sandboxes: document --clone and consolidate workspace isolation#25140
sandboxes: document --clone and consolidate workspace isolation#25140ndeloof wants to merge 10 commits into
Conversation
✅ Deploy Preview for docsdocker ready!
To edit notification comments on pull requests, go to your Netlify project configuration. |
docker-agent
left a comment
docker-agent
left a comment
There was a problem hiding this comment.
Assessment: 🟢 APPROVE
The PR cleanly documents the --clone mode for Docker Sandboxes, replacing the previous --branch/worktree approach. The changes across all four files are technically accurate, internally consistent, and well-structured.
What was reviewed:
security/_index.md— 4-layer → 5-layer model (source-repository added)security/isolation.md— New "Source-repository isolation" section with diagramsecurity/workspace.md— Branch mode stub → Clone mode (security boundary)usage.md— Clone mode rewrite, propagated remotes, cleanup warning
No high or medium issues found. Commands, flags (--clone), front matter fields, and cross-references all appear correct. The cleanup > [!WARNING] callout for sbx rm dropping uncommitted in-container commits is accurate and appropriately prominent.
dvdksn
changed the title
dvdksn
force-pushed
the
ndeloof/sandboxes-clone-docs
branch
from
1bf6ab6 to
e926b52
Compare
| ```plaintext | ||
| Host repository Sandbox VM | ||
| .git/ (untouched) private clone (RW, in VM) | ||
| working tree (untouched) ↑ agent edits here | ||
| │ | ||
| /run/sandbox/source (RO bind mount) ←──────┘ | ||
| (read-only view of your repo) | ||
|
|
||
| remote sandbox-<name> ──── git fetch ───► git-daemon (inside VM) | ||
| ``` |
There was a problem hiding this comment.
I don't know what claude was thinking with this diagram but I guess I'll open inkscape and try to create something legible to replace this.
There was a problem hiding this comment.
Do we have support for mermaid on docker/docs ?
There was a problem hiding this comment.
I don't think so atm, but simple to add 👍
There was a problem hiding this comment.
I'll add it in a separate PR
There was a problem hiding this comment.
if you lgtm this one and rebase we can add a mermaid diagram here: #25178
… isolation Replaces the `--branch[=NAME]` documentation with `--clone` (boolean) on both `sbx create` and `sbx run`, matching the CLI rename in docker/sandboxes#3055. Clone mode is now strictly about running the agent on a private in-container `git clone --reference` of the host repository; no host-side branch is created on the user's behalf — the user instructs the agent to `git checkout -b ...` inside the sandbox if a dedicated working branch is needed. Key documentation changes: - usage.md: "Branch mode" section is renamed to "Clone mode" and rewritten end-to-end. Drops the `.sbx/<name>-worktrees/...` directory mention (no longer created), the host-side branch creation/checkout step, the `--branch=auto` flow, and the legacy "Multiple branches per sandbox" section. Adds: * an explicit note that clone mode is fixed at create time; * the forge-remote propagation behaviour (origin/upstream propagated from host into the in-container clone, local-path remotes skipped); * a Cleanup warning about lost in-container commits when running `sbx rm` (mirrors the runtime warning). - security/isolation.md: adds the "Source-repository isolation" section introduced in docker#25007. Same content, but uses `--clone` and "clone mode" terminology throughout, plus a clarifying note that `sbx rm` warns before dropping unfetched/unpushed commits. - security/workspace.md: the existing "Branch mode" stub (claiming the old `--branch` was a "workflow convenience, not a security boundary") is replaced with a "Clone mode" section that explicitly calls out the isolation guarantee — clone mode IS a security boundary, the host's `.git` cannot be touched. - security/_index.md: source-repository isolation is added to the five-layer model (was four). Wording aligned with isolation.md. Migration: callers that scripted `sbx create --branch=feature/x` now pass `--clone` and tell the agent to create the branch. This PR is an alternative to docker#25007, written against the post-rename CLI. Signed-off-by: Nicolas De loof <nicolas.deloof@gmail.com>
…e isolation - Move boundary description for both direct and clone modes onto the isolation page; snip the separate workspace trust page. - Rewrite the usage.md Clone mode section workflow-first: mental model, setup, reviewing/merging via the sandbox-<name> remote, pushing to forge remotes propagated from the host, parallel branches inside one sandbox, daemon lifecycle and ephemeral port, cleanup, restrictions. - Drop the --workspace-volume restriction (hidden, non-functional flag). - Restore the user-created worktree caveat. - Update cross-references that pointed at workspace.md.
