Update project portfolio

src/content/docs/resources/projects/cargo-hyperlight.mdx

@@ -1,15 +1,19 @@
 ---
 title: Cargo Hyperlight
-description: A cargo subcommand to simplify building Hyperlight guest binaries.
+description: A cargo subcommand to build Hyperlight guest binaries.
 ---
 
 import { LinkButton } from '@astrojs/starlight/components';
 
-Cargo Hyperlight is a `cargo` subcommand to help with building Hyperlight guest binaries.
+Cargo Hyperlight is a `cargo` subcommand for building [Hyperlight](https://github.com/hyperlight-dev/hyperlight)
+guest binaries.
 
-Hyperlight's extremely limited guest API can make it challenging to build guests targeting the environment. `cargo-hyperlight`
-was created to make it easier to build guest binaries. In fact, if your bin or any of its dependencies have a `build.rs`
-script using `cc` and `bindgen` to compile C code and generate bindings, they will often work without change!
+Write a Hyperlight guest binary in Rust and build it with `cargo hyperlight build`; no extra build configuration is
+needed. If your binary or any dependency has a `build.rs` script using `cc` and `bindgen` to compile C code and generate
+bindings, it will often work out of the box.
+
+Your crate must have `hyperlight-guest-bin` as a transitive dependency. The command builds for the
+`x86_64-hyperlight-none` target by default and places the resulting guest binary under `target/x86_64-hyperlight-none/`.
 
 ```bash
 # Install

src/content/docs/resources/projects/hyperagent.mdx

@@ -1,32 +1,47 @@
 ---
 title: HyperAgent
-description: A sandboxed code-acting AI agent runtime built on Hyperlight micro-VMs.
+description: A sandboxed code-acting AI agent runtime built on Hyperlight micro virtual machines.
 ---
 
 import { Aside, LinkButton } from '@astrojs/starlight/components';
 
 <Aside type="caution">HyperAgent is pre-release software. Not for production use.</Aside>
 
+<Aside type="note">HyperAgent requires hardware virtualization: Linux with KVM, Azure Linux with MSHV, Windows with WHP, or WSL2 with KVM. It does not currently run on macOS.</Aside>
+
 HyperAgent is a sandboxed code-acting AI agent runtime: it writes JavaScript handlers, validates them, and runs them
-inside hardware-isolated Hyperlight micro-VMs using the [GitHub Copilot SDK](https://github.com/github/copilot-sdk).
+inside hardware-isolated Hyperlight micro virtual machines using the [GitHub Copilot SDK](https://github.com/github/copilot-sdk).
 
 It is built for useful, bounded work: data analysis, document generation, API workflows, secure file output, and tool
 use through plugins and MCP servers. The model can write code, but the code runs in a sandbox with no direct
 filesystem, shell, or network access unless you explicitly enable narrowly scoped host capabilities.
 
 ```bash
+# Authenticate with GitHub; Copilot access is required.
+gh auth login
+
+# Install and run. Requires Node.js 22+.
+npm install -g @hyperlight-dev/hyperagent
 hyperagent --skill pptx-expert --profile web-research \
   --prompt "Create a presentation on the NASA Artemis II mission \
   include lots of statistics and data, use an appropriate theme \
   and color scheme for the subject, make it stunning"
 ```
 
+What that gets you:
 | Instead of                | HyperAgent gives you                                          |
 | ------------------------- | ------------------------------------------------------------- |
 | Shell-first automation    | Code-first handlers validated and run in a micro-VM           |
 | Ambient filesystem access | Path-jailed read/write plugins                                |
 | Ambient network access    | Domain-scoped fetch with SSRF checks                          |
 | Ad hoc tool calls         | Normal JavaScript APIs for approved capabilities              |
-| Hidden agent state        | Explicit shared state, transcript logs, and timing logs       |
+| One-off generated scripts | Reusable handlers and modules                                 |
+| Hidden agent state        | Explicit shared state, transcript logs, debug logs, and timing logs |
+| Trust-me execution        | Tool gating, code validation, plugin approval, and MCP review |
+
+HyperAgent is designed for useful, bounded jobs such as data pipelines, API exploration, reports, PowerPoint decks,
+PDFs, Excel workbooks, and workflows that connect approved MCP servers. Add `--auto-approve` only for trusted
+non-interactive runs; otherwise HyperAgent can pause for approval before enabling plugins, connecting MCP servers, or
+taking write-capable actions.
 
 <LinkButton href="https://github.com/hyperlight-dev/hyperagent">GitHub</LinkButton>

src/content/docs/resources/projects/hyperlight-sandbox.mdx

@@ -6,7 +6,7 @@ description: A multi-backend sandboxing framework for running untrusted code wit
 import { LinkButton } from '@astrojs/starlight/components';
 
 Hyperlight Sandbox is a multi-backend sandboxing framework for running untrusted code with controlled host capabilities.
-It provides a unified API across multiple isolation backends (Wasm Component, HyperlightJS, Nanvix) with a common
+It provides a unified API across multiple isolation backends, including Wasm Component and HyperlightJS, with a common
 capability model and SDKs for Python, .NET, and Rust.
 
 Key features include:
@@ -16,6 +16,7 @@ Key features include:
 - **Capability-based file access** — Read-only `/input` directory, writable `/output` directory, strict path isolation
 - **Snapshot / restore** — Capture and rewind sandbox runtime state for reuse
 - **Network allow listing** — Network traffic is off by default; allow specific domains and HTTP verbs
+- **SDKs for multiple languages** — Python, .NET, and Rust SDKs
 
