Security focus + a couple of new features

@kstenerud kstenerud released this 02 Jul 08:06

Security updates:

  • The agent's API key stays host-side by default
  • The :overlay capability-escape mode is retired
  • --network-isolated no longer trusts the agent container with CAP_NET_ADMIN
  • :copy now honors .gitignore

Other updates:

  • Native per-agent turn-completion detection
  • A new headless run verb
  • File-defined agents
  • Crash-safe data-dir migration framework

Highlights

Credential brokering by default (security)

When an agent's credential is brokerable (Claude ANTHROPIC_API_KEY or subscription CLAUDE_CODE_OAUTH_TOKEN) and the backend can host a host-side injector (Linux docker/podman) and networking is open, yoloai now runs a small host-side reverse proxy and points the agent at it (the real credential is held host-side and never enters the container).

Previously the key was written into the container environment and brokering was opt-in. Opt out with --no-broker (sticky across restart).
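As an added illustration of the brokering pattern described above (example code, not yoloai's own injector): a minimal host-side reverse proxy that holds the real key, drops whatever credential header the container sends, and injects the host-held key before forwarding. The `X-Api-Key` header name, the placeholder upstream and the listen address are assumptions for illustration.

```go
package main

import (
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
	"os"
)

// credentialHeaders are headers an agent may use to carry a credential. Whatever
// the container sends in them is dropped so neither the placeholder the agent was
// given nor a forged value ever reaches the upstream API.
var credentialHeaders = []string{"X-Api-Key", "Authorization"}

// NewBrokerProxy returns a reverse proxy that strips inbound credential headers
// and injects the host-held key on every forwarded request. The key exists only
// in this host-side process; it is never written into the container environment.
func NewBrokerProxy(upstream *url.URL, realKey string) *httputil.ReverseProxy {
	proxy := httputil.NewSingleHostReverseProxy(upstream)
	base := proxy.Director
	proxy.Director = func(r *http.Request) {
		base(r) // rewrite scheme/host/path toward the upstream
		r.Host = upstream.Host
		for _, h := range credentialHeaders {
			r.Header.Del(h)
		}
		r.Header.Set("X-Api-Key", realKey) // assumed header name for the upstream API
	}
	// Keep upstream error details (and any echoed headers) away from the agent.
	proxy.ErrorHandler = func(w http.ResponseWriter, _ *http.Request, err error) {
		log.Printf("broker: upstream error: %v", err)
		http.Error(w, "upstream unavailable", http.StatusBadGateway)
	}
	return proxy
}

func main() {
	upstream, err := url.Parse("https://api.example.invalid") // placeholder upstream
	if err != nil {
		log.Fatal(err)
	}
	// The real credential is read from the host environment, never from the sandbox.
	proxy := NewBrokerProxy(upstream, os.Getenv("ANTHROPIC_API_KEY"))
	// Bind only to the address the sandbox can reach (assumed loopback here).
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", proxy))
}
```

The agent inside the container is pointed at the proxy address with a dummy credential; the proxy replaces it, so neither a prompt-injected agent nor a compromised container process can read the real key.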

:overlay retired; crash-safe system migrate

:overlay is removed because it required CAP_SYS_ADMIN in the agent container, a host-escape primitive on rootful Docker. :copy delivers the same protect-original / review-before-apply workflow with no elevated capability and is cheap on modern filesystems.

IMPORTANT: yoloai system migrate (v3→v4) auto-converts existing overlay sandboxes to :copy, capturing the running merged tree (gitignored and uncommitted files included) verbatim.

The migration runs on a new crash-safe promotion framework (build-new → repopulate → atomic swap), resumable across a crash at any rename boundary, so an interrupted migrate never strands a half-converted sandbox.

Tamper-resistant network isolation

--network-isolated no longer grants the agent container CAP_NET_ADMIN. A short-lived netns-sharing sidecar installs the firewall rules and exits, so a prompt-injected agent can't alter its own allowlist and no privileged process persists.

:copy honors .gitignore

Inside a git work tree, :copy now copies only project files (tracked plus untracked-but-not-ignored); ignored files (.env, keys, local config) stay out of the sandbox and never appear in diffs. Use the new :copy-all suffix for the previous copy-everything behavior.

Native turn-completion detection

Per-agent native turn-completion strategies replace heuristic idle-guessing: Gemini / Codex / OpenCode / Aider via their own hooks, Claude via resume. Done/idle detection is now driven by the agent, with a fall-to-shell fallback for heuristic agents.

Headless yoloai run

yoloai run is a new headless run-to-completion verb.

File-defined agents

File-defined agents let you drop a ~/.yoloai/.../agents/*.yaml to add an agent, alongside agnostic context injection and an enriched capability catalog.

Public embedding surface

The runtime, store, and copy/diff/apply packages are now public, with per-sandbox agent.json / netpolicy.json config (for embedders building on yoloai as a library).

Notable fixes

  • prune: devmapper host-reclaim is now discard-accurate and accounts for the containerd content store; orphans identified by com.yoloai.* labels, not name.
  • launch: bounded retry for the network-isolation firewall sidecar; podman keepalive bring-up fixed.
  • tart: don't recommend deleting a base VM pinned by tart.image; teardown verified on macOS.
  • mcp: list hidden files; diff-handler corrections (still experimental).
  • store: warn when the data dir is on a network filesystem.
  • doctor: render description-only fix steps.

Breaking changes

Four breaking changes — see docs/BREAKING-CHANGES.md for details and migration steps:

  • :overlay directory mode removed (auto-migrated to :copy by system migrate).
  • --network-isolated: agent container no longer holds CAP_NET_ADMIN (a sidecar installs the firewall).
  • :copy honors .gitignore (opt out with :copy-all).
  • Credential brokering is the default on supported backends (opt out with --no-broker).

Upgrading

Run yoloai system migrate after updating.

Full Changelog: v0.5.2...v0.6.0