@madarco/agentbox 0.11.3 → 0.13.0

package/runtime/vercel/ctl.cjs

@@ -18509,6 +18509,35 @@ var KEY_REGISTRY = [
     description: "Per-provider override of `box.defaultCheckpoint` for vercel. Wins over the global when set; set via `agentbox checkpoint set-default --provider vercel`.",
     advanced: true
   },
+  {
+    key: "box.size",
+    type: "string",
+    description: "Default VM size for cloud providers. Provider-interpreted: hetzner = server type (e.g. `cx33`); daytona = `cpu-memory-disk` GB (e.g. `4-8-20`). Used as fallback when no per-provider override is set. Docker/Vercel ignore it."
+  },
+  {
+    key: "box.sizeDocker",
+    type: "string",
+    description: "Per-provider override of `box.size` for docker. Reserved \u2014 docker sizing is controlled via `box.memory` / `box.cpus` / `box.disk`.",
+    advanced: true
+  },
+  {
+    key: "box.sizeDaytona",
+    type: "string",
+    description: "Per-provider override of `box.size` for daytona. `cpu-memory-disk` GB spec (e.g. `4-8-20`). Only honored on the image/Dockerfile create path; Daytona rejects custom resources on snapshot-resume.",
+    advanced: true
+  },
+  {
+    key: "box.sizeHetzner",
+    type: "string",
+    description: "Per-provider override of `box.size` for hetzner. Server type string (e.g. `cx23`, `cx33`, `cx43`).",
+    advanced: true
+  },
+  {
+    key: "box.sizeVercel",
+    type: "string",
+    description: "Per-provider override of `box.size` for vercel. Reserved \u2014 vercel sizing is controlled via `box.vercelVcpus`.",
+    advanced: true
+  },
   {
     key: "checkpoint.maxLayers",
     type: "int",
@@ -18525,6 +18554,11 @@ var KEY_REGISTRY = [
     type: "bool",
     description: "Copy host env/config files (.env*, secrets.toml, agentbox.yaml, ...) into /workspace at box create time (gitignore-bypassing)."
   },
+  {
+    key: "box.resyncOnStart",
+    type: "bool",
+    description: "Merge the host's current branch into the box and overlay the host's uncommitted/untracked changes when starting an agent session (keeps the box's version on conflict and warns the agent)."
+  },
   {
     key: "box.vnc",
     type: "bool",
@@ -18548,7 +18582,31 @@ var KEY_REGISTRY = [
   {
     key: "box.image",
     type: "string",
-    description: "Box image ref (advanced).",
+    description: "Generic box image ref (fallback). Used as fallback when no per-provider override is set; the default `agentbox/box:dev` is treated as a sentinel by cloud backends (boot from their prepared base snapshot instead).",
+    advanced: true
+  },
+  {
+    key: "box.imageDocker",
+    type: "string",
+    description: "Per-provider override of `box.image` for docker (local docker image ref, e.g. `agentbox/box:dev`). Wins over the generic when set.",
+    advanced: true
+  },
+  {
+    key: "box.imageDaytona",
+    type: "string",
+    description: "Per-provider override of `box.image` for daytona (named snapshot, e.g. `agentbox-base-<fingerprint>`). Written by `agentbox prepare --provider daytona`.",
+    advanced: true
+  },
+  {
+    key: "box.imageHetzner",
+    type: "string",
+    description: "Per-provider override of `box.image` for hetzner (image description, e.g. `agentbox-base-<fingerprint>`). Written by `agentbox prepare --provider hetzner`.",
+    advanced: true
+  },
+  {
+    key: "box.imageVercel",
+    type: "string",
+    description: "Per-provider override of `box.image` for vercel (snapshot id, e.g. `snap_\u2026`). Written by `agentbox prepare --provider vercel`.",
     advanced: true
   },
   {
@@ -18632,7 +18690,12 @@ var KEY_REGISTRY = [
     key: "attach.openIn",
     type: "enum",
     enumValues: ["split", "window", "tab", "same"],
