Highlights
This release candidate hardens credential handling on the daemon-routed sandbox-create path, closing two regressions where credentials could be mishandled when a create was routed through the daemon rather than the legacy in-process path. Registry-credential injection is restored, and the credentials.failClosed enforcement now applies to all agents instead of only codex.
Bug Fixes
- Restore registry-credential injection for `sbx secret set --registry` bindings: sandbox creates that have a registry credential bound now route through the in-process create path that writes `~/.docker/config.json` into the sandbox, so `docker pull` from inside the sandbox authenticates correctly. Other sandboxes continue to use the daemon-routed create path.
- Honour the `credentials.failClosed` setting on all sandbox creates, not just codex. The interactive credential-binding wizard now fires on TTY-attached `sbx create` invocations with `failClosed=true`, and credentials whose inject domains aren't approved by your bindings are dropped before the create reaches the daemon.