v0.1.0-internal.1 (Internal Preview)

Internal Preview Release — v0.1.0-internal.1

🔒 This is a wall-off release. Every artefact is private:

• Container images live in ghcr.io/azure/kars-* (private GHCR)
• npm package tarballs are attached below (NOT published to npmjs.com)
• Rust crate tarballs are attached below (NOT published to crates.io)
• Binaries + SBOMs + Trivy reports + checksums all attached

To go public: this release sits behind the wall until issue #384
(ESRP onboarding) is closed. Once ESRP is wired (ADO pipeline
.github/pipelines/esrp-publish.yml), Microsoft signs and republishes
the same artefacts to public registries.

Container images

All pushed to ghcr.io/azure/kars-*:v0.1.0-internal.1 (PRIVATE).
Pull with docker pull ghcr.io/azure/kars-controller:v0.1.0-internal.1
after docker login ghcr.io with a PAT that has read:packages.

Cosign attestations

Every container image was signed via cosign keyless OIDC.
Verify with:

cosign verify ghcr.io/azure/kars-controller:v0.1.0-internal.1 \
  --certificate-identity-regexp 'https://github.com/Azure/kars' \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com

npm packages

4 .tgz files attached. Install locally:
npm install ./kars-cli-*.tgz etc.

Rust libraries

2 .crate files attached. Vendor them by extracting and pointing
Cargo.toml path = at the unpacked directory.

Binaries

4 statically-linked glibc 2.35 binaries attached with SHA256SUMS.

Manifest of everything: release-manifest.json.

