diff --git a/content/manuals/ai/sandboxes/_index.md b/content/manuals/ai/sandboxes/_index.md index 00cd87d0134..7e32f3b9055 100644 --- a/content/manuals/ai/sandboxes/_index.md +++ b/content/manuals/ai/sandboxes/_index.md @@ -72,8 +72,8 @@ the [usage guide](usage.md) for common patterns. extending or tailoring sandboxes - [Architecture](architecture.md) — microVM isolation, workspace mounting, networking -- [Security](security/) — isolation model, credential handling, network - policies, workspace trust +- [Security](security/) — isolation model, credential handling, and + network policies - [CLI reference](/reference/cli/sbx/) — full list of `sbx` commands and options - [Troubleshooting](troubleshooting.md) — common issues and fixes - [FAQ](faq.md) — login requirements, telemetry, etc diff --git a/content/manuals/ai/sandboxes/agents/claude-code.md b/content/manuals/ai/sandboxes/agents/claude-code.md index 8bc52aae25c..2043649de2d 100644 --- a/content/manuals/ai/sandboxes/agents/claude-code.md +++ b/content/manuals/ai/sandboxes/agents/claude-code.md @@ -72,6 +72,40 @@ $ sbx run claude -- --dangerously-skip-permissions -c See the [Claude Code CLI reference](https://code.claude.com/docs/en/cli-reference) for available options. +## Agents view + +Claude Code's [agents view](https://code.claude.com/docs/en/agent-view) +dispatches tasks to subagents that work in parallel, each in its own +Git worktree. Pair it with [clone mode](../usage.md#clone-mode) for an +isolated multi-agent workflow: + +```console +$ sbx run --clone claude -- agents +``` + +This invocation replaces the +[default startup command](#default-startup-command), so it doesn't +include `--dangerously-skip-permissions` and you can't switch to +bypass-permissions mode inside the sandbox. Either pass the flag too: + +```console +$ sbx run --clone claude -- --dangerously-skip-permissions agents +``` + +or use Claude Code's auto mode. + +The subagents' worktrees live inside the sandbox's private clone — none +of them touches your host repository. Each subagent commits to its own +branch, and you review the work from the host by fetching the +`sandbox-` remote: + +```console +$ git fetch sandbox- +$ git diff main..sandbox-/ +``` + +See [Git workflow](../usage.md#git-workflow) for clone-mode details. + ## Base image The sandbox uses `docker/sandbox-templates:claude-code`. See diff --git a/content/manuals/ai/sandboxes/get-started.md b/content/manuals/ai/sandboxes/get-started.md index 2e1d97d380a..160db21dcdd 100644 --- a/content/manuals/ai/sandboxes/get-started.md +++ b/content/manuals/ai/sandboxes/get-started.md @@ -268,5 +268,6 @@ working tree are unaffected. - [Customize](customize/) — build reusable templates or declare capabilities with kits - [Credentials](security/credentials.md) — credential storage and management -- [Workspace trust](security/workspace.md) — review agent changes safely +- [Workspace isolation](security/isolation.md#workspace-isolation) — what + the agent can affect on your host, and how to review changes - [Policies](security/policy.md) — control outbound access diff --git a/content/manuals/ai/sandboxes/security/_index.md b/content/manuals/ai/sandboxes/security/_index.md index ef6048e4446..120270ec9c9 100644 --- a/content/manuals/ai/sandboxes/security/_index.md +++ b/content/manuals/ai/sandboxes/security/_index.md @@ -18,9 +18,10 @@ anything on your host except what is explicitly shared. What crosses the boundary into the VM: -- **Workspace directory:** mounted into the VM with read-write access. With - the default direct mount, changes the agent makes appear on your host - immediately. +- **Workspace directory:** mounted into the VM. The default direct mount is + read-write — the agent edits your working tree in place. With + [`--clone`](../usage.md#clone-mode), your repository is mounted read-only + and the agent works on a private clone. - **Credentials:** the host-side proxy injects authentication headers into outbound HTTP requests. The raw credential values never enter the VM. - **Network access:** HTTP and HTTPS requests to @@ -41,7 +42,7 @@ and ICMP are blocked at the network layer. ## Isolation layers -The sandbox security model has four layers. See +The sandbox security model has five layers. See [Isolation layers](isolation/) for technical details on each. - **Hypervisor isolation:** separate kernel per sandbox. No shared memory or @@ -50,6 +51,10 @@ The sandbox security model has four layers. See [Deny-by-default policy](defaults/). Non-HTTP protocols blocked entirely. - **Docker Engine isolation:** each sandbox has its own Docker Engine with no path to the host daemon. +- **Workspace isolation:** with `--clone`, the agent works on a private + in-VM clone and your repository is mounted read-only. In direct mode + (default), the agent edits your working tree directly — no boundary + applies. - **Credential isolation:** API keys are injected into HTTP headers by the host-side proxy. Credential values never enter the VM. @@ -66,13 +71,15 @@ permitted and what is blocked. The sandbox isolates the agent from your host system, but the agent's actions can still affect you through the shared workspace and allowed network channels. -**Workspace changes are live on your host.