From 6aac799609179f333b75d5ca42e74009ad331c60 Mon Sep 17 00:00:00 2001 From: David Karlsson <35727626+dvdksn@users.noreply.github.com> Date: Tue, 31 Mar 2026 18:25:38 +0200 Subject: [PATCH 1/7] sandboxes: fix broken anchor link in troubleshooting The link to the Monitoring section in policy.md used the wrong anchor (#monitoring-network-activity). The actual heading generates #monitoring. Co-Authored-By: Claude Sonnet 4.6 --- content/manuals/ai/sandboxes/troubleshooting.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/manuals/ai/sandboxes/troubleshooting.md b/content/manuals/ai/sandboxes/troubleshooting.md index 16eef2a8b461..14139406166b 100644 --- a/content/manuals/ai/sandboxes/troubleshooting.md +++ b/content/manuals/ai/sandboxes/troubleshooting.md @@ -56,7 +56,7 @@ If credentials are configured correctly but API calls still fail, check the `transparent` proxy don't get credential injection. This can happen when a client inside the sandbox (such as a process in a Docker container) isn't configured to use the forward proxy. See -[Monitoring network activity](security/policy.md#monitoring-network-activity) +[Monitoring network activity](security/policy.md#monitoring) for details. ## Docker not available inside the sandbox on Windows From 98804a4f357355597817baced19da9759de0cbfc Mon Sep 17 00:00:00 2001 From: David Karlsson <35727626+dvdksn@users.noreply.github.com> Date: Tue, 31 Mar 2026 18:30:54 +0200 Subject: [PATCH 2/7] check-pr: respond to and resolve review comments on merged PRs Step 2 (merged) previously stopped immediately with "no further action needed", skipping all comment handling. Now it checks for unanswered review comments and replies to them. Also adds GraphQL thread-resolution to step 5 so threads get marked resolved after being addressed. Co-Authored-By: Claude Sonnet 4.6 --- .agents/skills/check-pr/SKILL.md | 26 ++++++++++++++++++++++++-- 1 file changed, 24 insertions(+), 2 deletions(-) 
diff --git a/.agents/skills/check-pr/SKILL.md b/.agents/skills/check-pr/SKILL.md index e0c9e5922ac5..bbfc43e696c6 100644 --- a/.agents/skills/check-pr/SKILL.md +++ b/.agents/skills/check-pr/SKILL.md @@ -36,7 +36,9 @@ action. ## 2. If merged -Report the final state. No further action needed. +Report the final state. Then check for any unanswered review comments (both +top-level and inline) and reply to each one explaining what was done or that +the issue was addressed in a follow-up. Skip to step 6 after. ## 3. If closed without merge @@ -75,7 +77,27 @@ another PR, closed by automation. --field in_reply_to= \ --field body="" ``` -- End every comment with a `Generated by [Claude Code](https://claude.com/claude-code)` footer +- End every comment reply with a `Generated by [Claude Code](https://claude.com/claude-code)` footer +- Resolve each thread via GraphQL after replying: + ```bash + # Get thread IDs + gh api graphql -f query=' + query($owner:String!, $repo:String!, $pr:Int!) { + repository(owner:$owner, name:$repo) { + pullRequest(number:$pr) { + reviewThreads(first:50) { + nodes { id isResolved comments(first:1) { nodes { path } } } + } + } + } + }' -f owner=docker -f repo=docs -F pr=$ARGUMENTS \ + --jq '.data.repository.pullRequest.reviewThreads.nodes[] | select(.isResolved == false) | {id, path: .comments.nodes[0].path}' + + # Resolve a thread + gh api graphql -f query=' + mutation($id:ID!) { resolveReviewThread(input:{threadId:$id}) { thread { isResolved } } } + ' -f id= + ``` - Re-request review if changes were requested ## 6. Report From e02c221a0d6331412a77f8da328f409527639a9a Mon Sep 17 00:00:00 2001 
From: David Karlsson <35727626+dvdksn@users.noreply.github.com> Date: Tue, 31 Mar 2026 18:37:36 +0200 Subject: [PATCH 3/7] sandboxes: address bot review feedback from #24590 - troubleshooting: add mkdir -p ./result prerequisite before tar extract - docker-desktop: replace vague "limited features" with direct pointer to sbx CLI - docker-desktop: clarify restart (not source) is what matters for daemon env vars - docker-desktop: promote Windows Docker daemon caveat to NOTE callout - get-started: replace "elevated permissions" with explicit "Run as Administrator" Co-Authored-By: Claude Sonnet 4.6 --- .../manuals/ai/sandboxes/docker-desktop.md | 19 +++++++++++-------- content/manuals/ai/sandboxes/get-started.md | 4 ++-- .../manuals/ai/sandboxes/troubleshooting.md | 1 + 3 files changed, 14 insertions(+), 10 deletions(-) diff --git a/content/manuals/ai/sandboxes/docker-desktop.md b/content/manuals/ai/sandboxes/docker-desktop.md index 4aa0e61823e1..1ee837e83622 100644 --- a/content/manuals/ai/sandboxes/docker-desktop.md +++ b/content/manuals/ai/sandboxes/docker-desktop.md @@ -9,8 +9,8 @@ weight: 80 Docker Desktop includes a built-in sandbox feature for running AI coding agents in isolated microVMs using the `docker sandbox` command. This is a -convenience integration with limited features compared to the standalone -sandbox CLI. +convenience integration. For full functionality, use the standalone `sbx` +CLI instead. > [!NOTE] > The standalone `sbx` CLI provides more features, more flexibility, and doesn't @@ -31,8 +31,9 @@ sandbox CLI. export ANTHROPIC_API_KEY=sk-ant-api03-xxxxx ``` - Source your shell configuration and restart Docker Desktop so the daemon - picks up the variable. + Restart Docker Desktop so the daemon picks up the variable. Optionally, + source your shell configuration if you want the variable in your current + terminal session. 2. Create and run a sandbox: 
@@ -112,10 +113,12 @@ $ docker sandbox run -- --continue Each sandbox is a lightweight microVM with its own kernel, using your system's native virtualization (macOS virtualization.framework, Windows Hyper-V). The default agent templates include a private Docker daemon, so `docker build` and -`docker compose up` run inside the sandbox without affecting your host. On -Windows, the Docker daemon is not included by default. See -[Troubleshooting](troubleshooting.md#docker-not-available-inside-the-sandbox-on-windows) -for a workaround. +`docker compose up` run inside the sandbox without affecting your host. + +> [!NOTE] +> On Windows, the Docker daemon is not included by default. See +> [Troubleshooting](troubleshooting.md#docker-not-available-inside-the-sandbox-on-windows) +> for a workaround. ```plaintext Host system diff --git a/content/manuals/ai/sandboxes/get-started.md b/content/manuals/ai/sandboxes/get-started.md index 4cbc1523fd9f..2e294cc9b0be 100644 --- a/content/manuals/ai/sandboxes/get-started.md +++ b/content/manuals/ai/sandboxes/get-started.md @@ -15,8 +15,8 @@ system. ## Prerequisites - macOS (Apple silicon) or Windows (x86_64, Windows 11 required) -- If you're on Windows, enable Windows Hypervisor Platform (requires - elevated permissions): +- If you're on Windows, enable Windows Hypervisor Platform. Open an elevated + PowerShell prompt (Run as Administrator) and run: ```powershell Enable-WindowsOptionalFeature -Online -FeatureName HypervisorPlatform -All ``` diff --git a/content/manuals/ai/sandboxes/troubleshooting.md b/content/manuals/ai/sandboxes/troubleshooting.md index 14139406166b..df580a78d409 100644 --- a/content/manuals/ai/sandboxes/troubleshooting.md +++ b/content/manuals/ai/sandboxes/troubleshooting.md @@ -83,6 +83,7 @@ an unprivileged user without `CAP_CHOWN`, so the operation is denied. Use the tar exporter and extract the archive instead: ```console +$ mkdir -p ./result $ docker build --output type=tar,dest=- . | tar xf - -C ./result ``` 
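Review bot: In PATCH 3/7, docker-desktop.md first hunk, the new sentence "For full functionality, use the standalone `sbx` CLI instead." sits directly above the existing NOTE callout that says the same thing ("The standalone `sbx` CLI provides more features, more flexibility, ..."). Keep one of the two, preferably the callout, and let the intro sentence stop at "This is a convenience integration."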
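Review bot: In PATCH 3/7, docker-desktop.md second hunk, the "Restart Docker Desktop ... Optionally, source your shell configuration ..." wording is deleted again in PATCH 6/7 and the original two-line sentence is restored verbatim in PATCH 7/7, so these three hunks cancel out to a no-op. Drop all three (or squash the series) so the reviewer does not have to read the churn and the history does not record a rationale that is then silently abandoned.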
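Review bot: In PATCH 3/7, get-started.md hunk, "Open an elevated PowerShell prompt (Run as Administrator) and run:" is a clear improvement, but `Enable-WindowsOptionalFeature -Online -FeatureName HypervisorPlatform -All` reports RestartNeeded and the feature is not active until the machine reboots; add "and restart Windows when prompted" to the step, otherwise a reader who skips the reboot hits a confusing failure later at `sbx run`.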
From 2771ab5ef31f41ab491136996cdbebfa16cbca5c Mon Sep 17 00:00:00 2001 From: David Karlsson <35727626+dvdksn@users.noreply.github.com> Date: Tue, 31 Mar 2026 18:47:55 +0200 Subject: [PATCH 4/7] sandboxes: remove incorrect Windows Docker limitation from docker-desktop page MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The docker sandbox (legacy) command doesn't have the Docker-not-included limitation on Windows — that only applies to the sbx CLI. Remove the incorrect NOTE callout. Co-Authored-By: Claude Sonnet 4.6 --- content/manuals/ai/sandboxes/docker-desktop.md | 5 ----- 1 file changed, 5 deletions(-) diff --git a/content/manuals/ai/sandboxes/docker-desktop.md b/content/manuals/ai/sandboxes/docker-desktop.md index 1ee837e83622..b1f7f6719acc 100644 --- a/content/manuals/ai/sandboxes/docker-desktop.md +++ b/content/manuals/ai/sandboxes/docker-desktop.md @@ -115,11 +115,6 @@ native virtualization (macOS virtualization.framework, Windows Hyper-V). The default agent templates include a private Docker daemon, so `docker build` and `docker compose up` run inside the sandbox without affecting your host. -> [!NOTE] -> On Windows, the Docker daemon is not included by default. See -> [Troubleshooting](troubleshooting.md#docker-not-available-inside-the-sandbox-on-windows) -> for a workaround. - ```plaintext Host system ├── Your containers and images From 6cda8426571fc0ab5b9a57f8a583ca651cd05ff1 Mon Sep 17 00:00:00 2001 
From: David Karlsson <35727626+dvdksn@users.noreply.github.com> Date: Tue, 31 Mar 2026 18:50:24 +0200 Subject: [PATCH 5/7] sandboxes: clarify -docker variant runs inside microVM, not on host MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Make clear no local Docker daemon is needed - Disambiguate "They" — replace with "These variants" - Note that privileged mode applies inside the microVM boundary, not the host Co-Authored-By: Claude Sonnet 4.6 --- .../manuals/ai/sandboxes/agents/custom-environments.md | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/content/manuals/ai/sandboxes/agents/custom-environments.md b/content/manuals/ai/sandboxes/agents/custom-environments.md index 4bfac553da5e..8db7fd921d84 100644 --- a/content/manuals/ai/sandboxes/agents/custom-environments.md +++ b/content/manuals/ai/sandboxes/agents/custom-environments.md @@ -86,9 +86,11 @@ CLI, and common development tools like Node.js, Python, Go, and Java. Each variant also has a `-docker` version (for example, `claude-code-docker`) that includes a full Docker Engine running inside the -sandbox. The `-docker` variants are the defaults used by `sbx run` on macOS -and Linux. They run in privileged mode with a dedicated block volume at -`/var/lib/docker`, and `dockerd` starts automatically. +sandbox — no local Docker daemon required. The `-docker` variants are the +defaults used by `sbx run` on macOS and Linux. These variants run in +privileged mode inside the microVM (not on your host), with a dedicated block +volume at `/var/lib/docker`, and `dockerd` starts automatically inside the +sandbox. The block volume defaults to 50 GB and uses a sparse file, so it only consumes disk space as Docker writes to it. On Windows, the volume is not From c2573714de3e8c704803e99ab84b9ede1836722c Mon Sep 17 00:00:00 2001 
From: David Karlsson <35727626+dvdksn@users.noreply.github.com> Date: Tue, 31 Mar 2026 18:55:20 +0200 Subject: [PATCH 6/7] sandboxes: drop unnecessary shell sourcing instruction in docker-desktop Restarting Docker Desktop is what causes the daemon to pick up the new env var. Opening a new terminal already gives the user the variable. Sourcing explicitly adds nothing. Co-Authored-By: Claude Sonnet 4.6 --- content/manuals/ai/sandboxes/docker-desktop.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/content/manuals/ai/sandboxes/docker-desktop.md b/content/manuals/ai/sandboxes/docker-desktop.md index b1f7f6719acc..b9dc0d841b14 100644 --- a/content/manuals/ai/sandboxes/docker-desktop.md +++ b/content/manuals/ai/sandboxes/docker-desktop.md @@ -31,9 +31,7 @@ CLI instead. export ANTHROPIC_API_KEY=sk-ant-api03-xxxxx ``` - Restart Docker Desktop so the daemon picks up the variable. Optionally, - source your shell configuration if you want the variable in your current - terminal session. + Restart Docker Desktop so the daemon picks up the variable. 2. Create and run a sandbox: From 363863b59f07e1c1c92e97db2894a4114717b425 Mon Sep 17 00:00:00 2001 From: David Karlsson <35727626+dvdksn@users.noreply.github.com> Date: Tue, 31 Mar 2026 18:56:54 +0200 Subject: [PATCH 7/7] sandboxes: restore original shell sourcing instruction in docker-desktop Reverts the unnecessary change to the sourcing step. Co-Authored-By: Claude Sonnet 4.6 --- content/manuals/ai/sandboxes/docker-desktop.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/content/manuals/ai/sandboxes/docker-desktop.md b/content/manuals/ai/sandboxes/docker-desktop.md index b9dc0d841b14..2ea01f93fce2 100644 --- a/content/manuals/ai/sandboxes/docker-desktop.md +++ b/content/manuals/ai/sandboxes/docker-desktop.md 
@@ -31,7 +31,8 @@ CLI instead. export ANTHROPIC_API_KEY=sk-ant-api03-xxxxx ``` - Restart Docker Desktop so the daemon picks up the variable. + Source your shell configuration and restart Docker Desktop so the daemon + picks up the variable. 2. Create and run a sandbox:
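Review bot: In PATCH 1/7, the anchor change to `security/policy.md#monitoring` matches the commit message, but the link text still reads "Monitoring network activity" while the heading that produces `#monitoring` is evidently just "Monitoring"; aligning the link text with the heading makes the next anchor drift easier to spot.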
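Review bot: In PATCH 2/7, first hunk (step 2), the new text tells the agent to reply to every unanswered review comment on a merged PR and then "Skip to step 6 after", but the reply conventions live in step 5 (the `gh api` reply command, the `Generated by [Claude Code](...)` footer and the new thread resolution), so on a merged PR they would be bypassed. Either point step 2 at the step 5 commands or state explicitly that merged PRs get plain replies and no thread resolution.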
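Review bot: In PATCH 2/7, second hunk, `reviewThreads(first:50)` is not paginated, so a PR with more than 50 review threads silently drops the remainder and those threads are never listed or resolved; request `pageInfo { hasNextPage endCursor }` and loop, or document the limit next to the query. Separately, `resolveReviewThread` right after the bot's own reply makes the bot the judge of whether the reviewer's concern was met; consider restricting it to threads whose requested change the bot actually made (the `path` from `.comments.nodes[0].path` is already available to match against the files it touched) and leaving `isResolved` to a human otherwise.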
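Review bot: PATCH 3/7 (docker-desktop.md third hunk) promotes the Windows Docker caveat to a `> [!NOTE]` callout and PATCH 4/7 deletes that same callout as incorrect; squash the two so the series never introduces the wrong note. Since docker-desktop.md no longer links to `troubleshooting.md#docker-not-available-inside-the-sandbox-on-windows`, also check that the troubleshooting section itself says it applies to the `sbx` CLI and not to `docker sandbox`, because that page is shared by both.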
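Review bot: In PATCH 5/7, the rewritten paragraph now says "running inside the sandbox", "inside the microVM (not on your host)" and "inside the sandbox" within two sentences; one of the three carries the point. Since the reassurance "(not on your host)" is the purpose of the change, it would help to add one sentence on what privileged mode does still reach: anything the sandbox is given, such as the credentials the proxy injects (see the troubleshooting.md context in PATCH 1/7), so readers do not read "not on your host" as "no host impact".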
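Review bot: PATCH 6/7 removes the sourcing instruction with the rationale "Sourcing explicitly adds nothing", and PATCH 7/7 restores the original wording with only "Reverts the unnecessary change", leaving the history with two contradicting justifications and no net diff. Drop both patches (together with the matching hunk in PATCH 3/7) so the series ends at the intended state and the commit log does not record an argument it then reverses without explanation.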