset box matching the kars-sre control-plane accent. ROADMAP REWRITE (from docs/internal/2026-h2-strategic-plan.md §6.b): - Replaced the previous 8-bullet "implementation themes" roadmap with the outcome-driven roadmap from the strategic plan, structured around 7 customer outcomes (① through ⑦): ① 30-minute adoption + operators trust the result ② Per-agent autonomy oversight (Gartner-flagged uniform-governance fix) ③ Multi-team agents with provable cost + governance separation ④ Cross-runtime, cross-org agent collaboration ⑤ Behavioural observability + automated remediation ⑥ Developers spin up purposeful agents without becoming kars experts ⑦ Defensible long-term bet (v1 + CNCF + community) - Each outcome shows 3-6 highlight items with concrete CRD names (KarsKillSwitch, KarsRecipe, KarsTask, KarsArtifact, KarsProject, SandboxClaim, SandboxTemplate, etc.) and what they unblock. - Added "Tier sequencing" subsection: Tier 1 Q3 2026 (6-8 wks), Tier 2 Q4 2026 (8-10 wks), Tier 3 Q1 2027 — with the actual items scheduled per tier. - Total effort estimate: ~80-100 engineer-weeks across Tier 1-3. - Links back to the strategic plan as the source of truth for full per-item effort/evidence/AGT-vs-kars-split. This roadmap version is dramatically stronger than the previous one: - Frames every item in customer-outcome language (CIO/CISO-readable) rather than implementation theme (engineer-only) - Cites the underlying evidence base (Gartner / Forrester / Anthropic / NIST AI RMF Agentic Profile / OWASP Agentic Top 10 / AAGATE) - Shows the actual sequencing so readers can see "where in time" each capability lands rather than an unsorted wishlist - Demonstrates kars-AGT split per item (where we lean on AGT primitives vs where kars provides the K8s-native surface) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Per user feedback: previous 7-outcome × 3-6-items-each roadmap was too long for a launch post. Replace with 5 planned themes, each framed as "Planned: <theme>" — these are the items the strategic plan identifies as highest-impact in 2026-H2: 1. Planned: per-agent Autonomy Tiers (1..5) with default policy bundles — closes the Gartner-flagged uniform-governance failure mode (R-201) 2. Planned: multi-cloud LLM providers in the router + native guardrails — Anthropic, Bedrock, Vertex, Ollama, vLLM + Bedrock Guardrails / Model Armor / OpenAI Moderation (R-301, R-302) 3. Planned: per-team virtual keys + unified action-cost ledger spanning model + tool + MCP + mesh + spawn, with Grafana dashboard (R-303, R-304, R-305) 4. Planned: KarsKillSwitch + behavioural drift + SLO→AGT-quarantine — operator-grade fleet observability and one-CRD emergency pause (R-501, R-502, R-504) 5. Planned: developer experience layer — KarsRecipe + KarsTask + browser conversation ingress + Web UI (R-601, R-602, R-603, R-604) Closing paragraph keeps the tier sequencing in one line (Tier 1 Q3 2026 / Tier 2 Q4 2026 / Tier 3 Q1 2027) + total ~80-100 engineer-weeks + the "Tier 1 alone is what makes kars credible at the enterprise- procurement stage" anchor sentence. Links back to the strategic plan as the source of truth for the full backlog, per-item evidence trail, and AGT-vs-kars split. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
User feedback: arrows looked bad, text went outside boxes, alignment was off.
Fixes:
- Encryption arc: removed the chunky blue triangle arrowheads
(marker-start/marker-end) that pierced INTO the agent boxes.
Replaced with subtle blue dot endpoints (r=3.5) at the agent box
bottoms. The curve is now a clean, professional bidirectional
channel with the lock badge as the visual focal point.
- "+ Kata + AMD SEV-SNP, scheduled on Standard_DC4as_v5" annotation
was hanging in space BELOW the writer card. Moved INSIDE the card
at y=276 (card height is 285), and shortened to
"+ Kata + AMD SEV-SNP nodes (Standard_DC4as_v5)".
- kars-sre CLI hint "$ kars sre install / talk / diagnose" was
clipping ("diagnose" cut). Changed separator from / to · and
reduced monospace font from 12px to 11px. Now fits cleanly
inside the 251px inset box.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…ed spacing
User feedback specifically: (1) END-TO-END ENCRYPTED label overlapped
the curve, (2) egress-guard text still clipped, (3) agent/router
vertical alignment was top-heavy.
All three fixed:
1. Encryption label moved CENTERED BELOW the curve (y=535/554, text-
anchor middle) instead of inline with the lock. The curve now sits
cleanly above with the lock badge at the apex, and the two-line
label sits cleanly below — no visual overlap.
2. Egress-guard text shortened from
"egress-guard init blocks UID 1000 from the network"
to
"egress-guard · iptables default-deny on UID 1000"
— fits inside the 316px banner with no clipping. Same wording on
both sandbox cards.
