Version: sbx v0.28.3 (8d114184e520cf5744502f187faf90342af599e5), macOS 15 (Darwin 25.4.0), Apple Silicon.
Summary
After resuming from sleep, I found all my open sessions killed and asked to login again. After doing so, it was unable to resume anything. sbx run ... returned:
ERROR: failed to create sandbox: create runtime: create runtime: sandboxd error: status 500: failed to create network: Error response from daemon: already exists
sbx diagnose reported every check passing and sbx ls gave me an empty list. Since all of this is incredibly far from my area of expertise, I've asked Claude to diagnose and try to fix the issue, below is what it came up with. I've edited it a little to make it clearer what I've actually done. I can also provide the log files upon request.
.../com.docker.sandboxes-auth/sandboxes-auth/<some-hash>/metadata.json contained the literal four bytes null instead of an account identifier. The associated secretpass was 349 bytes vs. 1815 bytes in the working user-scoped slot.
Timeline (from sandboxd/daemon.log)
- Through 2026-05-11T20:26:12,
GET /runtime returned ~24 KB (7 sandboxes).
- 2026-05-11T20:25:16: a routine
GET /network/log that normally returns in <1 ms took 15.5 s and ended with write unix …/sandboxd.sock: write: broken pipe. At the same instant, seven failed to create SDK client for runtime <name>: health check: context canceled warnings fired — one per sandbox.
- 2026-05-11T20:26:25 onward:
/runtime started returning 401 user is not authenticated to Docker: secret not found.
- ~14-hour gap (overnight suspend).
- 2026-05-12T10:55:59: 401 with a more specific cause:
retrieve default account metadata: store is locked
context deadline exceeded
recovery failed. lock file is not older than 30 seconds
- 2026-05-12T10:56:11: lock condition resolves and
…/metadata/hub/default/metadata.json is rewritten as the literal bytes null. From this point on, /runtime returns HTTP 200 with body [].
- Several
sbx login invocations after this succeeded ("Signed in as ") and refreshed the user-scoped slot, but default/metadata.json was repeatedly rewritten as null.
- After some attempts at recovery (copying some directory that contained the sandboxes into the one that
sbx actually used at that time), eventually I got this message, which then led Claude to discover the actual fix:
WARN: unknown authentication error type encountered: default user account id: invalid identifier: "" must match ^[A-Za-z0-9._:-]+(?:/[A-Za-z0-9._:-]+)*$
Recovery that worked
Trying out a few suggestions, this is was worked in the end. I don't know if all of those steps were necessary.
- Stop sandboxd (
kill <pid from sandboxd.pid>).
- Delete
.posixage.lock under both …/com.docker.sandboxes/sandboxes/ and …/com.docker.sandboxes-auth/sandboxes-auth/.
- Delete the
…/sandboxes-auth/ZG9ja2VyL2F1dGgvbWV0YWRhdGEvaHViL2RlZmF1bHQ=/ directory entirely.
- Run
sbx ls. The daemon respawned, triggered a sign-in, and all seven sandboxes reappeared with state intact.
Version:
sbxv0.28.3 (8d114184e520cf5744502f187faf90342af599e5), macOS 15 (Darwin 25.4.0), Apple Silicon.Summary
After resuming from sleep, I found all my open sessions killed and asked to login again. After doing so, it was unable to resume anything.
sbx run ...returned:sbx diagnosereported every check passing andsbx lsgave me an empty list. Since all of this is incredibly far from my area of expertise, I've asked Claude to diagnose and try to fix the issue, below is what it came up with. I've edited it a little to make it clearer what I've actually done. I can also provide the log files upon request..../com.docker.sandboxes-auth/sandboxes-auth/<some-hash>/metadata.jsoncontained the literal four bytesnullinstead of an account identifier. The associatedsecretpasswas 349 bytes vs. 1815 bytes in the working user-scoped slot.Timeline (from
sandboxd/daemon.log)GET /runtimereturned ~24 KB (7 sandboxes).GET /network/logthat normally returns in <1 ms took 15.5 s and ended withwrite unix …/sandboxd.sock: write: broken pipe. At the same instant, sevenfailed to create SDK client for runtime <name>: health check: context canceledwarnings fired — one per sandbox./runtimestarted returning 401user is not authenticated to Docker: secret not found.…/metadata/hub/default/metadata.jsonis rewritten as the literal bytesnull. From this point on,/runtimereturns HTTP 200 with body[].sbx logininvocations after this succeeded ("Signed in as ") and refreshed the user-scoped slot, butdefault/metadata.jsonwas repeatedly rewritten asnull.sbxactually used at that time), eventually I got this message, which then led Claude to discover the actual fix:Recovery that worked
Trying out a few suggestions, this is was worked in the end. I don't know if all of those steps were necessary.
kill <pid from sandboxd.pid>)..posixage.lockunder both…/com.docker.sandboxes/sandboxes/and…/com.docker.sandboxes-auth/sandboxes-auth/.…/sandboxes-auth/ZG9ja2VyL2F1dGgvbWV0YWRhdGEvaHViL2RlZmF1bHQ=/directory entirely.sbx ls. The daemon respawned, triggered a sign-in, and all seven sandboxes reappeared with state intact.