@clipboard-health/groundcrew 3.1.9 → 3.2.1

package/README.md

@@ -60,16 +60,19 @@ Installs the `crew` binary. `@clipboard-health/clearance` is pulled in transitiv
 
 3. **Create a Linear project to scope your work.** Any team works — make a project inside it and drop tickets in. The orchestrator polls by project, not by team.
 
-4. **Configure.** Copy the shipped example into XDG config and edit:
+4. **Configure.** Create a `crew.config.ts` you can edit:
 
    ```bash
-   mkdir -p "${XDG_CONFIG_HOME:-$HOME/.config}/groundcrew"
-   cp "$(npm root -g)/@clipboard-health/groundcrew/crew.config.example.ts" \
-      "${XDG_CONFIG_HOME:-$HOME/.config}/groundcrew/crew.config.ts"
-   $EDITOR "${XDG_CONFIG_HOME:-$HOME/.config}/groundcrew/crew.config.ts"
+   # Write into the current folder:
+   crew init && $EDITOR crew.config.ts
+
+   # ...or into the XDG config dir:
+   crew init --global && $EDITOR "${XDG_CONFIG_HOME:-$HOME/.config}/groundcrew/crew.config.ts"
    ```
 
-   Or drop `crew.config.ts` at the root of any repo you run `crew` from — `crew` discovers it via cosmiconfig project-walk. Any of `crew.config.{ts,mjs,js,json}`, `.crewrc{,.json,.ts}`, `.config/crew.config.{ts,json}`, or `.config/crewrc{,.json}` work.
+   `crew init` refuses to overwrite an existing config; pass `--force` to replace it, or `--dry-run` to preview the destination path.
+
+   `crew` discovers the config via cosmiconfig project-walk, so dropping it at the root of any repo you run `crew` from works too. Any of `crew.config.{ts,mjs,js,json}`, `.crewrc{,.json,.ts}`, `.config/crew.config.{ts,json}`, or `.config/crewrc{,.json}` are recognized.
 
    Set `linear.projects[].projectSlug` (paste the trailing slug of your Linear project URL, e.g. `ai-strategy-5152195762f3`), `workspace.projectDir`, and `workspace.knownRepositories`. Defaults cover everything else. To watch multiple projects from one `crew` instance, add more entries to `linear.projects`; they all share the same `orchestrator.maximumInProgress` budget.
 
@@ -359,6 +362,7 @@ To have a coding agent (Claude Code, Cursor, etc.) scaffold `.groundcrew/setup.s
 ## Commands
 
 ```bash
+crew init [--global | --local] [--force] [--dry-run] # create a crew.config.ts (cwd by default)
 crew doctor                                              # full setup check
 crew doctor --ticket <TICKET> [--no-linear] [--no-fetch] # full ticket lifecycle (dispatch + recovery)
 crew run                                                 # one-shot dispatch

package/crew.config.example.ts

@@ -92,6 +92,25 @@ export default {
   // // macOS when you need an agent to use Docker safely.
   // local: { runner: "auto" },
   //
+  // // Additional auth recipes for `crew sandbox auth <model> <tool>`. The
+  // // shipped recipes (claude/codex/cursor agents + github tool) are merged
+  // // with whatever you declare here; your recipe wins on key collision.
+  // // Describe each tool's in-sandbox login + status commands and a regex
+  // // that matches its logged-in output. Omit `kind` for cross-cutting
+  // // tools that should appear in every sandbox's picker; set
+  // // `kind: "agent"` to scope a recipe to a single sbx agent.
+  // sandbox: {
+  //   authRecipes: {
+  //     gcloud: {
+  //       displayName: "gcloud",
+  //       binary: "gcloud",
+  //       loginArgs: ["auth", "login", "--no-launch-browser"],
+  //       statusArgs: ["auth", "list", "--filter=status:ACTIVE", "--format=value(account)"],
+  //       authenticatedPattern: /@/,
+  //     },
+  //   },
+  // },
+  //
   // prompts: {
   //   // Keep personal workflow instructions next to this config, for example
   //   // `${XDG_CONFIG_HOME:-$HOME/.config}/groundcrew/initial-prompt.md`.