3. Agent + router box vertical layout rebalanced:
- icon moved up 2px (y=14 instead of 16)
- title moved up to y=56 (was 68)
- subtitle to y=76 (was 90)
- bullets at y=104,124 (agent) / y=100,118,136 (router)
- now visually centered with even margins top + bottom
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…n story User direction: kars-sre doesn't have to be in the diagram; that lets the AgentMesh encryption story sit naturally in the middle. Changes: - DELETE the kars-sre card (and its CLI hint inset) entirely from the SVG. kars-sre is now mentioned only in the figcaption with a link to docs/sre.md. - Re-position the two remaining sandbox cards CENTERED in the cluster boundary: * Card A (researcher): x=100, width=400 (was 65/360) * Card B (writer): x=700, width=400 (was 450/360) * Gap between: 600px → 200px of space for the encryption visual - Re-position the encryption arc to span agent-A bottom (x=206, y=450) to agent-B bottom (x=806, y=450), with lock badge centered at the apex (x=506, y=470). - Encryption label now centered horizontally at x=506 below the curve. - Egress-guard banner widened from 316 to 356 px → "egress-guard · iptables default-deny on UID 1000" now fits cleanly with margin to spare, on both cards. - Internal agent + router boxes widened from 150 to 168 px each (gap reduced from 18 to 20 px), so each card uses its full 400 px well. Result: the AgentMesh-encrypted-between-two-agents story is the visual hero of the bottom half. AGT bar is the foundation. No overlap, no clipping, no hanging text. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…nter AGT text User feedback: 1. Encryption visual should be naturally centered with curve+lock+text aligned to the middle 2. Underneath the cluster grey box needs more padding (text was at the bottom edge) 3. AGT bar should come closer to the cluster 4. AGT bar text should be center-aligned All four fixed: 1. Encryption arc + lock + label now form a vertically-centered cluster between the sandbox cards (bottom y=445) and the cluster bottom edge (y=580). Curve at y=460-490, lock at y=474-490 (centered on the arc apex), text at y=533/552. ~25px bottom padding inside the cluster. 2. Cluster boundary extended from height 450 → 470 so the encryption text has clear bottom padding instead of sitting on the edge. 3. AGT bar moved up to y=590 (10px gap from cluster bottom 580 — was 30+px gap). Tight visual connection between cluster and its governance foundation. 4. AGT bar text changed from left-aligned at x=22 to center-aligned at x=560 (1120/2) with text-anchor="middle". Both title and subtitle row now centered. Matches the visual rhythm of the encryption label above (also centered). viewBox tightened to 670 (was 700) since the layout is now more compact and we removed dead space below the AGT bar. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
… Linux subtitle User feedback rolled in: 1. Connection points moved to BOTTOM-MIDDLE of each sandbox card (x=260 for researcher, x=940 for writer — center of each card's bottom edge) so the curve spans CENTERED between the two cards instead of anchoring to the left-side agent boxes. 2. Curve apex at x=600 (midpoint of 260+940), with the lock badge centered on it. Encryption label centered at x=600 below. 3. Cluster extended to height 490 (was 380) to give proper padding below the encryption label. AGT bar at y=615 close to cluster bottom (y=600). 4. Removed the 'on Azure Linux today · Azure Container Linux + AL 4.0 distroless on the way' subtitle from the AKS CLUSTER tag — the Azure Linux story already lives in the engineer block + the ecosystem table + the roadmap; doesn't need to clutter the diagram. viewBox: 0 0 1200 700. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
… net) Per user feedback: format the agent box state list as bullets so they read as a proper enumerated list rather than two floating phrases. Both researcher and writer cards now show: agent UID 1000 · read-only • no credentials • no public net (Router box keeps the '+ ' prefix because those items describe what the router ADDS — capability list — not state, so semantically different.) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…of 270) Bug introduced in previous edit: outer shadow group for writer card moved to translate(740, 270) but inner content group still at translate(740, 160) — caused writer's interior to render at the top of the diagram, overlapping the external row. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…rtical middle Per user feedback: 'you had previously one version when you connected the boxes in the middle of them not the curved arrow under so the boxes were closer to each other making the space better aligned'. Restored layout: - Sandbox cards moved closer: x=100 (was 60) and x=700 (was 740). Gap between cards: 200px (was 280). - Encryption connection: horizontal line at the cards' vertical middle (y=412), broken in the middle by the lock badge. - Lock badge at (584, 396) — centered between cards horizontally and at the cards' vertical mid-line. - Encryption text centered between the cards, below the lock, on 4 lines: 'END-TO-END' / 'ENCRYPTED' / 'AGT AgentMesh · Signal Protocol' / '(X3DH + Double Ratchet)' — fits within the 200px gap without overlapping cards. Now matches what the user liked: connection IS the middle, boxes are closer, space is balanced. