npm - @boxes-dev/dvb - Versions diffs - 1.0.63 → 1.0.65 - Mend

@boxes-dev/dvb 1.0.63 → 1.0.65

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (23) hide show

package/dist/bin/dvb.cjs CHANGED Viewed

@@ -1,6 +1,6 @@
 #!/usr/bin/env node
 "use strict";
-!function(){try{var e="undefined"!=typeof window?window:"undefined"!=typeof global?global:"undefined"!=typeof globalThis?globalThis:"undefined"!=typeof self?self:{},n=(new e.Error).stack;n&&(e._sentryDebugIds=e._sentryDebugIds||{},e._sentryDebugIds[n]="4e18cf4e-c377-5d7b-a7bf-2022f0e42fc7")}catch(e){}}();
+!function(){try{var e="undefined"!=typeof window?window:"undefined"!=typeof global?global:"undefined"!=typeof globalThis?globalThis:"undefined"!=typeof self?self:{},n=(new e.Error).stack;n&&(e._sentryDebugIds=e._sentryDebugIds||{},e._sentryDebugIds[n]="c3ed3072-4c93-5461-97f3-5f404303f107")}catch(e){}}();
 var __create = Object.create;
 var __defProp = Object.defineProperty;
@@ -88683,8 +88683,8 @@ var init_otel = __esm({
       return trimmed && trimmed.length > 0 ? trimmed : void 0;
     };
     readBuildMetadata = () => {
-      const rawPackageVersion = "1.0.63";
-      const rawGitSha = "8154e02788e4a85dd7d1111dde9daad78a290b63";
+      const rawPackageVersion = "1.0.65";
+      const rawGitSha = "38e55fd1bc87f0994f09522d4e932ccef8b98c10";
       const packageVersion = typeof rawPackageVersion === "string" ? rawPackageVersion : void 0;
       const gitSha = typeof rawGitSha === "string" ? rawGitSha : void 0;
       return { packageVersion, gitSha };
@@ -120672,9 +120672,9 @@ var init_sentry = __esm({
     sentryEnabled = false;
     uncaughtExceptionMonitorInstalled = false;
     readBuildMetadata2 = () => {
-      const rawPackageVersion = "1.0.63";
-      const rawGitSha = "8154e02788e4a85dd7d1111dde9daad78a290b63";
-      const rawSentryRelease = "boxes-dev-dvb@1.0.63+8154e02788e4a85dd7d1111dde9daad78a290b63";
+      const rawPackageVersion = "1.0.65";
+      const rawGitSha = "38e55fd1bc87f0994f09522d4e932ccef8b98c10";
+      const rawSentryRelease = "boxes-dev-dvb@1.0.65+38e55fd1bc87f0994f09522d4e932ccef8b98c10";
       const packageVersion = typeof rawPackageVersion === "string" ? rawPackageVersion : void 0;
       const gitSha = typeof rawGitSha === "string" ? rawGitSha : void 0;
       const sentryRelease = typeof rawSentryRelease === "string" ? rawSentryRelease : void 0;
@@ -130499,7 +130499,7 @@ var init_simple_client_node = __esm({
         var http6 = __require("http");
         var net5 = __require("net");
         var tls2 = __require("tls");
-        var { randomBytes, createHash: createHash4 } = __require("crypto");
+        var { randomBytes, createHash: createHash5 } = __require("crypto");
         var { Duplex, Readable: Readable2 } = __require("stream");
         var { URL: URL2 } = __require("url");
         var PerMessageDeflate = require_permessage_deflate();
@@ -131156,7 +131156,7 @@ var init_simple_client_node = __esm({
               abortHandshake(websocket, socket, "Invalid Upgrade header");
               return;
             }
-            const digest = createHash4("sha1").update(key + GUID).digest("base64");
+            const digest = createHash5("sha1").update(key + GUID).digest("base64");
             if (res.headers["sec-websocket-accept"] !== digest) {
               abortHandshake(websocket, socket, "Invalid Sec-WebSocket-Accept header");
               return;
@@ -131421,7 +131421,7 @@ var init_simple_client_node = __esm({
         var EventEmitter = __require("events");
         var http6 = __require("http");
         var { Duplex } = __require("stream");
-        var { createHash: createHash4 } = __require("crypto");
+        var { createHash: createHash5 } = __require("crypto");
         var extension = require_extension();
         var PerMessageDeflate = require_permessage_deflate();
         var subprotocol = require_subprotocol();
@@ -131716,7 +131716,7 @@ var init_simple_client_node = __esm({
               );
             }
             if (this._state > RUNNING) return abortHandshake(socket, 503);
-            const digest = createHash4("sha1").update(key + GUID).digest("base64");
+            const digest = createHash5("sha1").update(key + GUID).digest("base64");
             const headers = [
               "HTTP/1.1 101 Switching Protocols",
               "Upgrade: websocket",
@@ -198554,16 +198554,18 @@ var init_modalRuntime = __esm({
 });
 // src/devbox/commands/provider/modalLifecycle.ts
-var DEFAULT_APP_NAME, DEFAULT_MODAL_DEVBOX_IMAGE, DEFAULT_TIMEOUT_MS, SANDBOX_LIST_PAGE_LIMIT, MODAL_DAEMON_WRAPPER_PATH, MODAL_DAEMON_SUPERVISOR_ENTRYPOINT, FINISHED_STATUS_LABELS, trimEnv2, decodeJwtExpMs, createSafeModalAuthTokenManager, installSafeModalAuthTokenManager, parsePositiveInt, resolveRegions, resolveAppName, resolveModalSandboxTimeoutMs, isNotFoundError, isModalAlreadyExistsError, trimToNull, resolveControlPlaneToken, hasContextModalCredentialPair, shouldUseControlPlaneFallback, withModalClient, resolveModalApp, listSandboxesRaw, formatSandboxStatus, isRunningSandbox, resolveImageFromTag, provisionModalSandbox, findModalSandbox, terminateModalSandboxesByAlias;
