v0.5.2 — Backend reliability fixes (Tart UTF-8, Docker rebuild churn)

Patch release. No breaking changes (BREAKING-CHANGES.md unchanged since v0.5.0).
User-facing backend reliability fixes plus prune/build hardening.

Tart:
- Force UTF-8 on tmux attach (tmux -u) so the agent renders Unicode instead of
  ASCII — tart exec gives the attach client a C locale, which made tmux paint
  the logo and status-line emoji as underscores.
- Retry the VM work-dir git setup through the firstlaunch storm.

Docker:
- Stop rebuilding yoloai-base from scratch on every smoke run on the Docker
  Desktop containerd store: imageExists now cross-checks a transient
  ImageInspect NotFound against ImageList (with a bounded warm-up backoff)
  instead of trusting a single flaky probe.

Prune:
- Warn when a stale lock can't be removed.
- Report temp-dir removal failures instead of swallowing them.

Build / CI / tests:
- Gate the Tart base-image build on macOS + Apple Silicon only.
- Bump astral-sh/setup-uv (v5 to v7) and golang.org/x/sys + golang.org/x/term.
- Smoke harness captures each prereq base-image build into the run dir.

Verified: make releasetest passed on macOS and Linux.

v0.5.2 — Backend reliability fixes (Tart UTF-8, Docker rebuild churn)

Patch release. No breaking changes (BREAKING-CHANGES.md unchanged since v0.5.0).
User-facing backend reliability fixes plus prune/build hardening.

Tart:
- Force UTF-8 on tmux attach (tmux -u) so the agent renders Unicode instead of
  ASCII — tart exec gives the attach client a C locale, which made tmux paint
  the logo and status-line emoji as underscores.
- Retry the VM work-dir git setup through the firstlaunch storm.

Docker:
- Stop rebuilding yoloai-base from scratch on every smoke run on the Docker
  Desktop containerd store: imageExists now cross-checks a transient
  ImageInspect NotFound against ImageList (with a bounded warm-up backoff)
  instead of trusting a single flaky probe.

Prune:
- Warn when a stale lock can't be removed.
- Report temp-dir removal failures instead of swallowing them.

Build / CI / tests:
- Gate the Tart base-image build on macOS + Apple Silicon only.
- Bump astral-sh/setup-uv (v5 to v7) and golang.org/x/sys + golang.org/x/term.
- Smoke harness captures each prereq base-image build into the run dir.

Verified: make releasetest passed on macOS and Linux.

v0.5.1 — Backend reliability + shared conformance test suite

Patch release. No breaking changes (BREAKING-CHANGES.md unchanged since v0.5.0).
Primarily test-infrastructure and reliability hardening across the runtime
backends, plus a few user-facing backend fixes.

Backend fixes
- agent: idle sandboxes now use a portable keep-alive (tail -f /dev/null)
  instead of sleep infinity, which the macOS VM guest's BSD sleep rejects —
  fixes idle/--idle sandboxes failing to stay up on the Tart and Apple
  backends.
- containerd: Exec now trims stdout to honor the ExecResult contract (matches
  the other backends).
- podman: system build no longer passes the docker-only --provenance/--sbom
  flags to podman build, which rejected them.
- prune: --images now warns when running containers are blocking image
  reclaim, instead of silently reclaiming less than expected.

Testing & reliability (internal)
- All runtime backends — docker, podman, containerd, apple, tart, seatbelt —
  now run against a single shared, backend-agnostic conformance suite
  (lifecycle / exec / interactive / idempotency), so every backend verifies the
  same runtime.Runtime contract. Tart and Seatbelt were brought up on it via a
  P1/P2 split (a bare exec-able instance vs. full sandbox provisioning).
- Host-aware integration targets: releasetest/smoketest-full now run
  everything the host can test — including the heavyweight macOS-VM conformance —
  and fail loudly when required infrastructure is missing, rather than silently
  skipping.
- Smoke harness: one matrix per host OS, collision-safe run ids, automatic
  sweep of leftover smoke instances, and warm-up failures now surface their
  cause.

Docs
- Backend conformance coverage map; idiosyncrasies doc scoped to external-tool
  behaviors only; README backend/isolation accuracy fixes.

yoloAI v0.5.0

The Apple `container` backend brings Linux-VM isolation to macOS, alongside a
hardening pass that funnels every subprocess through an explicit, curated
environment.