** The agent edits the same files you -see on your host. This includes files that execute implicitly during normal -development: Git hooks, CI configuration, IDE task configs, `Makefile`, -`package.json` scripts, and similar build files. Review changes before running -any modified code. Note that Git hooks live inside `.git/` and do not appear in -`git diff` output. Check them separately. -See [Workspace trust](workspace/). +**Workspace changes are live on your host in direct mode.** With the default +direct mount, the agent edits the same files you see on your host. This +includes files that execute implicitly during normal development: Git hooks, +CI configuration, IDE task configs, `Makefile`, `package.json` scripts, and +similar build files. Review changes before running any modified code. Note +that Git hooks live inside `.git/` and do not appear in `git diff` output — +check them separately. See +[Workspace isolation](isolation/#workspace-isolation) for the full list and +for the alternative clone-mode boundary. **Default allowed domains include broad wildcards.** Some defaults like `*.googleapis.com` cover many services beyond AI APIs. Run `sbx policy ls` to @@ -93,12 +100,11 @@ See [Organization governance](governance/) for details. ## Learn more -- [Isolation layers](isolation/): how hypervisor, network, Docker, and - credential isolation work +- [Isolation layers](isolation/): how hypervisor, network, Docker, + workspace, and credential isolation work - [Default security posture](defaults/): what a fresh sandbox permits and blocks - [Credentials](credentials/): how to provide and manage API keys - [Policies](policy/): how to customize network access rules - [Organization governance](governance/): centrally manage policies across an organization -- [Workspace trust](workspace/): what to review after an agent session diff --git a/content/manuals/ai/sandboxes/security/defaults.md b/content/manuals/ai/sandboxes/security/defaults.md index 8c8a1f9a175..fe698245648 100644 --- a/content/manuals/ai/sandboxes/security/defaults.md +++ b/content/manuals/ai/sandboxes/security/defaults.md @@ -28,7 +28,8 @@ working tree directly, and changes appear on your host immediately. The agent can read, write, and delete any file within the workspace directory, including hidden files, configuration files, build scripts, and Git hooks. -See [Workspace trust](workspace.md) for what to review after an agent session. +See [Workspace isolation](isolation.md#workspace-isolation) for what to +review after an agent session. ## Credential defaults diff --git a/content/manuals/ai/sandboxes/security/isolation.md b/content/manuals/ai/sandboxes/security/isolation.md index ab220ad26ba..e39bebf50bb 100644 --- a/content/manuals/ai/sandboxes/security/isolation.md +++ b/content/manuals/ai/sandboxes/security/isolation.md @@ -1,13 +1,14 @@ --- title: Isolation layers weight: 10 -description: How Docker Sandboxes isolate AI agents using hypervisor, network, Docker Engine, and credential boundaries. -keywords: docker sandboxes, isolation, hypervisor, network, credentials +description: How Docker Sandboxes isolate AI agents using hypervisor, network, Docker Engine, workspace, and credential boundaries. +keywords: docker sandboxes, isolation, hypervisor, network, credentials, workspace, git --- AI coding agents need to execute code, install packages, and run tools on -your behalf. Docker Sandboxes run each agent in its own microVM with four -isolation layers: hypervisor, network, Docker Engine, and credential proxy. +your behalf. Docker Sandboxes run each agent in its own microVM. Five +isolation layers protect your host: hypervisor, network, Docker Engine, +workspace, and credential proxy. ## Hypervisor isolation @@ -59,18 +60,136 @@ your host. When the agent runs `docker build` or `docker compose up`, those commands execute against that engine. The agent has no path to your host Docker daemon. -```plaintext -Host system - ├── Host Docker daemon - │ └── Your containers and images - │ - └── Sandbox Docker engine (isolated from host) - ├── [VM] Agent container — sandbox 1 - │ └── [VM] Containers created by agent - └── [VM] Agent container — sandbox 2 - └── [VM] Containers created by agent +Each sandbox VM runs its own