+var import_node_crypto9, DEFAULT_APP_NAME, DEFAULT_MODAL_DEVBOX_IMAGE, DEFAULT_TIMEOUT_MS, IMAGE_TAG_RESOLUTION_CACHE_TTL_MS, SANDBOX_LIST_PAGE_LIMIT, MODAL_DAEMON_WRAPPER_PATH, MODAL_DAEMON_SUPERVISOR_ENTRYPOINT, FINISHED_STATUS_LABELS, REGISTRY_MANIFEST_ACCEPT_HEADER, resolvedImageTagCache, trimEnv2, parseRegistryImageTag, parseWwwAuthenticateBearer, fetchRegistryToken, resolveLatestImageTagToDigest, resolveImageTagForBuild, decodeJwtExpMs, createSafeModalAuthTokenManager, installSafeModalAuthTokenManager, parsePositiveInt, resolveRegions, resolveAppName, resolveModalSandboxTimeoutMs, isNotFoundError, isModalAlreadyExistsError, trimToNull, resolveControlPlaneToken, hasContextModalCredentialPair, shouldUseControlPlaneFallback, withModalClient, resolveModalApp, listSandboxesRaw, formatSandboxStatus, isRunningSandbox, resolveImageFromTag, provisionModalSandbox, findModalSandbox, terminateModalSandboxesByAlias;
 var init_modalLifecycle = __esm({
   "src/devbox/commands/provider/modalLifecycle.ts"() {
     "use strict";
     init_src();
+    import_node_crypto9 = require("node:crypto");
     init_dist5();
     init_controlPlane();
     DEFAULT_APP_NAME = "sandbox-modal-smoke";
     DEFAULT_MODAL_DEVBOX_IMAGE = "public.ecr.aws/d8m4p4w9/modal-devbox:latest";
     DEFAULT_TIMEOUT_MS = 24 * 60 * 60 * 1e3;
+    IMAGE_TAG_RESOLUTION_CACHE_TTL_MS = 5 * 60 * 1e3;
     SANDBOX_LIST_PAGE_LIMIT = 100;
     MODAL_DAEMON_WRAPPER_PATH = "/home/sprite/.devbox/daemon/run-daemon.sh";
     MODAL_DAEMON_SUPERVISOR_ENTRYPOINT = [
@@ -198590,7 +198592,178 @@ var init_modalLifecycle = __esm({
       6: "internal_failure",
       7: "idle_timeout"
     };
+    REGISTRY_MANIFEST_ACCEPT_HEADER = [
+      "application/vnd.oci.image.index.v1+json",
+      "application/vnd.oci.image.manifest.v1+json",
+      "application/vnd.docker.distribution.manifest.list.v2+json",
+      "application/vnd.docker.distribution.manifest.v2+json"
+    ].join(", ");
+    resolvedImageTagCache = /* @__PURE__ */ new Map();
     trimEnv2 = (value) => value?.trim() ?? "";
+    parseRegistryImageTag = (imageTag) => {
+      const trimmed = imageTag.trim();
+      if (!trimmed || trimmed.includes("@")) {
+        return null;
+      }
+      const lastSlashIndex = trimmed.lastIndexOf("/");
+      const lastColonIndex = trimmed.lastIndexOf(":");
+      if (lastColonIndex <= lastSlashIndex) {
+        return null;
+      }
+      const repositoryWithHost = trimmed.slice(0, lastColonIndex);
+      const tag = trimmed.slice(lastColonIndex + 1).trim();
+      if (!repositoryWithHost || !tag) {
+        return null;
+      }
+      const firstSlashIndex = repositoryWithHost.indexOf("/");
+      if (firstSlashIndex <= 0) {
+        return null;
+      }
+      const registryHost = repositoryWithHost.slice(0, firstSlashIndex);
+      const repository = repositoryWithHost.slice(firstSlashIndex + 1);
+      if (!repository) {
+        return null;
+      }
+      const hasExplicitRegistryHost = registryHost.includes(".") || registryHost.includes(":") || registryHost === "localhost";
+      if (!hasExplicitRegistryHost) {
+        return null;
+      }
+      return {
+        registryHost,
+        repository,
+        tag,
+        repositoryWithHost
+      };
+    };
+    parseWwwAuthenticateBearer = (headerValue) => {
+      const trimmed = headerValue.trim();
+      if (!trimmed.toLowerCase().startsWith("bearer ")) {
+        return null;
+      }
+      const attributes = /* @__PURE__ */ new Map();
+      for (const match2 of trimmed.slice("bearer ".length).matchAll(/([A-Za-z0-9_-]+)="([^"]*)"/g)) {
+        const [, key, value] = match2;
+        if (!key) {
+          continue;
+        }
+        attributes.set(key.toLowerCase(), value ?? "");
+      }
+      const realm = attributes.get("realm");
+      const service = attributes.get("service");
+      const scope = attributes.get("scope");
+      if (!realm || !service) {
+        return null;
+      }
+      return {
+        realm,
+        service,
+        scope: scope || null
+      };
+    };
+    fetchRegistryToken = async ({
+      realm,
+      service,
+      scope
+    }) => {
+      const tokenUrl = new URL(realm);
+      tokenUrl.searchParams.set("service", service);
+      if (scope) {
+        tokenUrl.searchParams.set("scope", scope);
+      }
+      const response = await fetch(tokenUrl.toString());
+      if (!response.ok) {
+        throw new Error(
+          `Container registry auth token request failed (${response.status}).`
+        );
+      }
+      const payload = await response.json();
+      const token = typeof payload.token === "string" ? payload.token.trim() : typeof payload.access_token === "string" ? payload.access_token.trim() : "";
+      if (!token) {
+        throw new Error("Container registry auth token response was empty.");
+      }
+      return token;
+    };
+    resolveLatestImageTagToDigest = async (parsed) => {
+      const manifestUrl = `https://${parsed.registryHost}/v2/${parsed.repository}/manifests/${encodeURIComponent(parsed.tag)}`;
+      const fetchManifest = async ({
+        method,
+        token: token2
+      }) => {
+        const headers = {
+          Accept: REGISTRY_MANIFEST_ACCEPT_HEADER
+        };
+        if (token2) {
+          headers.Authorization = `Bearer ${token2}`;
+        }
+        return await fetch(manifestUrl, {
+          headers,
+          method
+        });
+      };
+      let token = null;
+      let headResponse = await fetchManifest({ method: "HEAD" });
+      if (headResponse.status === 401) {
