github docker/sbx-releases v0.31.0

3 hours ago

Highlights

Clone mode: --clone

The --branch flag has been removed in favor of --clone (clone mode). Using --branch now fails with:

$ sbx run claude --branch foo
ERROR: --branch is no longer supported; use --clone instead

Clone mode does not create a branch or worktree on your behalf — instead of a host-side worktree, the sandbox now runs against an in-container read-only clone.

  • Your source repository is mounted into the sandbox read-only, and the shallow clone sets that mount as a Git remote. The agent only ever writes to the in-container clone, never to your working tree or .git/.
  • The clone lives on the sandbox's filesystem and is exposed back to the host as a sandbox-<name> Git remote served by git-daemon (no more .sbx/<name>-worktrees/... on the host).
  • Forge remotes (origin, upstream, etc.) on the host are propagated into the in-container clone, so the agent can git push origin directly, the same way you would. Local-path remotes are skipped.
  • Fetched sandbox refs are mirrored into refs/sandboxes/<name>/* on the host and persist after the sandbox is removed. Restore a branch from a removed sandbox with git branch <local-name> refs/sandboxes/<name>/<branch>. Commits that were never fetched, or uncommitted changes, are still lost on sbx rm.
  • The sandbox-<name> remote is added to your host on sbx create --clone / sbx run --clone and removed on sbx rm, including across stop and restart.
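
The recovery step described in the bullets above, as an added example (not part of the release notes or of sbx): a script that lists the refs mirrored under refs/sandboxes/<name>/* and recreates each one as a local branch without overwriting branches that already exist. The function names, the optional branch prefix and the demo fixture are assumptions; only the ref layout and the git branch command come from the notes.

```sh
#!/bin/sh
# Added example: restore local branches from mirrored sandbox refs.
# Assumes only the layout stated in the notes: refs/sandboxes/<name>/<branch>.
# The helper names below are hypothetical; none of them is an sbx command.

# Print the branch names mirrored for sandbox $1 in the repo at $2 (default .).
list_sandbox_branches() {
    git -C "${2:-.}" for-each-ref --format='%(refname:lstrip=3)' \
        "refs/sandboxes/$1/"
}

# Recreate every mirrored branch of sandbox $1 as local branch <prefix><branch>.
# An existing local branch is never moved; it is reported as skipped instead.
restore_sandbox_branches() {
    sb_name=$1 sb_repo=${2:-.} sb_prefix=${3:-}
    list_sandbox_branches "$sb_name" "$sb_repo" | while IFS= read -r sb_branch; do
        target="$sb_prefix$sb_branch"
        if git -C "$sb_repo" show-ref --verify --quiet "refs/heads/$target"; then
            echo "skipped $target"
        else
            git -C "$sb_repo" branch --quiet --no-track "$target" \
                "refs/sandboxes/$sb_name/$sb_branch" && echo "restored $target"
        fi
    done
}

# Constructed fixture: a throwaway repo with one commit and two refs placed
# where a fetch from a sandbox named "demo" would have mirrored them.
make_demo_repo() {
    demo_repo=$(mktemp -d) || return 1
    git -C "$demo_repo" init --quiet
    git -C "$demo_repo" -c user.name=demo -c user.email=demo@example.invalid \
        commit --quiet --allow-empty -m "agent work"
    demo_head=$(git -C "$demo_repo" rev-parse HEAD)
    git -C "$demo_repo" update-ref refs/sandboxes/demo/feature "$demo_head"
    git -C "$demo_repo" update-ref refs/sandboxes/demo/fix/login "$demo_head"
    echo "$demo_repo"
}

# Usage: script.sh <sandbox-name> [repo-path] [branch-prefix]
if [ "$#" -ge 1 ]; then
    restore_sandbox_branches "$@"
fi
```

Only refs that were fetched before sbx rm appear under refs/sandboxes/<name>/, so the script cannot bring back unfetched commits or uncommitted changes.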

What's New

CLI

  • sbx create auto-starts the daemon when it isn't already running.
  • sbx logout now stops the daemon and running sandboxes.
  • Unify terminal environment variables across sbx run and sbx exec.

Policies

  • Show policy and rule names in CLI list output and TUI details.
  • Add filters to the policies listing.

Kits

  • Mark kits as experimental.
  • Verbose error reporting for kit apply failures.

Sandboxes

  • Opt a sandbox into virtiofs caching at create time via DOCKER_SANDBOXES_ENABLE_VIRTIOFS_CACHE=1 (off by default; the choice is persisted in the spec and survives daemon restarts).

Networking

  • Allow public-CA CRL/OCSP/AIA endpoints in the balanced proxy preset. Applies to new installations or after sbx policy reset (which removes any user-added rules).

Telemetry

  • Surface port_publish_failed inner error detail.

Bug Fixes

  • Sort template ls output by repository, then tag.
  • Retry ExecResize to keep the agent TUI in sync.
  • Set TERM=xterm-256color when exec'ing with -t.
  • Move the state directory symlink from /tmp to ~/.sbx/run/.
  • Stop storageRootsGone from locking the storagekit singleton.
  • Use engineError and add retry debug logging in sandboxd.
  • Retry transient shim start closures.
  • Make Cursor session bootstrap proxy-local.
  • Add bracketed [::1] to NO_PROXY for IPv6 loopback.
  • Backdate proxy CA NotBefore to match the goproxy leaf cert window.
