diff --git a/content/manuals/ai/sandboxes/customize/kits.md b/content/manuals/ai/sandboxes/customize/kits.md
index 8aeb1596d0d3..0e66ef55a47a 100644
--- a/content/manuals/ai/sandboxes/customize/kits.md
+++ b/content/manuals/ai/sandboxes/customize/kits.md
@@ -443,6 +443,42 @@ For Docker Hub, include the full `docker.io` prefix. See
 > Without stored credentials, pulls from non-Docker Hub registries are
 > anonymous and private kits fail to pull.
 
+### Restrict kit sources
+
+`sbx` restricts which sources a kit can install from. A kit's install
+commands run with root privileges inside the sandbox, so limiting where kits
+come from reduces supply-chain risk. By default, only kits hosted on Docker
+Hub (`docker.io/`) are allowed. Loading a kit from any other source fails:
+
+```console
+$ sbx run claude --kit "git+https://github.com/docker/sbx-kits-contrib.git#dir=vale"
+ERROR: resolve kits: kit "git+https://github.com/docker/sbx-kits-contrib.git#dir=vale" cannot be installed — its source is not in your allowlist.
+```
+
+To allow another publisher, add its host or host/path prefix to the
+`kit.allowedSources` setting. The setting replaces the whole list, so include
+the entries you want to keep:
+
+```console
+$ sbx settings set kit.allowedSources '["docker.io/","github.com/docker/"]'
+```
+
+Entries match as prefixes on a path-segment boundary, so `github.com/docker/`
+allows `github.com/docker/sbx-kits-contrib` but not `github.com/docker-evil/kit`.
+To remove the restriction and allow any remote source, set the list to
+`["*"]`. This isn't recommended.
+
+Installing from a local directory or ZIP file is governed separately by the
+`kit.allowLocalKits` setting, which defaults to `true`. Set it to `false` to
+require a remote source:
+
+```console
+$ sbx settings set kit.allowLocalKits false
+```
+
+For non-interactive use, both settings have environment-variable equivalents:
+`DOCKER_SANDBOXES_KIT_ALLOWED_SOURCES` and `DOCKER_SANDBOXES_KIT_ALLOW_LOCAL`.
+
 ## Packaging and distribution
 
 The `sbx kit` subcommands validate, inspect, and publish kits:
diff --git a/content/manuals/ai/sandboxes/security/_index.md b/content/manuals/ai/sandboxes/security/_index.md
index 50919e94faf4..2991f9bcf81a 100644
--- a/content/manuals/ai/sandboxes/security/_index.md
+++ b/content/manuals/ai/sandboxes/security/_index.md
@@ -86,6 +86,11 @@ The default allowed domains include broad wildcards. Some defaults like
 see the full list of active rules, and remove entries you don't need. See
 [Default security posture](defaults/).
 
+Kits run install commands with root privileges inside the sandbox. To limit
+supply-chain risk, `sbx` restricts kit installs to an allowlist of sources
+that defaults to Docker Hub only. See
+[Restrict kit sources](../customize/kits.md#restrict-kit-sources).
+
 ## Organization-wide control
 
 On a single developer's machine, security and policy are configured locally —
diff --git a/content/manuals/ai/sandboxes/troubleshooting.md b/content/manuals/ai/sandboxes/troubleshooting.md
index c3fb70579219..ad50929dafb5 100644
--- a/content/manuals/ai/sandboxes/troubleshooting.md
+++ b/content/manuals/ai/sandboxes/troubleshooting.md
@@ -54,6 +54,27 @@ If `sbx policy allow` doesn't unblock the request, your organization may
 manage sandbox policies centrally and take precedence over local rules. See
 [Organization governance](governance/org.md).
 
+## Kit fails to install: source not in allowlist
+
+If loading a kit fails with a message like its source is not in your
+allowlist:
+
+```console
+$ sbx run claude --kit "git+https://github.com/docker/sbx-kits-contrib.git#dir=vale"
+ERROR: resolve kits: kit "git+https://github.com/docker/sbx-kits-contrib.git#dir=vale" cannot be installed — its source is not in your allowlist.
+```
+
+`sbx` restricts kit installs to an allowlist of sources, which defaults to
+Docker Hub (`docker.io/`) only. Add the kit's publisher to the
+`kit.allowedSources` setting, keeping the entries you want to retain:
+
+```console
+$ sbx settings set kit.allowedSources '["docker.io/","github.com/docker/"]'
+```
+
+Then run the command again. For details, including how to allow local kits or
+any remote source, see [Restrict kit sources](customize/kits.md#restrict-kit-sources).
+
 ## SSH and other non-HTTP connections fail
 
 Non-HTTP TCP connections like SSH can be allowed by adding a policy rule for