-    description: "Where `agentbox claude|codex|opencode` opens the attached session when run from tmux or iTerm2: `split` (tmux split-window / iTerm2 vertical split, default), `window` (tmux new-window / new iTerm2 window), `tab` (tmux new-window / new iTerm2 tab), or `same` (attach inline in the current terminal). Outside tmux/iTerm2 every value behaves like `same`."
+    description: "Where `agentbox claude|codex|opencode` opens the attached session when run from tmux, cmux, or iTerm2: `split` (tmux split-window / cmux new-split / iTerm2 vertical split, default \u2014 same workspace), `window` (tmux new-window / cmux new-workspace / new iTerm2 window), `tab` (tmux new-window / cmux new-surface tab in the current pane, same workspace / new iTerm2 tab), or `same` (attach inline in the current terminal). Outside tmux/cmux/iTerm2 every value behaves like `same`."
+  },
+  {
+    key: "attach.cmuxStatus",
+    type: "bool",
+    description: "When attached inside cmux, reflect the box agent's live activity on its cmux workspace (colour + description: blue=working, amber=needs input, idle clears; restored on detach) and, when the agent needs input, flag the box's own tab via a cmux notification (tab badge + reorder + desktop notification) so it stands out among sibling tabs. cmux only; no-op in other terminals."
   },
   {
     key: "code.ide",
@@ -19163,6 +19226,8 @@ var GH_PR_OPS = [
   "create",
   "view",
   "list",
+  "diff",
+  "checks",
   "comment",
   "review",
   "merge",
@@ -19173,7 +19238,84 @@ var GH_PR_OPS = [
 function isGhPrOp(value) {
   return GH_PR_OPS.includes(value);
 }
-var GH_PR_READ_ONLY_OPS = /* @__PURE__ */ new Set(["view", "list"]);
+var GH_PR_READ_ONLY_OPS = /* @__PURE__ */ new Set([
+  "view",
+  "list",
+  "diff",
+  "checks"
+]);
+var GH_RUN_OPS = ["list", "view", "rerun"];
+function isGhRunOp(value) {
+  return GH_RUN_OPS.includes(value);
+}
+var GH_RUN_READ_ONLY_OPS = /* @__PURE__ */ new Set(["list", "view"]);
+var PR_REVIEW_COMMENT = /^repos\/[^/]+\/[^/]+\/pulls\/\d+\/comments(\?.*)?$/;
+var PR_REVIEW_COMMENT_REPLY = /^repos\/[^/]+\/[^/]+\/pulls\/\d+\/comments\/\d+\/replies(\?.*)?$/;
+var GH_API_WRITE_ALLOWED_ENDPOINTS = [
+  PR_REVIEW_COMMENT,
+  PR_REVIEW_COMMENT_REPLY
+];
+var GH_API_ALLOWED_ENDPOINTS = [...GH_API_WRITE_ALLOWED_ENDPOINTS];
+function isAllowedGhApiEndpoint(endpoint) {
+  return GH_API_ALLOWED_ENDPOINTS.some((re) => re.test(normalizeGhApiEndpoint(endpoint)));
+}
+function isWriteAllowedGhApiEndpoint(endpoint) {
+  return GH_API_WRITE_ALLOWED_ENDPOINTS.some((re) => re.test(normalizeGhApiEndpoint(endpoint)));
+}
+function normalizeGhApiEndpoint(endpoint) {
+  return endpoint.replace(/^\/+/, "");
+}
+var GH_API_ENDPOINT_REFUSAL = {
+  exitCode: 65,
+  stdout: "",
+  stderr: "gh api: endpoint not allowlisted. Proxied: GET on repos/:owner/:repo/pulls/:number/comments (and /:id/replies); POST to those endpoints to add a review comment.\n"
+};
+function refuseGhApiCall(endpoint, args) {
+  const refuse = (reason) => ({
+    exitCode: 65,
+    stdout: "",
+    stderr: `gh api: ${reason}
+`
+  });
+  let explicitMethod = null;
+  let hasFieldFlag = false;
+  for (let i2 = 0; i2 < args.length; i2++) {
+    const arg = args[i2] ?? "";
+    if (arg === "-X" || arg === "--method") {
+      explicitMethod = args[i2 + 1] ?? "";
+      i2++;
+      continue;
+    }
+    if (arg.startsWith("--method=")) {
+      explicitMethod = arg.slice("--method=".length);
+      continue;
+    }
+    if (arg.startsWith("-X") && arg.length > 2) {
+      explicitMethod = arg.slice(2).replace(/^=/, "");
+      continue;
+    }
+    if (arg === "--input" || arg.startsWith("--input=")) {
+      return refuse("'--input' (stdin/file body) isn't supported through the relay; use -f/-F fields");
