sandboxes 0.10.1 (#24059)

- **cli: docker sandboxes v0.10.1**
- **sandboxes: add `docker sandbox save` to templates docs**
- **sandboxes: add copilot to supported agents**
- **sandboxes: call out yolo mode by default in overview**

---------

Signed-off-by: David Karlsson <35727626+dvdksn@users.noreply.github.com>

Author: dvdksn

content/manuals/ai/sandboxes/_index.md

@@ -27,6 +27,7 @@ environment without affecting your host.
 You get:
 
 - Agent autonomy without host system risk
+- YOLO mode by default - agents work without asking permission
 - Private Docker daemon for running test containers
 - File sharing between host and sandbox
 - Network access control
@@ -85,6 +86,7 @@ Docker Sandboxes works with multiple AI coding agents:
 
 - **Claude Code** - Anthropic's coding agent
 - **Codex** - OpenAI's Codex agent (partial support; in development)
+- **Copilot** - GitHub Copilot agent (partial support; in development)
 - **Gemini** - Google's Gemini agent (partial support; in development)
 - **cagent** - Docker's [cagent](/ai/cagent/) (partial support; in development)
 - **Kiro** - by AWS (partial support; in development)

content/manuals/ai/sandboxes/agents.md

@@ -11,13 +11,14 @@ inside microVMs with private Docker daemons.
 
 ## Supported agents
 
-| Agent       | Command  | Status       | Notes                      |
-| ----------- | -------- | ------------ | -------------------------- |
-| Claude Code | `claude` | Experimental | Most tested implementation |
-| Codex       | `codex`  | Experimental | In development             |
-| Gemini      | `gemini` | Experimental | In development             |
-| cagent      | `cagent` | Experimental | In development             |
-| Kiro        | `kiro`   | Experimental | In development             |
+| Agent       | Command    | Status       | Notes                      |
+| ----------- | ---------- | ------------ | -------------------------- |
+| Claude Code | `claude`   | Experimental | Most tested implementation |
+| Codex       | `codex`    | Experimental | In development             |
+| Copilot     | `copilot`  | Experimental | In development             |
+| Gemini      | `gemini`   | Experimental | In development             |
+| cagent      | `cagent`   | Experimental | In development             |
+| Kiro        | `kiro`     | Experimental | In development             |
 
 ## Experimental status
 
@@ -37,6 +38,7 @@ The agent type is specified when creating a sandbox:
 ```console
 $ docker sandbox create claude ~/my-project
 $ docker sandbox create codex ~/my-project
+$ docker sandbox create copilot ~/my-project
 $ docker sandbox create gemini ~/my-project
 $ docker sandbox create cagent ~/my-project
 $ docker sandbox create kiro ~/my-project

content/manuals/ai/sandboxes/templates.md

@@ -22,7 +22,7 @@ Use custom templates when:
 For one-off work or simple setups, use the default template and ask the agent
 to install what's needed.
 
-## Building a template
+## Building templates with Dockerfiles
 
 Start from Docker's official sandbox templates:
 
@@ -46,9 +46,9 @@ RUN pip3 install --no-cache-dir \
 USER agent
 ```
 
-Official templates include the agent binary, Ubuntu base, development tools
-(Git, Docker CLI, Node.js, Python, Go), and the non-root `agent` user with
-sudo access.
+Official templates include the agent binary, Ubuntu base, and development tools
+like Git, Docker CLI, Node.js, Python, and Go. They run as the non-root
+`agent` user with sudo access.
 
 ### The USER pattern
 
@@ -57,42 +57,74 @@ end. The base template defaults to `USER agent`, so you need to explicitly
 switch to root for package installations. Always switch back to `agent` before
 the end of your Dockerfile so the agent runs with the correct permissions.
 
-### Using templates
+### Using templates built from Dockerfiles
 
 Build your template:
 
 ```console
 $ docker build -t my-template:v1 .
 ```
 
-Then choose how to use it:
-
-Option 1: Load from local images (quick, for personal use)
+Use it directly from your local Docker daemon:
 
 ```console
-$ docker sandbox create --template my-template:v1 \
-    --load-local-template \
-    claude ~/project
-$ docker sandbox run <sandbox-name>
+$ docker sandbox run --load-local-template -t my-template:v1 claude ~/project
 ```
 
-The `--load-local-template` flag loads the image from your local Docker daemon
-into the sandbox VM. This works for quick iteration and personal templates.
+The `--load-local-template` flag tells the sandbox to use an image from your
+local Docker daemon. Without it, the sandbox looks for the image in a registry.
 