package/dist/cli.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"cli.d.ts","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":"AA6JA,wBAAsB,GAAG,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CA8BvD"}
+{"version":3,"file":"cli.d.ts","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":"AAyKA,wBAAsB,GAAG,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CA8BvD"}

package/dist/cli.js

@@ -1,9 +1,11 @@
 import { createRequire } from "node:module";
 import { cleanupWorkspaceCli } from "./commands/cleanupWorkspace.js";
 import { doctor } from "./commands/doctor.js";
+import { initConfigCli } from "./commands/init.js";
 import { interruptWorkspaceCli } from "./commands/interruptWorkspace.js";
 import { orchestrate } from "./commands/orchestrator.js";
 import { resumeWorkspaceCli } from "./commands/resumeWorkspace.js";
+import { sandboxCli } from "./commands/sandbox/index.js";
 import { setupReposCli } from "./commands/setupRepos.js";
 import { setupWorkspaceCli } from "./commands/setupWorkspace.js";
 import { errorMessage, readTicketArgument, writeError, writeOutput } from "./lib/util.js";
@@ -77,6 +79,11 @@ async function doctorCli(argv) {
     process.exitCode = ok ? process.exitCode : 1;
 }
 const SUBCOMMANDS = {
+    init: {
+        summary: "Create a crew.config.ts in the cwd (or --global into the XDG config dir)",
+        usage: "[--global | --local] [--force] [--dry-run]",
+        invoke: initConfigCli,
+    },
     run: {
         summary: "Run the orchestrator (one-shot by default), or provision one ticket with --ticket",
         usage: "[--watch] [--dry-run] [--ticket <ticket>]",
@@ -102,6 +109,11 @@ const SUBCOMMANDS = {
         usage: "<ticket>",
         invoke: resumeWorkspaceCli,
     },
+    sandbox: {
+        summary: "Manage Docker Sandboxes (sbx) for configured models",
+        usage: "<list|ensure|regenerate|auth|rm> [...args]",
+        invoke: sandboxCli,
+    },
     setup: {
         summary: "Project-level setup commands (currently: repos)",
         usage: "repos [--dry-run] [<repo>...]",

package/dist/commands/dispatcher.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"dispatcher.d.ts","sourceRoot":"","sources":["../../src/commands/dispatcher.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAEhD,OAAO,EACL,KAAK,UAAU,EAIhB,MAAM,uBAAuB,CAAC;AAC/B,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,kBAAkB,CAAC;AAEvD,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC;AAGpD,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AAWzD,UAAU,cAAc;IACtB,MAAM,EAAE,cAAc,CAAC;IACvB,MAAM,EAAE,YAAY,CAAC;CACtB;AAED,MAAM,WAAW,UAAU;IACzB,OAAO,CAAC,UAAU,EAAE;QAClB,KAAK,EAAE,UAAU,CAAC;QAClB,eAAe,EAAE,SAAS,aAAa,EAAE,CAAC;QAC1C,+FAA+F;QAC/F,KAAK,EAAE,CAAC,MAAM,CAAC,EAAE,WAAW,KAAK,OAAO,CAAC,YAAY,CAAC,CAAC;QACvD,MAAM,EAAE,OAAO,CAAC;QAChB,MAAM,CAAC,EAAE,WAAW,CAAC;QACrB;;;;WAIG;QACH,UAAU,CAAC,EAAE,MAAM,CAAC;KACrB,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CACnB;AAED,wBAAgB,gBAAgB,CAAC,IAAI,EAAE,cAAc,GAAG,UAAU,CAuMjE"}
+{"version":3,"file":"dispatcher.d.ts","sourceRoot":"","sources":["../../src/commands/dispatcher.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAEhD,OAAO,EACL,KAAK,UAAU,EAIhB,MAAM,uBAAuB,CAAC;AAC/B,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,kBAAkB,CAAC;AAEvD,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC;AAGpD,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AAWzD,UAAU,cAAc;IACtB,MAAM,EAAE,cAAc,CAAC;IACvB,MAAM,EAAE,YAAY,CAAC;CACtB;AAED,MAAM,WAAW,UAAU;IACzB,OAAO,CAAC,UAAU,EAAE;QAClB,KAAK,EAAE,UAAU,CAAC;QAClB,eAAe,EAAE,SAAS,aAAa,EAAE,CAAC;QAC1C,+FAA+F;QAC/F,KAAK,EAAE,CAAC,MAAM,CAAC,EAAE,WAAW,KAAK,OAAO,CAAC,YAAY,CAAC,CAAC;QACvD,MAAM,EAAE,OAAO,CAAC;QAChB,MAAM,CAAC,EAAE,WAAW,CAAC;QACrB;;;;WAIG;QACH,UAAU,CAAC,EAAE,MAAM,CAAC;KACrB,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CACnB;AAaD,wBAAgB,gBAAgB,CAAC,IAAI,EAAE,cAAc,GAAG,UAAU,CA4LjE"}

