@madarco/agentbox 0.11.3 → 0.12.0

package/runtime/hetzner/ctl.cjs

@@ -18509,6 +18509,35 @@ var KEY_REGISTRY = [
     description: "Per-provider override of `box.defaultCheckpoint` for vercel. Wins over the global when set; set via `agentbox checkpoint set-default --provider vercel`.",
     advanced: true
   },
+  {
+    key: "box.size",
+    type: "string",
+    description: "Default VM size for cloud providers. Provider-interpreted: hetzner = server type (e.g. `cx33`); daytona = `cpu-memory-disk` GB (e.g. `4-8-20`). Used as fallback when no per-provider override is set. Docker/Vercel ignore it."
+  },
+  {
+    key: "box.sizeDocker",
+    type: "string",
+    description: "Per-provider override of `box.size` for docker. Reserved \u2014 docker sizing is controlled via `box.memory` / `box.cpus` / `box.disk`.",
+    advanced: true
+  },
+  {
+    key: "box.sizeDaytona",
+    type: "string",
+    description: "Per-provider override of `box.size` for daytona. `cpu-memory-disk` GB spec (e.g. `4-8-20`). Only honored on the image/Dockerfile create path; Daytona rejects custom resources on snapshot-resume.",
+    advanced: true
+  },
+  {
+    key: "box.sizeHetzner",
+    type: "string",
+    description: "Per-provider override of `box.size` for hetzner. Server type string (e.g. `cx23`, `cx33`, `cx43`).",
+    advanced: true
+  },
+  {
+    key: "box.sizeVercel",
+    type: "string",
+    description: "Per-provider override of `box.size` for vercel. Reserved \u2014 vercel sizing is controlled via `box.vercelVcpus`.",
+    advanced: true
+  },
   {
     key: "checkpoint.maxLayers",
     type: "int",
@@ -18525,6 +18554,11 @@ var KEY_REGISTRY = [
     type: "bool",
     description: "Copy host env/config files (.env*, secrets.toml, agentbox.yaml, ...) into /workspace at box create time (gitignore-bypassing)."
   },
+  {
+    key: "box.resyncOnStart",
+    type: "bool",
+    description: "Merge the host's current branch into the box and overlay the host's uncommitted/untracked changes when starting an agent session (keeps the box's version on conflict and warns the agent)."
+  },
   {
     key: "box.vnc",
     type: "bool",
@@ -18548,7 +18582,31 @@ var KEY_REGISTRY = [
   {
     key: "box.image",
     type: "string",
-    description: "Box image ref (advanced).",
+    description: "Generic box image ref (fallback). Used as fallback when no per-provider override is set; the default `agentbox/box:dev` is treated as a sentinel by cloud backends (boot from their prepared base snapshot instead).",
+    advanced: true
+  },
+  {
+    key: "box.imageDocker",
+    type: "string",
+    description: "Per-provider override of `box.image` for docker (local docker image ref, e.g. `agentbox/box:dev`). Wins over the generic when set.",
+    advanced: true
+  },
+  {
+    key: "box.imageDaytona",
+    type: "string",
+    description: "Per-provider override of `box.image` for daytona (named snapshot, e.g. `agentbox-base-<fingerprint>`). Written by `agentbox prepare --provider daytona`.",
+    advanced: true
+  },
+  {
+    key: "box.imageHetzner",
+    type: "string",
+    description: "Per-provider override of `box.image` for hetzner (image description, e.g. `agentbox-base-<fingerprint>`). Written by `agentbox prepare --provider hetzner`.",
+    advanced: true
+  },
+  {
+    key: "box.imageVercel",
+    type: "string",
+    description: "Per-provider override of `box.image` for vercel (snapshot id, e.g. `snap_\u2026`). Written by `agentbox prepare --provider vercel`.",
     advanced: true
