Answers are generated based on the documentation.

Docker Sandboxes release notes

This page lists changes in recent stable releases of Docker Sandboxes. For the full release history, including pre-releases and downloads, see the Docker Sandboxes releases on GitHub.

0.34.0

2026-06-26

GitHub release

Highlights

Kit installs are now restricted to an allowlist of sources, defaulting to Docker Hub only — a breaking change if you install kits from a Git URL or another registry.

This release also renames sbx policy set-default to sbx policy init, restores published ports when a sandbox restarts, fixes a number of bugs, and adds two experimental previews: a native SSH endpoint and an sbx setup command for smoother first-time onboarding.

What's New

SSH

  • Add an experimental native SSH endpoint in sandboxd: connect with ssh <sandbox-name>@127.0.0.1 -p 2222 (publickey auth, connect-to-create, interactive shell and exec; no SFTP yet). Enable with sbx settings set feature.ssh true.

Setup & Onboarding

  • Add an experimental sbx setup command that imports agent credentials from environment variables.

Agents

  • Cursor sandboxes no longer show the workspace trust prompt on launch.

Kits

  • Add OCI v2 kit artifact streaming that decompresses the layer once to a cache directory and uses seek-based random access, so file content is not held in memory between reads.

  • Restrict kit installs to an allowlist of sources, defaulting to Docker Hub (docker.io/) only.

    Breaking: installing a kit from another registry or a Git URL fails until you add its prefix with sbx settings set kit.allowedSources. See Docs: Restrict kit sources for details.

CLI & Behavior Changes

  • Rename sbx policy set-default to sbx policy init; the old name keeps working as a hidden, deprecated alias.
  • Published sandbox ports are restored on restart, and the CLI/TUI can recover explicit host-port conflicts by choosing a new host port.

Bug Fixes

  • Fix a daemon hang where a slow or stuck sandbox creation/deletion blocked sbx ls, the TUI, and new sessions until the daemon was restarted.
  • Fix a kit mixin regression where adding network.serviceDomains for a service already provided by the base agent failed with a "credential … defined in both" error.
  • Reject + in sandbox names with a clear validation error instead of panicking.
  • Fix the interactive host-port conflict recovery prompt not appearing on Windows when restarting a sandbox whose published port is already in use.

0.33.0

2026-06-17

GitHub release

Highlights

sbx run --name <sandbox> now re-attaches to an existing sandbox by name. You can now also create multiple sandboxes of the same agent type and workspace by specifying unique sandbox names with --name.

Consequently, re-attaching to existing sandboxes with sbx run <name> is deprecated; the preferred form is sbx run --name <name>. The positional argument for sbx run should be an agent (e.g. claude, or codex). Sandbox name as the positional argument for run is still supported but will be removed in a future release.

This release also improves network isolation and policy enforcement. Sandbox DNS is now gated on network policy (closing a DNS-based exfiltration channel), ICMP egress is blocked across daemon restarts, and the MITM proxy publishes a CRL so revocation-strict clients keep working.

What's New

Sandbox Identity & CLI

  • sbx run --name now identifies a sandbox independent of the working directory: run multiple independently-named sandboxes in the same workspace, re-attach from any directory (agent may be omitted), and re-run a create command to re-enter. It no longer auto-creates numbered sibling sandboxes, prompts before entering a same-named sandbox from a different workspace, and errors when the requested agent doesn't match the named sandbox. The TUI follows the same rules.
  • sbx run <sandbox> now prints a deprecation warning when re-attaching to an existing sandbox; use sbx run --name <sandbox> instead.
  • sbx ls --json now reports a stable per-sandbox id.
  • sbx create now fails with a clear missing-agent error when run without arguments.
  • sbx exec now uses the same working directory as sbx run.
  • sbx cp -L now follows symlinks in the source path for sandbox-to-host copies.
  • Daemon inspect output is now included in the diagnostics bundle.

Networking & Proxy

  • Sandbox DNS lookups are now gated on the network policy: a sandboxed process can no longer resolve domains that policy denies, closing a DNS-based data-exfiltration channel. Loopback names (e.g. localhost) are exempt to avoid breaking local OAuth callback flows. CVE-2026-12039
  • Outgoing ICMP from sandboxes is now blocked across daemon restarts. CVE-2026-12539
  • CIDR subnet allow rules (e.g. sbx policy allow network 10.10.14.0/24) now correctly permit traffic to IP addresses within the subnet.
  • The MITM proxy now publishes a CRL and embeds a CRL distribution point in generated certificates, fixing clients that require certificate revocation checking (e.g. .NET CheckCertificateRevocationList=true).
  • Removed the bracketed [::1] entry from the sandbox NO_PROXY default, fixing credential injection for HTTP clients that mis-parsed it.
  • Claude connectors (Slack, Gmail, Notion, Atlassian, etc.) now work inside sandboxed Claude Code without manual policy overrides.

