sandboxes: document --clone and consolidate workspace isolation#25140
Open
ndeloof wants to merge 6 commits into
Open
sandboxes: document --clone and consolidate workspace isolation#25140ndeloof wants to merge 6 commits into
ndeloof wants to merge 6 commits into
Conversation
✅ Deploy Preview for docsdocker ready!
To edit notification comments on pull requests, go to your Netlify project configuration. |
docker-agent
left a comment
docker-agent
left a comment
There was a problem hiding this comment.
Assessment: 🟢 APPROVE
The PR cleanly documents the --clone mode for Docker Sandboxes, replacing the previous --branch/worktree approach. The changes across all four files are technically accurate, internally consistent, and well-structured.
What was reviewed:
security/_index.md— 4-layer → 5-layer model (source-repository added)security/isolation.md— New "Source-repository isolation" section with diagramsecurity/workspace.md— Branch mode stub → Clone mode (security boundary)usage.md— Clone mode rewrite, propagated remotes, cleanup warning
No high or medium issues found. Commands, flags (--clone), front matter fields, and cross-references all appear correct. The cleanup > [!WARNING] callout for sbx rm dropping uncommitted in-container commits is accurate and appropriately prominent.
dvdksn
changed the title
… isolation Replaces the `--branch[=NAME]` documentation with `--clone` (boolean) on both `sbx create` and `sbx run`, matching the CLI rename in docker/sandboxes#3055. Clone mode is now strictly about running the agent on a private in-container `git clone --reference` of the host repository; no host-side branch is created on the user's behalf — the user instructs the agent to `git checkout -b ...` inside the sandbox if a dedicated working branch is needed. Key documentation changes: - usage.md: "Branch mode" section is renamed to "Clone mode" and rewritten end-to-end. Drops the `.sbx/<name>-worktrees/...` directory mention (no longer created), the host-side branch creation/checkout step, the `--branch=auto` flow, and the legacy "Multiple branches per sandbox" section. Adds: * an explicit note that clone mode is fixed at create time; * the forge-remote propagation behaviour (origin/upstream propagated from host into the in-container clone, local-path remotes skipped); * a Cleanup warning about lost in-container commits when running `sbx rm` (mirrors the runtime warning). - security/isolation.md: adds the "Source-repository isolation" section introduced in docker#25007. Same content, but uses `--clone` and "clone mode" terminology throughout, plus a clarifying note that `sbx rm` warns before dropping unfetched/unpushed commits. - security/workspace.md: the existing "Branch mode" stub (claiming the old `--branch` was a "workflow convenience, not a security boundary") is replaced with a "Clone mode" section that explicitly calls out the isolation guarantee — clone mode IS a security boundary, the host's `.git` cannot be touched. - security/_index.md: source-repository isolation is added to the five-layer model (was four). Wording aligned with isolation.md. Migration: callers that scripted `sbx create --branch=feature/x` now pass `--clone` and tell the agent to create the branch. This PR is an alternative to docker#25007, written against the post-rename CLI. Signed-off-by: Nicolas De loof <nicolas.deloof@gmail.com>
…e isolation - Move boundary description for both direct and clone modes onto the isolation page; snip the separate workspace trust page. - Rewrite the usage.md Clone mode section workflow-first: mental model, setup, reviewing/merging via the sandbox-<name> remote, pushing to forge remotes propagated from the host, parallel branches inside one sandbox, daemon lifecycle and ephemeral port, cleanup, restrictions. - Drop the --workspace-volume restriction (hidden, non-functional flag). - Restore the user-created worktree caveat. - Update cross-references that pointed at workspace.md.
- Name both mounting modes upfront in the isolation page intro instead of teasing "two ways" and burying the detail in subsections. - Reword "a sandbox mounts it one of two ways" to put the user in control of the choice. - Soften "bind-mount" terminology — the workspace is shared into a VM, not a container. - Reframe the multiple-branches and pushing-to-fork sections around prompting and agent orchestration patterns instead of manual sbx exec invocations. The agent (or the agent setup) should be driving Git inside the sandbox, not the user via a shell.
dvdksn
force-pushed
the
ndeloof/sandboxes-clone-docs
branch
from
1bf6ab6 to
e926b52
Compare
dvdksn
reviewed
May 26, 2026
Comment on lines
+132
to
+141
| ```plaintext | ||
| Host repository Sandbox VM | ||
| .git/ (untouched) private clone (RW, in VM) | ||
| working tree (untouched) ↑ agent edits here | ||
| │ | ||
| /run/sandbox/source (RO bind mount) ←──────┘ | ||
| (read-only view of your repo) | ||
|
|
||
| remote sandbox-<name> ──── git fetch ───► git-daemon (inside VM) | ||
| ``` |
Contributor
There was a problem hiding this comment.
I don't know what claude was thinking with this diagram but I guess I'll open inkscape and try to create something legible to replace this.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Alternative to #25007 — written against the post-rename CLI (
--branch[=NAME]→--clone, boolean) from docker/sandboxes#3055.Replaces the entire "Branch mode" documentation with "Clone mode":
--cloneinstead of--branch=NAME/--branch=autogit checkout -b ...inside the sandbox.sbx/<name>-worktrees/...directory (clone lives on the container's overlay filesystem)git push originagainst the user's fork as on the hostKeeps the security framing from #25007:
security/isolation.md(same diagram and guarantees, terminology updated)security/workspace.mdcalls out that this IS a security boundary, not just a workflow conveniencesecurity/_index.md(adds source-repository)Adds a Cleanup warning in usage.md —
sbx rmdrops in-container commits that haven't been fetched (git fetch sandbox-<name>) or pushed; the CLI surfaces a runtime warning before deletion.Files changed
usage.md.sbx/worktree section, add propagated remotes, add cleanup warningsecurity/isolation.mdsecurity/workspace.mdsecurity/_index.mdTest plan
#clone-modeand#source-repository-isolationresolvevalepasses (verified locally — zero errors in changed files)--branchreferences on the sandbox pagesMigration note
Callers that scripted
sbx create --branch=feature/xnow pass--cloneand instruct the agent to create the branch (e.g. viagit checkout -b feature/x).🤖 Generated with Claude Code