 ```python
 from hyperlight_sandbox import Sandbox

src/content/docs/resources/projects/hyperlight-unikraft.mdx

@@ -0,0 +1,66 @@
+---
+title: Hyperlight Unikraft
+description: Run Unikraft unikernels and Linux applications on Hyperlight micro virtual machines.
+---
+
+import { LinkButton } from '@astrojs/starlight/components';
+
+Hyperlight Unikraft runs [Unikraft](https://unikraft.org/) unikernels on [Hyperlight](https://github.com/hyperlight-dev/hyperlight),
+enabling Linux applications written in Python, Node.js, Go, Rust, C, and C++ to execute inside hardware-isolated
+micro virtual machines.
+
+It provides a CLI host that loads a Unikraft kernel and optional initrd, passes application arguments into the guest,
+and captures console output through Hyperlight. The project also includes ready-to-use example configurations for
+building and running common application runtimes.
+
+Key features include:
+
+- **Unikernel execution** — Run Linux application binaries inside Unikraft guests on Hyperlight
+- **Thin, opt-in host surface** — Guests have no host filesystem, network, or host functions by default; `--mount`, `--net`, and `--enable-tools` opt in through a single `__dispatch` JSON-RPC bridge
+- **Broad language support** — Use examples for Python, Node.js, Go, Rust, C, C++, and more
+- **Generic command line** — Pass arguments to any application with `-- arg1 arg2 ...`
+- **Fast startup** — Use Hyperlight's lightweight VMM for low-latency micro virtual machine startup
+- **Host filesystem sandboxing** — Preopen host directories and expose them to guest applications with path isolation
+
+From commandline:
+
+```bash
+# Install pyhl
+cargo install --git https://github.com/hyperlight-dev/hyperlight-unikraft \
+    hyperlight-unikraft-host --bin pyhl
+
+pyhl setup --from examples/python-agent-driver
+pyhl run -c 'import pandas as pd; print(pd.DataFrame({"x":[1,2,3]}).sum().to_dict())'
+```
+
+As a library:
+
+```
+fn main() -> anyhow::Result<()> {
+    let code = std::env::args()
+        .nth(1)
+        .unwrap_or_else(|| r#"print("hello from the pyhl library API")"#.to_string());
+
+    let home = std::env::var("PYHL_HOME")
+        .map(std::path::PathBuf::from)
+        .unwrap_or_else(|_| Path::new(".pyhl").to_path_buf());
+
+    // Default: no mounts. Add `Preopen::new(host, guest)` entries to
+    // expose host directories via the guest's hostfs.
+    let mounts: &[Preopen] = &[];
+
+    let mut rt = pyhl::Runtime::new(&home, mounts, None, None)?;
+
+    eprintln!("-- first run (hermetic from loaded snapshot) --");
+    let t1 = rt.run_code(&code)?;
+    eprintln!("restore={:.1}ms call={:.1}ms", t1.restore_ms, t1.call_ms);
+
+    eprintln!("-- second run (restores to the same snapshot) --");
+    let t2 = rt.run_code(&code)?;
+    eprintln!("restore={:.1}ms call={:.1}ms", t2.restore_ms, t2.call_ms);
+
+    Ok(())
+}
+```
+
+<LinkButton href="https://github.com/hyperlight-dev/hyperlight-unikraft?tab=readme-ov-file">GitHub</LinkButton>

src/content/docs/resources/projects/index.mdx

@@ -10,10 +10,10 @@ import { LinkCard, CardGrid } from '@astrojs/starlight/components';
 The following projects are part of the Hyperlight family, providing language runtimes, sandboxing frameworks, developer tools, and more.
 
 <CardGrid>
-  <LinkCard title="Cargo Hyperlight" href="/resources/projects/cargo-hyperlight/" description="A cargo subcommand to simplify building Hyperlight guest binaries." />
-  <LinkCard title="HyperAgent" href="/resources/projects/hyperagent/" description="A sandboxed code-acting AI agent runtime built on Hyperlight micro-VMs." />
-  <LinkCard title="Hyperlight JavaScript" href="/resources/projects/hyperlight-js/" description="Execute JavaScript within the Hyperlight secure boundary." />
-  <LinkCard title="Hyperlight Nanvix" href="/resources/projects/hyperlight-nanvix/" description="Run the Nanvix microkernel inside Hyperlight for broad POSIX compatibility." />
-  <LinkCard title="Hyperlight Sandbox" href="/resources/projects/hyperlight-sandbox/" description="A multi-backend sandboxing framework for running untrusted code." />
-  <LinkCard title="Hyperlight Wasm" href="/resources/projects/hyperlight-wasm/" description="Run Wasm modules within Hyperlight's secure boundary using Wasmtime." />
-</CardGrid>
+  <LinkCard title="Cargo Hyperlight" href="/resources/projects/cargo-hyperlight/" description="A cargo subcommand to build Hyperlight guest binaries." />
+  <LinkCard title="HyperAgent" href="/resources/projects/hyperagent/" description="A Hyperlight micro virtual machine sandboxed, code-acting, AI agent runtime for document, data, and API workflows." />
+  <LinkCard title="Hyperlight JavaScript" href="/resources/projects/hyperlight-js/" description="Run JavaScript inside Hyperlight micro virtual machines using QuickJS." />
+  <LinkCard title="Hyperlight Unikraft" href="/resources/projects/hyperlight-unikraft/" description="Run Unikraft unikernels on Hyperlight micro virtual machines." />
+  <LinkCard title="Hyperlight Sandbox" href="/resources/projects/hyperlight-sandbox/" description="A Hyperlight micro virtual machine multi-backend sandboxing framework for running untrusted code." />
+  <LinkCard title="Hyperlight Wasm" href="/resources/projects/hyperlight-wasm/" description="Run Wasm components in a Hyperlight micro virtual machine-backed sandbox." />
+</CardGrid>