npm - bulkhead-runtime - Versions diffs - 2026.4.5-beta.6 → 2026.4.5-beta.8 - Mend

bulkhead-runtime 2026.4.5-beta.6 → 2026.4.5-beta.8

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/README.md CHANGED Viewed

@@ -6,7 +6,7 @@
 Each in its own OS namespace. Each with private memory, encrypted credentials, and an isolated filesystem.
 **No Docker. No cloud. One `npm install`.**
-![Features](docs/assets/features.png)
+Built on battle-tested subsystems extracted from [OpenClaw](https://github.com/nicepkg/openclaw) — model fallback, error classification, API key rotation, SSRF protection, embedding pipeline, and more.
 ---
@@ -68,11 +68,11 @@ app.post("/api/agent", async (req, res) => {
 ### Teams -- per-team agents, per-team secrets
-Different GitHub orgs, different databases, different cloud accounts. No credential leaks between teams.
+Different teams, different databases, different cloud accounts. No credential leaks.
 ```typescript
-const eng  = await platform.createWorkspace("engineering");
-const ops  = await platform.createWorkspace("ops");
+const eng = await platform.createWorkspace("engineering");
+const ops = await platform.createWorkspace("ops");
 eng.skills.enable("github-pr");
 ops.skills.enable("pagerduty");
@@ -81,22 +81,9 @@ await eng.credentials.store("github", { token: "ghp_eng..." });
 await ops.credentials.store("pagerduty", { token: "pd_..." });
 ```
-### Consulting -- client isolation, clean offboarding
-One `deleteWorkspace()` wipes everything -- memory, credentials, sessions. Gone.
-```typescript
-const acme = await platform.createWorkspace("client-acme");
-await acme.credentials.store("aws", { key: "...", secret: "..." });
-await acme.run({ message: "Check staging and open a Jira ticket if it failed" });
-// Client offboarded -- clean wipe
-await platform.deleteWorkspace("client-acme");
-```
 ### CI/CD -- ephemeral agents, zero state leaks
-Spin up per job, per PR, per deploy. The workspace is destroyed after. No state leaks between runs.
+Spin up per job, per PR, per deploy. Destroyed after.
 ```typescript
 const ws = await platform.createWorkspace(`deploy-${Date.now()}`);
@@ -112,35 +99,15 @@ await platform.deleteWorkspace(ws.userId);
 ![Architecture](docs/assets/architecture.png)
-> Agent A cannot see Agent B's files, memory, credentials, or processes. Not by policy. **By kernel enforcement.**
----
-## Why Bulkhead Over Alternatives
-|                                  | Docker per user    | E2B / Cloud          | **Bulkhead Runtime**                                      |
-| -------------------------------- | ------------------ | -------------------- | --------------------------------------------------------- |
-| **Isolation mechanism**          | Container per user | Cloud VM per session | **Linux namespaces**                                      |
-| **Credential security**          | DIY                | Not built-in         | **AES-256-GCM, never exposed to agent**                   |
-| **Persistent memory**            | DIY                | DIY                  | **SQLite + vector embeddings per tenant**                 |
-| **Embedding cache + batch**      | DIY                | DIY                  | **SQLite cache, batch with retry**                        |
-| **SSRF protection**              | DIY                | DIY                  | **DNS-validated, private-IP blocking, fail-closed** |
-| **Model fallback**               | DIY                | DIY                  | **Automatic multi-model fallback chains**                 |
-| **API key rotation**             | DIY                | DIY                  | **Multi-key with rate-limit rotation**                    |
-| **Parallel subagents**           | DIY                | DIY                  | **Built-in with depth limiting**                          |
-| **Skills with secret injection** | DIY                | DIY                  | **Credentials injected server-side**                      |
-| **Infrastructure**               | Docker daemon      | Cloud API + billing  | **Single npm package**                                    |
-| **Cold start**                   | ~2s                | ~5-10s               | **~50ms**                                                 |
-| **Embeddable in your app**       | No                 | No                   | **Yes — it's a library**                                  |
-| **License**                      | —                  | Proprietary          | **MIT**                                                   |
+When `workspace.run()` executes, Bulkhead spawns a **child process** with 5 layers of kernel isolation: user namespace, PID namespace, mount namespace (pivot_root), optional network namespace, and cgroups v2 resource limits. The agent **never runs in your application's process** and **cannot see anything outside its sandbox**.