package/dist/commands/dispatcher.js

@@ -12,6 +12,16 @@ import { errorMessage, log, logEvent } from "../lib/util.js";
 import { workspaces } from "../lib/workspaces.js";
 import { classifyBlockers, classifyEligibility, classifyUsageExhaustion, } from "./eligibility.js";
 import { setupWorkspace } from "./setupWorkspace.js";
+function logSkip(verdict) {
+    log(verdict.message);
+    logEvent("dispatch", {
+        outcome: "skipped",
+        reason: verdict.eventReason,
+        ticket: verdict.issue.id,
+        blockers: verdict.blockers,
+        model: verdict.model,
+    });
+}
 export function createDispatcher(deps) {
     const { config, client } = deps;
     const issueStatusUpdater = createLinearIssueStatusUpdater({ config, client });
@@ -23,16 +33,6 @@ export function createDispatcher(deps) {
         }
         return exhausted;
     }
-    function logSkip(verdict) {
-        log(verdict.message);
-        logEvent("dispatch", {
-            outcome: "skipped",
-            reason: verdict.eventReason,
-            ticket: verdict.issue.id,
-            blockers: verdict.blockers,
-            model: verdict.model,
-        });
-    }
     async function startEligibleIssue(start, dryRun, signal) {
         const { issue, recovery } = start;
         if (start.resolvedFromAny) {

package/dist/commands/init.d.ts

@@ -0,0 +1,26 @@
+/**
+ * `crew init` — create a `crew.config.ts` in the current working directory or,
+ * with `--global`, in the XDG groundcrew config dir. The contents come from
+ * the shipped `crew.config.example.ts` so a fresh install skips the manual
+ * `cp` dance documented in the README.
+ */
+type InitConfigScope = "global" | "local";
+interface InitConfigOptions {
+    /** Where to write the config. Defaults to "local" (cwd). */
+    scope?: InitConfigScope;
+    /** Overwrite an existing destination. */
+    force?: boolean;
+    /** Report the planned action without touching the filesystem. */
+    dryRun?: boolean;
+    /** Override for the working directory; defaults to `process.cwd()`. */
+    cwd?: string;
+}
+type InitConfigOutcome = "dry-run-would-write" | "exists" | "wrote";
+interface InitConfigResult {
+    destination: string;
+    outcome: InitConfigOutcome;
+}
+export declare function initConfig(options?: InitConfigOptions): InitConfigResult;
+export declare function initConfigCli(argv: string[]): Promise<void>;
+export {};
+//# sourceMappingURL=init.d.ts.map

package/dist/commands/init.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"init.d.ts","sourceRoot":"","sources":["../../src/commands/init.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAWH,KAAK,eAAe,GAAG,QAAQ,GAAG,OAAO,CAAC;AAE1C,UAAU,iBAAiB;IACzB,4DAA4D;IAC5D,KAAK,CAAC,EAAE,eAAe,CAAC;IACxB,yCAAyC;IACzC,KAAK,CAAC,EAAE,OAAO,CAAC;IAChB,iEAAiE;IACjE,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,uEAAuE;IACvE,GAAG,CAAC,EAAE,MAAM,CAAC;CACd;AAED,KAAK,iBAAiB,GAAG,qBAAqB,GAAG,QAAQ,GAAG,OAAO,CAAC;AAEpE,UAAU,gBAAgB;IACxB,WAAW,EAAE,MAAM,CAAC;IACpB,OAAO,EAAE,iBAAiB,CAAC;CAC5B;AAED,wBAAgB,UAAU,CAAC,OAAO,GAAE,iBAAsB,GAAG,gBAAgB,CAoB5E;AAED,wBAAsB,aAAa,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAkBjE"}

package/dist/commands/init.js

@@ -0,0 +1,82 @@
+/**
+ * `crew init` — create a `crew.config.ts` in the current working directory or,
+ * with `--global`, in the XDG groundcrew config dir. The contents come from
+ * the shipped `crew.config.example.ts` so a fresh install skips the manual
+ * `cp` dance documented in the README.
