Security updates:
- The agent's API key stays host-side by default
- The :overlay capability-escape mode is retired
- --network-isolated no longer trusts the agent container with CAP_NET_ADMIN
- :copy now honors .gitignore
Other updates:
- Native per-agent turn-completion detection
- A new headless run verb
- File-defined agents
- Crash-safe data-dir migration framework.
Highlights
Credential brokering by default (security)
When an agent's credential is brokerable (Claude ANTHROPIC_API_KEY or subscription CLAUDE_CODE_OAUTH_TOKEN) and the backend can host a host-side injector (Linux docker/podman) and networking is open, yoloai now runs a small host-side reverse proxy and points the agent at it (the real credential is held host-side and never enters the container).
Previously the key was written into the container environment and brokering was opt-in. Opt out with --no-broker (sticky across restart).
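The brokering pattern described above, as an added example rather than yoloai's own implementation: a loopback reverse proxy holds the real key, the container is handed only a placeholder, and the proxy strips any credential header the container sends before attaching the real one on the way out. The header name x-api-key, the /v1/messages path, the stub upstream and the key values are assumptions made for the example.

```python
"""Host-side credential broker: an added illustration of the pattern described
above, not yoloai's own code. The real key never leaves the host process; the
container talks to a loopback reverse proxy that attaches the key on the way
out and strips any credential headers the container sent. Header names, paths
and the upstream URL are assumptions made for the example."""
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

REAL_KEY = "sk-host-side-REAL-KEY-constructed"            # held only on the host
PLACEHOLDER_KEY = "sk-container-placeholder-constructed"  # all the container sees

# Credential-bearing headers the broker never forwards from the container.
CREDENTIAL_HEADERS = {"authorization", "x-api-key"}
# Framing / hop-by-hop headers the proxy sets itself rather than forwarding.
NON_FORWARDED = {"host", "connection", "keep-alive", "transfer-encoding", "content-length"}


def broker_headers(client_headers, real_key, header_name="x-api-key"):
    """Headers to send upstream: client headers minus credential and framing
    headers, plus the host-held key under header_name."""
    out = {k: v for k, v in client_headers.items()
           if k.lower() not in CREDENTIAL_HEADERS | NON_FORWARDED}
    out[header_name] = real_key
    return out


def _opener():
    # Ignore proxy environment variables so loopback traffic stays on loopback.
    return urllib.request.build_opener(urllib.request.ProxyHandler({}))


def _reply(handler, status, ctype, body):
    handler.send_response(status)
    handler.send_header("Content-Type", ctype)
    handler.send_header("Content-Length", str(len(body)))
    handler.end_headers()
    handler.wfile.write(body)


def make_broker(upstream_url, real_key):
    """Handler class for the host-side proxy the container is pointed at."""
    class Broker(BaseHTTPRequestHandler):
        def do_POST(self):
            body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
            req = urllib.request.Request(
                upstream_url + self.path, data=body, method="POST",
                headers=broker_headers(dict(self.headers), real_key))
            try:
                resp = _opener().open(req)
                status = resp.status
            except urllib.error.HTTPError as err:
                resp, status = err, err.code  # pass upstream errors through unchanged
            with resp:
                _reply(self, status,
                       resp.headers.get("Content-Type", "application/octet-stream"),
                       resp.read())

        def log_message(self, *args):  # keep the example quiet
            pass
    return Broker


def make_upstream(seen):
    """Stand-in for the real API: records the credentials it receives."""
    class Upstream(BaseHTTPRequestHandler):
        def do_POST(self):
            self.rfile.read(int(self.headers.get("Content-Length", 0)))
            seen["x-api-key"] = self.headers.get("x-api-key")
            seen["authorization"] = self.headers.get("authorization")
            _reply(self, 200, "application/json", b'{"ok":true}')

        def log_message(self, *args):
            pass
    return Upstream


def _serve(handler):
    srv = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d" % srv.server_address[1]


def demo():
    """Run the upstream stub and the broker on loopback, send one request from
    the 'container' (placeholder key only), and return what the upstream saw
    plus the body relayed back to the container."""
    seen = {}
    upstream, upstream_url = _serve(make_upstream(seen))
    broker, broker_url = _serve(make_broker(upstream_url, REAL_KEY))
    req = urllib.request.Request(
        broker_url + "/v1/messages", data=b'{"prompt":"hi"}', method="POST",
        headers={"x-api-key": PLACEHOLDER_KEY, "Content-Type": "application/json"})
    with _opener().open(req) as resp:
        body = resp.read()
    broker.shutdown()
    upstream.shutdown()
    return seen, body


if __name__ == "__main__":
    print(demo())
```

The check worth keeping from this: the upstream must see only the host-held key, and whatever the container puts in Authorization or x-api-key must be dropped rather than merged, otherwise a prompt-injected agent could steer requests to a credential of its choosing. A real broker would also bind only to an address the sandbox can reach and refuse paths outside the API it fronts.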
:overlay retired; crash-safe system migrate
:overlay is removed because it required CAP_SYS_ADMIN in the agent container, a host-escape primitive on rootful Docker. :copy delivers the same protect-original / review-before-apply workflow with no elevated capability and is cheap on modern filesystems.
IMPORTANT: yoloai system migrate (v3→v4) auto-converts existing overlay sandboxes to :copy, capturing the running merged tree (gitignored and uncommitted files included) verbatim.
The migration runs on a new crash-safe promotion framework (build-new → repopulate → atomic swap), resumable across a crash at any rename boundary, so an interrupted migrate never strands a half-converted sandbox.
Tamper-resistant network isolation
--network-isolated no longer grants the agent container CAP_NET_ADMIN. A short-lived netns-sharing sidecar installs the firewall rules and exits, so a prompt-injected agent can't alter its own allowlist and no privileged process persists.
:copy honors .gitignore
Inside a git work tree, :copy now copies only project files (tracked plus untracked-but-not-ignored); ignored files (.env, keys, local config) stay out of the sandbox and never appear in diffs. Use the new :copy-all suffix for the previous copy-everything behavior.
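The file selection described here, as an added example that is not yoloai's own copy code: git itself already knows which paths are tracked or untracked-but-not-ignored, so the copy is driven by that listing and an ignored .env never reaches the sandbox. The constructed repository layout and the placeholder secret are assumptions; the example needs the git binary on PATH.

```python
"""Gitignore-aware copy: an added illustration of the file selection the
release notes describe for :copy, not yoloai's own code. Tracked files plus
untracked-but-not-ignored files are copied; anything matched by .gitignore
(.env, keys, local config) never reaches the sandbox. Needs the git binary."""
import os
import shutil
import subprocess
import tempfile


def project_files(repo):
    """Relative paths git treats as project files: index entries (--cached)
    plus untracked files not matched by ignore rules (--others
    --exclude-standard). NUL-separated output is safe for odd file names."""
    out = subprocess.run(
        ["git", "-C", repo, "ls-files", "--cached", "--others", "--exclude-standard", "-z"],
        check=True, capture_output=True).stdout
    return sorted(p for p in out.decode("utf-8", "surrogateescape").split("\0") if p)


def copy_project(src, dst):
    """Copy project files from src into dst, preserving relative paths.
    Tracked files deleted from the work tree are still in the index, so skip
    anything that no longer exists on disk."""
    copied = []
    for rel in project_files(src):
        source = os.path.join(src, rel)
        if not os.path.isfile(source):
            continue
        target = os.path.join(dst, rel)
        os.makedirs(os.path.dirname(target), exist_ok=True)
        shutil.copy2(source, target)
        copied.append(rel)
    return copied


def demo():
    """Constructed repo: a tracked .gitignore and main.py, an untracked
    notes.md, and an ignored .env holding a placeholder secret. Returns the
    relative paths that landed in the sandbox copy."""
    root = tempfile.mkdtemp()
    try:
        src, dst = os.path.join(root, "src"), os.path.join(root, "sandbox")
        os.makedirs(src)
        os.makedirs(dst)

        def git(*args):
            return subprocess.run(["git", "-C", src, *args], check=True, capture_output=True)

        git("init", "-q")
        files = {".gitignore": ".env\n",
                 "main.py": "print('hi')\n",
                 "notes.md": "untracked but not ignored\n",
                 ".env": "API_KEY=placeholder-not-a-real-secret\n"}  # constructed
        for name, text in files.items():
            with open(os.path.join(src, name), "w") as fh:
                fh.write(text)
        git("add", ".gitignore", "main.py")
        copy_project(src, dst)
        return sorted(os.listdir(dst))
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo())
```

Because the selection comes from git's own ignore evaluation (global excludes and .git/info/exclude included via --exclude-standard), the sandbox copy cannot drift from what `git status` would show; the trade-off is that a file you forgot to ignore is copied like any other, which is exactly what :copy-all also does.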
Native turn-completion detection
Per-agent native turn-completion strategies replace heuristic idle-guessing: Gemini / Codex / OpenCode / Aider via their own hooks, Claude via resume. Done/idle detection is now driven by the agent, with a fall-to-shell fallback for heuristic agents.
Headless yoloai run
yoloai run is a new headless run-to-completion verb.
File-defined agents
File-defined agents let you drop a ~/.yoloai/.../agents/*.yaml to add an agent, alongside agnostic context injection and an enriched capability catalog.
Public embedding surface
The runtime, store, and copy/diff/apply packages are now public, with per-sandbox agent.json / netpolicy.json config (for embedders building on yoloai as a library).
Notable fixes
- prune: devmapper host-reclaim is now discard-accurate and accounts for the containerd content store; orphans are identified by com.yoloai.* labels, not by name.
- launch: bounded retry for the network-isolation firewall sidecar; podman keepalive bring-up fixed.
- tart: don't recommend deleting a base VM pinned by tart.image; teardown verified on macOS.
- mcp: list hidden files; diff-handler corrections (still experimental).
- store: warn when the data dir is on a network filesystem.
- doctor: render description-only fix steps.
Breaking changes
Four breaking changes — see docs/BREAKING-CHANGES.md for details and migration steps:
- :overlay directory mode removed (auto-migrated to :copy by system migrate).
- --network-isolated: the agent container no longer holds CAP_NET_ADMIN (a sidecar installs the firewall).
- :copy honors .gitignore (opt out with :copy-all).
- Credential brokering is the default on supported backends (opt out with --no-broker).
Upgrading
Run yoloai system migrate after updating.
Full Changelog: v0.5.2...v0.6.0