+> **[Read the full isolation architecture &rarr;](docs/isolation.md)**
 ---
 ## Single-User Mode
-The fastest path for prototyping or single-agent use. No platform needed.
+For prototyping or single-agent use. No platform needed.
 ```typescript
 import { createRuntime } from "bulkhead-runtime";
@@ -155,448 +122,101 @@ const result = await runtime.run({
 });
 ```
-The agent runs inside a Linux namespace sandbox with full coding tools (read, write, edit, bash, grep, find, ls) and autonomous memory (`memory_store`, `memory_search`).
 ---
-## Multi-Tenant Isolation
-This is the core of Bulkhead Runtime. Each user gets a **workspace** — a fully isolated environment with its own memory, encrypted credentials, enabled skills, and session history. Workspaces are physically separated at the OS level.
-```typescript
-import { createPlatform } from "bulkhead-runtime";
-const platform = createPlatform({
-  stateDir: "/var/bulkhead-runtime",
-  credentialPassphrase: process.env.BULKHEAD_CREDENTIAL_KEY,
-});
-const alice = await platform.createWorkspace("alice", {
-  provider: "anthropic",
-  model: "claude-sonnet-4-20250514",
-});
-const bob = await platform.createWorkspace("bob", {
-  provider: "google",
-  model: "gemini-2.5-flash",
-});
-```
-### What "isolated" actually means
-When `workspace.run()` executes, Bulkhead spawns a **child process** with 5 layers of kernel isolation. The agent **never runs in your application's process**.
-![Execution Flow](docs/assets/execution-flow.png)
-The agent gets coding tools (bash, file read/write/edit) because the mount namespace restricts its entire filesystem view. **It literally cannot see anything outside its sandbox.**
----
-## Credential Security
-Credentials are **AES-256-GCM encrypted** at rest. PBKDF2 key derivation with 100k iterations (SHA-512). The agent **never** sees raw secrets — not through tools, not through IPC, not through environment variables.
-```typescript
-await alice.credentials.store("github", { token: "ghp_alice_secret" });
-await alice.credentials.store("openai", { apiKey: "sk-..." });
-```
-![Credential Flow](docs/assets/credential-flow.png)
-System environment variables (`PATH`, `HOME`, `NODE_ENV`) are protected from credential key collision. Skill IDs are validated against prototype pollution.
+## Features
+| Feature | What It Does | Docs |
+|---------|-------------|------|
+| **OS-level Isolation** | 5 layers: user, PID, mount, network namespaces + cgroups v2 | [docs/isolation.md](docs/isolation.md) |
+| **Encrypted Credentials** | AES-256-GCM at rest, PBKDF2 key derivation, never exposed to agent | [docs/credentials.md](docs/credentials.md) |
+| **Hybrid Memory** | Vector + FTS5 fusion, MMR diversity, temporal decay, 7-language query expansion | [docs/memory.md](docs/memory.md) |
+| **Per-Workspace Skills** | Global registry, per-tenant enablement, credentials injected server-side | [docs/skills.md](docs/skills.md) |
+| **Session Continuity** | Named sessions, JSONL transcripts, context pruning | [docs/sessions.md](docs/sessions.md) |
+| **Model Fallback** | Automatic multi-model chains, error classification, cooldown tracking | [docs/fallback.md](docs/fallback.md) |
+| **API Key Rotation** | Multi-key per provider, automatic rotation on rate limits | [docs/fallback.md](docs/fallback.md) |
+| **Subagent Orchestration** | Parallel execution, depth limiting, registry | [docs/subagents.md](docs/subagents.md) |
+| **Structured Logging** | JSON/pretty/compact, file output, subsystem tagging | [docs/logging.md](docs/logging.md) |
+| **SSRF Protection** | DNS pinning, private IP blocking, hostname allowlists, fail-closed | [docs/memory.md](docs/memory.md) |
+| **Embedding Pipeline** | Batch with retry, SQLite cache, 5 providers (including local Ollama) | [docs/memory.md](docs/memory.md) |
 ---
-## Per-Workspace Skills
-Skills are registered globally and **enabled per workspace**. Each workspace gets exactly the capabilities it needs — nothing more.
