Clarify sandbox networking, env sourcing, and approval defaults#24745
Open
dvdksn wants to merge 7 commits intodocker:mainfrom
Open
Clarify sandbox networking, env sourcing, and approval defaults#24745dvdksn wants to merge 7 commits intodocker:mainfrom
dvdksn wants to merge 7 commits intodocker:mainfrom
Conversation
Variables set in /etc/sandbox-persistent.sh inside a sandbox are only sourced during interactive shell sessions and agent startup. Running a command directly with `sbx exec <name> <command>` skips the login shell, so the persistent environment file is not loaded. Add a note explaining this distinction and a workaround using a login shell wrapper. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Sandbox agent templates run without approval prompts by default, which can be surprising. Add a FAQ entry explaining that the sandbox isolation layers replace the need for per-action approval, and show how to re-enable approval prompts by passing the agent's own CLI flags after the -- separator. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…king Users may expect that adding a domain to the allow list unblocks all traffic to that host, including SSH. Add a note to the network policy page stating that allow rules only apply to HTTP/HTTPS, and add a troubleshooting entry for SSH with a workaround (use HTTPS for Git). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
✅ Deploy Preview for docsdocker ready!
To edit notification comments on pull requests, go to your Netlify project configuration. |
Replace the incorrect --permission-mode flag example with two workarounds that actually work: changing the permission mode inside the session (e.g. /permissions in Claude Code), or building a custom template with different default launch flags. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Blocked non-HTTP requests look the same as other blocked requests in sbx policy log output, so the advice to check for a PROXY value of "network" was not useful. Simplify the section. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Verified that sbx exec runs commands without a shell, so the persistent env file is not sourced. Wrapping in bash -c is enough because the file is sourced via BASH_ENV, not login profiles. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
robmry
reviewed
Apr 16, 2026
Non-HTTP TCP traffic including SSH can be permitted via IP:port policy rules (docker/sandboxes#2329). UDP and ICMP remain blocked. Update the policy page, monitoring table, and troubleshooting entry accordingly. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
dvdksn
added
the
status/do-not-merge
robmry
approved these changes
Apr 16, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
/etc/sandbox-persistent.shis sourced when bash runs insidethe sandbox, but not when
sbx exec <name> <command>runs a commanddirectly without a shell. Add a
bash -cworkaround.(Related:
claudeCLI works in interactive shell but fails in direct execution withNot logged in · Run /loginsbx-releases#53)sandbox is the safety boundary) and how to re-enable them: change the
permission mode inside the session, or build a custom template.
(Related: opt out of yolo mode default sbx-releases#47)
it explicit that SSH and other non-HTTP protocols are always blocked,
regardless of allow rules. (Related: Network proxy drops outbound SSH (Port 22) during Key Exchange, ignoring explicitly "Allowed" policies sbx-releases#46)
🤖 Generated with Claude Code