fix(deps): bump quinn-proto to 0.11.15 (RUSTSEC-2026-0185)#409
Merged
Conversation
Publishes pre-built, cosign-signed, multi-arch container images to PUBLIC ghcr.io/azure/kars-* and attaches the @kars/cli tarball to a public GitHub Release, so customers can run kars without cloning AGT or compiling. This is the interim GHCR path from docs/PUBLISHING.md; npmjs `@kars`, crates.io and MCR remain reserved for the ESRP-signed release. Includes a release-build correctness guard that fails if the sandbox image would fall back to the unpatched public AGT SDK instead of the vendored patched tarball. Working branch only — not wired until the published-binaries quick-setup is verified end-to-end. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
The controller launches openclaw-sandbox (built FROM kars-sandbox-base + router + the OpenClaw plugin), which is also where the patched AGT SDK is baked in — not sandbox-base. Add a dedicated build-sandbox job that builds openclaw-sandbox after the base/router are pushed, with the patched-AGT correctness guard moved to the correct layer. Now the published set is a complete runnable OpenClaw graph: controller + inference-router + sandbox-base + openclaw-sandbox (+ a2a-gateway, conformance-runner). Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Adds a build-agt-wheels job (clones the pinned AGT, builds the upstream governance wheels) feeding a build-runtimes matrix that publishes the six runtime adapter images: langgraph, hermes, maf-python, anthropic, openai-agents, pydantic-ai. Each bundles the upstream AGT wheels plus kars-agt-mesh (kars's spec-compliant Python MeshClient, COPYed hermetically from the in-repo runtimes/agt-mesh-python source). cosign + SBOM + public. Full published set: controller, inference-router, a2a-gateway, conformance-runner, sandbox-base, openclaw-sandbox + 6 runtimes + CLI tarball. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Every published artefact is now attested with actions/attest-build-provenance (GitHub-signed, verifiable via `gh attestation verify`): - all 13 container images (by digest, attestation pushed to the registry) - the Rust binaries (amd64 + arm64) - the @kars/cli tarball This is on top of the existing cosign keyless signatures + SBOMs (buildkit in-registry SBOM attestation + standalone SPDX-JSON on the Release) and buildkit inline SLSA provenance. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Two fixes surfaced by the first interim-release run: 1. build-binaries: the arm64 cross build of aws-lc-sys (BoringSSL C) failed with "sys/types.h: No such file or directory" because --no-install-recommends dropped the cross libc headers. Install libc6-dev-arm64-cross + linux-libc-dev-arm64-cross explicitly. 2. Five runtime adapters (langgraph, maf-python, anthropic, openai-agents, pydantic-ai) pinned a2a_agentmesh>=3.3.0,<4 and an UNUSED agent_sandbox dep, incompatible with the AGT 4.0.0 pin — pip fell back to PyPI and failed on a transitive agent-sandbox<4. Drop the unused agent_sandbox dep and bump a2a_agentmesh to <5. The a2a_agentmesh import is already behind a graceful try/except fallback. Verified locally: each adapter installs + imports cleanly against the 4.0.0 wheels. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
The maf-python image failed to build: pip's resolver hit ResolutionTooDeep (986s, 200k rounds) on the `agent-framework` meta-package, whose transitive graph is too complex to solve. Depend on the split sub-packages instead — agent-framework-core (`tool`, Executor, …) + agent-framework-openai (`OpenAIChatClient`) — which resolve in seconds. Also modernise the adapter to MAF 1.x: `ai_function` was removed; swap the mesh-tool decorators to `@tool` (same name/description kwargs). Verified locally: adapter installs in ~12s and build_mesh_tools() yields mesh_inbox + mesh_send. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
The openclaw-sandbox Dockerfile hard-COPYs mesh-plugin/dist/ (it ships @kars/mesh as a file: dep with the prepare script stripped), so dist/ must exist in the build context. The build-sandbox job was missing the build step → "/mesh-plugin/dist: not found". Add npm ci + npm run build for mesh-plugin before the buildx build, mirroring what the CLI's stage-mesh-plugin helper does locally. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Add a build-mesh job that builds the AGT relay + registry from the pinned
AGT checkout (agent-mesh/docker/Dockerfile, COMPONENT=relay|registry) and
publishes them as ghcr.io/azure/kars-agentmesh-{relay,registry}, signed +
SBOM'd + attested. This completes the published set so `kars dev --release`
can pull everything (sandbox + runtimes + relay + registry) with no AGT
