Skip to content

Releases: stefanoginella/aicontainer

v0.6.0

Choose a tag to compare

@github-actions github-actions released this 13 Jul 13:54
5f69e91

Added

  • Local rootless Docker contexts work without extra flags. aic discovers
    the selected Unix socket and regenerates a gitignored host-only environment
    file, while remote Docker contexts still fail closed.
  • Host readiness can be checked before startup. aic doctor reports
    prerequisites and project wiring as concise OK/WARN/FAIL results.
  • Project state is visible without mutation. aic status summarizes the
    project identity, modes, image/runtime, credential-bridge health, and
    managed volumes.
  • Resolved validation is available for CI. aic validate applies the full
    gate noninteractively without prompting or recording trust.
  • aic startup validates resolved project config before handoff. CLI starts
    check managed files plus the fully merged Compose model; the generated VS
    Code initializer repeats the gate before Compose creation.
  • Reviewed host access can be trusted without repository state. aic trust
    records approval for the exact relevant config hash outside the checkout;
    changes automatically invalidate it.
  • Unsafe access can be approved for one run. --allow-unsafe carries an
    exact configuration hash through up/rebuild without persisting approval;
    unbounded build contexts require this per-run review.
  • Docker inspection is now a separate opt-in mode. --docker-read enables
    host object list/inspect APIs without writes, while --docker remains the
    explicit read-write choice and --no-docker revokes either.
  • Shell completions cover every aic command. aic completion emits
    ready-to-install Bash, Zsh, or fish completions for commands and flags.

Changed

  • Docker object access is off by default. The proxy exposes only ping and
    version until the host user explicitly consents, hiding unrelated container,
    image, network, volume, log, and file metadata.
  • Projects receive path-unique runtime identities. Compose resources and
    session volumes include a canonical-path hash; existing transcript data is
    migrated automatically without another login.
  • The shared session root has a tool-neutral name. Container state now lives
    below ~/.aic-sessions; legacy .claude-sessions data is carried forward.
  • Host preferences pass through an isolated sanitizer. A fixed networkless
    service sees the raw Git/tool files and gives the agent only root-owned,
    allowlisted JSON output.
  • Tool homes are isolated while logins remain reusable. Credentials sync
    through a fixed networkless helper, while config, instructions, plugins,
    prompt history, and transcripts stay in each project's volume.
  • Git config is installed behind a root boundary. Only fixed safe host
    preferences survive parsing, and the validated result is created once as
    root:root 0444 with executable/path-bearing keys refused.
  • Shell startup ignores writable home profiles. Zsh, Bash, and fish launch
    from root-managed system config, preventing next-session persistence without
    importing host rc code.
  • AI safety policy uses managed system precedence. Claude, Codex, and
    OpenCode autonomous settings plus the shared guardrail cannot be disabled by
    user-level tool config.
  • Container creation no longer resolves Python dependencies. Post-create,
    seed sanitization, and credential sync use system Python plus a hash-pinned
    baked TOML writer, improving offline startup and removing a pre-policy fetch.
  • Weekly images refresh their base layers reliably. Scheduled/manual image
    builds pull current bases and bypass stale caches while pinned release tags
    remain reproducible.
  • Package metadata now names all supported agents. The npm description and
    keywords include OpenCode.
  • Packed artifacts exclude development debris. Python caches/bytecode and
    operating-system metadata no longer enter the npm tarball.

Fixed

  • Codex refresh follows its supported unattended path. Rebuilds rerun the
    official standalone installer instead of relying on installation-method
    detection that can reject a valid standalone release.
  • Fresh projects initialize isolated customization roots. Claude and Codex
    skill, command, rule, prompt, and plugin directories exist before first use
    and remain confined to the path-unique project volume.
  • Large changelogs no longer block valid release tags. The local pre-push
    mirror avoids a pipefail/SIGPIPE false negative after finding an early
    matching version section.
  • Compose validation works across supported host versions. Managed Docker
    socket mounts retain raw interpolation inspection on Compose 2.38.x instead
    of failing before the security gate can evaluate project overrides.
  • Sync does not inherit unconsented Docker access. Repository-only proxy
    modes reset to none; users who need Docker opt in once and record host
    consent explicitly.
  • VS Code selects a compatible host CLI. Direct editor starts skip old
    aic installs that lack managed initialization, scan every supported
    Node-manager fallback, and print an actionable upgrade command when needed.
  • Same-named checkouts no longer share containers or transcripts. Legacy
    cleanup requires an exact owned primary, permits only fixed unlabeled
    sidecars, and never removes arbitrary orphans. Transcript import verifies the
    actual session mount and absence of a conflicting owner; ambiguity is
    preserved rather than guessed.
  • Symlinked control paths are rejected. Host-side init/sync refuses links or
    special files at managed and project-owned control inputs instead of
    following them outside the repository.
  • Managed template replacement is atomic. Files and hooks are staged beside
    their destination before rename.
  • Mode switches remove stale managed artifacts. Switching to pull mode
    removes every build-only file so later syncs cannot flip modes accidentally.
  • VS Code settings cannot escape their merge point. Project settings are
    parsed and re-serialized as strict JSON; invalid input and managed-key
    collisions are warned and skipped.
  • Non-interactive destroy requires explicit confirmation. aic destroy
    now needs --yes when no terminal is present instead of treating closed
    input as permission to delete history.
  • Release retries preserve immutable artifacts. Reruns reuse verified
    version images and matching npm publications, advancing :latest only from
    the current npm release to prevent accidental overwrite or rollback.
  • Legacy image recovery cannot widen an unknown artifact. Unannotated GHCR
    versions require a matching immutable npm tarball and are never promoted to
    :latest.

