May 2026
v0.2 — Create Studio is the home
The big pivot. Agentlas is now describe-an-AI-agent and download. The home is a chat input, not a dashboard.
New
- Create Studio at /. Type a sentence, get a fully populated draft.
- Workshop at /draft/[id] — Live Preview + Visual Edit + Skills + Test prompts.
- Ship Readiness on Workshop and public profiles — deterministic checks for setup, secrets, smoke tests, safety labels, and ZIP contents.
- Save-to-Cargo claim flow — anonymous drafts can be attached to a real customer account after sign-in.
- Account entitlements now guard Forge and deep editor tools; plan intent no longer grants paid access.
- Production health at /api/health checks store latency, auth, billing, LLM, PNG rendering, object storage, rate limiting, and worker readiness.
- API abuse protection — auth links, token acceptance, session/logout, waitlist, health/ops alerts, builder rendering, draft create/fetch/change/claim/readiness, clarify session/finalize, public remix, scans/status, ZIP uploads, billing, manifest fetch/change, guide enhancement, Forge edits, audit reports, publishing, ZIP export, share-card rendering, system LLM status, and share events now share fixed-window limits with Mongo-backed counters in production. All JSON/body ingestion routes now use explicit size caps before expensive work.
- Browser security headers — every page and API response now ships a CSP, frame-ancestors blocking, HSTS, referrer policy, permissions policy, MIME-sniffing defense, and legacy cross-domain policy guards from the Next.js edge header layer.
- Cross-origin mutation guard — mutating /api requests now reject browser requests from untrusted origins at middleware before route handlers run, while signed webhooks and non-browser server calls keep working.
- API cache guard — middleware now applies no-store, no-cache headers to API responses by default, with only short-lived public share-card images left cacheable.
- Production smoke command — npm run smoke:production checks live security headers, no-store API caching, cross-origin mutation blocking, webhook exemptions, oversized payload rejection, and /api/health reachability against a deployed origin.
- CI production gates — app changes now run dependency install, typecheck, high-severity audit, production build, local production server boot, and the live production smoke suite in GitHub Actions.
- Billing provider shift — hosted checkout is now the primary paid path, with signed webhook idempotency, price-id based plan mapping, past_due retry access, stale event protection, and legacy fallback support.
- Queued scan worker mode — web requests save jobs, worker:scan claims them, and queued ZIP uploads use temporary object storage.
- Protected health alert delivery — cron can call /api/ops/health-alert or npm run health:alert to send webhook, Slack, or Discord alerts with throttling.
- Hardened deploy profile — Docker targets and compose profile run the scan worker as non-root with read-only filesystem, tmpfs, cap drop, no-new-privileges, seccomp, and resource limits.
- Provider deploy runbooks — Railway, Fly.io, and Kubernetes settings are documented with example configs in app/deploy/.
- Runtime adapter kit — export ZIPs include .agentlas/runtime-adapters.json and per-runtime smoke docs for Claude Code, Codex, Gemini, Cursor, and Manus targets.
- Hosted runtime lab — Workshop can install the ZIP into a temp project, probe available Claude/Codex/Gemini CLIs, return Cursor/Manus manual smoke steps, and run Pro/Max live model smoke with AI-credit ledgering.
- Team governance — Account has a policy center, invite domain controls, member removal, invite revocation, export/publish approval queue, manager approve/reject flow, audit-event filtering/CSV export, and server-side gates for ZIP export and public publishing.
- Enterprise SSO — Team accounts can use a generic OIDC provider with state/nonce storage, JWKS id_token verification, company-domain allowlist, and existing signed-session handoff.
- SCIM lifecycle — Team accounts can expose /api/scim/v2 and run an Account dry run for bearer-token user lookup, provisioning, group-to-role sync, active=false deprovisioning, DELETE deprovisioning, and inactive directory retention against the same account membership model.
- Compliance export — Team owners and admins can download a sanitized ZIP for security review with account policy, approvals, asset inventory, usage, billing state, telemetry, and health evidence.
- Improve report — the Audit tab now flags weak metadata, vague outputs, unclear setup prerequisites, risky tool combinations, beginner-risk installs, permissions, duplicates, size, and naming issues with copyable repair packets plus a Markdown repair-kit export.
- Marketplace directory — published profiles can be searched, filtered by source/risk/assets, sorted by recency/assets/access, and copied as tracked profile links.
- Publish lifecycle — Agent Cargo can unpublish scan and draft profiles without deleting the private Cargo item, and publish/unpublish actions appear in the account audit trail.
- Telemetry dashboard — Console shows 7/30-day profile views, share events, share rate, format mix, recent activity, and per-profile demand.
- Tiny Q&A — kindergarten-friendly clarifying questions, applied with one tap.
- Templates gallery at /templates with 16 searchable workflow prompts.
- .zip export at /api/draft/[id]/export with a real .claude/ tree (zero-dependency ZIP encoder).
- Publish a draft → public profile uses the same renderer as imported repos.
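
A sketch of the decision described in the cross-origin mutation guard item above, added here as an illustration and not taken from Agentlas code. The trusted origin, the webhook path prefix, and the choice of the Origin, Sec-Fetch-Site, and Referer headers as browser markers are assumptions.

```javascript
// Added illustration; not Agentlas source. Values below are hypothetical.
const TRUSTED_ORIGINS = new Set(["https://app.example.test"]);
const WEBHOOK_PREFIXES = ["/api/webhooks/"]; // assumed webhook route prefix
const MUTATING = new Set(["POST", "PUT", "PATCH", "DELETE"]);

function originOf(value) {
  try { return new URL(value).origin; } catch { return null; }
}

// Decide one request, given as { method, path, headers }, before any handler runs.
function checkMutation({ method, path, headers }) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;

  if (!path.startsWith("/api/")) return { allow: true, reason: "not-api" };
  if (!MUTATING.has(method.toUpperCase())) return { allow: true, reason: "safe-method" };
  // Webhooks are authenticated by signature in their own handler, not by origin.
  if (WEBHOOK_PREFIXES.some((p) => path.startsWith(p))) {
    return { allow: true, reason: "webhook" };
  }
  if (h["origin"] !== undefined) {
    // The literal "null" origin (sandboxed frames, data: URLs) never matches.
    return TRUSTED_ORIGINS.has(h["origin"])
      ? { allow: true, reason: "trusted-origin" }
      : { allow: false, reason: "untrusted-origin" };
  }
  if (h["sec-fetch-site"] !== undefined) {
    // A browser sent this request without Origin; accept only same-origin.
    return h["sec-fetch-site"] === "same-origin"
      ? { allow: true, reason: "same-origin-fetch" }
      : { allow: false, reason: "cross-site-fetch" };
  }
  if (h["referer"] !== undefined) {
    return TRUSTED_ORIGINS.has(originOf(h["referer"]))
      ? { allow: true, reason: "trusted-referer" }
      : { allow: false, reason: "untrusted-referer" };
  }
  // No browser markers at all: treat as a server-to-server call, which
  // still has to pass the route's own authentication.
  return { allow: true, reason: "non-browser" };
}
```

The guard only filters browser-originated cross-site writes; it does not replace session or token checks inside the route handlers.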
Changed
- Repo scanner and drafts now share /cargo as Agent Cargo.
- Trust grade dropped in favor of a fact-only Access Summary.
- Audit added as a tab on the repo result page.
Enterprise pilots
- Team SSO and SCIM are implemented with generic OIDC and SCIM flows. IdP-specific screenshots should be added after the first enterprise pilot picks the real vendor.