## Highlights

### Apple `container` backend (macOS 26+, Apple Silicon)
- New `apple` backend runs each sandbox as a Linux OCI container in its own
  sub-second-boot VM, with no Docker Desktop dependency — the yoloai-base image
  is built by Apple's own builder.
- `--isolation vm` on macOS now routes to it (previously it degraded to a
  shared-kernel container, since containerd/Kata is Linux-only). When `container`
  is installed it also becomes the macOS default: VM isolation is effectively
  free because the VMs boot sub-second. Opt back with `--isolation container`.
- Full workflow verified end-to-end: copy/diff/apply, `--network-isolated` (the
  guest kernel enforces the iptables allowlist), restart, `exec`-based attach,
  and an orphan-container `system prune` sweep.

### Container-system selector (macOS)
- `--backend orbstack` / `--backend docker-desktop` (and the matching
  `container_backend` config) pin the docker backend to that provider's daemon
  socket, so the choice is honored even when both are installed.
- `yoloai system backends` lists them; provider-switch failures (daemon
  unreachable / container not found) now name the installed providers.

### Setup wizard: default-environment presets
- The backend step is a flat preset list (apple/orbstack/docker-desktop/podman/
  tart/seatbelt on macOS; docker/podman/vm on Linux). A pick writes the
  os/isolation/container_backend it needs and resets the rest.

### Two-tier backend probe
- Every backend now reports installed (tool present) vs running (daemon
  reachable); selection uses installed, point-of-use starts on demand.

### Environment-access hardening (security; DEV 12)
- Every subprocess (docker/podman/containerd/tart/git/agent CLIs) launches with
  an explicitly constructed, curated env — never the inherited os.Environ().
  Closes the DF19 data-loss path where a test invoking the real cross-backend
  prune deleted the developer's real VMs during `make check`.
- `${VAR}` interpolation in config/profile values now resolves only a fixed
  allowlist (HOME/USER/LANG/TZ/LC_*), so a config value can't pull a host secret.
- Mechanical guards: forbidigo bans raw exec.Command* and ambient env reads
  below the edge.

## Notable fixes
- docker: build base/profile images without BuildKit attestations — fixes a full
  yoloai-base rebuild on every run against a Docker Desktop containerd store;
  plus base-image download retries for transient CDN failures.
- podman: carry TMPDIR into macOS Podman-machine socket discovery.
- tart: commit-level git diff runs in the VM; `system tart list` via JSON; stop
  the base VM before deleting it in Setup.
- gVisor: restrictive secret/path perms (DF20).
- Claude Code: seed ~/.claude/statusline.sh (executable) so the statusLine
  script works inside sandboxes.

## Breaking changes
Four breaking changes — see docs/BREAKING-CHANGES.md (v0.5.0) for details and
migration steps:
- macOS default isolation becomes `vm` (Apple `container`) when installed.
- `${VAR}` interpolation restricted to a fixed allowlist.
- Go embedding surface: `IsolationAvailability` gained (hostMacOSMajor,
  containerInstalled); `TartBaseAdmin.AvailableRuntimes`/`PlanBase` gained a ctx.

v0.4.0

Consolidation release on top of v0.3.0's layer-1 reshape: the public Go surface
settles into a dormant-creation lifecycle, backend coverage grows (Docker-in-
Docker everywhere, macOS container isolation, host-tracking Tart bases), and a
class of Tart data-loss and interactive-exec bugs is closed. See
docs/BREAKING-CHANGES.md for full per-entry migration steps.

Breaking — Public Go API:
- Creation is dormant: CreateSandbox / Sandbox.Clone return a live *Sandbox
  that the caller starts; RunSandbox removed in favor of Sandbox.Wait(ctx,
  opts) with a configurable exit/idle condition + timeout.
- CloneSandbox moved off the Client root onto Sandbox.Clone(ctx, dest, opts).
- Read-model field renames across the embedding surface (e.g. PruneItem.Bytes
  -> BytesReclaimed, TrashedSandbox.From/Dest -> OriginalPath/TrashPath) and
  the names that previously needed a comment to compensate.
- BuildImageOptions backend selection collapsed to one required field;
  System.Build -> BuildImage.
- An explicit backend is required again (newRuntime wrapper dropped); Client /
  Engine Close is now terminal (ErrClosed); Sandbox.Destroy is idempotent.

