Add credential key, update backup state, and enhance event logging; refine documentation and gitignore

Author: thrashr888

.beads/.beads-credential-key

@@ -0,0 +1 @@
+疊�F�˒���܄O@ݮA�mS�������/

.beads/backup/backup_state.json

@@ -1,9 +1,9 @@
 {
-  "last_dolt_commit": "v5rpfuljv2dhcvvjua78j9c3hjqt265r",
-  "timestamp": "2026-03-24T22:53:07.635797Z",
+  "last_dolt_commit": "eat2n3m57g5fv1fe4vqrostlqqqqhmc9",
+  "timestamp": "2026-03-25T00:03:19.21048Z",
   "counts": {
     "issues": 212,
-    "events": 222,
+    "events": 224,
     "comments": 8,
     "dependencies": 203,
     "labels": 5,

.beads/backup/events.jsonl

@@ -220,3 +220,5 @@
 {"actor":"Paul Thrasher","comment":null,"created_at":"2026-03-23T09:58:35Z","event_type":"status_changed","id":"1e6014e6-af2b-4604-be8c-d857973a39c0","issue_id":"agentkernel-su2","new_value":"{\"status\":\"in_progress\"}","old_value":"{\"id\":\"agentkernel-su2\",\"title\":\"Cache config/policy initialization on VM manager hot path\",\"description\":\"While scaffolding autoresearch for startup/perf work, I found that VmManager::with_backend loads agentkernel.toml and reinitializes the enterprise policy engine on each manager construction. This shows up repeatedly during benchmark runs and likely affects end-to-end CLI startup, even though the current benchmark loop mostly measures lifecycle work after manager creation. Follow-up: cache parsed config / policy engine (or lazily initialize once), measure impact on 'agentkernel run' latency, and extend the benchmark/eval harness if needed so command-startup regressions are visible in total_score.\",\"status\":\"in_progress\",\"priority\":1,\"issue_type\":\"task\",\"assignee\":\"Paul Thrasher\",\"owner\":\"thrashr888@gmail.com\",\"created_at\":\"2026-03-23T16:02:59Z\",\"created_by\":\"Paul Thrasher\",\"updated_at\":\"2026-03-23T16:58:36Z\"}"}
 {"actor":"Paul Thrasher","comment":null,"created_at":"2026-03-23T09:58:35Z","event_type":"claimed","id":"3f5c539a-cebd-425f-9b3d-6776f918152d","issue_id":"agentkernel-su2","new_value":"{\"assignee\":\"Paul Thrasher\",\"status\":\"in_progress\"}","old_value":"{\"id\":\"agentkernel-su2\",\"title\":\"Cache config/policy initialization on VM manager hot path\",\"description\":\"While scaffolding autoresearch for startup/perf work, I found that VmManager::with_backend loads agentkernel.toml and reinitializes the enterprise policy engine on each manager construction. This shows up repeatedly during benchmark runs and likely affects end-to-end CLI startup, even though the current benchmark loop mostly measures lifecycle work after manager creation. Follow-up: cache parsed config / policy engine (or lazily initialize once), measure impact on 'agentkernel run' latency, and extend the benchmark/eval harness if needed so command-startup regressions are visible in total_score.\",\"status\":\"open\",\"priority\":1,\"issue_type\":\"task\",\"owner\":\"thrashr888@gmail.com\",\"created_at\":\"2026-03-23T16:02:59Z\",\"created_by\":\"Paul Thrasher\",\"updated_at\":\"2026-03-23T16:02:59Z\"}"}