+    }
+    if (arg === "-f" || arg === "-F" || arg === "--field" || arg === "--raw-field") {
+      hasFieldFlag = true;
+      i2++;
+      continue;
+    }
+    if (arg.startsWith("-f") || arg.startsWith("-F") || arg.startsWith("--field=") || arg.startsWith("--raw-field=")) {
+      hasFieldFlag = true;
+    }
+  }
+  const method = (explicitMethod ?? (hasFieldFlag ? "POST" : "GET")).toUpperCase();
+  if (method === "GET") return null;
+  if (method === "POST") {
+    if (isWriteAllowedGhApiEndpoint(endpoint)) return null;
+    return refuse(
+      `POST is only proxied to PR review-comment endpoints (repos/:o/:r/pulls/:n/comments[/:id/replies]), not '${endpoint}'`
+    );
+  }
+  return refuse(`method '${method}' is not proxied \u2014 only GET, and POST to comment endpoints, are allowed`);
+}
 function injectPrCreateHead(op, branch, args) {
   if (op !== "create") return args;
   if (!branch || branch === "HEAD") return args;
@@ -19451,6 +19593,12 @@ async function executeCloudAction(action, deps) {
   if (action.method.startsWith("gh.pr.")) {
     return runGhPrRpc(action, deps);
   }
+  if (action.method.startsWith("gh.run.")) {
+    return runGhRunRpc(action, deps);
+  }
+  if (action.method === "gh.api") {
+    return runGhApiRpc(action, deps);
+  }
   if (action.method === "git.clone" || action.method === "gh.repo.clone") {
     return {
       exitCode: 64,
@@ -19559,6 +19707,66 @@ async function runGhPrRpc(action, deps) {
   if (prCreateNeedsHead(op, finalArgs)) return PR_CREATE_NO_HEAD_REFUSAL;
   return runHostGh(["pr", op, ...finalArgs], lookup.workspacePath);
 }
+async function cloudWriteConfirm(deps, command, cwd, args) {
+  if (!deps.prompts || !deps.subscribers) return null;
+  const ctx = {
+    kind: "confirm",
+    message: `Allow ${command} from cloud box ${deps.boxName ?? deps.boxId}?`,
+    detail: args.join(" ").slice(0, 200),
+    defaultAnswer: "n",
+    context: { command, cwd, argv: args }
+  };
+  const hasSubscriber = deps.subscribers.forBox(deps.boxId).length > 0;
+  if (!hasSubscriber && process.env["AGENTBOX_PROMPT"] !== "off") {
+    const noSubMode = (process.env["AGENTBOX_GH_NO_SUB"] ?? "deny").toLowerCase();
+    if (noSubMode === "deny") {
+      return {
+        exitCode: 10,
+        stdout: "",
+        stderr: "denied automatically \u2014 no attached wrapper to confirm. Attach `agentbox claude` (or similar) and retry, or set AGENTBOX_GH_NO_SUB=allow.\n"
+      };
+    }
+    if (noSubMode === "allow") {
+      deps.log?.(`${command} auto-approved (no subscribers, AGENTBOX_GH_NO_SUB=allow)`);
+      return null;
+    }
+    const verdict2 = await askPrompt(deps.prompts, deps.subscribers, deps.boxId, ctx, {
+      ttlMs: 5 * 60 * 1e3
+    });
+    return verdict2.answer === "y" ? null : { exitCode: 10, stdout: "", stderr: "denied by user\n" };
+  }
+  const verdict = await askPrompt(deps.prompts, deps.subscribers, deps.boxId, ctx);
+  return verdict.answer === "y" ? null : { exitCode: 10, stdout: "", stderr: "denied by user\n" };
+}
+async function runGhRunRpc(action, deps) {
+  const op = action.method.slice("gh.run.".length);
+  if (!isGhRunOp(op)) {
+    return { exitCode: 64, stdout: "", stderr: `unknown gh.run.* op: ${op}
+` };
+  }
+  const params = action.params ?? {};
+  const args = Array.isArray(params.args) ? params.args.filter((a2) => typeof a2 === "string") : [];
+  const ghReady = await assertGhReady();
+  if (ghReady) return ghReady;
+  const lookup = await lookupCloudBox(deps.boxId);
+  if (!GH_RUN_READ_ONLY_OPS.has(op)) {
+    const denied = await cloudWriteConfirm(deps, `gh run ${op}`, params.path, args);
+    if (denied) return denied;
+  }
