DEV Community

Cover image for agentproto 0.5.0 — credentials, sandboxes, and cost accounting that refuses to lie
Agentik
Agentik

Posted on

agentproto 0.5.0 — credentials, sandboxes, and cost accounting that refuses to lie

Released 2026-07-08 · npm i -g @agentproto/cli · source · Apache-2.0

0.4
turned the daemon into a supervision surface. 0.5 makes it one you can hand a
credential to, run somewhere other than your laptop, and actually measure.

37 packages went out, six of them new. Three arcs are worth your time.

Arc 1 — Auth: the secret never touches your env

@agentproto/auth@0.1.0 implements AIP-50 end to end. Three CredentialStore
backends (Keychain, Memory, File), a full RFC 8628 device-code flow engine, and
a CredentialBroker that hands you ready-to-use headers by provider path:

import { CredentialBroker, KeychainStore, getAuthProvider } from "@agentproto/auth"

const broker = new CredentialBroker({
  store: new KeychainStore(),
  getProvider: getAuthProvider,
})
// → { Authorization: "Bearer <token>" }, refreshed silently when stale.
const headers = await broker.resolveHeaders({ path: "guilde" })
Enter fullscreen mode Exit fullscreen mode

The broker refreshes 60s before expiry, scopes by audience, and knows the
difference between tokens it can serve directly (PAT / OAT / daemon) and
assertion-style tokens that need a flow engine first.

The part I like most is the companion: @agentproto/secrets@0.1.0 adds an
mcp-header SecretExposure variant. Brokered headers get forwarded to child
MCP servers at spawn time — the secret never appears in env, never appears in
config, never sits in a file the agent can read. If you've ever handed an agent
a .env and felt something die inside, this is the fix.

agentproto auth login is rewritten onto this engine, and
agentproto auth cred set|list|rm seeds credentials for brokered child-MCP auth.

Arc 2 — Sandboxes: stop running agents against your filesystem

@agentproto/sandbox@0.1.0 defines the AIP-36 SandboxProvider interface — a
backend-agnostic boot/connect/pause/stop lifecycle.
@agentproto/sandbox-e2b@0.1.0 is the first concrete implementation.

import { createSandboxAgentSessionHost } from "@agentproto/sandbox"
import { e2bSandboxProvider } from "@agentproto/sandbox-e2b"

const host = await createSandboxAgentSessionHost({
  provider: e2bSandboxProvider,
  spec: sandboxHandle,
  secrets: { slugs: ["ANTHROPIC_API_KEY"] },
})
// a full DaemonAgentSessionHost — prompt, export, stop, pause all work
await host.stop()  // closes the daemon connection, then tears down the box
Enter fullscreen mode Exit fullscreen mode

The runtime wires it through agent_start.sandbox, so any AgentStep in a
workflow can declare a sandbox with no bespoke plumbing. Paused boxes reconnect
later via provider.connect(sandboxId, …).

Pair it with @agentproto/storage-github@0.1.0 — an AIP-35 WorkspaceSync over
git, with configurable branching (main / per-conversation / per-turn) and
opt-in PR creation. The token goes through GIT_HTTP_EXTRAHEADER, never the
command line, never the repo URL. Its pairsWith: "sandbox" metadata is not
decoration: sandbox + GitHub storage is the combination that lets an agent work
on a real repo without touching your disk.

Arc 3 — Observability, including the honest kind

Eval. runEval runs typed cases through a target, scores with bound scorers,
aggregates a report. Four deterministic scorers ship (exact-match,
regex-match, json-schema-valid, latency-budget). The LLM judge is
vendor-neutral by construction — the package carries no LLM SDK. You inject a
JudgeFn:

import { runEval, llmJudge, bindScorer } from "@agentproto/eval"

const report = await runEval({
  id: "summarise-suite",
  cases: [{ id: "c1", input: longDoc, expected: "concise summary" }],
  scorers: [bindScorer(llmJudge({
    id: "quality",
    judge: myAgentJudge,        // any async fn satisfying JudgeFn
    criteria: "Accurate, concise, no hallucinations?",
    mapOutput: ({ output }) => output,
  }))],
}, { target: async (doc) => summarise(doc) })
Enter fullscreen mode Exit fullscreen mode

Telemetry. @agentproto/telemetry@0.2.0 ships an OTel adapter alongside the
existing sinks. @agentproto/telemetry-langfuse@0.2.0 ingests session turns into
Langfuse as traces, with atomic-drain flush on shutdown and per-case span trees.