clone and no local build.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Adds a no-compile, no-AGT-clone path: `kars dev --release v0.1.0-interim.N` pulls the published images from ghcr.io/azure/* at the given tag instead of building anything locally: - openclaw-sandbox → the agent image (skips the local sandbox build) - kars-agentmesh-relay / -registry → pulled + tagged :dev for the run path It forces --build off, skips the AGT auto-clone + wheel build entirely, and errors clearly if combined with --build or --target local-k8s (docker only for now). Typecheck + lint clean; 798 CLI tests pass. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Lets the exec-brief harness bring the sandbox up from published images via `kars dev --release <ver>` (no local build, no AGT clone) by setting KARS_RELEASE=v0.1.0-interim.N. Verifies the released quick-setup path. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Add a foolproof "fastest path" to README + getting-started: install the CLI from a published release tarball and `kars dev --release <tag>` to launch from pre-built, cosign-signed images — no Rust, no AGT checkout, no local image build. The from-source path is preserved for contributors. Clarifies the AGT-mesh clone is source-builds-only (--release pulls relay/registry). NOTE: describes v0.1.0-interim.6 (first release carrying the --release CLI). Pending end-to-end verification of the released quick-setup before merge. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
cli/src/commands/dev.ts gains a capability (--release pulls published images), which the security-audit-required CI gate flags. Add the audit: threat model (image tamper, isolation parity, supply chain, AGT-clone skip), scope, and test posture. Force-added (docs/internal/ is gitignored). Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
The mesh-source and channels prompts fired unconditionally, crashing `kars dev` (ExitPromptError) in non-interactive contexts — scripts, CI, and the e2e harness — before the sandbox even came up. Guard both with process.stdin.isTTY: non-interactive runs default to local mesh + no channels. Interactive terminals are unchanged. This makes `kars dev` (incl. --release) scriptable end-to-end. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…Macs) The amd64-only openclaw-sandbox crashes under Rosetta on Apple Silicon (rosetta error: rt_tgsigqueueinfo failed) — verified via the e2e harness on an arm64 Mac. The vendored sandbox wheels (vendor/sandbox-wheels/) already ship aarch64 manylinux variants, so the arm64 image installs pre-built wheels (no source compile). Build sandbox-base + openclaw-sandbox for linux/amd64,linux/arm64 so they run natively on Macs. QEMU + larger timeouts for the arm64 leg. Also corrects README + getting-started: the no-compile --release path is amd64/Linux today; Apple Silicon uses the from-source build until the arm64 images land (this release). Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
QEMU multi-arch for sandbox-base + openclaw-sandbox was far too slow (>40 min for sandbox-base alone). Build each arch on its native GitHub-hosted runner instead (amd64 → ubuntu-22.04, arm64 → ubuntu-24.04-arm, free for public repos), push per-arch tags, then merge into multi-arch manifests with imagetools + sign/attest/SBOM on the merged manifest. The fast Rust images stay multi-arch via QEMU (trivial binary COPYs). This gives a native arm64 openclaw-sandbox so kars dev --release runs on Apple Silicon without the Rosetta rt_tgsigqueueinfo crash. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
openclaw-sandbox is now published multi-arch (amd64 + arm64), but --release hardcoded `--platform linux/amd64`, so Apple Silicon pulled the amd64 variant and crashed under Rosetta (rt_tgsigqueueinfo). Pull dockerPlatform (the host arch) instead — arm64 Macs now get the native arm64 image and run it without emulation. Verified: container Up (healthy), gateway HTTP 200 on an M-series Mac. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…mage
The published openclaw-sandbox shipped the UNPATCHED npm SDK (3.7.0, no
proof-of-possession), so the agent's mesh client sent bare connect frames.
The relay rejected them ("missing did/public_key/timestamp/signature") and
the sandbox entered a reconnect flood — sub-agent collaboration never came up.
Root cause: the Dockerfile's `COPY .agt-sdk/` resolves against the build
CONTEXT root (the repo root — `context: .`), but the release workflow staged
the patched SDK tarball into `sandbox-images/openclaw/.agt-sdk/`. The COPY
never saw it, so the Dockerfile silently fell back to the public npm SDK.
The CLI from-source build always staged into `<repo-root>/.agt-sdk/`
(cli/src/commands/dev.ts), which is why dev mode worked but `--release` didn't.
Fixes:
- release-public-interim.yml: stage the tarball into <repo-root>/.agt-sdk/
(matching the Dockerfile COPY context) and pass MESH_PROVIDER=agt.
- openclaw/Dockerfile: when AGT_SDK_TARBALL is set but the file is absent,
FAIL the build loudly instead of silently installing the unpatched npm SDK.
This makes the staging-path class of bug impossible to ship again.
- e2e-harness/platforms/docker.sh: `kars dev --name X` creates container
`kars-X`; use the prefixed name for docker exec/logs/ps.
Verified locally: rebuilt openclaw-sandbox with the corrected staging →
image now bundles @microsoft/agent-governance-sdk@4.0.0 with POP signing
(proof_timestamp present in registry-client.js + x3dh.js).