What's Changed

• Slice 0: honesty events — introduce Compiled phase + Warning Events by @pallakatos in #251
• Slice 1a: router PolicyStatusRegistry + GET /internal/policy-status by @pallakatos in #252
• Slice 1b: ToolPolicy.spec.agtProfile.inline (producer side) by @pallakatos in #253
• Slice 1c — controller router-confirmation poller closes ToolPolicy Compiled→Ready loop by @pallakatos in #254
• Slice 2 prep: extract shared router-confirmation I/O helper by @pallakatos in #255
• Slice 2a prep: lift RouterEnforcementState + decide_enforcement_state shared by @pallakatos in #256
• Slice 2a: InferencePolicy perRequestTokens enforcement + router echo by @pallakatos in #257
• Slice 2b: InferencePolicy daily/monthly token budgets + UTC-calendar persistence by @pallakatos in #258
• Slice 2c: InferencePolicy contentSafety floors + requirePromptShields fail-closed by @pallakatos in #259
• Slice 2d.1: InferencePolicy modelPreference.primary.deployment override by @pallakatos in #260
• Slice 1d: azureclaw inspect <sandbox> CLI by @pallakatos in #261
• Slice 1d.2: Headlamp 'Router enforcement' panel by @pallakatos in #262
• Slice 1e phase 1: BundledProfileInUse deprecation condition by @pallakatos in #263
• Slice 5 §7: docs reframe — router is the policy point, NetworkPolicy + egress-guard are safety nets by @pallakatos in #264
• Slice 1e §2: remove bundled AGT_POLICY_PROFILE fallback by @pallakatos in #265
• Slice 2d.2: health-aware modelPreference fallback failover by @pallakatos in #266
• Slice 3a: ClawMemory router-echo (§3 Ready ⇔ router echo closure) by @pallakatos in #267
• Slice 3b.1: ClawMemory operator UX (inspect CLI + Headlamp panel) by @pallakatos in #268
• Slice 3b.2: pin ClawMemory no-inherit invariant for sub-agent spawn by @pallakatos in #269
• Slice 3b.3: foundry.memory MCP tool prefers ClawMemory binding store_name by @pallakatos in #270
• controller: Slice 3b.4 — ClawMemory Degraded=AuthMisconfigured for router-reported 403s by @pallakatos in #271
• router: Slice 3b.4-producer — foundry.memory records AuthMisconfigured on 401/403 by @pallakatos in #272
• clawmemory: Slice 3b.5 — MemoryStoreMissing Degraded on Foundry 404 by @pallakatos in #273
• router: hot-reload InferencePolicy + ClawMemory loaders (Slice 2/3 DoD) by @pallakatos in #283
• router: auto-provision Foundry Memory Store on 404 (Slice 3c.1) by @pallakatos in #284
• slice-2 dod #7: inference_policy_digest on every inference audit log by @pallakatos in #285
• slice-2 dod #6: sub-agent inherits parent-CR labels on spawn by @pallakatos in #286
• slice-4a: durable JSONL audit sink (Slice 4 DoD #4) by @pallakatos in #287
• ci(e2e): align InferencePolicy + ClawMemory tests with §3 honest states (Slice 2a/3a) by @pallakatos in #288
• feat(cli): azureclaw audit tail — stream durable JSONL audit log (Slice 4b) by @pallakatos in #289
• feat(router): AuditSink trait + Azure Monitor remote sink (Slice 4c — DoD #5) by @pallakatos in #290
• Slice 4d.1 — mcpServerRefs plural CRD field + admission CEL by @pallakatos in #291
• Slice 4d.2 — per-server McpServer mounts + router discovery (DoD #1 + #6) by @pallakatos in #292
• Slice 4d.3 — multi-issuer OAuth verification for per-server JWKS (DoD #3 — OAuth half) by @pallakatos in #293
• Slice 4d.4: namespaced MCP tool forwarder (DoD #3 dispatch half) by @pallakatos in #294
• Slice 4e: docs consolidation — Slice 4 DoD #8 by @pallakatos in #295
• Slice 5a: surface blocked egress attempts (DoD #1) by @pallakatos in #296
• slice-5b: egressMode enum replaces learnEgress bool by @pallakatos in #297
• slice-5f: security.md egress reframe (DoD #6) by @pallakatos in #298
• Slice 5c.1 — egress allowlist mount + router echo, decorative removal by @pallakatos in #299
• Slice 5c.2: AllowlistVerified=Unsigned warning + helm requireSigned fail-closed toggle by @pallakatos in #300
• Slice 5d: structured AllowlistDrift summary + Headlamp banner by @pallakatos in #301
• Slice 1c.1: PolicyKind trait + policy_canonical module extraction by @pallakatos in #302
• Slice 1c.2: ToolPolicy.spec.agtProfile.bundleRef (signed OCI artifact) by @pallakatos in #303
• Slice 1c.3 — InferencePolicy.spec.bundleRef (signed OCI artifact) by @pallakatos in #304
• Slice 1c.4: ClawMemory.spec.bundleRef (signed OCI artifact) by @pallakatos in #305
• Slice 1c.5 — McpServer.spec.bundleRef (signed OCI artifact) by @pallakatos in #306
• Slice 1c.6 — SignerPolicy.ed25519Keys forward-compat + unified policy sign --kind CLI by @pallakatos in #307
• Slice 5e.1 — EgressApproval CRD shape + CEL + Helm install by @pallakatos in #308
• Slice 5e.2 — EgressApproval reconciler + router consumer wired end-to-end by @pallakatos in #309
• Slice 5e.3 — EgressApproval CLI + Headlamp panel by @pallakatos in #310
• Slice 5e.4 — EgressApproval E2E tests + docs by @pallakatos in #311
• Slice 6.1 — EvalCorpus library: parser, judge, 5 built-in corpora by @pallakatos in #312
• Slice 6.2 — conformance-runner: extracts eval-corpus to its own crate + new runner binary that replays scenarios against the router by @pallakatos in #313
• Slice 6.3: ClawEval policy-conformance reconciler by @pallakatos in #314
• Slice 6.4 — ClawEval CLI + Headlamp + eval-corpus signing by @pallakatos in #315
• Slice 6.5 — conformance-runner endpoint corrections + CI build-once-reuse by @pallakatos in #316
• slice 6.5 follow-up: CLI help, claweval doc, E2E ownerRefs, CI prebuild cache by @pallakatos in #317
• headlamp: reason-aware chip + MCP fleet card; memory store docs refresh by @pallakatos in #318
• ci: dev→main promotion hygiene fixes for #320 by @pallakatos in #321
• test(controller): de-flake eval_corpus cache tests by @pallakatos in #322
• release: promote dev → main (Slices 1c–6.5 + EgressApproval + ClawEval + Headlamp) by @pallakatos in #320
• feat: cluster-aware memory scope + policy quintet round-out + dev-flow improvements by @pallakatos in #323
• chore(security): PR A — critical hygiene batch (C1, C2, C3, C6, C7, C8, C9) by @pallakatos in #324
• docs: OSS-readiness pass — strip internal jargon + correct overclaims by @pallakatos in #325
• docs: deep OSS-launch audit — API, diagrams, security, README by @pallakatos in #326
• docs(readme): cross-ref inference backend bullets to arch s...