Releases: stefanoginella/aicontainer
Releases · stefanoginella/aicontainer
Release list
v0.6.0
Added
- Local rootless Docker contexts work without extra flags. aic discovers
the selected Unix socket and regenerates a gitignored host-only environment
file, while remote Docker contexts still fail closed. - Host readiness can be checked before startup.
aic doctorreports
prerequisites and project wiring as conciseOK/WARN/FAILresults. - Project state is visible without mutation.
aic statussummarizes the
project identity, modes, image/runtime, credential-bridge health, and
managed volumes. - Resolved validation is available for CI.
aic validateapplies the full
gate noninteractively without prompting or recording trust. - aic startup validates resolved project config before handoff. CLI starts
check managed files plus the fully merged Compose model; the generated VS
Code initializer repeats the gate before Compose creation. - Reviewed host access can be trusted without repository state.
aic trust
records approval for the exact relevant config hash outside the checkout;
changes automatically invalidate it. - Unsafe access can be approved for one run.
--allow-unsafecarries an
exact configuration hash throughup/rebuildwithout persisting approval;
unbounded build contexts require this per-run review. - Docker inspection is now a separate opt-in mode.
--docker-readenables
host object list/inspect APIs without writes, while--dockerremains the
explicit read-write choice and--no-dockerrevokes either. - Shell completions cover every aic command.
aic completionemits
ready-to-install Bash, Zsh, or fish completions for commands and flags.
Changed
- Docker object access is off by default. The proxy exposes only ping and
version until the host user explicitly consents, hiding unrelated container,
image, network, volume, log, and file metadata. - Projects receive path-unique runtime identities. Compose resources and
session volumes include a canonical-path hash; existing transcript data is
migrated automatically without another login. - The shared session root has a tool-neutral name. Container state now lives
below~/.aic-sessions; legacy.claude-sessionsdata is carried forward. - Host preferences pass through an isolated sanitizer. A fixed networkless
service sees the raw Git/tool files and gives the agent only root-owned,
allowlisted JSON output. - Tool homes are isolated while logins remain reusable. Credentials sync
through a fixed networkless helper, while config, instructions, plugins,
prompt history, and transcripts stay in each project's volume. - Git config is installed behind a root boundary. Only fixed safe host
preferences survive parsing, and the validated result is created once as
root:root 0444with executable/path-bearing keys refused. - Shell startup ignores writable home profiles. Zsh, Bash, and fish launch
from root-managed system config, preventing next-session persistence without
importing host rc code. - AI safety policy uses managed system precedence. Claude, Codex, and
OpenCode autonomous settings plus the shared guardrail cannot be disabled by
user-level tool config. - Container creation no longer resolves Python dependencies. Post-create,
seed sanitization, and credential sync use system Python plus a hash-pinned
baked TOML writer, improving offline startup and removing a pre-policy fetch. - Weekly images refresh their base layers reliably. Scheduled/manual image
builds pull current bases and bypass stale caches while pinned release tags
remain reproducible. - Package metadata now names all supported agents. The npm description and
keywords include OpenCode. - Packed artifacts exclude development debris. Python caches/bytecode and
operating-system metadata no longer enter the npm tarball.
Fixed
- Codex refresh follows its supported unattended path. Rebuilds rerun the
official standalone installer instead of relying on installation-method
detection that can reject a valid standalone release. - Fresh projects initialize isolated customization roots. Claude and Codex
skill, command, rule, prompt, and plugin directories exist before first use
and remain confined to the path-unique project volume. - Large changelogs no longer block valid release tags. The local pre-push
mirror avoids apipefail/SIGPIPE false negative after finding an early
matching version section. - Compose validation works across supported host versions. Managed Docker
socket mounts retain raw interpolation inspection on Compose 2.38.x instead
of failing before the security gate can evaluate project overrides. - Sync does not inherit unconsented Docker access. Repository-only proxy
modes reset tonone; users who need Docker opt in once and record host
consent explicitly. - VS Code selects a compatible host CLI. Direct editor starts skip old
aic installs that lack managed initialization, scan every supported
Node-manager fallback, and print an actionable upgrade command when needed. - Same-named checkouts no longer share containers or transcripts. Legacy
cleanup requires an exact owned primary, permits only fixed unlabeled
sidecars, and never removes arbitrary orphans. Transcript import verifies the
actual session mount and absence of a conflicting owner; ambiguity is
preserved rather than guessed. - Symlinked control paths are rejected. Host-side init/sync refuses links or
special files at managed and project-owned control inputs instead of
following them outside the repository. - Managed template replacement is atomic. Files and hooks are staged beside
their destination before rename. - Mode switches remove stale managed artifacts. Switching to pull mode
removes every build-only file so later syncs cannot flip modes accidentally. - VS Code settings cannot escape their merge point. Project settings are
parsed and re-serialized as strict JSON; invalid input and managed-key
collisions are warned and skipped. - Non-interactive destroy requires explicit confirmation.
