Skip to content

v0.6.0

Choose a tag to compare

@github-actions github-actions released this 13 Jul 13:54
5f69e91

Added

  • Local rootless Docker contexts work without extra flags. aic discovers
    the selected Unix socket and regenerates a gitignored host-only environment
    file, while remote Docker contexts still fail closed.
  • Host readiness can be checked before startup. aic doctor reports
    prerequisites and project wiring as concise OK/WARN/FAIL results.
  • Project state is visible without mutation. aic status summarizes the
    project identity, modes, image/runtime, credential-bridge health, and
    managed volumes.
  • Resolved validation is available for CI. aic validate applies the full
    gate noninteractively without prompting or recording trust.
  • aic startup validates resolved project config before handoff. CLI starts
    check managed files plus the fully merged Compose model; the generated VS
    Code initializer repeats the gate before Compose creation.
  • Reviewed host access can be trusted without repository state. aic trust
    records approval for the exact relevant config hash outside the checkout;
    changes automatically invalidate it.
  • Unsafe access can be approved for one run. --allow-unsafe carries an
    exact configuration hash through up/rebuild without persisting approval;
    unbounded build contexts require this per-run review.
  • Docker inspection is now a separate opt-in mode. --docker-read enables
    host object list/inspect APIs without writes, while --docker remains the
    explicit read-write choice and --no-docker revokes either.
  • Shell completions cover every aic command. aic completion emits
    ready-to-install Bash, Zsh, or fish completions for commands and flags.

Changed

  • Docker object access is off by default. The proxy exposes only ping and
    version until the host user explicitly consents, hiding unrelated container,
    image, network, volume, log, and file metadata.
  • Projects receive path-unique runtime identities. Compose resources and
    session volumes include a canonical-path hash; existing transcript data is
    migrated automatically without another login.
  • The shared session root has a tool-neutral name. Container state now lives
    below ~/.aic-sessions; legacy .claude-sessions data is carried forward.
  • Host preferences pass through an isolated sanitizer. A fixed networkless
    service sees the raw Git/tool files and gives the agent only root-owned,
    allowlisted JSON output.
  • Tool homes are isolated while logins remain reusable. Credentials sync
    through a fixed networkless helper, while config, instructions, plugins,
    prompt history, and transcripts stay in each project's volume.
  • Git config is installed behind a root boundary. Only fixed safe host
    preferences survive parsing, and the validated result is created once as
    root:root 0444 with executable/path-bearing keys refused.
  • Shell startup ignores writable home profiles. Zsh, Bash, and fish launch
    from root-managed system config, preventing next-session persistence without
    importing host rc code.
  • AI safety policy uses managed system precedence. Claude, Codex, and
    OpenCode autonomous settings plus the shared guardrail cannot be disabled by
    user-level tool config.
  • Container creation no longer resolves Python dependencies. Post-create,
    seed sanitization, and credential sync use system Python plus a hash-pinned
    baked TOML writer, improving offline startup and removing a pre-policy fetch.
  • Weekly images refresh their base layers reliably. Scheduled/manual image
    builds pull current bases and bypass stale caches while pinned release tags
    remain reproducible.
  • Package metadata now names all supported agents. The npm description and
    keywords include OpenCode.
  • Packed artifacts exclude development debris. Python caches/bytecode and
    operating-system metadata no longer enter the npm tarball.