Security

  • Seeded config no longer carries literal credentials. Inline provider and
    MCP environment/header secrets are stripped recursively across Claude,
    Codex, and OpenCode.
  • Cross-project prompt persistence is blocked. Auto-loaded memory, skills,
    commands, rules, prompts, plugins, histories, and transcripts are scoped to
    the path-unique project rather than the reusable credential store.
  • Privileged volume ownership verifies daemon metadata. The fixed helper
    accepts only canonical mountpoints backed by ordinary option-free Docker
    named volumes and rejects binds, symlinks, nesting, and custom drivers.
  • The runtime drops unnecessary Linux capabilities. The devcontainer starts
    from cap_drop: ALL; NET_RAW remains absent and only fixed helper/firewall
    capabilities return.
  • Raw Docker access is hidden from the agent. The fixed helper socket sits
    behind a root-only directory that vscode cannot traverse.
  • The Docker proxy image is digest-pinned. Its verified multi-architecture
    digest prevents a mutable dependency from replacing the raw-socket holder.
  • Metadata blocking covers IPv4 and IPv6 providers. Always-on drops include
    IPv4/IPv6 link-local plus AWS and Alibaba metadata endpoints, independent of
    the optional full allowlist.
  • Firewall refreshes stay fail-closed. IPv4/IPv6 rules are built off-path
    and switched atomically; failed or prohibited DNS resolution leaves the
    active restrictive policy untouched.
  • CI publishing uses narrower credentials. Checkout credentials are not
    persisted and package-write permission exists only in the publishing job.
  • Registry publication is serialized across workflows. Release and
    security-refresh GHCR jobs share a non-cancelling lock, closing mutable-tag
    check-then-publish races without changing their workflow cancellation rules.
  • Managed path normalization cannot hide host aliases. Build contexts,
    workspace/control binds, project volumes, and networks are verified against
    the canonical checkout before installation-specific paths are normalized.
  • Unmanaged Dev Container startup hooks are rejected. Features and
    lifecycle commands fail validation before aic hands configuration off.
  • Compose startup behavior cannot be replaced silently. Command,
    entrypoint, healthcheck, and related service changes require review.
  • Managed Python ignores environment module injection. Post-create,
    sanitization, and credential sync run isolated from PYTHONPATH/PYTHONHOME.
  • Host variables cannot be forwarded silently. Active Compose interpolation
    or bare environment/build-arg pass-through requires exact-config trust without
    exposing the resolved value; literals and escaped templates remain prompt-free.
  • Managed startup environment cannot be shadowed silently. Overrides of
    tool homes, shell/Git startup, loader paths, or the Docker proxy endpoint now
    require explicit review before creation.
  • Validation output cannot inject terminal controls. Repository-controlled
    names, paths, and values are rendered safely in host-side findings.

v0.5.0

Choose a tag to compare

@github-actions github-actions released this 06 Jul 13:54
2b7c2b1

Changed

  • Docker socket write access is now off by default. The bundled
    socket-proxy ships read-only (POST/BUILD blocked), so an in-container
    agent can no longer docker run --privileged -v /:/host to escape or spawn
    firewall-dodging sibling containers. Opt in per project with aic init --docker (or aic sync --docker); --no-docker reverts.

