@clipboard-health/groundcrew 4.0.2 → 4.1.0

package/dist/commands/sandbox/auth.js

@@ -1,227 +0,0 @@
-import { runCommandAsync } from "../../lib/commandRunner.js";
-import { writeOutput } from "../../lib/util.js";
-import { ensureOne } from "./lifecycle.js";
-import { resolveModel, sandboxModels } from "./model.js";
-import { pickTools } from "./picker.js";
-/**
- * Built-in recipes shipped with crew. Users register additional tools
- * by adding entries under `sandbox.authRecipes` in `crew.config.ts`;
- * a user recipe under the same key overrides the built-in.
- *
- * `kind: "agent"` recipes only appear in the picker when the current
- * sandbox's agent matches the recipe key. `kind: "tool"` (the default
- * for user recipes) is cross-cutting and always appears.
- */
-const BUILTIN_AUTH_RECIPES = {
-    claude: {
-        displayName: "Claude",
-        loginArgs: ["auth", "login"],
-        statusArgs: ["auth", "status"],
-        authenticatedPattern: /"loggedIn"\s*:\s*true/,
-        kind: "agent",
-    },
-    codex: {
-        displayName: "Codex",
-        // `--device-auth` keeps the OAuth flow headless: codex prints a URL
-        // and a code instead of trying to open a browser inside the sandbox.
-        loginArgs: ["login", "--device-auth"],
-        statusArgs: ["login", "status"],
-        // Match "Logged in using …" but not a hypothetical "Not logged in".
-        authenticatedPattern: /(^|\W)Logged in using\b/i,
-        kind: "agent",
-    },
-    cursor: {
-        displayName: "Cursor",
-        binary: "cursor-agent",
-        loginArgs: ["login"],
-        statusArgs: ["status"],
-        // Authenticated output is "✓ Logged in as <email>"; the unauthenticated
-        // output is "Not logged in", which a loose /Logged in/i would falsely
-        // match.
-        authenticatedPattern: /Logged in as\b/i,
-        kind: "agent",
-        // cursor-agent tries to open a browser by default and silently
-        // writes a partial auth file when xdg-open fails; this env var
-        // switches it to a device-code flow that works without a browser.
-        env: { NO_OPEN_BROWSER: "1" },
-    },
-    github: {
-        displayName: "GitHub CLI",
-        binary: "gh",
-        loginArgs: ["auth", "login"],
-        statusArgs: ["auth", "status"],
-        authenticatedPattern: /Logged in to github\.com/i,
-        kind: "tool",
-    },
-};
-function binaryFor(toolKey, recipe) {
-    return recipe.binary ?? toolKey;
-}
-function envFlags(recipe) {
-    const entries = Object.entries(recipe.env ?? {});
-    return entries.flatMap(([key, value]) => ["-e", `${key}=${value}`]);
-}
-// User-supplied recipes can carry arbitrary tokens; wrap each in single
-// quotes so spaces and shell metacharacters can't change how the in-sandbox
-// shell tokenizes the status command.
-function shellQuote(value) {
-    return `'${value.replaceAll("'", `'\\''`)}'`;
-}
-async function probeAuthStatus(sandboxName, toolKey, recipe) {
-    // Some CLIs print status to stderr instead of stdout (codex does
-    // this). Fold stderr into stdout via the in-sandbox shell so the
-    // pattern match sees the message regardless of which stream it
-    // landed on.
-    const innerCommand = `${[binaryFor(toolKey, recipe), ...recipe.statusArgs]
-        .map(shellQuote)
-        .join(" ")} 2>&1`;
-    try {
-        const output = await runCommandAsync("sbx", [
-            "exec",
-            ...envFlags(recipe),
-            sandboxName,
-            "sh",
-            "-c",
-            innerCommand,
-        ]);
-        // Reset lastIndex so a /g or /y user recipe doesn't carry state
-        // across probes and return a false negative.
-        recipe.authenticatedPattern.lastIndex = 0;
-        return recipe.authenticatedPattern.test(output);
-    }
-    catch {
-        return false;
-    }
-}
-async function loginAndVerify(input) {
-    const { sandboxName, toolKey, recipe, modelName, gitDefaults } = input;
-    const binary = binaryFor(toolKey, recipe);
-    writeOutput(`${sandboxName}: launching '${recipe.displayName}' login...`);
-    writeOutput("Complete the login flow in the prompts/browser, then return here.");
-    await runCommandAsync("sbx", ["exec", "-it", ...envFlags(recipe), sandboxName, binary, ...recipe.loginArgs], { stdio: "inherit" });
-    writeOutput("");
-    writeOutput(`${sandboxName}: verifying '${recipe.displayName}' authentication...`);
-    const authenticated = await probeAuthStatus(sandboxName, toolKey, recipe);
-    if (authenticated) {
-        writeOutput(`${sandboxName}: '${recipe.displayName}' authenticated.`);
-        if (gitDefaults && toolKey === "github" && binary === "gh") {
-            await runGhSetupGit(sandboxName);
-        }
-        return;
-    }
-    writeOutput(`${sandboxName}: could not confirm '${recipe.displayName}' authentication — re-run 'crew sandbox auth ${modelName}' to retry.`);
