Releases: milankinen/airlock

v2026.4.11

29 Apr 19:07

  • Bundled and distroless darwin-x86_64 builds now ship alongside the arm64 macOS and Linux ones; install.sh auto-detects Intel Macs.
  • [env].HOME now drives container-side ~ expansion.
  • The project disk image now reclaims deleted blocks back to the host every 10 minutes instead of staying at its high-water mark. (#4)
  • Periodic file descriptor reclaiming (every 5 minutes) (#5)

Full Changelog: v2026.4.10...v2026.4.11

v2026.4.10

25 Apr 17:55
44fea72

  • Personal monitor settings. Added buffer caps, terminal scrollback, and key bindings for the --monitor TUI as settings in ~/.airlock/settings.toml.
  • Project sub-directory masking. A new [mask.<name>] config option mounts an empty directory over chosen project paths inside the VM, so AI agents can't see sensitive projects in, e.g., a monorepo. Masking happens inside the VM: this is invisibility, not a hard security boundary.
  • User-level airlock.toml moved to ~/.airlock/. The user-level slot in airlock's config hierarchy is now ~/.airlock/config.<ext> (was ~/.cache/airlock/config.<ext>).

Full Changelog: v2026.4.9...v2026.4.10

v2026.4.9

24 Apr 15:19

  • Replaced LuaJIT with PUC Lua 5.4, still trying to fix (#3)

Full Changelog: v2026.4.8...v2026.4.9

v2026.4.8

24 Apr 14:10

  • Added com.apple.security.cs.allow-jit entitlement to prevent macOS kernel from killing the CLI process
    when LuaJIT starts JITting the network middleware (#3)

Full Changelog: v2026.4.7...v2026.4.8

v2026.4.7

23 Apr 18:02
c6fdbc8

  • More robust macOS VM backend. Closes off the two most-likely paths for the rare "sandbox disappeared with a broken terminal" failure: any framework error is now caught cleanly instead of aborting the process, and a late-arriving VM callback can no longer touch freed memory.
  • Silent-exit diagnostics. If the CLI ever does exit abnormally, the log now survives restarts (trimmed to about a megabyte on open) and captures every Rust panic or fatal native signal. A final exit-code line marks clean shutdowns — its absence tells you where the process actually died.
  • Airlock version shown in the log and on the monitor tab.
  • Monitor TUI usability. Pressing q closes an open details pane before returning to the sandbox. Text-selection mode now exits on any keypress or on jumping back to the monitor tab — no more getting stranded with passthrough mouse.

Full Changelog: v2026.4.6...v2026.4.7

v2026.4.6

22 Apr 23:42

  • Container egress works on docker bridge networks. All VM TCP egress (including container netns traffic) is intercepted by a smoltcp userspace stack on an in-VM TUN device. The iptables REDIRECT → 127.0.0.1:15001 path and its network_mode: host workaround for Docker are gone. The docker example now uses standard bridge networking + ports: publishing.
  • Network RPC on a dedicated vsock. Bulk byte relays can no longer head-of-line-block pty keystrokes, pollStats, or daemon shutdown. The supervisor and network channels have independent socket buffers and flow control.
  • Host wall-clock pushed to the guest every minute. The VM clock no longer drifts after laptop sleep / suspend, so TLS cert checks and mtime-driven build tools keep working across host wakeups.
  • More informative guest-process logging during airlock start.
  • Fix airlock start failure on macOS for deeply nested project paths. The CLI socket now falls back to ~/.cache/airlock/sock/<hash>.sock when the in-sandbox path would exceed the AF_UNIX 104-byte limit. airlock exec finds it automatically via the same hash. (#2)

Full Changelog: v2026.4.5...v2026.4.6

v2026.4.5

21 Apr 23:58
43a524a

  • Add [daemons.<name>] sidecar process support, with docker example demonstrating dockerd-as-daemon
  • Add reverse port forwards (host → guest)
  • Add network passthrough opt-in for non-HTTP protocols
  • Make Docker-in-VM work: kernel config (networking and overlayfs) + /tmp tmpfs
  • Fix overlayfs ESTALE on remount and xattr whiteout readdir leak

Full Changelog: v2026.4.4...v2026.4.5

v2026.4.4

20 Apr 22:54

  • macOS binary signing with Developer Application certificate and stable identity (needed for Keychain to remember the application over version updates)
  • Monitor: coloring fixed for light terminal themes.
  • Secrets CLI: secret / ls / rm renamed to secrets / list / remove (old names kept as aliases).
  • Secrets CLI: airlock secrets list now shows a masked preview (****… + last 2–4 chars) to help tell similarly-named tokens apart.
  • Secrets CLI: output formatting tightened.
  • Network middleware: unresolved ${VAR} references now abort airlock start with a clear error instead of silently sending an empty Authorization header.
  • OCI image pulling: progress bars re-skinned and now continue through tar extraction (downloading → extracting → ready / cached) instead of stalling at "done".
  • Docs: user manual reorganized — Presets lifted to a top-level section with per-agent chapters (Claude Code, Copilot CLI, OpenAI Codex); Monitor dashboard moved under Usage.
  • Docs: README rewritten with an end-to-end Claude Code quickstart.
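
The network middleware change above (unresolved ${VAR} references abort start instead of yielding an empty Authorization header) is a fail-closed template expansion. The following is an added illustration, not airlock's own code: the function names, the sample variables and the choice to treat empty values as unresolved are assumptions of this example.

```rust
use std::collections::HashMap;

// Expands `${NAME}` references; returns the text plus the names that had no
// non-empty value. Treating empty values as unresolved is this example's choice.
fn expand(template: &str, vars: &HashMap<&str, &str>) -> (String, Vec<String>) {
    let (mut out, mut missing) = (String::new(), Vec::new());
    let mut rest = template;
    while let Some(start) = rest.find("${") {
        out.push_str(&rest[..start]);
        let after = &rest[start + 2..];
        let Some(end) = after.find('}') else {
            // Unterminated reference: report it instead of emitting it verbatim.
            missing.push(after.to_string());
            rest = "";
            break;
        };
        let name = &after[..end];
        match vars.get(name) {
            Some(v) if !v.is_empty() => out.push_str(v),
            _ => missing.push(name.to_string()),
        }
        rest = &after[end + 1..];
    }
    out.push_str(rest);
    (out, missing)
}

// Lenient form: unresolved names silently become "" (the old failure mode).
fn expand_lenient(template: &str, vars: &HashMap<&str, &str>) -> String {
    expand(template, vars).0
}

// Strict form: any unresolved reference is a start-up error naming the variable.
fn expand_strict(template: &str, vars: &HashMap<&str, &str>) -> Result<String, String> {
    let (out, missing) = expand(template, vars);
    if missing.is_empty() {
        Ok(out)
    } else {
        Err(format!("unresolved variable reference(s): {}", missing.join(", ")))
    }
}

fn main() {
    // Constructed sample: GITHUB_TOKEN is set, API_TOKEN is not.
    let vars = HashMap::from([("GITHUB_TOKEN", "tok_constructed")]);
    let header = "Bearer ${API_TOKEN}";
    println!("lenient: {:?}", expand_lenient(header, &vars));
    println!("strict:  {:?}", expand_strict(header, &vars));
}
```

The lenient result is a header value of "Bearer " with no credential, which a server may reject or treat as anonymous; the strict form surfaces the misconfiguration before any request is sent.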

Full Changelog: v2026.4.3...v2026.4.4

v2026.4.3

20 Apr 08:45

  • q on the Monitor tab no longer kills the sandbox — it switches back to the Sandbox tab. Use Ctrl+D to exit.

Full Changelog: v2026.4.2...v2026.4.3

v2026.4.2

20 Apr 01:33

  • Default secret vault backend changed from encrypted-file to the OS keyring (macOS Keychain / Linux Secret Service). Headless boxes can still opt out with vault.storage = "encrypted-file".

Full Changelog: v2026.4.1...v2026.4.2