+        const authHeader = headResponse.headers.get("www-authenticate") ?? "";
+        const challenge = parseWwwAuthenticateBearer(authHeader);
+        if (!challenge) {
+          throw new Error(
+            `Container registry auth challenge missing or invalid for ${parsed.repositoryWithHost}:${parsed.tag}.`
+          );
+        }
+        token = await fetchRegistryToken(challenge);
+        headResponse = await fetchManifest({
+          method: "HEAD",
+          token
+        });
+      }
+      if (!headResponse.ok) {
+        throw new Error(
+          `Container registry manifest lookup failed for ${parsed.repositoryWithHost}:${parsed.tag} (${headResponse.status}).`
+        );
+      }
+      const headDigest = headResponse.headers.get("docker-content-digest")?.trim();
+      if (headDigest) {
+        return `${parsed.repositoryWithHost}@${headDigest}`;
+      }
+      const getResponse = await fetchManifest(
+        token ? {
+          method: "GET",
+          token
+        } : {
+          method: "GET"
+        }
+      );
+      if (!getResponse.ok) {
+        throw new Error(
+          `Container registry manifest body lookup failed for ${parsed.repositoryWithHost}:${parsed.tag} (${getResponse.status}).`
+        );
+      }
+      const headerDigest = getResponse.headers.get("docker-content-digest")?.trim();
+      if (headerDigest) {
+        return `${parsed.repositoryWithHost}@${headerDigest}`;
+      }
+      const manifestBytes = Buffer.from(await getResponse.arrayBuffer());
+      const bodyDigest = `sha256:${(0, import_node_crypto9.createHash)("sha256").update(manifestBytes).digest("hex")}`;
+      return `${parsed.repositoryWithHost}@${bodyDigest}`;
+    };
+    resolveImageTagForBuild = async (imageTag) => {
+      const parsed = parseRegistryImageTag(imageTag);
+      if (!parsed || parsed.tag !== "latest") {
+        return imageTag;
+      }
+      const cacheKey = `${parsed.repositoryWithHost}:${parsed.tag}`;
+      const now = Date.now();
+      const cached = resolvedImageTagCache.get(cacheKey);
+      if (cached && cached.expiresAt > now) {
+        return cached.value;
+      }
+      const resolved = await resolveLatestImageTagToDigest(parsed);
+      resolvedImageTagCache.set(cacheKey, {
+        value: resolved,
+        expiresAt: now + IMAGE_TAG_RESOLUTION_CACHE_TTL_MS
+      });
+      return resolved;
+    };
     decodeJwtExpMs = (token) => {
       const segments = token.split(".");
       if (segments.length < 2) return null;
@@ -198781,6 +198954,7 @@ var init_modalLifecycle = __esm({
       const appName = resolveAppName();
       const envImageTag = trimEnv2(process.env.MODAL_SANDBOX_IMAGE);
       const imageTag = envImageTag || DEFAULT_MODAL_DEVBOX_IMAGE;
+      const resolvedImageTag = await resolveImageTagForBuild(imageTag);
       const timeoutMs = resolveModalSandboxTimeoutMs();
       const timeoutSecs = Math.max(1, Math.floor(timeoutMs / 1e3));
       const regions = resolveRegions();
@@ -198793,7 +198967,7 @@ var init_modalLifecycle = __esm({
           const image = await resolveImageFromTag(modal, tag);
           return await image.build({ appId: app.appId });
         };
-        const builtImage = await buildImage(imageTag);
+        const builtImage = await buildImage(resolvedImageTag);
         const createResponse = await modal.cpClient.sandboxCreate({
           appId: app.appId,
           definition: {
@@ -198809,7 +198983,7 @@ var init_modalLifecycle = __esm({
           sandboxId: createResponse.sandboxId,
           appId: app.appId,
           appName,
-          imageTag,
+          imageTag: resolvedImageTag,
           timeoutMs,
           memorySnapshotEnabled: false,
           regions
@@ -199597,12 +199771,12 @@ var init_sessionUtils = __esm({
 });
 // src/devbox/commands/connect.ts
-var import_node_child_process4, import_node_crypto9, import_node_os9, import_node_path16, import_node_readline3, import_promises13, resolveInitialSessionId, shouldAttachToExistingSession, resolveSessionSpecifierFromExplicitTarget, isAttachReplacedCloseCode, shouldCancelConnectOnSigint, DEFAULT_TTY_COLS, DEFAULT_TTY_ROWS, TERMINAL_INPUT_MODE_RESET, resetTerminalInputModes, openBrowser2, warnSetupStatus, resolveTtyEnv, formatEnvExports, parseEnvSize, readStreamSize, resolveTtySize, resolveSessionEnv, parseReachabilityState, runCommand, checkReachability, watchReachabilityWithScutil, watchReachabilityWithNotifyutil, waitForNetworkOnline, parseConnectArgs, parseConnectTarget, isSessionNotFoundError, SESSION_NAME_TOKEN_KEY, encodeSessionNameToken, decodeSessionNameToken, extractSessionNameFromCommand, SESSION_LOG_FLUSH_BYTES, SESSION_LOG_EOF_MARKER, createRemoteSessionLogSink, CONNECT_SHELL_CANDIDATES, resolveConnectShell, confirmNewSession, promptRenameSession, HEARTBEAT_INTERVAL_MS, HEARTBEAT_TIMEOUT_MS, INPUT_PROBE_TIMEOUT_MS, STREAM_STALL_PROBE_MISS_THRESHOLD, CONNECT_OPEN_TIMEOUT_MS, WS_OPEN_STATE, streamExecSession, runConnect;