Docker Engine. The agent runs inside the VM, +alongside that engine, and drives it to create containers, all within the +VM: + +```mermaid +flowchart TB + subgraph host["Host system"] + subgraph hostd["Host Docker daemon"] + hc["Your containers and images"] + end + subgraph vm["Sandbox (microVM)"] + a["Agent"] + subgraph e["Sandbox Docker engine"] + c["Containers created by agent"] + end + a -->|"docker build / compose up"| e + end + end + style host fill:#3b82f622,stroke:#3b82f6 ``` +## Workspace isolation + +When you create a sandbox, you choose one of two ways to share your +workspace with it: + +- **Direct mount** (the default): the agent has read-write access to + your working tree. There is no boundary between the agent's edits and + your host filesystem. +- **Clone mode** (`--clone`): your repository is mounted read-only into + the VM and the agent works on a private clone inside the VM. The + agent's edits never reach your host until you fetch them. + +See [Git workflow](../usage.md#git-workflow) for the workflow side of +each. + +### Direct mount (default) + +By default, your workspace is shared into the VM as a read-write mount. +The agent and the host see the same files, and changes the agent makes +appear on your host as soon as they're written. + +There is no isolation between the agent and your workspace in this mode. +The agent can create, modify, or delete any file in the workspace, +including: + +- Source code and configuration files +- Build files (`Makefile`, `package.json`, `Cargo.toml`) +- Git hooks (`.git/hooks/`) +- CI configuration (`.github/workflows/`, `.gitlab-ci.yml`) +- IDE configuration (`.vscode/tasks.json`, `.idea/` run configurations) +- Hidden files, shell scripts, and executables + +Some of these files execute code when you trigger normal development +actions — committing, pushing, building, or opening the project in an IDE. +Review them after any agent session before performing those actions: + +- **Git hooks** (`.git/hooks/`) run on commit, push, and other Git actions. + These are inside `.git/` and **do not appear in `git diff` output** — + check them separately with `ls -la .git/hooks/`. +- **CI configuration** (`.github/workflows/`, `.gitlab-ci.yml`) runs on + push. +- **Build files** (`Makefile`, `package.json` scripts, `Cargo.toml`) run + during build or install steps. +- **IDE configuration** (`.vscode/tasks.json`, `.idea/`) can run tasks + when you open the project. + +> [!WARNING] +> Treat sandbox-modified workspace files the same way you would treat a pull +> request from an untrusted contributor: review before you trust them on +> your host. + +### Clone mode + +When you start a sandbox with [`--clone`](../usage.md#clone-mode), the agent +never works directly against your host repository. Even with full root +inside the VM, it cannot modify your `.git` directory, your working tree, +or any tracked file on your host. + +```mermaid +flowchart LR + subgraph host["Host repository (untouched)"] + direction TB + repo[".git/ + working tree"] + remote["remote sandbox-<name>"] + end + subgraph vm["Sandbox VM"] + direction TB + mount["/run/sandbox/source
(read-only bind mount)"] + clone["private clone (RW)
agent edits here"] + daemon["git-daemon"] + end + repo -->|"read-only bind mount"| mount + mount -->|"git clone"| clone + clone --> daemon + daemon -->|"git fetch"| remote +``` + +How the boundary is enforced: + +- Your repository's Git root is mounted at `/run/sandbox/source` as + read-only. Nothing the agent does inside the VM can write back through + that mount. +- The agent works on a private clone that lives inside the sandbox. The + clone has its own index, its own refs, and its own working tree. Writes + to the clone never reach your host. +- The sandbox publishes the clone over a Git daemon bound to localhost on + the host. The CLI wires it up as a `sandbox-` Git remote on + your host repository. Fetching from that remote uses the same trust + model as fetching from any third-party remote — nothing is integrated + until you explicitly merge or check out the fetched refs. + +The practical guarantees: + +- The agent cannot modify any tracked file or any byte under `.git/` on + your host. A compromised or buggy agent cannot drop a + `.git/hooks/pre-commit`, alter `.github/workflows/`, or sneak changes + into your working tree. +- Concurrent `git` commands on the host and inside the sandbox cannot + race on a shared `.git/index` or shared refs — there is no shared + writable state. +- Credentials, signing keys, and any settings in your repository's + `.git/config` stay on the host. The agent's clone has its own + independent configuration. + +Use clone mode whenever you want a strong boundary between the agent's +Git activity