   },
   {
@@ -19163,6 +19221,8 @@ var GH_PR_OPS = [
   "create",
   "view",
   "list",
+  "diff",
+  "checks",
   "comment",
   "review",
   "merge",
@@ -19173,7 +19233,84 @@ var GH_PR_OPS = [
 function isGhPrOp(value) {
   return GH_PR_OPS.includes(value);
 }
-var GH_PR_READ_ONLY_OPS = /* @__PURE__ */ new Set(["view", "list"]);
+var GH_PR_READ_ONLY_OPS = /* @__PURE__ */ new Set([
+  "view",
+  "list",
+  "diff",
+  "checks"
+]);
+var GH_RUN_OPS = ["list", "view", "rerun"];
+function isGhRunOp(value) {
+  return GH_RUN_OPS.includes(value);
+}
+var GH_RUN_READ_ONLY_OPS = /* @__PURE__ */ new Set(["list", "view"]);
+var PR_REVIEW_COMMENT = /^repos\/[^/]+\/[^/]+\/pulls\/\d+\/comments(\?.*)?$/;
+var PR_REVIEW_COMMENT_REPLY = /^repos\/[^/]+\/[^/]+\/pulls\/\d+\/comments\/\d+\/replies(\?.*)?$/;
+var GH_API_WRITE_ALLOWED_ENDPOINTS = [
+  PR_REVIEW_COMMENT,
+  PR_REVIEW_COMMENT_REPLY
+];
+var GH_API_ALLOWED_ENDPOINTS = [...GH_API_WRITE_ALLOWED_ENDPOINTS];
+function isAllowedGhApiEndpoint(endpoint) {
+  return GH_API_ALLOWED_ENDPOINTS.some((re) => re.test(normalizeGhApiEndpoint(endpoint)));
+}
+function isWriteAllowedGhApiEndpoint(endpoint) {
+  return GH_API_WRITE_ALLOWED_ENDPOINTS.some((re) => re.test(normalizeGhApiEndpoint(endpoint)));
+}
+function normalizeGhApiEndpoint(endpoint) {
+  return endpoint.replace(/^\/+/, "");
+}
+var GH_API_ENDPOINT_REFUSAL = {
+  exitCode: 65,
+  stdout: "",
+  stderr: "gh api: endpoint not allowlisted. Proxied: GET on repos/:owner/:repo/pulls/:number/comments (and /:id/replies); POST to those endpoints to add a review comment.\n"
+};
+function refuseGhApiCall(endpoint, args) {
+  const refuse = (reason) => ({
+    exitCode: 65,
+    stdout: "",
+    stderr: `gh api: ${reason}
+`
+  });
+  let explicitMethod = null;
+  let hasFieldFlag = false;
+  for (let i2 = 0; i2 < args.length; i2++) {
+    const arg = args[i2] ?? "";
+    if (arg === "-X" || arg === "--method") {
+      explicitMethod = args[i2 + 1] ?? "";
+      i2++;
+      continue;
+    }
+    if (arg.startsWith("--method=")) {
+      explicitMethod = arg.slice("--method=".length);
+      continue;
+    }
+    if (arg.startsWith("-X") && arg.length > 2) {
+      explicitMethod = arg.slice(2).replace(/^=/, "");
+      continue;
+    }
+    if (arg === "--input" || arg.startsWith("--input=")) {
+      return refuse("'--input' (stdin/file body) isn't supported through the relay; use -f/-F fields");
+    }
+    if (arg === "-f" || arg === "-F" || arg === "--field" || arg === "--raw-field") {
+      hasFieldFlag = true;
+      i2++;
+      continue;
+    }
+    if (arg.startsWith("-f") || arg.startsWith("-F") || arg.startsWith("--field=") || arg.startsWith("--raw-field=")) {
+      hasFieldFlag = true;
+    }
+  }
+  const method = (explicitMethod ?? (hasFieldFlag ? "POST" : "GET")).toUpperCase();
+  if (method === "GET") return null;
+  if (method === "POST") {
+    if (isWriteAllowedGhApiEndpoint(endpoint)) return null;
+    return refuse(
+      `POST is only proxied to PR review-comment endpoints (repos/:o/:r/pulls/:n/comments[/:id/replies]), not '${endpoint}'`
+    );
+  }
+  return refuse(`method '${method}' is not proxied \u2014 only GET, and POST to comment endpoints, are allowed`);
+}
 function injectPrCreateHead(op, branch, args) {
   if (op !== "create") return args;
   if (!branch || branch === "HEAD") return args;
@@ -19451,6 +19588,12 @@ async function executeCloudAction(action, deps) {
   if (action.method.startsWith("gh.pr.")) {
     return runGhPrRpc(action, deps);
