
Releases: Cloud-Exit/ExitBox

v0.2.2

15 Apr 10:56
03bc72d


What's Changed

New Contributors

Full Changelog: v0.2.1...v0.2.2

v0.2.1

12 Mar 21:16
5004192


New Contributors

Bug Fixes

  • Claude Code musl/Alpine compatibility: Claude Code v2.1.63+ broke on Alpine (posix_getdents: symbol not found). Replaced the custom GCS download pipeline with the official native installer (curl install.sh | bash), added a build-time LD_PRELOAD shim that provides posix_getdents via SYS_getdents64, and added libgcc, libstdc++, gcompat to the base image. Configures DISABLE_AUTOUPDATER=1 and USE_BUILTIN_RIPGREP=0 for containerized use.
  • IPC server deadlock: Split single mutex into separate handler-map and prompt-serialization locks so a hung tmux popup no longer blocks vault/kv operations. Added 30-second timeout on tmux popup prompts.
  • Env var reservation: OLLAMA_HOST, ANTHROPIC_BASE_URL, ANTHROPIC_API_KEY, OPENAI_BASE_URL are no longer unconditionally reserved; they only conflict when --ollama is active.
  • exitbox-allow error messages: Distinguishes "socket missing" from "socket exists but connect failed" to help diagnose stale bind-mount scenarios.

New Features

  • Agent version pinning: Pin agent versions per-session (exitbox run --version 1.0.123 claude), per-rebuild (exitbox rebuild claude --version 1.0.123), or in config (agents.claude.version in config.yaml). Resolution order: CLI flag > config > latest.
  • exitbox config command group: exitbox import moved to exitbox config import. New exitbox config edit <agent> opens the agent's primary config file in $EDITOR.
  • Codex sandbox compatibility: Added Python IPC fallback for exitbox-allow (Codex's seccomp blocks connect() for /bin/sh children). Added standalone exitbox-allow-ipc.py for direct invocation. Auto-generates Starlark approval rules (.codex/rules/exitbox.rules) pre-approving exitbox-allow, exitbox-vault, and exitbox-kv.

Minor Changes

  • Sandbox instructions now list go install as a blocked package manager command.

Breaking Changes

  • exitbox import is now exitbox config import.
  • Inside the container, the Go binary is renamed to exitbox-allow-bin; a wrapper script takes the exitbox-allow name (transparent to agents).

Full Changelog: v0.2.0...v0.2.1

v0.2.0

22 Feb 20:32


Bug Fixes

  • Fix config directory mount — The entrypoint failed with Permission denied on Podman/SELinux because only config.yaml was bind-mounted as a single file. Now mounts the entire ~/.config/exitbox directory so the entrypoint can read/write config and access workspace profiles.

Changes

  • Manual install as default — README install instructions now use direct binary download from GitHub Releases instead of curl | sh. Added security warning for the script installer.
  • Update instructions — Added exitbox update and exitbox rebuild documentation.
  • README documentation — Documented IDE integration, RTK token optimizer, full git support, GitHub CLI authentication, and external tools.

Full Changelog: v0.1.9...v0.2.0

v0.1.9

21 Feb 11:02


New Features

IDE Integration via Unix Socket Relay

  • Editors (VS Code, Cursor, etc.) running on the host can now connect to agents inside the container through a Unix socket relay
  • Full git support mode (--full-git-support) mounts the host .gitconfig and SSH agent into the container for seamless git operations
  • External tools system: configure third-party tools (GitHub CLI, etc.) via the setup wizard, with packages auto-installed at image build time

RTK Token Optimizer

  • Added optional rtk integration for 60-90% reduction in CLI output token consumption
  • Configurable via the setup wizard (Settings > RTK)
  • Conditionally built from source using musl/Rust toolchain — zero image size impact when disabled
  • Container sandbox instructions automatically include rtk-prefixed command guidance when enabled
  • Agent management commands: exitbox agents list, exitbox agents config

Bug Fixes

Git credential helper crash on read-only .gitconfig

  • Fixed a container startup crash (cannot overwrite multiple values) when the host .gitconfig is mounted read-only via full git support. The entrypoint now skips credential helper configuration when the file isn't writable.

SSH proxy tunnel on WSL

  • Fixed SSH operations failing with Could not resolve hostname on WSL. The SSH proxy tunnel (routing through the firewall) no longer requires SSH_AUTH_SOCK to be set, since the proxy is needed for all SSH connections through the firewall — not just agent-forwarded ones.

RTK Alpine compatibility

  • Fixed fcntl64: symbol not found error. Pre-built rtk binaries are glibc-linked and incompatible with Alpine's musl libc. Replaced with a conditional build-from-source approach using rustup + cargo install gated by the INSTALL_RTK build arg.

Vault wizard default

  • "Keep current settings" is now the default cursor position when re-running the setup wizard on a workspace that already has a vault configured.

Full Changelog: v0.1.8...v0.1.9

v0.1.8

18 Feb 11:55


What's new:

Secure Output Redactor - Vault secrets are now automatically scrubbed from container output in real-time. When vault is enabled for a workspace, every exitbox-vault get records the retrieved value, and all subsequent stdout/stderr from the container is filtered through a redactorWriter that replaces secret values with before they reach your terminal. This prevents accidental secret leakage in agent output, curl responses, logs, or error messages, even if the agent prints a secret it fetched earlier.

  • Thread-safe Redactor with static and dynamic SecretProvider modes
  • VaultState.GetRetrievedSecrets() feeds secrets to the redactor using a separate mutex to avoid deadlocks with tmux popup prompts
  • redactorWriter wraps both stdout and stderr for the container process
  • 9 unit tests covering single/multiple secrets, partial matches, newlines, provider mode, and clear
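An added example (not ExitBox's own code) of the streaming redactor described above, in Go: a writer that wraps the container's stdout/stderr, asks a dynamic provider for the secrets retrieved so far on every write, and holds back a short tail so a secret split across two output chunks is still scrubbed. The type name RedactWriter, the "[REDACTED]" placeholder and the sample values in the comments are assumptions.

```go
package main

import (
	"bytes"
	"io"
	"sync"
)

// RedactWriter scrubs secrets before bytes reach dst. Output arrives in arbitrary
// chunks, so up to len(longest secret)-1 bytes after the last newline are held back
// (assuming secrets never contain '\n'); a secret split across two Writes is caught.
type RedactWriter struct {
	mu          sync.Mutex
	dst         io.Writer
	secrets     func() []string // called on every Write: the dynamic provider mode
	placeholder []byte
	tail        []byte // held-back bytes that may be the prefix of a secret
}

func (r *RedactWriter) Write(p []byte) (int, error) {
	r.mu.Lock()
	defer r.mu.Unlock()
	buf := append(append([]byte{}, r.tail...), p...)
	maxLen := 1 // keeps hold >= 0 when no secrets are known yet
	for _, s := range r.secrets() {
		if s == "" {
			continue // ReplaceAll with an empty pattern would corrupt output
		}
		buf = bytes.ReplaceAll(buf, []byte(s), r.placeholder)
		if len(s) > maxLen {
			maxLen = len(s)
		}
	}
	hold := maxLen - 1 // bytes that could still be the start of a secret
	if afterNL := len(buf) - (bytes.LastIndexByte(buf, '\n') + 1); hold > afterNL {
		hold = afterNL
	}
	r.tail = buf[len(buf)-hold:]
	_, err := r.dst.Write(buf[:len(buf)-hold])
	return len(p), err
}

// Flush emits the held-back tail; call it once the container process has exited.
func (r *RedactWriter) Flush() error {
	r.mu.Lock()
	defer r.mu.Unlock()
	_, err := r.dst.Write(r.tail)
	r.tail = nil
	return err
}
```

Because the provider is consulted on every Write, a value recorded by a later vault read is scrubbed from all output that follows it, while output written before the read passes through unchanged.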

Self-Update - ExitBox can now update itself. Run exitbox update to check GitHub Releases for a newer version and replace the binary in-place.

  • exitbox update command: checks the latest release, downloads the correct binary for your OS/arch, and atomically replaces the current executable
  • Update notice on exitbox: the default command shows a yellow banner when a newer version is available, with a 2-second timeout so it never slows you down
  • In-session tmux popup: when running an agent, ExitBox checks for updates in the background. If one is found, a tmux popup asks whether to update after the session ends. Approve it and the update applies automatically on exit

Config Generation - OpenCode now prompts for auto-compaction with pruning during exitbox generate opencode.

Full Changelog: v0.1.7...v0.1.8

v0.1.7

17 Feb 17:43


What's new

Encrypted Vault

Secrets (API keys, tokens, credentials) are now stored in an encrypted vault instead of plain .env files.

  • AES-256 encryption with Argon2id key derivation — secrets are encrypted at rest with OWASP-recommended parameters
  • Per-workspace isolation — each workspace has its own encrypted vault, preventing credential leakage between projects
  • User approval on every access — each secret read/write triggers a y/n approval popup via tmux, so agents never silently access credentials
  • Password cached per session — enter the vault password once, subsequent access within the same session reuses it
  • .env file masking — when vault is enabled, .env files are mounted as /dev/null inside the container, forcing agents to use the vault
  • Read-only mode — optionally restrict agents to only reading secrets (no storing new ones)
  • In-container CLI: exitbox-vault get|set|list|env available inside the sandbox
  • Agent guardrails — sandbox instructions are automatically injected telling agents to never print, log, or commit secret values

KV Store for Session Persistence

Session metadata now lives in a BadgerDB-backed key-value store instead of scattered files on disk.

  • Persistent sessions — resume tokens, session names, and active session markers survive container restarts via structured KV storage
  • Per-workspace scoping — each workspace gets its own KV database at ~/.local/share/exitbox/kv/<workspace>/
  • IPC integration — agents can read/write session data from inside the container via exitbox-kv get|set|delete|list
  • Automatic WAL recovery — gracefully handles corrupted write-ahead logs from unclean container shutdowns
  • Filesystem fallback — automatically migrates legacy file-based session data to KV on first read
  • Auto-expanding storage — no artificial size caps; the store grows as needed for large workspaces
  • Agent instructions — sandbox instructions enforce that sensitive data goes to the vault, never the KV store

Improved Setup Wizard

  • Vault configuration step — enable/disable vault, choose read & write or read-only mode, set encryption password
  • Vault management for existing workspaces — change password, toggle read-only mode, or disable vault when editing a workspace
  • Review screen — shows vault mode (read & write / read-only) in the summary before applying

exitbox info — Data Store Visibility

The exitbox info command now shows a Data Stores section with per-workspace status:

Data Stores

Workspace: default
  Vault:         initialized, enabled (1.0 MB)
  KV Store:      1.0 MB

Workspace: work
  Vault:         not initialized
  KV Store:      empty

Host-Side KV Commands

New exitbox kv subcommands for debugging and management:

  • exitbox kv get <key> [-w workspace]
  • exitbox kv set <key> <value> [-w workspace]
  • exitbox kv delete <key> [-w workspace]
  • exitbox kv list [prefix] [-w workspace]
  • exitbox kv bench [-w workspace] [-s size_mb] — generate test data

Other

  • Lock detection: exitbox kv warns when a running session holds the database lock
  • Value log GC runs on open/close to reclaim disk space automatically

Full Changelog: v0.1.6...v0.1.7

v0.1.6

12 Feb 23:35


What's New

Encrypted Vault

  • Built-in encrypted secret storage using AES-256 + Argon2id key derivation with Badger embedded database
  • Host CLI: exitbox vault init/set/get/list/delete/import/edit/status/destroy
  • Container-side access via exitbox-vault get with per-read approval popups
  • First access prompts for vault password; subsequent reads only require y/n approval
  • All .env* files automatically masked inside the container when vault is enabled
  • Secret values prompted securely from stdin, never exposed in shell history

Enhanced Sandbox Instructions

  • Agents are now told to replace sensitive values with before displaying output
  • Agents are informed that /workspace is their only accessible directory
  • Vault-aware instructions guide agents to use exitbox-vault instead of .env files

Setup Wizard — Vault Step

  • New vault step in the workspace creation wizard (enable + set password)
  • Vault automatically initialized when creating a workspace with vault enabled

Improvements

  • Fixed sanitizeForShell stripping underscores from vault key names and domain labels
  • Fixed tmux popup password capture (temp file approach instead of stdout piping)
  • Added EXITBOX_VAULT_ENABLED to reserved environment variables
  • Cross-compiled exitbox-vault binaries embedded for amd64 and arm64

Full Changelog: v0.1.5...v0.1.6

v0.1.5

12 Feb 21:19


v0.1.5 introduces a new named session management system and improves container build reliability/performance.

  • Added named resumable sessions via --name, with improved --resume [SESSION|TOKEN] behavior and per-session token storage.
  • Added new session CLI commands: exitbox sessions list and exitbox sessions rm, plus shell completion for saved session names.
  • Added in-container session/workspace switching menus (including a dedicated session menu) and updated status/keybinding UX.
  • Optimized project image builds by consolidating/deduplicating package installs, reducing rebuild overhead.
  • Improved runtime robustness across image/network/IPC/uninstall flows with stronger error handling and safer fallbacks.
  • Minor housekeeping: coverage badge update.

Full Changelog: v0.1.4...v0.1.5

v0.1.4

09 Feb 21:03


Full Changelog: v0.1.3...v0.1.4

v0.1.3

09 Feb 00:38


  • Add Unix socket IPC between host and container for extensible messaging
  • Add exitbox-allow command: agents can request domain access at runtime with host-side /dev/tty approval prompt and live Squid hot-reload
  • Add credential import/copy step to setup wizard (from host or existing workspace)
  • Add --workspace flag to exitbox import command
  • Make workspace names case-insensitive across all operations
  • Validate workspace existence before attempting to run
  • Fix resume token capture failing silently under set -e when grep has no match
  • Fix workspace switching listing the current workspace
  • Fix shell completion hints printing during eval
  • Fix symlink handling in workspace credential copy
  • Add resume command with --workspace flag for non-default workspaces
  • Update README: correct all commands to exitbox run, fix workspace subcommand names, document IPC/exitbox-allow, shell completion, credential import, accurate wizard steps, fix auto-resume default documentation

Full Changelog: v0.1.2...v0.1.3