Docker SBX v0.31.0: Clone Mode Replaces Branch Flag

TL;DR

• --branch flag removed; use --clone for in-container read-only clones instead
• Sandbox clones now exposed as sandbox-<name> Git remotes on your host
• Breaking change: existing workflows using --branch will fail immediately

New

• Clone mode (--clone) — replaces branch worktrees with in-container read-only clones; source repo mounted read-only, agent writes only to sandbox filesystem, refs mirrored to refs/sandboxes/<name>/* on host
• Auto-start daemon — sbx create now starts the daemon automatically if not running
• virtiofs caching opt-in — enable at create time with DOCKER_SANDBOXES_ENABLE_VIRTIOFS_CACHE=1 (persisted in spec)
• Policy and rule names in CLI — list output and TUI details now show policy/rule identifiers with added filtering
• Public CA endpoints in balanced proxy — CRL/OCSP/AIA endpoints now allowed (applies to new installs or after sbx policy reset)
• Experimental kit marking — kits now flagged as experimental with verbose error reporting on apply failures

Fixed

• Template listing now sorted by repository then tag
• ExecResize retried to keep agent TUI in sync
• TERM=xterm-256color set when exec'ing with -t
• State directory symlink moved from /tmp to ~/.sbx/run/
• storageRootsGone no longer locks storagekit singleton
• Cursor session bootstrap now proxy-local
• IPv6 loopback added to NO_PROXY with bracketed notation [::1]
• Proxy CA NotBefore backdated to match goproxy leaf cert window

Breaking Changes

• --branch flag removed entirely — replace with --clone in all scripts and workflows. Running sbx run claude --branch foo now errors immediately
• sbx logout now stops the daemon and running sandboxes (previously only logged out)

Update with: docker sbx update or download from GitHub releases.

Source: Docker