Reference

Changelog

How Enclave came together, newest first. Each phase is validated before it's called done — see the evidence report in the repo.

Next (planned)

Phase 2 — computer-use

  • Reuse the same control-plane core to run a computer-use loop: a model driving a headless browser inside the sandbox.
  • Harden pids_exceeded on the live Kubernetes path (podPidsLimit) and broaden live e2e coverage.

Phase 1.2 (shipped)

Production console + end-to-end auth

  • The control plane now enforces auth and org-scoped tenancy: user JWTs and API keys, scoped session routes, cross-org 404s.
  • A console-api identity authority (login → JWT, orgs, members/RBAC, API keys, introspection) and the React console wired to it.
  • RBAC enforced server-side in both services — a viewer is rejected by the control plane, not just hidden in the UI.

Phase 1.1 (shipped)

Local Docker backend

  • A Docker backend executes workloads in local containers — macOS-friendly, no Kubernetes.
  • A dev convenience, not a security boundary: host kernel, no gVisor, no allowlist-egress enforcement.

Phase 1.0 (shipped)

Containment core

  • Backend-pluggable control plane: an honest non-executing SimulatorBackend and a KubernetesBackend behind one interface.
  • Credential withholding, default-deny egress, secure pod defaults, per-session quotas, immutable audit log, SSE streaming, webhooks.
  • 40 hermetic tests, 5 live Kubernetes e2e (k3d), and a 5/5 adversarial demo. gVisor enforcement on the home k3s cluster.