Sandbox base image moves to Debian 13, :copy keeps git history, Claude
Code v2.1.x compatibility, and yoloai system prune now reclaims leaked
host-side artifacts. See docs/BREAKING-CHANGES.md for the three breaking
changes.
Breaking changes (docs/BREAKING-CHANGES.md)
- Sandbox base image is now Debian 13 (trixie): system Python 3.13, aider
isolated on a uv-managed Python 3.12, binutils-gold for arm64 cgo. The
base rebuilds automatically on next use. :copynow preserves git history (CoW-clones the source .git), so
log/blame/bisect and repo filters (LFS, git-crypt) work. Opt out with
:copy-strict/--copy-strict/ profilecopy_strict:where a repo has
un-rotated secrets in history.- A failed or interrupted
yoloai new/runno longer leaves a half-created
sandbox behind — it rolls back completely, so re-running the same command
is clean.
Security
- Copy-mode work-copy git is now confined on the apple and seatbelt backends
too (per-container VM exec on apple; a dedicated tight sandbox-exec profile
on seatbelt), closing the last host-side path where an agent-planted
.git/config filter could execute on the host (audit C1). - core.fsmonitor is disabled on all yoloai-invoked git, removing the
fsmonitor-command execution vector.
Features
yoloai system prunereclaims leaked host-side artifacts, not just
containers: orphaned credential-broker processes, CNI network namespaces +
IPAM leases, and (macOS/seatbelt) leaked tmux servers and their
status-monitor/setup process group.yoloai doctorsurfaces them.
Dry-run lists everything before anything is reaped.- The apple backend now reclaims build cache + dangling images in
system prune.
Fixes
- Claude Code v2.1.x compatibility: seed onboarding-complete + folder-trust
and map rootless-podman keep-id onto the yoloai uid, so the agent no longer
hangs on the new theme/trust/permissions startup dialogs. - containerd/Kata: re-establish the network namespace on restart (a Stop then
Start no longer fails with "ttrpc: closed"). - apple: stop
container exec -t's ONLCR from corrupting tmux scroll
rendering. - system prune: no longer counts running containers' writable layers as
reclaimable, and drops the misleading "--dry-run" wording from the internal
scan; the netns firewall sidecar now carries com.yoloai.* labels so a
crash-leak stays reclaimable. - network:
sandbox allowedreads the network mode from netpolicy rather than
from container inspection. - seatbelt (macOS): the host agent launch now discovers node on the host PATH
(Homebrew, keg-only node@22, nvm) instead of assuming it, and no longer
crashes the launch when node is absent — fixing a start failure on the
seatbelt backend. - system check now recognizes on-disk / Keychain credentials, not just
env-var API keys, when reporting agent auth status. - smoke harness tolerates invalid UTF-8 in captured agent-TUI output, and
labels an upstream Anthropic API overload (HTTP 529) as such instead of a
generic timeout.
Developer / CI
- Mandatory-infrastructure test policy (D112): an absent but platform-possible
backend/tool now fails rather than silently skipping; sole carve-out is
YOLOAI_TEST_UNCONTROLLED_BACKENDS. Smoke tiers:smoketest(full matrix) /
smoketest-quick(container core). make checknow lints and vets every non-host platform, not just the host
(LINT_PLATFORMS), so a lint/build issue in a //go:build file is caught
whichever OS runs the gate.sudo make releasetestruns green (unit gate + integration escalation are
sudo-safe; the Go/uv toolchain PATH is recovered under sudo).
Install: download the archive for your platform below and extract the yoloai binary,
brew install kstenerud/tap/yoloai, or go install github.com/kstenerud/yoloai/cmd/yoloai@latest.
Verify with checksums.txt (+ the cosign signature / build provenance).