 {"actor":"Paul Thrasher","comment":null,"created_at":"2026-03-24T15:53:07Z","event_type":"created","id":"ab40ce6e-865a-4976-b52b-f3d3b03a32a4","issue_id":"agentkernel-aeqr","new_value":"","old_value":""}
+{"actor":"Paul Thrasher","comment":null,"created_at":"2026-03-24T15:53:15Z","event_type":"updated","id":"1ca9460a-eae4-4591-8391-77437fa2c2db","issue_id":"agentkernel-aeqr","new_value":"{\"description\":\"While extending benchmark/autoresearch for end-to-end agentkernel run timing, `agentkernel benchmark --backends apple` fails during the spawned CLI run step with: No container runtime available (need Docker or Podman). Internal apple lifecycle benchmarking starts, but the top-level `run -B apple` path does not currently execute cleanly for the end-to-end harness. Follow-up: make explicit Apple backend one-shot runs work in the CLI fast path or teach the benchmark harness to use the correct Apple-specific end-to-end invocation.\"}","old_value":"{\"id\":\"agentkernel-aeqr\",\"title\":\"Apple backend end-to-end run path fails in benchmark harness\",\"description\":\"While extending benchmark/autoresearch for end-to-end  timing, Benchmarking 1 backend × 1 iteration (image: alpine:3.20)\\n\\nBackend             Create      Start       Exec       Stop     Remove      Total\\n-------------------------------------------------------------------------------------\\napple                  4ms      734ms       50ms     1226ms        0ms     2015ms\\n\\n1 iteration complete. fails during the spawned CLI run step with: 'No container runtime available (need Docker or Podman)'. Internal apple lifecycle benchmarking starts, but the top-level  path does not currently execute cleanly for the end-to-end harness. Follow-up: make explicit Apple backend one-shot runs work in the CLI fast path or teach the benchmark harness to use the correct Apple-specific end-to-end invocation.\",\"status\":\"open\",\"priority\":1,\"issue_type\":\"bug\",\"owner\":\"thrashr888@gmail.com\",\"created_at\":\"2026-03-24T22:53:08Z\",\"created_by\":\"Paul Thrasher\",\"updated_at\":\"2026-03-24T22:53:08Z\"}"}
+{"actor":"Paul Thrasher","comment":null,"created_at":"2026-03-24T16:06:46Z","event_type":"closed","id":"5e755962-49db-49e7-acda-5b85fe4fe2ae","issue_id":"agentkernel-aeqr","new_value":"Fixed Apple end-to-end one-shot benchmark path by adding Apple native container run --rm fast path and wiring it into run_ephemeral_with_backend; validated with apple benchmark runs and saved comparison reports.","old_value":""}

