v0.30.0-rc2

Highlights

This release candidate ships a Linux packaging fix for the sailor micro-VM shim. The previous RC bundled the wrong crate (ffi-krun) into the Linux release artifacts, which broke installs that exercise the sailor codepath on Linux. This RC corrects the packaging to build the intended ffi crate. macOS and Windows artifacts are unaffected.

What's New

Bug Fixes

• Build sailor's ffi crate instead of ffi-krun for packaged Linux release artifacts (#2979)

v0.30.0-rc1

Highlights

This release lands sandbox profiles with multi-policy support (#2904), giving operators reusable governance posture per sandbox and letting policy be configured before login. Workspace and worktree handling is more resilient: sandboxes stay recoverable when their workspace or worktree is removed from the host, and macOS /private paths work correctly with --branch. Networking gains per-sandbox hostname tracking via gVisor SwapStubResolver and binds both loopback stacks by default on publish. The kits experience is more dynamic — startup commands re-run on every container start, installed kits show up in the AI file, and each kit can supply its own progressive-disclosure memory file.

What's New

Governance & Profiles

• Introduce sandbox profiles and multi-policy support (#2904)
• Allow policy setup before login (#2903)

Networking

• Bind both loopback stacks by default on publish (#2830)
• Use gVisor SwapStubResolver for per-sandbox hostname tracking (#2693)

Daemon

• Capture shim/vmm logs into daemon.log (#2873)

Kits

• Re-run commands.startup on every container start (#2842)
• Per-kit memory files for progressive disclosure (#2899)
• Enumerate installed kits in AI file Kits section (#2906)

Bug Fixes

• Keep sandboxes recoverable when workspace or worktree is deleted on host (#2928)
• Add macOS /private path compatibility for worktrees (#2875)
• Skip implicit run options when user provides explicit args (#2880)
• Sanitize runtime ID when looking up gVisor network (#2949)
• Allow raw TCP to host.docker.internal when localhost is allowed (#2929)
• Print "Git repository detected" once when using --branch (#2923)
• Open sentinel connection in cp and kit add to prevent auto-stop race (#2910)
• Remove redundant ContainerKill before ContainerRemove (#2909)
• Report Docker daemon startup time instead of pre-start message (#2854)

Documentation

• Warn agents about worktree path traps with --branch (#2932)

v0.29.0

Highlights

This release brings per-sandbox network policies, giving callers fine-grained control over which domains each sandbox can reach, including an explicit deniedDomains list and allowance for binary TCP protocols like SSH. Sandboxes now carry daemon-assigned UUIDs, enabling reliable identification across restarts and telemetry. Several agent improvements land in this release: Gemini gets SSO browser relay, Codex auth is more robust, and the OpenAI OAuth flow now auto-opens the browser. A round of bug fixes improves daemon robustness on macOS (long-username sun_path overflow), gVisor isolation under --app-name, and database-version handling.

What's New

Networking & Policy

• Support per-sandbox scoped network policies (#2463)
• Add deniedDomains to network kit policy (#2566)
• Allow binary TCP protocols (e.g. SSH) through domain allow rules (#2664)
• Pipe in policykit error handler for better diagnostics (#2537)

Sandboxes

• Add daemon-assigned UUID to sandbox runtimes (#2783)

Agents

• Enable SSO browser relay for Gemini (#2807)
• Auto-open browser during OpenAI OAuth flow (#2548)
• Skip auth.json placeholder for Codex when no host credentials (#2543)
• Expose Claude guidance to Codex sandboxes (#2672)

CLI

• Require confirmation for sbx rm <name> to prevent accidental deletion (#2576)
• Unhide kit command in help output (#2549)