+var import_node_child_process4, import_node_crypto10, import_node_os9, import_node_path16, import_node_readline3, import_promises13, resolveInitialSessionId, shouldAttachToExistingSession, resolveSessionSpecifierFromExplicitTarget, isAttachReplacedCloseCode, shouldCancelConnectOnSigint, DEFAULT_TTY_COLS, DEFAULT_TTY_ROWS, TERMINAL_INPUT_MODE_RESET, resetTerminalInputModes, openBrowser2, warnSetupStatus, resolveTtyEnv, formatEnvExports, parseEnvSize, readStreamSize, resolveTtySize, resolveSessionEnv, parseReachabilityState, runCommand, checkReachability, watchReachabilityWithScutil, watchReachabilityWithNotifyutil, waitForNetworkOnline, parseConnectArgs, parseConnectTarget, isSessionNotFoundError, SESSION_NAME_TOKEN_KEY, encodeSessionNameToken, decodeSessionNameToken, extractSessionNameFromCommand, SESSION_LOG_FLUSH_BYTES, SESSION_LOG_EOF_MARKER, createRemoteSessionLogSink, CONNECT_SHELL_CANDIDATES, resolveConnectShell, confirmNewSession, promptRenameSession, HEARTBEAT_INTERVAL_MS, HEARTBEAT_TIMEOUT_MS, INPUT_PROBE_TIMEOUT_MS, STREAM_STALL_PROBE_MISS_THRESHOLD, CONNECT_OPEN_TIMEOUT_MS, WS_OPEN_STATE, streamExecSession, runConnect;
 var init_connect2 = __esm({
   "src/devbox/commands/connect.ts"() {
     "use strict";
     import_node_child_process4 = require("node:child_process");
-    import_node_crypto9 = require("node:crypto");
+    import_node_crypto10 = require("node:crypto");
     import_node_os9 = __toESM(require("node:os"), 1);
     import_node_path16 = require("node:path");
     import_node_readline3 = require("node:readline");
@@ -201025,7 +201199,7 @@ var init_connect2 = __esm({
         const weztermPane = process.env.WEZTERM_PANE?.trim() || "";
         const weztermSocket = process.env.WEZTERM_UNIX_SOCKET?.trim() || "";
         const weztermSessionId = weztermPane ? `wezterm:${weztermPane}${weztermSocket ? `:${(0, import_node_path16.basename)(weztermSocket)}` : ""}` : "";
-        const terminalSessionId = process.env.DEVBOX_TERM_SESSION_ID?.trim() || weztermSessionId || process.env.TERM_SESSION_ID?.trim() || process.env.ITERM_SESSION_ID?.trim() || `dvb-${(0, import_node_crypto9.randomUUID)()}`;
+        const terminalSessionId = process.env.DEVBOX_TERM_SESSION_ID?.trim() || weztermSessionId || process.env.TERM_SESSION_ID?.trim() || process.env.ITERM_SESSION_ID?.trim() || `dvb-${(0, import_node_crypto10.randomUUID)()}`;
         const logPath = shouldLog2 && sessionName ? buildSessionLogPath(sessionName) : null;
         const modalSessionLogPath = computeProvider === "modal" ? logPath : null;
         const sessionLogSink = logPath && computeProvider !== "modal" ? createRemoteSessionLogSink(client2, spriteAlias, logPath) : null;
@@ -202744,11 +202918,11 @@ var init_session3 = __esm({
 });
 // src/devbox/commands/init/repo.ts
-var import_node_crypto10, import_node_child_process5, import_node_path20, buildSpawnEnv, runCommand2, runCommandRaw, findRepoRoot, readRepoOrigin, readLocalGitConfigValue, writeLocalGitConfigValue, ensureRepoProjectId, resolveGitCommonDir, readHeadState, readNullSeparatedPaths, readWorktreeState, confirmCopyWorktree, readGlobalGitConfigFiles, mapGlobalGitConfigDestinations;
+var import_node_crypto11, import_node_child_process5, import_node_path20, buildSpawnEnv, runCommand2, runCommandRaw, findRepoRoot, readRepoOrigin, readLocalGitConfigValue, writeLocalGitConfigValue, ensureRepoProjectId, resolveGitCommonDir, readHeadState, readNullSeparatedPaths, readWorktreeState, confirmCopyWorktree, readGlobalGitConfigFiles, mapGlobalGitConfigDestinations;
 var init_repo2 = __esm({
   "src/devbox/commands/init/repo.ts"() {
     "use strict";
-    import_node_crypto10 = require("node:crypto");
+    import_node_crypto11 = require("node:crypto");
     import_node_child_process5 = require("node:child_process");
     import_node_path20 = __toESM(require("node:path"), 1);
     init_dist3();
@@ -202835,7 +203009,7 @@ var init_repo2 = __esm({
       const key = "devbox.projectId";
       const existing = await readLocalGitConfigValue(repoRoot, key);
       if (existing) return existing;
-      const created = (0, import_node_crypto10.randomUUID)();
+      const created = (0, import_node_crypto11.randomUUID)();
       await writeLocalGitConfigValue(repoRoot, key, created);
       return created;
     };
@@ -203009,11 +203183,11 @@ var init_config2 = __esm({
 });
 // src/devbox/commands/init/remote.ts
-var import_node_crypto11, DAEMON_DIR, DAEMON_TARBALL, DAEMON_BUNDLE_DIR, DAEMON_ENTRY, DAEMON_WRAPPER, DAEMON_SERVICE_NAME, DAEMON_CONFIG_FILE, MODAL_DAEMON_HEALTH_PORT, DEFAULT_DAEMON_BASE_URL, DEFAULT_HEARTBEAT_MS, BOOTSTRAP_EXEC_TIMEOUT_MS, BOOTSTRAP_EXEC_HANDSHAKE_TIMEOUT_MS, BASHRC_PATH, ZSHRC_PATH, CODEX_CONFIG_DIR, CODEX_CONFIG_PATH, BASIC_ALIASES_MARKER, LEGACY_BASH_TRAP, SAFE_BASH_TRAP, BASH_HISTORY_BLOCK, ZSH_HISTORY_BLOCK, HISTORY_BLOCK_PATTERN, BASH_HISTORY_LINE_PATTERN, ZSH_HISTORY_LINE_PATTERN, logger8, truncateTail, shellQuote3, expandHome2, execWithLog, writeRemoteFile, readRemoteFile, ensureTrailingNewline, upsertHistoryBlock, patchBashrcContent, patchZshrcContent, bootstrapDevbox, buildWeztermMuxConfig, buildWeztermMuxRunner, patchRemoteRcFile, patchBashrc, patchZshrc, ensureRemoteCodexConfig, stageRemoteSetupArtifacts, resolveDaemonUrl, fetchDaemonBinary, buildDaemonConfig, buildDaemonWrapperScript, isSameArgs, ensureSpriteDaemonService, installWeztermMux, ensureWeztermMuxService, hasWeztermMuxBinary, isWeztermMuxHealthy, installSpriteDaemon;