-```typescript
-const frontend = await platform.createWorkspace("team-frontend");
-const backend  = await platform.createWorkspace("team-backend");
-frontend.skills.enable("github-issues");
-backend.skills.enable("github-issues");
-backend.skills.enable("db-migration");
-await frontend.credentials.store("github", { token: "ghp_frontend_token" });
-await backend.credentials.store("github", { token: "ghp_backend_token" });
-await backend.credentials.store("database", { url: "postgres://prod:5432/app" });
-```
-```javascript
-// skills/github-issues/execute.js
-const params = JSON.parse(await readStdin());
-const token = process.env.token;
-const res = await fetch(`https://api.github.com/repos/${params.repo}/issues`, {
-  headers: { Authorization: `Bearer ${token}` },
-});
-console.log(JSON.stringify(await res.json()));
-```
-Skills run with a minimal env (`PATH`, `HOME`, `NODE_ENV` + credentials), 30s timeout, and 10 MB stdout/stderr cap.
----
-## Memory Isolation
-Each workspace has its own SQLite database. Memories never cross workspace boundaries — not by access control, **by physical separation**.
-```typescript
-await alice.memory.store("Project uses React and TypeScript");
-await bob.memory.store("Project uses Vue and Python");
-const search = await alice.memory.search("framework");
-// → "React and TypeScript"
-// Bob's data doesn't exist in Alice's universe.
-```
-### Autonomous Agent Memory
-The agent decides what to remember. Memory persists across sessions, across restarts.
-```typescript
-// Session 1
-await runtime.run({
-  message: "My name is Juan, I work in fintech, I prefer TypeScript",
-  sessionId: "onboarding",
-});
-// Session 2 — different session, memory persists
-await runtime.run({
-  message: "Set up a new project for me",
-  sessionId: "new-project",
-});
-// Agent searches memory → finds preferences → scaffolds TypeScript project
-```
-**Hybrid search engine under the hood:**
-| Stage               | Algorithm                                            |
-| ------------------- | ---------------------------------------------------- |
-| **Vector search**   | Cosine similarity against stored embeddings          |
-| **Keyword search**  | SQLite FTS5 with BM25 ranking                        |
-| **Fusion**          | Weighted merge of vector + keyword scores            |
-| **Temporal decay**  | Exponential time-based score attenuation             |
-| **Diversity**       | MMR (Maximal Marginal Relevance) re-ranking          |
-| **Query expansion** | 7-language keyword extraction (EN/ES/PT/ZH/JA/KO/AR) |
+## Why Bulkhead Over Alternatives
-Works without any embedding API key — falls back to FTS5 keyword search.
+|                                  | Docker per user    | E2B / Cloud          | **Bulkhead Runtime**                         |
+| -------------------------------- | ------------------ | -------------------- | -------------------------------------------- |
+| **Isolation mechanism**          | Container per user | Cloud VM per session | **Linux namespaces**                         |
+| **Credential security**          | DIY                | Not built-in         | **AES-256-GCM, never exposed to agent**      |
+| **Persistent memory**            | DIY                | DIY                  | **SQLite + vector embeddings per tenant**    |
+| **SSRF protection**              | DIY                | DIY                  | **DNS-validated, private-IP blocking**       |
+| **Model fallback**               | DIY                | DIY                  | **Automatic multi-model fallback chains**    |
+| **API key rotation**             | DIY                | DIY                  | **Multi-key with rate-limit rotation**       |
+| **Skills with secret injection** | DIY                | DIY                  | **Credentials injected server-side**         |
+| **Infrastructure**               | Docker daemon      | Cloud API + billing  | **Single npm package**                       |
+| **Cold start**                   | ~2s                | ~5-10s               | **~50ms**                                    |
+| **Embeddable in your app**       | No                 | No                   | **Yes — it's a library**                     |
+| **License**                      | —                  | Proprietary          | **MIT**                                      |
 ---
-## Session Continuity
-```typescript
-await workspace.run({
-  message: "Create a REST API for user management",
-  sessionId: "api-project",
-});
-// Later — agent sees the full conversation history
-await workspace.run({
-  message: "Add input validation to those endpoints",
-  sessionId: "api-project",
-});
-```
-Sessions are per-workspace, stored as JSONL transcripts with async locking.
