Highlights
This release lands sandbox profiles with multi-policy support (#2904), giving operators reusable governance posture per sandbox and letting policy be configured before login. Workspace and worktree handling is more resilient: sandboxes stay recoverable when their workspace or worktree is removed from the host, and macOS /private paths work correctly with --branch. Networking gains per-sandbox hostname tracking via gVisor SwapStubResolver and binds both loopback stacks by default on publish. The kits experience is more dynamic — startup commands re-run on every container start, installed kits show up in the AI file, and each kit can supply its own progressive-disclosure memory file.
What's New
Governance & Profiles
- Introduce sandbox profiles and multi-policy support (#2904)
- Allow policy setup before login (#2903)
Networking
- Bind both loopback stacks by default on publish (#2830)
- Use gVisor
SwapStubResolverfor per-sandbox hostname tracking (#2693)
Daemon
- Capture shim/vmm logs into
daemon.log(#2873)
Kits
- Re-run
commands.startupon every container start (#2842) - Per-kit memory files for progressive disclosure (#2899)
- Enumerate installed kits in AI file Kits section (#2906)
Bug Fixes
- Keep sandboxes recoverable when workspace or worktree is deleted on host (#2928)
- Add macOS
/privatepath compatibility for worktrees (#2875) - Skip implicit run options when user provides explicit args (#2880)
- Sanitize runtime ID when looking up gVisor network (#2949)
- Allow raw TCP to
host.docker.internalwhen localhost is allowed (#2929) - Print "Git repository detected" once when using
--branch(#2923) - Open sentinel connection in
cpandkit addto prevent auto-stop race (#2910) - Remove redundant
ContainerKillbeforeContainerRemove(#2909) - Report Docker daemon startup time instead of pre-start message (#2854)
Documentation
- Warn agents about worktree path traps with
--branch(#2932)