--name now identifies a sandbox independently of the working directory.
Expanded the reconnecting and naming section to cover: re-attaching by
name from any directory, re-running a create command to reconnect without
error, and using distinct names to run multiple sandboxes against the
same workspace.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
sbx secret set-custom --host is now repeatable, so one secret entry can
cover multiple domains. Added a second example showing the multi-host
form and updated the prose to reflect that the proxy matches any of the
configured hosts.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Audit records now include an `agent` field identifying which AI agent
drove the sandbox (claude, codex, etc.), so multi-agent deployments can
attribute policy decisions per agent. Added to the example record and the
field reference table.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Sandbox DNS lookups now go through the same policy engine as TCP
connections — a denied domain is refused at the resolver level, not just
the connection level. Updated the network isolation description to reflect
this guarantee rather than describing DNS as merely proxied.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
The OpenAI-compatible provider examples nested model settings under a
`provider:` key directly on the agent, which is not a valid field and
fails with `unknown field "provider"`. Define a named model in the
`models` section instead and reference it from the agent.
Fixesdocker/docker-agent#3121
Add a Changelog section at the top of the kit spec reference noting the
v0.32.0 field renames (memory -> agentContext, kind: agent -> kind:
sandbox, agent: block -> sandbox: block), which are deprecated aliases
that sbx kit validate warns on.
Also fix the per-kit directory name: v0.32.0 renamed kits-memory/ to
kits-agent-context/ (with automatic migration), which the docs had not
been updated to reflect.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Rename the spec.yaml agent: block to sandbox: and its field paths
(agent.image, agent.aiFilename, agent.entrypoint) to sandbox.*. Update
the "Agent block" reference heading and its #agent-block anchor to
"Sandbox block"/#sandbox-block, repoint cross-links, and rename the
tutorial's "Write the agent block" section.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Rename the spec.yaml kind: agent value to kind: sandbox and the "agent
kit" concept to "sandbox kit" across the overview, spec reference,
examples, index, and FAQ. Update the "Agent kits" heading and its
#agent-kits anchor to "Sandbox kits"/#sandbox-kits, and repoint inbound
links. The agent: block and the build-an-agent.md tutorial keep their
existing names.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Rename the spec.yaml memory: field to agentContext: across the spec
reference, overview, and tutorial, and update the section heading,
anchor, and cross-links. The memory file artifact and kits-memory/
directory keep their names.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The agent.persistence field was removed from kits, so drop it from the
spec reference, the agent block examples, and the build-an-agent tutorial.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The links pointed to #defining-an-agent, but the heading "Define an
agent" slugifies to #define-an-agent.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Move the spec.yaml field reference out of the Kits overview page into a
new Kit spec reference page, keeping the overview focused on concepts and
usage. Rewire cross-page links accordingly.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
<!--Delete sections as needed -->
## Description
Updated intro and the section for find.
The Helm docs link is removed as users on this page are expected to know
what a Helm chart is, and "Docker-provided" immediately before it makes
the link misleading. The Find section is no longer needed as the catalog
can be linked directly and viewed without signing in.
Preview:
https://deploy-preview-25334--docsdocker.netlify.app/dhi/how-to/helm/
## Related issues or tickets
https://docker.slack.com/archives/C04300R4G5U/p1781196686143879
## Reviews
<!-- Notes for reviewers here -->
<!-- List applicable reviews (optionally @tag reviewers) -->
- [ ] Editorial review
Signed-off-by: Craig Osterhout <craig.osterhout@docker.com>
<!--Delete sections as needed -->
## Description
Refreshed Node.js guide
- Updated all examples to DHI. DHI Community is now free so the DOI
fallback is no longer needed.
- Replaced the git clone pattern with the file scaffolding component.
- Simplified the sample app to a Node.js backend API. Added links at the
start of the guide to dedicated frontend framework guides.
- Added "Secure your Node.js image supply chain" topic to showcase DHI.
- Refreshed topic intros and related links.
https://deploy-preview-25319--docsdocker.netlify.app/guides/nodejs/
## Related issues or tickets
ENGDOCS-3319
Closes#25280
## Reviews
<!-- Notes for reviewers here -->
<!-- List applicable reviews (optionally @tag reviewers) -->
- [ ] Technical review
- [ ] Editorial review
- [ ] Product review
Signed-off-by: Craig Osterhout <craig.osterhout@docker.com>
Three small fixes in the guides.
- `guides/localstack`: the prose says `S3_ENDPOINT_URL` is
`http://localhost:4556`, but LocalStack's edge port is `4566`, and the
guide's own `.env` block later uses `4566`.
- `guides/pgadmin`: the top-level Compose key for the pgpass file is
`configs`, not `config`. As written the compose file is invalid.
- `guides/bun/deploy`: the "Turn on Kubernetes" link has a doubled slash
(`/manuals//desktop/...`).