----
+## Provider Support
-## Subagent Orchestration
+### LLM Providers
-Agents can spawn sub-agents for parallel or complex work. Sub-agents run concurrently with controlled parallelism and depth limiting.
+Any provider supported by [pi-ai](https://github.com/nicepkg/pi-ai):
-```typescript
-const result = await runtime.run({
-  message: "Review this PR for security and performance",
-  enableSubagents: true,
-});
-```
+| Provider | Example Model |
+|----------|---------------|
+| **Anthropic** | `claude-sonnet-4-20250514` |
+| **Google** | `gemini-2.5-flash` |
+| **OpenAI** | `gpt-4o` |
+| **Groq** | `llama-3.3-70b-versatile` |
+| **Cerebras** | `llama-3.3-70b` |
+| **Mistral** | `mistral-large-latest` |
+| **xAI** | `grok-3` |
-Or programmatically:
+### Embedding Providers
-```typescript
-import { spawnSubagentsParallel } from "bulkhead-runtime";
-const results = await spawnSubagentsParallel({
-  tasks: [
-    { id: "security", task: "Audit for SQL injection and XSS", label: "Security" },
-    { id: "perf", task: "Profile hot paths and suggest optimizations", label: "Performance" },
-    { id: "docs", task: "Check all public APIs have JSDoc", label: "Documentation" },
-  ],
-  maxConcurrent: 3,
-  run: async (task) => {
-    const r = await runtime.run({
-      message: task.task,
-      systemPrompt: `You are a ${task.label} expert.`,
-    });
-    return r.response;
-  },
-});
-```
+| Provider | Default Model | Local |
+|----------|--------------|-------|
+| **OpenAI** | `text-embedding-3-small` | |
+| **Gemini** | `gemini-embedding-001` | |
+| **Voyage** | `voyage-3-lite` | |
+| **Mistral** | `mistral-embed` | |
+| **Ollama** | `nomic-embed-text` | **Yes** |
 ---
 ## Lifecycle Hooks
+6 hook points for audit logging, billing, and custom logic:
 ```typescript
 workspace.hooks.register("before_tool_call", async ({ toolName, input }) => {
   await auditLog.write({ tool: toolName, input, timestamp: Date.now() });
 });
 workspace.hooks.register("after_agent_end", async ({ sessionId, result }) => {
-  await billing.recordUsage(workspace.id, sessionId);
-});
-```
-6 hook points: `session_start` · `session_end` · `before_agent_start` · `after_agent_end` · `before_tool_call` · `after_tool_call`
----
-## Model Fallback & API Key Rotation
-When a model fails, Bulkhead automatically falls back to the next candidate. The error classification engine — ported from [OpenClaw](https://github.com/nicepkg/openclaw)'s battle-tested failover system — covers rate limits, billing, auth, overload, timeout, model not found, context overflow, and provider-specific patterns (Bedrock, Groq, Azure, Ollama, Mistral, etc.). Providers in cooldown are skipped automatically. When a key is rate-limited, it rotates to the next one.
-```typescript
-const result = await runtime.run({
-  message: "Analyze this codebase",
-  provider: "anthropic",
-  model: "claude-sonnet-4-20250514",
-  fallbacks: ["openai/gpt-4o", "google/gemini-2.5-flash"],
-  apiKeys: [process.env.ANTHROPIC_KEY_1!, process.env.ANTHROPIC_KEY_2!],
+  await billing.recordUsage(workspace.userId, sessionId);
 });
 ```
-Or set keys via environment variables:
-```bash
-ANTHROPIC_API_KEY=sk-ant-...