- Name both mounting modes upfront in the isolation page intro instead of teasing "two ways" and burying the detail in subsections. - Reword "a sandbox mounts it one of two ways" to put the user in control of the choice. - Soften "bind-mount" terminology — the workspace is shared into a VM, not a container. - Reframe the multiple-branches and pushing-to-fork sections around prompting and agent orchestration patterns instead of manual sbx exec invocations. The agent (or the agent setup) should be driving Git inside the sandbox, not the user via a shell.
Replace the ASCII clone-mode diagram with a mermaid flowchart, per review feedback. Relies on the mermaid codeblock render hook from docker#25178. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
dvdksn
force-pushed
the
ndeloof/sandboxes-clone-docs
branch
from
f092685 to
8c175f7
Compare
The ASCII diagram modeled the agent as an "Agent container" managed by a single host-level "Sandbox Docker engine". That is wrong: each sandbox is a microVM running its own Docker Engine, and the agent runs as root inside the VM alongside that engine — it drives the engine to create containers, it is not a container itself. Redraw as a mermaid flowchart with one engine per sandbox VM, the agent as a sibling of the engine, and the containers it creates nested in the engine. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Show a single sandbox VM instead of two, drop the incorrect "runs as root" label (the agent is a non-root sudo user, per the hypervisor section), and tint the Host system box with a distinct background. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
ndeloof
force-pushed
the
ndeloof/sandboxes-clone-docs
branch
from
e26b0ea to
31f9a47
Compare
Wrap the "treat sandbox-modified files like a PR from an untrusted contributor" advisory in a [!WARNING] callout, matching the layout used for the other security advisories in these docs (policy.md, credentials.md). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
ndeloof
requested review from
aevesdocker,
Copilot and
dvdksn
and removed request for
dvdksn
There was a problem hiding this comment.
Pull request overview
Note
Copilot was unable to run its full agentic suite in this review.
Documentation update replacing the previous --branch (worktree-based) Git workflow with a new --clone mode for Docker Sandboxes, where agents work on a private in-VM Git clone that's exposed as a remote on the host. Also consolidates the standalone "Workspace trust" page into a new "Workspace isolation" section within the existing isolation layers doc.
Changes:
- Replaces
--branch/branch mode documentation with--clone/clone mode across usage, security, and getting-started pages. - Adds a new "Workspace isolation" layer (now five layers total) to the isolation doc and deletes the separate
workspace.mdpage, updating all cross-references. - Adds a Claude Code "Agents view" section illustrating the parallel subagents + clone mode workflow.
Reviewed changes
Copilot reviewed 8 out of 8 changed files in this pull request and generated 5 comments.
Show a summary per file
| File | Description |
|---|---|
| content/manuals/ai/sandboxes/usage.md | Rewrites Git workflow section: removes branch mode, adds clone mode with fetch/push/parallel-branch workflows and restrictions. |
| content/manuals/ai/sandboxes/security/workspace.md | Deletes the standalone Workspace trust page (content folded into isolation.md). |
| content/manuals/ai/sandboxes/security/isolation.md | Adds Workspace isolation layer (direct vs clone), Mermaid diagrams, and enforcement details. |
| content/manuals/ai/sandboxes/security/defaults.md | Updates link from workspace.md to the new isolation anchor. |
| content/manuals/ai/sandboxes/security/_index.md | Updates security overview to mention five layers, clone mode, and removes Workspace trust link. |
| content/manuals/ai/sandboxes/get-started.md | Replaces Workspace trust link with Workspace isolation reference. |
| content/manuals/ai/sandboxes/agents/claude-code.md | Adds Agents view section combining subagents with clone mode. |
| content/manuals/ai/sandboxes/_index.md | Removes "workspace trust" from security blurb. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| See [Workspace isolation](security/isolation.md#workspace-isolation) for the | ||
| security model behind each mode. |
| subgraph host["Host repository (untouched)"] | ||
| direction TB | ||
| repo[".git/ + working tree"] | ||
| remote["remote sandbox-<name>"] |
| - **Workspace isolation:** with `--clone`, the agent works on a private | ||
| in-VM clone and your repository is mounted read-only. In direct mode | ||
| (default), the agent edits your working tree directly — no boundary | ||
| applies. |
| This invocation replaces the | ||
| [default startup command](#default-startup-command), so it doesn't | ||
| include `--dangerously-skip-permissions` and you can't switch to | ||
| bypass-permissions mode inside the sandbox. Either pass the flag too: |
| to work on a dedicated branch, instruct it (or open a shell with `sbx exec` | ||
| yourself) to run `git checkout -b my-feature` inside the sandbox before it | ||
| starts editing. |
docker-agent
left a comment
docker-agent
left a comment
There was a problem hiding this comment.
