github docker/sbx-releases v0.33.0-rc1

pre-release, 3 hours ago

Highlights

v0.33.0-rc1 sharpens network isolation and policy enforcement and reworks sandbox identity around --name. Sandbox DNS is now gated on network policy (closing a DNS-based exfiltration channel), ICMP egress is blocked across daemon restarts, and the MITM proxy publishes a CRL so revocation-strict clients (e.g. .NET) keep working. sbx run --name becomes the primary sandbox identity key, letting you run and re-attach to multiple independently-named sandboxes in the same workspace. This release also enables the virtiofs cache by default on macOS and Linux.

What's New

Sandbox Identity & CLI

  • sbx run --name now identifies a sandbox independent of the working directory: run multiple independently-named sandboxes in the same workspace, re-attach from any directory (agent may be omitted), and re-run a create command to re-enter. It no longer auto-creates numbered sibling sandboxes, prompts before entering a same-named sandbox from a different workspace, and errors when the requested agent doesn't match the named sandbox. The TUI follows the same rules.
  • sbx ls --json now reports a stable per-sandbox id.
  • sbx create now fails with a clear missing-agent error when run without arguments.
  • sbx exec now uses the same working directory as sbx run.
  • sbx cp -L now follows symlinks in the source path for container-to-host copies.
  • Daemon inspect output is now included in the diagnostics bundle.

Networking & Proxy

  • Sandbox DNS lookups are now gated on the network policy: a sandboxed process can no longer resolve domains that policy denies, closing a DNS-based data-exfiltration channel. Loopback names (e.g. localhost) are exempt so local OAuth callback flows keep working.
  • Outgoing ICMP from sandboxes is now blocked across daemon restarts.
  • CIDR subnet allow rules (e.g. sbx policy allow network 10.10.14.0/24) now correctly permit traffic to IP addresses within the subnet.
  • The MITM proxy now publishes a CRL and embeds a CRL distribution point in generated certificates, fixing clients that require certificate revocation checking (e.g. .NET CheckCertificateRevocationList=true).
  • Removed the bracketed [::1] entry from the container NO_PROXY default, fixing credential injection for HTTP clients that mis-parsed it.
  • Claude connectors (Slack, Gmail, Notion, Atlassian, etc.) now work inside sbx-sandboxed Claude Code without manual policy overrides.

Secrets & Credentials

  • sbx secret set-custom --host now accepts wildcard host patterns (* matches one label, ** matches any number) and is repeatable, so one custom secret can cover multiple subdomains/domains.
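
Added example (not sbx code): a label-wise matcher showing which hosts a --host pattern would cover under the semantics stated above, useful for checking a secret's scope before setting it. The function names are hypothetical, and two points are assumptions the release notes do not settle: ** is allowed to match zero labels, and wildcards inside a label (e.g. api*) are rejected.

```python
# Added illustration of the stated wildcard semantics; not sbx's implementation.

def _labels(name: str) -> list[str]:
    """Lower-case a DNS name, drop one trailing dot, split into labels."""
    name = name.strip().lower()
    if name.endswith("."):
        name = name[:-1]
    return name.split(".") if name else []


def host_matches(pattern: str, host: str) -> bool:
    """Label-wise match: '*' is exactly one label, '**' is any number of labels."""
    pat, labels = _labels(pattern), _labels(host)
    if not pat or not labels or "" in pat or "" in labels:
        return False  # empty names or empty labels never match
    for p in pat:
        if "*" in p and p not in ("*", "**"):
            # Assumption: partial-label wildcards are not described, so refuse them.
            raise ValueError(f"partial-label wildcard not modelled: {p!r}")

    def match(i: int, j: int) -> bool:
        if i == len(pat):
            return j == len(labels)  # whole host must be consumed, no suffix match
        if pat[i] == "**":
            # Assumption: '**' may consume zero or more labels.
            return any(match(i + 1, k) for k in range(j, len(labels) + 1))
        if j == len(labels):
            return False
        return (pat[i] == "*" or pat[i] == labels[j]) and match(i + 1, j + 1)

    return match(0, 0)


def secret_applies(patterns: list[str], host: str) -> bool:
    """A secret with repeated --host patterns applies if any one pattern matches."""
    return any(host_matches(p, host) for p in patterns)


if __name__ == "__main__":
    # Constructed sample hosts, chosen to show where each pattern stops matching.
    patterns = ["*.example.com", "**.internal.example.org"]
    for h in ["api.example.com", "a.b.example.com", "example.com",
              "api.example.com.other.test", "x.y.internal.example.org"]:
        print(f"{h:32} {secret_applies(patterns, h)}")
```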

Agents

  • Fixed Cursor repeatedly prompting for login; Cursor OAuth credentials now also appear in sbx secret ls.
  • Fixed Cursor agents failing to start with "No model found" when authenticating with a Cursor API key.

Platform & Performance

  • The virtiofs cache is now enabled by default on macOS and Linux.
  • Build packages for linux/arm64 are now produced.
  • On Linux, the keychain backend now falls back to the encrypted on-disk store when dbus-launch is unavailable, fixing headless/server hosts.

Bug Fixes

  • Suppress a misleading warning when saving OAuth credentials while the daemon is not running.
  • Fixed a TTY sizing issue on Windows.
  • Keep agent entrypoint flags when arguments after -- are themselves flags.
  • Inject git identity from subdirectories and [include]d Git config when cloning.
  • Proxy service detection now supports middle-position wildcards.
  • Sandboxes blocked by mount policies are no longer filtered out on daemon startup.