-ANTHROPIC_API_KEYS=sk-ant-key1,sk-ant-key2,sk-ant-key3
-ANTHROPIC_API_KEY_1=sk-ant-...
-ANTHROPIC_API_KEY_2=sk-ant-...
-```
+`session_start` · `session_end` · `before_agent_start` · `after_agent_end` · `before_tool_call` · `after_tool_call`
 ---
-## Context Window Guards
+## Demos
-Prevents silent failures from models with insufficient context windows.
+12 runnable demos covering every feature. 4 require an API key, 8 run fully local.
-```typescript
-import { resolveContextWindowInfo, evaluateContextWindowGuard } from "bulkhead-runtime";
-const info = resolveContextWindowInfo({
-  modelContextWindow: model.contextWindow,
-  configContextTokens: 16_000,
-});
+> **[See all demos &rarr;](docs/demos.md)**
-const guard = evaluateContextWindowGuard({ info });
-// guard.shouldWarn  → true if below 32,000 tokens
-// guard.shouldBlock → true if below 16,000 tokens
-```
-The runtime applies these guards automatically before every agent execution.
----
-## Retry with Compaction
-Transient errors (rate limits, timeouts, context overflow) trigger automatic retry with exponential backoff.
-```typescript
-const result = await runtime.run({
-  message: "Refactor the auth module",
-  maxRetries: 3,
-});
-// On context overflow → SDK compaction reduces history
-// On 429/5xx → exponential backoff + jitter
-```
----
-## Embedding Pipeline
-### Embedding Cache
-Embeddings are cached in SQLite to avoid re-embedding unchanged content. Enabled by default.
-```typescript
-const memory = createSimpleMemoryManager({
-  dbDir: "/var/data/memory",
-  embeddingProvider: createEmbeddingProvider({ provider: "openai", apiKey: "..." }),
-  enableEmbeddingCache: true,
-  maxCacheEntries: 50_000,
-});
-```
-### Batch Embedding with Retry
-```typescript
-import { embedBatchWithRetry } from "bulkhead-runtime";
-const result = await embedBatchWithRetry(
-  ["text 1", "text 2", "text 3"],
-  {
-    provider: embeddingProvider,
-    cache: memory.embeddingCache ?? undefined,
-    batchSize: 100,
-    concurrency: 2,
-    retryAttempts: 3,
-  },
-);
-// result: { embeddings: [...], cached: 150, computed: 50, errors: 0 }
-```
-### SSRF Protection
-All embedding provider HTTP calls are protected against Server-Side Request Forgery by default. The SSRF engine — ported from [OpenClaw](https://github.com/nicepkg/openclaw) — resolves DNS and pins IPs before connecting, blocks private/link-local ranges, and enforces a hostname allowlist. Fail-closed by default.
-```typescript
-import { validateUrl, buildBaseUrlPolicy } from "bulkhead-runtime";
-const provider = createEmbeddingProvider({
-  provider: "openai",
-  apiKey: "...",
-  enableSsrf: true,
-});
-await validateUrl("https://api.openai.com/v1/embeddings"); // OK
-await validateUrl("http://169.254.1.1/steal");              // throws SSRF error
-```
----
-## File-based Memory Indexing
-Automatically watches `MEMORY.md` and `memory/` directory for changes and re-indexes them into the memory system.
-```typescript
-import { createFileIndexer } from "bulkhead-runtime";
-const indexer = createFileIndexer({
-  workspaceDir: "/path/to/workspace",
-  memory,
-  watchPaths: ["docs/"],
-  debounceMs: 2000,
-});
-indexer.start();
-indexer.stop();
-```
----
-## Session Transcript Indexing
-Indexes session transcripts into memory for cross-session search. Supports post-compaction re-indexing. Ported from [OpenClaw](https://github.com/nicepkg/openclaw)'s memory-core extension.
