Positioning: a local, self-hosted sandbox that lets any coding agent or untrusted dependency run wide-open on your machine without exfiltrating your secrets. Not a hosted cloud, not single-vendor, not CI-only, not a dev-environment service. The unserved space: developers who won't ship code to a SaaS, want it tool-agnostic, and want drop-in simplicity.
v1 = #1-#3 done well + #4 in basic form. That's the minimum that survives "how is this different?" - #1-#4 make it defensible, #5-#6 make it adoptable.
Toward 1.0. The CLI surface stayed intentionally changeable through 0.x rather than guessing the
final shape early. The lock-before-1.0 review is done: the verb surface is frozen (decided
2026-06-01 - build/rebuild/update stay verbs, being frequent + side-effect-distinct; smoke
stays, harmless + CI-useful). Amended 2026-06: diff/apply landed with SLUICE_WORKSPACE=overlay,
so sluice help now lists 19 task verbs - the help output is the canonical list. sluice is a
flat-verb task runner, not noun-verb.
1.0 = a stability commitment, not new features. The v1 cut line is met and #1-#6 are landed, so cutting 1.0 is gated on locking the surface + closing (or consciously accepting) the confidence items below - not on building anything new.
A. Lock the surface (the hard gate - a decision + a doc change):
- Decide
smoke: KEEP (decided 2026-06-01). Verb set frozen (amended 2026-06 withdiff/apply, above). - Freeze the verb set + their flags as the 1.0 CLI; freeze the
SLUICE_*knob names + thesluice.config.shcontract (POSIX-sh sourced, space/newline strings, no bash arrays) as the stable config API. - Write a compatibility promise - landed in the README Stability section.
- Remove the pre-1.0 caveats: the README "> Pre-1.0: the command surface is still stabilizing" note. At the cut, lead the v1.0.0 release notes with Highlights + Install + Docs links.
B. Close for confidence (or consciously accept the gap):
- #3 live agent round-trips verified (2026-06-03, manual with real keys) - claude/aider/opencode run live daily and the credential-gated four (amp/cursor/codex/gemini) were round-tripped end to end, so the wedge is "verified end-to-end," not just cred-free.
- #2 real Linux dev-box run (done 2026-06-02). On a stock Ubuntu 24.04 / Docker 29.5.2 box, non-sudo
(docker group):
install.shcurl|sh from main ->sluice buildon the unpatched Dockerfile -> egress matrix holds (registry.npmjs.org reached, example.com DROP) ->doctorclean. The livesluice agent <name>round-trip was tracked separately as #3 above, not part of this smoke.
C. Quality bar (should already mostly hold - audit before cutting):
- All tests green: the gate bats suites (acceptance, init-detection, the no-Docker CLI + installer
units, security) and the
nightly-*bats suites (agents / runtimes / lock / learn / control-plane / nix - sharingtest/test_helper/common.bash; gated in nightly). - Docs current + consistent: README, THREAT_MODEL, SECURITY.md, EXTENDING.md, core/README.md, src/README.md, examples/, sluice.config.example.sh, and help all match the locked surface (knob table = the frozen knobs; command list = the frozen verbs).
- Distribution intact (already done): signed GHCR base + cosign-verify, signed release tarballs (cosign keyless + SHA256SUMS), tap, install.sh, SECURITY.md, LICENSE, SBOM, the version + opt-out update notice.
D. Cut 1.0.0: bump SLUICE_VERSION, signed tag, publish-base + release (the Highlights + Install +
Docs format), tap bump. The README then no longer says "pre-1.0."
Explicitly NOT 1.0 (so they're not silently missing): everything in Candidate features below - the control plane, stronger isolation, Windows/GPU, etc. - is deferred past 1.0. 1.0 adds nothing new; it's the stability commitment.
No new features needed - every claim here is backed by shipped code. This is about not fumbling first contact with a skeptical, Linux-heavy dev/security crowd landing on the repo.
- Linux dev-box smoke (landed 2026-06-02). The real first-try path on a throwaway cloud Linux VM ran clean, credential-free and non-sudo; the stock build needs no manual patch. (Closes #2; detail in B above.)
- Demo assets (landed 2026-06-02). Two capability GIFs in the README (real pasted commands): doctor and learn. The cage hero GIF was dropped as low-value (2026-06-02, prose leads instead); a dedicated agent demo GIF stays optional.
- Top-of-README quickstart (landed 2026-06-01). Value prop -> copy-paste quickstart.
- Issue templates + CONTRIBUTING (landed 2026-06-02). Bug + feature forms (bug form collects
version/engine/OS/
doctor), blank issues disabled + security routed toSECURITY.md, leanCONTRIBUTING.md.
The forward backlog. Everything here is additive (semver-minor), so it fits 0.9.x / 1.x without disturbing the 1.0 stability lock above - 1.0 is the freeze, these ride the minors around it. Each item rides the lowest extension rung that fits (preset / knob / flag, not a new verb); see EXTENDING.md for the ladder and the in-scope test. Tiered by sequencing; all consolidated from the planks' deferred notes + the threat model + the isolation spike (nothing new invented), with rough effort (S/M/L) and the gap each closes.