Fixed

  • Codex refresh follows its supported unattended path. Rebuilds rerun the
    official standalone installer instead of relying on installation-method
    detection that can reject a valid standalone release.
  • Fresh projects initialize isolated customization roots. Claude and Codex
    skill, command, rule, prompt, and plugin directories exist before first use
    and remain confined to the path-unique project volume.
  • Large changelogs no longer block valid release tags. The local pre-push
    mirror avoids a pipefail/SIGPIPE false negative after finding an early
    matching version section.
  • Compose validation works across supported host versions. Managed Docker
    socket mounts retain raw interpolation inspection on Compose 2.38.x instead
    of failing before the security gate can evaluate project overrides.
  • Sync does not inherit unconsented Docker access. Repository-only proxy
    modes reset to none; users who need Docker opt in once and record host
    consent explicitly.
  • VS Code selects a compatible host CLI. Direct editor starts skip old
    aic installs that lack managed initialization, scan every supported
    Node-manager fallback, and print an actionable upgrade command when needed.
  • Same-named checkouts no longer share containers or transcripts. Legacy
    cleanup requires an exact owned primary, permits only fixed unlabeled
    sidecars, and never removes arbitrary orphans. Transcript import verifies the
    actual session mount and absence of a conflicting owner; ambiguity is
    preserved rather than guessed.
  • Symlinked control paths are rejected. Host-side init/sync refuses links or
    special files at managed and project-owned control inputs instead of
    following them outside the repository.
  • Managed template replacement is atomic. Files and hooks are staged beside
    their destination before rename.
  • Mode switches remove stale managed artifacts. Switching to pull mode
    removes every build-only file so later syncs cannot flip modes accidentally.
  • VS Code settings cannot escape their merge point. Project settings are
    parsed and re-serialized as strict JSON; invalid input and managed-key
    collisions are warned and skipped.
  • Non-interactive destroy requires explicit confirmation. aic destroy
    now needs --yes when no terminal is present instead of treating closed
    input as permission to delete history.
  • Release retries preserve immutable artifacts. Reruns reuse verified
    version images and matching npm publications, advancing :latest only from
    the current npm release to prevent accidental overwrite or rollback.
  • Legacy image recovery cannot widen an unknown artifact. Unannotated GHCR
    versions require a matching immutable npm tarball and are never promoted to
    :latest.

Security

  • Seeded config no longer carries literal credentials. Inline provider and
    MCP environment/header secrets are stripped recursively across Claude,
    Codex, and OpenCode.
  • Cross-project prompt persistence is blocked. Auto-loaded memory, skills,
    commands, rules, prompts, plugins, histories, and transcripts are scoped to
    the path-unique project rather than the reusable credential store.
  • Privileged volume ownership verifies daemon metadata. The fixed helper
    accepts only canonical mountpoints backed by ordinary option-free Docker
    named volumes and rejects binds, symlinks, nesting, and custom drivers.
  • The runtime drops unnecessary Linux capabilities. The devcontainer starts
    from cap_drop: ALL; NET_RAW remains absent and only fixed helper/firewall
    capabilities return.
  • Raw Docker access is hidden from the agent. The fixed helper socket sits
    behind a root-only directory that vscode cannot traverse.
  • The Docker proxy image is digest-pinned. Its verified multi-architecture
    digest prevents a mutable dependency from replacing the raw-socket holder.
  • Metadata blocking covers IPv4 and IPv6 providers. Always-on drops include
    IPv4/IPv6 link-local plus AWS and Alibaba metadata endpoints, independent of
    the optional full allowlist.
  • Firewall refreshes stay fail-closed. IPv4/IPv6 rules are built off-path
    and switched atomically; failed or prohibited DNS resolution leaves the
    active restrictive policy untouched.
  • CI publishing uses narrower credentials. Checkout credentials are not
    persisted and package-write permission exists only in the publishing job.
  • Registry publication is serialized across workflows. Release and
    security-refresh GHCR jobs share a non-cancelling lock, closing mutable-tag
    check-then-publish races without changing their workflow cancellation rules.
  • Managed path normalization cannot hide host aliases. Build contexts,
    workspace/control binds, project volumes, and networks are verified against
    the canonical checkout before installation-specific paths are normalized.
  • Unmanaged Dev Container startup hooks are rejected. Features and
    lifecycle commands fail validation before aic hands configuration off.
  • Compose startup behavior cannot be replaced silently. Command,
    entrypoint, healthcheck, and related service changes require review.
  • Managed Python ignores environment module injection. Post-create,
    sanitization, and credential sync run isolated from PYTHONPATH/PYTHONHOME.
  • Host variables cannot be forwarded silently. Active Compose interpolation
    or bare environment/build-arg pass-through requires exact-config trust without
    exposing the resolved value; literals and escaped templates remain prompt-free.
  • Managed startup environment cannot be shadowed silently. Overrides of
    tool homes, shell/Git startup, loader paths, or the Docker proxy endpoint now
    require explicit review before creation.
  • Validation output cannot inject terminal controls. Repository-controlled
    names, paths, and values are rendered safely in host-side findings.