+var import_node_crypto12, DAEMON_DIR, DAEMON_TARBALL, DAEMON_BUNDLE_DIR, DAEMON_ENTRY, DAEMON_WRAPPER, DAEMON_SERVICE_NAME, DAEMON_CONFIG_FILE, MODAL_DAEMON_HEALTH_PORT, DEFAULT_DAEMON_BASE_URL, DEFAULT_HEARTBEAT_MS, BOOTSTRAP_EXEC_TIMEOUT_MS, BOOTSTRAP_EXEC_HANDSHAKE_TIMEOUT_MS, BASHRC_PATH, ZSHRC_PATH, CODEX_CONFIG_DIR, CODEX_CONFIG_PATH, BASIC_ALIASES_MARKER, LEGACY_BASH_TRAP, SAFE_BASH_TRAP, BASH_HISTORY_BLOCK, ZSH_HISTORY_BLOCK, HISTORY_BLOCK_PATTERN, BASH_HISTORY_LINE_PATTERN, ZSH_HISTORY_LINE_PATTERN, logger8, truncateTail, shellQuote3, expandHome2, execWithLog, writeRemoteFile, readRemoteFile, ensureTrailingNewline, upsertHistoryBlock, patchBashrcContent, patchZshrcContent, bootstrapDevbox, buildWeztermMuxConfig, buildWeztermMuxRunner, patchRemoteRcFile, patchBashrc, patchZshrc, ensureRemoteCodexConfig, stageRemoteSetupArtifacts, resolveDaemonUrl, fetchDaemonBinary, buildDaemonConfig, buildDaemonWrapperScript, isSameArgs, ensureSpriteDaemonService, installWeztermMux, ensureWeztermMuxService, hasWeztermMuxBinary, isWeztermMuxHealthy, installSpriteDaemon;
 var init_remote = __esm({
   "src/devbox/commands/init/remote.ts"() {
     "use strict";
-    import_node_crypto11 = require("node:crypto");
+    import_node_crypto12 = require("node:crypto");
     init_src();
     init_weztermMux();
     init_config2();
@@ -203070,7 +203244,7 @@ var init_remote = __esm({
       return value;
     };
     execWithLog = async (client2, spriteAlias, script, stage, options) => {
-      const requestId = (0, import_node_crypto11.randomUUID)();
+      const requestId = (0, import_node_crypto12.randomUUID)();
       const startedAt2 = Date.now();
       logger8.info("sprites_request", {
         requestId,
@@ -203104,7 +203278,7 @@ var init_remote = __esm({
       return result;
     };
     writeRemoteFile = async (client2, spriteAlias, path37, content, stage) => {
-      const requestId = (0, import_node_crypto11.randomUUID)();
+      const requestId = (0, import_node_crypto12.randomUUID)();
       logger8.info("sprites_request", {
         requestId,
         method: "writeFile",
@@ -203124,7 +203298,7 @@ var init_remote = __esm({
       });
     };
     readRemoteFile = async (client2, spriteAlias, path37, stage) => {
-      const requestId = (0, import_node_crypto11.randomUUID)();
+      const requestId = (0, import_node_crypto12.randomUUID)();
       logger8.info("sprites_request", {
         requestId,
         method: "readFile",
@@ -204671,7 +204845,7 @@ var init_prompts = __esm({
 });
 // src/devbox/commands/init/codex/remote.ts
-var import_node_child_process8, stripAnsi2, extractBoldText, extractAuthUrl, extractLocalPort, isRelayForbidden, isRelayMissingOpenAiProxyConfiguration, buildEntrypointsBlock, renderRemoteApplyPromptFromTemplate, renderRemoteApplyPrompt, openBrowser3, ensureRemoteCodexInstalled, isRemoteCodexLoggedIn, runRemoteCodexLogin, runRemoteCodexExec;
+var import_node_child_process8, stripAnsi2, extractBoldText, extractAuthUrl, extractLocalPort, isRelayForbidden, isRelayMissingOpenAiProxyConfiguration, buildEntrypointsBlock, resolveRemoteApplyTemplateName, renderRemoteApplyPromptFromTemplate, renderRemoteApplyPrompt, openBrowser3, ensureRemoteCodexInstalled, isRemoteCodexLoggedIn, runRemoteCodexLogin, runRemoteCodexExec;
 var init_remote2 = __esm({
   "src/devbox/commands/init/codex/remote.ts"() {
     "use strict";
@@ -204716,6 +204890,7 @@ var init_remote2 = __esm({
       ];
       return lines.join("\n");
     };
+    resolveRemoteApplyTemplateName = (computeProvider) => computeProvider === "modal" ? "remote-apply-modal.md" : "remote-apply.md";
     renderRemoteApplyPromptFromTemplate = ({
       template,
       setupPath,
@@ -204732,9 +204907,12 @@ var init_remote2 = __esm({
       setupPath,
       artifactsBundle,
       artifactsManifest,
-      entrypoints
+      entrypoints,
+      computeProvider
     }) => {
-      const template = await readPromptTemplate("remote-apply.md");
+      const template = await readPromptTemplate(
+        resolveRemoteApplyTemplateName(computeProvider)
+      );
       return renderRemoteApplyPromptFromTemplate({
         template,
         setupPath,
@@ -206338,11 +206516,11 @@ ${usageText}`;
 });
 // src/devbox/commands/init/codex/artifacts.ts
-var import_node_crypto12, import_node_fs10, import_promises23, import_node_path26, import_node_os13, macCopyfileDisabledEnv, SETUP_ARTIFACT_PART_SIZE_BYTES, SETUP_ARTIFACT_PARTS_DIRNAME, SETUP_ARTIFACT_PARTS_DESCRIPTOR_FILENAME, isWithinRepo, normalizeExternalPath, expandHomePath, buildArtifactEntry, buildEntries, copyArtifact, sha256File, readSetupArtifactsPartsDescriptor, createSetupArtifacts;
+var import_node_crypto13, import_node_fs10, import_promises23, import_node_path26, import_node_os13, macCopyfileDisabledEnv, SETUP_ARTIFACT_PART_SIZE_BYTES, SETUP_ARTIFACT_PARTS_DIRNAME, SETUP_ARTIFACT_PARTS_DESCRIPTOR_FILENAME, isWithinRepo, normalizeExternalPath, expandHomePath, buildArtifactEntry, buildEntries, copyArtifact, sha256File, readSetupArtifactsPartsDescriptor, createSetupArtifacts;
 var init_artifacts = __esm({
   "src/devbox/commands/init/codex/artifacts.ts"() {
     "use strict";
-    import_node_crypto12 = require("node:crypto");
+    import_node_crypto13 = require("node:crypto");
     import_node_fs10 = require("node:fs");
     import_promises23 = __toESM(require("node:fs/promises"), 1);
     import_node_path26 = __toESM(require("node:path"), 1);
@@ -206452,7 +206630,7 @@ var init_artifacts = __esm({
       await import_promises23.default.cp(entry.sourcePath, destPath, { recursive: false });
     };
