chore(cask): update sbx to v0.30.0

[docker-read-write]

Automated update from Docker Sandboxes release workflow.

Version: v0.30.0
SHA256 (darwin-arm64): 998f60a353bfecb7a331ddd43bd6acf9a56f740fc168d6ba99addd0301c6fd90

Changes:

• Updated Casks/sbx.rb (latest)
• Added Casks/sbx@0.30.0.rb (pinned)

Release Notes

Highlights

This release introduces experimental MCP server management with an aggregate gateway, giving sandboxes a unified interface for accessing remote and local MCP servers — opt-in via the SBX_MCP_ENABLE environment variable (#2677). Sandbox profiles and multi-policy support land as the foundation for richer governance configurations (#2904). The CLI gets non-interactive Docker Hub login for scripted workflows (#2913), and sandboxes now have a configurable grace period before auto-stopping when the last session exits (#2849). Plus a wave of fixes covering Linux packaging, macOS worktree compatibility, Windows installer paths, network isolation, and recoverable sandbox state when host directories vanish.

What's New

MCP (experimental, opt-in)

• Add MCP server management and aggregate gateway (#2677). Opt-in via the SBX_MCP_ENABLE environment variable, then register servers with sbx mcp add and pass --mcp <name> (or --mcp all) to sbx create / sbx run. Supports remote endpoints, the community registry (managed or --local), and local stdio commands. Examples:

  # Remote MCP endpoint (OAuth auto-detected)
  sbx mcp add notion --url https://mcp.notion.com/mcp
  
  # Community registry, OCI image runs on host via docker run
  sbx mcp add fetch --local --url https://registry.modelcontextprotocol.io/v0/servers/fetch-mcp/versions/latest
  
  # Local stdio command (development only — no sandboxing, runs as host user)
  sbx mcp add github --command npx --args @modelcontextprotocol/server-github

Governance & Policy

• Introduce sandbox profiles and multi-policy support (#2904)
• Allow sbx policy setup before login (#2903)

Kits & Agents

• Re-run commands.startup on every container start so init hooks are idempotent across restarts (#2842)
• Per-kit memory files for progressive disclosure (#2899)
• Enumerate installed kits in the AI memory file's Kits section (#2906)

CLI & Auth

• Add non-interactive Docker Hub login for scripted workflows (#2913)
• Migrate /reset to /daemon/reset; state-dir wipe is now daemon-side (#2550)
• Print "Git repository detected" once when using --branch (#2923)
• Skip implicit run options when the user provides explicit args (#2880)

Networking & Sandboxd

• Bind both loopback stacks by default when publishing ports (#2830)
• Allow raw TCP to host.docker.internal when localhost is allowed in policy (#2929)
• Add grace period before auto-stopping a sandbox when the last session exits (#2849)

Bug Fixes

• Build sailor's ffi crate instead of ffi-krun for packaged Linux release artifacts (#2979)
• Keep sandboxes recoverable when workspace or worktree is deleted on the host (#2928)
• Add macOS /private path compatibility for worktrees (#2875)
• Probe canonical socket path for sun_path budget — fixes krun_start_enter failed on macOS with long usernames (#2885)
• Namespace gVisor socket dir and auth/secret stores by --app-name so concurrent daemons don't collide (#2896, #2900)
• Sanitize runtime ID when looking up gVisor network (#2949)
• Check database version before starting the daemon; surface an instructive error instead of crashing (#2882)
• Report Docker daemon startup time instead of the pre-start message in DinD (#2854)
• Harden BuildFileCredential to check more than just file existence (#2935)
• Open a sentinel connection in cp and kit add to prevent auto-stop race (#2910)
• Remove redundant ContainerKill before ContainerRemove in sandboxlib (#2909)
• Use a safe Windows start invocation for OpenURL in the TUI (#2915)
• Rename WiX install directory id to INSTALLFOLDER (#2945)

Documentation

• Warn agents about worktree path traps with --branch (#2932)
• Improve consistency and wording in CLI help strings (#2942)