
Childflow

v0.8.0 Feature

This release adds 3 notable features for engineering teams evaluating rollout.

✓ No known CVEs patched

Topics

dns linux packet-capture pcap penetration-testing-tools proxychains rust

Affected surfaces

auth rbac

Summary

AI summary

A mixed release that updates three areas: Profiles, Demo, and CI; Policy and Reporting; and Observability and Host Diagnosis.

Full changelog

childflow 0.8.0

childflow 0.8.0 focuses on making sandbox behavior easier to inspect and reuse in real workflows: stronger observability, machine-readable reports, richer domain-based policy controls, and more complete demo coverage.

Highlights

  • Added machine-readable output across the main observability surfaces:
    • --doctor --doctor-format json
    • --summary --summary-format json
    • --report --report-format json
  • Added childflow --report <flow.jsonl> so saved flow logs can be rendered again as text, Markdown, or JSON.
  • Added stable runtime failure reason_code and phase reporting across stderr, flow logs, summaries, and reports.
  • Added stronger DNS and target correlation so reports can connect queried names, resolved IPs, observed targets, and matched domain rules.

Policy and Reporting

  • Added --allow-domain and --deny-domain for rootless domain-based policy control.
  • Added --allow-domain-exact and --deny-domain-exact for exact-hostname matching.
  • Added matched_domain to policy_violation events when a domain rule blocks DNS resolution or a resolved destination.
  • Added ranked reporting for:
    • policy violation reasons
    • policy control flags
    • matched blocked domains
    • connect errors
    • runtime failures
    • runtime failure phases
  • Added flattened dns_policy_rows so external tooling can iterate DNS name / answer IP / target / matched-domain correlations without unpacking nested report sections.
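The flattened `dns_policy_rows` idea above, and the ranked reporting of `matched_domain`, `reason_code` and `phase` values mentioned in the highlights, are easy to reproduce in a small consumer. The following is an added example and not childflow's own code: the JSONL event layout (`event`, `name`, `ip`, `target`, `reason` keys) is a constructed sample, since only the field names `policy_violation`, `matched_domain`, `reason_code` and `phase` come from the release notes; the row shape produced by `build_dns_policy_rows` is likewise this example's own.

```python
"""Rank policy violations and runtime failures, and flatten DNS/target
correlations, from a childflow-style JSONL flow log.

Added example, not part of childflow. Only the names policy_violation,
matched_domain, reason_code and phase are from the 0.8.0 release notes;
every other key and the event types below are assumptions.
"""
import json
from collections import Counter

# Constructed sample flow log (JSONL). Addresses are documentation ranges.
SAMPLE_FLOW_JSONL = """\
{"event":"dns_query","name":"api.example.test"}
{"event":"dns_answer","name":"api.example.test","ip":"203.0.113.10"}
{"event":"connect","target":"203.0.113.10:443"}
{"event":"dns_answer","name":"cdn.tracker.example.test","ip":"198.51.100.7"}
{"event":"connect","target":"198.51.100.7:443"}
{"event":"policy_violation","reason":"deny_domain","matched_domain":"tracker.example.test","name":"cdn.tracker.example.test","target":"198.51.100.7:443"}
{"event":"policy_violation","reason":"deny_domain","matched_domain":"tracker.example.test","name":"tracker.example.test"}
{"event":"policy_violation","reason":"deny_domain_exact","matched_domain":"ads.example.test","name":"ads.example.test"}
{"event":"runtime_failure","reason_code":"tun_unavailable","phase":"network_setup"}
{"event":"runtime_failure","reason_code":"tun_unavailable","phase":"network_setup"}
{"event":"runtime_failure","reason_code":"child_exec_failed","phase":"exec"}
"""


def parse_flow(text):
    """Parse one JSON object per line; a malformed line is an error with
    its line number rather than a silently skipped record."""
    events = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError as exc:
            raise ValueError(f"line {lineno}: malformed JSON: {exc}") from None
    return events


def rank(events, event_type, *keys):
    """Count the tuple of `keys` across events of `event_type`, most common
    first. Events missing any of the keys are left out so they cannot be
    counted under a bogus None bucket."""
    counts = Counter()
    for ev in events:
        if ev.get("event") != event_type:
            continue
        values = tuple(ev.get(k) for k in keys)
        if any(v is None for v in values):
            continue
        counts[values] += 1
    return counts.most_common()


def build_dns_policy_rows(events):
    """Flatten DNS name / answer IP / target / matched-domain correlations
    into one row per observed connect target (the shape is this example's,
    not childflow's documented schema)."""
    name_for_ip = {}       # answer IP -> queried name
    matched_for_name = {}  # queried name -> domain rule that blocked it
    for ev in events:
        kind = ev.get("event")
        if kind == "dns_answer":
            name_for_ip[ev["ip"]] = ev["name"]
        elif kind == "policy_violation" and "matched_domain" in ev:
            matched_for_name[ev.get("name")] = ev["matched_domain"]
    rows = []
    for ev in events:
        if ev.get("event") != "connect":
            continue
        target = ev["target"]
        ip = target.rsplit(":", 1)[0]  # strip the port
        name = name_for_ip.get(ip)
        rows.append({
            "dns_name": name,
            "answer_ip": ip,
            "target": target,
            "matched_domain": matched_for_name.get(name),
        })
    return rows


if __name__ == "__main__":
    evs = parse_flow(SAMPLE_FLOW_JSONL)
    print("blocked domains:", rank(evs, "policy_violation", "matched_domain"))
    print("runtime failures:", rank(evs, "runtime_failure", "reason_code", "phase"))
    for row in build_dns_policy_rows(evs):
        print(row)
```

Pointing `parse_flow` at a real `flow.jsonl` only works once the key names are adjusted to childflow's documented schema; the ranking and flattening logic itself does not depend on them.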

Observability and Host Diagnosis

  • Expanded --doctor with backend-aware capability checks for items such as:
    • namespace handles
    • uidmap helpers
    • /dev/net/tun
    • AF_PACKET capture
    • AppArmor user namespace restrictions
    • root privileges and forwarding checks for rootful mode
  • Improved Markdown reports with compact highlights and overview sections for DNS, policy, and runtime behavior.
  • Expanded --summary so it can surface top DNS names, top targets, domain-policy correlations, common policy violations, and common runtime failures after a run.
  • Added schema documentation for doctor, summary, report, and shared observability output.

Profiles, Demo, and CI

  • Extended TOML profiles so reusable sandbox definitions can also store:
    • summary_format
    • doctor_format
    • report_format
  • Kept CLI-overrides-profile behavior for those observability settings.
  • Expanded the Docker demo with reusable allow-domain and deny-domain profiles, plus report-driven domain-policy examples.
  • Added a dedicated domain-policy demo tape.
  • Expanded rootless integration coverage for domain matching, exact-domain matching, and subdomain behavior.
  • Kept CI coverage working across both ubuntu-22.04 and ubuntu-24.04.

Notes

  • childflow remains Linux-only.
  • Structured flow logs, reports, and domain-based policy controls currently target the default rootless-internal backend.
  • Profile files still use backend values such as backend = "rootful" rather than CLI-only convenience flags such as --root.