-```typescript
-import { createSessionIndexer } from "bulkhead-runtime";
-const indexer = createSessionIndexer({
-  sessionsDir: path.join(stateDir, "sessions"),
-  memory,
-  deltaBytes: 4096,
-  deltaMessages: 10,
-});
-await indexer.indexAllSessions();
-indexer.onTranscriptUpdate(sessionFile);
-```
----
-## Structured Logging
-Structured JSON logging with file output, rotation, and configurable levels.
-```typescript
-import { configureLogger, createSubsystemLogger } from "bulkhead-runtime";
-configureLogger({
-  level: "debug",
-  file: "/var/log/bulkhead-runtime.log",
-  maxFileBytes: 10 * 1024 * 1024,
-  json: true,
-});
-const log = createSubsystemLogger("my-module");
-log.info("agent started", { userId: "alice", model: "claude-sonnet-4-20250514" });
-```
-Or via environment:
-```bash
-BULKHEAD_LOG_LEVEL=debug
-BULKHEAD_LOG_FILE=/var/log/bulkhead-runtime.log
-```
----
-## Security Architecture
-### 5 Layers of Sandbox Isolation
-All layers are **fail-closed** — if any layer can't be applied, the sandbox refuses to start.
-![Security Layers](docs/assets/security-layers.png)
-### Defense in Depth
-| Defense                       | Mechanism                                                                                            |
-| ----------------------------- | ---------------------------------------------------------------------------------------------------- |
-| **Env allowlist**             | Only `PATH`, `HOME`, `NODE_ENV` + the single API key the agent needs. Everything else dropped.       |
-| **Credential proxy**          | Secrets decrypted server-side, injected into skill execution. Never sent over IPC.                   |
-| **Path traversal blocklist**  | `/proc`, `/sys`, `/home/`, `/etc/shadow`, `/run/docker.sock`, and more are blocked from bind mounts. |
-| **Symlink rejection**         | `additionalBinds` sources must not be symlinks (prevents TOCTOU attacks).                            |
-| **IPC rate limiting**         | 200 calls/sec per method. Prevents resource exhaustion from rogue agents.                            |
-| **IPC buffer limit**          | 50 MB max. Peer stops on overflow to prevent memory exhaustion.                                      |
-| **Prototype pollution guard** | `__proto__`, `constructor`, `prototype` rejected as skill/credential IDs.                            |
-| **Stdout interception**       | IPC uses a dedicated fd. All other stdout is redirected to stderr.                                   |
-| **Sensitive path validation** | `workspaceDir`, `projectDir`, `nodeExecutable`, `additionalBinds` all validated.                     |
-| **Atomic writes**             | Config, credentials, sessions, skill state — all use tmp+rename pattern.                             |
----
-## Provider Support
-### LLM Providers
-Any provider supported by [pi-ai](https://github.com/nicepkg/pi-ai):
-| Provider      | Example Model              |
-| ------------- | -------------------------- |
-| **Anthropic** | `claude-sonnet-4-20250514` |
-| **Google**    | `gemini-2.5-flash`         |
-| **OpenAI**    | `gpt-4o`                   |
-| **Groq**      | `llama-3.3-70b-versatile`  |
-| **Cerebras**  | `llama-3.3-70b`            |
-| **Mistral**   | `mistral-large-latest`     |
-| **xAI**       | `grok-3`                   |
-### Embedding Providers
-Optional — keyword search works without any API key.
