Provide reversibility and governance before AI agents touch the host.
hackernews
🔬 Research
#security
#ai security
#ai agents
#envpod
#review
#governance
#zero trust
Original source: hackernews · Summarized and analyzed by Genesis Park
Summary
To prevent production incidents, organizations should implement governance structures and reversibility features before allowing autonomous agents to access their infrastructure. This approach limits the potential blast radius of AI errors by enabling rapid recovery without requiring complex rollback procedures. By prioritizing guardrails and safety, companies can mitigate the risks associated with granting AI agents direct access to critical systems.
Body
EnvPod v0.1.6 — Zero-trust governance environments for AI agents
Author: Mark Amo-Boateng, PhD · [email protected]
Copyright 2026 Xtellix Inc.

Envpod is the zero-trust governance layer for AI agents. Docker isolates environments. Envpod governs access to real ones.

AI agents are useful only when they can work with real local context: your code, files, tools, shell state, and workflows. But direct host access creates a broken trust model. Docker forces a tradeoff: either the agent works in an isolated environment and loses real context, or you bind-mount the host and lose meaningful control. Envpod removes that tradeoff — agents work with your real environment through a copy-on-write layer, with review, rollback, audit, approval gates, secret isolation, and per-pod DNS governance.

Isolation is a wall. Governance is a policy. Docker was built for microservices. Envpod was built for agents.

    $ envpod diff my-agent
    M .gitconfig
    A src/utils.py
    A src/helper.py
    D tests/old_test.py
    A node_modules/... (47 files)
    $ envpod commit my-agent src/ --rollback-rest
    Committed 2 file(s). Rolled back 48.

Because Docker gives you coarse isolation, not fine-grained governance. With Docker, you usually end up in one of two modes:

- Strong isolation, weak usefulness — the agent works in a separate environment, losing access to your real files, tools, and working context.
- Strong access, weak control — you bind-mount the host so the agent can work on real files, but lose the review-and-commit model.

Envpod lets the agent work with real local context through a copy-on-write layer, while keeping changes reviewable and adding controls: audit, approval, secret isolation, and per-pod DNS policy. See Docker vs Envpod for a full comparison.

COW Foundation — OverlayFS copy-on-write. Every write goes to a private overlay; the host is untouched. Review changes with diff, accept with commit, discard with rollback. The foundation makes everything else reversible.
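The review-and-commit model above (diff, selective commit, roll back the rest) can be illustrated without a kernel OverlayFS mount. The following is an added example written for this summary, not EnvPod's own code: it models the lower (host) and upper (pod overlay) layers as two plain directories, represents deletions with `.wh.<name>` whiteout marker files (a naming convention borrowed from OverlayFS; real OverlayFS uses character devices, so this is an assumption of the model), and reproduces the `M`/`A`/`D` listing and the `commit <path> --rollback-rest` outcome on a constructed file set. The host directory is only written for the accepted prefixes; everything else is dropped from the overlay before it can reach the host.

```python
"""Python model of the copy-on-write review/commit/rollback flow.

Added illustration, not EnvPod code. `lower` plays the host directory,
`upper` the pod's private overlay. Whiteout files ``.wh.<name>`` in upper
mark deletions (assumed convention for this model).
"""
import os
import shutil
import tempfile

WHITEOUT = ".wh."


def _walk(root):
    """Return {relative_path: bytes} for every regular file under root."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                out[os.path.relpath(full, root)] = fh.read()
    return out


def overlay_diff(lower, upper):
    """Compute (status, path) entries the way `envpod diff` lists them."""
    base = _walk(lower)
    changes = []
    for rel, data in sorted(_walk(upper).items()):
        d, name = os.path.split(rel)
        if name.startswith(WHITEOUT):  # deletion marker
            target = os.path.join(d, name[len(WHITEOUT):])
            if target in base:
                changes.append(("D", target))
        elif rel not in base:
            changes.append(("A", rel))
        elif base[rel] != data:
            changes.append(("M", rel))
    return changes


def commit(lower, upper, accept, rollback_rest=True):
    """Apply entries under the `accept` prefixes to lower; discard the rest.

    Returns (committed, rolled_back). Only accepted paths ever touch the
    host; rolled-back entries are removed from the overlay.
    """
    committed = rolled_back = 0
    for status, rel in overlay_diff(lower, upper):
        d, name = os.path.split(rel)
        src = os.path.join(upper, d, WHITEOUT + name if status == "D" else name)
        dst = os.path.join(lower, rel)
        if any(rel == p or rel.startswith(p.rstrip("/") + "/") for p in accept):
            if status == "D":
                os.remove(dst)
            else:
                os.makedirs(os.path.dirname(dst), exist_ok=True)
                shutil.copyfile(src, dst)
            committed += 1
        elif rollback_rest:
            os.remove(src)  # drop the overlay entry; the host never saw it
            rolled_back += 1
    return committed, rolled_back


def _write(root, rel, data):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)


def demo():
    """Constructed scenario mirroring the README's `envpod diff` listing."""
    lower, upper = tempfile.mkdtemp(prefix="host-"), tempfile.mkdtemp(prefix="pod-")
    try:
        _write(lower, ".gitconfig", b"[user]\n")            # host file the agent edits
        _write(lower, "tests/old_test.py", b"assert True\n")  # host file the agent deletes
        _write(upper, ".gitconfig", b"[user]\n\tname = agent\n")
        _write(upper, "src/utils.py", b"def util(): pass\n")
        _write(upper, "src/helper.py", b"def helper(): pass\n")
        _write(upper, "tests/.wh.old_test.py", b"")
        _write(upper, "node_modules/a.js", b"//a\n")          # stands in for 47 files
        _write(upper, "node_modules/b.js", b"//b\n")
        diff = overlay_diff(lower, upper)
        result = commit(lower, upper, ["src/"])  # accept src/, roll back the rest
        return {"diff": diff, "result": result,
                "host_after": sorted(_walk(lower)), "diff_after": overlay_diff(lower, upper)}
    finally:
        shutil.rmtree(lower)
        shutil.rmtree(upper)


if __name__ == "__main__":
    print(demo())
```

`demo()` returns the pre-commit listing, the `(committed, rolled_back)` pair, the host's file list afterwards, and a fresh diff that is empty once the overlay has been reconciled.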
Processor Wall — cgroups v2 (CPU, memory, PID limits), seccomp-BPF syscall filtering, CPU affinity. A runaway agent cannot starve the host.

Network Wall — Each pod gets its own network namespace with veth pairs. Embedded DNS resolver per pod with allowlist, denylist, or monitor modes. Every DNS query is logged.

Memory Wall — PID, mount, UTS, and user namespace separation. Processes in the pod cannot see or signal host processes.

Devices Wall — Selective GPU, display, and audio passthrough. Hardware access without escaping governance.

Credential Vault — Secrets stored encrypted (ChaCha20-Poly1305), injected as environment variables at runtime. Vault proxy injection (v0.2) goes further: a transparent HTTPS proxy intercepts API requests, strips dummy auth headers, and injects real credentials at the transport layer. The agent never has access to real API keys in env vars, memory, or config files.

Web Dashboard — Browser-based fleet management UI (envpod dashboard). Real-time pod overview with resource monitoring, audit trail viewer, filesystem diff inspector, and one-click commit/rollback/freeze/resume actions. Create, destroy, and clone pods from the browser. Session-token authenticated, which blocks CSRF and local process attacks. See Dashboard Guide.

Action Queue — Actions classified by reversibility: immediate (COW-protected), delayed (auto-execute after timeout), staged (human approval required), blocked (denied).

Audit Trail — Append-only JSONL logs for every action. Static security analysis of pod configurations via envpod audit --security.

Monitoring Agent — Background policy engine polls resource usage and can autonomously freeze or restrict a pod based on configurable rules.

Remote Control — Freeze, resume, kill, or restrict a running pod in real time via envpod remote.

Live DNS Mutation — Update a pod's DNS allow/deny lists without restarting via envpod dns.

Undo Registry — Every executed action records its undo mechanism. envpod undo reverses any reversible action.

Display + Audio Forwarding — GPU passthrough, Wayland/X11 display forwarding, PipeWire/PulseAudio audio forwarding for GUI agents. Auto-install desktop environments (xfce, openbox, sway) via devices.desktop_env.

Web Display (noVNC) — Run a full browser desktop inside a pod, accessible from any browser at localhost:6080. Envpod auto-brands the interface, auto-connects (no click needed), and includes a file upload button (files go to /tmp/uploads/). Built-in audio streaming via PulseAudio + Opus/WebM with toast notifications for upload status. All supervisor processes auto-restart on crash. Works on headless servers and SSH sessions; no host display needed. Three desktop environments: xfce (~200MB), openbox (~50MB), sway (~150MB). Default ports: 6080 (display), 6081 (audio), 5080 (upload).

Snapshots — Save and restore the agent's overlay state at any point. envpod snapshot create/ls/restore/destroy/prune/promote. Auto-snapshot before every run. Promote any snapshot to a clonable base pod. Configurable retention.

Po
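The Action Queue, Audit Trail and Undo Registry items above describe one control loop: classify an action by reversibility, execute or hold it accordingly, append an audit record, and keep enough state to undo it later. The following is an added example written for this summary, not EnvPod's code: a small in-memory governor with a constructed policy table (the action names and their classes are assumptions), an injected clock so the delayed-action timeout is deterministic, an append-only JSONL sink, and an undo registry keyed by the audit sequence number. Actions whose effect cannot be reversed (a sent HTTP request) record no undo mechanism, and `undo()` reports them as irreversible rather than pretending.

```python
"""Action queue + append-only JSONL audit + undo registry (added example).

Not EnvPod code. POLICY, the action names and the handlers are constructed
for this illustration; `now` is injectable so the delayed class is testable.
"""
import io
import json
import time

# Constructed policy: action -> reversibility class. Unknown actions are blocked.
POLICY = {
    "write_file": "immediate",     # COW-protected, fully reversible
    "http_request": "delayed",     # executes after a timeout unless cancelled
    "install_package": "staged",   # waits for human approval
    "curl_pipe_sh": "blocked",     # denied outright
}


def _write_file(state, args):
    prev = state.get(args["path"])
    state[args["path"]] = args["content"]
    return {"op": "set", "path": args["path"], "previous": prev}


def _http_request(state, args):
    state.setdefault("requests", []).append(args["url"])
    return None  # a request that left the pod cannot be unsent


def _install_package(state, args):
    pkgs = state.setdefault("packages", [])
    if args["name"] not in pkgs:
        pkgs.append(args["name"])
    return {"op": "remove_package", "name": args["name"]}


HANDLERS = {"write_file": _write_file, "http_request": _http_request,
            "install_package": _install_package}


class Governor:
    def __init__(self, log, delay_s=30.0, now=time.time):
        self.log, self.delay_s, self.now = log, delay_s, now  # log: append-only sink
        self.state, self.queue, self.pending, self.undo_registry = {}, [], [], {}
        self.seq = 0

    def _record(self, **rec):
        """Append one JSONL audit line and return it (with its seq)."""
        rec.update(seq=self.seq, ts=self.now())
        self.log.write(json.dumps(rec, sort_keys=True) + "\n")
        self.seq += 1
        return rec

    def _execute(self, action, args):
        undo = HANDLERS[action](self.state, args)
        rec = self._record(action=action, args=args, decision="executed", undo=undo)
        self.undo_registry[rec["seq"]] = undo  # None marks an irreversible action
        return "executed"

    def submit(self, action, **args):
        cls = POLICY.get(action, "blocked")
        if cls == "blocked":
            self._record(action=action, args=args, decision="denied")
            return "denied"
        if cls == "staged":
            self.pending.append((action, args))
            self._record(action=action, args=args, decision="staged")
            return "staged"
        if cls == "delayed":
            self.queue.append((self.now() + self.delay_s, action, args))
            self._record(action=action, args=args, decision="delayed")
            return "delayed"
        return self._execute(action, args)

    def approve(self, index=0):
        """Human approval for a staged action."""
        action, args = self.pending.pop(index)
        return self._execute(action, args)

    def tick(self):
        """Execute delayed actions whose timeout elapsed; return how many ran."""
        t = self.now()
        due, self.queue = [q for q in self.queue if q[0] <= t], [q for q in self.queue if q[0] > t]
        for _, action, args in due:
            self._execute(action, args)
        return len(due)

    def undo(self, seq):
        """Replay the undo record stored for an executed action."""
        undo = self.undo_registry.get(seq)
        if undo is None:
            self._record(action="undo", target=seq, decision="irreversible")
            return "irreversible"
        if undo["op"] == "set":
            if undo["previous"] is None:
                self.state.pop(undo["path"], None)
            else:
                self.state[undo["path"]] = undo["previous"]
        elif undo["op"] == "remove_package":
            self.state["packages"].remove(undo["name"])
        self._record(action="undo", target=seq, decision="executed")
        del self.undo_registry[seq]
        return "undone"


def demo():
    """Constructed run: one action per class, a timeout, an approval, two undos."""
    clock, log = [1000.0], io.StringIO()
    g = Governor(log, delay_s=30.0, now=lambda: clock[0])
    results = [
        g.submit("write_file", path="src/utils.py", content="def util(): pass\n"),
        g.submit("curl_pipe_sh", url="http://example.invalid/x.sh"),
        g.submit("install_package", name="requests"),
        g.submit("http_request", url="https://api.example.invalid/v1"),
        g.tick(),                 # timeout not elapsed yet
    ]
    clock[0] += 31
    results += [g.tick(), g.approve(), g.undo(0), g.undo(4)]
    records = [json.loads(line) for line in log.getvalue().splitlines()]
    return results, g.state, records
```

`demo()` returns the per-call outcomes, the final pod state (the file write was undone, the installed package and the sent request remain), and the parsed audit trail, where each record carries its sequence number and the undo mechanism, if any, that was registered for it.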
This analysis was written by the Genesis Park editorial team with the help of AI. The original can be read via the source link.