+  return runHostGh(["run", op, ...args], lookup.workspacePath);
+}
+async function runGhApiRpc(action, deps) {
+  const params = action.params ?? {};
+  const endpoint = typeof params.endpoint === "string" ? params.endpoint : "";
+  if (!isAllowedGhApiEndpoint(endpoint)) return GH_API_ENDPOINT_REFUSAL;
+  const args = Array.isArray(params.args) ? params.args.filter((a2) => typeof a2 === "string") : [];
+  const callRefusal = refuseGhApiCall(endpoint, args);
+  if (callRefusal) return callRefusal;
+  const ghReady = await assertGhReady();
+  if (ghReady) return ghReady;
+  const lookup = await lookupCloudBox(deps.boxId);
+  return runHostGh(["api", endpoint, ...args], lookup.workspacePath);
+}
 async function runBrowserOpenMirror(action, deps) {
   const params = action.params ?? {};
   const url = typeof params.url === "string" ? params.url.trim() : "";
@@ -20235,6 +20443,29 @@ function createRelayServer(opts) {
         send(res, status2, result);
         return;
       }
+      if (body.method.startsWith("gh.run.")) {
+        const op = body.method.slice("gh.run.".length);
+        if (!isGhRunOp(op)) {
+          send(res, 400, { error: `unknown gh.run.* op: ${op}` });
+          return;
+        }
+        const result = await handleGhRunRpc(
+          op,
+          reg,
+          body.params,
+          prompts,
+          subscribers
+        );
+        const status2 = result.exitCode === 0 ? 200 : 500;
+        send(res, status2, result);
+        return;
+      }
+      if (body.method === "gh.api") {
+        const result = await handleGhApiRpc(reg, body.params);
+        const status2 = result.exitCode === 0 ? 200 : 500;
+        send(res, status2, result);
+        return;
+      }
       if (body.method === "git.clone" || body.method === "gh.repo.clone") {
         send(res, 501, {
           exitCode: 64,
@@ -20712,6 +20943,53 @@ async function handleGhPrRpc(op, reg, params, prompts, subscribers, hostInitiate
   if (prCreateNeedsHead(op, finalArgs)) return PR_CREATE_NO_HEAD_REFUSAL;
   return runHostGh(["pr", op, ...finalArgs], worktree.hostMainRepo);
 }
+async function handleGhRunRpc(op, reg, params, prompts, subscribers) {
+  const containerPath = params?.path ?? "/workspace";
+  const worktree = resolveWorktree(reg, containerPath);
+  if (!worktree) {
+    return {
+      exitCode: 64,
+      stdout: "",
+      stderr: `no worktree registered for box ${reg.boxId} matching ${containerPath}`
+    };
+  }
+  const ghReady = await assertGhReady();
+  if (ghReady) return ghReady;
+  const args = Array.isArray(params?.args) ? params.args.filter((a2) => typeof a2 === "string") : [];
+  if (!GH_RUN_READ_ONLY_OPS.has(op)) {
+    const detail = args.join(" ").slice(0, 200);
+    const verdict = await askPrompt(prompts, subscribers, reg.boxId, {
+      kind: "confirm",
+      message: `Allow gh run ${op} from box ${reg.name}?`,
+      detail,
+      defaultAnswer: "n",
+      context: { command: `gh run ${op}`, cwd: containerPath, argv: args }
+    });
+    if (verdict.answer !== "y") {
+      return { exitCode: 10, stdout: "", stderr: "denied by user\n" };
+    }
+  }
+  return runHostGh(["run", op, ...args], worktree.hostMainRepo);
+}
+async function handleGhApiRpc(reg, params) {
+  const containerPath = params?.path ?? "/workspace";
+  const worktree = resolveWorktree(reg, containerPath);
+  if (!worktree) {
+    return {
+      exitCode: 64,
+      stdout: "",
+      stderr: `no worktree registered for box ${reg.boxId} matching ${containerPath}`
+    };
+  }
+  const endpoint = typeof params?.endpoint === "string" ? params.endpoint : "";
+  if (!isAllowedGhApiEndpoint(endpoint)) return GH_API_ENDPOINT_REFUSAL;
+  const args = Array.isArray(params?.args) ? params.args.filter((a2) => typeof a2 === "string") : [];