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…note in-cluster mesh User correction: 'outside the trust boundary' is not accurate for all four boxes: - Model providers (Foundry, etc.) are called WITH valid credentials, so they're semi-trusted endpoints (not 'untrusted') - MCP / web / tools ARE untrusted by default — that's correct - AgentMesh relay + registry CAN be deployed local to the kars cluster (in the agentmesh namespace) OR externally; they're broker-out-of- trust-set regardless of location, but they're not necessarily 'external' Reframed as 'DEPENDENCIES · EXTERNAL OR SHARED INFRASTRUCTURE' header, and updated each box to convey its own trust posture in the subtitle: - Model providers: 'Azure AI Foundry · Bedrock · Anthropic · Gemini …' (broadens beyond just Foundry — there will be more, per the roadmap R-301 multi-provider work) - MCP / web / tools: 'untrusted; L7 allowlist + OISD / URLhaus mediation' — explicitly names them as untrusted - AgentMesh relay: 'in-cluster or external · ciphertext only · not in trust set' — acknowledges deployment flexibility + trust property - AgentMesh registry: 'in-cluster or external · prekeys + discovery' Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Per user feedback: 'fonts are too small'. Uniform increase across the diagram (no layout changes, just font sizes): h-title 30 → 34 h-sub 15 → 17 tag-cluster 11.5 → 13 card-title 16 → 18 card-sub 12.5 → 14 iso-pill 11 → 12.5 h-component 15 → 18 body 13 → 15 body-bold 13 → 15 annotation 11.5 → 13 agt-title 15 → 17 agt-body 12.5 → 14 lock-text 14 → 17 lock-sub 12 → 14 Removed unused .sre-* classes (kars-sre card is no longer in the diagram; classes were dead code). Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…(no more clipping) With the recent font-size increase, the long subtitles on the four dependency boxes started clipping at the right edge. Tightened all four subtitles to fit cleanly inside their 240-260px boxes: Azure AI Foundry · Bedrock · Anthropic · Gemini … → Foundry · Bedrock · Anthropic · … MCP servers · web · tools → MCP · web · tools (title also tightened) untrusted; L7 allowlist + OISD / URLhaus mediation → untrusted · mediated by router in-cluster or external · ciphertext only · not in trust set → ciphertext only · not in trust set in-cluster or external · prekeys + discovery → prekeys + discovery The 'in-cluster or external' nuance is now carried by the body text of the blog (the engineer block + ecosystem table both note the deployment flexibility), not crammed into a 260px label. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…ger render + shorter header
User feedback:
1. 'make everything else bigger - the total diagram would look good if
proportionally it would be all aligned'
2. 'DEPENDENCIES · EXTERNAL OR SHARED INFRASTRUCTURE I would just say
external or shared infra - not dependencies'
Changes:
1. .diagram-wrap CSS now breaks out of the 820px body column:
- position: relative + left: 50% + transform: translateX(-50%)
- width: min(95vw, 1200px)
- Diagram now renders at ~1100-1200px wide on desktop instead of
constrained to 820px. Everything scales up proportionally
(since the SVG viewBox is fixed at 1200x800, a wider render =
larger visible everything: fonts, boxes, spacing, encryption
visual, lock badge, AGT bar — all bigger together).
- On mobile, falls back gracefully via min(95vw, …).
- SVG explicit width:100%; height:auto for proper scaling.
- Figcaption text bumped from 0.9rem to 0.95rem + centered.
2. Section header changed from:
'DEPENDENCIES · EXTERNAL OR SHARED INFRASTRUCTURE'
to:
'EXTERNAL OR SHARED INFRA'
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
User feedback:
1. egress-guard text overflows the banner
2. AGT AgentMesh · Signal Protocol touches both sandbox cards
3. ENHANCED / CONFIDENTIAL pills not nicely aligned
4. kars-sre is mentioned in figcaption but not in diagram —
add it creatively below the two sandboxes
All four fixed in one coordinated change:
1. Egress-guard text shortened:
'egress-guard · iptables default-deny on UID 1000'
→ 'egress-guard init · UID 1000 default-deny'
Now fits with margin to spare inside the 356px banner.
2. Cards spread apart for encryption breathing room:
Card A x=100 → 80, Card B x=700 → 720
Gap between cards: 200px → 240px
The 'AGT AgentMesh · Signal Protocol' and '(X3DH + Double Ratchet)'
text lines now have 25+ px clearance from each card edge.
3. ENHANCED + CONFIDENTIAL pills standardised:
ENHANCED was 100px wide at x=285
CONFIDENTIAL was 120px wide at x=265
→ both now 130px wide at x=255 (same position, same width).
Right edge of both pills at x=385 of card; consistent visual rhythm.
4. kars-sre added back as a full-width control-plane bar BELOW the two
sandbox cards (inside the cluster, above the AGT foundation):
- dark accent strip on the left (distinct from blue/purple sandboxes)
- wrench icon + 'kars-sre — the cluster's own operator agent'
- middle column: READ cluster-wide / WRITE one-shot approval
(with colored READ green + WRITE orange tags)
- right column: '$ kars sre install' / '$ kars sre talk · diagnose'
Doesn't disturb the two-sandbox layout above; reads as 'and here's
the special control-plane agent that runs alongside'.
Cluster height extended from 380 → 490 to accommodate the kars-sre bar.
AGT foundation bar pushed from y=600 → y=730.
viewBox height: 700 → 810.