Secrets & Credentials

  • sbx secret set-custom --host, and serviceDomains in kits, now accept wildcard host patterns (* matches one label, ** matches any number) and is repeatable, so one custom secret can cover multiple subdomains/domains.

Agents

  • Cursor OAuth is now supported

Platform & Performance

  • The virtiofs cache is now enabled by default on macOS and Linux.
  • Build packages for linux/arm64 are now produced.
  • On Linux, the keychain backend now falls back to the encrypted on-disk store when dbus-launch is unavailable, fixing headless/server hosts.

Bug Fixes

  • Suppress a misleading warning when saving OAuth credentials while the daemon is not running.
  • Fixed a TTY sizing issue on Windows.
  • Keep agent entrypoint flags when arguments after -- are themselves flags.
  • Inject git identity from subdirectories and [include]d Git config when cloning.
  • Proxy service detection now supports middle-position wildcards.
  • Sandboxes blocked by mount policies are no longer filtered out on daemon startup.

0.32.0

2026-06-09

GitHub release

Highlights

Audit logging: Sandboxes now emit structured JSONL audit records for policy decisions. Records are written to a per-OS log directory and can be forwarded to any SIEM platform for enterprise compliance workflows. Requires a Docker AI Governance subscription.

Sign-in enforcement: Administrators can now require Docker organization membership verification. Enforcement is deployed via standard endpoint management tooling: configuration profiles on macOS, the registry on Windows, and a JSON policy file on Linux. This closes the gap for organizations that need to ensure only authenticated, authorized users run AI coding agents.

What's New

CLI

  • Offer an interactive "Sign in with ChatGPT" OAuth flow on the first sbx create/sbx run codex when no Codex credentials are configured.
  • Pre-select balanced as the highlighted default in the first-run network policy prompt, so pressing Enter accepts the recommended policy.
  • Make global the default scope for policy network allow|deny and policy rm; add --sandbox to target a specific sandbox and drop the -g/--global flag.
  • Simplify sbx version to a single line by default; gate detailed information behind -D/--debug.
  • Unhide sbx secret set-custom, a command for setting custom secrets, and mark it as experimental.

Secrets

  • Add OpenRouter as a built-in service provider, so sbx secret set <sandbox> openrouter works without set-custom and the proxy injects Authorization: Bearer <token> automatically.
  • Fall back to an encrypted on-disk secrets store on Linux/WSL hosts where no working keychain is available, with a one-time warning on secret-writing paths including sbx login.
  • Substitute custom-secret sentinels inside HTTP Basic auth payloads, so credentials referenced in Basic Authorization headers are resolved like other sentinel shapes.

Networking

  • Hide inactive governed policy rules by default in sbx policy ls and the TUI Network Rules view, with governance/sync status, hidden-rule indicators, and an --include-inactive flag (TUI i toggle) to reveal them.
  • Route OAuth/browser-open requests to the caller's graphical session, fixing /login opening on the host's display instead of the SSH terminal that invoked it.

Kits

  • Support the v2 OCI kit artifact format end-to-end, so kits are standard OCI images that registries and OCI tooling (Hub, oras, crane, skopeo) can introspect without kit-specific knowledge.
  • Write files/workspace/<path> kit entries correctly when sbx run --clone is used; previously the file hook fired before the in-container clone populated the workspace and failed the sandbox start.

Performance

  • Keep virtiofs caching enabled for sandboxes using --clone, avoiding a FUSE round-trip on every stat() and speeding up git status, grep -r, and tree walks inside the sandbox.

Packaging

  • Require the system keyring dependency in Linux packages so credential storage works out of the box.

Documentation

  • Replace stale --branch/worktree guidance in generated agent guidance (CLAUDE.md/AGENTS.md) with --clone, including how to sync host commits via /run/sandbox/source.

Bug Fixes

  • Fix an issue with sbx secret set <sandbox> <service> silently dropping credentials while reporting success.
  • Migrate stale runtime SocketPath references on daemon restart, so sandboxes upgraded from v0.31.0 stay visible to sbx ls after /tmp is cleaned.
  • Keep non-interactive sbx exec output intact by not tearing down the attach-exec bridge on stdin EOF (no more spurious empty output with exit code 0).
  • Clear stale pending status in the TUI when a network deny rule is deleted, so a host no longer shows as Blocked after its rule is removed.
  • Bind MCP gateway state to the daemon-assigned runtime instance so a same-name sandbox recreate cannot leave Claude pointed at a stale gateway port.
  • Set the default network policy before launching the TUI to avoid spurious 412 errors from policy-rule requests.
  • Stop counting expected rm/stop/list-ports "not found" 404s as analytics failures, so routine existence checks no longer inflate error dashboards.
  • Require a daemon restart (instead of failing with 405 Method Not Allowed) when downgrading the CLI below a newer running daemon.

Earlier releases

For older versions, see the Docker Sandboxes releases on GitHub.