-Option 2: Push to a registry (for sharing and persistence)
+To share the template with others, push it to a registry:
 
 ```console
 $ docker tag my-template:v1 myorg/my-template:v1
 $ docker push myorg/my-template:v1
-$ docker sandbox create --template myorg/my-template:v1 claude ~/project
-$ docker sandbox run <sandbox-name>
+$ docker sandbox run -t myorg/my-template:v1 claude ~/project
 ```
 
-Pushing to a registry makes templates available to your team and persists them
-beyond your local machine.
+Once pushed to a registry, you don't need `--load-local-template`.
+
+## Creating templates from existing sandboxes
+
+Rather than writing a Dockerfile, you can start with a sandbox, configure it,
+then save it as a template. This is convenient when you already have a working
+environment set up by the agent.
+
+Start a sandbox and have the agent install what you need:
+
+```console
+$ docker sandbox run claude ~/project
+```
+
+Inside the sandbox, ask the agent to install tools and configure the
+environment. Once everything works, exit and save the sandbox as a template:
+
+```console
+$ docker sandbox save claude-sandbox-2026-02-02-123456 my-template:v1
+✓ Saved sandbox as my-template:v1
+```
+
+This saves the image to your local Docker daemon. Use `--load-local-template`
+to create new sandboxes from it:
+
+```console
+$ docker sandbox run --load-local-template -t my-template:v1 claude ~/other-project
+```
+
+To save as a tar file instead (for example, to transfer to another machine):
+
+```console
+$ docker sandbox save -o template.tar claude-sandbox-2026-02-02-123456 my-template:v1
+```
+
+Use a Dockerfile when you want a clear record of how the environment is built.
+Use `docker sandbox save` when you already have a working sandbox and want to
+reuse it.
 
 ## Example: Node.js template
 
+This template adds Node.js 20 and common development tools:
+
 ```dockerfile
 FROM docker/sandbox-templates:claude-code
 
@@ -108,14 +140,14 @@ RUN curl -fsSL https://deb.nodesource.com/setup_20.x | bash - \
 
 # Install common tools
 RUN npm install -g \
-    typescript@5.1.6 \
-    eslint@8.46.0 \
-    prettier@3.0.0
+    typescript@5.7.2 \
+    eslint@9.17.0 \
+    prettier@3.4.2
 
 USER agent
 ```
 
-Pin versions for reproducible builds.
+Pin specific versions for reproducible builds across your team.
 
 ## Using standard images
 
@@ -138,21 +170,28 @@ dependencies, configure the shell, and set up the `agent` user. Building from
 
 ## Sharing with teams
 
-Push templates to a registry and version them:
+To share templates, push them to a registry with version tags:
 
 ```console
 $ docker build -t myorg/sandbox-templates:python-v1.0 .
 $ docker push myorg/sandbox-templates:python-v1.0
 ```
 
-Team members can then use the template:
+Or tag and push a saved sandbox:
+
+```console
+$ docker tag my-template:v1 myorg/my-template:v1.0
+$ docker push myorg/my-template:v1.0
+```
+
+Team members use the template by referencing the registry image:
 
 ```console
-$ docker sandbox create --template myorg/sandbox-templates:python-v1.0 claude ~/project
+$ docker sandbox run -t myorg/sandbox-templates:python-v1.0 claude ~/project
 ```
 
-Using version tags (`:v1.0`, `:v2.0`) instead of `:latest` ensures stability
-across your team.
+Use version tags like `:v1.0` instead of `:latest` for consistency across your
+team.
 