+  const callRefusal = refuseGhApiCall(endpoint, args);
+  if (callRefusal) return callRefusal;
+  const ghReady = await assertGhReady();
+  if (ghReady) return ghReady;
+  return runHostGh(["api", endpoint, ...args], worktree.hostMainRepo);
+}
 async function handleCpRpc(reg, method, params) {
   const entry = process.env.AGENTBOX_CLI_ENTRY;
   if (!entry) {
@@ -23083,6 +23361,8 @@ var PR_SUBCOMMANDS = [
   },
   { op: "view", description: "Run `gh pr view` on the host (read-only; no prompt)." },
   { op: "list", description: "Run `gh pr list` on the host (read-only; no prompt)." },
+  { op: "diff", description: "Run `gh pr diff` on the host (read-only; no prompt)." },
+  { op: "checks", description: "Run `gh pr checks` on the host (read-only; no prompt)." },
   { op: "comment", description: "Run `gh pr comment` on the host (prompted; visible to others)." },
   { op: "review", description: "Run `gh pr review` on the host (prompted; visible to others)." },
   {
@@ -23144,7 +23424,42 @@ var repoCommand = new Command("repo").description("GitHub repo operations via th
     }
   )
 );
-var ghCommand = new Command("gh").description("GitHub CLI operations routed through the relay (host `gh` runs with host creds; box never sees a token)").addCommand(buildPrCommand("agentbox-ctl gh pr")).addCommand(repoCommand);
+var RUN_SUBCOMMANDS = [
+  { op: "list", description: "Run `gh run list` on the host (read-only; no prompt)." },
+  { op: "view", description: "Run `gh run view` on the host (read-only; no prompt)." },
+  {
+    op: "rerun",
+    description: "Run `gh run rerun` on the host (prompted; re-triggers CI)."
+  }
+];
+function buildRunCommand(errorPrefix) {
+  const runCommand = new Command("run").description(
+    "GitHub Actions run operations via the host `gh` CLI (requires `gh` installed and `gh auth login` on the host)"
+  );
+  for (const spec of RUN_SUBCOMMANDS) {
+    runCommand.addCommand(
+      new Command(spec.op).description(spec.description).option("--cwd <path>", "container path identifying which registered worktree to use").allowExcessArguments(true).allowUnknownOption(true).argument(
+        "[args...]",
+        "extra flags forwarded to `gh run <op>` verbatim (e.g. `--json`, `--limit`, `<run-id>`)."
+      ).action(async (args, opts) => {
+        const params = { path: opts.cwd ?? process.cwd() };
+        if (args.length > 0) params.args = args;
+        const code = await postRpcAndExit(`gh.run.${spec.op}`, params, { errorPrefix });
+        process.exit(code);
+      })
+    );
+  }
+  return runCommand;
+}
+var apiCommand = new Command("api").description(
+  "Allowlisted `gh api` (host runs `gh api`): GET on proxied endpoints, plus POST to add a PR review comment. Other methods are rejected."
+).option("--cwd <path>", "container path identifying which registered worktree to use").allowExcessArguments(true).allowUnknownOption(true).argument("<endpoint>", "REST endpoint, e.g. repos/:owner/:repo/pulls/:number/comments").argument("[args...]", "extra flags forwarded to `gh api` verbatim (e.g. `--jq`, `-f body=\u2026`).").action(async (endpoint, args, opts) => {
+  const params = { path: opts.cwd ?? process.cwd(), endpoint };
+  if (args.length > 0) params.args = args;
+  const code = await postRpcAndExit("gh.api", params, { errorPrefix: "agentbox-ctl gh api" });
+  process.exit(code);
+});
+var ghCommand = new Command("gh").description("GitHub CLI operations routed through the relay (host `gh` runs with host creds; box never sees a token)").addCommand(buildPrCommand("agentbox-ctl gh pr")).addCommand(buildRunCommand("agentbox-ctl gh run")).addCommand(apiCommand).addCommand(repoCommand);
 