-}
-/**
- * Register `gh` as git's credential helper inside the sandbox so HTTPS
- * pushes succeed without prompting. Best-effort — a failure here doesn't
- * undo the login itself, so we warn and move on.
- */
-async function runGhSetupGit(sandboxName) {
-    writeOutput(`${sandboxName}: wiring 'gh' as git credential helper...`);
-    try {
-        await runCommandAsync("sbx", ["exec", sandboxName, "gh", "auth", "setup-git"]);
-        writeOutput(`${sandboxName}: 'gh auth setup-git' done.`);
-    }
-    catch (error) {
-        writeOutput(`${sandboxName}: warning — 'gh auth setup-git' failed: ${String(error)}`);
-    }
-}
-function availableRecipes(config) {
-    const merged = {
-        ...BUILTIN_AUTH_RECIPES,
-        ...config.sandbox.authRecipes,
-    };
-    return Object.entries(merged)
-        .map(([key, recipe]) => ({ key, recipe }))
-        .toSorted((a, b) => a.key.localeCompare(b.key));
-}
-function shouldShowInPicker(entry, currentAgent) {
-    // Tools (the default) appear in every sandbox. Agent recipes only
-    // appear when they match the current sandbox's agent, so opening
-    // 'crew sandbox auth codex' doesn't list Claude or Cursor.
-    const kind = entry.recipe.kind ?? "tool";
-    return kind === "tool" || entry.key === currentAgent;
-}
-const AUTH_USAGE = "Usage: crew sandbox auth <model> | --all";
-function parseAuthArgs(config, argv) {
-    const positionals = [];
-    let all = false;
-    for (const argument of argv) {
-        if (argument === "--all") {
-            all = true;
-            continue;
-        }
-        if (argument.startsWith("-")) {
-            throw new Error(`crew sandbox auth: unknown option '${argument}'`);
-        }
-        positionals.push(argument);
-    }
-    if (all && positionals.length > 0) {
-        throw new Error("crew sandbox auth: --all cannot be combined with a model name");
-    }
-    if (all) {
-        const models = sandboxModels(config);
-        if (models.length === 0) {
-            throw new Error("crew sandbox auth --all: no sandbox-bearing models configured");
-        }
-        return { models: models.map((model) => ({ modelName: model.modelName, model })) };
-    }
-    const [modelName, ...extras] = positionals;
-    if (modelName === undefined || extras.length > 0) {
-        throw new Error(AUTH_USAGE);
-    }
-    return { models: [{ modelName, model: resolveModel(config, modelName) }] };
-}
-export async function runAuth(config, argv) {
-    const { models } = parseAuthArgs(config, argv);
-    for (const [index, { modelName, model }] of models.entries()) {
-        if (models.length > 1) {
-            writeOutput("");
-            writeOutput(`════ ${modelName} (${index + 1}/${models.length}) ════`);
-        }
-        writeOutput(`${model.sandboxName}: ensuring sandbox is up...`);
-        // oxlint-disable-next-line no-await-in-loop -- each sandbox is interactive; running them sequentially keeps the prompts coherent
-        await ensureOne(config, model);
-        writeOutput("");
-        // oxlint-disable-next-line no-await-in-loop -- intentionally sequential, see above
-        await runAuthInteractive(config, model, modelName);
-    }
-}
-async function runAuthInteractive(config, model, modelName) {
-    const recipes = availableRecipes(config).filter((entry) => shouldShowInPicker(entry, model.sandbox.agent));
-    writeOutput(`${model.sandboxName}: probing authentication status for ${recipes.length} tools...`);
-    const statuses = await Promise.all(recipes.map(async ({ key, recipe }) => ({
-        key,
-        recipe,
-        authenticated: await probeAuthStatus(model.sandboxName, key, recipe),
-    })));
-    const choices = statuses.map(({ key, recipe, authenticated }) => ({
-        key,
-        label: `${recipe.displayName} (${key})`,
-        authenticated,
-    }));
-    writeOutput("");
-    const selectedKeys = await pickTools(choices);
-    if (selectedKeys.length === 0) {
-        writeOutput("Nothing selected. Exiting.");
-        return;
-    }
-    const selectedRecipes = new Map(statuses.map((entry) => [entry.key, entry.recipe]));
-    for (const key of selectedKeys) {
-        const recipe = selectedRecipes.get(key);
-        /* v8 ignore next 3 @preserve - defensive; selectedKeys come from the same map */
-        if (recipe === undefined) {
-            continue;
-        }
-        writeOutput("");
-        writeOutput(`── ${recipe.displayName} ──`);
-        // oxlint-disable-next-line no-await-in-loop -- each login is interactive; running them sequentially keeps the prompts coherent
-        await loginAndVerify({
-            sandboxName: model.sandboxName,
-            toolKey: key,
-            recipe,
-            modelName,
-            gitDefaults: config.sandbox.gitDefaults,
-        });
-    }
-}