Figcaption updated: kars-sre is now in the diagram itself, so removed
the 'documented separately in docs/sre.md' note.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
User feedback:
1. ENHANCED / CONFIDENTIAL pills still not nicely aligned
2. Horizontal line next to 'AKS CLUSTER' text touches the text
3. '+ Kata + AMD SEV-SNP nodes (Standard_DC4as_v5)' annotation
has too little space above it (sits right on the router box)
4. 'no credentials' / 'no public net' read as casual phrases,
not professional/technical statements
Fixes:
1. Pills narrowed from 130 → 110 px wide at x=275 (was x=255).
Now both pills are right-aligned at x=385 of their card AND
clearly separated from the subtitle text 'kars sandbox · namespace
kars-…' which extends across the card. No more visual collision.
2. AKS CLUSTER separator line moved from x1=160 → x1=200 — gives
the cluster tag text room to breathe before the line begins.
3. Card height bumped from 285 → 305 px to give vertical breathing
room for the SEV-SNP annotation. Annotation y moved from 276 → 290,
so there is now ~25 px between the router box bottom and the
annotation baseline. Cluster height extended 490 → 510. All
downstream y-positions shifted +10:
- encryption line: y=412 → 422
- lock badge: 396 → 406
- encryption text: 455/472/492/508 → 465/482/502/518
- kars-sre bar: 600 → 620
- AGT bar: 730 → 750
viewBox: 810 → 830.
4. Wording sharpened:
'no credentials' → 'zero credentials'
'no public net' → 'kernel-blocked egress'
Both phrasings are how the kars repo's security.md + STRIDE doc
actually describe these properties. Reads as security-engineering
language, not user-facing copy.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Per user feedback: bullets should be 'higher a bit and on the right'.
Repositioned the two security state indicators in the agent box:
- From bottom-left bullets to upper-right tagged check marks
- Now sit at x=88 y=28/46 next to the shield-x icon at top-left
- Shorter wording: 'zero credentials' → '✓ no creds' /
'kernel-blocked egress' → '✓ no net'
(full phrasing didn't fit in the right half of the 168px box)
Re-organised the rest of the agent box to use the freed-up bottom space
for a third, more technical detail line:
Top row: [shield icon] [✓ no creds] [✓ no net]
Middle: agent
Bottom: UID 1000 · read-only
drop-ALL caps · seccomp
Now the box has visible content in both the top-right AND the bottom,
not the top-left-only-then-empty layout.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…he pill User caught: the ENHANCED pill at x=275-385 visually overlaps with the right end of the subtitle text 'kars sandbox · namespace kars-researcher' which extends to approximately x=347. Even though pill (y=22-44) and subtitle (y=46-55) are on different rows, they sit close enough that the overlap reads as a layout collision. Fix: drop the 'kars sandbox' prefix (redundant — the card itself IS the sandbox, the type is implicit from the diagram context): 'kars sandbox · namespace kars-researcher' → 'namespace kars-researcher' 'kars sandbox · namespace kars-writer' → 'namespace kars-writer' New subtitle widths (24 / 21 chars) end at approximately x=226 / x=200, leaving 49-75 px clearance before the pill at x=275. No overlap. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…lel checklist layouts
User feedback: 'the agent and router should be at the same height and
additional info under'.
Both boxes now use the same structure:
- Icon at (14/16, 14) — top-left
- Label ('agent' / 'router') at y=56 — same height
- Three info items at y=82, 102, 122 — checklist with prefix
Agent box (yellow):
✓ UID 1000 · read-only
✓ no credentials
✓ no public net
Router box (blue):
+ Entra Agent ID
+ policy & budget
+ audit chain
Removed:
- The 'UID 1000 · read-only' subtitle from the router box (UID detail
is implicit; the router's three items are what it ADDS, hence the
'+' prefix)
- The duplicate top-right 'no creds / no net' tags from the agent box
(their content is now the first two checklist items)
- The 'drop-ALL caps · seccomp' line from the agent box (mentioned in
the body text + maturity matrix; not needed in the diagram)
Result: visual parity between the two boxes — same label height, same
three info rows, same overall rhythm. The '+' prefix on router /
'✓' prefix on agent signals the semantic difference (router ADDS
capabilities; agent HAS these isolation properties).
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…el layout
Previous commit only updated the writer sandbox. The researcher sandbox
still had the old asymmetric layout (agent label at y=84, router at y=56).
Now both sandboxes use IDENTICAL agent + router structure:
agent box (yellow):
[shield-x icon]
agent
✓ UID 1000 · read-only
✓ no credentials
✓ no public net
router box (blue):
[key icon]
router
+ Entra Agent ID
+ policy & budget
+ audit chain
Both labels at y=56, both have 3 checklist items below at y=82/102/122.