   }
+  if (action.method.startsWith("gh.run.")) {
+    return runGhRunRpc(action, deps);
+  }
+  if (action.method === "gh.api") {
+    return runGhApiRpc(action, deps);
+  }
   if (action.method === "git.clone" || action.method === "gh.repo.clone") {
     return {
       exitCode: 64,
@@ -19559,6 +19702,66 @@ async function runGhPrRpc(action, deps) {
   if (prCreateNeedsHead(op, finalArgs)) return PR_CREATE_NO_HEAD_REFUSAL;
   return runHostGh(["pr", op, ...finalArgs], lookup.workspacePath);
 }
+async function cloudWriteConfirm(deps, command, cwd, args) {
+  if (!deps.prompts || !deps.subscribers) return null;
+  const ctx = {
+    kind: "confirm",
+    message: `Allow ${command} from cloud box ${deps.boxName ?? deps.boxId}?`,
+    detail: args.join(" ").slice(0, 200),
+    defaultAnswer: "n",
+    context: { command, cwd, argv: args }
+  };
+  const hasSubscriber = deps.subscribers.forBox(deps.boxId).length > 0;
+  if (!hasSubscriber && process.env["AGENTBOX_PROMPT"] !== "off") {
+    const noSubMode = (process.env["AGENTBOX_GH_NO_SUB"] ?? "deny").toLowerCase();
+    if (noSubMode === "deny") {
+      return {
+        exitCode: 10,
+        stdout: "",
+        stderr: "denied automatically \u2014 no attached wrapper to confirm. Attach `agentbox claude` (or similar) and retry, or set AGENTBOX_GH_NO_SUB=allow.\n"
+      };
+    }
+    if (noSubMode === "allow") {
+      deps.log?.(`${command} auto-approved (no subscribers, AGENTBOX_GH_NO_SUB=allow)`);
+      return null;
+    }
+    const verdict2 = await askPrompt(deps.prompts, deps.subscribers, deps.boxId, ctx, {
+      ttlMs: 5 * 60 * 1e3
+    });
+    return verdict2.answer === "y" ? null : { exitCode: 10, stdout: "", stderr: "denied by user\n" };
+  }
+  const verdict = await askPrompt(deps.prompts, deps.subscribers, deps.boxId, ctx);
+  return verdict.answer === "y" ? null : { exitCode: 10, stdout: "", stderr: "denied by user\n" };
+}
+async function runGhRunRpc(action, deps) {
+  const op = action.method.slice("gh.run.".length);
+  if (!isGhRunOp(op)) {
+    return { exitCode: 64, stdout: "", stderr: `unknown gh.run.* op: ${op}
+` };
+  }
+  const params = action.params ?? {};
+  const args = Array.isArray(params.args) ? params.args.filter((a2) => typeof a2 === "string") : [];
+  const ghReady = await assertGhReady();
+  if (ghReady) return ghReady;
+  const lookup = await lookupCloudBox(deps.boxId);
+  if (!GH_RUN_READ_ONLY_OPS.has(op)) {
+    const denied = await cloudWriteConfirm(deps, `gh run ${op}`, params.path, args);
+    if (denied) return denied;
+  }
+  return runHostGh(["run", op, ...args], lookup.workspacePath);
+}
+async function runGhApiRpc(action, deps) {
+  const params = action.params ?? {};
+  const endpoint = typeof params.endpoint === "string" ? params.endpoint : "";
+  if (!isAllowedGhApiEndpoint(endpoint)) return GH_API_ENDPOINT_REFUSAL;
+  const args = Array.isArray(params.args) ? params.args.filter((a2) => typeof a2 === "string") : [];
+  const callRefusal = refuseGhApiCall(endpoint, args);
+  if (callRefusal) return callRefusal;
+  const ghReady = await assertGhReady();
+  if (ghReady) return ghReady;
+  const lookup = await lookupCloudBox(deps.boxId);
+  return runHostGh(["api", endpoint, ...args], lookup.workspacePath);
+}
 async function runBrowserOpenMirror(action, deps) {
   const params = action.params ?? {};
   const url = typeof params.url === "string" ? params.url.trim() : "";
@@ -20235,6 +20438,29 @@ function createRelayServer(opts) {
         send(res, status2, result);