     sha256File = async (filePath) => await new Promise((resolve2, reject) => {
-      const hash = (0, import_node_crypto12.createHash)("sha256");
+      const hash = (0, import_node_crypto13.createHash)("sha256");
       const stream = (0, import_node_fs10.createReadStream)(filePath);
       stream.on("data", (chunk) => hash.update(chunk));
       stream.on("error", reject);
@@ -206855,12 +207033,12 @@ var init_progress = __esm({
 });
 // src/devbox/commands/init/codex/index.ts
-var import_node_path27, import_node_crypto13, import_promises24, import_node_os14, resolveLocalCodexRoot, readLocalCodexAuthCache, syncLocalCodexAuthCacheToSprite, uploadSetupPlan, runRemoteCodexSetup;
+var import_node_path27, import_node_crypto14, import_promises24, import_node_os14, CODEX_REQUEST_URL_REGEX2, extractRequestUrl2, isLoopbackRelayUrl2, resolveLocalCodexAuthPathCandidates, readLocalCodexAuthCache, syncLocalCodexAuthCacheToSprite, uploadSetupPlan, runRemoteCodexSetup;
 var init_codex = __esm({
   "src/devbox/commands/init/codex/index.ts"() {
     "use strict";
     import_node_path27 = __toESM(require("node:path"), 1);
-    import_node_crypto13 = require("node:crypto");
+    import_node_crypto14 = require("node:crypto");
     import_promises24 = __toESM(require("node:fs/promises"), 1);
     import_node_os14 = require("node:os");
     init_dist3();
@@ -206875,17 +207053,40 @@ var init_codex = __esm({
     init_proxy2();
     init_artifacts();
     init_progress();
-    resolveLocalCodexRoot = () => {
-      const configured = (process.env.CODEX_HOME ?? "").trim();
-      return configured || import_node_path27.default.join((0, import_node_os14.homedir)(), ".codex");
+    CODEX_REQUEST_URL_REGEX2 = /error sending request for url \(([^)]+)\)/i;
+    extractRequestUrl2 = (value) => {
+      const match2 = value.match(CODEX_REQUEST_URL_REGEX2);
+      const url = match2?.[1]?.trim();
+      return url && url.length > 0 ? url : null;
     };
-    readLocalCodexAuthCache = async () => {
-      const authPath = import_node_path27.default.join(resolveLocalCodexRoot(), "auth.json");
+    isLoopbackRelayUrl2 = (requestUrl) => {
       try {
-        return await import_promises24.default.readFile(authPath);
+        const url = new URL(requestUrl);
+        return url.hostname === "127.0.0.1" || url.hostname === "localhost" || url.hostname === "::1";
       } catch {
-        return null;
+        return false;
+      }
+    };
+    resolveLocalCodexAuthPathCandidates = () => {
+      const configured = (process.env.CODEX_HOME ?? "").trim();
+      const defaultRoot = import_node_path27.default.join((0, import_node_os14.homedir)(), ".codex");
+      const candidates = [import_node_path27.default.join(defaultRoot, "auth.json")];
+      if (configured) {
+        const configuredPath = import_node_path27.default.join(configured, "auth.json");
+        if (!candidates.includes(configuredPath)) {
+          candidates.unshift(configuredPath);
+        }
       }
+      return candidates;
+    };
+    readLocalCodexAuthCache = async () => {
+      for (const authPath of resolveLocalCodexAuthPathCandidates()) {
+        try {
+          return await import_promises24.default.readFile(authPath);
+        } catch {
+        }
+      }
+      return null;
     };
     syncLocalCodexAuthCacheToSprite = async ({
       client: client2,
@@ -207101,7 +207302,7 @@ var init_codex = __esm({
       }
       if (splitArtifacts && remoteArtifactsBundlePath) {
         status.stage("Assembling artifacts on remote");
-        const assembledTmpPath = `${remoteArtifactsBundlePath}.tmp-assemble-${(0, import_node_crypto13.randomUUID)()}`;
+        const assembledTmpPath = `${remoteArtifactsBundlePath}.tmp-assemble-${(0, import_node_crypto14.randomUUID)()}`;
         const assembleScript = [
           "set -euo pipefail",
           `bundle=${shellQuote3(remoteArtifactsBundlePath)}`,
@@ -207173,6 +207374,7 @@ var init_codex = __esm({
     runRemoteCodexSetup = async ({
       client: client2,
       spriteAlias,
+      computeProvider,
       expandedWorkdir,
       remoteSetupPath,
       remoteArtifactsBundlePath,
@@ -207185,18 +207387,13 @@ var init_codex = __esm({
       emitCodexOutput = true
     }) => {
       if (!proxyOptions) {
+        await syncLocalCodexAuthCacheToSprite({
+          client: client2,
+          spriteAlias,
+          status
+        });
         status.stage("Check Codex login");
-        let loggedIn = await isRemoteCodexLoggedIn(client2, spriteAlias);
-        if (!loggedIn) {
-          const synced = await syncLocalCodexAuthCacheToSprite({
-            client: client2,
-            spriteAlias,
-            status
-          });
-          if (synced) {
-            loggedIn = await isRemoteCodexLoggedIn(client2, spriteAlias);
-          }
-        }
+        const loggedIn = await isRemoteCodexLoggedIn(client2, spriteAlias);
         if (!loggedIn) {
           await requireDaemonFeatures(socketInfo.socketPath, ["ports"]);
           status.stage("Waiting for Codex login");
@@ -207300,10 +207497,11 @@ codex login`
         setupPath: remoteSetupPath,
         artifactsBundle: remoteArtifactsBundlePath,
         artifactsManifest: remoteArtifactsManifestPath,
-        entrypoints
+        entrypoints,
+        computeProvider
       });
       const codexLastMessagePath = "/home/sprite/.devbox/codex-setup-output.txt";
