docs(sandboxes): post-v0.32.0 doc updates#25329
Conversation
docker-agent left a comment
Assessment: 🟢 APPROVE
The three documentation updates are accurate, well-scoped, and follow Docker's style guide. No issues found.
…olation Sandbox DNS lookups now go through the same policy engine as TCP connections — a denied domain is refused at the resolver level, not just the connection level. Updated the network isolation description to reflect this guarantee rather than describing DNS as merely proxied. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Audit records now include an `agent` field identifying which AI agent drove the sandbox (claude, codex, etc.), so multi-agent deployments can attribute policy decisions per agent. Added to the example record and the field reference table. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
`sbx secret set-custom --host` is now repeatable, so one secret entry can cover multiple domains. Added a second example showing the multi-host form and updated the prose to reflect that the proxy matches any of the configured hosts. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
`--name` now identifies a sandbox independently of the working directory. Expanded the reconnecting and naming section to cover: re-attaching by name from any directory, re-running a create command to reconnect without error, and using distinct names to run multiple sandboxes against the same workspace. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
`sbx secret set-custom --host` accepts wildcards (`*` for a single label, `**` for any number), using the same syntax as network rules. Added a note and examples alongside the repeatable `--host` guidance. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…d Linux Direct-mode virtiofs caching is now on by default on macOS and Linux; Windows remains opt-in. Corrected the troubleshooting guidance, which still described caching as disabled by default, and documented `DOCKER_SANDBOXES_ENABLE_VIRTIOFS_CACHE=0` as the kill switch. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Arguments after `--` no longer wholesale-replace an agent's default entrypoint flags. The default flags are now kept when the first user argument is itself a flag (begins with `-`), and replaced only when the first argument is a bare word (a subcommand or prompt). Updated the "Default startup command" section on each affected agent page and fixed examples that re-included flags now retained automatically. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
`Ctrl+V` image/screenshot paste into sandboxed agents (Claude Code, Codex) is opt-in via the `clipboard.imagePaste` setting. Added an FAQ entry covering how to enable it and the isolation tradeoff: enabling it lets a sandbox process read the host clipboard through the proxy, scoped to image data only and never cached or logged. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…odel Lead "How credential injection works" with the injection model and an orientation table (which form to use, when), and group the value sources. Reframe registry credentials by purpose and isolation posture rather than as the "non-injection" outlier: explain the host-only/global/sandbox scopes upfront, that in-sandbox credentials are written to `~/.docker/config.json` at creation time (less isolated than proxy injection), and show the store-then-run ordering. Add a best-practices note on the registry isolation tradeoff. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
docker-agent left a comment
Assessment: 🟢 APPROVE
This PR documents Docker Sandboxes v0.32–v0.33 changes clearly and accurately. The changes are well-scoped, technically coherent, and follow the documentation style guide. One minor suggestion about platform-specific paste shortcut clarity is left as an inline comment.
| ## Can I paste images into an agent? | ||
|
|
||
| Yes, but it's off by default. Text paste already works, because the terminal | ||
| sends it directly. Pasting an image or screenshot with `Ctrl+V` is different: |
[MEDIUM] Ctrl+V paste shortcut may be incorrect or incomplete for macOS users
The FAQ section uses Ctrl+V as the paste shortcut for image pasting, but Docker Desktop's primary user base includes macOS where Cmd+V is the standard paste shortcut in native terminals (Terminal.app, iTerm2, etc.). If Docker Sandboxes uses a native terminal UI on macOS, macOS users would need Cmd+V, not Ctrl+V.
Consider clarifying which terminal type this applies to, or noting the platform-specific shortcut (e.g., Cmd+V on macOS, Ctrl+V on Linux/Windows) to avoid confusing macOS users.
| endpoint being called. See individual [agent pages](../agents/) for | ||
| provider-specific details. | ||
| When a sandbox makes an outbound request, the host-side proxy decides three | ||
| things: whether the request **matches** a service the kit (or built-in agent) |
Flagging the bolding, as it seems like non-UI elements. Readability is good imo though.
Summary
Documentation updates based on changes merged into docker/sandboxes after the v0.32.0 release cut (through v0.33.0-rc1):
- `security/isolation.md`: clarifies that DNS resolution is subject to the same network policy as outbound connections — domains that policy denies are refused at the resolver, not just blocked at the connection level. Loopback names such as `localhost` are always resolved regardless of policy.
- `governance/audit.md`: documents the new `agent` field on audit records, which identifies the AI agent driving the sandbox.
- `security/credentials.md`: documents that `--host` on `sbx secret set-custom` is now repeatable and accepts wildcard patterns (`*` for a single label, `**` for any number), so one secret can cover multiple domains.
- `--name` as primary sandbox identity (`usage.md`, `workflows.md`): documents that `--name` identifies a sandbox independently of the working directory — re-attach from anywhere, run multiple named sandboxes per workspace, and re-run a create command to reconnect. Updates existing examples that used the positional sandbox-name form to use `--name` for consistency.
- `troubleshooting.md`: corrects the slow-filesystem guidance — virtiofs caching is now enabled by default on macOS and Linux (Windows remains opt-in), and `DOCKER_SANDBOXES_ENABLE_VIRTIOFS_CACHE=0` is the kill switch.
- `--` argument behavior (`agents/*.md`): corrects the "Default startup command" guidance across the agent pages — arguments after `--` keep the agent's default flags when the first argument is itself a flag, and replace them only when it's a bare word (subcommand or prompt).
- `faq.md`: documents the opt-in `clipboard.imagePaste` setting for pasting host images into agents with `Ctrl+V`, including the host-clipboard isolation tradeoff.
- `security/credentials.md`: [not really v0.33-specific but this needed clarification] leads with the injection model + an orientation table (which form to use, when), groups the value sources, and reframes registry credentials by purpose and isolation posture — scopes explained upfront, the in-sandbox/create-time behavior of `~/.docker/config.json`, and the isolation tradeoff vs proxy injection.

Generated by Claude Code
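As an added illustration of the repeatable, wildcard `--host` semantics the credentials doc now describes (example code written here, not docker/sandboxes' own matcher): a secret entry with several host patterns is injected when the destination matches any of them, `*` matches exactly one DNS label, and `**` is assumed to match zero or more labels (the page only says "any number"; the zero case and case-insensitive comparison are assumptions).

```go
package main

import (
	"fmt"
	"strings"
)

// hostMatches reports whether host matches one --host pattern.
// "*" stands for exactly one DNS label; "**" for any number of labels
// (assumed here to include zero). Hypothetical helper, not the CLI's code.
func hostMatches(pattern, host string) bool {
	return labelsMatch(strings.Split(strings.ToLower(pattern), "."),
		strings.Split(strings.ToLower(host), "."))
}

// labelsMatch walks pattern and host label-by-label; "**" tries every
// split point so it can absorb 0..n labels before the rest must match.
func labelsMatch(pat, host []string) bool {
	if len(pat) == 0 {
		return len(host) == 0
	}
	switch pat[0] {
	case "**":
		for i := 0; i <= len(host); i++ {
			if labelsMatch(pat[1:], host[i:]) {
				return true
			}
		}
		return false
	case "*":
		return len(host) > 0 && labelsMatch(pat[1:], host[1:])
	default:
		return len(host) > 0 && pat[0] == host[0] && labelsMatch(pat[1:], host[1:])
	}
}

// anyHostMatches models one secret entry created with repeated --host
// flags: the proxy injects the secret if any configured pattern matches.
func anyHostMatches(patterns []string, host string) bool {
	for _, p := range patterns {
		if hostMatches(p, host) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample entry, as if created with three --host flags.
	patterns := []string{"api.example.com", "*.example.org", "**.internal.test"}
	for _, h := range []string{"api.example.com", "a.example.org", "a.b.example.org", "internal.test", "x.y.internal.test"} {
		fmt.Printf("%-20s injected=%v\n", h, anyHostMatches(patterns, h))
	}
}
```

Note that `*.example.org` does not cover `a.b.example.org`; that needs `**.example.org`, so a reviewer should check that a wildcard is not wider than the set of hosts the secret is meant for.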