         return;
       }
+      if (body.method.startsWith("gh.run.")) {
+        const op = body.method.slice("gh.run.".length);
+        if (!isGhRunOp(op)) {
+          send(res, 400, { error: `unknown gh.run.* op: ${op}` });
+          return;
+        }
+        const result = await handleGhRunRpc(
+          op,
+          reg,
+          body.params,
+          prompts,
+          subscribers
+        );
+        const status2 = result.exitCode === 0 ? 200 : 500;
+        send(res, status2, result);
+        return;
+      }
+      if (body.method === "gh.api") {
+        const result = await handleGhApiRpc(reg, body.params);
+        const status2 = result.exitCode === 0 ? 200 : 500;
+        send(res, status2, result);
+        return;
+      }
       if (body.method === "git.clone" || body.method === "gh.repo.clone") {
         send(res, 501, {
           exitCode: 64,
@@ -20712,6 +20938,53 @@ async function handleGhPrRpc(op, reg, params, prompts, subscribers, hostInitiate
   if (prCreateNeedsHead(op, finalArgs)) return PR_CREATE_NO_HEAD_REFUSAL;
   return runHostGh(["pr", op, ...finalArgs], worktree.hostMainRepo);
 }
+async function handleGhRunRpc(op, reg, params, prompts, subscribers) {
+  const containerPath = params?.path ?? "/workspace";
+  const worktree = resolveWorktree(reg, containerPath);
+  if (!worktree) {
+    return {
+      exitCode: 64,
+      stdout: "",
+      stderr: `no worktree registered for box ${reg.boxId} matching ${containerPath}`
+    };
+  }
+  const ghReady = await assertGhReady();
+  if (ghReady) return ghReady;
+  const args = Array.isArray(params?.args) ? params.args.filter((a2) => typeof a2 === "string") : [];
+  if (!GH_RUN_READ_ONLY_OPS.has(op)) {
+    const detail = args.join(" ").slice(0, 200);
+    const verdict = await askPrompt(prompts, subscribers, reg.boxId, {
+      kind: "confirm",
+      message: `Allow gh run ${op} from box ${reg.name}?`,
+      detail,
+      defaultAnswer: "n",
+      context: { command: `gh run ${op}`, cwd: containerPath, argv: args }
+    });
+    if (verdict.answer !== "y") {
+      return { exitCode: 10, stdout: "", stderr: "denied by user\n" };
+    }
+  }
+  return runHostGh(["run", op, ...args], worktree.hostMainRepo);
+}
+async function handleGhApiRpc(reg, params) {
+  const containerPath = params?.path ?? "/workspace";
+  const worktree = resolveWorktree(reg, containerPath);
+  if (!worktree) {
+    return {
+      exitCode: 64,
+      stdout: "",
+      stderr: `no worktree registered for box ${reg.boxId} matching ${containerPath}`
+    };
+  }
+  const endpoint = typeof params?.endpoint === "string" ? params.endpoint : "";
+  if (!isAllowedGhApiEndpoint(endpoint)) return GH_API_ENDPOINT_REFUSAL;
+  const args = Array.isArray(params?.args) ? params.args.filter((a2) => typeof a2 === "string") : [];
+  const callRefusal = refuseGhApiCall(endpoint, args);
+  if (callRefusal) return callRefusal;
+  const ghReady = await assertGhReady();
+  if (ghReady) return ghReady;
+  return runHostGh(["api", endpoint, ...args], worktree.hostMainRepo);
+}
 async function handleCpRpc(reg, method, params) {
   const entry = process.env.AGENTBOX_CLI_ENTRY;
   if (!entry) {
@@ -23083,6 +23356,8 @@ var PR_SUBCOMMANDS = [
   },
   { op: "view", description: "Run `gh pr view` on the host (read-only; no prompt)." },
   { op: "list", description: "Run `gh pr list` on the host (read-only; no prompt)." },
+  { op: "diff", description: "Run `gh pr diff` on the host (read-only; no prompt)." },