Bug Fixes

• Namespace gVisor socket dir by --app-name so concurrent daemons don't share state (#2896)
• Probe canonical socket path for sun_path budget — fixes krun_start_enter failed for macOS users with long usernames (#2885)
• Check database version before starting the daemon and surface an instructive error instead of crashing (#2882)
• Route gVisor sockets to a persistent, sandboxd-owned location (#2698)
• Delete stranded tracker after failed auto-stop with no active sessions (#2678)
• Clean up DinD volume even when container inspect fails (#2571)
• Apply SANDBOXES_STORAGE_ROOT override to storage config (#2532)
• Report running binary (not first sbx on PATH) in diagnose (#2536)
• Explain how to configure OpenAI credentials in no-creds warning (#2545)
• Allow MCR layer-blob CDN in default-code-and-containers policy (#2719)
• Improve empty state of sbx ls with actionable guidance (#2567)

v0.29.0-rc1

Highlights

This release introduces a major new sandboxd HTTP API with an OpenAPI spec and fully generated client code — CLI and TUI have been migrated to use it, making the daemon the single source of truth for all sandbox operations. Per-sandbox network policies are now supported, giving callers fine-grained control over which domains each sandbox can reach, including an explicit deniedDomains list. Sandboxes now carry daemon-assigned UUIDs, enabling reliable identification across restarts and telemetry. Several agent improvements land in this release: Gemini gets SSO browser relay, Codex auth is more robust, and the OpenAI OAuth flow now auto-opens the browser.

What's New

API & Daemon

• Add OpenAPI spec and generated code for new sandboxd API (#2480)
• Implement daemon endpoints and migrate CLI/TUI to new API (#2519)
• Add daemon-assigned UUID to sandbox runtimes (#2783)

Networking & Policy

• Support per-sandbox scoped network policies (#2463)
• Add deniedDomains to network kit policy (#2566)
• Allow binary TCP protocols (e.g. SSH) through domain allow rules (#2664)
• Pipe in policykit error handler for better diagnostics (#2537)

Agents

• Enable SSO browser relay for Gemini (#2807)
• Auto-open browser during OpenAI OAuth flow (#2548)
• Skip auth.json placeholder for Codex when no host credentials (#2543)
• Expose Claude guidance to Codex sandboxes (#2672)

CLI

• Require confirmation for sbx rm <name> to prevent accidental deletion (#2576)
• Unhide kit command in help output (#2549)

Bug Fixes

• Route gVisor sockets to a persistent, sandboxd-owned location (#2698)
• Delete stranded tracker after failed auto-stop with no active sessions (#2678)
• Clean up DinD volume even when container inspect fails (#2571)
• Apply SANDBOXES_STORAGE_ROOT override to storage config (#2532)
• Report running binary (not first sbx on PATH) in diagnose (#2536)
• Explain how to configure OpenAI credentials in no-creds warning (#2545)
• Allow MCR layer-blob CDN in default-code-and-containers policy (#2719)
• Improve empty state of sbx ls with actionable guidance (#2567)

v0.28.3

Update README.md

v0.28.2

What's New

CLI

• Auto-open browser during login flow

Templates

• Install ssh-add and SSH client tools in the main template

Bug Fixes

• Prefer Codex OAuth over discovered API-key credentials
• Propagate host TTY size when running sbx exec -it
• Reveal trailing characters in masked secrets

v0.28.1

Highlights

A small release that wires custom agent kits through the CLI — discoverable in --help and invocable via --kit — and brings
in-process sandbox run/exec with launch-mode and settings dialogs to the TUI. Two bug fixes round it out: private Docker Hub image pulls work again via --template, and the secrets-masking path is tightened.

What's New

CLI

• Make custom agent kits invocable and surface --kit in help (#2471)
• TUI: in-process sandbox run/exec with launch mode dialog, settings dialog + misc fixes (#2369)

Bug Fixes

• Enable private Docker Hub image pulls via --template (#2316)
• Tighten secrets masking and emphasize set-custom warning (#2411)

v0.28.0

Highlights

This release introduces kits — a first-class way to define and ship sandbox agents and plugins, with community-maintained kits living in sbx-kits-contrib. Alongside that, sbx cp brings host↔container file copying to the CLI, host SSH agent forwarding lets agents use your existing SSH keys, and .worktreeinclude lets you opt specific gitignored files into worktree-backed sandbox branches. 500-level telemetry errors are now classified into specific categories instead of disappearing into unknown. A wave of kit fixes — covering Codex, Copilot, docker-agent, and droid — improves agent reliability across the board.