-| Provider    | Default Model            | Local   |
-| ----------- | ------------------------ | ------- |
-| **OpenAI**  | `text-embedding-3-small` |         |
-| **Gemini**  | `gemini-embedding-001`   |         |
-| **Voyage**  | `voyage-3-lite`          |         |
-| **Mistral** | `mistral-embed`          |         |
-| **Ollama**  | `nomic-embed-text`       | **Yes** |
+Highlights:
+- **[demo-workspace-real](demos/demo-workspace-real.ts)** — Full multi-tenant DevOps platform with 2 teams, skills, memory, credentials, and live agent execution
+- **[demo-subagents](demos/demo-subagents.ts)** — Orchestrator delegates to specialist sub-agents
+- **[demo-fallback](demos/demo-fallback.ts)** — Model fallback chains with simulated failures
 ---
@@ -613,7 +233,6 @@ src/
 │   ├── rootfs.ts          Minimal rootfs with bind mounts
 │   ├── ipc.ts             Bidirectional JSON-RPC 2.0 over stdio
 │   ├── seccomp.ts         BPF syscall filter profiles
-│   ├── seccomp-apply.ts   seccomp-BPF application via C helper
 │   ├── proxy-tools.ts     memory/skill tools proxied to host via IPC
 │   └── worker.ts          Agent entry point inside sandbox
 ├── credentials/       AES-256-GCM encrypted store + credential proxy
@@ -621,24 +240,15 @@ src/
 ├── runtime/           createRuntime() — single-user mode
 │   ├── failover-error.ts   Error classification (ported from OpenClaw)
 │   ├── model-fallback.ts   Fallback chains + cooldown tracking
-│   ├── context-guard.ts    Context window guards (16K/32K thresholds)
-│   ├── retry.ts            Exponential backoff with jitter + retryAfterMs
 │   ├── api-key-rotation.ts Per-provider key rotation
 │   ├── subagent.ts         Parallel execution + lifecycle + registry
-│   ├── session-pruning.ts  Trim old tool results in context
-│   ├── tool-result-truncation.ts  Truncate oversized tool output
-│   ├── memory-flush.ts     Pre-compaction memory save
-│   └── stream-adapters.ts  Per-provider stream configuration
+│   └── ...                 context-guard, retry, session-pruning, memory-flush
 ├── memory/            Hybrid search engine
 │   ├── hybrid.ts          Vector + FTS5 fusion scoring
 │   ├── mmr.ts             Maximal Marginal Relevance re-ranking
-│   ├── temporal-decay.ts  Exponential time-based scoring
-│   ├── query-expansion.ts 7-language keyword expansion
-│   ├── embedding-cache.ts SQLite embedding cache
-│   ├── embedding-batch.ts Batch embedding with retry
-│   ├── file-indexer.ts    File-based memory indexing with fs.watch
-│   ├── session-indexer.ts Session transcript indexing
-│   └── ssrf.ts            SSRF protection for HTTP calls
+│   ├── embeddings.ts      5-provider embedding support
+│   ├── ssrf.ts            SSRF protection for HTTP calls
+│   └── ...                temporal-decay, query-expansion, cache, indexers
 ├── hooks/             6 lifecycle hook points
 ├── logging/           Structured JSON logging with file output
 ├── sessions/          File-based store with async locking
@@ -674,25 +284,21 @@ Every file is workspace-scoped. No shared state between tenants.
 ## Built on OpenClaw
-Bulkhead Runtime stands on the shoulders of [OpenClaw](https://github.com/nicepkg/openclaw). Several production-critical subsystems were ported directly from OpenClaw's codebase:
-| Subsystem                                 | Origin                                                                    |
-| ----------------------------------------- | ------------------------------------------------------------------------- |
-| **Model fallback & error classification** | `src/agents/model-fallback.ts`, `failover-error.ts`, `failover-policy.ts` |
-| **API key rotation**                      | `src/agents/api-key-rotation.ts`, `live-auth-keys.ts`                     |
-| **Context window guards**                 | `src/agents/context-window-guard.ts`                                      |
-| **Retry with backoff**                    | `src/infra/retry.ts`                                                      |
-| **SSRF protection**                       | `src/infra/net/ssrf.ts`, `fetch-guard.ts`                                 |