package/dist/commands/sandbox/index.d.ts

@@ -1,2 +0,0 @@
-export declare function sandboxCli(argv: string[]): Promise<void>;
-//# sourceMappingURL=index.d.ts.map

package/dist/commands/sandbox/index.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/commands/sandbox/index.ts"],"names":[],"mappings":"AAkBA,wBAAsB,UAAU,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CA8B9D"}

package/dist/commands/sandbox/index.js

@@ -1,47 +0,0 @@
-import { loadConfig } from "../../lib/config.js";
-import { runAuth } from "./auth.js";
-import { runList } from "./inspect.js";
-import { runEnsure, runRegenerate, runRemove } from "./lifecycle.js";
-const USAGE = [
-    "Usage: crew sandbox <verb> [...args]",
-    "",
-    "Verbs:",
-    "  list                      Show every groundcrew-owned sandbox known to sbx",
-    "  ensure [<model>]          Provision the sandbox for one model, or all when omitted",
-    "  regenerate <model>|--all  Tear down and recreate from current template/kits",
-    "  auth <model>|--all        Open a checkbox picker of every tool available in <model>'s",
-    "                            sandbox and run the login flow for each one you select;",
-    "                            --all loops through every configured sandbox in turn",
-    "  rm <model>                Remove the sandbox for a model",
-].join("\n");
-export async function sandboxCli(argv) {
-    const [verb, ...rest] = argv;
-    if (verb === undefined) {
-        throw new Error(USAGE);
-    }
-    switch (verb) {
-        case "list": {
-            await runList();
-            return;
-        }
-        case "ensure": {
-            await runEnsure(await loadConfig(), rest);
-            return;
-        }
-        case "regenerate": {
-            await runRegenerate(await loadConfig(), rest);
-            return;
-        }
-        case "auth": {
-            await runAuth(await loadConfig(), rest);
-            return;
-        }
-        case "rm": {
-            await runRemove(await loadConfig(), rest);
-            return;
-        }
-        default: {
-            throw new Error(`Unknown sandbox sub-verb: ${verb}\n${USAGE}`);
-        }
-    }
-}

package/dist/commands/sandbox/inspect.d.ts

@@ -1,2 +0,0 @@
-export declare function runList(): Promise<void>;
-//# sourceMappingURL=inspect.d.ts.map

package/dist/commands/sandbox/inspect.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"inspect.d.ts","sourceRoot":"","sources":["../../../src/commands/sandbox/inspect.ts"],"names":[],"mappings":"AAKA,wBAAsB,OAAO,IAAI,OAAO,CAAC,IAAI,CAAC,CAc7C"}

