Where Kastellan stands

Development phases, in build order

• Phase 0 — A core that can jail things SHIPPED

  Cross-platform kernel sandboxing (bubblewrap + Landlock + seccomp on Linux, Seatbelt on macOS) with negative tests proving that denials deny. JSON-RPC workers, service supervision, Postgres with an append-only audit log.

• Phase 1 — Memory & the agent loop SHIPPED

  Three-lane memory recall (semantic, lexical, graph), the task scheduler, CASSANDRA plan review, a prompt-injection guard on worker output, encrypted secrets, and an operator-approved skill system.

• Phase 3 — Web egress IN PROGRESS

  Web search and web fetch shipped behind host allowlists. The egress proxy — the single chokepoint all worker traffic will be forced through — has its first slice shipped and force-routing in design. ← currently being built

• Phase 2 — Channels PLANNED

  Telegram, Signal, and email — how you’ll actually talk to it. Inbound first (read-only), outbound after the egress proxy hardens.

• Phase 4 — python-exec & agent-authored skills PLANNED

  Python in a no-network scratch jail, and a catalog of named skills with trust tiers and human approval gates.

• Phase 5 — Frontier escalation & hardening PLANNED

  A policy gate deciding when a frontier LLM may be consulted, TLS-pinned egress, and a 7-day adversarial soak test.