 // src/commands/git.ts
 var import_node_child_process11 = require("child_process");
@@ -23172,6 +23487,18 @@ function runLocalGit(args, cwd) {
     });
   });
 }
+function hasGitIdentity(cwd) {
+  return new Promise((resolve2) => {
+    const child = (0, import_node_child_process11.spawn)("git", ["config", "user.email"], {
+      cwd,
+      stdio: ["ignore", "pipe", "ignore"]
+    });
+    let out = "";
+    child.stdout.on("data", (c3) => out += c3.toString("utf8"));
+    child.on("close", (code) => resolve2(code === 0 && out.trim().length > 0));
+    child.on("error", () => resolve2(false));
+  });
+}
 var gitCommand = new Command("git").description("Git operations that need host credentials (routed through the agentbox relay)").addCommand(
   new Command("push").description("Run `git push` on the host main repo against this box's branch (user is prompted on the host wrapper to confirm)").option("--remote <name>", "remote name (default: origin)").option("--cwd <path>", "container path identifying which registered worktree to use").addOption(hostInitiatedOption()).allowExcessArguments(true).allowUnknownOption(true).argument(
     "[args...]",
@@ -23206,7 +23533,16 @@ var gitCommand = new Command("git").description("Git operations that need host c
       if (fetchCode !== 0) process.exit(fetchCode);
       const remote = opts.remote ?? "origin";
       const cwd = opts.cwd ?? process.cwd();
-      const mergeArgs = ["merge"];
+      const mergeArgs = [];
+      if (!await hasGitIdentity(cwd)) {
+        mergeArgs.push(
+          "-c",
+          "user.name=agentbox",
+          "-c",
+          "user.email=agentbox@users.noreply.github.com"
+        );
+      }
+      mergeArgs.push("merge");
       if (opts.ffOnly) mergeArgs.push("--ff-only");
       mergeArgs.push(`${remote}/HEAD`);
       const mergeCode = await runLocalGit(mergeArgs, cwd);