 ## Next steps
 

content/reference/cli/docker/sandbox/create/copilot.md

@@ -0,0 +1,6 @@
+---
+datafolder: sandbox-cli
+datafile: docker_sandbox_create_copilot
+title: docker sandbox create copilot
+layout: cli
+---

content/reference/cli/docker/sandbox/save.md

@@ -0,0 +1,6 @@
+---
+datafolder: sandbox-cli
+datafile: docker_sandbox_save
+title: docker sandbox save
+layout: cli
+---

data/sandbox-cli/docker_sandbox.yaml

@@ -12,6 +12,7 @@ cname:
     - docker sandbox reset
     - docker sandbox rm
     - docker sandbox run
+    - docker sandbox save
     - docker sandbox stop
     - docker sandbox version
 clink:
@@ -22,6 +23,7 @@ clink:
     - docker_sandbox_reset.yaml
     - docker_sandbox_rm.yaml
     - docker_sandbox_run.yaml
+    - docker_sandbox_save.yaml
     - docker_sandbox_stop.yaml
     - docker_sandbox_version.yaml
 options:

data/sandbox-cli/docker_sandbox_create_copilot.yaml

@@ -0,0 +1,40 @@
+command: docker sandbox create copilot
+short: Create a sandbox for copilot
+long: |-
+    Create a sandbox with access to a host workspace for copilot.
+
+    The workspace path is required and will be exposed inside the sandbox at the same path as on the host.
+
+    Use 'docker sandbox run SANDBOX' to start copilot after creation.
+usage: docker sandbox create copilot WORKSPACE
+pname: docker sandbox create
+plink: docker_sandbox_create.yaml
+inherited_options:
+    - option: debug
+      shorthand: D
+      value_type: bool
+      default_value: "false"
+      description: Enable debug logging
+      deprecated: false
+      hidden: false
+      experimental: false
+      experimentalcli: false
+      kubernetes: false
+      swarm: false
+    - option: socket
+      value_type: string
+      description: |
+        Connect to daemon at specific socket path (for development/debugging)
+      deprecated: false
+      hidden: true
+      experimental: false
+      experimentalcli: false
+      kubernetes: false
+      swarm: false
+deprecated: false
+hidden: false
+experimental: false
+experimentalcli: false
+kubernetes: false
+swarm: false
+

data/sandbox-cli/docker_sandbox_run.yaml

@@ -4,16 +4,6 @@ long: |-
     Run an agent in a sandbox. Create the sandbox if it does not exist.
 
     Pass agent arguments after the "--" separator.
-
-    Examples:
-      # Create and run a sandbox with claude in current directory
-      docker sandbox run claude .
-
-      # Run an existing sandbox
-      docker sandbox run existing-sandbox
-
-      # Run a sandbox with agent arguments
-      docker sandbox run claude . -- -p "What version are you running?"
 usage: docker sandbox run SANDBOX [-- AGENT_ARGS...] | AGENT WORKSPACE [-- AGENT_ARGS...]
 pname: docker sandbox
 plink: docker_sandbox.yaml

data/sandbox-cli/docker_sandbox_save.yaml

@@ -0,0 +1,51 @@
+command: docker sandbox save
+short: Save a snapshot of the sandbox as a template
+long: |-
+    Save a snapshot of the sandbox as a template.
+
+    By default, the image is loaded into the host's Docker daemon (requires Docker to be running).
+    Use --output to save the image to a tar file instead.
+usage: docker sandbox save SANDBOX TAG
+pname: docker sandbox
+plink: docker_sandbox.yaml
+options:
+    - option: output
+      shorthand: o
+      value_type: string
+      description: |
+        Save image to specified tar file instead of loading into host Docker
+      deprecated: false
+      hidden: false
+      experimental: false
+      experimentalcli: false
+      kubernetes: false
+      swarm: false
+inherited_options:
+    - option: debug
+      shorthand: D
+      value_type: bool
+      default_value: "false"
+      description: Enable debug logging
+      deprecated: false
+      hidden: false
+      experimental: false
+      experimentalcli: false
+      kubernetes: false
+      swarm: false
+    - option: socket
+      value_type: string
+      description: |
+        Connect to daemon at specific socket path (for development/debugging)
+      deprecated: false
+      hidden: true
+      experimental: false
+      experimentalcli: false
+      kubernetes: false
+      swarm: false
+deprecated: false
+hidden: false
+experimental: false
+experimentalcli: false
+kubernetes: false
+swarm: false
+