package/dist/commands/sandbox/inspect.js

@@ -1,18 +0,0 @@
-import { runCommandAsync } from "../../lib/commandRunner.js";
-import { writeOutput } from "../../lib/util.js";
-const SANDBOX_NAME_PREFIX = "groundcrew-";
-export async function runList() {
-    const output = await runCommandAsync("sbx", ["ls"]);
-    const names = output
-        .split("\n")
-        .map((line) => line.trim().split(/\s+/)[0])
-        .filter((name) => name !== undefined && name.startsWith(SANDBOX_NAME_PREFIX))
-        .map((name) => name.slice(SANDBOX_NAME_PREFIX.length));
-    if (names.length === 0) {
-        writeOutput("(none)");
-        return;
-    }
-    for (const name of names) {
-        writeOutput(name);
-    }
-}

package/dist/commands/sandbox/lifecycle.d.ts

@@ -1,7 +0,0 @@
-import type { ResolvedConfig } from "../../lib/config.ts";
-import { type SandboxModel } from "./model.ts";
-export declare function ensureOne(config: ResolvedConfig, model: SandboxModel, alreadyExists?: boolean): Promise<void>;
-export declare function runEnsure(config: ResolvedConfig, argv: string[]): Promise<void>;
-export declare function runRegenerate(config: ResolvedConfig, argv: string[]): Promise<void>;
-export declare function runRemove(config: ResolvedConfig, argv: string[]): Promise<void>;
-//# sourceMappingURL=lifecycle.d.ts.map

package/dist/commands/sandbox/lifecycle.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"lifecycle.d.ts","sourceRoot":"","sources":["../../../src/commands/sandbox/lifecycle.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAC;AAG1D,OAAO,EAAsC,KAAK,YAAY,EAAiB,MAAM,YAAY,CAAC;AAElG,wBAAsB,SAAS,CAC7B,MAAM,EAAE,cAAc,EACtB,KAAK,EAAE,YAAY,EACnB,aAAa,CAAC,EAAE,OAAO,GACtB,OAAO,CAAC,IAAI,CAAC,CAQf;AAMD,wBAAsB,SAAS,CAAC,MAAM,EAAE,cAAc,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAuBrF;AAUD,wBAAsB,aAAa,CAAC,MAAM,EAAE,cAAc,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAiBzF;AAED,wBAAsB,SAAS,CAAC,MAAM,EAAE,cAAc,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAMrF"}

