Roadmap
Current status
jackin’ is a functional proof of concept, not a stable product line. Claude Code, Codex, Amp, Kimi, and OpenCode ship today as built-in agent runtimes, with namespaced roles, workspace management, per-mount isolation for parallel agents, layered authentication forwarding (including 1Password references), and an interactive operator console (TUI). The roadmap below is expected to change aggressively as the project learns which concepts deserve to survive.
Completed
- `Claude Code` and `Codex` agent runtimes with full-speed mode (`--dangerously-skip-permissions` / YOLO) inside the container boundary
- Layered authentication forwarding per (workspace × role × agent) — `sync` / `api_key` / `oauth_token` / `ignore` for Claude Code, and `sync` / `api_key` / `ignore` for Codex, Amp, Kimi, and OpenCode (none supports `oauth_token`)
- Docker container isolation with Docker-in-Docker
- Interactive operator console (TUI) with workspace, role, and agent selection
- Workspace management (create, edit, remove, prune, list, show, plus `env` and `claude-token` subcommands) — CLI and TUI
- Global mount configuration with role scoping
- Role repository contract validation
- Derived `Dockerfile` generation with UID/GID remapping
- State persistence across sessions
- Agent identity (display names)
- UID/GID host user mapping
- GitHub CLI authentication state persists across container restarts (forwarding host login on launch is tracked separately under GitHub CLI authentication strategy)
- Homebrew distribution via `jackin-project/homebrew-tap`
- Namespaced roles (e.g., `chainargos/frontend-engineer`)
- Last-agent memory per workspace
- Custom `Claude Code` plugin marketplaces in `jackin.role.toml` — see the role manifest reference
- Sensitive mount path warnings (warn-and-confirm for `~/.ssh`, `~/.aws`, etc.) — see the Mounts guide and the Security model
- Automatic orphaned DinD cleanup (pre-launch garbage collection)
- `${env.VAR}` interpolation in env var prompts and defaults for dependent variables
- `JACKIN_DIND_HOSTNAME` environment variable for agents to discover the DinD sidecar hostname — see the Environment variables guide
- Agent source trust model (trust-on-first-use verification for third-party role repos)
- DinD TLS authentication with auto-generated certificates — see the Security model and Architecture
- `JACKIN_DEBUG` environment variable — verbose tracing for shell commands and jackin internals; documented inline in every command page
- MSRV toolchain pin — `rust-toolchain.toml` enforced in CI
- Worktree cleanup on container removal — orphaned host-side worktrees no longer accumulate
- `jackin eject` — stop and clean per-container state (with `--all` and `--purge`)
- `jackin prune` family — orphaned roles, derived images, cache, and instance state
- `jackin config trust grant | revoke | list` — explicit CLI management of role-source trust beyond the trust-on-first-use prompts
- Per-workspace `git_pull_on_entry` — opt-in host repo refresh at launch via `--git-pull` / `--no-git-pull`
- macOS keep-awake reconciler — `--keep-awake` / `--no-keep-awake` workspace flags hold the system awake while an agent is active
- Per-mount isolation for parallel agents — `shared | worktree | clone` modes implemented in V1
- Split `config.toml` into per-workspace files — `~/.config/jackin/workspaces/<name>.toml` layout shipped with per-file `version` stamps and migration
- Global mount visibility and editing — workspace views show applicable global mounts separately, and the console has a dedicated global mounts editor for `~/.config/jackin/config.toml`. See the Mounts guide
- Settings TUI — the console has a tabbed `Settings` shell covering existing `jackin config` surfaces: global mounts, global/per-role env vars, global auth forwarding modes, and role source trust
- Project structure map refresh — `PROJECT_STRUCTURE.md` now covers the root file/workflow map and delegates detailed source navigation to the Codebase Map