and your host repository — for example when running an +unfamiliar agent, running multiple agents on the same repository at once, +or keeping your working tree clean while the agent works. + ## Credential isolation Most agents need API keys for their model provider. Rather than passing keys diff --git a/content/manuals/ai/sandboxes/security/workspace.md b/content/manuals/ai/sandboxes/security/workspace.md deleted file mode 100644 index e6cb792bfa0..00000000000 --- a/content/manuals/ai/sandboxes/security/workspace.md +++ /dev/null @@ -1,72 +0,0 @@ ---- -title: Workspace trust -weight: 40 -description: | - How sandboxed agents interact with your workspace files and what to review - after an agent session. -keywords: docker sandboxes, workspace trust, file access, review, sbx ---- - -Agents running in sandboxes have full access to the workspace directory without -prompting. With the default direct mount, changes the agent makes appear on -your host immediately. Treat sandbox-modified workspace files the same way -you would treat a pull request from an untrusted contributor: review before -you trust them on your host. - -## What the agent can modify - -The agent can create, modify, and delete any file in the workspace. This -includes: - -- Source code files -- Configuration files (`.eslintrc`, `pyproject.toml`, `.env`, etc.) -- Build files (`Makefile`, `package.json`, `Cargo.toml`) -- Git hooks (`.git/hooks/`) -- CI configuration (`.github/workflows/`, `.gitlab-ci.yml`) -- IDE configuration (`.vscode/tasks.json`, `.idea/` run configurations) -- Hidden files and directories -- Shell scripts and executables - -> [!CAUTION] -> Files like Git hooks, CI configuration, IDE task configs, and build scripts -> execute code when triggered by normal development actions such as committing, -> building, or opening the project in an IDE. Review these files after any agent -> session before performing those actions. - -## Branch mode - -The `--branch` flag lets the agent work on a separate branch. This is a -workflow convenience, not a security boundary: the agent still mounts the full -repository. See the [usage guide](../usage.md) for details. - -## Reviewing changes - -After an agent session, review changes before executing any code the agent -touched. - -With the default direct mount, changes are in your working tree: - -```console -$ git diff -``` - -If you used `--branch`, the agent's changes are on a separate branch: - -```console -$ git diff main..my-feature -``` - -Pay particular attention to: - -- **Git hooks** (`.git/hooks/`): run on commit, push, and other Git actions. - These are inside `.git/` and **do not appear in `git diff` output**. Check - them separately with `ls -la .git/hooks/`. -- **CI configuration** (`.github/workflows/`, `.gitlab-ci.yml`): runs on push -- **Build files** (`Makefile`, `package.json` scripts, `Cargo.toml`): run - during build or install steps -- **IDE configuration** (`.vscode/tasks.json`, `.idea/`): can run tasks when - you open the project -- **Executable files and shell scripts**: can run directly - -These files execute code without you explicitly running them. Review them before -committing, building, or opening the project in an IDE. diff --git a/content/manuals/ai/sandboxes/usage.md b/content/manuals/ai/sandboxes/usage.md index c8fa2e8f757..861c52f459c 100644 --- a/content/manuals/ai/sandboxes/usage.md +++ b/content/manuals/ai/sandboxes/usage.md @@ -73,121 +73,159 @@ hosts, and add custom network rules. Press `?` to see all keyboard shortcuts. ## Git workflow -When your workspace is a Git repository, the agent edits your working tree -directly by default. Changes appear in your working tree immediately, the same -as working in a normal terminal. - -If you run multiple agents on the same repository at once, use [branch -mode](#branch-mode) to give each agent its own branch and working directory. +When your workspace is a Git repository, you can choose one of two ways +to share it with a sandbox. You make the choice when you create the +sandbox: + +- **Direct mode (default)** — the agent has read-write access to your + working tree. Changes the agent makes appear on your host immediately. + Best when you're collaborating turn-by-turn with the agent on a single + repository. +- **[Clone mode](#clone-mode) (`--clone`)** — the agent works on a private + Git clone inside the sandbox, with your host repository mounted + read-only. The sandbox exposes its clone as a Git remote on your host, + so you fetch the agent's commits the same way you'd fetch from any + other remote. Best when you want the agent isolated from your host + repository — for running multiple agents in parallel, working with + untrusted code, or keeping your working tree clean