New features
Guest runtime metrics
msb-metrics and the per-sandbox metrics surface now report CPU, memory, disk, and network samples from the VMM instead of host process totals, so readings reflect what the guest actually used. Stopped sandboxes are excluded from exports, and the new fields flow through the CLI, the Rust, TypeScript, Python, and Go SDKs, and the MCP tool. See the msb-metrics overview.
Idempotent named volume mounts
Named volumes can now be mounted in one step: the CLI creates the backing volume if it does not exist, so a fresh sandbox can persist state without a separate msb volume create. The Rust, TypeScript, Python, and Go SDKs gain explicit existing-only, create-only, and ensure-exists modes on named mounts.
stop and kill now wait for the sandbox to reach the requested state across the Rust, TypeScript, Python, and Go SDKs. Timeout-aware variants and a new wait_until_stopped / waitUntilStopped / WaitUntilStopped helper let you observe sandbox-domain stopped state. Request-only behavior is still available through explicit methods for fire-and-return callers. Scoped filesystem and SSH helpers are renamed to operation groups (SandboxFsOps, SandboxSshOps, and language-idiomatic variants), and SSH helper methods are now open_client, prepare_server, and serve_connection. This is a breaking SDK source change; the CLI is unaffected.
--mount-dir, --mount-file, --mount-disk, and --mount-named flags on msb run and msb create let you choose the mount kind directly instead of relying on -v source inference. Each flag uses the existing SOURCE:DEST[:OPTIONS] syntax with kind-specific option validation, and explicit directory and file sources are checked against the host path kind so typos fail early.
- Raw agentd socket path. AgentClient::socket_path(name) in Rust, AgentClient.socketPath(name) in TypeScript, AgentClient.socket_path(name) in Python, and microsandbox.AgentSocketPath(name) in Go return a sandbox’s agentd relay socket path without connecting, so callers that splice raw bytes to the socket no longer have to open the framed client first. The C FFI gains msb_agent_socket_path. See the Python agent client reference.
- Richer secret violation logs. block-and-log and block-and-terminate actions now emit structured warnings and errors with the secret env var, placeholder, request context, match location, protocol, SNI, host, method, redacted path, and original guest destination. Body-continuation chunks on long-lived TLS connections carry the same context. block continues to be silent. See the TLS networking guide.
- Cleaner installer. The CLI installer no longer edits shell startup files. It places runtime files under $HOME/.microsandbox (or $MSB_HOME), exposes msb and microsandbox through ~/.local/bin symlinks, prints a PATH hint only when ~/.local/bin is missing, and refreshes those links from msb self update. Existing non-symlink command paths are left alone instead of being overwritten. See the quickstart.
- Global log level for sandbox runs. Global log flags now flow into the sandbox runtime when msb run or msb create does not pass --log-level, so msb -v run ... actually raises sandbox verbosity instead of being ignored.
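The link layout described under "Cleaner installer" can be audited from the shell, which is useful because a command link in ~/.local/bin that resolves outside the runtime home is a PATH-hijack signal. This is an added example, not code from the microsandbox project: the function names are hypothetical, and it assumes managed links resolve to somewhere under $MSB_HOME or $HOME/.microsandbox.

```bash
#!/usr/bin/env bash
# Added example (not project code): audit the command links the installer manages.
# Assumption: link targets resolve to somewhere under the runtime home; the page
# does not give the layout below that directory, so only the prefix is checked.

# Print the physical path of an existing file, following every symlink hop.
resolve_path() {
  local target="$1" dir
  while [ -L "$target" ]; do
    dir=$(cd -P "$(dirname "$target")" && pwd) || return 1
    target=$(readlink "$target")
    case $target in /*) ;; *) target="$dir/$target" ;; esac
  done
  dir=$(cd -P "$(dirname "$target")" && pwd) || return 1
  printf '%s/%s\n' "$dir" "$(basename "$target")"
}

# classify_link BIN_DIR NAME RUNTIME_HOME
# Prints: missing | not-a-symlink | dangling | managed | foreign-symlink
classify_link() {
  local path="$1/$2" home resolved
  if [ ! -L "$path" ]; then
    if [ -e "$path" ]; then echo not-a-symlink; else echo missing; fi
    return 0
  fi
  [ -e "$path" ] || { echo dangling; return 0; }
  home=$(cd -P "$3" 2>/dev/null && pwd) || { echo foreign-symlink; return 0; }
  resolved=$(resolve_path "$path") || { echo dangling; return 0; }
  case $resolved in
    "$home"/*) echo managed ;;
    *) echo foreign-symlink ;;
  esac
}

# Report both command names; defaults follow the paths named in the release note.
audit_msb_links() {
  local bin_dir="${1:-$HOME/.local/bin}" home="${2:-${MSB_HOME:-$HOME/.microsandbox}}" name
  for name in msb microsandbox; do
    printf '%s\t%s\n' "$name" "$(classify_link "$bin_dir" "$name" "$home")"
  done
}

audit_msb_links "$@"
```

A not-a-symlink result matches the installer's stated behaviour of leaving existing command paths alone; foreign-symlink and dangling are the results worth investigating.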
Bug fixes
- Published-port responses no longer stall behind a slow host-side client; the relay now wakes the poll loop as soon as host-channel capacity frees up.
- Long-running execs that take no host input, like builds, sleep, or batch commands, are no longer reclaimed by the idle-timeout monitor while still running. Heartbeat-based idle detection now tracks exec sessions, filesystem and TCP byte movement, and agentd heartbeats independently of serial or stream backpressure.
- Stopped sandboxes no longer appear in metrics exports with a frozen value after a SIGKILL; the collector now skips slots whose updates have stopped instead of replaying the last sample indefinitely.