All notable user-facing changes to SandVault are documented in this file.
- Fix race condition and collisions in UID/GID allocation.
- Fix TOCTOU vulnerability in shared-folder ACL removal.
- Fix stdin processing so piped input works with
sv claudeandsv claude -- -p(e.g.echo "who are you" | sv claude) (#150)
- Remove
.zlogin/.zlogouthandling in the guest shell (#150)
- New
/svClaude Code skill for handing tasks off to sandvault directly from Claude Code - Automatically symlink
/svskill into~/.claude/skills/duringsv build
- Fix skill link path and improve terminal compatibility for the
/svskill
- Increase Chrome and iOS simulator startup timeouts from 5s to 15s for better reliability under load (#146)
- Pass
VERBOSEenvironment variable through to sandboxed processes
- Per-repo SSH deploy keys for cloned repositories (#139) — thanks @jesserobbins!
- Standalone
sv-clonecommand, replacing the previoussv --cloneflag (#133)
- File permissions no longer set the execute bit on regular files in the vault (#141)
- Fix sandvault user not being added to the sandvault group (#131)
- Forward
COLORTERMenvironment variable from host to guest for proper terminal color support (#131)
- Add iOS simulator sandbox bridge for testing mobile apps in the sandbox (#118)
- Make AI agents aware of browser endpoint via
SV_BROWSER_ENDPOINT(#116)
- Move session files to shared workspace so users can manage them directly (#117)
- Suppress noisy process-kill notifications when closing iOS simulator or browser sessions (#118)
- Fix Ensure AI agent scripts write header to stderr (#114) — thanks @nichenke!
- Fix OpenCode permission bypass so sandbox restrictions are properly enforced (#111) — thanks @MikeMcQuaid!
- Preserve user customizations to
.gitconfigand.claude.jsonacross sandbox sessions instead of overwriting them on each launch (#109)
- Add OpenCode agent support (#107) — thanks @MikeMcQuaid!
- Fix native install for Codex and Gemini agents when nvm is in use —
.npmrcprefix setting was breaking nvm
- Prevent keychain login dialog from popping up during sandbox sessions (#104)
- Native install option for AI agents (Claude, Codex, Gemini) — run agents directly on the host with sandboxed access to the current project
SANDVAULT_ARGSenvironment variable for setting defaultsvarguments
No user-facing changes. This release includes internal CI fixes.
No user-facing changes. This release includes internal release tooling fixes.
No user-facing changes. This release includes internal CI and release tooling improvements.
No user-facing changes. This release includes internal CI and release tooling improvements.
- Fix version number not being updated in
svbinary during 1.2.0 release (#94)
- Add browser automation and testing support
- Fix xargs error when no files synced with rsync
- Fix session-exit cleanup scope bug — thanks @MikeMcQuaid!
- Warm up quarantined Homebrew tools to prevent first-run delays — thanks @MikeMcQuaid!
- Fix WORKSPACE path to use Homebrew opt/ symlink instead of Cellar
- Fix SSH mode when Remote Login is set to "All users" — thanks @jesserobbins!
- Add
--fix-permissionsflag, umask detection, and permission hardening — thanks @jesserobbins!
- Move custom configuration to
$SHARED_WORKSPACE/user
- Fix zprofile PATH bootstrapping — thanks @MikeMcQuaid!
- Fix install detection for AI agents
- Fix initial directory when not cloning
- Handle user directory being a symlink — thanks @MikeMcQuaid!
- Speed up
--clonefor sandvault user accessible repositories — thanks @MikeMcQuaid!
- Fix permissions errors when cloning repositories
- Remove sandvault user from staff group for better isolation
- Add
sv --cloneto clone repositories into the sandbox — thanks @MikeMcQuaid!
- Allow "." and ".." as repo names by resolving paths fully
- Search for Claude at native install location
- Enable running sandvault inside sandvault (nested sandboxes)
- Use Bash 3.2 for all scripts to ensure macOS compatibility
- Rename
VERBOSEenv-var toSV_VERBOSE
- Fix scripts to trap on error for better reliability
- Add strict sandbox disk write rules for tighter security
- Allow running
/bin/psin sandbox
- Add
--no-sandboxoption to disable use of sandbox-exec
- Fix ACL traversal for sandvault shared workspace
- Fix PATH ordering:
/opt/homebrew/binbefore/bin
- Clean up sandvault-configure sentinel files
- Fix file ownership ordering for sandvault files
- Fix quoting and stdin-piping for SSH mode
- Fix sudoers: move validated file to sudoers.d to avoid writing corrupted data
- Reduce sudoers privileges for better security
- Revert sudoers fix (hotfix release)
- Fix workspace resolution for Homebrew installations
- Remove overly permissive sudoers rule
- Reduce Homebrew dependencies — thanks @MikeMcQuaid!
- Improve rsync file ownership handling
- Improve SSH connectivity check
- Improve environment setup in sandbox execution
- Add shell command argument passing support
- Propagate exit codes from sandbox commands
- Show AI agent is running as sandvault user
- Fix zsh profile files for non-interactive use
- Fix race condition in multi-instance session cleanup
- Fix TMPDIR ownership by creating it as sandvault user
- Block access to external drives using sandbox-exec
- Check SSH group membership before adding user
- Set unique TMPDIR to avoid conflicts between users
- Avoid unnecessary brew install commands
- Continue running when Remote Login is disabled (unless mode=SSH)
- Add
--yoloflag for Gemini to match Claude/Codex
- Add support for Google Gemini
- Add support for OpenAI Codex
- Add pass-through arguments to claude/codex/shell commands
- Shorten shared directory name to
sv-$USER - ACL-based permissions with per-user sandboxes
- Fix reversed comparison that prevented sandvault shutdown
- Fix npm install location for claude & codex
- Fix missing arguments failure — thanks @MikeMcQuaid!
- Fix symlink resolution for script directory — thanks @AlessandroW!
- Fix Homebrew bootstrapping in sandbox — thanks @AlessandroW!
- Use less opinionated zshrc defaults — thanks @MikeMcQuaid!
- Resync sandvault
$HOMEevery run without password prompt - Improve shared workspace permission management
- Remove git-lfs dependency — thanks @MikeMcQuaid!