Perfect visual parity between agent and router; perfect parity between
researcher and writer sandboxes.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…ags from researcher agent box Leftover from the previous iteration that bolted ✓ tags onto the upper right while ALSO adding them as a checklist below. The checklist below makes those upper-right tags redundant. Removed: <text x="88" y="28" class="body" ...>✓ no creds</text> <text x="88" y="46" class="body" ...>✓ no net</text> Now the researcher agent box matches the writer agent box and both match the router boxes: [icon] + label + 3 checklist items. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…t from kars at scale User correction: 'Single-framework shop, no multi-runtime requirement. Run your framework on K8s and adopt AGT directly.' is not true. A single-framework deployment at scale still benefits from kars: - per-pod kernel-confined isolation (zero credentials in agent process) - per-sandbox Microsoft Entra Agent ID - hash-chained audit chain via AGT consumed through K8s CRDs - per-agent policy & budget enforcement - E2E encrypted mesh between agents - operator-grade UX (CLI, TUI, GitOps lifecycle) - Pod Sandboxing (Kata + SEV-SNP) as one-field opt-in None of these require multi-runtime support. Adopting AGT directly in your framework gives you policy + audit; it does NOT give you the K8s-native isolation substrate, Entra Agent ID lifecycle, or operator surface that kars provides. Removed the bullet. Honest scope now has three cases: 1. Single agent + no scale + no threat model → serverless 2. Pure cluster-edge LLM gateway → agentgateway 3. No K8s substrate → kars has no target Added a closing note clarifying that multi-runtime is one of seven things kars does well, not the reason kars exists. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…t/migrate claims; reduce Brendan mentions
User feedback:
1. 'sigs/agent-sandbox / kagent / agentgateway — these are not entirely
coming through as alignment. Convert is a migration translator, not
an alignment story. We have to have a better story there.'
2. 'This whole section should be more blog style and opinion style, not
a table, especially until we don't have a strong story.'
3. 'There is a bit too much of Brendan says this or that.'
Changes:
1. Removed the ecosystem table entirely. Replaced with 7 short opinion
paragraphs, one per project / project group. Each paragraph is honest
about what kars actually does today vs what's roadmap and what's just
posture.
2. The sigs/agent-sandbox + kagent + agentgateway paragraph is now
explicit that 'migration translator shipping today' is NOT the
alignment story we want, and names the concrete next move:
contributing the kars-hardened SandboxTemplate upstream so users on
the SIG primitive get the kars trust boundary via a SandboxClaim
(R-306 in the strategic plan). For agentgateway, the section names
the composition pattern: agentgateway at the cluster edge for
multi-LLM traffic management; kars per-pod for trust boundary with
adversarial-code threat model. 'Different layers, different jobs.'
3. Brendan references reduced from 3 places to 1:
- Kept: the lede paragraph (where the announcement anchor genuinely
adds context)
- Removed: 'Brendan announcement frames it precisely…' opening of the
ecosystem section (now opens with kars's own framing)
- Removed: 'aligned with the upstream landscape Brendan described'
closing CTA (now just 'aligned with the upstream landscape')
4. Added explicit 'what kars deliberately doesn't want to do' closing
line per user direction: 're-implement what these other projects
already do well, or pretend that being early in v0.1.0 means we've
earned the right to call anyone else's primitive legacy.'
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…meta-line User feedback: - 'this part I would marginally reduce' - 'sentence like this: I'll be honest: a one-liner labeled migration translator shipping today is not yet the alignment story I want. << just don't.' Changes: - Cut the section from 8 paragraphs to 5 - Removed the apologetic / self-referential 'I'll be honest…' line about the migration translator story. The substantive content (R-306 SandboxTemplate plan, agentgateway composition pattern) is preserved as direct statement instead of confessional framing - Merged the MAF + AAIF + A2A short paragraphs into one (each is now a single sentence with the relevant detail) - Merged the Azure Linux + K8s baseline closing into one paragraph - Removed the closing 'What kars deliberately doesn't want to do…' paragraph entirely — its content was already implied by the section framing - Removed the 'we want kars to be one of the proof points' aspirational line from the AAIF paragraph Result: same substantive positions, less hedging, ~40% less prose. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…up, condense ecosystem + roadmap, AgentMesh-unique to TL;DR
User feedback:
1. 'Who this is for can also be left out or massively condensed'
2. 'Why this design should come after the diagram naturally'
3. 'How kars fits the broader open agentic stack: max 2-3 sentences'
4. 'What's planned: massively reduce too'
5. 'I really like Come build with us — has roadmap blended in'
6. 'Somewhere in TL;DR mention inter-agent-runtime messaging via
AgentMesh is unique'
Changes:
1. TL;DR — added a 4th bullet:
'Unique today: end-to-end encrypted inter-runtime messaging —
agents written in OpenClaw, Hermes, MAF, LangGraph, etc. talk on
the same Signal-Protocol mesh; the broker sees only ciphertext.
No other K8s-native agent runtime ships this.'
2. 'Who this is for' section + four audience cards (CIO / CISO / AI
Lead / Engineer) — REMOVED entirely. The content was already
conveyed by the diagram + outcomes table + Why-this-design.
The Come-build-with-us section + the persona CTAs that lived
inside the audience cards are preserved in 'Come build with us'.
