Added crabbox capsule for local GitHub Actions failure replay manifests, including capture, inspect, replay, promotion, and documentation for how capsules compose with actions hydration and checkpoints. Thanks @zozo123.
Added AWS macOS support to native crabbox checkpoint snapshot/image creation and forks, including host-pin metadata and On-Demand fork defaults.
Added --take-control for WebVNC portal handoffs so opened browser viewers can automatically become the keyboard and mouse controller after connecting.
Added scripts/macos-image-lifecycle-smoke.sh for guarded AWS EC2 Mac host allocation, source macOS lease boot, WebVNC bridge proof, AMI creation, candidate-image smoke, promotion, promoted-image smoke, cleanup, and durable summary.json evidence.
Added a no-spend macOS host region preflight helper for checking reusable EC2 Mac Dedicated Hosts, dry-run allocation readiness, and Dedicated Mac host quota across configured AWS regions before approving paid allocation.
Added an account-guarded macOS image lifecycle IAM apply helper for trusted operators remediating coordinator AWS permissions from smoke artifacts, including automatic local AWS profile matching.
Added parsed IAM policy target details to crabbox admin providers identity --provider aws --json so operators know which role or user needs the macOS image lifecycle policy.
Added provider-scoped admin entrypoints: crabbox admin providers identity, crabbox admin providers policy, and crabbox admin hosts for host lifecycle operations. Existing admin aws-* and admin mac-hosts commands remain compatibility aliases.
Added provider-neutral CRABBOX_HOST_ID / hostId config for host-pinned leases while keeping CRABBOX_AWS_MAC_HOST_ID / aws.macHostId as AWS compatibility aliases.
Added provider-neutral coordinator admin routes for host lifecycle and provider identity operations, while keeping the legacy AWS routes as compatibility fallbacks.
Added a broker-side AWS orphan sweep that periodically scans configured AWS capacity regions from the Durable Object alarm and can terminate confirmed Crabbox-tagged EC2 orphans.
Added an AWS orphan-audit script for trusted operators to find Crabbox-tagged EC2 instances left behind in old provider accounts after credential or account rotation.
Added macOS image lifecycle evidence files for host discovery, quota, dry-run, allocation, image creation, image promotion, warmup, host wait, WebVNC daemon startup, WebVNC status, and artifact directories for blocked, partial, and completed runs.
Added regression coverage for the guarded macOS image lifecycle smoke and configurable WebVNC post-start grace period.
Changed
Hardened the macOS image lifecycle smoke so native checkpoint snapshot creation, checkpoint forks, WebVNC proof, and checkpoint cleanup run before candidate-image promotion.
Hardened the macOS image lifecycle smoke so EC2 Mac Dedicated Host scrubbing, WebVNC daemon cleanup, active portal bridge checks, and Mac host family fallback are covered before image promotion.
Changed AWS promoted image records to be scoped by target, architecture, server type, and region so macOS AMIs do not become the default image for Linux or Windows leases.
Changed native checkpoint records to preserve the source provider server type so macOS snapshot forks reuse the matching EC2 Mac host family unless --type is explicitly overridden.
Changed AWS macOS instance fallback candidates to include current Apple silicon Mac host families before the legacy mac1.metal fallback.
Changed EC2 Mac Dedicated Host quota checks to use direct Service Quotas lookups for known Mac host families before falling back to broader quota listing.
Changed the macOS host preflight and image lifecycle smoke to use the provider-neutral admin host/provider commands and CRABBOX_HOST_ID when pinning leases to an allocated host.
Changed the macOS image lifecycle smoke artifact to include the coordinator provider identity used for IAM remediation.
Changed macOS image lifecycle smoke blocker commands to use portable evidence filenames with the guarded IAM apply helper for coordinator permission remediation.
Changed macOS image lifecycle smoke summaries to record artifact-relative evidence paths so published bundles do not expose local checkout paths.
Changed macOS image lifecycle blocked summaries to include a blocker.reason alias for automation that expects a short blocker reason.
Changed standalone macOS host region preflight blockers to use the guarded IAM apply helper instead of manual account-match shell snippets.
Updated Go provider SDKs and Worker runtime/toolchain dependencies.
Documented the AWS account-match and IAM remediation flow for attaching the combined macOS image lifecycle policy to the coordinator role or user.
Clarified the EC2 Mac host IAM policy, including create-time tag permissions, Dedicated Mac host quota checks, and the split between baseline AWS provider permissions and paid macOS image bake, WebVNC, promotion, and cleanup permissions.