+ */
+import { copyFileSync, existsSync, mkdirSync } from "node:fs";
+import { dirname, resolve } from "node:path";
+import { log, writeOutput } from "../lib/util.js";
+import { xdgConfigPath } from "../lib/xdg.js";
+const CONFIG_FILE_NAME = "crew.config.ts";
+const EXAMPLE_FILE_NAME = "crew.config.example.ts";
+export function initConfig(options = {}) {
+    const scope = options.scope ?? "local";
+    const cwd = options.cwd ?? process.cwd();
+    const source = resolveExamplePath();
+    const destination = destinationFor({ scope, cwd });
+    if (existsSync(destination) && options.force !== true) {
+        log(`[exists] ${destination} — pass --force to overwrite`);
+        return { destination, outcome: "exists" };
+    }
+    if (options.dryRun === true) {
+        log(`[dry-run] would write ${destination}`);
+        return { destination, outcome: "dry-run-would-write" };
+    }
+    mkdirSync(dirname(destination), { recursive: true });
+    copyFileSync(source, destination);
+    log(`[wrote] ${destination}`);
+    return { destination, outcome: "wrote" };
+}
+export async function initConfigCli(argv) {
+    const options = parseArguments(argv);
+    const result = initConfig(options);
+    if (result.outcome === "exists") {
+        process.exitCode = 1;
+        return;
+    }
+    if (result.outcome === "wrote") {
+        writeOutput("");
+        writeOutput("Next steps:");
+        writeOutput(`  - Edit ${result.destination}`);
+        writeOutput("  - Set linear.projects[].projectSlug, workspace.projectDir, workspace.knownRepositories");
+        writeOutput("  - Export GROUNDCREW_LINEAR_API_KEY (or LINEAR_API_KEY)");
+        writeOutput("  - Verify with `crew doctor`");
+    }
+}
+function parseArguments(argv) {
+    let scope;
+    let force = false;
+    let dryRun = false;
+    for (const argument of argv) {
+        if (argument === "--global" || argument === "--local") {
+            const next = argument === "--global" ? "global" : "local";
+            if (scope !== undefined && scope !== next) {
+                throw new Error("crew init: --global and --local are mutually exclusive.\nUsage: crew init [--global | --local] [--force] [--dry-run]");
+            }
+            scope = next;
+            continue;
+        }
+        if (argument === "--force") {
+            force = true;
+            continue;
+        }
+        if (argument === "--dry-run") {
+            dryRun = true;
+            continue;
+        }
+        throw new Error(`Unknown option: ${argument}\nUsage: crew init [--global | --local] [--force] [--dry-run]`);
+    }
+    return { scope: scope ?? "local", force, dryRun };
+}
+function destinationFor(args) {
+    if (args.scope === "global") {
+        return xdgConfigPath("groundcrew", CONFIG_FILE_NAME);
+    }
+    return resolve(args.cwd, CONFIG_FILE_NAME);
+}
+function resolveExamplePath() {
+    // `init.ts` lives at src/commands/init.ts in source and dist/commands/init.js
+    // after build; the example ships at the package root in both cases.
+    return resolve(import.meta.dirname, "..", "..", EXAMPLE_FILE_NAME);
+}

package/dist/commands/sandbox/auth.d.ts

@@ -0,0 +1,3 @@
+import type { ResolvedConfig } from "../../lib/config.ts";
+export declare function runAuth(config: ResolvedConfig, argv: string[]): Promise<void>;
+//# sourceMappingURL=auth.d.ts.map

package/dist/commands/sandbox/auth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../../../src/commands/sandbox/auth.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAc,cAAc,EAAE,MAAM,qBAAqB,CAAC;AAuNtE,wBAAsB,OAAO,CAAC,MAAM,EAAE,cAAc,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAcnF"}

package/dist/commands/sandbox/auth.js

@@ -0,0 +1,227 @@
+import { runCommandAsync } from "../../lib/commandRunner.js";
+import { writeOutput } from "../../lib/util.js";
+import { ensureOne } from "./lifecycle.js";
+import { resolveModel, sandboxModels } from "./model.js";
+import { pickTools } from "./picker.js";
+/**
+ * Built-in recipes shipped with crew. Users register additional tools
+ * by adding entries under `sandbox.authRecipes` in `crew.config.ts`;
+ * a user recipe under the same key overrides the built-in.
+ *
+ * `kind: "agent"` recipes only appear in the picker when the current
+ * sandbox's agent matches the recipe key. `kind: "tool"` (the default
+ * for user recipes) is cross-cutting and always appears.