What's New

CLI

• Add sbx cp command for host-container file copy (#2399)
• Forward host SSH agent into sandboxes (#2398)
• Check for updated templates on create/run (#2405)
• Inform the user that sandboxes are being deleted instead of being reset (#2412)
• Rename secret set-custom --target to --host and improve help text (#2380)
• Hint users to run policy ls before policy rm network (#2331)
• Restore kitty keyboard protocol on TUI suspend/resume (#2314)

Sandboxes & Worktrees

• Support .worktreeinclude for copying gitignored files into sandbox branches (#2406)
• Gracefully signal agents on container stop (#2185)
• Add tini as init process to reap zombie processes, with fallback when missing (#2396, #2416)

Kits & Agents

• Default droid agent to high autonomy (#2410)
• Make Copilot CLI fully work in sandboxes (#2400)
• Use docker-agent-docker template for docker-agent (#2439)
• Pre-create CODEX_HOME directory for Codex (#2459)
• Install optional native dependency for Codex on linux-x64 (#2456)
• Apply initFiles mode when writing files (#2421)
• Scope service discovery to the active agent (#2447)
• Propagate kit ServiceDomains, ServiceAuth, and credential sources to proxy (#2434)
• Close credential discovery gaps between CLI, library, and TUI paths (#2438)

Daemon & Networking

• Classify 500-level server errors into specific telemetry categories (#2440)
• Surface implicit deny baseline in policy ls (#2409)
• Update kaemon-stdlib-go to fix policy scoping issue (#2461)
• Dedupe domains within input in AllowNewNetworkDomains (#2460)
• Update default allow-list to include new Docker Hub domain (#2382)
• Use context deadlines instead of client timeout for HTTP requests (#2391)

Bug Fixes

• Use forward slashes when writing paths inside the container on Windows (#2318)

v0.27.0

Highlights

This release brings Linux TUI support across popular terminal emulators (kitty, wezterm, alacritty, ghostty, and more), governance UX improvements that surface the controlling organization name and remote sync status in both sbx policy ls and the TUI governance tab, and the Factory-ai agent renamed to droid. sbx reset now works reliably when logged out.

What's New

CLI

• Add support for removing template images by image ID in addition to tags (#2370)

Governance

• Surface active organization name and remote sync status in sbx policy ls output and the TUI governance tab (#2343)

Agents

• Rename Factory-ai agent as "droid" (#2378)

TUI

• Add Linux terminal spawning support for kitty, wezterm, alacritty, ghostty, gnome-terminal, konsole, xfce4-terminal, and xterm (#2356)

Bug Fixes

• Fix sbx reset to work when logged out (#2368)
• Fix TUI cursor positioning issues by disabling ONLCR to prevent \r\r\n sequences that caused byte-count drift (#2351)

v0.26.1

Highlights

This release introduces sbx diagnose, a new command for gathering and uploading diagnostic information when troubleshooting sandbox issues. Factory.ai joins the roster of supported agents with a dedicated template. Agents that use OAuth flows now benefit from an xdg-open shim and localhost OAuth callback, enabling browser-based auth redirects to work seamlessly inside sandboxes. Template management is expanded with sbx template save, load, ls, and rm commands, plus a warning when loading a template built for a different agent. The daemon now supports log rotation and improved logging in foreground and debug modes.

On the networking front, Claude's download domains (downloads.claude.ai, claude.com) are now on the default proxy allow list, and domain-allow rules now correctly override implicit CIDR denies for IP literals.

What's New

CLI

• Warn when a template was built for a different agent (#2241)

Daemon

• Add log rotation for daemon logs (#2307)
• Fix daemon logging in foreground and debug modes (#2328)

Templates

• Add sbx template save, load, ls, and rm commands (#2317)

Networking

• Add downloads.claude.ai and claude.com to Claude's proxy allow list (#2336)
• Domain-allow rules now override implicit CIDR deny for IP address literals (#2329)
• Add **.hashicorp.com to the default allow list (#2291)

Diagnose

• Add sbx diagnose command for collecting and uploading diagnostic data (#2332)

Agents

• Add support for Factory.ai (#2249)
• Add xdg-open shim and localhost callback to support OAuth redirects inside sandboxes (#2260)

Bug Fixes

• Fix stopped sandbox disappearing from list when a prefix-named sandbox is running (#2313)
• Fix new session being killed by an in-progress auto-stop (#2278)
• Fix exec "command not found" detection from stdout and stderr (#2300)
• Fix Ghostty launch on macOS to use file-based launch (#2296)
• Detect terminal background color instead of system appearance (#2299)
• Improve accuracy and detail of policy denial log messages (#2281)