diff --git a/content/manuals/ai/sandboxes/release-notes.md b/content/manuals/ai/sandboxes/release-notes.md index 105431fdc320..19cb21f2c8ae 100644 --- a/content/manuals/ai/sandboxes/release-notes.md +++ b/content/manuals/ai/sandboxes/release-notes.md @@ -15,6 +15,100 @@ the full release history, including pre-releases and downloads, see the +## 0.32.0 + +{{< release-date date="2026-06-09" >}} + +[GitHub release](https://github.com/docker/sbx-releases/releases/tag/v0.32.0) + +### Highlights + +**[Audit logging](https://docs.docker.com/ai/sandboxes/governance/audit/)**: Sandboxes now emit structured JSONL audit records for policy decisions. Records are written to a per-OS log directory and can be forwarded to any SIEM platform for enterprise compliance workflows. Requires a Docker AI Governance subscription. + +**[Sign-in enforcement](https://docs.docker.com/ai/sandboxes/governance/sign-in-enforcement/)**: Administrators can now require Docker organization membership verification. Enforcement is deployed via standard endpoint management tooling: configuration profiles on macOS, the registry on Windows, and a JSON policy file on Linux. This closes the gap for organizations that need to ensure only authenticated, authorized users run AI coding agents. + +### What's New + +#### CLI + +- Offer an interactive "Sign in with ChatGPT" OAuth flow on the first `sbx create`/`sbx run codex` when no Codex credentials are configured. +- Pre-select `balanced` as the highlighted default in the first-run network policy prompt, so pressing Enter accepts the recommended policy. +- Make global the default scope for `policy network allow|deny` and `policy rm`; add `--sandbox` to target a specific sandbox and drop the `-g/--global` flag. +- Simplify `sbx version` to a single line by default; gate detailed information behind `-D/--debug`. +- Unhide `sbx secret set-custom`, a command for [setting custom secrets](https://docs.docker.com/ai/sandboxes/security/credentials/#custom-secrets), and mark it as experimental. + +#### Secrets + +- Add OpenRouter as a built-in service provider, so `sbx secret set openrouter` works without `set-custom` and the proxy injects `Authorization: Bearer ` automatically. +- Fall back to an encrypted on-disk secrets store on Linux/WSL hosts where no working keychain is available, with a one-time warning on secret-writing paths including `sbx login`. +- Substitute custom-secret sentinels inside HTTP Basic auth payloads, so credentials referenced in `Basic` Authorization headers are resolved like other sentinel shapes. + +#### Networking + +- Hide inactive governed policy rules by default in `sbx policy ls` and the TUI Network Rules view, with governance/sync status, hidden-rule indicators, and an `--include-inactive` flag (TUI `i` toggle) to reveal them. +- Route OAuth/browser-open requests to the caller's graphical session, fixing `/login` opening on the host's display instead of the SSH terminal that invoked it. + +#### Kits + +- Support the v2 OCI kit artifact format end-to-end, so kits are standard OCI images that registries and OCI tooling (Hub, `oras`, `crane`, `skopeo`) can introspect without kit-specific knowledge. +- Write `files/workspace/` kit entries correctly when `sbx run --clone` is used; previously the file hook fired before the in-container clone populated the workspace and failed the sandbox start. + +#### Performance + +- Keep virtiofs caching enabled for sandboxes using `--clone`, avoiding a FUSE round-trip on every `stat()` and speeding up `git status`, `grep -r`, and tree walks inside the sandbox. + +#### Packaging + +- Require the system keyring dependency in Linux packages so credential storage works out of the box. + +#### Documentation + +- Replace stale `--branch`/worktree guidance in generated agent guidance (CLAUDE.md/AGENTS.md) with `--clone`, including how to sync host commits via `/run/sandbox/source`. + +#### Bug Fixes + +- Fix an issue with `sbx secret set ` silently dropping credentials while reporting success. +- Migrate stale runtime `SocketPath` references on daemon restart, so sandboxes upgraded from v0.31.0 stay visible to `sbx ls` after `/tmp` is cleaned. +- Keep non-interactive `sbx exec` output intact by not tearing down the attach-exec bridge on stdin EOF (no more spurious empty output with exit code 0). +- Clear stale pending status in the TUI when a network deny rule is deleted, so a host no longer shows as Blocked after its rule is removed. +- Bind MCP gateway state to the daemon-assigned runtime instance so a same-name sandbox recreate cannot leave Claude pointed at a stale gateway port. +- Set the default network policy before launching the TUI to avoid spurious 412 errors from policy-rule requests. +- Stop counting expected `rm`/`stop`/list-ports "not found" 404s as analytics failures, so routine existence checks no longer inflate error dashboards. +- Require a daemon restart (instead of failing with `405 Method Not Allowed`) when downgrading the CLI below a newer running daemon. + +## 0.31.3 + +{{< release-date date="2026-06-03" >}} + +[GitHub release](https://github.com/docker/sbx-releases/releases/tag/v0.31.3) + +### Bug Fixes + +- Fix a failure to start sandboxes that were created with older versions of the CLI. +- Fix a file descriptor leak on