+ */
+const BUILTIN_AUTH_RECIPES = {
+    claude: {
+        displayName: "Claude",
+        loginArgs: ["auth", "login"],
+        statusArgs: ["auth", "status"],
+        authenticatedPattern: /"loggedIn"\s*:\s*true/,
+        kind: "agent",
+    },
+    codex: {
+        displayName: "Codex",
+        // `--device-auth` keeps the OAuth flow headless: codex prints a URL
+        // and a code instead of trying to open a browser inside the sandbox.
+        loginArgs: ["login", "--device-auth"],
+        statusArgs: ["login", "status"],
+        // Match "Logged in using …" but not a hypothetical "Not logged in".
+        authenticatedPattern: /(^|\W)Logged in using\b/i,
+        kind: "agent",
+    },
+    cursor: {
+        displayName: "Cursor",
+        binary: "cursor-agent",
+        loginArgs: ["login"],
+        statusArgs: ["status"],
+        // Authenticated output is "✓ Logged in as <email>"; the unauthenticated
+        // output is "Not logged in", which a loose /Logged in/i would falsely
+        // match.
+        authenticatedPattern: /Logged in as\b/i,
+        kind: "agent",
+        // cursor-agent tries to open a browser by default and silently
+        // writes a partial auth file when xdg-open fails; this env var
+        // switches it to a device-code flow that works without a browser.
+        env: { NO_OPEN_BROWSER: "1" },
+    },
+    github: {
+        displayName: "GitHub CLI",
+        binary: "gh",
+        loginArgs: ["auth", "login"],
+        statusArgs: ["auth", "status"],
+        authenticatedPattern: /Logged in to github\.com/i,
+        kind: "tool",
+    },
+};
+function binaryFor(toolKey, recipe) {
+    return recipe.binary ?? toolKey;
+}
+function envFlags(recipe) {
+    const entries = Object.entries(recipe.env ?? {});
+    return entries.flatMap(([key, value]) => ["-e", `${key}=${value}`]);
+}
+// User-supplied recipes can carry arbitrary tokens; wrap each in single
+// quotes so spaces and shell metacharacters can't change how the in-sandbox
+// shell tokenizes the status command.
+function shellQuote(value) {
+    return `'${value.replaceAll("'", `'\\''`)}'`;
+}
+async function probeAuthStatus(sandboxName, toolKey, recipe) {
+    // Some CLIs print status to stderr instead of stdout (codex does
+    // this). Fold stderr into stdout via the in-sandbox shell so the
+    // pattern match sees the message regardless of which stream it
+    // landed on.
+    const innerCommand = `${[binaryFor(toolKey, recipe), ...recipe.statusArgs]
+        .map(shellQuote)
+        .join(" ")} 2>&1`;
+    try {
+        const output = await runCommandAsync("sbx", [
+            "exec",
+            ...envFlags(recipe),
+            sandboxName,
+            "sh",
+            "-c",
+            innerCommand,
+        ]);
+        // Reset lastIndex so a /g or /y user recipe doesn't carry state
+        // across probes and return a false negative.
+        recipe.authenticatedPattern.lastIndex = 0;
+        return recipe.authenticatedPattern.test(output);
+    }
+    catch {
+        return false;
+    }
+}
+async function loginAndVerify(input) {
+    const { sandboxName, toolKey, recipe, modelName, gitDefaults } = input;
+    const binary = binaryFor(toolKey, recipe);
+    writeOutput(`${sandboxName}: launching '${recipe.displayName}' login...`);
+    writeOutput("Complete the login flow in the prompts/browser, then return here.");
+    await runCommandAsync("sbx", ["exec", "-it", ...envFlags(recipe), sandboxName, binary, ...recipe.loginArgs], { stdio: "inherit" });
+    writeOutput("");
+    writeOutput(`${sandboxName}: verifying '${recipe.displayName}' authentication...`);
+    const authenticated = await probeAuthStatus(sandboxName, toolKey, recipe);
+    if (authenticated) {
+        writeOutput(`${sandboxName}: '${recipe.displayName}' authenticated.`);
+        if (gitDefaults && toolKey === "github" && binary === "gh") {
+            await runGhSetupGit(sandboxName);
+        }
+        return;
+    }
+    writeOutput(`${sandboxName}: could not confirm '${recipe.displayName}' authentication — re-run 'crew sandbox auth ${modelName}' to retry.`);
+}
+/**
+ * Register `gh` as git's credential helper inside the sandbox so HTTPS
+ * pushes succeed without prompting. Best-effort — a failure here doesn't
+ * undo the login itself, so we warn and move on.