package/dist/commands/sandbox/lifecycle.js

@@ -1,68 +0,0 @@
-import { resolve } from "node:path";
-import { runCommandAsync } from "../../lib/commandRunner.js";
-import { ensureSandbox, sandboxExists } from "../../lib/dockerSandbox.js";
-import { writeOutput } from "../../lib/util.js";
-import { requireOnePositional, resolveModel, sandboxModels } from "./model.js";
-export async function ensureOne(config, model, alreadyExists) {
-    await ensureSandbox({
-        sandboxName: model.sandboxName,
-        sandbox: model.sandbox,
-        mountPath: resolve(config.workspace.projectDir),
-        gitDefaults: config.sandbox.gitDefaults,
-        ...(alreadyExists === undefined ? {} : { alreadyExists }),
-    });
-}
-async function removeOne(model) {
-    await runCommandAsync("sbx", ["rm", "--force", model.sandboxName]);
-}
-export async function runEnsure(config, argv) {
-    const targets = argv.length === 0
-        ? sandboxModels(config)
-        : [resolveModel(config, requireOnePositional(argv, "Usage: crew sandbox ensure [<model>]"))];
-    if (targets.length === 0) {
-        writeOutput("No sandbox models configured.");
-        return;
-    }
-    for (const model of targets) {
-        // oxlint-disable-next-line no-await-in-loop -- one sandbox at a time; probe then ensure
-        const existed = await sandboxExists(model.sandboxName);
-        writeOutput(existed
-            ? `${model.sandboxName}: already exists`
-            : `${model.sandboxName}: creating (agent=${model.sandbox.agent}, template=${model.sandbox.template ?? "default"})`);
-        // oxlint-disable-next-line no-await-in-loop -- sbx create is intentionally sequential
-        await ensureOne(config, model, existed);
-        if (!existed) {
-            writeOutput(`${model.sandboxName}: created`);
-        }
-    }
-}
-function regenerateTargets(config, argv) {
-    const target = requireOnePositional(argv, "Usage: crew sandbox regenerate <model>|--all");
-    if (target === "--all") {
-        return sandboxModels(config);
-    }
-    return [resolveModel(config, target)];
-}
-export async function runRegenerate(config, argv) {
-    const targets = regenerateTargets(config, argv);
-    if (targets.length === 0) {
-        writeOutput("No sandbox models configured.");
-        return;
-    }
-    for (const model of targets) {
-        writeOutput(`${model.sandboxName}: removing existing sandbox...`);
-        // oxlint-disable-next-line no-await-in-loop -- sbx rm/create are intentionally sequential
-        await removeOne(model);
-        writeOutput(`${model.sandboxName}: creating (agent=${model.sandbox.agent}, template=${model.sandbox.template ?? "default"})`);
-        // oxlint-disable-next-line no-await-in-loop -- sbx rm/create are intentionally sequential
-        await ensureOne(config, model, false);
-        writeOutput(`${model.sandboxName}: regenerated`);
-    }
-}
-export async function runRemove(config, argv) {
-    const modelName = requireOnePositional(argv, "Usage: crew sandbox rm <model>");
-    const model = resolveModel(config, modelName);
-    writeOutput(`${model.sandboxName}: removing...`);
-    await removeOne(model);
-    writeOutput(`${model.sandboxName}: removed`);
-}

package/dist/commands/sandbox/model.d.ts

@@ -1,10 +0,0 @@
-import type { ResolvedConfig, SandboxDefinition } from "../../lib/config.ts";
-export interface SandboxModel {
-    modelName: string;
-    sandbox: SandboxDefinition;
-    sandboxName: string;
-}
-export declare function sandboxModels(config: ResolvedConfig): SandboxModel[];
-export declare function resolveModel(config: ResolvedConfig, modelName: string): SandboxModel;
-export declare function requireOnePositional(argv: string[], usage: string): string;
-//# sourceMappingURL=model.d.ts.map

package/dist/commands/sandbox/model.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"model.d.ts","sourceRoot":"","sources":["../../../src/commands/sandbox/model.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,cAAc,EAAE,iBAAiB,EAAE,MAAM,qBAAqB,CAAC;AAG7E,MAAM,WAAW,YAAY;IAC3B,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,EAAE,iBAAiB,CAAC;IAC3B,WAAW,EAAE,MAAM,CAAC;CACrB;AAED,wBAAgB,aAAa,CAAC,MAAM,EAAE,cAAc,GAAG,YAAY,EAAE,CAcpE;AAED,wBAAgB,YAAY,CAAC,MAAM,EAAE,cAAc,EAAE,SAAS,EAAE,MAAM,GAAG,YAAY,CAapF;AAED,wBAAgB,oBAAoB,CAAC,IAAI,EAAE,MAAM,EAAE,EAAE,KAAK,EAAE,MAAM,GAAG,MAAM,CAM1E"}

package/dist/commands/sandbox/model.js

@@ -1,37 +0,0 @@
-import { sandboxNameFor } from "../../lib/dockerSandbox.js";
-export function sandboxModels(config) {
-    const models = [];
-    for (const [modelName, definition] of Object.entries(config.models.definitions)) {
-        const { sandbox } = definition;
-        if (sandbox === undefined) {
-            continue;
-        }
-        models.push({
-            modelName,
-            sandbox,
-            sandboxName: sandboxNameFor({ agent: sandbox.agent }),
-        });
-    }
-    return models;
-}
-export function resolveModel(config, modelName) {
-    const definition = config.models.definitions[modelName];
-    if (definition === undefined) {
-        throw new Error(`crew sandbox: unknown model '${modelName}'`);
-    }
-    if (definition.sandbox === undefined) {
-        throw new Error(`crew sandbox: model '${modelName}' has no sandbox config`);
-    }
-    return {
-        modelName,
-        sandbox: definition.sandbox,
-        sandboxName: sandboxNameFor({ agent: definition.sandbox.agent }),
-    };
-}
-export function requireOnePositional(argv, usage) {
-    const [first, ...rest] = argv;
-    if (first === undefined || rest.length > 0) {
-        throw new Error(usage);
-    }
-    return first;
-}

