@madarco/agentbox 0.1.0

package/runtime/docker/packages/sandbox-docker/scripts/agentbox-dockerd-start

@@ -0,0 +1,52 @@
+#!/usr/bin/env bash
+# Start the in-box dockerd. Launched by the host via
+# `docker exec -d --user root` after the FUSE overlay is up. Idempotent — safe
+# to call again on `agentbox start`. Storage driver is fuse-overlayfs (set in
+# /etc/docker/daemon.json baked into the image) so the inner daemon doesn't
+# need the kernel `overlay` driver, which an unprivileged container can't load.
+
+set -euo pipefail
+
+if pgrep -x dockerd >/dev/null; then
+  exit 0
+fi
+
+mkdir -p /var/lib/docker /var/run /var/log/agentbox
+
+# /var/run lives in the container's writable layer (not a volume), so files
+# written by the previous dockerd run survive `docker stop`/`start`. dockerd
+# refuses to start if `/var/run/docker.pid` exists with a PID in /proc — and
+# after restart, that PID number has been reassigned to (probably) the new
+# `sleep infinity`. Wipe both the pidfile and the stale socket here; pgrep
+# above already confirmed no real dockerd is running.
+rm -f /var/run/docker.pid /var/run/docker.sock
+
+# Cgroup v2 + unprivileged DinD on OrbStack/Docker Desktop: the outer
+# container has /sys/fs/cgroup and /proc/sys bind-mounted RO from the host
+# (Docker's standard hardening). We need both writable for dockerd to:
+#   * mkdir /sys/fs/cgroup/docker (its own cgroup slice for child containers)
+#   * write /proc/sys/net/ipv6/conf/<veth>/disable_ipv6 (default bridge setup)
+# Without these, `docker run` fails with EROFS or "failed to disable IPv6".
+# SYS_ADMIN + the private cgroup namespace let us remount these RW; the
+# writes only affect the box's own namespaces (not the host). Failure is
+# tolerable — some hosts already mount these RW.
+mount -o remount,rw /sys/fs/cgroup 2>/dev/null || true
+mount -o remount,rw /proc/sys 2>/dev/null || true
+
+# nohup + & + disown lets us survive the `docker exec -d` returning. dockerd
+# reads /etc/docker/daemon.json on its own; no flags here keeps the start path
+# debuggable from inside the container (just edit the file and restart).
+nohup dockerd >/var/log/agentbox/dockerd.log 2>&1 &
+
+# Wait for the socket to become accept()-able. Bound by ~30s — first start has
+# to initialize iptables chains and the fuse-overlayfs graphdriver, which is
+# noticeably slower than overlay2.
+for _ in $(seq 1 300); do
+  if [ -S /var/run/docker.sock ] \
+     && docker -H unix:///var/run/docker.sock info >/dev/null 2>&1; then
+    break
+  fi
+  sleep 0.1
+done
+
+disown -a

package/runtime/docker/packages/sandbox-docker/scripts/agentbox-vnc-start

@@ -0,0 +1,77 @@
+#!/usr/bin/env bash
+# Start the per-box VNC stack: Xvnc on :1 (loopback inside container) +
+# websockify on 0.0.0.0:6080 serving noVNC's HTML5 client and proxying RFB.
+# Launched by the host via `docker exec -d --user vscode` after the container
+# is up. Idempotent — re-running while the daemons are alive is a no-op, so
+# `agentbox start` can blindly call us again.
+
+set -euo pipefail
+
+PASS="${AGENTBOX_VNC_PASSWORD:-}"
+if [[ -z "$PASS" ]]; then
+  echo "agentbox-vnc-start: AGENTBOX_VNC_PASSWORD is not set" >&2
+  exit 64
+fi
+
+if pgrep -u "$(id -u)" -x Xvnc >/dev/null \
+   && pgrep -u "$(id -u)" -f "websockify.*6080" >/dev/null; then
+  exit 0
+fi
+
+mkdir -p "$HOME/.vnc"
+# vncpasswd's -f mode reads plaintext on stdin, writes the DES blob to stdout.
+# VncAuth truncates >8 chars at compare time, which is fine — the host writes
+# an 8-char password. Write to a temp file + rename so a failure (e.g.,
+# vncpasswd missing) doesn't leave an empty file that Xvnc would then reject.
+TMP_PASSWD="$(mktemp "$HOME/.vnc/passwd.XXXXXX")"
+printf '%s\n' "$PASS" | vncpasswd -f > "$TMP_PASSWD"
+chmod 600 "$TMP_PASSWD"
+mv "$TMP_PASSWD" "$HOME/.vnc/passwd"
+
+mkdir -p /var/log/agentbox 2>/dev/null || true
+
+# Xvnc on display :1, loopback-only (websockify is the only public ingress).
+# 1280x800x24 is a sensible laptop-browser viewport.
+# The clipboard params are on-by-default in TigerVNC 1.13 but pinned here so a
+# base-image bump can't silently break host->box paste, and to document intent:
+# accept cut-text from noVNC, set both the X CLIPBOARD and PRIMARY selections.
+Xvnc :1 \
+  -localhost \
+  -SecurityTypes VncAuth \
+  -PasswordFile "$HOME/.vnc/passwd" \
+  -geometry 1280x800 \
+  -depth 24 \
+  -AlwaysShared \
+  -AcceptCutText=1 \
+  -SendCutText=1 \
+  -SetPrimary=1 \
+  -SendPrimary=1 \
+  >/var/log/agentbox/xvnc.log 2>&1 &
+
+# Wait for Xvnc's RFB socket (5901). bash's /dev/tcp pseudo-device makes the
+# probe a one-liner without needing netcat in the image.
+for _ in $(seq 1 50); do
+  if (echo > /dev/tcp/127.0.0.1/5901) 2>/dev/null; then break; fi
+  sleep 0.1
+done
+
+# With no window manager, nothing owns the X selections, so Xvnc's RFB cut-text
+# isn't reliably handed to Chromium on Ctrl+V. autocutsel (one daemon per
+# selection) keeps CLIPBOARD and PRIMARY populated and synced. Best-effort: a
+# clipboard failure must never abort VNC, and the pgrep guard keeps a stray
+# re-entry from spawning duplicates (Xvnc is up now, so DISPLAY=:1 resolves).
+if ! pgrep -u "$(id -u)" -x autocutsel >/dev/null; then
+  DISPLAY=:1 autocutsel -selection CLIPBOARD -fork >/dev/null 2>&1 || true
+  DISPLAY=:1 autocutsel -selection PRIMARY -fork >/dev/null 2>&1 || true
+fi
+
+# websockify serves noVNC at /vnc.html (--web) and tunnels WS frames to Xvnc's
+# RFB. Bind 0.0.0.0:6080 so both Docker `-p` mappings and OrbStack's
+# <name>.orb.local routing reach it.
+websockify \
+  --web=/usr/share/novnc \
+  0.0.0.0:6080 \
+  127.0.0.1:5901 \
+  >/var/log/agentbox/websockify.log 2>&1 &
+
+disown -a