aic destroy
now needs--yeswhen no terminal is present instead of treating closed
input as permission to delete history. - Release retries preserve immutable artifacts. Reruns reuse verified
version images and matching npm publications, advancing:latestonly from
the current npm release to prevent accidental overwrite or rollback. - Legacy image recovery cannot widen an unknown artifact. Unannotated GHCR
versions require a matching immutable npm tarball and are never promoted to
:latest.
Security
- Seeded config no longer carries literal credentials. Inline provider and
MCP environment/header secrets are stripped recursively across Claude,
Codex, and OpenCode. - Cross-project prompt persistence is blocked. Auto-loaded memory, skills,
commands, rules, prompts, plugins, histories, and transcripts are scoped to
the path-unique project rather than the reusable credential store. - Privileged volume ownership verifies daemon metadata. The fixed helper
accepts only canonical mountpoints backed by ordinary option-free Docker
named volumes and rejects binds, symlinks, nesting, and custom drivers. - The runtime drops unnecessary Linux capabilities. The devcontainer starts
fromcap_drop: ALL;NET_RAWremains absent and only fixed helper/firewall
capabilities return. - Raw Docker access is hidden from the agent. The fixed helper socket sits
behind a root-only directory thatvscodecannot traverse. - The Docker proxy image is digest-pinned. Its verified multi-architecture
digest prevents a mutable dependency from replacing the raw-socket holder. - Metadata blocking covers IPv4 and IPv6 providers. Always-on drops include
IPv4/IPv6 link-local plus AWS and Alibaba metadata endpoints, independent of
the optional full allowlist. - Firewall refreshes stay fail-closed. IPv4/IPv6 rules are built off-path
and switched atomically; failed or prohibited DNS resolution leaves the
active restrictive policy untouched. - CI publishing uses narrower credentials. Checkout credentials are not
persisted and package-write permission exists only in the publishing job. - Registry publication is serialized across workflows. Release and
security-refresh GHCR jobs share a non-cancelling lock, closing mutable-tag
check-then-publish races without changing their workflow cancellation rules. - Managed path normalization cannot hide host aliases. Build contexts,
workspace/control binds, project volumes, and networks are verified against
the canonical checkout before installation-specific paths are normalized. - Unmanaged Dev Container startup hooks are rejected. Features and
lifecycle commands fail validation before aic hands configuration off. - Compose startup behavior cannot be replaced silently. Command,
entrypoint, healthcheck, and related service changes require review. - Managed Python ignores environment module injection. Post-create,
sanitization, and credential sync run isolated fromPYTHONPATH/PYTHONHOME. - Host variables cannot be forwarded silently. Active Compose interpolation
or bare environment/build-arg pass-through requires exact-config trust without
exposing the resolved value; literals and escaped templates remain prompt-free. - Managed startup environment cannot be shadowed silently. Overrides of
tool homes, shell/Git startup, loader paths, or the Docker proxy endpoint now
require explicit review before creation. - Validation output cannot inject terminal controls. Repository-controlled
names, paths, and values are rendered safely in host-side findings.
v0.5.0
Changed
- Docker socket write access is now off by default. The bundled
socket-proxy ships read-only (POST/BUILDblocked), so an in-container
agent can no longerdocker run --privileged -v /:/hostto escape or spawn
firewall-dodging sibling containers. Opt in per project withaic init --docker(oraic sync --docker);--no-dockerreverts.
