github docker/sbx-releases v0.30.0
on GitHub

3 hours ago

Highlights

This release introduces experimental MCP server management with an aggregate gateway, giving sandboxes a unified interface for accessing remote and local MCP servers — opt-in via the SBX_MCP_ENABLE environment variable (#2677). The CLI gets non-interactive Docker Hub login for scripted workflows (#2913), and sandboxes now have a configurable grace period before auto-stopping when the last session exits (#2849). Plus a wave of fixes covering Linux packaging, macOS worktree compatibility, Windows installer paths, network isolation, and recoverable sandbox state when host directories vanish.

What's New

MCP (experimental, opt-in)

  • Add MCP server management and aggregate gateway (#2677). Opt-in via the SBX_MCP_ENABLE environment variable, then register servers with sbx mcp add and pass --mcp <name> (or --mcp all) to sbx create / sbx run. Supports remote endpoints, the community registry (managed or --local), and local stdio commands. Examples: 
    # Remote MCP endpoint (OAuth auto-detected)
sbx mcp add notion --url https://mcp.notion.com/mcp

# Community registry, OCI image runs on host via docker run
sbx mcp add fetch --local --url https://registry.modelcontextprotocol.io/v0/servers/fetch-mcp/versions/latest

# Local stdio command (development only — no sandboxing, runs as host user)
sbx mcp add github --command npx --args @modelcontextprotocol/server-github

Governance & Policy

  • Allow sbx policy setup before login (#2903)

Kits & Agents

  • Re-run commands.startup on every container start so init hooks are idempotent across restarts (#2842)
  • Per-kit memory files for progressive disclosure (#2899)
  • Enumerate installed kits in the AI memory file's Kits section (#2906)

CLI & Auth

  • Add non-interactive Docker Hub login for scripted workflows (#2913)
  • Migrate /reset to /daemon/reset; state-dir wipe is now daemon-side (#2550)
  • Print "Git repository detected" once when using --branch (#2923)
  • Skip implicit run options when the user provides explicit args (#2880)

Networking & Sandboxd

  • Bind both loopback stacks by default when publishing ports (#2830)
  • Allow raw TCP to host.docker.internal when localhost is allowed in policy (#2929)
  • Add grace period before auto-stopping a sandbox when the last session exits (#2849)

Bug Fixes

  • Build sailor's ffi crate instead of ffi-krun for packaged Linux release artifacts (#2979)
  • Keep sandboxes recoverable when workspace or worktree is deleted on the host (#2928)
  • Add macOS /private path compatibility for worktrees (#2875)
  • Probe canonical socket path for sun_path budget — fixes krun_start_enter failed on macOS with long usernames (#2885)
  • Namespace gVisor socket dir and auth/secret stores by --app-name so concurrent daemons don't collide (#2896, #2900)
  • Sanitize runtime ID when looking up gVisor network (#2949)
  • Check database version before starting the daemon; surface an instructive error instead of crashing (#2882)
  • Report Docker daemon startup time instead of the pre-start message in DinD (#2854)
  • Harden BuildFileCredential to check more than just file existence (#2935)
  • Open a sentinel connection in cp and kit add to prevent auto-stop race (#2910)
  • Remove redundant ContainerKill before ContainerRemove in sandboxlib (#2909)
  • Use a safe Windows start invocation for OpenURL in the TUI (#2915)
  • Rename WiX install directory id to INSTALLFOLDER (#2945)

Documentation

  • Warn agents about worktree path traps with --branch (#2932)
  • Improve consistency and wording in CLI help strings (#2942)
Check out latest releases or
releases around docker/sbx-releases v0.30.0

Don't miss a new sbx-releases release

NewReleases is sending notifications on new releases.

Get notifications