3. 'Why this design' moved up to immediately follow the diagram.
Reads as a natural progression: see the architecture → understand
the three convictions behind it.
4. 'Why this design' point 3 expanded to mention the cross-runtime
uniqueness inline (matches the TL;DR claim).
5. 'How kars fits the broader open agentic stack' — collapsed from
5 paragraphs to a single dense paragraph naming the alignment
(AGT 4 traits + upstream PRs, MAF as runtime, A2A as gateway,
SIG/kagent/agentgateway translators + R-306 next move, Azure Linux
substrate, K8s baseline hard requirement). ~85% reduction.
6. 'What's planned' — collapsed from 5 long bullets + Tier-sequencing
paragraph to 5 short bullets only. ~60% reduction. Tier-sequencing
moved to the strategic plan doc only.
7. 'Come build with us' — kept exactly as-is. User noted this section
works well; the where-we-want-help list there already serves the
audience-CTA purpose.
Net effect: ~30% shorter overall blog. Tighter, more confident prose.
Same substantive claims; less hedging and less corporate-template
structure.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…mesh, clarify relay/registry wording
User feedback:
1. "relay and registry could have clearer text under — saying
'ciphertext only' might make people think it's not encrypted"
2. "the 2 sandboxes — we could somehow show they can be hermes,
openclaw... they can talk to each other via agentmesh"
3. "capability, trustscore and feedback could be also somehow shown,
along with the Entra Agent ID per sandbox"
Changes to Figure 1:
- AgentMesh relay subtitle: "ciphertext only - not in trust set"
-> "forwards encrypted frames - can't read". Removes the misread
that the wire is plaintext; states the relay handles encrypted
frames it cannot decrypt.
- AgentMesh registry subtitle: "prekeys + discovery"
-> "public prekeys - peer discovery". Clarifies the registry only
holds public key material, never message content.
- Sandbox cards now name their runtime: researcher = "OpenClaw
runtime", writer = "Hermes runtime". Makes the heterogeneity
explicit: two different frameworks in the same cluster.
- Encrypted-mesh label gained "OpenClaw <-> Hermes - any pair",
showing the two different runtimes talk to each other over the
same AgentMesh wire.
- Figcaption rewritten: the two sandboxes "running different agent
runtimes ... talk to each other over the AgentMesh -- OpenClaw,
Hermes, MAF, LangGraph and the other adapters all share one
Signal-Protocol wire format."
- Router box now surfaces the per-sandbox AGT governance primitives
alongside identity (4 lines, one concept each):
+ Entra Agent ID
+ capability grant
+ trust score
+ feedback signal
Policy / budget / audit remain represented in the AGT foundation
bar at the bottom, so nothing is lost.
- agent + router labels re-aligned to the same baseline (y=52) now
that the router carries a 4th line.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…gent, not the router
User feedback: the capability / trust / feedback lines were under the
router, but the agent owns the session key and the E2E channel.
Verified against code:
- Encryption / session keys = AGENT. runtimes/openclaw/src/index.ts:908
"This runs AFTER E2E decryption (handled by SDK) - encryption is not
affected." The mesh SDK in the agent process owns the Signal session
(X3DH + Double Ratchet); the router never holds the keys.
- Trust / capability / policy / feedback STORE = ROUTER. The agent
consults it: _routerCall("GET", /agt/trust/<peer>) and POST
/agt/evaluate hit the router's in-process TrustManager / PolicyEngine
(inference-router/src/governance/{mod,trust_ops}.rs).
So the agent owns the *encryption*; the router hosts the authoritative
AGT governance *store* the agent queries on each peer message. The
diagram now reflects exactly that:
- Agent box gains a 4th line "owns session keys" (key glyph, blue) -
makes explicit that the untrusted agent is the sole holder of the
E2E session keys; the router only ever sees ciphertext.
- Router box keeps Entra Agent ID + capability / trust / feedback
(the governance store), which the agent consults.
- Both boxes now have four parallel lines, labels aligned at y=52.
- Figcaption restated: "each agent owns its own session keys; the
relay only forwards opaque ciphertext and cannot decrypt. The
per-pod router holds the Entra Agent ID and the AGT governance the
agent consults on every peer message (trust, capability, policy,
audit)."
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…prose User feedback: "this part of the blog is not so human readable" — the section was a single dense paragraph of provider-trait identifiers and clipped clauses. Rewrote as two flowing paragraphs that keep every verified fact and link but read like a person talking: - Frames kars as a "consumer and composer" of open primitives, not a competitor. - Keeps the four AGT seams (mesh/policy/audit/signing) and the agentmesh = "4.0.0" crate fact, but de-jargons the trait-name soup (dropped MeshProvider/PolicyDecisionProvider/AuditSink/SigningProvider as literal type names; the concepts remain). - Keeps upstream PRs #2090/#2659/#2719, MAF-as-runtime, A2A inbound mTLS-pinned gateway, the sigs/agent-sandbox + kagent + agentgateway translators + R-306 co-evolution, Azure Linux substrate, and the K8s baseline hard-requirement — all intact, just readable. No factual changes; pure readability pass. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
User feedback:
1. "do we really overlap with those? ... since this space is growing
so fast we want to align to those upstream over time but also move
with pace ... long term we definitely want to align upstream"
2. "the strategic plan is an internal doc you can't refer to that —
neither mention R-306 and things like that in an announcement blog"
Changes:
How kars fits — reframed the ecosystem paragraph:
- Drops the "real overlap ... ships translators today" framing, which
(a) overclaimed competition and (b) wrongly lumped agentgateway in
with the translators.