.beads/backup/issues.jsonl

@@ -82,7 +82,7 @@
 {"acceptance_criteria":"","actor":"","agent_state":"","assignee":null,"await_id":"","await_type":"","close_reason":"Duplicate of agentkernel-4il.2 (toast notifications bug)","closed_at":"2026-02-08T01:42:03Z","closed_by_session":"","compacted_at":null,"compacted_at_commit":null,"compaction_level":0,"content_hash":"939cc5a582ff87bb6bd5b2a0bfe69a725a22fed2a1ba950a491b3255511619a2","created_at":"2026-02-08T01:41:20Z","created_by":"Paul Thrasher","crystallizes":0,"defer_until":null,"description":"We have Toaster mounted in AppShell but zero mutations show toasts. Add onSuccess/onError toast calls to every mutation: create/remove/start/stop sandbox, take/restore/delete snapshot, extend TTL, save settings. This is the same as the error handling bug - toasts solve both.","design":"","due_at":null,"ephemeral":0,"estimated_minutes":null,"event_kind":"","external_ref":null,"hook_bead":"","id":"agentkernel-a7u.4","is_template":0,"issue_type":"task","last_activity":null,"metadata":"{}","mol_type":"","no_history":0,"notes":"","original_size":null,"owner":"thrashr888@gmail.com","payload":"","pinned":0,"priority":1,"quality_score":null,"rig":"","role_bead":"","role_type":"","sender":"","source_repo":"","source_system":"","spec_id":"","status":"closed","target":"","timeout_ns":0,"title":"Add toast notifications for all mutations","updated_at":"2026-02-08T01:42:03Z","waiters":"","wisp_type":"","work_type":""}
 {"acceptance_criteria":"","actor":"","agent_state":"","assignee":null,"await_id":"","await_type":"","close_reason":"Implemented TTL extension CLI/HTTP/MCP and Snapshots HTTP/MCP endpoints","closed_at":"2026-02-06T06:10:06Z","closed_by_session":"","compacted_at":null,"compacted_at_commit":null,"compaction_level":0,"content_hash":"2da89a768554ece3eab88dd62ac7f1b240e5ac097e048125aa276196969a606f","created_at":"2026-02-04T06:34:21Z","created_by":"Paul Thrasher","crystallizes":0,"defer_until":null,"description":"Snapshots CLI already works. Add REST endpoints (POST/GET/DELETE /snapshots) and MCP tools (snapshot_take, snapshot_list, snapshot_delete, snapshot_restore).","design":"","due_at":null,"ephemeral":0,"estimated_minutes":null,"event_kind":"","external_ref":null,"hook_bead":"","id":"agentkernel-a7z","is_template":0,"issue_type":"task","last_activity":null,"metadata":"{}","mol_type":"","no_history":0,"notes":"","original_size":null,"owner":"thrashr888@gmail.com","payload":"","pinned":0,"priority":3,"quality_score":null,"rig":"","role_bead":"","role_type":"","sender":"","source_repo":"","source_system":"","spec_id":"","status":"closed","target":"","timeout_ns":0,"title":"Expose snapshots via HTTP API and MCP","updated_at":"2026-02-06T06:10:06Z","waiters":"","wisp_type":"","work_type":""}
 {"acceptance_criteria":"","actor":"","agent_state":"","assignee":null,"await_id":"","await_type":"","close_reason":"Command policies enforced in all exec paths (exec_cmd_with_env, run_pooled, run_ephemeral_with_files). PolicyViolation audit events and agentkernel audit CLI working. DomainConfig.is_allowed() wired into Config.validate() with warnings. DNS filtering proxy and seccomp profiles deferred to Firecracker backend.","closed_at":"2026-01-30T08:30:55Z","closed_by_session":"","compacted_at":null,"compacted_at_commit":null,"compaction_level":0,"content_hash":"fdda838c7266dd2e9869c62cbe7b4dd38272beb6939c5920c4632c404a85f818","created_at":"2026-01-22T10:32:43Z","created_by":"Paul Thrasher","crystallizes":0,"defer_until":null,"description":"Fine-grained network domain allowlists, command restrictions, seccomp profiles, and audit logging.