Linux. Each credential lookup left a session + D-Bus socket open, so long-running processes (such as the daemon) could + gradually accumulate open file descriptors and eventually hit the session + bus's connection limit, failing with "The maximum number of active + connections has been reached." Connections are now closed after each + operation. macOS and Windows were not affected. + +## 0.31.2 + +{{< release-date date="2026-06-01" >}} + +[GitHub release](https://github.com/docker/sbx-releases/releases/tag/v0.31.2) + +### Highlights + +This patch release resolves two reliability issues. It **fixes a Windows issue** where odd default sandbox memory values could lead to startup timeouts. It also includes a **daemon-compatibility fix** that prevents a silent failure (`405 Method Not Allowed`) when the `sbx` CLI is downgraded while a newer `sandboxd` daemon is still running — the CLI now requires a daemon restart instead. + +### What's New + +#### Bug Fixes + +- Fix a Windows issue where odd default sandbox memory values could lead to startup timeouts. +- Require a daemon restart when downgrading the CLI below a running daemon, instead of silently proceeding into a `405 Method Not Allowed` error. + ## 0.31.1 {{< release-date date="2026-05-29" >}} @@ -33,9 +127,6 @@ the full release history, including pre-releases and downloads, see the ### Highlights -> [!IMPORTANT] -> This release has a known issue where sandboxes from earlier versions may not be listed by sbx ls and can fail to run. This is fixed in [v0.31.1](https://github.com/docker/sbx-releases/releases/tag/v0.31.1) — please upgrade. - #### Clone mode: `--clone` The `--branch` flag has been removed in favor of `--clone` (clone mode). Using `--branch` now fails with: @@ -83,6 +174,13 @@ Clone mode does not create a branch or worktree on your behalf — instead of a - Surface `port_publish_failed` inner error detail. +#### Secrets + +- Store container-registry pull credentials with `sbx secret set --registry`, so `sbx run --template` and `sbx run --kit` can pull from private registries (GHCR, ACR, ECR, Quay, …) without a `docker login`. Manage entries with `sbx secret ls` and remove them with `sbx secret rm --registry `. + +> [!WARNING] +> By default the credential is stored **host-side only** and is used just for pulling templates/kits. It is never placed inside a sandbox. If you pass `-g` (or scope it to a sandbox name), the credential is **injected into the sandbox in plaintext**, where the agent and any code running there can read it. Only use `-g`/sandbox scope when the sandbox itself needs to pull from the registry; otherwise omit `-g` to keep it host-only. + #### Bug Fixes - Sort `template ls` output by repository, then tag. @@ -152,55 +250,6 @@ The CLI gets **non-interactive Docker Hub login** for scripted workflows, and sa - Warn agents about worktree path traps with `--branch` - Improve consistency and wording in CLI help strings -## 0.29.0 - -{{< release-date date="2026-05-13" >}} - -[GitHub release](https://github.com/docker/sbx-releases/releases/tag/v0.29.0) - -### Highlights - -This release brings **per-sandbox network policies**, giving callers fine-grained control over which domains each sandbox can reach, including an explicit `deniedDomains` list and allowance for binary TCP protocols like SSH. Sandboxes now carry **daemon-assigned UUIDs**, enabling reliable identification across restarts and telemetry. Several **agent improvements** land in this release: Gemini gets SSO browser relay, Codex auth is more robust, and the OpenAI OAuth flow now auto-opens the browser. A round of **bug fixes** improves daemon robustness on macOS (long-username `sun_path` overflow), gVisor isolation under `--app-name`, and database-version handling. - -### What's New - -#### Networking & Policy - -- Support per-sandbox scoped network policies -- Add `deniedDomains` to network kit policy -- Allow binary TCP protocols (e.g. SSH) through domain allow rules -- Pipe in policykit error handler for better diagnostics - -#### Sandboxes - -- Add daemon-assigned UUID to sandbox runtimes - -#### Agents - -- Enable SSO browser relay for Gemini -- Auto-open browser during OpenAI OAuth flow -- Skip auth.json placeholder for Codex when no host credentials -- Expose Claude guidance to Codex sandboxes - -#### CLI - -- Require confirmation for `sbx rm ` to prevent accidental deletion -- Unhide `kit` command in help output - -#### Bug Fixes - -- Namespace gVisor socket dir by `--app-name` so concurrent daemons don't share state -- Probe canonical socket path for `sun_path` budget — fixes `krun_start_enter failed` for macOS users with long usernames -- Check database version before starting the daemon and surface an instructive error instead of crashing -- Route gVisor sockets to a persistent, sandboxd-owned location -- Delete stranded tracker after failed auto-stop with no active sessions -- Clean up DinD volume even when container inspect fails -- Apply `SANDBOXES_STORAGE_ROOT` override to storage config -- Report running binary (not first `sbx` on PATH) in `diagnose` -- Explain how to configure OpenAI credentials in no-creds warning -- Allow MCR layer-blob CDN in default-code-and-containers policy -- Improve empty state of `sbx ls` with actionable guidance - ## Earlier releases