Breaking — CLI / wire format:
- Destructive flags are named for their consequence; the generic --force is
  gone (--abandon-unapplied, --overwrite, --rebuild, ...). --yes no longer
  widens destructive scope — opting into collateral danger is an explicit
  consequence-named selector, and absent it the command hard-refuses in every
  mode (interactive, --json, piped).
- --json output is always a top-level object (DF17 convention sweep).
- The launch-prefix legacy path is removed; the library data dir migrates to
  schema v2 (agent_launch_prefix backfill) via `yoloai system migrate`.
- Default Tart base image tracks the host's macOS instead of pinning Sequoia;
  `system prune` gains a --stale-bases selector to reclaim superseded bases.

Backends & isolation:
- container-privileged and container-enhanced supported on macOS hosts;
  container-enhanced (gVisor) subsequently re-blocked on macOS where it isn't
  turn-key (D71).
- Docker-in-Docker via overlay2 on a real-fs volume now works across all
  providers (incl. Linux rootless Podman keep-id:uid=1001).
- Interactive exec/attach routed through the API socket with uniform exit-code
  propagation across backends; exec TTY reflects whether stdin is a terminal.
- Docker daemon resolved from the active docker context with stale-socket
  self-heal; images build with BuildKit to stop prune churning base layers;
  prune disk-accounting corrected for Podman and containerd.

Fixes:
- Tart: change detection runs in-VM (the working copy lives on VM-local
  storage), so `info` no longer reports "Changes: no" on a dirty sandbox and
  destroy/reset fail safe when the VM is stopped — closing a silent data-loss
  path. Destroy is gated on unapplied changes, not merely a running agent.
- Per-sandbox --env is re-injected on the recreate path; tmux socket derived
  live instead of from frozen config; seatbelt regenerates derived artifacts on
  Start so upgrades self-heal; git-tag-on-apply pipeline is backend-aware.

Internal:
- D74: the Engine owns the lazy backend connection and the lifecycle/workdir/
  files/network verbs; sub-handles hold *Engine (no layout/runtime threading).

Dependencies:
- Go toolchain 1.26.4; containerd/v2 2.3.1; assorted x/sys, x/net, x/term,
  mcp-go, go-connections bumps; self-policing govulncheck allowlist.

v0.3.0

Layer-1 architecture refactor: CLI -> public Client -> runtime. The root
yoloai package is now the sole embedding surface; external code never imports
internal/*.

Public Go API (see docs/BREAKING-CHANGES.md for full migration):
- Handle model: client.Sandbox(name) -> (*Sandbox, error), with .Workdir()
  / .Network() / .Agent() sub-handles. Admin/fleet ops via client.System().
- Renames of the shipped surface: Options -> ClientCreateOptions (.Backend ->
  .BackendType), RunOptions -> SandboxRunOptions, ApplyOptions ->
  WorkdirApplyOptions, NewWithOptions -> NewClient; New(ctx) removed.
- Per-name Client methods (Inspect/Stop/Destroy/Diff/Apply) moved onto the
  Sandbox / Workdir handles.
- Lazy backend: a Client built without BackendType serves backend-free ops
  without opening a runtime; a backend-bound call returns ErrBackendRequired.
- Typed errors (errors.As): ErrSandboxNotFound, *ActiveWorkError,
  *DirtyWorkdirError, *UsageError, ...
- Kind enums read as AgentType / BackendType (fixed-set "type", not "name").

Data layout / migration:
- Data dir bifurcated into library/ (engine) + cli/ (app), each with a
  plain-int .schema-version stamp.
- New `yoloai system migrate`: the only mutator; the engine no longer
  auto-migrates. Fail-fast on a newer-than-build stamp.

CLI / wire format:
- `system doctor` -> `doctor`; `system runtime` -> `system tart`.
- prune now scans all backends; `--cache` -> `--images`.
- aux `:copy` / `:overlay` mounts removed.
- apply is commits-only by default; `--squash` -> `--no-commit`, plus
  `--include-uncommitted`.
- setup wizard collapsed into the CLI (library has no setup verb).
- sandbox info/list --json nest creation settings under "environment" (was
  "meta") and drop pure-mechanism fields.

v0.2.6: Pre-rearchitecture baseline — tested across all backends

Final release before the layering rearchitecture. main remains live for
hotfixes while feature work moves to `layering-refactor`.