+ */
+async function runGhSetupGit(sandboxName) {
+    writeOutput(`${sandboxName}: wiring 'gh' as git credential helper...`);
+    try {
+        await runCommandAsync("sbx", ["exec", sandboxName, "gh", "auth", "setup-git"]);
+        writeOutput(`${sandboxName}: 'gh auth setup-git' done.`);
+    }
+    catch (error) {
+        writeOutput(`${sandboxName}: warning — 'gh auth setup-git' failed: ${String(error)}`);
+    }
+}
+function availableRecipes(config) {
+    const merged = {
+        ...BUILTIN_AUTH_RECIPES,
+        ...config.sandbox.authRecipes,
+    };
+    return Object.entries(merged)
+        .map(([key, recipe]) => ({ key, recipe }))
+        .toSorted((a, b) => a.key.localeCompare(b.key));
+}
+function shouldShowInPicker(entry, currentAgent) {
+    // Tools (the default) appear in every sandbox. Agent recipes only
+    // appear when they match the current sandbox's agent, so opening
+    // 'crew sandbox auth codex' doesn't list Claude or Cursor.
+    const kind = entry.recipe.kind ?? "tool";
+    return kind === "tool" || entry.key === currentAgent;
+}
+const AUTH_USAGE = "Usage: crew sandbox auth <model> | --all";
+function parseAuthArgs(config, argv) {
+    const positionals = [];
+    let all = false;
+    for (const argument of argv) {
+        if (argument === "--all") {
+            all = true;
+            continue;
+        }
+        if (argument.startsWith("-")) {
+            throw new Error(`crew sandbox auth: unknown option '${argument}'`);
+        }
+        positionals.push(argument);
+    }
+    if (all && positionals.length > 0) {
+        throw new Error("crew sandbox auth: --all cannot be combined with a model name");
+    }
+    if (all) {
+        const models = sandboxModels(config);
+        if (models.length === 0) {
+            throw new Error("crew sandbox auth --all: no sandbox-bearing models configured");
+        }
+        return { models: models.map((model) => ({ modelName: model.modelName, model })) };
+    }
+    const [modelName, ...extras] = positionals;
+    if (modelName === undefined || extras.length > 0) {
+        throw new Error(AUTH_USAGE);
+    }
+    return { models: [{ modelName, model: resolveModel(config, modelName) }] };
+}
+export async function runAuth(config, argv) {
+    const { models } = parseAuthArgs(config, argv);
+    for (const [index, { modelName, model }] of models.entries()) {
+        if (models.length > 1) {
+            writeOutput("");
+            writeOutput(`════ ${modelName} (${index + 1}/${models.length}) ════`);
+        }
+        writeOutput(`${model.sandboxName}: ensuring sandbox is up...`);
+        // oxlint-disable-next-line no-await-in-loop -- each sandbox is interactive; running them sequentially keeps the prompts coherent
+        await ensureOne(config, model);
+        writeOutput("");
+        // oxlint-disable-next-line no-await-in-loop -- intentionally sequential, see above
+        await runAuthInteractive(config, model, modelName);
+    }
+}
+async function runAuthInteractive(config, model, modelName) {
+    const recipes = availableRecipes(config).filter((entry) => shouldShowInPicker(entry, model.sandbox.agent));
+    writeOutput(`${model.sandboxName}: probing authentication status for ${recipes.length} tools...`);
+    const statuses = await Promise.all(recipes.map(async ({ key, recipe }) => ({
+        key,
+        recipe,
+        authenticated: await probeAuthStatus(model.sandboxName, key, recipe),
+    })));
+    const choices = statuses.map(({ key, recipe, authenticated }) => ({
+        key,
+        label: `${recipe.displayName} (${key})`,
+        authenticated,
+    }));
+    writeOutput("");
+    const selectedKeys = await pickTools(choices);
+    if (selectedKeys.length === 0) {
+        writeOutput("Nothing selected. Exiting.");
+        return;
+    }
+    const selectedRecipes = new Map(statuses.map((entry) => [entry.key, entry.recipe]));
+    for (const key of selectedKeys) {
+        const recipe = selectedRecipes.get(key);
+        /* v8 ignore next 3 @preserve - defensive; selectedKeys come from the same map */
+        if (recipe === undefined) {