+  { op: "checks", description: "Run `gh pr checks` on the host (read-only; no prompt)." },
   { op: "comment", description: "Run `gh pr comment` on the host (prompted; visible to others)." },
   { op: "review", description: "Run `gh pr review` on the host (prompted; visible to others)." },
   {
@@ -23144,7 +23419,42 @@ var repoCommand = new Command("repo").description("GitHub repo operations via th
     }
   )
 );
-var ghCommand = new Command("gh").description("GitHub CLI operations routed through the relay (host `gh` runs with host creds; box never sees a token)").addCommand(buildPrCommand("agentbox-ctl gh pr")).addCommand(repoCommand);
+var RUN_SUBCOMMANDS = [
+  { op: "list", description: "Run `gh run list` on the host (read-only; no prompt)." },
+  { op: "view", description: "Run `gh run view` on the host (read-only; no prompt)." },
+  {
+    op: "rerun",
+    description: "Run `gh run rerun` on the host (prompted; re-triggers CI)."
+  }
+];
+function buildRunCommand(errorPrefix) {
+  const runCommand = new Command("run").description(
+    "GitHub Actions run operations via the host `gh` CLI (requires `gh` installed and `gh auth login` on the host)"
+  );
+  for (const spec of RUN_SUBCOMMANDS) {
+    runCommand.addCommand(
+      new Command(spec.op).description(spec.description).option("--cwd <path>", "container path identifying which registered worktree to use").allowExcessArguments(true).allowUnknownOption(true).argument(
+        "[args...]",
+        "extra flags forwarded to `gh run <op>` verbatim (e.g. `--json`, `--limit`, `<run-id>`)."
+      ).action(async (args, opts) => {
+        const params = { path: opts.cwd ?? process.cwd() };
+        if (args.length > 0) params.args = args;
+        const code = await postRpcAndExit(`gh.run.${spec.op}`, params, { errorPrefix });
+        process.exit(code);
+      })
+    );
+  }
+  return runCommand;
+}
+var apiCommand = new Command("api").description(
+  "Allowlisted `gh api` (host runs `gh api`): GET on proxied endpoints, plus POST to add a PR review comment. Other methods are rejected."
+).option("--cwd <path>", "container path identifying which registered worktree to use").allowExcessArguments(true).allowUnknownOption(true).argument("<endpoint>", "REST endpoint, e.g. repos/:owner/:repo/pulls/:number/comments").argument("[args...]", "extra flags forwarded to `gh api` verbatim (e.g. `--jq`, `-f body=\u2026`).").action(async (endpoint, args, opts) => {
+  const params = { path: opts.cwd ?? process.cwd(), endpoint };
+  if (args.length > 0) params.args = args;
+  const code = await postRpcAndExit("gh.api", params, { errorPrefix: "agentbox-ctl gh api" });
+  process.exit(code);
+});
+var ghCommand = new Command("gh").description("GitHub CLI operations routed through the relay (host `gh` runs with host creds; box never sees a token)").addCommand(buildPrCommand("agentbox-ctl gh pr")).addCommand(buildRunCommand("agentbox-ctl gh run")).addCommand(apiCommand).addCommand(repoCommand);
 
 // src/commands/git.ts
 var import_node_child_process11 = require("child_process");
@@ -23172,6 +23482,18 @@ function runLocalGit(args, cwd) {
     });
   });
 }
+function hasGitIdentity(cwd) {
+  return new Promise((resolve2) => {
+    const child = (0, import_node_child_process11.spawn)("git", ["config", "user.email"], {
+      cwd,
+      stdio: ["ignore", "pipe", "ignore"]
+    });
+    let out = "";
+    child.stdout.on("data", (c3) => out += c3.toString("utf8"));
+    child.on("close", (code) => resolve2(code === 0 && out.trim().length > 0));