while the agent + works. + +See [Workspace isolation](security/isolation.md#workspace-isolation) for the +security model behind each mode. ### Direct mode (default) The agent edits your working tree directly. Stage, commit, and push as you -normally would. If you run multiple agents on the same repository at the same -time, they may step on each other's changes. See -[branch mode](#branch-mode) for an alternative. - -### Branch mode - -Pass `--branch ` to give the agent its own -[Git worktree](https://git-scm.com/docs/git-worktree) and branch. This -prevents conflicts when multiple agents, or you and an agent, write to the -same files at the same time. You can set `--branch` on `create`, `run`, or -both. +normally would. If you run multiple agents on the same repository at the +same time, they may step on each other's changes — use +[clone mode](#clone-mode) to give each agent its own isolated workspace. -The CLI creates worktrees under `.sbx/` in your repository root. The -worktree is a separate working directory, so the agent doesn't touch your main -working tree. This means: +### Clone mode -- The worktree branches off your latest commit when you create it. - Uncommitted changes in your working tree are not included (`sbx` warns you - if it detects any). -- Files you add or change in your main working tree won't be visible to the - agent, and vice versa. The two directories are independent. - -#### Starting a branch +In clone mode, the sandbox becomes a Git remote on your host. The agent +commits inside the sandbox; you pull its work back out by fetching from +that remote. ```console -$ sbx run claude --branch my-feature # agent works on the my-feature branch +$ sbx run --clone claude ``` -Use `--branch auto` to let the CLI generate a branch name for you: +You can also create the sandbox in the background and attach later: ```console -$ sbx run claude --branch auto +$ sbx create --clone --name my-sandbox claude . +$ sbx run my-sandbox ``` -You can also create the sandbox first and add a branch at run time: +The clone follows whichever ref your host repository has checked out at +create time. No new branch is created automatically. If you want the agent +to work on a dedicated branch, instruct it (or open a shell with `sbx exec` +yourself) to run `git checkout -b my-feature` inside the sandbox before it +starts editing. -```console -$ sbx create --name my-sandbox claude . -$ sbx run --branch my-feature my-sandbox -``` +> [!NOTE] +> Clone mode is fixed at create time. To switch an existing sandbox to +> clone mode, remove it and recreate it with `sbx create --clone`. -Or set the branch at create time and reuse it on subsequent runs: +#### Reviewing and merging the agent's commits + +The CLI wires the in-sandbox clone as a `sandbox-` Git remote +on your host. Pull the agent's commits the same way you'd fetch any other +remote — no `cd` into a separate directory, no extra tooling: ```console -$ sbx create --name my-sandbox --branch my-feature claude . -$ sbx run my-sandbox # resumes in the my-feature worktree -$ sbx run --branch my-feature my-sandbox # same — reuses the existing worktree +$ git fetch sandbox-my-sandbox +$ git log sandbox-my-sandbox/ +$ git diff main..sandbox-my-sandbox/ +$ git checkout -b my-feature sandbox-my-sandbox/ +$ git push -u origin my-feature +$ gh pr create ``` -#### Multiple branches per sandbox +If you asked the agent to work on a dedicated branch, `` is that +branch name. Otherwise it's whatever ref your host repository was on at +create time. -You can run multiple worktrees in the same sandbox by passing different branch -names: +Some agents don't commit automatically. If `git log sandbox-/` +shows nothing new, open a shell in the sandbox and commit from there: ```console -$ sbx run --branch feature-a my-sandbox -$ sbx run --branch feature-b my-sandbox +$ sbx exec -it my-sandbox bash +$ git commit -am "save work" ``` -#### Reviewing and pushing changes +#### Pushing to your fork from inside the sandbox + +When the sandbox starts, the CLI copies the Git remotes from your host +repository (`origin`, `upstream`, and so on) into the in-sandbox clone +with their existing URLs. The agent can push to your fork on GitHub +directly — for example, by prompting: + +> Commit these changes and push them to a new branch on `origin`. -To review the agent's work, find the worktree with `git worktree list`, then -push or open a PR from there: +The push uses the same `git push origin ...