Releases: Pyronewbic/Sluice

v0.8.0

03 Jun 12:53
f34459f

sluice v0.8.0

A security-hardening release. Opt-in sandbox lockdown, a copy-on-write workspace mode, and tighter egress that closes DNS-based exfil tunnels - all on top of the same default-deny egress firewall, non-root box, and project-dir-only mount.

Added

  • Hardened seccomp profile (opt-in) - SLUICE_SECCOMP=hardened runs the box under a tightened syscall filter.
  • Read-only rootfs (opt-in) - SLUICE_READONLY_ROOT=1 makes the container filesystem immutable.
  • Workspace overlay (opt-in) - SLUICE_WORKSPACE=overlay runs against a throwaway copy of the repo; the agent's edits land in a scratch layer you review and apply.
  • Tighter default privileges - drop ALL Linux capabilities and add back only the boot-needed set, plus no-new-privileges, resource bounds, and removal of in-box sudo.
  • DoH/DoT exfil block - DNS-over-HTTPS and DNS-over-TLS resolvers are refused even when their host is allowlisted, closing a covert egress tunnel.
  • No-op run hint - sluice run warns when SLUICE_RUN_CMD is a no-op so a silent success isn't mistaken for a hang.

Changed

  • Test suite migrated to bats-core with a container-structure-test gate (asserts base-image invariants: no sudo, uid 1000, firewall packages). CI runs the gate on Docker and rootless Podman.

Verify

Every release ships a deterministic source tarball, SHA256SUMS, and a cosign keyless signature bundle. Verification steps are in SECURITY.md.

Full changelog: v0.7.0...v0.8.0

v0.7.0

02 Jun 18:41
6150127

Coding agents, supply-chain verification, and stronger isolation. Run coding agents one-shot inside the sandbox, gate dependencies with vuln scans and a strict lockfile, and optionally give each box its own kernel.

Added

Coding agents

  • sluice agent <name> [args] runs an agent in the sandbox; trailing args run it one-shot (e.g. sluice agent claude -p "fix the failing test"). Without a name it lists every preset with its auth variable and whether that variable is set on your host.
  • Two new presets, qwen and crush, bringing the set to nine (claude, codex, gemini, aider, cursor, opencode, amp, qwen, crush).
  • Pre-run auth check warns when a preset's API-key variable is unset, and a multi-agent guard points you to git worktree when a directory is already wired to a different agent.

Supply chain

  • sluice lock --scan runs a host-side Grype or Trivy vulnerability scan of the box, with --fail-on <severity> to gate the build.
  • sluice lock --enforce makes the lockfile a strict gate (build fails on package drift). Inventory now covers cargo alongside apk/npm/pip/gem/go, and lockfiles export as CycloneDX or SPDX via --format.
  • Base-image SBOM attestation: the published GHCR base image ships a CycloneDX SBOM, cosign-signed keyless.

Isolation

  • SLUICE_RUNTIME=kata runs a box as a micro-VM with its own kernel instead of a shared-kernel container, where the Kata runtime is available.

Control plane

  • sluice -b/--box <name> targets any box from outside its directory; sluice ls gained a posture/orphan dashboard; sluice rm / prune remove boxes; version --json and learn public-suffix wildcards round out scripting support.
  • Egress receipts now report per-host byte volume, and opt-in TLS interception (SSL-bump) is available for scoped deep inspection.

Changed

  • Shell completions install automatically via Homebrew and install.sh (bash + zsh).

Full changelog: v0.6.0...v0.7.0

v0.6.0

01 Jun 11:31
15212ef

Multi-box visibility and machine-readable output. See every sandbox on your machine at a glance, get JSON from the inspection commands for scripting and CI, and point boxes at a central egress allowlist.

Added

  • sluice ls lists every built box on this machine - name, status (running/stopped/built), stack, project path, and description - with the box matching your shell's directory marked. Derived from Docker; no extra state to manage.
  • sluice egress [--json] prints what a box actually reached vs. what the firewall blocked - an audit record you can pipe to a file or a collector.
  • --json output for sluice ls and sluice doctor - machine-readable box inventory and posture, for scripting and CI.
  • SLUICE_DESC - an optional one-line box description, shown in sluice ls and sluice doctor.
  • SLUICE_POLICY_URL points a box at a central plain-text allowlist (any http/https/file URL), fetched on the host at run and merged into the box's egress policy. Additive and host-trusted: it can only add allowed hosts, never weaken the sandbox.

Changed

  • README: a "What it looks like" section with real sluice doctor / sluice ls output, status badges, and a one-line note that sluice runs entirely on your machine (the only network call it makes is an opt-out update check).

Full changelog: v0.5.0...v0.6.0

v0.5.0

31 May 23:54
9d89be4

sluice learn --audit - a one-shot, open-egress discovery pass for the egress allowlist.

sluice learn proposes the allowlist from what the firewall blocked, without ever opening egress. --audit covers the one case enforce-mode can't: trusted code whose fetcher aborts on the first blocked host. It runs your command once in a throwaway, credential-stripped container with egress open to all HTTP/HTTPS hosts, then proposes the full allowlist from every host it reached.

Added

  • sluice learn --audit runs SLUICE_RUN_CMD once with egress opened to all HTTP/HTTPS hosts, then proposes the allowlist from everything it reached. Loudly warned and confirm-gated; the audit container is ephemeral and torn down after the run. Enforce-mode learn stays the default.
  • Credential-stripped by design. The audit run forwards no SLUICE_ENV, runs no SLUICE_PRELAUNCH, and mounts no persisted state dirs, so nothing sensitive can leave while egress is open. Non-HTTP ports and IPv6 stay default-DROP throughout. See THREAT_MODEL.md for exactly what it opens and keeps closed.

Changed

  • Slimmer README layout - documented as role-based top-level directories rather than a per-file tree.

Full changelog: v0.4.0...v0.5.0

v0.4.0

31 May 23:06
d3a29ab

[0.4.0] - 2026-06-01

Added

  • Supply-chain: sluice lock - write a committable inventory of the built image (every apk + global npm package with version + digest); sluice update re-resolves and relocks. sluice lock --check is a CI drift gate (fails if the image differs from sluice.lock); sluice lock --sbom emits a deterministic CycloneDX 1.5 SBOM for scanners.
  • Agent session persistence (SLUICE_STATE_DIRS) - a coding agent's history, sessions, and auth survive a rebuild, sluice stop, or reboot, via a per-project host store.
  • sluice learn --print - emit the proposed egress allowlist to stdout (review / CI).
  • sluice learn --apply - write the allowlist and rebuild in one step.
  • Nix gallery example + SLUICE_SETUP_ROOT_CMDS (a build-time root hook) - run a reproducible, pinned Nix toolchain inside a sluice, contained at runtime.
  • SLUICE_ALLOW_IPS database-egress demo - reach a fixed-IP, non-HTTP service (Postgres/Redis/MySQL) through the firewall's escape hatch.
  • Codex and Gemini agent presets verified through the harness - all seven presets are now verified without credentials.
  • Update check in sluice version - flags a newer release when one is available (SLUICE_NO_UPDATE_CHECK=1 to disable).
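How a lockfile drift gate and a deterministic SBOM fit together, as an added Python illustration that is not sluice's own lock code: the two inventories are constructed sample data, and the CycloneDX document is a minimal sketch whose exact field subset is an assumption about what the real tool emits.

```python
import json

# Constructed sample inventories: "ecosystem:name" -> (version, digest).
# Package names, versions and digests are made up for illustration.
LOCKED = {
    "apk:openssl": ("3.3.1-r0", "sha256:0000aaaa"),
    "apk:squid": ("6.9-r0", "sha256:0000bbbb"),
    "npm:typescript": ("5.5.4", "sha256:0000cccc"),
}
REBUILT = {
    "apk:openssl": ("3.3.2-r0", "sha256:0000dddd"),  # bumped by the upstream repo
    "apk:squid": ("6.9-r0", "sha256:0000bbbb"),      # unchanged
    "npm:eslint": ("9.9.0", "sha256:0000eeee"),      # new global package in the image
}

def drift(locked, current):
    """Classify every difference between the lockfile and the built image."""
    both = set(locked) & set(current)
    return {
        "added": sorted(set(current) - set(locked)),
        "removed": sorted(set(locked) - set(current)),
        # Comparing (version, digest) catches a package rebuilt under the same
        # version string, which a version-only check would miss.
        "changed": sorted(k for k in both if locked[k] != current[k]),
    }

def check(locked, current):
    """The CI gate: passes only when the image matches the lockfile exactly."""
    return not any(drift(locked, current).values())

def to_cyclonedx(inventory):
    """Minimal CycloneDX 1.5 JSON (assumed field subset). Components and keys
    are sorted and no timestamp is written, so equal inventories serialise
    to identical bytes regardless of dict insertion order."""
    components = []
    for key, (version, digest) in sorted(inventory.items()):
        ecosystem, name = key.split(":", 1)
        components.append({
            "type": "library",
            "name": name,
            "version": version,
            "purl": f"pkg:{ecosystem}/{name}@{version}",
            "hashes": [{"alg": "SHA-256", "content": digest.split(":", 1)[1]}],
        })
    bom = {"bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
           "components": components}
    return json.dumps(bom, sort_keys=True, indent=2)
```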

Changed

  • sluice help is grouped into sections (Common / Build & lifecycle / Inspect / Meta).
  • test/verify-runtimes.sh runs the runtime fixtures in parallel.
  • README: an "Updating sluice" section, plus gallery and command-surface docs. The CLI surface is pre-1.0 and may still change before 1.0.

Full changelog: v0.3.1...v0.4.0

v0.3.1

31 May 17:36
703fe10

A patch release: the cursor agent preset was broken — now fixed and verified — plus a new agent-verification harness and a security-showcase demo.

Fixed

  • sluice agent cursor was broken. The preset installed @cursor/cli, which 404s on npm — cursor-agent ships via Cursor's own install script, not npm. Switched to the script + a PATH symlink, and verified it installs and runs.

Added

  • Agent-preset verification harness (test/verify-agents.sh + a manual verify-agents.yml). For each preset it builds the image and checks, with no credentials, that the CLI binary installs and runs, every declared API host is reachable through the proxy, a non-allowlisted host is blocked, and the auth env var is forwarded; the live authenticated round-trip is the only cred-gated step (auto-runs if the key is present, else skips). cursor, amp, and opencode are now verified cred-free; opencode's full live round-trip passes too.
  • A firewall/exfil demo (examples/firewall.config.sh) — self-contained and non-server: it reaches an allowlisted host, then is blocked trying to exfiltrate a fake secret to a non-allowlisted host and to a raw IP, surfaced by sluice doctor and the at-exit hint. The threat model, runnable.

Changed

  • Curated the demo gallery into a capability matrix — firewall / strudel / jupyter each show a different slice — and elevated the coding-agent section from a footnote. Trimmed the vite/next/fastapi starters (redundant with sluice init, which scaffolds them) to an init pointer.
  • De-staled the strudel and jupyter demos (/home/node → /home/sluice, after the sandbox user rename).

Full changelog: v0.3.0...v0.3.1

v0.3.0

31 May 16:53
b1164e9

sluice is a sandboxed, firewalled, non-root container for any project: drop a sluice.config.sh in a directory and run sluice. This release adds a signed base image, fixes a Linux egress bug for rotating-CDN hosts, and verifies rootless Podman.

Added

  • Cosign-signed base image. The generic sandbox core (proxy, firewall, dnsmasq, non-root user) is now published to GHCR as a multi-arch (amd64 + arm64) image, keyless-signed with cosign (GitHub OIDC). Opt a project into building FROM it with SLUICE_BASE_IMAGE=ghcr.io/pyronewbic/sluice-base:0.3.0 instead of rebuilding the core locally — sluice verifies the signature when cosign is installed (SLUICE_REQUIRE_SIGNED=1 to make a missing/failed signature fatal). The image carries no private key: the squid splice cert is generated per-container at runtime. Local-from-core stays the default this release.

Fixed

  • Egress to rotating-CDN hosts on Linux. HTTPS to allowlisted hosts on large rotating IP pools (Google/Akamai/Fastly — e.g. proxy.golang.org, static.crates.io) could fail with an opaque TLS error. squid's transparent-intercept Host-forgery check was rejecting a legitimate host when the client and squid resolved its name to different pool IPs milliseconds apart. A small in-box dnsmasq cache now pins one IP set per session, so both agree and the connection splices through. (Surfaced on Linux only; macOS Docker Desktop's resolver masked it.)
  • Eliminated rm: Permission denied cleanup noise in the test harnesses (chown the mount back to the host uid before teardown).
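The Host-forgery race and the dnsmasq pin, as an added simulation that is not part of the sluice code base: the in-box client and squid share one resolver, a round-robin pool makes their two lookups disagree so squid rejects the splice, and a per-session cache in front of the same pool makes them agree. The pool addresses are constructed sample values.

```python
import itertools

# Constructed sample pool for one allowlisted CDN host; documentation-range
# addresses, not the host's real records.
POOL = {"proxy.golang.org": ["192.0.2.10", "192.0.2.11", "192.0.2.12"]}

class RotatingResolver:
    """Upstream DNS as seen for a rotating-CDN name: every lookup hands out the
    next address of the pool (round-robin makes the mismatch deterministic here)."""
    def __init__(self, pool):
        self._cycles = {host: itertools.cycle(ips) for host, ips in pool.items()}

    def resolve(self, host):
        return next(self._cycles[host])

class PinningResolver:
    """Stand-in for the in-box dnsmasq cache: the first answer for a name is
    pinned for the session, so every later lookup returns the same address."""
    def __init__(self, upstream):
        self._upstream = upstream
        self._cache = {}

    def resolve(self, host):
        if host not in self._cache:
            self._cache[host] = self._upstream.resolve(host)
        return self._cache[host]

def host_forgery_check(proxy_resolver, sni, dst_ip):
    """squid's transparent-intercept check: the name in the client's TLS SNI
    must resolve, by squid's own lookup, to the IP the client connected to."""
    return proxy_resolver.resolve(sni) == dst_ip

def connect(client_resolver, proxy_resolver, host):
    """One intercepted HTTPS connection: the client resolves and dials, then
    squid re-resolves to validate. Returns True if the splice is allowed."""
    dst_ip = client_resolver.resolve(host)
    return host_forgery_check(proxy_resolver, host, dst_ip)

def simulate(attempts, pin_dns):
    """Count accepted connections out of `attempts`. Inside the box the client
    and squid use the same resolver; pin_dns puts the session cache in front of it."""
    resolver = RotatingResolver(POOL)
    if pin_dns:
        resolver = PinningResolver(resolver)
    return sum(connect(resolver, resolver, "proxy.golang.org") for _ in range(attempts))
```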

Changed

  • The non-root sandbox user is now sluice (was node; uid unchanged at 1000). A /home/node → /home/sluice symlink keeps existing SLUICE_MOUNTS working. Node + npm remain in the base as the agent runtime.
  • Rootless Podman verified. The acceptance harness now probes rootless Podman in CI; the full egress matrix passes in an unprivileged user namespace, so the route_localnet/disable_ipv6 sysctls and in-netns iptables the proxy needs work rootless too (no rootful requirement).
  • Docs: sluice doctor, the at-exit visible-egress hint, the --HEAD dev stream, and running any language via SLUICE_EXTRA_PKGS + SLUICE_RUN_CMD.

Full changelog: v0.2.0...v0.3.0

v0.2.0

31 May 15:01
d0767a4

Minor release: adds sluice doctor and visible egress denials, plus SLUICE_NAME, and tightens the agent allowlists.

Added

  • sluice doctor - one-shot health check: engine, config, image freshness, effective allowlist, auth env, and the hosts the proxy blocked this run. Self-contained, so it works in the broken states it diagnoses (no engine/config/image, container not running).
  • Visible egress denials - after a default sluice / sluice agent run, a one-line hint lists any not-yet-allowed hosts the proxy blocked (fires even on Ctrl-C), so a silent TLS error no longer hides what to allow.
  • SLUICE_NAME - override the per-project image/container name (defaults to the directory basename).

Changed

  • Agent allowlists scoped to each CLI's documented API-key hosts, dropping browser-only OAuth/sign-in hosts that can't complete headless.
  • Example runtime projects moved to test/fixtures (the sluice init scaffold supersedes them).

Fixed

  • Claude Code v2.x connectivity: allow platform.claude.com, claude.ai, and statsig.com (feature flags).

Full changelog: v0.1.1...v0.2.0

v0.1.1

31 May 11:45
4aad6a6

Patch release.

Fixed

  • sluice -v / sluice version / the startup banner now report sluice's own version. A Homebrew-installed sluice previously reported Homebrew's version, because git describe walked up to the enclosing /opt/homebrew git repo.

Added

  • Homebrew: brew install Pyronewbic/tap/sluice.

Full changelog: v0.1.0...v0.1.1

v0.1.0

31 May 11:22
33f4188

sluice sandboxes any project in a firewalled, non-root container: drop a sluice.config.sh (or just run sluice and it scaffolds one), and untrusted code, dependencies, and coding agents run behind a default-DROP egress firewall, seeing only that one directory. First release.

Highlights

  • Zero-config - sluice in any repo detects the stack (Node, Python, Deno, Ruby, Rust, Go), scaffolds a config, and runs it.
  • Hostname-filtered egress - all HTTP/HTTPS is forced through an in-sluice squid proxy that allows by domain / TLS-SNI and splices (never decrypts); IPv6 and direct-IP are blocked; the firewall self-tests at boot.
  • Coding agents, contained - sluice agent <name> runs Claude Code, Codex, Gemini, aider, Cursor, opencode, or amp in YOLO mode, safely sandboxed.
  • sluice learn - proposes the egress allowlist from the hosts your app was blocked reaching.
  • CLI - sluice help, sluice version (engine + OS + install dir), a startup banner, and a logo.
  • Runs on Docker or Podman, Linux and macOS.

Install

curl -fsSL https://raw.githubusercontent.com/Pyronewbic/Sluice/main/install.sh | sh

Docs: README - THREAT_MODEL. Full changelog: https://github.com/Pyronewbic/Sluice/commits/v0.1.0