Added
- Cloud metadata / link-local egress is blocked on every container create.
post-createdrops169.254.0.0/16(including the169.254.169.254cloud
metadata endpoint) viaaic-firewall block-metadata, independent of the
opt-in allowlist — closing the cloud-credential-theft path by default. aic up/aic rebuildscan project-owned override files before starting.
Flags host-access grants (privileged,cap_add, host mounts, the Docker
socket, a non-aicontainerDockerfile.projectbase) that ride along in an
untrusted repo; prompts on a TTY. Silence withAIC_NO_OVERRIDE_SCAN=1.- The devcontainer runs with
pids_limit: 4096. A fork-bomb / runaway-agent
backstop so it can't exhaust host PIDs; raise it (or addmem_limit/cpus)
indocker-compose.override.yml. aic preflightreports the Docker socket state. The trust-boundary
summary now shows whether the socket-proxy is read-only or read-write and
notes the always-on metadata block.
v0.4.3
Changed
- Devcontainer name flipped back to the
<folder>-aicontainersuffix. Was
aicontainer-<folder>; leads each label with the project name so it reads
first in VS Code's remote indicator. Re-derived on everyaic init/aic sync
and not hand-editable.
v0.4.2
Added
- Starting the container from VS Code now runs the image/CLI drift check too.
"Reopen/Rebuild in Container" drivesdevcontainer updirectly (never the
aicCLI), so the warning previously only appeared onaic up/shell/rebuild;
it's now wired into the devcontainer'sinitializeCommandand logged to the
Dev Containers output channel. Best-effort and never blocks the container from
starting.
v0.4.1
Added
aic up/aic shell/aic rebuildwarn when the pinned image lags youraic.
An offline check compares the:vX.Y.Zpinned indocker-compose.ymlagainst
the installed CLI and points ataic sync && aic rebuildto reconcile; on
rebuildit fires before the pull, so you can abort and re-pin first.
(Build-mode projects have no pin and are not checked.)aic version/aic upgradeflag a newer publishedaicontainer. Queried
from npm (the upgrade source of truth), cached for 24h, fail-silent, and
skipped in CI. Silence both notifications withAIC_NO_UPDATE_CHECK=1.
v0.4.0
Added
- OpenCode joins Claude Code and Codex as a first-class tool. Baked into the
image and auto-updated on everyaic rebuild, with persistent login,
per-project transcripts, and the shared.env/curl|shguardrail wired in as
an OpenCode plugin. Host~/.config/opencode/opencode.jsonprovider/model
definitions are seeded read-only (inline API keys stripped — log in inside with
opencode auth login); it's on by default, or choose it with
aic init --with …,opencode. (aic, template/)
v0.3.1
Changed
- Refreshed bundled tools and base image. uv 0.11, fzf 0.73.1, and
git-delta 0.19.2, plus a current Ubuntu 24.04 base-image digest.
(template/Dockerfile)
v0.3.0
Added
- Per-project VS Code extensions survive
aic sync. A project-owned
.devcontainer/vscode-extensions(onepublisher.nameid per line) is merged
intocustomizations.vscode.extensionson every init/sync; invalid lines are
warned about and skipped. (aic, template/devcontainer.json) - Per-project VS Code settings survive
aic sync. A project-owned
.devcontainer/vscode-settings.jsonobject is merged into
customizations.vscode.settings. README adds Python and TypeScript editor +
agent-LSP recipes. (aic, README.md) .devcontainer/README.mdexplains what to edit and what not to. Shipped
into every project (both modes) to steer humans and AI agents away from
hand-editing the sync-overwrittendevcontainer.jsontoward the project-owned
files. (template/README.md, aic)
v0.2.3
Added
post-create.pywarns loudly when no git identity is configured. The
sandbox inheritsuser.name/user.emailfrom the read-only host
~/.gitconfig; if that was empty/broken at build time,git commitfailed
mid-session with a cryptic "Author identity unknown" and couldn't be fixed
from inside. Container creation now flags it last with the host-side fix.
(post-create.py)
v0.2.2
Added
- Agents are told the read-only git internals are by design.
post-create.py
writes a managed note into~/.claude/CLAUDE.mdand~/.codex/AGENTS.mdso a
tool stops burning tokens "fixing" the expectedgit config … Device or resource busyfailure (and blocked.git/hooksinstalls). (post-create.py)