sbx: vendor v0.32.0 CLI reference

data/sbx_cli/sbx.yaml

@@ -20,7 +20,7 @@ see_also:
     - sbx create - Create a sandbox for an agent
     - sbx diagnose - Diagnose common issues with your sbx installation
     - sbx exec - Execute a command inside a sandbox
-    - sbx kit - Manage kit artifacts
+    - sbx kit - (Experimental) Manage kit artifacts
     - sbx login - Sign in to Docker
     - sbx logout - Stop all running sandboxes and sign out of Docker
     - sbx ls - List sandboxes

data/sbx_cli/sbx_create.yaml

@@ -23,10 +23,6 @@ options:
       experimental: true
       usage: |
         Kit reference (directory, ZIP, or OCI). Can be specified multiple times
-    - name: mcp
-      default_value: '[]'
-      usage: |
-        MCP server name to enable (use 'all' for all registered servers). Can be specified multiple times
     - name: memory
       shorthand: m
       usage: |

data/sbx_cli/sbx_create_claude.yaml

@@ -32,10 +32,6 @@ inherited_options:
       experimental: true
       usage: |
         Kit reference (directory, ZIP, or OCI). Can be specified multiple times
-    - name: mcp
-      default_value: '[]'
-      usage: |
-        MCP server name to enable (use 'all' for all registered servers). Can be specified multiple times
     - name: memory
       shorthand: m
       usage: |

data/sbx_cli/sbx_create_codex.yaml

@@ -32,10 +32,6 @@ inherited_options:
       experimental: true
       usage: |
         Kit reference (directory, ZIP, or OCI). Can be specified multiple times
-    - name: mcp
-      default_value: '[]'
-      usage: |
-        MCP server name to enable (use 'all' for all registered servers). Can be specified multiple times
     - name: memory
       shorthand: m
       usage: |

data/sbx_cli/sbx_create_copilot.yaml

@@ -32,10 +32,6 @@ inherited_options:
       experimental: true
       usage: |
         Kit reference (directory, ZIP, or OCI). Can be specified multiple times
-    - name: mcp
-      default_value: '[]'
-      usage: |
-        MCP server name to enable (use 'all' for all registered servers). Can be specified multiple times
     - name: memory
       shorthand: m
       usage: |

data/sbx_cli/sbx_create_cursor.yaml

@@ -32,10 +32,6 @@ inherited_options:
       experimental: true
       usage: |
         Kit reference (directory, ZIP, or OCI). Can be specified multiple times
-    - name: mcp
-      default_value: '[]'
-      usage: |
-        MCP server name to enable (use 'all' for all registered servers). Can be specified multiple times
     - name: memory
       shorthand: m
       usage: |

data/sbx_cli/sbx_create_docker-agent.yaml

@@ -32,10 +32,6 @@ inherited_options:
       experimental: true
       usage: |
         Kit reference (directory, ZIP, or OCI). Can be specified multiple times
-    - name: mcp
-      default_value: '[]'
-      usage: |
-        MCP server name to enable (use 'all' for all registered servers). Can be specified multiple times
     - name: memory
       shorthand: m
       usage: |

data/sbx_cli/sbx_create_droid.yaml

@@ -32,10 +32,6 @@ inherited_options:
       experimental: true
       usage: |
         Kit reference (directory, ZIP, or OCI). Can be specified multiple times
-    - name: mcp
-      default_value: '[]'
-      usage: |
-        MCP server name to enable (use 'all' for all registered servers). Can be specified multiple times
     - name: memory
       shorthand: m
       usage: |

data/sbx_cli/sbx_create_gemini.yaml

@@ -32,10 +32,6 @@ inherited_options:
       experimental: true
       usage: |
         Kit reference (directory, ZIP, or OCI). Can be specified multiple times
-    - name: mcp
-      default_value: '[]'
-      usage: |
-        MCP server name to enable (use 'all' for all registered servers). Can be specified multiple times
     - name: memory
       shorthand: m
       usage: |