- Unique container identity and restore — DNS-safe unique container identities, per-instance manifests and rebuildable index, hardline/load/console recovery flows, durable per-instance agent home restore, related-instance recovery/rebuild, moved ad-hoc path recovery, guarded purge, `hardline --new`, and Java Testcontainers DinD smoke coverage have shipped; operator workflow is documented in Parallel Agents, contributor details live in Runtime Instance Model, and reconnectable named sessions plus persistent lifecycle history are tracked separately
- Role authoring CLI — desktop role creation, validation, and migration are documented in the `role` command reference and Creating a Role; the standalone CI/Renovate-style validator split is documented in Architecture and Schema Versions
- Async Docker API via bollard — `DockerApi` trait, `BollardDockerClient`, `FakeDockerClient`, `ContainerState` (all 9 Docker lifecycle states); typed API for lifecycle, cleanup, inspect, exec, and image operations, replacing CLI stderr string-matching; `docker build`, `docker exec -it`, and `docker run -it` stay on the CLI by design — see Codebase Map for details
Partially implemented
- 1Password integration — env references and picker flows are documented in standard docs; roadmap tracks future read-only secret file mounts
- Multi-runtime support for Codex, Amp, Kimi, and OpenCode — built-in runtime launch for all five agent runtimes is documented in standard docs; roadmap tracks deeper runtime parity
- GitHub CLI authentication strategy — shipped GitHub auth forwarding is documented in standard docs; roadmap tracks the CLI subcommand, scope pre-flight, and deeper GHE coverage
- Workspace Claude token setup — shipped token commands, the shared `op_picker` Create mode, and the plain-prompt `--interactive` storage-location picker are documented in standard docs; roadmap tracks the canonical auth slot, the console Auth-tab generate-token action, Apple Keychain backend, validity probe, and bulk migration
- Config versioning and migration framework — shipped per-file schema gates for config, workspace files, and role manifests, plus automatic config/workspace migration, desktop role manifest migration through `jackin role migrate`, and CI migration through `jackin-role migrate`; roadmap tracks deferred `--pr` automation and the Renovate-style auto-migration GitHub Action
- Console agent session control — instance discovery, console workspace tree-view with expandable instance rows and session pane, `hardline --shell`, in-container multiplexer primary session, secondary agent sessions via `hardline --new`, and console `a`/`x`/`N`/`X`/`T`/`P` instance keybindings shipped; Phase 4 (live session reconciliation, agent runtime status, resource panel integration) remains open
- jackin’ Capsule control plane — Phases 1–3 shipped: `jackin-capsule` Rust binary as PID 1 with zombie reaping; structured session inventory over Unix socket; in-container PTY multiplexer built on the `vt100` crate with a Zellij-style dirty-row renderer, tmux-style prefix-key model (`Ctrl+B` opt-in, including prefix `Ctrl+L` clear-pane), persistent server that exits cleanly on last-session-end, binary tag+length attach framing, single-client takeover, mode-state restore on focus swap, OSC 52 / 9 / 2 / 8 passthrough, and top chrome with a brand pill, tab strip, and identity row. Phase 4 (host daemon integration, the agent runtime status authority, and Desktop Agent Hub bridge) remains open
Planned
Product identity
- Brand identity system — research-backed terminal-native identity program sequenced after the Launch Progress TUI: prototype standalone marks that reduce cleanly to the `j❯` prompt sigil, lock in the styled `jackin❯` / `by tailrocks` logo treatment with white/black word letters and the bright green chevron, restrict `>` to true fallback surfaces, make the terminal prompt the distribution surface, define frozen brand-rain help/README/OG treatments without replacing the launch cockpit, and plan the global apostrophe-era text and asset sweep (status: open — design proposal)
Platform expansion
- Kubernetes platform support — run agents on Kubernetes clusters instead of local Docker, enabling team-scale deployments and production debug containers. The vision is to use jackin’ as a debug container in production environments — safely exploring issues with AI agent assistance inside a controlled Kubernetes pod.
