README.md
14 additions & 2 deletions
@@ -110,11 +110,23 @@ OpenClaw embedded runs now materialize a SparseKernel task lease and transcript
110
110
111
111
The product name of this repository is **Sparse Kernel**. The implementation crates, binaries, and package names use `sparsekernel` where package ecosystems prefer a compact identifier.
112
112
113
+
## Production Readiness
114
+
115
+
Sparse Kernel's production goal is a local multi-agent runtime that can run many durable logical agents on ordinary machines while keeping expensive and sensitive resources bounded, leased, audited, and brokered by trust zone.
116
+
117
+
Production readiness is an executable gate, not a blanket isolation claim. Use the strict acceptance lane before cutover:
For OpenClaw deployments, `openclaw runtime acceptance --strict --current-platform --run --include-recommended` checks the same runtime surface alongside the operator's configured session, transcript, tool, browser, sandbox, egress, worker-identity, and plugin subprocess settings.
124
+
113
125
## Current Status
114
126
115
-
V0 proves the foundation: migrations, the runtime ledger, transcript events, embedded-run task leases, artifact primitives, capability checks, audit records, browser/sandbox broker records, a CLI, a daemon, and a TypeScript client.
127
+
V0 now covers the production cutover foundation: migrations, the runtime ledger, transcript events, embedded-run task leases, artifact primitives, capability checks, audit records, browser/sandbox broker records, a CLI, a daemon, a TypeScript client, strict acceptance lanes, brokered CDP browser contexts/actions, egress proxy and firewall-helper planning, worker-identity provisioning plans, and plugin subprocess policy hooks.
116
128
117
-
It does not yet implement production Playwright browser process pooling, production sandbox backends, host-level egress proxy enforcement, plugin subprocess isolation, or a full OpenClaw runtime rewrite.
129
+
Sparse Kernel still does not claim a universal host security boundary. BrowserContext isolation is session isolation, local/no-isolation sandboxing is accounting only, and host-level egress is as strong as the configured proxy, firewall, sandbox, VM, or operator helper. OpenClaw compatibility paths remain intentionally staged while the strict ledger-primary path, brokered tools, browser brokering, sandbox policy, and plugin subprocess controls harden behind acceptance gates.
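Review bot: The rewritten status paragraphs at new lines 127 and 129 no longer tell a reader which controls are enforced and which are only planned. The removed line named what was not implemented (production Playwright browser process pooling, production sandbox backends, host-level egress proxy enforcement, plugin subprocess isolation), while the replacement lists "egress proxy and firewall-helper planning", "worker-identity provisioning plans" and "plugin subprocess policy hooks" alongside the existing V0 foundation items under the phrase "production cutover foundation". Suggest keeping an explicit not-yet-enforced list, or marking each item in line 127 as enforced, brokered, or plan-only. Since line 129 states that local/no-isolation sandboxing is "accounting only", the Production Readiness section should also say whether the `--strict` acceptance lane fails, or only reports, when that mode is configured, so that a passing gate is not read as an isolation guarantee.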