\n\n**RICE Score: 40** (Priority #3)\n- Reach: 50 (power users, enterprises)\n- Impact: 2 (high - required for enterprise use)\n- Confidence: 0.8 (DNS proxy adds complexity)\n- Effort: 2 weeks\n\n**Plan:** plan/03-access-policies.md\n\n**Key deliverables:**\n- [security.network] domain allowlist/blocklist\n- [security.commands] binary allow/deny rules\n- DNS filtering proxy\n- Seccomp profile integration (pre-built + custom)\n- Audit logging (JSONL violations log)\n- agentkernel audit CLI command","design":"","due_at":null,"ephemeral":0,"estimated_minutes":null,"event_kind":"","external_ref":null,"hook_bead":"","id":"agentkernel-adh","is_template":0,"issue_type":"epic","last_activity":null,"metadata":"{}","mol_type":"","no_history":0,"notes":"2026-01-29: Wired up command policy enforcement in all exec paths (exec_cmd, run_pooled, run_ephemeral). Commands blocked by [security.commands] now log PolicyViolation audit events. Remaining: DNS filtering proxy (blocked on Firecracker), network domain enforcement at runtime.","original_size":null,"owner":"thrashr888@gmail.com","payload":"","pinned":0,"priority":2,"quality_score":null,"rig":"","role_bead":"","role_type":"","sender":"","source_repo":"","source_system":"","spec_id":"","status":"closed","target":"","timeout_ns":0,"title":"[RICE:40] Fine-Grained Access Policies","updated_at":"2026-01-30T08:30:55Z","waiters":"","wisp_type":"","work_type":""}
-{"acceptance_criteria":"","actor":"","agent_state":"","assignee":null,"await_id":"","await_type":"","close_reason":"","closed_at":null,"closed_by_session":"","compacted_at":null,"compacted_at_commit":null,"compaction_level":0,"content_hash":"ab0c628ce13cfb86d2c7ec1b9b963f725628a24b2053dc6da81b74c9ea9d0fcd","created_at":"2026-03-24T22:53:08Z","created_by":"Paul Thrasher","crystallizes":0,"defer_until":null,"description":"While extending benchmark/autoresearch for end-to-end  timing, Benchmarking 1 backend × 1 iteration (image: alpine:3.20)\n\nBackend             Create      Start       Exec       Stop     Remove      Total\n-------------------------------------------------------------------------------------\napple                  4ms      734ms       50ms     1226ms        0ms     2015ms\n\n1 iteration complete. fails during the spawned CLI run step with: 'No container runtime available (need Docker or Podman)'. Internal apple lifecycle benchmarking starts, but the top-level  path does not currently execute cleanly for the end-to-end harness. Follow-up: make explicit Apple backend one-shot runs work in the CLI fast path or teach the benchmark harness to use the correct Apple-specific end-to-end invocation.","design":"","due_at":null,"ephemeral":0,"estimated_minutes":null,"event_kind":"","external_ref":null,"hook_bead":"","id":"agentkernel-aeqr","is_template":0,"issue_type":"bug","last_activity":null,"metadata":"{}","mol_type":"","no_history":0,"notes":"","original_size":null,"owner":"thrashr888@gmail.com","payload":"","pinned":0,"priority":1,"quality_score":null,"rig":"","role_bead":"","role_type":"","sender":"","source_repo":"","source_system":"","spec_id":"","status":"open","target":"","timeout_ns":0,"title":"Apple backend end-to-end run path fails in benchmark harness","updated_at":"2026-03-24T22:53:08Z","waiters":"","wisp_type":"","work_type":""}
+{"acceptance_criteria":"","actor":"","agent_state":"","assignee":null,"await_id":"","await_type":"","close_reason":"Fixed Apple end-to-end one-shot benchmark path by adding Apple native container run --rm fast path and wiring it into run_ephemeral_with_backend; validated with apple benchmark runs and saved comparison reports.","closed_at":"2026-03-24T23:06:46Z","closed_by_session":"","compacted_at":null,"compacted_at_commit":null,"compaction_level":0,"content_hash":"ab0c628ce13cfb86d2c7ec1b9b963f725628a24b2053dc6da81b74c9ea9d0fcd","created_at":"2026-03-24T22:53:08Z","created_by":"Paul Thrasher","crystallizes":0,"defer_until":null,"description":"While extending benchmark/autoresearch for end-to-end agentkernel run timing, `agentkernel benchmark --backends apple` fails during the spawned CLI run step with: No container runtime available (need Docker or Podman). Internal apple lifecycle benchmarking starts, but the top-level `run -B apple` path does not currently execute cleanly for the end-to-end harness. Follow-up: make explicit Apple backend one-shot runs work in the CLI fast path or teach the benchmark harness to use the correct Apple-specific end-to-end invocation.","design":"","due_at":null,"ephemeral":0,"estimated_minutes":null,"event_kind":"","external_ref":null,"hook_bead":"","id":"agentkernel-aeqr","is_template":0,"issue_type":"bug","last_activity":null,"metadata":"{}","mol_type":"","no_history":0,"notes":"","original_size":null,"owner":"thrashr888@gmail.com","payload":"","pinned":0,"priority":1,"quality_score":null,"rig":"","role_bead":"","role_type":"","sender":"","source_repo":"","source_system":"","spec_id":"","status":"closed","target":"","timeout_ns":0,"title":"Apple backend end-to-end run path fails in benchmark harness","updated_at":"2026-03-24T23:06:46Z","waiters":"","wisp_type":"","work_type":""}