Assessment: 🟡 NEEDS ATTENTION
1 high-severity issue (missing redirect) and 2 medium-severity style violations found in the added lines.
| @@ -1,13 +1,14 @@ | |||
| --- | |||
There was a problem hiding this comment.
[HIGH] Missing redirect alias for deleted workspace.md page — will cause 404
security/workspace.md is deleted in this PR but no aliases: entry was added to isolation.md (or any other page) to redirect the old URL.
The old URL /manuals/ai/sandboxes/security/workspace/ will return a 404 after merging. Any existing bookmarks, external links, or search engine results pointing to that page will break.
Fix: Add an aliases: entry to the front matter of isolation.md (or whichever page absorbs the content):
---
title: Isolation layers
weight: 10
aliases:
- /manuals/ai/sandboxes/security/workspace/
description: ...| any modified code. Note that Git hooks live inside `.git/` and do not appear in | ||
| `git diff` output. Check them separately. | ||
| See [Workspace trust](workspace/). | ||
| **Workspace changes are live on your host in direct mode.** With the default |
There was a problem hiding this comment.
[MEDIUM] Bold used for emphasis, not for UI elements — violates Docker style guide
The two bold sentence-starters here (**Workspace changes are live on your host in direct mode.** and **Default allowed domains include broad wildcards.**) use bold for emphasis, not to label UI elements.
Docker's STYLE.md is explicit: "Use bold only for UI elements (buttons, menus, field labels). Never use bold for emphasis, product names, or feature names."
Fix: Remove the bold and rely on sentence structure for emphasis, or promote these to ### subheadings if the content warrants it:
Workspace changes are live on your host in direct mode. With the default
direct mount...| actions — committing, pushing, building, or opening the project in an IDE. | ||
| Review them after any agent session before performing those actions: | ||
|
|
||
| - **Git hooks** (`.git/hooks/`) run on commit, push, and other Git actions. |
There was a problem hiding this comment.
[MEDIUM] Bold used for technical terms in list items — violates Docker style guide
The list items here use the **Term** description pattern (e.g., **Git hooks**, **CI configuration**, **Build files**, **IDE configuration**) with bold for technical term emphasis, not for UI element names.
Docker's STYLE.md explicitly calls out this pattern as bad practice:
- "Don't use 'Bold: format' for subsection labels"
- "Avoid marketing-style list formatting: Don't use 'Term - Description' format"
- "Use bold only for UI elements"
In-line bold is also used for **do not appear in \git diff` output**`, which is emphasis, not a UI label.
Fix: Remove the bold and use plain text for the terms:
- Git hooks (`.git/hooks/`) run on commit, push, and other Git actions.
These are inside `.git/` and do not appear in `git diff` output —
check them separately with `ls -la .git/hooks/`.
- CI configuration (`.github/workflows/`, `.gitlab-ci.yml`) runs on push.
|
The cleanup WARNING under Sandbox lifecycle and the Git remote in The section should also surface the recovery path: |
|
⏱️ PR Review Timed Out — The review agent hit the 1800 s time limit before completing. This usually happens on large or complex diffs. You can re-trigger with |
Summary
Alternative to #25007 — written against the post-rename CLI (
--branch[=NAME]→--clone, boolean) from docker/sandboxes#3055.Replaces the entire "Branch mode" documentation with "Clone mode":
--cloneinstead of--branch=NAME/--branch=autogit checkout -b ...inside the sandbox.sbx/<name>-worktrees/...directory (clone lives on the container's overlay filesystem)git push originagainst the user's fork as on the hostKeeps the security framing from #25007:
security/isolation.md(same diagram and guarantees, terminology updated)security/workspace.mdcalls out that this IS a security boundary, not just a workflow conveniencesecurity/_index.md(adds source-repository)Adds a Cleanup warning in usage.md —
sbx rmdrops in-container commits that haven't been fetched (git fetch sandbox-<name>) or pushed; the CLI surfaces a runtime warning before deletion.Files changed
usage.md.sbx/worktree section, add propagated remotes, add cleanup warningsecurity/isolation.mdsecurity/workspace.mdsecurity/_index.mdTest plan
#clone-modeand#source-repository-isolationresolvevalepasses (verified locally — zero errors in changed files)--branchreferences on the sandbox pagesMigration note
Callers that scripted
sbx create --branch=feature/xnow pass--cloneand instruct the agent to create the branch (e.g. viagit checkout -b feature/x).🤖 Generated with Claude Code