data/sbx_cli/sbx_create_kiro.yaml

@@ -32,10 +32,6 @@ inherited_options:
       experimental: true
       usage: |
         Kit reference (directory, ZIP, or OCI). Can be specified multiple times
-    - name: mcp
-      default_value: '[]'
-      usage: |
-        MCP server name to enable (use 'all' for all registered servers). Can be specified multiple times
     - name: memory
       shorthand: m
       usage: |

data/sbx_cli/sbx_create_opencode.yaml

@@ -32,10 +32,6 @@ inherited_options:
       experimental: true
       usage: |
         Kit reference (directory, ZIP, or OCI). Can be specified multiple times
-    - name: mcp
-      default_value: '[]'
-      usage: |
-        MCP server name to enable (use 'all' for all registered servers). Can be specified multiple times
     - name: memory
       shorthand: m
       usage: |

data/sbx_cli/sbx_create_shell.yaml

@@ -32,10 +32,6 @@ inherited_options:
       experimental: true
       usage: |
         Kit reference (directory, ZIP, or OCI). Can be specified multiple times
-    - name: mcp
-      default_value: '[]'
-      usage: |
-        MCP server name to enable (use 'all' for all registered servers). Can be specified multiple times
     - name: memory
       shorthand: m
       usage: |

data/sbx_cli/sbx_kit_add.yaml

@@ -33,4 +33,4 @@ example: |4-
       # Add a kit from a git repository
       sbx kit add my-sandbox git+https://github.com/org/kits.git#dir=mcp-postgres
 see_also:
-    - sbx kit - Manage kit artifacts
+    - sbx kit - (Experimental) Manage kit artifacts

data/sbx_cli/sbx_kit_inspect.yaml

@@ -20,4 +20,4 @@ inherited_options:
       default_value: "false"
       usage: Enable debug logging
 see_also:
-    - sbx kit - Manage kit artifacts
+    - sbx kit - (Experimental) Manage kit artifacts

data/sbx_cli/sbx_kit_pack.yaml

@@ -20,4 +20,4 @@ inherited_options:
       default_value: "false"
       usage: Enable debug logging
 see_also:
-    - sbx kit - Manage kit artifacts
+    - sbx kit - (Experimental) Manage kit artifacts

data/sbx_cli/sbx_kit_pull.yaml

@@ -2,11 +2,17 @@ name: sbx kit pull
 synopsis: Pull a kit artifact from an OCI registry
 experimental: true
 description: |-
-    Pull a kit artifact from an OCI registry and save it as a ZIP file.
+    Pull a kit artifact from an OCI registry and save its layer payload to a file.
 
     The reference should be in the format "registry/repo:tag" or
     "registry/repo@sha256:digest" (e.g., "ghcr.io/myorg/my-plugin:1.0").
 
+    The file extension is chosen automatically based on the kit's format:
+      schemaVersion: "1"  → <name>.zip      (legacy ZIP archive)
+      schemaVersion: "2"  → <name>.tar.gz   (standard OCI tar+gzip layer)
+
+    The registry must support HTTPS.
+
     Authentication: sbx registry secrets (sbx secret set --registry) take priority, falling back to the Docker credential store.
 usage: sbx kit pull REFERENCE [flags]
 options:
@@ -16,11 +22,11 @@ options:
       usage: help for pull
     - name: output
       shorthand: o
-      usage: 'Output ZIP file path (default: derived from reference)'
+      usage: 'Output file path (default: derived from reference + format)'
 inherited_options:
     - name: debug
       shorthand: D
       default_value: "false"
       usage: Enable debug logging
 see_also:
-    - sbx kit - Manage kit artifacts
+    - sbx kit - (Experimental) Manage kit artifacts

data/sbx_cli/sbx_kit_push.yaml

@@ -7,6 +7,13 @@ description: |-
     The directory must contain a valid spec.yaml. The reference should be
     in the format "registry/repo:tag" (e.g., "ghcr.io/myorg/my-plugin:1.0").
 