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
The exec-brief `check_relay_pairs` resolved sibling DIDs via `kubectl get
pods` / `kubectl logs`, which returns nothing in docker mode (no K8s
pods/namespaces). The check therefore always fell to the "0/3 sub-agents
had router chat activity" fallback and FAILED on docker even when the mesh
worked perfectly.
The harness already collects each agent's gateway log into OUT_DIR on every
platform (`<sub>-gateway.log`). Those logs authoritatively record outbound
sibling sends:
AGT sub-agent mesh_transfer_file: to=writer file=/sandbox/...
AGT relay: sent to viz (did:mesh:...) via E2E encrypted relay
Parse those instead — the log's owner is the sender, the parsed peer the
target — so the check is correct on docker, kind, and AKS alike. The legacy
kubectl/registry heuristic is kept as a fallback when no gateway logs were
collected.
Verified: exec-brief now PASSES 3/3 sibling pairs (analyst↔viz, analyst↔
writer, viz↔writer) and 9/9 overall on docker with the patched POP-aware SDK.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
The operator's `securityStates` and `egressByAgent` maps were keyed by the
bare sandbox `name`. Agent names are NOT unique across runtimes/clusters —
the same name (e.g. "analyst") can exist at once as a docker container, a
kind pod, and an AKS pod. With overlapping agents present, a stale/empty
same-named entry overwrote the live one, so the operator showed no DID and
no audit entries for the shadowed agent (observed: the docker "analyst",
whose router actually reported did:agentmesh:analyst + 157 audit entries,
rendered blank while viz/writer — with fewer duplicates — rendered fine).
Add `sandboxKey(sb)` = `${kubeContext ?? runtime}::${namespace}::${name}`
and use it at every set/get site in operator.ts and the security/topology
render paths. Same-named agents across docker/kind/aks now get distinct
keys, so each renders its own DID, trust scores, and audit log.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
The sandbox images are now multi-arch (amd64 + arm64, built on native arm64 runners) and `kars dev --release` pulls the host-arch variant automatically. Remove the obsolete "linux/amd64 only / crashes under Rosetta" caveat and the "build from source on Apple Silicon" workaround; bump the quick-start tag to v0.1.0-interim.9 (the first release with the patched POP-aware mesh SDK). Verified end-to-end on an M-series Mac: the full multi-agent exec-brief scenario passes 9/9 via `--release v0.1.0-interim.9`. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Extends the published-images path to `--target local-k8s` (kind) and makes the AGT relay/registry multi-arch so they run on arm64 kind nodes. Workflow: - build-mesh now builds agentmesh-relay/registry on NATIVE per-arch runners (amd64→ubuntu-22.04, arm64→ubuntu-24.04-arm), pushing :VERSION-<arch>. - new merge-mesh job fuses them into multi-arch manifests + attest + SBOM + cosign + make-public (mirrors merge-sandbox). release job needs it. Previously amd64-only → "exec format error" on an Apple Silicon kind node. CLI: - `kars dev --release <tag> --target local-k8s` now works: runLocalK8s pulls the published controller/router/sandbox + relay/registry, tags them as the local dev aliases the existing kind-load + chart plumbing expects, and skips every from-source build. local-k8s still needs the repo (Helm chart + agentmesh manifest); only image *building* is skipped. - deployAgentMesh pulls published relay/registry in release mode instead of building from an AGT checkout. Harness: - platforms/local-k8s.sh honors KARS_RELEASE=<tag> to drive the released path on kind (mirrors platforms/docker.sh). Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
A new RustSec advisory (RUSTSEC-2026-0185) was published for quinn-proto: remote memory exhaustion via unbounded out-of-order stream reassembly. It surfaced on main right after #408 merged (cargo-audit fetches the live advisory DB, so it passed on the PR run hours earlier). Transitive-only; the fix is a semver-compatible patch bump to 0.11.15. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Dependency ReviewThe following issues were found:
License Issuesruntimes/anthropic/pyproject.toml
runtimes/langgraph/pyproject.toml
runtimes/maf-python/pyproject.toml
runtimes/openai-agents/pyproject.toml
runtimes/pydantic-ai/pyproject.toml
OpenSSF ScorecardScorecard details
Scanned Files
|
| MeshHealth, | ||
| } from "./operator/types.js"; | ||
| import { timeSince, kctl, platformTag, clusterOriginTag } from "./operator/helpers.js"; | ||
| import { timeSince, kctl, platformTag, clusterOriginTag, sandboxKey } from "./operator/helpers.js"; |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
New RustSec advisory RUSTSEC-2026-0185 (quinn-proto remote memory exhaustion) was published after #408 merged, turning main's Rust Dependency Audit red. Transitive-only; semver-compatible patch bump 0.11.14→0.11.15.
cargo auditclean +cargo check --workspacepasses locally.