-| **Embedding cache & batch**               | `extensions/memory-core/src/memory/manager-embedding-ops.ts`              |
-| **File indexer**                          | `extensions/memory-core/src/memory/manager-sync-ops.ts`                   |
-| **Session transcript indexer**            | `extensions/memory-core/src/memory/manager-sync-ops.ts`                   |
-| **Subagent orchestration**                | `src/agents/subagent-*.ts`                                                |
-| **Structured logging**                    | `src/logging/logger.ts`, `subsystem.ts`, `levels.ts`                      |
-| **Transcript events**                     | `src/sessions/transcript-events.ts`                                       |
+Bulkhead Runtime stands on the shoulders of [OpenClaw](https://github.com/nicepkg/openclaw). Several production-critical subsystems were ported directly:
+| Subsystem | Origin |
+|-----------|--------|
+| **Model fallback & error classification** | `src/agents/model-fallback.ts`, `failover-error.ts` |
+| **API key rotation** | `src/agents/api-key-rotation.ts`, `live-auth-keys.ts` |
+| **Context window guards** | `src/agents/context-window-guard.ts` |
+| **Retry with backoff** | `src/infra/retry.ts` |
+| **SSRF protection** | `src/infra/net/ssrf.ts`, `fetch-guard.ts` |
+| **Embedding cache & batch** | `extensions/memory-core/` |
+| **File & session indexers** | `extensions/memory-core/` |
+| **Subagent orchestration** | `src/agents/subagent-*.ts` |
+| **Structured logging** | `src/logging/logger.ts`, `subsystem.ts` |
-OpenClaw solved these problems in production. We extracted, adapted, and integrated them into Bulkhead's multi-tenant architecture. Full credit where it's due.
+OpenClaw solved these problems in production. We extracted, adapted, and integrated them into Bulkhead's multi-tenant architecture.
 ---
@@ -704,4 +310,4 @@ OpenClaw solved these problems in production. We extracted, adapted, and integra
 ## License
-[MIT](LICENSE)
+[MIT](LICENSE)

package/dist/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "bulkhead-runtime",
-  "version": "2026.4.5-beta.5",
+  "version": "2026.4.5-beta.8",
   "description": "Multi-tenant AI agent runtime with OS-level isolation. Sandboxed execution, encrypted credentials, private memory per tenant — one server, no Docker.",
   "license": "MIT",
   "repository": {
@@ -29,6 +29,35 @@
     "@mariozechner/pi-ai": "0.55.3",
     "@mariozechner/pi-coding-agent": "0.55.3"
   },
+  "keywords": [
+    "ai-agent",
+    "ai-agents",
+    "agent",
+    "agent-runtime",
+    "autonomous-agent",
+    "multi-agent",
+    "ai",
+    "llm",
+    "ai-infrastructure",
+    "ai-security",
+    "agent-security",
+    "mcp",
+    "model-context-protocol",
+    "tool-use",
+    "sandbox",
+    "secure-sandbox",
+    "sandboxing",
+    "runtime",
+    "isolation",
+    "process-isolation",
+    "tenant-isolation",
+    "multi-tenant",
+    "multitenant",
+    "security",
+    "credentials",
+    "encrypted-credentials",
+    "containerless"
+  ],
   "engines": {
     "node": ">=22.12.0"
   },

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "bulkhead-runtime",
-  "version": "2026.4.5-beta.6",
+  "version": "2026.4.5-beta.8",
   "description": "Multi-tenant AI agent runtime with OS-level isolation. Sandboxed execution, encrypted credentials, private memory per tenant — one server, no Docker.",
   "license": "MIT",
   "repository": {
@@ -45,6 +45,35 @@
     "typescript": "^5.9.3",
     "vitest": "^4.1.2"
   },
+  "keywords": [
+    "ai-agent",
+    "ai-agents",
+    "agent",
+    "agent-runtime",
+    "autonomous-agent",
+    "multi-agent",
+    "ai",
+    "llm",
+    "ai-infrastructure",
+    "ai-security",
+    "agent-security",
+    "mcp",
+    "model-context-protocol",
+    "tool-use",
+    "sandbox",
+    "secure-sandbox",
+    "sandboxing",
+    "runtime",
+    "isolation",
+    "process-isolation",
+    "tenant-isolation",
+    "multi-tenant",
+    "multitenant",
+    "security",
+    "credentials",
+    "encrypted-credentials",
+    "containerless"
+  ],
   "engines": {
     "node": ">=22.12.0"
   },