+            continue;
+        }
+        writeOutput("");
+        writeOutput(`── ${recipe.displayName} ──`);
+        // oxlint-disable-next-line no-await-in-loop -- each login is interactive; running them sequentially keeps the prompts coherent
+        await loginAndVerify({
+            sandboxName: model.sandboxName,
+            toolKey: key,
+            recipe,
+            modelName,
+            gitDefaults: config.sandbox.gitDefaults,
+        });
+    }
+}

package/dist/commands/sandbox/index.d.ts

@@ -0,0 +1,2 @@
+export declare function sandboxCli(argv: string[]): Promise<void>;
+//# sourceMappingURL=index.d.ts.map

package/dist/commands/sandbox/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/commands/sandbox/index.ts"],"names":[],"mappings":"AAkBA,wBAAsB,UAAU,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CA8B9D"}

package/dist/commands/sandbox/index.js

@@ -0,0 +1,47 @@
+import { loadConfig } from "../../lib/config.js";
+import { runAuth } from "./auth.js";
+import { runList } from "./inspect.js";
+import { runEnsure, runRegenerate, runRemove } from "./lifecycle.js";
+const USAGE = [
+    "Usage: crew sandbox <verb> [...args]",
+    "",
+    "Verbs:",
+    "  list                      Show every groundcrew-owned sandbox known to sbx",
+    "  ensure [<model>]          Provision the sandbox for one model, or all when omitted",
+    "  regenerate <model>|--all  Tear down and recreate from current template/kits",
+    "  auth <model>|--all        Open a checkbox picker of every tool available in <model>'s",
+    "                            sandbox and run the login flow for each one you select;",
+    "                            --all loops through every configured sandbox in turn",
+    "  rm <model>                Remove the sandbox for a model",
+].join("\n");
+export async function sandboxCli(argv) {
+    const [verb, ...rest] = argv;
+    if (verb === undefined) {
+        throw new Error(USAGE);
+    }
+    switch (verb) {
+        case "list": {
+            await runList();
+            return;
+        }
+        case "ensure": {
+            await runEnsure(await loadConfig(), rest);
+            return;
+        }
+        case "regenerate": {
+            await runRegenerate(await loadConfig(), rest);
+            return;
+        }
+        case "auth": {
+            await runAuth(await loadConfig(), rest);
+            return;
+        }
+        case "rm": {
+            await runRemove(await loadConfig(), rest);
+            return;
+        }
+        default: {
+            throw new Error(`Unknown sandbox sub-verb: ${verb}\n${USAGE}`);
+        }
+    }
+}

package/dist/commands/sandbox/inspect.d.ts

@@ -0,0 +1,2 @@
+export declare function runList(): Promise<void>;
+//# sourceMappingURL=inspect.d.ts.map

package/dist/commands/sandbox/inspect.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"inspect.d.ts","sourceRoot":"","sources":["../../../src/commands/sandbox/inspect.ts"],"names":[],"mappings":"AAKA,wBAAsB,OAAO,IAAI,OAAO,CAAC,IAAI,CAAC,CAc7C"}

package/dist/commands/sandbox/inspect.js

@@ -0,0 +1,18 @@
+import { runCommandAsync } from "../../lib/commandRunner.js";
+import { writeOutput } from "../../lib/util.js";
+const SANDBOX_NAME_PREFIX = "groundcrew-";
+export async function runList() {
+    const output = await runCommandAsync("sbx", ["ls"]);
+    const names = output
+        .split("\n")
+        .map((line) => line.trim().split(/\s+/)[0])
+        .filter((name) => name !== undefined && name.startsWith(SANDBOX_NAME_PREFIX))
+        .map((name) => name.slice(SANDBOX_NAME_PREFIX.length));
+    if (names.length === 0) {
+        writeOutput("(none)");
+        return;
+    }
+    for (const name of names) {
+        writeOutput(name);
+    }
+}

package/dist/commands/sandbox/lifecycle.d.ts

@@ -0,0 +1,7 @@
+import type { ResolvedConfig } from "../../lib/config.ts";
+import { type SandboxModel } from "./model.ts";
+export declare function ensureOne(config: ResolvedConfig, model: SandboxModel, alreadyExists?: boolean): Promise<void>;
+export declare function runEnsure(config: ResolvedConfig, argv: string[]): Promise<void>;