package/runtime/vercel/gh-shim

@@ -89,7 +89,7 @@ first_positional() {
 handle_pr() {
   local op="${1-}"; shift || true
   if [ -z "$op" ]; then
-    die "missing subcommand for 'gh pr'. Supported: view, list, create, comment, review, merge, checkout, close, reopen"
+    die "missing subcommand for 'gh pr'. Supported: view, list, diff, checks, create, comment, review, merge, checkout, close, reopen"
   fi
   local branch
   branch="$(box_branch)"
@@ -109,6 +109,20 @@ handle_pr() {
       fi
       exec "$CTL" gh pr list -- "$@"
       ;;
+    diff)
+      strict_flags "gh pr diff" "--color|--name-only|--patch" "$@"
+      if [ -z "$(first_positional "--color" "$@")" ] && [ -n "$branch" ]; then
+        set -- "$branch" "$@"
+      fi
+      exec "$CTL" gh pr diff -- "$@"
+      ;;
+    checks)
+      strict_flags "gh pr checks" "--json|--required" "$@"
+      if [ -z "$(first_positional "--json" "$@")" ] && [ -n "$branch" ]; then
+        set -- "$branch" "$@"
+      fi
+      exec "$CTL" gh pr checks -- "$@"
+      ;;
     create)
       strict_flags "gh pr create" "--fill|--draft|--title|--body|--base" "$@"
       if ! needle_present "--head" "$@" && [ -n "$branch" ]; then
@@ -162,11 +176,70 @@ handle_pr() {
       exec "$CTL" gh pr checkout -- "$@"
       ;;
     *)
-      die "'gh pr $op' is not proxied (supported: view, list, create, comment, review, merge, checkout, close, reopen)"
+      die "'gh pr $op' is not proxied (supported: view, list, diff, checks, create, comment, review, merge, checkout, close, reopen)"
       ;;
   esac
 }
 
+handle_run() {
+  local op="${1-}"; shift || true
+  if [ -z "$op" ]; then
+    die "missing subcommand for 'gh run'. Supported: list, view, rerun"
+  fi
+  case "$op" in
+    list)
+      strict_flags "gh run list" "--json|--limit|-L|--workflow|-w|--branch|-b|--status|--user" "$@"
+      exec "$CTL" gh run list -- "$@"
+      ;;
+    view)
+      strict_flags "gh run view" "--json|--log|--log-failed|--job" "$@"
+      # gh run view needs a run-id OR a --job <id>; refuse when neither is
+      # present (host-side gh would otherwise try an interactive picker and
+      # fail without a TTY).
+      if [ -z "$(first_positional "--json|--job" "$@")" ] && ! needle_present "--job" "$@"; then
+        die "'gh run view' requires a positional <run-id> (or --job <job-id>)"
+      fi
+      exec "$CTL" gh run view -- "$@"
+      ;;
+    rerun)
+      strict_flags "gh run rerun" "--failed|--job" "$@"
+      if [ -z "$(first_positional "--job" "$@")" ] && ! needle_present "--job" "$@"; then
+        die "'gh run rerun' requires a positional <run-id> (or --job <job-id>)"
+      fi
+      exec "$CTL" gh run rerun -- "$@"
+      ;;
+    watch)
+      die "'gh run watch' is not proxied (it blocks until CI finishes). Poll status with 'gh run view <run-id>' instead."
+      ;;
+    *)
+      die "'gh run $op' is not proxied (supported: list, view, rerun)"
+      ;;
+  esac
+}
+
+handle_api() {
+  local endpoint="${1-}"
+  if [ -z "$endpoint" ] || [ "${endpoint:0:1}" = "-" ]; then
+    die "'gh api' requires a positional <endpoint> (e.g. repos/:owner/:repo/pulls/:number/comments)"
+  fi
+  shift
+  # GET reads are proxied for any allowlisted endpoint; POST is proxied only to
+  # the PR review-comment endpoints (the relay enforces the endpoint + method
+  # policy). `--input` (stdin/file body) can't cross the relay — the host `gh`
+  # runs with stdin ignored — so reject it locally and point at -f/-F fields.
+  local arg
+  for arg in "$@"; do
+    case "$arg" in
+      --input|--input=*)
+        die "'gh api --input' (stdin/file body) isn't supported through the relay; use -f/-F fields"
+        ;;
+    esac
+  done
+  strict_flags "gh api" \
+    "--method|-X|-f|-F|--field|--raw-field|--jq|-q|--paginate|--cache|--hostname|-H|--header" "$@"
+  exec "$CTL" gh api "$endpoint" -- "$@"
+}
+
 handle_repo() {
   local op="${1-}"; shift || true
   if [ "$op" != "clone" ]; then
@@ -218,7 +291,7 @@ handle_repo() {
 