 {"acceptance_criteria":"","actor":"","agent_state":"","assignee":null,"await_id":"","await_type":"","close_reason":"Prometheus /metrics endpoint implemented with 8 metrics, docs added","closed_at":"2026-02-13T05:44:49Z","closed_by_session":"","compacted_at":null,"compacted_at_commit":null,"compaction_level":0,"content_hash":"a548639402563bb25923e7785971f450ffae9a87296225f525aa451647fef909","created_at":"2026-02-04T06:37:08Z","created_by":"Paul Thrasher","crystallizes":0,"defer_until":null,"description":"Expose metrics via OTEL and/or Prometheus endpoint: sandbox lifecycle (create/start/stop latency, concurrent count), exec duration, API request rate/latency/errors, resource usage per sandbox. Valuable for K8s/Nomad production deployments.","design":"","due_at":null,"ephemeral":0,"estimated_minutes":null,"event_kind":"","external_ref":null,"hook_bead":"","id":"agentkernel-ait","is_template":0,"issue_type":"feature","last_activity":null,"metadata":"{}","mol_type":"","no_history":0,"notes":"","original_size":null,"owner":"thrashr888@gmail.com","payload":"","pinned":0,"priority":3,"quality_score":null,"rig":"","role_bead":"","role_type":"","sender":"","source_repo":"","source_system":"","spec_id":"","status":"closed","target":"","timeout_ns":0,"title":"Add OpenTelemetry/Prometheus telemetry","updated_at":"2026-02-13T05:44:49Z","waiters":"","wisp_type":"","work_type":""}
 {"acceptance_criteria":"","actor":"","agent_state":"","assignee":null,"await_id":"","await_type":"","close_reason":"","closed_at":null,"closed_by_session":"","compacted_at":null,"compacted_at_commit":null,"compaction_level":0,"content_hash":"21cd8f07220b70cbab95a7856c9dd1f75058662bd74da4d6e7a1833be0782f02","created_at":"2026-02-13T06:08:30Z","created_by":"Paul Thrasher","crystallizes":0,"defer_until":null,"description":"Git worktree isolation per agent, devcontainer.json support, and IDE plugins (VS Code, JetBrains). Ecosystem features for broader developer adoption.","design":"","due_at":null,"ephemeral":0,"estimated_minutes":null,"event_kind":"","external_ref":null,"hook_bead":"","id":"agentkernel-aki","is_template":0,"issue_type":"epic","last_activity":null,"metadata":"{}","mol_type":"","no_history":0,"notes":"","original_size":null,"owner":"thrashr888@gmail.com","payload":"","pinned":0,"priority":3,"quality_score":null,"rig":"","role_bead":"","role_type":"","sender":"","source_repo":"","source_system":"","spec_id":"","status":"open","target":"","timeout_ns":0,"title":"Ecosystem \u0026 IDE Integration","updated_at":"2026-02-13T06:08:30Z","waiters":"","wisp_type":"","work_type":""}
 {"acceptance_criteria":"","actor":"","agent_state":"","assignee":null,"await_id":"","await_type":"","close_reason":"","closed_at":null,"closed_by_session":"","compacted_at":null,"compacted_at_commit":null,"compaction_level":0,"content_hash":"8c0de022a5e257bcf10f96ec089a1a66e0e543c861174ebe5863a56123a78c89","created_at":"2026-02-13T06:13:14Z","created_by":"Paul Thrasher","crystallizes":0,"defer_until":null,"description":"On sandbox create, auto-create a git worktree with a dedicated branch. Agent works in isolation without conflicting with other agents. Clean up worktree on sandbox remove.","design":"","due_at":null,"ephemeral":0,"estimated_minutes":null,"event_kind":"","external_ref":null,"hook_bead":"","id":"agentkernel-aki.1","is_template":0,"issue_type":"feature","last_activity":null,"metadata":"{}","mol_type":"","no_history":0,"notes":"","original_size":null,"owner":"thrashr888@gmail.com","payload":"","pinned":0,"priority":3,"quality_score":null,"rig":"","role_bead":"","role_type":"","sender":"","source_repo":"","source_system":"","spec_id":"","status":"open","target":"","timeout_ns":0,"title":"Git worktree isolation per agent","updated_at":"2026-02-13T06:13:14Z","waiters":"","wisp_type":"","work_type":""}