v0.1.5 — OpenAI Codex as a second agent

OpenAI Codex joins Claude Code as a selectable agent — same containment model: the real key (Anthropic or OpenAI) stays host-only, the VM only ever sees a budget-capped bearer token, egress is deny-by-default, and every change comes back as a human-gated git diff.

Added

• drydock submit --agent claude|codex; operator default via default_agent / DRYDOCK_DEFAULT_AGENT. The credential gateway gained a vendor registry (Anthropic + OpenAI), with per-task USD metering + revoke for both. brokerd now accepts at least one of ANTHROPIC_API_KEY / OPENAI_API_KEY. drydock tasks shows duration + metered cost + outcome for Codex too.

Changed

• Sandbox image renamed claude-sandbox → drydock-sandbox (hosts both CLIs); entrypoint.sh dispatches on DRYDOCK_AGENT. Re-run drydock init to rebuild. api.openai.com added to the default egress allowlist (gateway-routed, like api.anthropic.com).

Fixed

• drydock start now accepts either vendor key — it previously refused to start without ANTHROPIC_API_KEY, blocking Codex-only operation.

Full notes in CHANGELOG.md. No third-party security audit; working alpha. macOS 26+ / Apple silicon.

Install: brew tap sricola/drydock && brew install drydock
sha256: b82af6287dcd1ffdc09f66a3e38b915bfb0d5f3c2c6d56c8ea3d02c5b608c865

v0.1.4

Highlights

• State dirs default to ~/.drydock/{stage,audit,squid} instead of /tmp/broker/.... Audit history was at risk of silent eviction on /tmp. Existing operators upgrading still see legacy /tmp/broker/audit content in drydock tasks via a fallback path.
• drydock submit propagates ^C as a request cancellation. The code-comment claim has finally caught up to the implementation.
• Friendlier offline messages. submit, approve, deny, pending, kill, and status all print brokerd not running — start it in another shell with drydock start instead of raw Go HTTP transport errors. drydock kill no longer says "no such task" when brokerd is down.
• README install snippet now includes brew trust sricola/drydock (modern Brew rejects personal taps without explicit trust).
• SECURITY.md gets a dedicated "TCP exposure" section spelling out that broker.addr / BROKER_ADDR has no built-in auth.

Full notes: CHANGELOG.md

Install

brew install sricola/drydock/drydock
drydock init && drydock doctor

v0.1.3

Highlights

• New drydock doctor smoke command — verifies sandbox setup without API spend.
• Per-task --model flag + default_model config field — pick Opus, Sonnet, or Haiku per task or set a default.
• Sandbox image ships Python 3.11 and Go 1.26.4 alongside Node 22; egress allowlist adds proxy.golang.org + sum.golang.org.
• --help works on every subcommand (previously could accidentally approve/deny a task named "--help").
• drydock version reports git-describe output on source builds.
• drydock init preflights macOS version + Apple-silicon arch; nudges operators whose existing ~/.drydock/egress.yaml is missing newer shipping entries.
• drydock init detects stale sandbox images from before the macagent→drydock rename and rebuilds with --no-cache.
• Failed tasks resolve to error (with duration + cost) instead of staying at running? forever.

Full notes: see CHANGELOG.md

Install

brew install sricola/drydock/drydock
drydock init && drydock doctor

v0.1.2 — operator config moves to ~/.drydock

Operator config moves to ~/.drydock/{config,egress}.yaml — seeded by drydock init, never overwriting your edits. Env vars (DRYDOCK_, BROKER_) still override file values, so existing scripts keep working. ANTHROPIC_API_KEY stays env-only by design.

v0.1.1 — patch

Patch: brokerd discovers config/egress.yaml via the same search paths as drydock init's image dir. Fixes drydock start after brew install (the v0.1.0 default of relative config/egress.yaml only worked from the cloned-repo cwd).

v0.1.0

Full Changelog: https://github.com/sricola/drydock/commits/v0.1.0