Redaction. @agentproto/redaction@0.2.0, zero dependencies, four composable
redactors:

const redact = chainRedactors([denyListRedactor(), valueScanRedactor()])
redact.redact({ Authorization: "Bearer sk-ant-abc…", note: "use sk-live-xyz" })
// → { Authorization: "[redacted]", note: "use [redacted]" }
Enter fullscreen mode Exit fullscreen mode

valueScanRedactor is the useful one — it catches secret shapes regardless of
the key name: PEM blocks, JWTs, sk- keys, AWS access key ids, GitHub and Slack
tokens. The runtime now defaults its telemetry tracer to the secrets redactor,
so turn events are scrubbed before they leave the process.

Cost, honestly. usage_update events now carry tokensIn, tokensOut, and
cost. deriveSessionUsage resolves them into a snapshot with a four-way
source tag:

source meaning
adapter the agent reported a real cost
computed tokens priced against the in-repo LLM catalog
no-pricing tokens exist, model isn't in the catalog — no price invented
none nothing measured

That no-pricing state is deliberate. A dashboard that shows a confident wrong
number is worse than one that admits it doesn't know. (More on why per-token
pricing misleads you: cheaper per token is not cheaper per outcome.)

Also in the box

  • Gateway presetsmoonshot (Kimi), openrouter, deepseek, usable from both claude-code and claude-sdk adapters. The ambient ANTHROPIC_API_KEY is scrubbed from env when a gateway base_url is set, so it can't leak to a third-party host.
  • Role registry + spawn-time privilege gate. Agents spawn as executor or supervisor, or a custom role from ROLE.md. A maxGrantableDelegation cap stops a role pack from self-granting delegation above your ceiling — a pack asking for more than the cap gets forced to deny. Why that gate exists: an agent that can spawn agents is a fork bomb with good intentions.
  • Worktree linkPaths — symlink gitignored dirs (read: node_modules) from the host repo into a fresh worktree, so pnpm install --prefer-offline resolves without a full reinstall. AgentStep.cwd binds to the provisioned path: provision → agent → gate → approval → cleanup.
  • agentproto_terminal — a live PTY panel over WebSocket in the MCP UI bridge.
  • Global defaults config — per-adapter skills/options auto-applied to every spawn, folded into each adapter's native option shape.
  • adapter-kitprovider-kit rename. @agentproto/adapter-kit@0.3.0 is a compat shim that re-exports everything. Old imports keep working.
  • Caption-first video ingestion in corpus import-web — subtitles first (fast, free), transcription only when captions are absent.

Go deeper

Each arc in this release is an argument made in code. Here's the argument in
prose — why the design went this way, and what it's defending against:

What shipped in 0.5 The thinking behind it
Credential broker, mcp-header exposure --approve-all is how your agent ships the dangerous one (hands-on)
Role registry, maxGrantableDelegation cap, sandboxes An agent that can spawn agents is a fork bomb with good intentions
Cost source tags, gateway presets Cheaper per token is not cheaper per outcome
Eval harness, LLM-judge scoring Your agent says the tests passed. It didn't run them.
Telemetry, redaction, the whole observability arc You're optimizing the part of your agent you don't own
Caption-first corpus import-web A folder of docs is not a knowledge base (hands-on) · Your coding agent knows the internet's average (hands-on)
npm i -g @agentproto/cli
Enter fullscreen mode Exit fullscreen mode

Full notes: the 0.5.0 release.


agentproto is an open-source (Apache-2.0) orchestration layer that runs on top
of your existing stack — it doesn't replace your coding agent, it supervises it.
File an issue.

Building agentproto in the open — follow @theagentproto and @agentik_ai on X.

Top comments (0)