-      const proxyRoot = proxyOptions ? `/home/sprite/.devbox/tmp/codex-proxy-${(0, import_node_crypto13.randomUUID)()}` : null;
+      const proxyRoot = proxyOptions ? `/home/sprite/.devbox/tmp/codex-proxy-${(0, import_node_crypto14.randomUUID)()}` : null;
       const proxyTokenPath = proxyRoot ? `${proxyRoot}/devbox-token` : null;
       const proxyCodexHome = proxyRoot ? `${proxyRoot}/codex-home` : null;
       const proxyConfigPath = proxyCodexHome ? `${proxyCodexHome}/config.toml` : null;
@@ -207454,15 +207652,59 @@ codex login`
       };
       writeCodexOutput(process.stdout, execResult?.stdout, "stdout");
       writeCodexOutput(process.stderr, execResult?.stderr, "stderr");
-      if (!emitCodexOutput) return;
+      let lastMessage = "";
+      let lastMessageReadError = null;
       try {
         const bytes = await client2.readFile(spriteAlias, {
           path: codexLastMessagePath
         });
-        const message = Buffer.from(bytes).toString("utf8").trim();
-        if (message && !printedCodexStdout) {
+        lastMessage = Buffer.from(bytes).toString("utf8").trim();
+      } catch (error2) {
+        lastMessageReadError = error2 instanceof Error ? error2 : new Error(String(error2));
+      }
+      if (!lastMessage) {
+        const combinedOutputRaw = `${execResult?.stdout ?? ""}
+${execResult?.stderr ?? ""}`;
+        const combinedOutput = combinedOutputRaw.toLowerCase();
+        if (combinedOutput.includes("401 unauthorized")) {
+          throw new Error(
+            "codex exec failed: remote Codex auth returned 401 unauthorized. Re-run `dvb setup --codex-auth byo` (or ensure proxy auth is configured), then retry with `dvb init --resume`."
+          );
+        }
+        if (combinedOutput.includes("stream disconnected before completion")) {
+          const requestUrl = extractRequestUrl2(combinedOutputRaw);
+          if (requestUrl && isLoopbackRelayUrl2(requestUrl)) {
+            throw new Error(
+              `codex exec failed: local relay is unreachable at ${requestUrl}. Set a reachable remote relay URL (for example \`DEVBOX_REMOTE_RELAY_BASE_URL=https://relay.boxes.dev\`), run \`dvb setup\`, then retry with \`dvb init --resume\`.`
+            );
+          }
+          const requestTarget = requestUrl ?? "relay /v1/responses endpoint";
+          throw new Error(
+            `codex exec failed: proxy stream disconnected before completion while calling ${requestTarget}. Ensure relay connectivity from the remote devbox, then retry with \`dvb init --resume\`.`
+          );
+        }
+        if (combinedOutput.includes("no last agent message")) {
+          throw new Error(
+            "codex exec failed: Codex returned no final response. Setup was not applied; retry with `dvb init --resume`."
+          );
+        }
+        if (lastMessageReadError) {
+          throw new Error(
+            "codex exec failed: missing Codex final output file. Setup may not have run; retry with `dvb init --resume`."
+          );
+        }
+        throw new Error(
+          "codex exec failed: empty Codex final response. Setup was not applied; retry with `dvb init --resume`."
+        );
+      }
+      if (!emitCodexOutput) return;
+      try {
+        const stdoutText = execResult?.stdout ?? "";
+        const stdoutHasAssistantTurn = /\nassistant(\n|$)/i.test(stdoutText);
+        const shouldPrintLastMessage = !printedCodexStdout || !stdoutHasAssistantTurn || !stdoutText.includes(lastMessage);
+        if (shouldPrintLastMessage) {
           status.stop();
-          process.stdout.write(`${message}
+          process.stdout.write(`${lastMessage}
 `);
         }
       } catch {
@@ -208915,11 +209157,11 @@ var init_provisionFlow = __esm({
 });
 // src/devbox/commands/init/ssh.ts
-var import_node_crypto14, import_node_child_process10, logger9, SSH_IDENTITY_FILE, SSH_ED25519_PUBLIC_KEY_PATTERN, stripGitSuffix2, buildSshUrl, buildSettingsUrl, parseScpLike, parseGitRemote, execRemote, extractEd25519PublicKey, readRemoteOrigin, setRemoteOrigin, ensureSshKey, ensureSshConfig, verifySshAuth, openBrowser4, runClipboardCommand, copyToClipboard;
+var import_node_crypto15, import_node_child_process10, logger9, SSH_IDENTITY_FILE, SSH_ED25519_PUBLIC_KEY_PATTERN, stripGitSuffix2, buildSshUrl, buildSettingsUrl, parseScpLike, parseGitRemote, execRemote, extractEd25519PublicKey, readRemoteOrigin, setRemoteOrigin, ensureSshKey, ensureSshConfig, verifySshAuth, openBrowser4, runClipboardCommand, copyToClipboard;
 var init_ssh = __esm({
   "src/devbox/commands/init/ssh.ts"() {
     "use strict";
-    import_node_crypto14 = require("node:crypto");
+    import_node_crypto15 = require("node:crypto");
     import_node_child_process10 = require("node:child_process");
     init_src();
     init_remote();
@@ -209001,7 +209243,7 @@ var init_ssh = __esm({
       return null;
     };
     execRemote = async (client2, spriteAlias, script, stage) => {
-      const requestId = (0, import_node_crypto14.randomUUID)();
+      const requestId = (0, import_node_crypto15.randomUUID)();
       logger9.info("sprites_request", {
         requestId,
         method: "exec",
@@ -209873,7 +210115,7 @@ var init_finalizeFlow = __esm({
               } else {
                 R2.warn("Could not copy the SSH key automatically.");
               }
