docker/sbx-releases v0.32.0 on GitHub

Highlights

Audit logging: Sandboxes now emit structured JSONL audit records for policy decisions. Records are written to a per-OS log directory and can be forwarded to any SIEM platform for enterprise compliance workflows. Requires a Docker AI Governance subscription.

Sign-in enforcement: Administrators can now require Docker organization membership verification. Enforcement is deployed via standard endpoint management tooling: configuration profiles on macOS, the registry on Windows, and a JSON policy file on Linux. This closes the gap for organizations that need to ensure only authenticated, authorized users run AI coding agents.

What's New

CLI

Offer an interactive "Sign in with ChatGPT" OAuth flow on the first sbx create/sbx run codex when no Codex credentials are configured.
Pre-select balanced as the highlighted default in the first-run network policy prompt, so pressing Enter accepts the recommended policy.
Make global the default scope for policy network allow|deny and policy rm; add --sandbox to target a specific sandbox and drop the -g/--global flag.
Simplify sbx version to a single line by default; gate detailed information behind -D/--debug.
Unhide sbx secret set-custom, a command for setting custom secrets, and mark it as experimental.

Secrets

Add OpenRouter as a built-in service provider, so sbx secret set <sandbox> openrouter works without set-custom and the proxy injects Authorization: Bearer <token> automatically.
Fall back to an encrypted on-disk secrets store on Linux/WSL hosts where no working keychain is available, with a one-time warning on secret-writing paths including sbx login.
Substitute custom-secret sentinels inside HTTP Basic auth payloads, so credentials referenced in Basic Authorization headers are resolved like other sentinel shapes.

Networking

Hide inactive governed policy rules by default in sbx policy ls and the TUI Network Rules view, with governance/sync status, hidden-rule indicators, and an --include-inactive flag (TUI i toggle) to reveal them.
Route OAuth/browser-open requests to the caller's graphical session, fixing /login opening on the host's display instead of the SSH terminal that invoked it.

Kits

Support the v2 OCI kit artifact format end-to-end, so kits are standard OCI images that registries and OCI tooling (Hub, oras, crane, skopeo) can introspect without kit-specific knowledge.
Write files/workspace/<path> kit entries correctly when sbx run --clone is used; previously the file hook fired before the in-container clone populated the workspace and failed the sandbox start.

Performance

Keep virtiofs caching enabled for sandboxes using --clone, avoiding a FUSE round-trip on every stat() and speeding up git status, grep -r, and tree walks inside the sandbox.

Packaging

Require the system keyring dependency in Linux packages so credential storage works out of the box.

Documentation

Replace stale --branch/worktree guidance in generated agent guidance (CLAUDE.md/AGENTS.md) with --clone, including how to sync host commits via /run/sandbox/source.

Bug Fixes

Fix an issue with sbx secret set <sandbox> <service> silently dropping credentials while reporting success.
Migrate stale runtime SocketPath references on daemon restart, so sandboxes upgraded from v0.31.0 stay visible to sbx ls after /tmp is cleaned.
Keep non-interactive sbx exec output intact by not tearing down the attach-exec bridge on stdin EOF (no more spurious empty output with exit code 0).
Clear stale pending status in the TUI when a network deny rule is deleted, so a host no longer shows as Blocked after its rule is removed.
Bind MCP gateway state to the daemon-assigned runtime instance so a same-name sandbox recreate cannot leave Claude pointed at a stale gateway port.
Set the default network policy before launching the TUI to avoid spurious 412 errors from policy-rule requests.
Stop counting expected rm/stop/list-ports "not found" 404s as analytics failures, so routine existence checks no longer inflate error dashboards.
Require a daemon restart (instead of failing with 405 Method Not Allowed) when downgrading the CLI below a newer running daemon.