package/dist/commands/sandbox/picker.d.ts

@@ -1,20 +0,0 @@
-export interface ToolChoice {
-    /** Recipe key (e.g. "claude", "github"). Returned in the selection. */
-    key: string;
-    /** Human-friendly label shown in the prompt. */
-    label: string;
-    /** Auth status decoration: ✓ when authenticated, ○ otherwise. */
-    authenticated: boolean;
-}
-/**
- * Show an interactive checkbox picker so the engineer chooses which
- * tools to authenticate. Items marked `authenticated` start unchecked
- * (no need to re-auth); unauthed items start checked (default action
- * is "auth what's missing"). The returned array is the list of `key`
- * values that the engineer left checked when they confirmed.
- *
- * Extracted to its own module so tests can vi.mock it and skip stdin
- * interaction; the real implementation pulls @inquirer/checkbox.
- */
-export declare function pickTools(choices: readonly ToolChoice[]): Promise<readonly string[]>;
-//# sourceMappingURL=picker.d.ts.map

package/dist/commands/sandbox/picker.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"picker.d.ts","sourceRoot":"","sources":["../../../src/commands/sandbox/picker.ts"],"names":[],"mappings":"AAEA,MAAM,WAAW,UAAU;IACzB,uEAAuE;IACvE,GAAG,EAAE,MAAM,CAAC;IACZ,gDAAgD;IAChD,KAAK,EAAE,MAAM,CAAC;IACd,iEAAiE;IACjE,aAAa,EAAE,OAAO,CAAC;CACxB;AAED;;;;;;;;;GASG;AACH,wBAAsB,SAAS,CAAC,OAAO,EAAE,SAAS,UAAU,EAAE,GAAG,OAAO,CAAC,SAAS,MAAM,EAAE,CAAC,CAW1F"}

package/dist/commands/sandbox/picker.js

@@ -1,23 +0,0 @@
-import checkbox from "@inquirer/checkbox";
-/**
- * Show an interactive checkbox picker so the engineer chooses which
- * tools to authenticate. Items marked `authenticated` start unchecked
- * (no need to re-auth); unauthed items start checked (default action
- * is "auth what's missing"). The returned array is the list of `key`
- * values that the engineer left checked when they confirmed.
- *
- * Extracted to its own module so tests can vi.mock it and skip stdin
- * interaction; the real implementation pulls @inquirer/checkbox.
- */
-export async function pickTools(choices) {
-    const selected = await checkbox({
-        message: "Select tools to authenticate (space to toggle, enter to confirm):",
-        choices: choices.map((choice) => ({
-            name: `${choice.authenticated ? "✓" : "○"} ${choice.label}`,
-            value: choice.key,
-            checked: !choice.authenticated,
-        })),
-        pageSize: Math.max(choices.length, 1),
-    });
-    return selected;
-}

package/dist/lib/dockerSandbox.d.ts

@@ -1,43 +0,0 @@
-import type { SandboxDefinition } from "./config.ts";
-/**
- * Derive a deterministic sbx sandbox name from the sbx agent so every
- * groundcrew model that targets the same agent reuses one sandbox across
- * repositories and tickets. Lowercased and reduced to the sbx-safe
- * charset (`a-z0-9.+-`) so unusual agent names still round-trip cleanly.
- * Keep the `groundcrew-` prefix stable — doctor and teardown use it to
- * identify groundcrew-owned sandboxes.
- */
-export declare function sandboxNameFor(arguments_: {
-    agent: string;
-}): string;
-/**
- * Probe `sbx ls` to see whether a sandbox with `sandboxName` already
- * exists. Used by `crew sandbox auth` to switch between create vs reuse
- * branches without surfacing the raw sbx error on first run.
- */
-export declare function sandboxExists(sandboxName: string, signal?: AbortSignal): Promise<boolean>;
-interface EnsureSandboxArguments {
-    sandboxName: string;
-    sandbox: SandboxDefinition;
-    /**
-     * Host path bound into the sandbox at the same path. Pass the workspace
-     * `projectDir` so all per-ticket worktrees (siblings of the bare repo
-     * clone) are visible to `sbx exec -w <worktreeDir>` after creation.
-     */
-    mountPath: string;
-    /**
-     * When true, apply the standard git defaults inside the sandbox after
-     * it exists (idempotent, runs whether the sandbox was just created or
-     * already there). See `sandboxGitDefaults.ts` for what gets set.
-     */
-    gitDefaults: boolean;
-    /**
-     * Result of an earlier `sandboxExists` probe by the caller, used to
-     * skip the initial `sbx ls` here. Leave undefined to let this function
-     * probe on its own.
-     */
-    alreadyExists?: boolean;
-}
-export declare function ensureSandbox(arguments_: EnsureSandboxArguments, signal?: AbortSignal): Promise<void>;
-export {};
-//# sourceMappingURL=dockerSandbox.d.ts.map