Signed-off-by: Emmanuel Yusufu Kimaswa <kimaswaemma36@gmail.com>
The `/docker-entrypoint-initaws.d` directory was removed in LocalStack
2.0. Updates the Compose snippet to mount the current `ready.d` init
hook directory and adds a short tip pointing to the LocalStack init
hooks reference. Also drops a stray trailing quote that made the
previous mount path invalid.
Closes#22640
## Description
The prerequisites section for deactivating a Docker account contained a
broken bullet:
> Unlink your [GitHub and account](...)
\"GitHub and account\" is not grammatical. The linked page covers
unlinking both GitHub and Bitbucket accounts (for the deprecated
automated builds feature), but only GitHub was mentioned.
This fix:
- Rewrites the bullet to be grammatically correct
- Clarifies it only applies to users who linked accounts for automated
builds
- Adds a link for Bitbucket alongside GitHub
## Related issues or tickets
Fixes#25128
## Reviews
- [ ] Technical review
- [ ] Editorial review
Align the experimental flag badges in the Docker CLI layout with the
violet color used by the sbx-cli layout, so experimental indicators are
consistent across both reference templates.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The sbx-cli layout had no handling for the experimental: true field
present in many data/sbx_cli/*.yaml files. Add visual indicators
matching the Docker CLI layout:
- Command-level (experimental: true at YAML root): magenta callout
block below the summary table
- Flag-level (experimental: true on an option): violet badge before
the flag description in Options and Global options tables
- Subcommands table: violet badge alongside the synopsis for
experimental child commands
The title heading stays plain, consistent with cli.html, which signals
experimental status only through the command-level callout.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Reorder the Docker registry section so it opens with the fact that
Docker Hub needs no registry credentials (sbx reuses your sbx login
session), then covers configuring credentials for other registries.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The Shell page had "Default startup command" as an h3 with no parent h2,
skipping a heading level. Promote it to h2 so it sits alongside "Base
image", consistent with the other agent pages.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
"The templates ... already includes uv" -> "include"; spell out "etc"
as "and so on".
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
"seamless" is on the repo's banned hedge-word list. State plainly that a
Docker account authenticates the requests.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Clone-mode sandboxes enable virtiofs caching automatically as of v0.32.0,
so note that the DOCKER_SANDBOXES_ENABLE_VIRTIOFS_CACHE tuning is only
relevant for direct-mode workspaces.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Compose, Engine, Desktop, and Docker Agent pages live on docs.docker.com,
so link to them with source-relative /manuals/ paths instead of absolute
https://docs.docker.com URLs. This matches the dominant convention in the
repo and lets Hugo resolve and link-check the references.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
commands.startup[].background now keeps a service alive and replays on
every container start (sbx-releases #2842, shipped in v0.30.0), so the
nohup/& shell workaround is no longer required. Lead the background
service example with background: true, drop the stale claim that the
field alone leaves the service attached to an exiting shell, and remove
the resolved follow-up TODO comment. Update the generic startup example
in the kits reference to match.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The --branch flag was removed in sbx v0.31.0 in favor of --clone. Drop
the troubleshooting section about stale host worktrees (clone mode keeps
no host-side worktree, so the scenario can no longer occur) and update
the architecture lifecycle note to describe clone-mode cleanup, which
removes the sandbox-<name> Git remote on sbx rm.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Two pages linked to usage.md#signed-commits, an anchor that does not
exist. The commit-signing content lives in workflows.md under the
"Commit signing" heading. Point both links there.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Note in AGENTS.md and the PR review workflow that
content/reference/api/ai-governance/api.yaml is a verbatim copy of the
upstream OpenAPI spec, vendored from the private docker/governor-services
repo via hack/sync-governance-api.sh, and should not be hand-edited.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Signed-off-by: David Karlsson <35727626+dvdksn@users.noreply.github.com>
Sync the AI Governance Policy API reference with the upstream spec from
docker/governor-services. Renames the shared 403 response component from
PermissionDenied to Forbidden across the policy/rule endpoints, and adds a
limit_exceeded error code covering org policy and per-policy rule maximums.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Signed-off-by: David Karlsson <35727626+dvdksn@users.noreply.github.com>
Add hack/sync-governance-api.sh to re-vendor the AI Governance Policy API
spec from the private docker/governor-services repo. The vendored copy at
content/reference/api/ai-governance/api.yaml is a verbatim copy of upstream,
so the script fetches it via gh (using the caller's own auth, no repo
secrets) and prints a diff summary for review. Mirrors the existing
hack/sync-cli-docs.sh convention.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Signed-off-by: David Karlsson <35727626+dvdksn@users.noreply.github.com>
## Summary
`sbx` now prompts you to authenticate to Codex on the host before
launching the sandbox when no OpenAI credential is stored. Updated the
Codex agent page and the credentials best practices to describe this
flow, and reordered the Codex auth methods so OAuth (the host-side
prompted flow) leads.
Generated by Claude Code
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
David Karlsson