+    child.on("error", () => resolve2(false));
+  });
+}
 var gitCommand = new Command("git").description("Git operations that need host credentials (routed through the agentbox relay)").addCommand(
   new Command("push").description("Run `git push` on the host main repo against this box's branch (user is prompted on the host wrapper to confirm)").option("--remote <name>", "remote name (default: origin)").option("--cwd <path>", "container path identifying which registered worktree to use").addOption(hostInitiatedOption()).allowExcessArguments(true).allowUnknownOption(true).argument(
     "[args...]",
@@ -23206,7 +23528,16 @@ var gitCommand = new Command("git").description("Git operations that need host c
       if (fetchCode !== 0) process.exit(fetchCode);
       const remote = opts.remote ?? "origin";
       const cwd = opts.cwd ?? process.cwd();
-      const mergeArgs = ["merge"];
+      const mergeArgs = [];
+      if (!await hasGitIdentity(cwd)) {
+        mergeArgs.push(
+          "-c",
+          "user.name=agentbox",
+          "-c",
+          "user.email=agentbox@users.noreply.github.com"
+        );
+      }
+      mergeArgs.push("merge");
       if (opts.ffOnly) mergeArgs.push("--ff-only");
       mergeArgs.push(`${remote}/HEAD`);
       const mergeCode = await runLocalGit(mergeArgs, cwd);

package/runtime/hetzner/gh-shim

@@ -89,7 +89,7 @@ first_positional() {
 handle_pr() {
   local op="${1-}"; shift || true
   if [ -z "$op" ]; then
-    die "missing subcommand for 'gh pr'. Supported: view, list, create, comment, review, merge, checkout, close, reopen"
+    die "missing subcommand for 'gh pr'. Supported: view, list, diff, checks, create, comment, review, merge, checkout, close, reopen"
   fi
   local branch
   branch="$(box_branch)"
@@ -109,6 +109,20 @@ handle_pr() {
       fi
       exec "$CTL" gh pr list -- "$@"
       ;;
+    diff)
+      strict_flags "gh pr diff" "--color|--name-only|--patch" "$@"
+      if [ -z "$(first_positional "--color" "$@")" ] && [ -n "$branch" ]; then
+        set -- "$branch" "$@"
+      fi
+      exec "$CTL" gh pr diff -- "$@"
+      ;;
+    checks)
+      strict_flags "gh pr checks" "--json|--required" "$@"
+      if [ -z "$(first_positional "--json" "$@")" ] && [ -n "$branch" ]; then
+        set -- "$branch" "$@"
+      fi
+      exec "$CTL" gh pr checks -- "$@"
+      ;;
     create)
       strict_flags "gh pr create" "--fill|--draft|--title|--body|--base" "$@"
       if ! needle_present "--head" "$@" && [ -n "$branch" ]; then
@@ -162,11 +176,70 @@ handle_pr() {
       exec "$CTL" gh pr checkout -- "$@"
       ;;
     *)
-      die "'gh pr $op' is not proxied (supported: view, list, create, comment, review, merge, checkout, close, reopen)"
+      die "'gh pr $op' is not proxied (supported: view, list, diff, checks, create, comment, review, merge, checkout, close, reopen)"
       ;;
   esac
 }
 
+handle_run() {
+  local op="${1-}"; shift || true
+  if [ -z "$op" ]; then
+    die "missing subcommand for 'gh run'. Supported: list, view, rerun"
+  fi
+  case "$op" in
+    list)
+      strict_flags "gh run list" "--json|--limit|-L|--workflow|-w|--branch|-b|--status|--user" "$@"
+      exec "$CTL" gh run list -- "$@"
+      ;;
+    view)
+      strict_flags "gh run view" "--json|--log|--log-failed|--job" "$@"
+      # gh run view needs a run-id OR a --job <id>; refuse when neither is
+      # present (host-side gh would otherwise try an interactive picker and
+      # fail without a TTY).