-              const openBrowserPromptMessage = copied ? `Open ${remoteInfo.host} SSH key page in your browser? (SSH key copied to clipboard; paste it into the key box, then click "Add SSH key".)` : `Open ${remoteInfo.host} SSH key page in your browser?`;
+              const openBrowserPromptMessage = copied ? `SSH key copied to clipboard; click "Add SSH key". Open ${remoteInfo.host} SSH key page in your browser?` : `Open ${remoteInfo.host} SSH key page in your browser?`;
               const shouldOpen = await promptBeforeOpenBrowser({
                 url: remoteInfo.settingsUrl,
                 title: `${remoteInfo.host} SSH key page`,
@@ -210096,6 +210338,7 @@ var init_finalizeFlow = __esm({
             await runRemoteCodexSetup({
               client: client2,
               spriteAlias,
+              computeProvider,
               expandedWorkdir,
               remoteSetupPath,
               remoteArtifactsBundlePath,
@@ -215626,11 +215869,11 @@ var init_qr = __esm({
 });
 // src/devbox/commands/setup.ts
-var import_node_crypto15, trim, normalizeOrgSlug, extractOrgFromSpriteToken, parseCodexAuthMode, parseSpriteAuthMode, resolveSpriteAuthMode, normalizeSiteUrl, resolveSiteUrl, MOBILE_DOWNLOAD_LINK, parseSetupArgs, splitQrLines, printMobileDownloadQr, printFirstSetupCompleteMessage, normalizeUrlForCompare, resolveHostForCompare, resolveCliName3, formatSpritesApiError, probeSpritesAccess, runSetup;
+var import_node_crypto16, trim, normalizeOrgSlug, extractOrgFromSpriteToken, parseCodexAuthMode, parseSpriteAuthMode, resolveSpriteAuthMode, normalizeSiteUrl, resolveSiteUrl, MOBILE_DOWNLOAD_LINK, parseSetupArgs, splitQrLines, printMobileDownloadQr, printFirstSetupCompleteMessage, normalizeUrlForCompare, resolveHostForCompare, resolveCliName3, formatSpritesApiError, probeSpritesAccess, runSetup;
 var init_setup = __esm({
   "src/devbox/commands/setup.ts"() {
     "use strict";
-    import_node_crypto15 = require("node:crypto");
+    import_node_crypto16 = require("node:crypto");
     init_src();
     init_src();
     init_auth();
@@ -215853,7 +216096,7 @@ var init_setup = __esm({
       return lines.join("\n");
     };
     probeSpritesAccess = async (relayBaseUrl, token) => {
-      const requestId = (0, import_node_crypto15.randomUUID)();
+      const requestId = (0, import_node_crypto16.randomUUID)();
       const url = new URL("/v1/sprites", relayBaseUrl);
       url.searchParams.set("max_results", "1");
       logger7.info("sprites_request", {
@@ -216458,11 +216701,11 @@ var init_whoami = __esm({
 });
 // src/devbox/commands/wezterm.ts
-var import_node_crypto16, import_node_child_process12, import_promises32, import_node_os23, import_node_path37, import_promises33, logger10, WEZTERM_APP_PATH, WEZTERM_BIN_PATH, WEZTERM_BIN_DIR, WEZTERM_INSTALL_URL, WEZTERM_PATH_EXPORT, WEZTERM_HEALTH_POLL_INTERVAL_MS, WEZTERM_HEALTH_POLL_TIMEOUT_MS, WEZTERM_PROXY_BASE_ENV, WEZTERM_PROXY_LOG_NAME, WEZTERM_USAGE, parseWeztermArgs, resolveSpriteAlias2, initWeztermClient, waitForWeztermMuxHealthy, ensureWeztermMuxReady, runWeztermProxy, runCommand6, promptYesNo2, fileExists, hasWeztermOnPath, resolveShellProfilePath, ensureWeztermOnPath, ensureWeztermInstalled, expandPath, resolveDefaultConfigPath, escapeRegExp2, resolveCliName4, resolveDvbCommand, formatLuaArgs, resolveWeztermProxyEnv, buildProxyCommand, buildDomainBlock, canAppendToConfig, countReturns, applyReturnTableTransform, insertBlock, runWeztermSetup, startWeztermDomain, runWezterm;
+var import_node_crypto17, import_node_child_process12, import_promises32, import_node_os23, import_node_path37, import_promises33, logger10, WEZTERM_APP_PATH, WEZTERM_BIN_PATH, WEZTERM_BIN_DIR, WEZTERM_INSTALL_URL, WEZTERM_PATH_EXPORT, WEZTERM_HEALTH_POLL_INTERVAL_MS, WEZTERM_HEALTH_POLL_TIMEOUT_MS, WEZTERM_PROXY_BASE_ENV, WEZTERM_PROXY_LOG_NAME, WEZTERM_USAGE, parseWeztermArgs, resolveSpriteAlias2, initWeztermClient, waitForWeztermMuxHealthy, ensureWeztermMuxReady, runWeztermProxy, runCommand6, promptYesNo2, fileExists, hasWeztermOnPath, resolveShellProfilePath, ensureWeztermOnPath, ensureWeztermInstalled, expandPath, resolveDefaultConfigPath, escapeRegExp2, resolveCliName4, resolveDvbCommand, formatLuaArgs, resolveWeztermProxyEnv, buildProxyCommand, buildDomainBlock, canAppendToConfig, countReturns, applyReturnTableTransform, insertBlock, runWeztermSetup, startWeztermDomain, runWezterm;
 var init_wezterm = __esm({
   "src/devbox/commands/wezterm.ts"() {
     "use strict";
-    import_node_crypto16 = require("node:crypto");
+    import_node_crypto17 = require("node:crypto");
     import_node_child_process12 = require("node:child_process");
     import_promises32 = __toESM(require("node:fs/promises"), 1);
     import_node_os23 = __toESM(require("node:os"), 1);
@@ -216673,7 +216916,7 @@ var init_wezterm = __esm({
       await writeProxyLog(
         `proxy_ready box=${spriteAlias} setup=${skipSetup ? "skip" : "full"}`
       );
-      const requestId = (0, import_node_crypto16.randomUUID)();
+      const requestId = (0, import_node_crypto17.randomUUID)();
       const proxyPath = `/v1/sprites/${spriteAlias}/proxy`;
       logger10.info("sprites_request", {
         requestId,
@@ -217754,4 +217997,4 @@ smol-toml/dist/index.js:
 */
 //# sourceMappingURL=dvb.cjs.map
-//# debugId=4e18cf4e-c377-5d7b-a7bf-2022f0e42fc7
+//# debugId=c3ed3072-4c93-5461-97f3-5f404303f107