- New tone matches the user's intent: "this space is young and moving
fast ... move at pace now, align upstream over time ... the
long-term goal is genuine convergence on the shared open primitives,
not a parallel stack."
- Translator claims now match the code exactly:
* kars convert -> sigs/agent-sandbox manifest -> KarsSandbox
(cli/src/commands/convert.ts, tested)
* kars migrate from-kagent -> kagent resource -> KarsSandbox
(cli/src/commands/migrate.ts + migrate/from_kagent.ts, tested)
agentgateway is correctly described as COMPLEMENTARY (cluster-edge
gateway vs kars's per-pod sidecar) — kars composes with it, there is
no agentgateway translator.
Removed both links to docs/internal/2026-h2-strategic-plan.md and the
"R-306" roadmap ID — that plan is an internal (gitignored) document and
must not be referenced from a public announcement:
- "How kars fits": dropped the "(tracked as R-306 in the strategic
plan)" clause.
- "What's planned": intro changed from "all detailed ... in the
strategic plan" to "A few things high on the near-term roadmap:".
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
User asked 'what is PSA?' — the acronym appeared unexplained in the K8s-baseline list. Spelled it out inline so a general reader doesn't need prior Kubernetes admission-controller knowledge. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…", add dev-mode welcome User feedback: the "I take credibility seriously" opener doesn't fit an announcement blog; the content (which situations aren't targeted) is good, but note that "pretty much everyone is targeted if they use dev mode to play around with it". Changes to "The honest scope statement": - Replaced the first-person credibility opener with a neutral line: "No tool is right for every situation. Here's an honest list of where kars probably isn't the call:" - Kept the three not-for-you bullets unchanged. - Added a dev-mode welcome paragraph: kars dev brings the whole stack up locally (plain Docker container, or a kind cluster that mirrors the AKS layout per cli/src/commands/dev.ts target modes), so anyone can try sandboxing + mesh + governance on a laptop. Clarifies the not-for-you list is "about where it earns its keep, not about who's allowed to kick the tyres." Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
User feedback: "kars up demo --runtime openclaw will start docker not
kind — we should have proper commands across the whole article."
Audited every command in the blog against cli/src/commands/*. The
Quickstart was wrong on several counts and a few other invocations
drifted from the real flags. Fixes:
Quickstart + TL;DR "Try it":
- `kars up demo --runtime openclaw --model gpt-4o` was invalid:
* there is no `demo` subcommand; `--demo` is a FLAG that *simulates*
an AKS provision read-only and creates nothing (up/demo.ts).
* `kars up` has no `--runtime` and no `--aks` flag; it provisions
Azure/AKS by default (not local kind).
* default model is `gpt-4.1`, not `gpt-4o`.
Rewrote the local path to the real command: `kars dev` (Docker by
default; `--target local-k8s` runs on a kind cluster that mirrors
AKS — cli/src/commands/dev.ts), then `kars connect dev-agent --local`
(connect.ts `--local` = local Docker sandbox; dev default name is
`dev-agent`).
- Added a production note with the real AKS flow: `kars up` →
`kars add <name> --runtime <kind>` (the eight real runtime kinds from
add.ts: openclaw, hermes, openai-agents, microsoft-agent-framework,
langgraph, anthropic, pydantic-ai, byo) → `kars connect <name>`.
- TL;DR "Try it" line now: "kars dev runs a governed agent on your
laptop in minutes (Docker, or kind via --target local-k8s); kars up
provisions the full stack on AKS."
Confidential/Kata:
- `kars add --kata` -> `kars add <name> --isolation confidential`
(`add` exposes `--isolation standard|enhanced|confidential`; there is
no `--kata` flag — add.ts).
Diagram (kars-sre bar):
- `$ kars sre talk · diagnose` -> `$ kars sre talk · approve`. `sre`
has no `diagnose` subcommand (install/uninstall/status/talk/approve/
reject/actions/show — sre.ts). `talk` + `approve` also pairs cleanly
with the WRITE "one-shot approval per action" line.
("kars hardening" and "kars <-> kars mesh" in the prose are descriptive
text, not command invocations — left as-is.)
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…ked-none artifacts
The repo root had accumulated 46 one-off diagram/screenshot iteration
PNGs (audit*.png, blog-*.png, diag-*.png, svg-*.png, excal-*.png) and a
1.9 MB .playwright-mcp/ session directory — all untracked local scratch
from blog/diagram work. Deleted them and added ignore rules so they
don't clutter git status going forward:
- .playwright-mcp/ (Playwright MCP session artifacts)
- /*.png (root-level scratch images only; nested PNGs such
as docs assets are unaffected)
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Dependency Review✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.Scanned FilesNone |
…ishing
The Tech Community blog platform doesn't render the self-contained HTML
(inline SVG + inline CSS), so add a portable Markdown version plus the
architecture diagram as a raster image.