+export declare function runRegenerate(config: ResolvedConfig, argv: string[]): Promise<void>;
+export declare function runRemove(config: ResolvedConfig, argv: string[]): Promise<void>;
+//# sourceMappingURL=lifecycle.d.ts.map

package/dist/commands/sandbox/lifecycle.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"lifecycle.d.ts","sourceRoot":"","sources":["../../../src/commands/sandbox/lifecycle.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAC;AAG1D,OAAO,EAAsC,KAAK,YAAY,EAAiB,MAAM,YAAY,CAAC;AAElG,wBAAsB,SAAS,CAC7B,MAAM,EAAE,cAAc,EACtB,KAAK,EAAE,YAAY,EACnB,aAAa,CAAC,EAAE,OAAO,GACtB,OAAO,CAAC,IAAI,CAAC,CAQf;AAMD,wBAAsB,SAAS,CAAC,MAAM,EAAE,cAAc,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAuBrF;AAUD,wBAAsB,aAAa,CAAC,MAAM,EAAE,cAAc,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAiBzF;AAED,wBAAsB,SAAS,CAAC,MAAM,EAAE,cAAc,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAMrF"}

package/dist/commands/sandbox/lifecycle.js

@@ -0,0 +1,68 @@
+import { resolve } from "node:path";
+import { runCommandAsync } from "../../lib/commandRunner.js";
+import { ensureSandbox, sandboxExists } from "../../lib/dockerSandbox.js";
+import { writeOutput } from "../../lib/util.js";
+import { requireOnePositional, resolveModel, sandboxModels } from "./model.js";
+export async function ensureOne(config, model, alreadyExists) {
+    await ensureSandbox({
+        sandboxName: model.sandboxName,
+        sandbox: model.sandbox,
+        mountPath: resolve(config.workspace.projectDir),
+        gitDefaults: config.sandbox.gitDefaults,
+        ...(alreadyExists === undefined ? {} : { alreadyExists }),
+    });
+}
+async function removeOne(model) {
+    await runCommandAsync("sbx", ["rm", "--force", model.sandboxName]);
+}
+export async function runEnsure(config, argv) {
+    const targets = argv.length === 0
+        ? sandboxModels(config)
+        : [resolveModel(config, requireOnePositional(argv, "Usage: crew sandbox ensure [<model>]"))];
+    if (targets.length === 0) {
+        writeOutput("No sandbox models configured.");
+        return;
+    }
+    for (const model of targets) {
+        // oxlint-disable-next-line no-await-in-loop -- one sandbox at a time; probe then ensure
+        const existed = await sandboxExists(model.sandboxName);
+        writeOutput(existed
+            ? `${model.sandboxName}: already exists`
+            : `${model.sandboxName}: creating (agent=${model.sandbox.agent}, template=${model.sandbox.template ?? "default"})`);
+        // oxlint-disable-next-line no-await-in-loop -- sbx create is intentionally sequential
+        await ensureOne(config, model, existed);
+        if (!existed) {
+            writeOutput(`${model.sandboxName}: created`);
+        }
+    }
+}
+function regenerateTargets(config, argv) {
+    const target = requireOnePositional(argv, "Usage: crew sandbox regenerate <model>|--all");
+    if (target === "--all") {
+        return sandboxModels(config);
+    }
+    return [resolveModel(config, target)];
+}
+export async function runRegenerate(config, argv) {
+    const targets = regenerateTargets(config, argv);
+    if (targets.length === 0) {
+        writeOutput("No sandbox models configured.");
+        return;
+    }
+    for (const model of targets) {
+        writeOutput(`${model.sandboxName}: removing existing sandbox...`);
+        // oxlint-disable-next-line no-await-in-loop -- sbx rm/create are intentionally sequential
+        await removeOne(model);
+        writeOutput(`${model.sandboxName}: creating (agent=${model.sandbox.agent}, template=${model.sandbox.template ?? "default"})`);
+        // oxlint-disable-next-line no-await-in-loop -- sbx rm/create are intentionally sequential
+        await ensureOne(config, model, false);
+        writeOutput(`${model.sandboxName}: regenerated`);
+    }
+}
+export async function runRemove(config, argv) {
+    const modelName = requireOnePositional(argv, "Usage: crew sandbox rm <model>");
+    const model = resolveModel(config, modelName);
+    writeOutput(`${model.sandboxName}: removing...`);
+    await removeOne(model);
+    writeOutput(`${model.sandboxName}: removed`);
+}