+    The OCI artifact format is selected from the kit's spec.yaml:
+      schemaVersion: "1"  → legacy ZIP-based artifact
+      schemaVersion: "2"  → v2 tar+gzip layer with the spec in the manifest
+                            config blob and standard OCI annotations (so
+                            distribution tooling can read kit metadata
+                            without pulling layers)
+
     Authentication uses the Docker credential store.
 usage: sbx kit push DIRECTORY REFERENCE [flags]
 options:
@@ -20,4 +27,4 @@ inherited_options:
       default_value: "false"
       usage: Enable debug logging
 see_also:
-    - sbx kit - Manage kit artifacts
+    - sbx kit - (Experimental) Manage kit artifacts

data/sbx_cli/sbx_kit_validate.yaml

@@ -17,4 +17,4 @@ inherited_options:
       default_value: "false"
       usage: Enable debug logging
 see_also:
-    - sbx kit - Manage kit artifacts
+    - sbx kit - (Experimental) Manage kit artifacts

data/sbx_cli/sbx_policy_allow_network.yaml

@@ -7,38 +7,36 @@ description: |-
     Supports exact domains (example.com), wildcard subdomains (*.example.com),
     and optional port suffixes (example.com:443). Use "**" to allow all hosts.
 
-    Use -g/--global to apply the rule globally to all sandboxes, or provide
-    SANDBOX before RESOURCES to add the rule to policy "local" scoped to that
-    sandbox.
-usage: sbx policy allow network [-g | SANDBOX] RESOURCES [flags]
+    The rule applies globally to all sandboxes by default. Use --sandbox to add
+    the rule to policy "local" scoped to a single sandbox instead.
+usage: sbx policy allow network [--sandbox SANDBOX] RESOURCES [flags]
 options:
-    - name: global
-      shorthand: g
-      default_value: "false"
-      usage: Apply the rule globally to all sandboxes
     - name: help
       shorthand: h
       default_value: "false"
       usage: help for network
+    - name: sandbox
+      usage: |
+        Scope the rule to a specific sandbox (default: all sandboxes)
 inherited_options:
     - name: debug
       shorthand: D
       default_value: "false"
       usage: Enable debug logging
 example: |4-
-      # Allow access to a single host globally
-      sbx policy allow network -g api.example.com
+      # Allow access to a single host (all sandboxes)
+      sbx policy allow network api.example.com
 
-      # Allow access to multiple hosts globally
-      sbx policy allow network -g "api.example.com,cdn.example.com"
+      # Allow access to multiple hosts
+      sbx policy allow network "api.example.com,cdn.example.com"
 
       # Allow a host only for a specific sandbox
-      sbx policy allow network my-sandbox api.example.com
+      sbx policy allow network --sandbox my-sandbox api.example.com
 
       # Allow all subdomains of a host
-      sbx policy allow network -g "*.npmjs.org"
+      sbx policy allow network "*.npmjs.org"
 
-      # Allow all outbound traffic globally
-      sbx policy allow network -g "**"
+      # Allow all outbound traffic
+      sbx policy allow network "**"
 see_also:
     - sbx policy allow - Add an allow rule for sandboxes

data/sbx_cli/sbx_policy_deny_network.yaml

@@ -6,32 +6,30 @@ description: |-
     RESOURCES is a comma-separated list of hostnames, domains, or IP addresses.
     Deny rules always take precedence over allow rules.
 
-    Use -g/--global to apply the rule globally to all sandboxes, or provide
-    SANDBOX before RESOURCES to add the rule to policy "local" scoped to that
-    sandbox.
-usage: sbx policy deny network [-g | SANDBOX] RESOURCES [flags]
+    The rule applies globally to all sandboxes by default. Use --sandbox to add
+    the rule to policy "local" scoped to a single sandbox instead.
+usage: sbx policy deny network [--sandbox SANDBOX] RESOURCES [flags]
 options:
-    - name: global
-      shorthand: g
-      default_value: "false"
-      usage: Apply the rule globally to all sandboxes
     - name: help
       shorthand: h
       default_value: "false"
       usage: help for network
+    - name: sandbox
+      usage: |
+        Scope the rule to a specific sandbox (default: all sandboxes)
 inherited_options:
     - name: debug
       shorthand: D
       default_value: "false"
       usage: Enable debug logging
 example: |4-
-      # Block access to a host globally
-      sbx policy deny network -g ads.example.com
+      # Block access to a host (all sandboxes)
+      sbx policy deny network ads.example.com
 