- docs/internal/assets/kars-architecture.png — the inline SVG diagram
rendered to a clean 3600x2493 PNG (headless Chromium, deviceScaleFactor 3).
- docs/internal/announcement-blog.md — GitHub-flavored Markdown converted
from the HTML via pandoc, then post-processed:
* inline SVG <figure> -> 
followed by the figure caption as italic text
* all custom <div> wrappers (header/tldr/quickstart/spotlight/footer)
stripped; inner content preserved
* pill <span>s -> plain "launch · v0.1.0 · open source · MIT · AKS"
tagline
* indented code -> fenced ```bash / ```yaml blocks
* pandoc backslash-escapes (\#2090) cleaned up
Verified: zero leftover raw HTML, all links + the PR references
(#2090/#2659/#2719) intact, GFM table renders, image path resolves
relative to docs/internal/.
The HTML source of record (announcement-blog.html) is kept alongside.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…rm-safe Markdown
The Tech Community editor strips <style> blocks and class CSS and can't
render inline SVG, but it does keep inline style="" attributes and
accepts uploaded images. Add two paste-ready variants:
1. announcement-blog.techcommunity.html — paste into the HTML source view.
- Inline SVG diagram replaced with <img src="assets/kars-architecture.png">
(swap src for the uploaded image URL on the platform).
- ALL CSS inlined onto each element via juice (removeStyleTags), so the
dark TL;DR card, the blue Try-it/quickstart box, the pills, code
chips, dark code blocks, lede bar and footer all render with zero
external stylesheet. Verified rendered with no <style> present.
2. announcement-blog.md — made portable for the platform's limited
Markdown (per the supported-syntax list: no tables, no horizontal
rules):
- "What v0.1.0 ships" table -> bold-label bullet list with the
"why it matters" as italic.
- Pandoc horizontal rules (---) -> "· · ·" text separators.
- Figure caption un-wrapped from outer italic (it contains nested
bold + inline code) to a "**Figure 1** —" bold-label paragraph.
Source-of-record announcement-blog.html is unchanged.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Some blog platforms accept JPG only. Added a high-quality JPG render of the architecture diagram (sips, quality 92, 3600x2493) and switched the image references in the two publish variants (techcommunity.html, .md) to assets/kars-architecture.jpg. Note: the PNG (436 KB) is kept as the lossless source — for a flat-colour diagram with text it actually compresses smaller and crisper than the JPG (960 KB). Use PNG where the platform allows it; JPG is the fallback. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
The diagram looked blurry once uploaded to the blog platform. Two causes: (1) the JPG used default 4:2:0 chroma subsampling, which smears coloured text/edges, and (2) blog platforms re-compress uploads, which compounds it. Fixes: - Re-rendered the SVG at deviceScaleFactor 4 -> 4800x3324 (was 3600x2493), giving resolution headroom so the platform's downscale/recompress stays sharp. - PNG: optimized lossless (516 KB) — sharpest; use where the platform accepts PNG. - JPG: re-encoded with chromaSubsampling 4:4:4 (no subsampling), quality 95, mozjpeg, white-flattened (1.1 MB) — text edges stay crisp. Verified on a 1:1 text crop. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…und) Tech Community hard-caps inline images at 999px wide and serves its own re-encoded derivative (confirmed from the published markup: image-dimensions=999x689, width=999). Uploading the 4800px master forces the platform's resampler to do a 4.8:1 downscale + lossy recompress, which softens the text. Added two pre-sized PNGs so the platform does minimal work: - kars-architecture-1998.png — 2x the cap; platform does a clean 2:1 downscale (sharpest practical inline result). Try this first. - kars-architecture-999.png — exactly the cap; platform does no downscale at all, only its recompress. Master 4800px PNG/JPG retained for the click-to-enlarge full view. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Lands the Job 2 (announcement blog) and Job 3 (consolidated strategic plan) work, plus a small repo-hygiene cleanup, onto
main.All three docs live under
docs/internal/(gitignored by default; force-tracked as internal reference, same convention as the security-audit docs). The actual announcement will be published via the Microsoft Tech Community blog — the HTML here is the internal source of record.Files
docs/internal/announcement-blog.htmldocs/internal/2026-h2-strategic-plan.mddocs/internal/assets/kars-architecture.excalidraw.gitignore.playwright-mcp/session dir and root scratch*.png; 46 stray iteration PNGs + the 1.9 MB session dir removedAccuracy
Every claim and CLI command in the blog was verified against the codebase, including:
kars dev,kars up,kars add --runtime/--isolation,kars connect,kars sre talk/approve)Note
Docs-only +
.gitignore; no code paths touched.Suggest squash-merge — the branch carries ~40 blog-iteration commits.