Added

  • Cloud metadata / link-local egress is blocked on every container create.
    post-create drops 169.254.0.0/16 (including the 169.254.169.254 cloud
    metadata endpoint) via aic-firewall block-metadata, independent of the
    opt-in allowlist — closing the cloud-credential-theft path by default.
  • aic up / aic rebuild scan project-owned override files before starting.
    Flags host-access grants (privileged, cap_add, host mounts, the Docker
    socket, a non-aicontainer Dockerfile.project base) that ride along in an
    untrusted repo; prompts on a TTY. Silence with AIC_NO_OVERRIDE_SCAN=1.
  • The devcontainer runs with pids_limit: 4096. A fork-bomb / runaway-agent
    backstop so it can't exhaust host PIDs; raise it (or add mem_limit / cpus)
    in docker-compose.override.yml.
  • aic preflight reports the Docker socket state. The trust-boundary
    summary now shows whether the socket-proxy is read-only or read-write and
    notes the always-on metadata block.

v0.4.3

Choose a tag to compare

@github-actions github-actions released this 30 Jun 20:10
1affa65

Changed

  • Devcontainer name flipped back to the <folder>-aicontainer suffix. Was
    aicontainer-<folder>; leads each label with the project name so it reads
    first in VS Code's remote indicator. Re-derived on every aic init/aic sync
    and not hand-editable.

v0.4.2

Choose a tag to compare

@github-actions github-actions released this 09 Jun 15:05
7c99c56

Added

  • Starting the container from VS Code now runs the image/CLI drift check too.
    "Reopen/Rebuild in Container" drives devcontainer up directly (never the
    aic CLI), so the warning previously only appeared on aic up/shell/rebuild;
    it's now wired into the devcontainer's initializeCommand and logged to the
    Dev Containers output channel. Best-effort and never blocks the container from
    starting.

v0.4.1

Choose a tag to compare

@github-actions github-actions released this 09 Jun 13:57
f8e2dad

Added

  • aic up / aic shell / aic rebuild warn when the pinned image lags your aic.
    An offline check compares the :vX.Y.Z pinned in docker-compose.yml against
    the installed CLI and points at aic sync && aic rebuild to reconcile; on
    rebuild it fires before the pull, so you can abort and re-pin first.
    (Build-mode projects have no pin and are not checked.)
  • aic version / aic upgrade flag a newer published aicontainer. Queried
    from npm (the upgrade source of truth), cached for 24h, fail-silent, and
    skipped in CI. Silence both notifications with AIC_NO_UPDATE_CHECK=1.

v0.4.0

Choose a tag to compare

@github-actions github-actions released this 09 Jun 10:02
0a54ac1

Added

  • OpenCode joins Claude Code and Codex as a first-class tool. Baked into the
    image and auto-updated on every aic rebuild, with persistent login,
    per-project transcripts, and the shared .env/curl|sh guardrail wired in as
    an OpenCode plugin. Host ~/.config/opencode/opencode.json provider/model
    definitions are seeded read-only (inline API keys stripped — log in inside with
    opencode auth login); it's on by default, or choose it with
    aic init --with …,opencode. (aic, template/)

v0.3.1

Choose a tag to compare

@github-actions github-actions released this 09 Jun 07:57
5713c07

Changed

  • Refreshed bundled tools and base image. uv 0.11, fzf 0.73.1, and
    git-delta 0.19.2, plus a current Ubuntu 24.04 base-image digest.
    (template/Dockerfile)

v0.3.0

Choose a tag to compare

@github-actions github-actions released this 03 Jun 12:46
dd9ad9b

Added

  • Per-project VS Code extensions survive aic sync. A project-owned
    .devcontainer/vscode-extensions (one publisher.name id per line) is merged
    into customizations.vscode.extensions on every init/sync; invalid lines are
    warned about and skipped. (aic, template/devcontainer.json)
  • Per-project VS Code settings survive aic sync. A project-owned
    .devcontainer/vscode-settings.json object is merged into
    customizations.vscode.settings. README adds Python and TypeScript editor +
    agent-LSP recipes. (aic, README.md)
  • .devcontainer/README.md explains what to edit and what not to. Shipped
    into every project (both modes) to steer humans and AI agents away from
    hand-editing the sync-overwritten devcontainer.json toward the project-owned
    files. (template/README.md, aic)

v0.2.3

Choose a tag to compare

@github-actions github-actions released this 03 Jun 08:40
6567078

Added

  • post-create.py warns loudly when no git identity is configured. The
    sandbox inherits user.name/user.email from the read-only host
    ~/.gitconfig; if that was empty/broken at build time, git commit failed
    mid-session with a cryptic "Author identity unknown" and couldn't be fixed
    from inside. Container creation now flags it last with the host-side fix.
    (post-create.py)

v0.2.2

Choose a tag to compare

@github-actions github-actions released this 01 Jun 20:10
d9b0078

Added

  • Agents are told the read-only git internals are by design. post-create.py
    writes a managed note into ~/.claude/CLAUDE.md and ~/.codex/AGENTS.md so a
    tool stops burning tokens "fixing" the expected git config … Device or resource busy failure (and blocked .git/hooks installs). (post-create.py)