package/dist/lib/dockerSandbox.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"dockerSandbox.d.ts","sourceRoot":"","sources":["../../src/lib/dockerSandbox.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAGrD;;;;;;;GAOG;AACH,wBAAgB,cAAc,CAAC,UAAU,EAAE;IAAE,KAAK,EAAE,MAAM,CAAA;CAAE,GAAG,MAAM,CAMpE;AAED;;;;GAIG;AACH,wBAAsB,aAAa,CAAC,WAAW,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,WAAW,GAAG,OAAO,CAAC,OAAO,CAAC,CAM/F;AAED,UAAU,sBAAsB;IAC9B,WAAW,EAAE,MAAM,CAAC;IACpB,OAAO,EAAE,iBAAiB,CAAC;IAC3B;;;;OAIG;IACH,SAAS,EAAE,MAAM,CAAC;IAClB;;;;OAIG;IACH,WAAW,EAAE,OAAO,CAAC;IACrB;;;;OAIG;IACH,aAAa,CAAC,EAAE,OAAO,CAAC;CACzB;AAsBD,wBAAsB,aAAa,CACjC,UAAU,EAAE,sBAAsB,EAClC,MAAM,CAAC,EAAE,WAAW,GACnB,OAAO,CAAC,IAAI,CAAC,CAuBf"}

package/dist/lib/dockerSandbox.js

@@ -1,69 +0,0 @@
-import { runCommandAsync } from "./commandRunner.js";
-import { applyGitDefaults } from "./sandboxGitDefaults.js";
-/**
- * Derive a deterministic sbx sandbox name from the sbx agent so every
- * groundcrew model that targets the same agent reuses one sandbox across
- * repositories and tickets. Lowercased and reduced to the sbx-safe
- * charset (`a-z0-9.+-`) so unusual agent names still round-trip cleanly.
- * Keep the `groundcrew-` prefix stable — doctor and teardown use it to
- * identify groundcrew-owned sandboxes.
- */
-export function sandboxNameFor(arguments_) {
-    const raw = `groundcrew-${arguments_.agent}`.toLowerCase();
-    return raw
-        .replaceAll(/[^a-z0-9.+-]+/g, "-")
-        .replaceAll(/-+/g, "-")
-        .replaceAll(/^-|-$/g, "");
-}
-/**
- * Probe `sbx ls` to see whether a sandbox with `sandboxName` already
- * exists. Used by `crew sandbox auth` to switch between create vs reuse
- * branches without surfacing the raw sbx error on first run.
- */
-export async function sandboxExists(sandboxName, signal) {
-    const out = signal === undefined
-        ? await runCommandAsync("sbx", ["ls"])
-        : await runCommandAsync("sbx", ["ls"], { signal });
-    return out.split("\n").some((line) => line.trim().split(/\s+/)[0] === sandboxName);
-}
-/**
- * Idempotent guard: ensure a Docker Sandboxes container exists for the
- * given repository + model. Probes `sbx ls`; if `sandboxName` is missing,
- * calls `sbx create --name <name> [--template <t>] [--kit <k>]... <agent>
- * <mountPath>` to provision it. Once the container exists (newly created
- * or pre-existing), applies the standard git defaults when enabled.
- * First-time agent auth still happens inside the sandbox the first time
- * `sbx exec` runs the agent — `create` only provisions the container, it
- * does not attach.
- */
-async function resolveExistence(arguments_, signal) {
-    if (arguments_.alreadyExists === undefined) {
-        return await sandboxExists(arguments_.sandboxName, signal);
-    }
-    return arguments_.alreadyExists;
-}
-export async function ensureSandbox(arguments_, signal) {
-    const existed = await resolveExistence(arguments_, signal);
-    if (!existed) {
-        const createArguments = ["create", "--name", arguments_.sandboxName];
-        if (arguments_.sandbox.template !== undefined) {
-            createArguments.push("--template", arguments_.sandbox.template);
-        }
-        for (const kit of arguments_.sandbox.kits ?? []) {
-            createArguments.push("--kit", kit);
-        }
-        createArguments.push(arguments_.sandbox.agent, arguments_.mountPath);
-        const options = signal === undefined ? {} : { signal };
-        try {
-            await runCommandAsync("sbx", createArguments, options);
-        }
-        catch (error) {
-            if (!(await sandboxExists(arguments_.sandboxName, signal))) {
-                throw error;
-            }
-        }
-    }
-    if (arguments_.gitDefaults) {
-        await applyGitDefaults({ sandboxName: arguments_.sandboxName }, signal);
-    }
-}