+      if [ -z "$(first_positional "--json|--job" "$@")" ] && ! needle_present "--job" "$@"; then
+        die "'gh run view' requires a positional <run-id> (or --job <job-id>)"
+      fi
+      exec "$CTL" gh run view -- "$@"
+      ;;
+    rerun)
+      strict_flags "gh run rerun" "--failed|--job" "$@"
+      if [ -z "$(first_positional "--job" "$@")" ] && ! needle_present "--job" "$@"; then
+        die "'gh run rerun' requires a positional <run-id> (or --job <job-id>)"
+      fi
+      exec "$CTL" gh run rerun -- "$@"
+      ;;
+    watch)
+      die "'gh run watch' is not proxied (it blocks until CI finishes). Poll status with 'gh run view <run-id>' instead."
+      ;;
+    *)
+      die "'gh run $op' is not proxied (supported: list, view, rerun)"
+      ;;
+  esac
+}
+
+handle_api() {
+  local endpoint="${1-}"
+  if [ -z "$endpoint" ] || [ "${endpoint:0:1}" = "-" ]; then
+    die "'gh api' requires a positional <endpoint> (e.g. repos/:owner/:repo/pulls/:number/comments)"
+  fi
+  shift
+  # GET reads are proxied for any allowlisted endpoint; POST is proxied only to
+  # the PR review-comment endpoints (the relay enforces the endpoint + method
+  # policy). `--input` (stdin/file body) can't cross the relay — the host `gh`
+  # runs with stdin ignored — so reject it locally and point at -f/-F fields.
+  local arg
+  for arg in "$@"; do
+    case "$arg" in
+      --input|--input=*)
+        die "'gh api --input' (stdin/file body) isn't supported through the relay; use -f/-F fields"
+        ;;
+    esac
+  done
+  strict_flags "gh api" \
+    "--method|-X|-f|-F|--field|--raw-field|--jq|-q|--paginate|--cache|--hostname|-H|--header" "$@"
+  exec "$CTL" gh api "$endpoint" -- "$@"
+}
+
 handle_repo() {
   local op="${1-}"; shift || true
   if [ "$op" != "clone" ]; then
@@ -218,7 +291,7 @@ handle_repo() {
 
 # Top-level dispatch.
 if [ $# -eq 0 ]; then
-  die "no subcommand. Supported: pr {view,list,create,comment,review,merge,checkout,close,reopen}, repo clone, auth status, --version"
+  die "no subcommand. Supported: pr {view,list,diff,checks,create,comment,review,merge,checkout,close,reopen}, run {list,view,rerun}, api <endpoint>, repo clone, auth status, --version"
 fi
 
 case "$1" in
@@ -232,7 +305,7 @@ case "$1" in
     ;;
   --help|-h)
     printf 'agentbox gh shim — strict subset.\n' >&2
-    printf 'Supported: pr {view,list,create,comment,review,merge,checkout,close,reopen}, repo clone, auth status, --version\n' >&2
+    printf 'Supported: pr {view,list,diff,checks,create,comment,review,merge,checkout,close,reopen}, run {list,view,rerun}, api <endpoint>, repo clone, auth status, --version\n' >&2
     printf 'Anything else is rejected. Run host `gh --help` for full upstream docs.\n' >&2
     ;;
   auth)
@@ -253,11 +326,19 @@ case "$1" in
     shift
     handle_pr "$@"
     ;;
+  run)
+    shift
+    handle_run "$@"
+    ;;
+  api)
+    shift
+    handle_api "$@"
+    ;;
   repo)
     shift
     handle_repo "$@"
     ;;
   *)
-    die "'gh $1' is not proxied (supported: pr {…}, repo clone, auth status, --version)"
+    die "'gh $1' is not proxied (supported: pr {…}, run {…}, api <endpoint>, repo clone, auth status, --version)"
     ;;
 esac