Security improvements
- Network egress policy — outbound policy per role/workspace, with explicit enforcement-quality reporting across DinD, future microVM backends, SSH remotes, and Kubernetes. Inspired by Docker Sandboxes’ host-side proxy model, Hazmat’s network tiering, and the upstream `anthropics/claude-code` devcontainer allowlist approach (status: open — design proposal)
- Process-level sandboxing — per-operation isolation using OS-native mechanisms (Bubblewrap + Seccomp + Landlock on Linux, Apple Seatbelt on macOS) to restrict individual agent tool calls to only the paths, network hosts, and environment variables they need. Informed by Zerobox (the open-source library powering OpenAI Codex CLI’s sandbox mode) and the three-tier isolation model: process sandbox → container → microVM (status: proposed — research captured, no implementation committed)
- Credential proxy — proxy-based credential injection to avoid storing tokens inside containers
- Agent version pinning — pin role repos to tagged versions for reproducible builds, with explicit `--update` to advance (status: open — design proposal)
- Reliable Claude authentication strategy — move beyond copied session auth toward clearer, more durable modes for long-lived and concurrent agent runtimes (status: deferred — needs design work)
- Docker runtime hardening contract — keep Docker as the default runtime while making its security posture explicit: profiles, DinD hardening, resource budgets, read-only root evaluation, network-policy defaults, and launch-contract reporting (status: open — design proposal)
- OrbStack isolated machine backend — macOS backend research for running jackin’ role containers and private Docker workflows inside OrbStack isolated machines, with explicit shares and honest shared-kernel risk language (status: open — research and design proposal)
- smolvm backend research — open-source Rust/libkrun VM backend research for true VM-per-workload isolation, OCI-image execution, network-off defaults, allow-host egress, possible future SDK embedding, and a direct comparison with OrbStack isolated machines and Docker Sandboxes (status: open — research and design proposal)
- Selectable sandbox backends — umbrella for Docker, OrbStack isolated machines, Kubernetes, and later true microVM providers; detailed backend work now lives in focused roadmap items (status: deferred — umbrella design)
- Devcontainer parity — comparison with the upstream `anthropics/claude-code` devcontainer setup; informs network policy + reproducibility decisions (status: proposed — research captured, no implementation committed)
Reactive daemon program
- jackin’ daemon — umbrella — introduce the long-running per-operator-user host process jackin’ will use for reactive features. One umbrella item that decides lifecycle, install method, control socket, security posture, and log redaction once so each reactive feature plugs into one daemon shape. The full list of phase-2/phase-3 reactive adapters lives in the program doc and the sidebar under Reference → Roadmap → Reactive daemon program (status: open — design proposal)
- jackin’ Desktop Agent Hub — native macOS menu bar and desktop companion for active jackin’ workspaces, isolated agent sessions, PR jump links, and built-in-runtime account state (Claude, Codex, Amp, Kimi, OpenCode), with CodexBar and OpenUsage as scoped references for account quota surfaces. Keeps the agent TUIs as the primary agent UI while using the daemon as the shared state/event backend (status: open — design proposal)
- Live bidirectional auth sync — Phase 2 adapter. Keep host and every running container in lock-step on each auth axis (`gh`, Claude, Codex, Amp, …). Subsumes the launch-time `sync` mode’s bidirectional follow-up; reconsiders the `sync` name in the process (status: open — design proposal)
- Agent runtime status authority — Phase 2 state source. Herdr-class in-container authority for `working`, `blocked`, derived `done`, `idle`, `unknown`, and stuck diagnostics, informed by multicode, CCManager, Agent Session Manager, WezTerm Agent Deck, ccmux, TUICommander, Codemux, and tmux-agent-status. Uses semantic runtime hooks/APIs, foreground-process ownership, visible-screen signals, shell markers, and cursor/readiness probes instead of treating PTY silence as attention-needed (status: open — design proposal)
- Agent attention prompts — Phase 2 adapter. Host-side OS notifications when an agent inside a Capsule-managed role container is waiting on operator input or has finished unseen work. Consumes the agent runtime status authority, escalates from silent toast to sound after a configurable timeout, and focuses the right terminal tab where supported. Targets the biggest operator throughput drag: idle wall-clock waiting on agents that don’t surface their waiting state (status: open — design proposal)
- Host bridge — secrets and approved host actions — Phase 3 adapter. Operator-mediated channel for agents to request a single secret value or invoke a single host command without tearing down the container. Auto-registered MCP server, TouchID / polkit / password approval per request, per-workspace allowlist / blocklist / disabled policies, audit log. Closes the “agent needs one thing from the host, mid-session” gap that today forces full-restart workarounds (status: open — design proposal)
- Container credential exposure — beyond env injection — Phase 3 follow-on. Auth tokens and operator env values resolved from `op://` references become agent-readable when exported into the container today. Captures the trajectory from documented exposure to file-mount compatibility, command-scoped secret handles, Docker Sandboxes-style credential proxying, and daemon-mediated `secret.request` / `secret.run` grants where the agent gets a handle rather than the raw value (status: open — design proposal)
