From 6b8f42ec1b6c4fa3dded4d21e8fac931d3f9577f Mon Sep 17 00:00:00 2001 From: Craig Osterhout Date: Tue, 23 Jun 2026 08:31:32 -0700 Subject: [PATCH 1/4] sbx: clarify clone behavior Signed-off-by: Craig Osterhout --- content/manuals/ai/sandboxes/security/isolation.md | 12 +++++++++--- content/manuals/ai/sandboxes/usage.md | 7 ++++--- 2 files changed, 13 insertions(+), 6 deletions(-) diff --git a/content/manuals/ai/sandboxes/security/isolation.md b/content/manuals/ai/sandboxes/security/isolation.md index da3089844b8e..7a31e256dec9 100644 --- a/content/manuals/ai/sandboxes/security/isolation.md +++ b/content/manuals/ai/sandboxes/security/isolation.md @@ -165,8 +165,10 @@ flowchart LR How the boundary is enforced: - Your repository's Git root is mounted at `/run/sandbox/source` as - read-only. Nothing the agent does inside the VM can write back through - that mount. + read-only. The mount covers your entire working directory, including + untracked files and files excluded by `.gitignore`. Nothing the agent + does inside the VM can write back through that mount, but all files + under the Git root are readable inside the sandbox. - The agent works on a private clone that lives inside the sandbox. The clone has its own index, its own refs, and its own working tree. Writes to the clone never reach your host. @@ -187,7 +189,11 @@ The practical guarantees: writable state. - Credentials, signing keys, and any settings in your repository's `.git/config` stay on the host. The agent's clone has its own - independent configuration. + independent configuration. Credential files in your working directory that aren't tracked by Git, + including those excluded by `.gitignore`, such as `.envrc.private`, are + readable inside the sandbox. + Store secrets outside your working directory or use + [credential isolation](credentials.md) instead. Use clone mode whenever you want a strong boundary between the agent's Git activity and your host repository — for example when running an 
diff --git a/content/manuals/ai/sandboxes/usage.md b/content/manuals/ai/sandboxes/usage.md index 838c843c4580..770be444b472 100644 --- a/content/manuals/ai/sandboxes/usage.md +++ b/content/manuals/ai/sandboxes/usage.md @@ -99,9 +99,10 @@ same time, they may step on each other's changes — use ### Clone mode -In clone mode, the sandbox becomes a Git remote on your host. The agent -commits inside the sandbox; you pull its work back out by fetching from -that remote. +In clone mode, the sandbox becomes a Git remote on your host. Your entire +working directory, including untracked files and files excluded by `.gitignore`, is mounted +read-only inside the sandbox. The agent commits inside the sandbox; you pull its work back +out by fetching from that remote. > [!NOTE] > Clone mode was introduced in `sbx` v0.31.0 and replaces the `--branch` From cf49d474a067d4f3e2c31ad456546244a78951d7 Mon Sep 17 00:00:00 2001 From: Craig Osterhout Date: Tue, 23 Jun 2026 08:50:27 -0700 Subject: [PATCH 2/4] separate bullet Signed-off-by: Craig Osterhout --- content/manuals/ai/sandboxes/security/isolation.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/content/manuals/ai/sandboxes/security/isolation.md b/content/manuals/ai/sandboxes/security/isolation.md index 7a31e256dec9..ec6cac362152 100644 --- a/content/manuals/ai/sandboxes/security/isolation.md +++ b/content/manuals/ai/sandboxes/security/isolation.md 
@@ -189,11 +189,11 @@ The practical guarantees: writable state. - Credentials, signing keys, and any settings in your repository's `.git/config` stay on the host. The agent's clone has its own - independent configuration. Credential files in your working directory that aren't tracked by Git, - including those excluded by `.gitignore`, such as `.envrc.private`, are - readable inside the sandbox. - Store secrets outside your working directory or use - [credential isolation](credentials.md) instead. + independent configuration. +- Credential files in your working directory that aren't tracked by Git, + including those excluded by `.gitignore` such as `.envrc.private`, are + readable inside the sandbox. Store secrets outside your working + directory or use [credential isolation](credentials.md) instead. Use clone mode whenever you want a strong boundary between the agent's Git activity and your host repository — for example when running an From ee05b0714046aad2c55ce1198589f8596ac1eccb Mon Sep 17 00:00:00 2001 From: Craig Osterhout Date: Tue, 23 Jun 2026 08:54:09 -0700 Subject: [PATCH 3/4] move limitation out of benefit Signed-off-by: Craig Osterhout --- content/manuals/ai/sandboxes/security/isolation.md | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/content/manuals/ai/sandboxes/security/isolation.md b/content/manuals/ai/sandboxes/security/isolation.md index ec6cac362152..8fbe65c8b9e0 100644 --- a/content/manuals/ai/sandboxes/security/isolation.md +++ b/content/manuals/ai/sandboxes/security/isolation.md 
@@ -168,7 +168,10 @@ How the boundary is enforced: read-only. The mount covers your entire working directory, including untracked files and files excluded by `.gitignore`. Nothing the agent does inside the VM can write back through that mount, but all files - under the Git root are readable inside the sandbox. + under the Git root are readable inside the sandbox. This includes + credential files not tracked by Git, such as `.envrc.private`. Store + secrets outside your working directory or use + [credential isolation](credentials.md) instead. - The agent works on a private clone that lives inside the sandbox. The clone has its own index, its own refs, and its own working tree. Writes to the clone never reach your host. @@ -190,10 +193,6 @@ The practical guarantees: - Credentials, signing keys, and any settings in your repository's `.git/config` stay on the host. The agent's clone has its own independent configuration. -- Credential files in your working directory that aren't tracked by Git, - including those excluded by `.gitignore` such as `.envrc.private`, are - readable inside the sandbox. Store secrets outside your working - directory or use [credential isolation](credentials.md) instead. Use clone mode whenever you want a strong boundary between the agent's Git activity and your host repository — for example when running an From e96b460a0ac3c6af01879f4c23416189476b32a6 Mon Sep 17 00:00:00 2001 From: Craig Osterhout Date: Tue, 23 Jun 2026 13:45:55 -0700 Subject: [PATCH 4/4] update file example Signed-off-by: Craig Osterhout --- content/manuals/ai/sandboxes/security/isolation.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/manuals/ai/sandboxes/security/isolation.md b/content/manuals/ai/sandboxes/security/isolation.md index 8fbe65c8b9e0..6d397b4d27a8 100644 --- a/content/manuals/ai/sandboxes/security/isolation.md +++ b/content/manuals/ai/sandboxes/security/isolation.md 
@@ -169,7 +169,7 @@ How the boundary is enforced: untracked files and files excluded by `.gitignore`. Nothing the agent does inside the VM can write back through that mount, but all files under the Git root are readable inside the sandbox. This includes - credential files not tracked by Git, such as `.envrc.private`. Store + credential files not tracked by Git, such as `.env`. Store secrets outside your working directory or use [credential isolation](credentials.md) instead. - The agent works on a private clone that lives inside the sandbox. The
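Review bot: In PATCH 1/4, the isolation.md hunk at `@@ -165,8 +165,10 @@` introduces a statement that is in tension with the unchanged "practical guarantees" text: "all files under the Git root are readable inside the sandbox" versus "settings in your repository's `.git/config` stay on the host". If `.git/` sits under the mounted Git root, then `.git/config` (including any credential-helper settings) is readable through the read-only mount as well, and "stay on the host" overstates the boundary. Either say explicitly that `.git/` is excluded from the mount, or reword the guarantee bullet to say the agent's clone cannot modify or use those settings rather than that they stay on the host. Same hunk, smaller point: the bullet opens with "Your repository's Git root is mounted" and then says "The mount covers your entire working directory"; using one term ("everything under the Git root") avoids misleading a user who runs `sbx` from a subdirectory.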
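Review bot: In PATCH 1/4, the isolation.md hunk at `@@ -187,7 +189,11 @@` appends a limitation to a bullet under "The practical guarantees", so a reader skimming the guarantees list sees a caveat presented as a guarantee, and the first added line ("independent configuration. Credential files in your working directory that aren't tracked by Git,") runs well past the wrap width used by the surrounding lines. Both problems are fixed by PATCH 2/4 and PATCH 3/4 rewriting this exact text; since 2/4 through 4/4 only rework lines introduced here, squashing the series into one commit would leave a clean history with no intermediate state that documents the limitation in the wrong section.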
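Review bot: In PATCH 1/4, the usage.md hunk at `@@ -99,9 +99,10 @@` wraps the new lines wider than the paragraph around them ("working directory, including untracked files and files excluded by `.gitignore`, is mounted" is noticeably longer than the removed lines); rewrap to the file's existing width. The hunk also says "Your entire working directory" where isolation.md says "your repository's Git root"; since this is the page most users read first, use the same term in both files so it is clear the mount is the repository root, not the shell's current directory.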
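Review bot: In PATCH 2/4, the hunk at `@@ -189,11 +189,11 @@` drops the comma in "including those excluded by `.gitignore` such as `.envrc.private`", which now reads as if only ignored files are meant, whereas the sentence is about all untracked files with ignored files as one case; keep "including those excluded by `.gitignore`, such as `.envrc.private`,". This text is removed again by PATCH 3/4, so the fix only matters if the series is not squashed.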
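Review bot: In PATCH 3/4, the hunk at `@@ -168,7 +168,10 @@` puts the limitation next to the mechanism that causes it, which is the right placement, but the remediation sentence ("Store secrets outside your working directory or use [credential isolation](credentials.md) instead") now sits inside a bullet titled "How the boundary is enforced"; consider a short separate paragraph or note after the list so the enforcement bullets stay descriptive and the advice is not lost in the middle of a bullet. The companion hunk at `@@ -190,10 +193,6 @@` correctly removes the duplicate from the guarantees list. PATCH 4/4 at `@@ -169,7 +169,7 @@` then swaps the example to `.env`, which is the more widely recognised filename; as with 2/4, both patches only touch text added in 1/4 and should be squashed into it.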