Clarified AWS security guardrail docs so IAM Access Analyzer external-access analyzers are created in every configured capacity region, while S3 Block Public Access and IAM password policy remain account-level controls.
Fixed
Fixed code-scanning findings in container command execution, Worker sanitizers, docs link/build helpers, and JSON error responses.
Fixed live smoke scripts so provider-specific missing workflow, snapshot, CLI, Python client, or Semaphore config prerequisites fail before allocating resources, and added Sprites coverage to the live provider smoke.
Fixed live coordinator auth smoke so GitHub-authenticated coordinator identities are accepted and Cloudflare Access credential gaps print an actionable prerequisite error.
Fixed raw SSH-provider JS package command failures so Crabbox probes obvious pnpm, npm, node, corepack, yarn, and bun entrypoints before syncing and fails with hydration/setup guidance instead of an empty exit 127 tail.
Fixed crabbox webvnc --open so opened portal links make the lease visible to authenticated org users instead of showing a misleading 404 when CLI auth and browser auth differ.
Fixed WebVNC portal click forwarding so controller clicks reach the remote desktop while preserving focus and browser context-menu suppression.
Fixed WebVNC --take-control handoff links so the portal keeps retrying the automatic control claim until the opened viewer is registered as an observer.
Fixed remote macOS screenshots so crabbox screenshot captures the Screen Sharing/VNC framebuffer instead of relying on screencapture from non-interactive SSH sessions.
Fixed remote macOS screenshots against no-auth VNC servers by reading the RFB 3.8 security result before framebuffer negotiation.
Fixed brokered AWS macOS launches so stale host ids, missing Mac hosts, regional AMI gaps, and unavailable default Mac capacity can fall back to usable host, region, image, or alternate Mac host family candidates.
Fixed brokered AWS macOS launches so newer mac-m* Mac host fallback candidates resolve macOS 15 AMIs instead of reusing the earlier Apple silicon macOS 14 AMI query.
Fixed coordinator-backed macOS lease reuse so follow-up run, sync, and image smoke commands use the brokered /Users/ec2-user/crabbox work root instead of Linux's /work/crabbox.
Fixed coordinator-backed macOS checkpoint metadata so an auto-discovered provider host id is preserved for snapshot forks.
Fixed AWS image deletion so scoped promoted macOS images cannot be deleted until another image is promoted.
Fixed brokered Azure leases so the CLI only sends azureOSDisk when the user explicitly configures it, preserving the coordinator default while keeping new Azure leases checkpointable by default. Thanks @jwmoss.
Fixed managed Windows bootstraps so native Windows leases skip desktop/VNC setup unless --desktop is requested, while WSL2 leases keep their Windows core and Linux setup paths separate. Thanks @jwmoss.
Fixed macOS image lifecycle cleanup and release paths so script-allocated hosts and local WebVNC daemons are stopped after source-only, candidate-only, blocked, partial, and completed runs.
Fixed macOS image lifecycle cleanup so script-allocated EC2 Mac Dedicated Hosts are released from failure traps when host release is requested.
Fixed EC2 Mac Dedicated Host allocation and release handling so paid host IDs returned by AWS are not retried in another availability zone after post-allocation describe failures, and failed ReleaseHosts results are surfaced instead of reported as released.
Fixed macOS image lifecycle region-preflight blockers so they preserve guarded IAM helper remediation commands from the region preflight evidence instead of falling back to manual account-match snippets.
Fixed macOS image lifecycle and host-region preflight blockers so remediation commands use neutral crabbox commands and the guarded IAM apply helper instead of embedding local binary paths, checkout paths, or manual account-match snippets.
Fixed macOS image lifecycle blocked summaries so quota preflight failures, EC2 Mac host dry-run IAM failures, rerun commands, and short blocker.reason aliases are preserved in evidence.
Fixed macOS image lifecycle evidence and artifact summaries so paths are only populated after the matching files or directories are captured.
Fixed EC2 Mac host dry-run JSON output so AWS authorization failures do not expose raw provider error details in operator logs.
Fixed EC2 Mac host quota checks so unsupported regional Mac quota resources return an empty quota result instead of a 502 preflight error.
Fixed missing coordinator Mac host admin endpoints so they report a blocked preflight instead of an empty preflight failure.
Fixed external macOS AMI promotion so x86 Mac images are keyed by their described architecture instead of defaulting to Apple silicon metadata.
Fixed provider-neutral admin command errors so older coordinators report the neutral route and the legacy compatibility route that both returned 404.
Fixed provider-neutral host pin requests and lease records so the public JSON field is hostId, while hostID remains accepted for compatibility.