Sandboxlib

- Offer templates can now define some static properties of the API host to be served statically in response to unauthenticated requests, such as the DAV header for OPTIONS requests as well as simple resources. This should allow DAV apps like Davros and Radicale to fix incompatibilities with certain client apps.
- Offer templates can now include a clipboard button which copies the text to the clipboard.
- Sharing emails to/from Github identities will now use the Github account's primary email address, rather than the first-listed address.
- Setting BIND_IP to an ipv6 address should now work.
- Improved styling of "shrink sidebar" button.
- Fixed that if you visited a grain URL when not logged in, saw the "request access" screen, then logged in as an identity that already has access, the "request access" screen would continue to display until refresh.
- Fixed that "request access" would display for non-existent grain IDs.
- Fixed several icons displaying incorrectly on IE, especially in the sharing UI.
- Fixed that the API endpoint URL in the (obscure) webkey dialog was showing up as `undefined`.

- If you open a grain URL to which you do not have access -- presumably becaues the owner forgot to share it with you, and thought that just copy/pasting the URL would work -- you will now be presented with the ability to send an access request email.
- Client apps accessing Sandstorm grains via HTTP APIs no longer need to be whitelisted for use of HTTP Basic Auth. As part of this, Sandstorm now allocates a new random hostname for every API key. This change was made so that an upcoming CalDAV apps can be used with any standard CalDAV client. We still prefer new apps use bearer token authorization rather than basic auth.
- IP network capabilities can now be granted through the powerbox, opening the door to apps that need to operate at the raw TCP or UDP level -- however, only the server admin is able to grant such capabilities, since it could be a security problem for large shared servers.
- Shrinking the sidebar is now sticky (remembered by your browser, not by the server).
- It is now possible for developers to recover from losing their app signing key by submitting a pull request against `src/sandstorm/appid-replacements.capnp` in the Sandstorm repository.
- More large internal refactoring to switch to ES6 with JSCS-enforced style checking.
- Fixed another issue that could cause spurious errors when returning to grains after losing internet connectivity for a bit.
- Fixed problem that caused Groove Basin streams to disconnect.
- Oasis: Fixed another problem preventing adding an identity to your account which was already attached to some other empty account.
- Oasis: Fixed problem preventing signup keys from being consumed (applies to preorders and Indiegogo customers who hadn't claimed their invites yet).

- Updated glibc for CVE-2015-7547.
- Oasis: Fixed a bug that prevented adding an identity that is already attached to an empty account.

- Initial version of Picker Powerbox implemented. A grain can now prompt the user to choose one of their other grains to share, and then the requesting grain can present that grain to other users. This could be used e.g. to share securely through a chat room or message board. Look for apps to start using this soon.
- When app search gives no results, we now suggest the user try the app market.
- HTTP headers `If-Match: *` and `If-None-Match: *` are now correctly passed through to the app.
- Added tooltips to all topbar items.
- The "share access" button now works in incognito mode (and suggests copy/pasting the link).
- Significant internal refactoring: Now using more ES6 features, and using `box-sizing: border-box` everywhere.
- Self-hosting: We now show an explanatory error message in the admin panel if `WILDCARD_HOST` is misconfigured, which we've found is a common mistake.
- Oasis: Fixed bug where grains could get stuck at "loading" spinner forever.

- Added support for HTTP PATCH method.
- Fixed inability to revoke some types of shares in the "who has access" dialog.
- Removed obsolete and confusing `sandstorm reset-oauth` shell command.

- Page titles (as in document.title) now use the server's title as specified in the admin settings rather than just "Sandstorm".
- Dev apps now appear first in the app list.
- Fixed apps with multiple "new" actions always using the last action when launched in dev mode.
- Fixed icon in sidebar for shared grains.
- Fixed computation of sharing stats (part of admin stats).
- Oasis: Fixed bug where free users were not getting infinite grains as promised after referring someone. :(
- Oasis: Users subscribed to our announcement mailing list will now receive 1GB bonus storage.