` invocation the agent would +run on the host. This is interchangeable with fetching the commits to +your host first and pushing from there. + +Local-path remotes (`file://` URLs, filesystem paths) aren't copied, since +they aren't reachable from inside the sandbox. + +#### Running multiple branches in parallel + +A single sandbox can hold several branches at once. Each branch the +agent commits to appears as a separate ref on the `sandbox-` +remote, so you can fetch them independently from the host: ```console -$ git worktree list # find the worktree path -$ cd .sbx/-worktrees/my-feature -$ git log # see what the agent did -$ git push -u origin my-feature -$ gh pr create +$ git fetch sandbox-my-sandbox +$ git log sandbox-my-sandbox/feature-a +$ git log sandbox-my-sandbox/feature-b ``` -Some agents don't commit automatically and leave changes uncommitted in the -worktree. If that happens, commit from the worktree directory before pushing. +A few common ways to have the agent start each task on its own branch: -See [Workspace trust](security/workspace.md) for security considerations when -reviewing agent changes. +- A subagent orchestrator such as Claude Code's + [agents view](agents/claude-code.md#agents-view) dispatches each task + to a subagent that creates its own worktree inside the clone. +- Agent-level instructions in `CLAUDE.md`, an orchestration skill, or a + system prompt include a rule to start each task on a new branch. +- For one-off tasks, ask the agent to switch to a new branch before it + starts. -#### Cleanup +#### Sandbox lifecycle and the Git remote -`sbx rm` removes the sandbox and all of its worktrees and branches. +The Git daemon that exposes the in-sandbox clone runs as part of the +sandbox itself. It's only reachable while the sandbox is running: -#### Ignoring the `.sbx/` directory +- `sbx stop` shuts down the daemon. `git fetch sandbox-` fails until + the sandbox starts again. +- Restarting the sandbox assigns a new ephemeral port to the daemon. The + CLI updates the `sandbox-` remote URL in your host repository's + Git config automatically, so fetching continues to work without manual + reconfiguration. +- `sbx rm` removes the sandbox, the daemon, the published port, and the + `sandbox-` remote entry from your host repository. -Branch mode stores worktrees under `.sbx/` in your repository root. To keep -this directory out of `git status`, add it to your project's `.gitignore`: +> [!WARNING] +> Removing a clone-mode sandbox drops the in-sandbox clone along with it. +> Any commits you haven't fetched (`git fetch sandbox-`) or pushed +> to an upstream remote are lost. `sbx rm` prints a warning before +> deleting a clone-mode sandbox — review it before confirming. -```console -$ echo '.sbx/' >> .gitignore -``` - -Or, to ignore it across all repositories, add `.sbx/` to your global gitignore: +#### Restrictions -```console -$ echo '.sbx/' >> "$(git config --global core.excludesFile)" -``` +Clone mode requires a Git repository as the primary workspace, and is +rejected at create time in two cases: -> [!TIP] -> If `git config --global core.excludesFile` is empty, set one first: -> `git config --global core.excludesFile ~/.gitignore`. +- `--clone` on a non-Git workspace. Omit `--clone` for non-Git workspaces. +- `--clone` from inside a Git worktree (other than the main one). The + read-only bind mount can't resolve the worktree's `.git` pointer file. + Run `sbx create --clone` from the main repository checkout instead. -You can also create Git worktrees yourself and run an agent directly in one, -but the sandbox won't have access to the `.git` directory in the parent -repository. This means the agent can't commit, push, or use Git. `--branch` -solves this by setting up the worktree so that Git works inside the sandbox. +You can also create a Git worktree yourself and run an agent inside it +without `--clone`, but the sandbox won't have access to the `.git` +directory in the parent repository, so the agent can't use Git at all. +Clone mode is the supported alternative for working on a separate branch. ### Signed commits @@ -251,7 +289,7 @@ $ sbx create claude . ``` Unlike `run`, `create` requires an explicit workspace path. It uses direct -mode by default, or pass `--branch` for [branch mode](#branch-mode). Attach +mode by default, or pass `--clone` for [clone mode](#clone-mode). Attach later with `sbx run`: ```console @@ -262,8 +300,8 @@ $ sbx run claude-my-project You can mount extra directories into a sandbox alongside the main workspace. The first path is the primary workspace — the agent starts here, and the -sandbox's Git worktree is created from this directory if you use `--branch`. -Extra workspaces are always mounted directly. +sandbox's in-container Git clone is populated from this directory if you +use `--clone`. Extra workspaces are always mounted directly. All workspaces appear inside the sandbox at their absolute host paths. Append `:ro` to mount an extra workspace read-only — useful for reference material or