Documentation Index
Fetch the complete documentation index at: https://superradcompanyinc-mintlify-changelog-1777648095.mintlify.app/llms.txt
Use this file to discover all available pages before exploring further.
New features
Redesigned TypeScript SDK with builder APIThe TypeScript SDK has been rewritten to match the ergonomics of the Rust SDK. Configure sandboxes with fluent builders likeSandbox.builder(name).image(...).cpus(...).create(), use await using for automatic cleanup, and benefit from typed errors and async iterables. Native binaries are now bundled per-platform, so installs no longer need a postinstall download step. See the TypeScript SDK reference.Redesigned network policy with per-rule directionThe network policy schema has been overhauled. Each rule now carries its own direction (egress or ingress), action, target, protocol, and ports through a unified grammar. The CLI replaces --network-policy with four new flags:--net-rule <TOKEN>[,<TOKEN>...](repeatable)--net-default-egress allow|deny--net-default-ingress allow|deny--no-net(sugar for deny-all)
any, group keywords (public, private, loopback, link-local, meta, multicast, host), bare IPs, CIDRs, domains, plus domain= and suffix= escape hatches. Domain rules are now enforced consistently across DNS, SNI, and policy layers. See the networking overview.Disk-image volume mountsAttach host disk images (qcow2, raw, or vmdk) directly to sandboxes as virtio-blk devices at any guest path. Format auto-detects from the file extension and readonly is now a consistent property across every volume type. See Sandbox volumes.Inline --script flagRegister sandbox scripts directly on the command line with --script NAME=BODY, no host file required. The previous file-based form is now --script-path NAME:PATH. See the CLI reference.msb alias for the CLIInstalling microsandbox via npm, pip, or cargo now puts both microsandbox and msb on your PATH, so you can use the shorter alias interchangeably.host.microsandbox.internal aliasSandboxes can now reach the host machine through the well-known DNS name host.microsandbox.internal, mirroring the Docker convention.Trust host CAs inside sandboxes (opt-in)Sandboxes can now opt in to trusting the host’s CA bundle, making it easier to talk to internal TLS endpoints from inside a sandbox. See Networking TLS.DNS interception over TCP and DoTThe in-sandbox DNS resolver now intercepts queries over TCP/53 and DNS-over-TLS on 853, in addition to UDP/53. This closes gaps where applications would bypass policy by switching transports. See Networking DNS.Custom TLS certs and insecure registries for imagesmsb can now pull images from registries that use custom CAs or that you want to mark as insecure. Useful for self-hosted registries. See the images overview.Per-sandbox libkrunfw overrideSDK callers can now point an individual sandbox at a specific libkrunfw shared library instead of relying on the global resolver, useful when developing against unreleased firmware builds.Installer rejects unsupported glibcThe installer now detects unsupported glibc versions up-front and fails with a clear message, instead of producing confusing runtime errors later.Bug fixes
Domain and domain-suffix rule enforcementDomain andsuffix= rules now match consistently at the DNS, SNI, and policy layers, fixing edge cases where some traffic could slip through.TypeScript SDK secret injectionThe Node/TypeScript SDK now supports the same secret injection options as the Rust SDK.DNS nameserver discovery on macOSOn macOS, microsandbox now reads the system nameservers via SCDynamicStore, matching what the OS actually uses and avoiding stale configurations.libkrunfw packaging in npmThe npm platform package now ships libkrunfw under its canonical name, fixing load failures on some Linux distributions.