Infrastructure improvements
- Construct user creation optimization — move user creation to the derived layer to eliminate UID/GID remapping (status: deferred — needs design work)
- Workspace registry cache — opt-in workspace-level zot registry that acts as a pull-through cache for Docker Hub and a local push target; shared across all DinD sidecars in a workspace so base image layers are pulled once and reused, and built images persist across sessions (status: open — design proposal)
Operator surface and fleet operations
- Agent Orchestrator Research Program — phased research program comparing jackin’ against `multicode`, Hazmat, Docker Sandboxes, Herdr, and adjacent devcontainer/native-worktree approaches. Includes Orca ADE research — benchmarking Orca’s desktop-native worktree-per-task model, diff-annotation feedback loop, and 30+ agent runtime breadth against the Capsule-first isolation model (status: open — research captured, no implementation committed) — and agent workflow orchestration — Phase 4 leaf scoping the `roadmap-to-pr` direction, adversarial research on Conductor, Contrabass, agtx, Sculptor, Emdash, Forge MCP, MCO/Hive, Optio, Vibe Kanban, Sandcastle, Handler.dev, Helmor, Orca, OpenClaw Code Agent, Ruah/Bernstein, Switchboard, and GitHub Agentic Workflows, and a recommendation to validate the shared run/event spine before building a native runner or adopting an external orchestrator (status: open — research and design proposal). The fleet track covers live agent observability, per-instance persistent storage, declarative resource limits, autonomous task queue, remote operation, and skill mounts; its first-class agentic terminal direction is now captured by the agent runtime status authority. The containment track adds session contract and explain mode, stack integration contracts, network egress policy, and session snapshot and rollback so contributors can see the Hazmat/Docker Sandboxes research as actionable roadmap work rather than loose notes. The full leaf list lives in the program doc and the sidebar under Reference → Roadmap → Agent Orchestrator Research.
- Launch progress TUI — shared launch visualization for `jackin load` and console-triggered launches: first/last-container digital rain gating, structured launch progress events, durable debug logging, compact error dialogs, rich-terminal TUI rendering, fallback line output, and staged startup parallelization (status: open — design proposal)
- Native APM support for jackin’ agent roles — convention-based integration with Microsoft APM: if a role repo contains `apm.yml` next to `jackin.role.toml`, jackin’ runs `apm install` inside the isolated role environment with explicit targets, lockfile handling, reproducibility warnings, and host-mutation safeguards (status: open — design proposal)
- Public attribution and project growth — research how jackin’ can use visible software-development surfaces, especially Git commit trailers and PR metadata, to make the project discoverable without silently mutating operator repositories or misusing authorship semantics (status: open — research and design proposal)
Codebase health
- Codebase readability program — multi-phase internal-quality work covering documentation/setup, behavioral specs, DRY deduplication, module-contract refactors, and test coverage. Re-analyzed May 2026 against the current codebase (~91K lines of production Rust, 13 files over 1000 lines, pervasive TUI/auth/Docker duplication). The full leaf list lives in the program doc and in the sidebar under Reference → Roadmap → Codebase health.
- Cargo workspace split — deferred multi-crate Cargo workspace plan for when LOC, compile time, or external-consumer triggers make crate boundaries worth the overhead (status: deferred to Phase 3 — trigger not yet met, but architecture is ready)
- Open review findings catalog — living backlog of review findings with accepted-exception annotations. Code review and automated scanning consult this catalog (see `AGENTS.md` → “Code review & automated scanning”).
Documentation infrastructure
- Markdown linting for docs — uniform Markdown lint pipeline for the docs site (status: proposed — design captured, no implementation committed)
- Move documentation to a separate repository — promote `docs/` out of the CLI repo into its own `jackin-project/jackin-docs` repo so the ecosystem-level docs have an ecosystem-level home; the load-bearing question is how to keep the docs as fresh as same-repo co-location makes them today (status: deferred — needs design pass on the cross-repo freshness story)
- Rustdoc → Starlight integration — surface rustdoc JSON inside the Starlight docs site (status: deferred — Phase 3)
Vision
The user-facing summary of where jackin’ is headed lives on the Why jackin’? → Vision page so it is visible to operators and role authors, not only to contributors who end up on the roadmap. The longer-term shape of the project, the local-first focus, and the eventual move toward Kubernetes-backed debug workflows are all captured there.
If jackin’ works for your use case — or almost works but needs something different — open an issue or submit a pull request.
Contributing
jackin’ is open source under the Apache 2.0 license. To develop and test jackin’ itself, use The Architect — a dedicated agent with the full Rust toolchain:

```shell
jackin load the-architect
```

The project uses cargo-nextest for testing and requires all clippy lints to pass before committing.