New features (user-visible):
- VS Code integration: `yoloai sandbox <name> vscode` (attach to running
  container in VS Code) and `--vscode-tunnel` (Remote Tunnel for any IDE)
- Devcontainer support: parses `.devcontainer/devcontainer.json` and
  executes lifecycle commands (onCreate / postCreate / postStart) via
  archetype resolution
- `yoloai baseline advance` / `set` for unsticking sandboxes when the
  apply baseline drifts
- `yoloai system prune --cache` and `yoloai system disk` for storage
  management across all backends
- Network isolation: `--network-isolated` with `--network-allow <domain>`
  iptables+ipset allowlist; `--network-none` for full block
- New backends: Podman (rootless containers), Tart (macOS Apple-Silicon
  VMs), Seatbelt (macOS process sandbox), containerd (Linux VMs via Kata)
- New isolation modes: `container-privileged` (Docker-in-Docker via
  --privileged + fuse-overlayfs), `vm` (Kata+QEMU), `vm-enhanced` (Kata
  +Firecracker)
- Apple simulator runtime management (Tart-only):
  `yoloai system runtime create/list/delete` for iOS/tvOS/watchOS/visionOS

Breaking changes since v0.2.5 (full details in docs/BREAKING-CHANGES.md):
- `yoloai apply` defaults to commits-only; `--no-wip` removed in favor
  of `--include-wip` for the old behavior
- `--security` flag replaced by `--isolation` (with renamed mode values:
  standard→container, gvisor→container-enhanced, kata→vm,
  kata-firecracker→vm-enhanced)
- `apply --force` removed; dirty trees handled automatically via
  `git am --autostash`
- `container-nestable` isolation removed; use `container-privileged`
- Profile system: `~/.yoloai/profiles/base/` replaced by `~/.yoloai/
  defaults/`; baked-in defaults embedded in the binary
- Sandbox status `running` renamed to `active`; `--running` flag renamed
  to `--active`
- `--backend` moved from a global flag to per-command flags
- Cross-process JSON files (`runtime-config.json`, `agent-status.json`)
  gain a `schema_version` field with hard-fail-on-mismatch policy
- `files`, `sandbox`, and `network` subcommands restructured for
  name-before-subcommand consistency

Architecture work landed since v0.2.5:
- Architecture remediation Phases 1–6 + W11 (Runtime interface split
  into core + descriptor + optional interfaces) + W12 (sandbox/ carved
  into archetype/, patch/, store/ subpackages)
- BackendDescriptor with (factory, descriptor) registry — adding a new
  backend is now purely additive
- Python pytest infra + race-coordination tests in runtime/monitor/
- Backend-name dispatch replaced by capability flags throughout

v0.2.5: Fix files put for pre-feature sandboxes

Highlights:
- Fix: files put now creates the host-side files/ directory if missing,
  preventing cp from creating a plain file named 'files' in sandboxes
  that predate the files exchange feature
- Test: regression test covering the missing files/ directory case

v0.2.4: Reliability & testing improvements

Highlights:
- Fix overlay read-only on VirtioFS and overlay baseline recovery when chown breaks git visibility
- Fix relaunch agent failure when tmux uses fixed socket path
- Fix system prune reporting and force-remove dangling images
- Use Stop hook for Claude Code idle detection instead of Notification
- Add Clone and Overlay integration tests
- Add CLI integration tests for StartAfterDone, FilesExchange, Apply
- Smoke test v2: --full flag, matrix split, --junit JUnit XML output
- Add releasetest Makefile target — runs every test tier, fastest first
- Auto-escalate to root for smoketest-full on Linux
- Multiple smoke test reliability fixes for Kata, gVisor, and QEMU backends

Release v0.2.3

Highlights:
- Fix: Tart VM apply operations now work correctly
  - Refactored git operations to run inside VM instead of on host
  - Fixed git patch whitespace handling to prevent corruption
  - All backends now preserve exact git output for patches
- Feat: Configurable test retry support (Tart gets 1 retry for flaky agent/API timing)
- Fix: Multiple Tart VM improvements (work directory creation, path translation)
- Fix: Smoke test infrastructure improvements (better debugging, local binary usage)
- Fix: Temp file cleanup now skips undeletable directories instead of aborting

This release makes Tart VM backend fully functional for apply workflows.

Full changelog: v0.2.2...v0.2.3