Next (build-ready):
SLUICE_RUNTIMEmicro-VM isolation - LANDED (opt-in).SLUICE_RUNTIME=kataruns the box under an own-kernel runtime (Kata Containers, via containerd/nerdctl) so a kernel escape can't reach the host - closing the #1 admitted THREAT_MODEL gap (shared kernel) as an opt-in.$ENGINEstill builds the image; the box runs under nerdctl and the image is loaded across (the$RUNNERsplit, default unset = unchanged). Verified on the spike VM 2026-06-02: the firewall/squid stack comes up unchanged. Edera is Track B (itsprotectlaunch interface, pending the access key). Runbook:spike/terraform/.- More agent presets - S. The wedge; a preset is "just a file" (tool + API hosts + auth var). Cheap adoption, and the preset library is community moat.
Later (adoption-gated / bigger):
- Hosted control plane / fleet - L. The OSS seams already shipped (
lswith posture/orphan/filters +--egress, cross-dir-b/--boxtargeting,prune --orphans,doctor/egress --json, a deny-capable central policy). The SaaS aggregator/dashboard + fleetls+ signed policy bundles + credential brokering wait on adoption pull - the monetization (open-core), not first. - Supply-chain depth - M - pinned replay LANDED.
sluice lock --pinwrites asluice.pin(base @sha256 digest + exact apk/npm/pip/gem/go/cargo versions);SLUICE_PIN=1replays it into a build that is verified againstsluice.lock(fails closed on drift) - inventory-identical, not bit-for-bit (Wolfi apk is rolling; an aged-out version fails closed, andsluice updatere-resolves + re-pins). (CycloneDX + cosign SBOM attestation + cargo inventory + SPDX output +lock --enforcestrict gate shipped earlier.) Remaining depth: a full APKINDEX snapshot for offline replay of aged-out versions.
Deferred (on real demand / not now): Windows/WSL2, GPU passthrough, further stack detection beyond
the current 11 (the generic base + SLUICE_EXTRA_PKGS/SLUICE_RUN_CMD, or a Procfile/Makefile run target,
already run any language), a non-server batch/data-job demo, and multi-tenant adversarial isolation (a different
product - sluice is anti-exfil for code you mostly trust, not hostile-tenant isolation).
The old enforcement (resolve domains -> IPv4 -> ipset at boot) leaked: rotating CDN IPs, direct-IP/SNI bypass, DoH, IPv6. Shipped instead: the in-box squid intercept proxy allowing by Host/TLS-SNI, which survives IP rotation and fails closed. Mechanics, caveats, and the TLS-interception opt-in: THREAT_MODEL.md.
bin/sluice is engine-agnostic; the Linux Docker leg is the CI gate, rootless Podman is best-effort.
Rootful Podman is unsupported: its netavark backend leaves the box's dnsmasq unable to
enumerate interfaces (Permission denied), so the firewall never comes up. Two Linux-only bugs the
nightly surfaced and fixed: bind mounts keeping the host uid (the entrypoint chowns to 1000), and a
squid Host-forgery 409 on rotating-CDN hosts (fixed by the in-box caching dnsmasq pinning a name to
one IP set per session). The real dev-box smoke ran clean 2026-06-02.
sluice agent <name> scaffolds a preset and drops you in; nine ship, all defaulting to skip-approvals
since the sandbox is the gate. Cred-free harness (nightly-agents.bats + a weekly drift smoke) plus
live keyed round-trips (manual, 2026-06-03). Sessions persist via SLUICE_STATE_DIRS. Running agents:
docs/agents.md; the preset contract: agents/README.md.
squid logs the SNI/Host of every blocked connection; sluice learn proposes the allowlist and applies
it live (no rebuild), every run prints an at-exit egress receipt and appends to a hash-chained audit
log (egress --export/--verify), and learn --audit covers trusted fetchers that abort on the first
block. Walkthrough: examples/README.md.
Apache-2.0 (open-core; the control plane is the moat), SECURITY.md, install.sh, and a Homebrew tap
pinning the cosign-signed release tarball; released through v0.9.0. Signed GHCR base image (opt-in) with
an attested SBOM, plus the lock audit/drift/SBOM/scan surface. Honest scope: audit/drift, not
reproducibility (Wolfi apk is rolling) - the remaining depth is in the backlog above. Mechanics:
docs/supply-chain.md.
sluice init detects 11 stacks and scaffolds a working config (POSIX-clean, no engine needed);
init --update re-detects without clobbering manual edits, and F2 dep prefetch fetches lockfile deps at
build. Build-verified end-to-end per stack via nightly-runtimes.bats; elixir detection ships but its
deps don't yet compile on Wolfi (an erlang-headers gap). The examples/ gallery is six capability
demos - webapp, overlay, firewall, database, jupyter, nix.