Skip to content

v0.7.0

Latest

Choose a tag to compare

@github-actions github-actions released this 06 Jul 11:11

Sandbox base image moves to Debian 13, :copy keeps git history, Claude
Code v2.1.x compatibility, and yoloai system prune now reclaims leaked
host-side artifacts. See docs/BREAKING-CHANGES.md for the three breaking
changes.

Breaking changes (docs/BREAKING-CHANGES.md)

  • Sandbox base image is now Debian 13 (trixie): system Python 3.13, aider
    isolated on a uv-managed Python 3.12, binutils-gold for arm64 cgo. The
    base rebuilds automatically on next use.
  • :copy now preserves git history (CoW-clones the source .git), so
    log/blame/bisect and repo filters (LFS, git-crypt) work. Opt out with
    :copy-strict / --copy-strict / profile copy_strict: where a repo has
    un-rotated secrets in history.
  • A failed or interrupted yoloai new/run no longer leaves a half-created
    sandbox behind — it rolls back completely, so re-running the same command
    is clean.

Security

  • Copy-mode work-copy git is now confined on the apple and seatbelt backends
    too (per-container VM exec on apple; a dedicated tight sandbox-exec profile
    on seatbelt), closing the last host-side path where an agent-planted
    .git/config filter could execute on the host (audit C1).
  • core.fsmonitor is disabled on all yoloai-invoked git, removing the
    fsmonitor-command execution vector.

Features

  • yoloai system prune reclaims leaked host-side artifacts, not just
    containers: orphaned credential-broker processes, CNI network namespaces +
    IPAM leases, and (macOS/seatbelt) leaked tmux servers and their
    status-monitor/setup process group. yoloai doctor surfaces them.
    Dry-run lists everything before anything is reaped.
  • The apple backend now reclaims build cache + dangling images in
    system prune.

Fixes

  • Claude Code v2.1.x compatibility: seed onboarding-complete + folder-trust
    and map rootless-podman keep-id onto the yoloai uid, so the agent no longer
    hangs on the new theme/trust/permissions startup dialogs.
  • containerd/Kata: re-establish the network namespace on restart (a Stop then
    Start no longer fails with "ttrpc: closed").
  • apple: stop container exec -t's ONLCR from corrupting tmux scroll
    rendering.
  • system prune: no longer counts running containers' writable layers as
    reclaimable, and drops the misleading "--dry-run" wording from the internal
    scan; the netns firewall sidecar now carries com.yoloai.* labels so a
    crash-leak stays reclaimable.
  • network: sandbox allowed reads the network mode from netpolicy rather than
    from container inspection.
  • seatbelt (macOS): the host agent launch now discovers node on the host PATH
    (Homebrew, keg-only node@22, nvm) instead of assuming it, and no longer
    crashes the launch when node is absent — fixing a start failure on the
    seatbelt backend.
  • system check now recognizes on-disk / Keychain credentials, not just
    env-var API keys, when reporting agent auth status.
  • smoke harness tolerates invalid UTF-8 in captured agent-TUI output, and
    labels an upstream Anthropic API overload (HTTP 529) as such instead of a
    generic timeout.

Developer / CI

  • Mandatory-infrastructure test policy (D112): an absent but platform-possible
    backend/tool now fails rather than silently skipping; sole carve-out is
    YOLOAI_TEST_UNCONTROLLED_BACKENDS. Smoke tiers: smoketest (full matrix) /
    smoketest-quick (container core).
  • make check now lints and vets every non-host platform, not just the host
    (LINT_PLATFORMS), so a lint/build issue in a //go:build file is caught
    whichever OS runs the gate.
  • sudo make releasetest runs green (unit gate + integration escalation are
    sudo-safe; the Go/uv toolchain PATH is recovered under sudo).

Install: download the archive for your platform below and extract the yoloai binary,
brew install kstenerud/tap/yoloai, or go install github.com/kstenerud/yoloai/cmd/yoloai@latest.
Verify with checksums.txt (+ the cosign signature / build provenance).