Sandboxlib

- Fixed that published web sites would incorrectly handle a query string when the path ended with '/'.
- Self-hosting: Improved messaging around changes to BASE_URL causing OAuth login providers to be de-configured.
- Sandstorm for Work: SAML now supports configuring a logout endpoint. If configured, SAML users who log out of Sandstorm will also be logged out of the IdP, and vice versa.
- Oasis: The user's total quota is now displayed along-side their current usage above the grain list.
- Oasis: When canceling a paid subscription (i.e. switching to "free"), you will now retain the benefits of the paid plan until the end of the current pay period. (This is in preparation for ending the beta discount, which makes all paid plans effectively free.)

- Sandstorm for Work: You can now disable the "about sandstorm" menu item as a whitelabeling setting.
- Fixed bug where grains that are actively handling API requests but which weren't open in any browser windows would shut down every couple minutes, only to start back up on the next request. These grains will now stay running.
- Fixed that apps were always being told "Accept-Encoding: gzip" whether or not the client actually sent this header. (Apps must be rebuilt with the latest sandstorm-http-bridge to receive this change.)
- Increased directory nesting limit in SPK files from 64 to 128 to work around long npm dependency chains.

- Installer should now work on RHEL, CentOS, Arch, and other distros where user namespaces are unavailable and/or kernel version 3.10 is in use.
- Fixed that trashed grains were not being shut down immediately.
- Fixed that non-root installs (an unusual configuration) were crashing on updates since v0.190. Unfortunately they will crash again on 0.193 but future updates should succeed.
- Fixed various bugs with standalone domains.
- Fixed that app-requested sign-in overlay appeared off-center on IE.
- The "Who has access?" dialog now shows a spinner while loading, since it can take several seconds.
- Made danger buttons less loud.
- Oasis: Fixed bug where storage could be temporarily miscalculated while a collaborator has one of your grains open.

- Apps can now request via postMessage that Sandstorm display a large sign-in prompt.
- On (experimental) standalone domains, the app can now request that the user be logged out.
- When running an app in dev mode, the perceived UID and GID inside the sandbox are now randomized. This is to help catch app bugs in which the app incorrectly assumes that these numbers will always be the same. When using the new "privileged" sandbox mode (which supports older Linux kernels), the UID depends on the host system, whereas in the past it has always been 1000.
- Fixed that if e-mail was not configured in Sandstorm, but the local machine had an MTA listening on port 25, sometimes Sandstorm would unexpectedly use it.
- Oasis: Restyled demo sidebar.
- Oasis: Restyled plan pricing table.

- Fix bug that broke Ethercalc.

- Sandstorm can now run on systems where user namespaces are not available, including on kernel version 3.10 (previously, 3.13 was required). This means RHEL 7, CentOS 7, and Arch should now be supported. However, we plan to spend some time testing this new mode before updating the installer script to accept these platforms. If you'd like to test it now -- with the caveat that there may be bugs -- try the updated installer script from [this pull request](https://github.com/sandstorm-io/sandstorm/pull/2656). Or, copy an existing Sandstorm install to a new server -- the new sandboxing mode is used automatically when user namespaces are unavailable.
- Changed LDAP config to mask the search password.
- Moved login errors to the top of the login dialog / menu, from the bottom.
- Fixed more admin settings inputs to automatically trim whitespace.
- Added internal support for "standalone grains", where a grain runs on a separate domain with Sandstorm UI hidden. This is experimental and currently requires poking the database to enable.