       # Block a host only for a specific sandbox
-      sbx policy deny network my-sandbox ads.example.com
+      sbx policy deny network --sandbox my-sandbox ads.example.com
 
-      # Block all outbound traffic globally
-      sbx policy deny network -g "**"
+      # Block all outbound traffic
+      sbx policy deny network "**"
 see_also:
     - sbx policy deny - Add a deny rule for sandboxes

data/sbx_cli/sbx_policy_ls.yaml

@@ -1,11 +1,14 @@
 name: sbx policy ls
 synopsis: List sandbox policy rules
 description: |-
-    List all active policy rules.
+    List active policy rules.
 
     Displays the provenance, scope, rule name (or ID if no name is set), type,
     decision (allow/deny), and the associated resources for each rule.
 
+    When remote governance is active, inactive policy rules are hidden by default.
+    Use --include-inactive to show inactive rules for troubleshooting.
+
     When SANDBOX is specified, only policies that apply to that sandbox are shown
     (global rules plus rules scoped to that sandbox).
 usage: sbx policy ls [SANDBOX] [flags]
@@ -14,6 +17,9 @@ options:
       shorthand: h
       default_value: "false"
       usage: help for ls
+    - name: include-inactive
+      default_value: "false"
+      usage: Show inactive policy rules hidden by remote governance
     - name: type
       default_value: all
       usage: 'Filter policies by type: "all" or "network" (default "all")'
@@ -31,5 +37,8 @@ example: |4-
 
       # List policies that apply to a specific sandbox
       sbx policy ls my-sandbox
+
+      # Include inactive rules hidden by remote governance
+      sbx policy ls --include-inactive
 see_also:
     - sbx policy - Manage sandbox policies

data/sbx_cli/sbx_policy_rm_network.yaml

@@ -3,16 +3,12 @@ synopsis: Remove a network rule
 description: |-
     Remove a network rule by rule ID, resource, or both.
 
-    Use -g/--global to remove from the global policy, or provide SANDBOX to
-    remove from policy "local" scoped to that sandbox.
+    The rule is removed from the global policy by default. Use --sandbox to
+    remove from policy "local" scoped to a single sandbox instead.
 
     Use "sbx policy ls" to see active policies and their IDs/resources.
-usage: sbx policy rm network [-g | SANDBOX] [flags]
+usage: sbx policy rm network [--sandbox SANDBOX] [flags]
 options:
-    - name: global
-      shorthand: g
-      default_value: "false"
-      usage: Remove from the global policy
     - name: help
       shorthand: h
       default_value: "false"
@@ -21,6 +17,9 @@ options:
       usage: Remove by rule ID
     - name: resource
       usage: Remove by resource value(s), comma-separated
+    - name: sandbox
+      usage: |
+        Scope the removal to a specific sandbox (default: global policy)
 inherited_options:
     - name: debug
       shorthand: D
@@ -31,12 +30,12 @@ example: |4-
       sbx policy ls
 
       # Remove a global rule by resource
-      sbx policy rm network -g --resource api.example.com
+      sbx policy rm network --resource api.example.com
 
       # Remove a global rule by ID
-      sbx policy rm network -g --id 2d3c1f0e-4a73-4e05-bc9d-f2f9a4b50d67
+      sbx policy rm network --id 2d3c1f0e-4a73-4e05-bc9d-f2f9a4b50d67
 
       # Remove a sandbox-scoped rule by resource
-      sbx policy rm network my-sandbox --resource api.example.com
+      sbx policy rm network --sandbox my-sandbox --resource api.example.com
 see_also:
     - sbx policy rm - Remove a policy rule

data/sbx_cli/sbx_policy_set-default.yaml

@@ -33,6 +33,6 @@ example: |4-
 
       # Block everything, then allow specific sites
       sbx policy set-default deny-all
-      sbx policy allow network -g api.example.com:443
+      sbx policy allow network api.example.com:443
 see_also:
     - sbx policy - Manage sandbox policies