package/runtime/docker/packages/sandbox-docker/scripts/claude-managed-settings.json

@@ -0,0 +1,54 @@
+{
+  "$comment": "AgentBox enterprise-managed Claude Code settings, baked into the box image at /etc/claude-code/managed-settings.json. Highest precedence and NOT synced from the host ~/.claude, so claude-hooks-filter.ts never touches it; per Claude Code, hook arrays MERGE across settings sources, so the user's own hooks still run. These hooks report Claude's activity to the box supervisor (agentbox-ctl claude-state -> ctl socket -> relay -> ~/.agentbox/boxes/<id>/status.json) so `agentbox status/list/inspect` can show it even when the box is paused. Each command is exit-0 fast and shell-backgrounded so a hook can never block or fail a Claude turn.",
+  "hooks": {
+    "UserPromptSubmit": [
+      {
+        "hooks": [
+          { "type": "command", "command": "agentbox-ctl claude-state working >/dev/null 2>&1 &", "timeout": 3 }
+        ]
+      }
+    ],
+    "PreToolUse": [
+      {
+        "hooks": [
+          { "type": "command", "command": "agentbox-ctl claude-state working >/dev/null 2>&1 &", "timeout": 3 }
+        ]
+      }
+    ],
+    "Stop": [
+      {
+        "hooks": [
+          { "type": "command", "command": "agentbox-ctl claude-state idle >/dev/null 2>&1 &", "timeout": 3 }
+        ]
+      }
+    ],
+    "Notification": [
+      {
+        "matcher": "permission_prompt",
+        "hooks": [
+          { "type": "command", "command": "agentbox-ctl claude-state waiting >/dev/null 2>&1 &", "timeout": 3 }
+        ]
+      },
+      {
+        "matcher": "idle_prompt",
+        "hooks": [
+          { "type": "command", "command": "agentbox-ctl claude-state idle >/dev/null 2>&1 &", "timeout": 3 }
+        ]
+      }
+    ],
+    "SessionStart": [
+      {
+        "hooks": [
+          { "type": "command", "command": "agentbox-ctl claude-state idle >/dev/null 2>&1 &", "timeout": 3 }
+        ]
+      }
+    ],
+    "SessionEnd": [
+      {
+        "hooks": [
+          { "type": "command", "command": "agentbox-ctl claude-state idle >/dev/null 2>&1 &", "timeout": 3 }
+        ]
+      }
+    ]
+  }
+}

package/runtime/docker/packages/sandbox-docker/scripts/custom-system-CLAUDE.md

@@ -0,0 +1,21 @@
+# AgentBox sandbox
+
+You are running inside an AgentBox sandbox: a Linux Docker container with
+docker-in-docker (run `docker` directly, no sudo). The host filesystem is
+mounted read-only at /host-src; /workspace is a FUSE overlay where your
+writes go to a per-box volume.
+
+This container has no SSH credentials and no host gitconfig identity.
+For git operations that need the user (push, pull from private remotes),
+use `agentbox-ctl git pull|push -- <args>` — it RPCs to the host, which
+runs git with the real SSH agent and gitconfig. Local commits work as
+normal because the main `.git/` is bind-mounted at the same absolute
+path as on the host.
+
+Your `~/.claude` and `/workspace` env files live only in this box. If
+you install a skill/plugin (or otherwise change `~/.claude`), tell the
+user to run `agentbox pull claude` on the host to copy it back. If you
+create or change `.env`/`.envrc`/secrets files, tell them to run
+`agentbox pull env`. Both are additive and never overwrite host files.
+
+Box identity is in /etc/agentbox/box.env and the AGENTBOX_* env vars.