sandboxes: document branch-mode in-container clone and source-repo isolation #25007
Closed
ndeloof wants to merge 1 commit into
docker-agent
reviewed
May 8, 2026
docker-agent
left a comment
Assessment: 🟢 APPROVE
The documentation changes are well-written and follow Docker's style guidelines. The branch-mode section rewrite, source-repository isolation explanation, and security model updates are clear, accurate, and appropriately scoped.
17a22ac to
5c7b0f7
docker-agent
left a comment
Assessment: 🟢 APPROVE
The PR is well-structured and clearly documents the branch-mode in-container clone and source-repository isolation. Content is accurate and the technical explanations are thorough. A few minor style guide violations in the added content.
…olation

Update the branch-mode workflow to reflect the move from on-host worktrees to an in-container clone exposed over git-daemon, and add a new source-repository isolation layer to the security model. Highlights the strong guarantee that an unconstrained agent cannot corrupt the host's .git directory or working tree, since the source mount is read-only and the agent operates on a private clone with its own index, refs, and working tree.

Tracks docker/sandboxes#2477.
5c7b0f7 to
6b0aed9
dvdksn
pushed a commit
to ndeloof/docker.github.io
that referenced
this pull request
May 26, 2026
… isolation

Replaces the `--branch[=NAME]` documentation with `--clone` (boolean) on both `sbx create` and `sbx run`, matching the CLI rename in docker/sandboxes#3055. Clone mode is now strictly about running the agent on a private in-container `git clone --reference` of the host repository; no host-side branch is created on the user's behalf — the user instructs the agent to `git checkout -b ...` inside the sandbox if a dedicated working branch is needed.

Key documentation changes:

- usage.md: "Branch mode" section is renamed to "Clone mode" and rewritten end-to-end. Drops the `.sbx/<name>-worktrees/...` directory mention (no longer created), the host-side branch creation/checkout step, the `--branch=auto` flow, and the legacy "Multiple branches per sandbox" section. Adds:
  * an explicit note that clone mode is fixed at create time;
  * the forge-remote propagation behaviour (origin/upstream propagated from host into the in-container clone, local-path remotes skipped);
  * a Cleanup warning about lost in-container commits when running `sbx rm` (mirrors the runtime warning).
- security/isolation.md: adds the "Source-repository isolation" section introduced in docker#25007. Same content, but uses `--clone` and "clone mode" terminology throughout, plus a clarifying note that `sbx rm` warns before dropping unfetched/unpushed commits.
- security/workspace.md: the existing "Branch mode" stub (claiming the old `--branch` was a "workflow convenience, not a security boundary") is replaced with a "Clone mode" section that explicitly calls out the isolation guarantee — clone mode IS a security boundary, the host's `.git` cannot be touched.
- security/_index.md: source-repository isolation is added to the five-layer model (was four). Wording aligned with isolation.md.

Migration: callers that scripted `sbx create --branch=feature/x` now pass `--clone` and tell the agent to create the branch.

This PR is an alternative to docker#25007, written against the post-rename CLI.
Signed-off-by: Nicolas De loof <nicolas.deloof@gmail.com>
dvdksn
pushed a commit
to ndeloof/docker.github.io
that referenced
this pull request
May 27, 2026
dvdksn
added a commit
that referenced
this pull request
May 28, 2026
## Summary

Alternative to #25007 — written against the post-rename CLI (`--branch[=NAME]` → `--clone`, boolean) from docker/sandboxes#3055.

Replaces the entire "Branch mode" documentation with "Clone mode":

- `--clone` instead of `--branch=NAME` / `--branch=auto`
- No more host-side branch creation: the user/agent decides whether to `git checkout -b ...` inside the sandbox
- No more `.sbx/<name>-worktrees/...` directory (clone lives on the container's overlay filesystem)
- Clone mode is fixed at create time (no run-time branch switching)
- Forge remotes (origin, upstream, …) are propagated from host into the in-container clone so the agent can `git push origin` against the user's fork as on the host

Keeps the security framing from #25007:

- Source-repository isolation section in `security/isolation.md` (same diagram and guarantees, terminology updated)
- "Clone mode" section in `security/workspace.md` calls out that this IS a security boundary, not just a workflow convenience
- Five-layer model in `security/_index.md` (adds source-repository)

Adds a Cleanup warning in usage.md — `sbx rm` drops in-container commits that haven't been fetched (`git fetch sandbox-<name>`) or pushed; the CLI surfaces a runtime warning before deletion.

## Files changed

| File | Change |
|------|--------|
| `usage.md` | Branch mode → Clone mode (rewrite), drop `.sbx/` worktree section, add propagated remotes, add cleanup warning |
| `security/isolation.md` | Add Source-repository isolation section |
| `security/workspace.md` | Branch mode stub → Clone mode (boundary) |
| `security/_index.md` | 4-layer model → 5-layer (source-repository) |

## Test plan

- [ ] Deploy preview renders the updated Git workflow section
- [ ] Anchors `#clone-mode` and `#source-repository-isolation` resolve
- [ ] `vale` passes (verified locally — zero errors in changed files)
- [ ] No remaining `--branch` references on the sandbox pages

## Migration note

Callers that scripted `sbx create --branch=feature/x` now pass `--clone` and instruct the agent to create the branch (e.g. via `git checkout -b feature/x`).

🤖 Generated with [Claude Code](https://claude.com/claude-code)

---------

Signed-off-by: Nicolas De loof <nicolas.deloof@gmail.com>
Co-authored-by: David Karlsson <35727626+dvdksn@users.noreply.github.com>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Summary
Documents the branch-mode rework introduced in docker/sandboxes#2477, which replaces on-host Git worktrees with an in-container clone exposed over `git-daemon`, and surfaces the new source-repository isolation guarantee.

User-facing changes in `usage.md`:

- `sandbox-<name>` Git remote that gets wired on the host.
- `git worktree list`, `cd .sbx/...`) with the simpler `git fetch sandbox-<name>` review flow.
- `.sbx/`-directory and "multiple branches per sandbox" sections.
- `--workspace-volume`, host worktree).

Security-model changes:

- `security/isolation.md` that explains why the agent — even running unconstrained — cannot corrupt the host's `.git` state. The host source is bind-mounted read-only at `/run/sandbox/source`; the agent's clone is private (own index, own refs, own working tree) and shares only the immutable object database via `.git/objects/info/alternates`.
- `security/_index.md`.
- `security/workspace.md` to correct the previous "branch mode is a workflow convenience, not a security boundary" caveat, which is no longer accurate after #2477.

The changes lean heavily on the threat-model framing the user asked for: the new design is not just ergonomic, it is the first time `--branch` provides a hard isolation boundary for the source repository.

Dependency
This documentation describes behavior introduced by docker/sandboxes#2477, which is not yet merged at the time of opening this PR. Please hold this PR or land it on the next sandboxes release that ships #2477.
Test plan
- `usage.md` branch-mode section
- `security/isolation.md` source-repository-isolation section
- `usage.md`, `security/workspace.md`, and `security/isolation.md`
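
The Git-level part of the isolation described in this PR (a `git clone --reference` clone with its own refs, index and working tree, linked to the source only through `.git/objects/info/alternates`) can be checked with stock Git. The script below is an added example, not code from this PR or from the sandboxes project. It assumes two scratch directories standing in for the read-only source mount and the in-container clone, and a `file://` URL standing in for the sandbox's transport; it does not exercise the read-only bind mount itself.

```shell
#!/bin/sh
# Constructed demo: repository names, identities and file names are made up.

# Print a repository's ref state: every ref with its tip, plus what HEAD points at.
repo_state() {
    git -C "$1" for-each-ref --format='%(refname) %(objectname)' &&
    git -C "$1" symbolic-ref HEAD
}

# Build a throwaway "host" repo, take a --reference clone of it, commit in the
# clone, then verify the host repo is unchanged. On success prints the clone's
# alternates target relative to the scratch directory; exits non-zero otherwise.
check_clone_isolation() (
    work=$(cd "$(mktemp -d)" && pwd -P) || exit 1
    trap 'rm -rf "$work"' EXIT
    src="$work/source"   # stands in for the read-only source mount
    clone="$work/clone"  # stands in for the agent's private clone

    git init -q "$src" &&
    git -C "$src" -c user.name=host -c user.email=host@example.invalid \
        commit -q --allow-empty -m "host commit" || exit 1
    before=$(repo_state "$src") || exit 1

    # Borrow the source's objects through alternates instead of copying them.
    git clone -q --reference "$src" "file://$src" "$clone" || exit 1

    # The agent commits on its own branch, in its own index and working tree.
    git -C "$clone" checkout -q -b agent-work &&
    echo change > "$clone/file.txt" &&
    git -C "$clone" add file.txt &&
    git -C "$clone" -c user.name=agent -c user.email=agent@example.invalid \
        commit -q -m "agent commit" || exit 1

    # Host refs, HEAD and working tree must be exactly as before.
    after=$(repo_state "$src") || exit 1
    [ "$before" = "$after" ] || exit 1
    [ ! -e "$src/file.txt" ] || exit 1

    # The only link back to the source is the object-store pointer.
    alt=$(cat "$clone/.git/objects/info/alternates") || exit 1
    alt=$(cd "$alt" && pwd -P) || exit 1
    echo "${alt#"$work"/}"
)

check_clone_isolation
```

A non-zero exit means the source repository's refs, HEAD or working tree changed after the clone committed, which is exactly the condition the isolation guarantee rules out.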