package/dist/lib/sandboxGitDefaults.d.ts

@@ -1,10 +0,0 @@
-interface ApplyGitDefaultsArguments {
-    sandboxName: string;
-}
-/**
- * Apply the standard git defaults inside `sandboxName`. Idempotent —
- * safe to call on every `ensure`/`auth` run to repair drift.
- */
-export declare function applyGitDefaults(arguments_: ApplyGitDefaultsArguments, signal?: AbortSignal): Promise<void>;
-export {};
-//# sourceMappingURL=sandboxGitDefaults.d.ts.map

package/dist/lib/sandboxGitDefaults.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"sandboxGitDefaults.d.ts","sourceRoot":"","sources":["../../src/lib/sandboxGitDefaults.ts"],"names":[],"mappings":"AAyBA,UAAU,yBAAyB;IACjC,WAAW,EAAE,MAAM,CAAC;CACrB;AAED;;;GAGG;AACH,wBAAsB,gBAAgB,CACpC,UAAU,EAAE,yBAAyB,EACrC,MAAM,CAAC,EAAE,WAAW,GACnB,OAAO,CAAC,IAAI,CAAC,CAOf"}

package/dist/lib/sandboxGitDefaults.js

@@ -1,31 +0,0 @@
-import { runCommandAsync } from "./commandRunner.js";
-/**
- * Git defaults applied inside every sandbox when `sandbox.gitDefaults`
- * is enabled (the default).
- *
- * - Disable GPG signing — robot commits inside the sandbox have no key
- *   and would otherwise fail or end up unsigned silently.
- * - Rewrite GitHub SSH URLs to HTTPS so push/fetch go through the `gh`
- *   credential helper (wired by `gh auth setup-git` after a successful
- *   `crew sandbox auth` github login), regardless of how the user
- *   originally cloned the repo on the host.
- *
- * `url.<base>.insteadOf` is multi-valued in git; `--unset-all` before
- * `--add` keeps the set identical across repeated runs instead of
- * appending duplicates.
- */
-const GIT_DEFAULT_COMMANDS = [
-    "git config --global commit.gpgsign false",
-    "git config --global tag.gpgsign false",
-    '(git config --global --unset-all url."https://github.com/".insteadOf 2>/dev/null || true)',
-    'git config --global --add url."https://github.com/".insteadOf "git@github.com:"',
-    'git config --global --add url."https://github.com/".insteadOf "ssh://git@github.com/"',
-].join(" && ");
-/**
- * Apply the standard git defaults inside `sandboxName`. Idempotent —
- * safe to call on every `ensure`/`auth` run to repair drift.
- */
-export async function applyGitDefaults(arguments_, signal) {
-    const options = signal === undefined ? {} : { signal };
-    await runCommandAsync("sbx", ["exec", arguments_.sandboxName, "sh", "-c", GIT_DEFAULT_COMMANDS], options);
-}