 # Top-level dispatch.
 if [ $# -eq 0 ]; then
-  die "no subcommand. Supported: pr {view,list,create,comment,review,merge,checkout,close,reopen}, repo clone, auth status, --version"
+  die "no subcommand. Supported: pr {view,list,diff,checks,create,comment,review,merge,checkout,close,reopen}, run {list,view,rerun}, api <endpoint>, repo clone, auth status, --version"
 fi
 
 case "$1" in
@@ -232,7 +305,7 @@ case "$1" in
     ;;
   --help|-h)
     printf 'agentbox gh shim — strict subset.\n' >&2
-    printf 'Supported: pr {view,list,create,comment,review,merge,checkout,close,reopen}, repo clone, auth status, --version\n' >&2
+    printf 'Supported: pr {view,list,diff,checks,create,comment,review,merge,checkout,close,reopen}, run {list,view,rerun}, api <endpoint>, repo clone, auth status, --version\n' >&2
     printf 'Anything else is rejected. Run host `gh --help` for full upstream docs.\n' >&2
     ;;
   auth)
@@ -253,11 +326,19 @@ case "$1" in
     shift
     handle_pr "$@"
     ;;
+  run)
+    shift
+    handle_run "$@"
+    ;;
+  api)
+    shift
+    handle_api "$@"
+    ;;
   repo)
     shift
     handle_repo "$@"
     ;;
   *)
-    die "'gh $1' is not proxied (supported: pr {…}, repo clone, auth status, --version)"
+    die "'gh $1' is not proxied (supported: pr {…}, run {…}, api <endpoint>, repo clone, auth status, --version)"
     ;;
 esac

package/share/host-skills/agentbox/SKILL.md

@@ -12,16 +12,27 @@ Fork the current Claude Code session into a fresh AgentBox box.
 
 1. **Resolve the provider flag from `$ARGUMENTS`:**
    - empty → no flag (uses the default docker provider)
-   - `docker` | `daytona` | `hetzner` → pass `--provider $ARGUMENTS`
-   - anything else → stop and tell the user the valid values are `docker`, `daytona`, `hetzner`
+   - `docker` | `daytona` | `hetzner` | `vercel` → pass `--provider $ARGUMENTS`
+   - anything else → stop and tell the user the valid values are `docker`, `daytona`, `hetzner`, `vercel`
 
-2. **Fork.** Run, via the Bash tool, exactly one command:
+2. **Detect an active plan (optional `--plan`).** If this session was just working on a Claude Code plan, carry it into the box so the fork resumes in plan mode.
+   - **If you know the plan file path** for this session (plan mode writes it to `~/.claude/plans/<slug>.md`, and you have it from the plan you just produced in this conversation), use that path.
+   - **Otherwise**, find the most recent plan only if it was touched in the last 15 minutes (a stale plan from another task should not be resurrected). Run via the Bash tool:
+
+     ```
+     find "$HOME/.claude/plans" -name '*.md' -mmin -15 -type f 2>/dev/null \
+       | xargs -r ls -t 2>/dev/null | head -1
+     ```
+
+     If it prints a path, that's the current plan; if it prints nothing, there is no active plan — skip `--plan`.
+
+3. **Fork.** If you are in plan mode, exit it, then run, via the Bash tool, exactly one command (add `--plan "<path>"` only if step 2 found a plan):
 
    ```
-   agentbox fork --session ${CLAUDE_SESSION_ID} [--provider $ARGUMENTS]
+   agentbox fork --session ${CLAUDE_SESSION_ID} [--provider $ARGUMENTS] [--plan "<plan path>"]
    ```
 
-3. **Report.** In one line, give the user the new box name (parse it from the command output) and confirm their host session is unaffected. Do not summarize the conversation — the fork already carries it.
+4. **Report.** In one line, give the user the new box name (parse it from the command output) and confirm their host session is unaffected. If you passed `--plan`, mention the box opens in plan mode ready to resume. Do not summarize the conversation — the fork already carries it.
 
 ## Troubleshooting
 

package/share/host-skills/agentbox-info/SKILL.md

@@ -68,9 +68,11 @@ agentbox claude attach <name|n>       # reattach to a specific box
 
 `-i` works on every provider — pass `--provider daytona|hetzner|vercel` (or set `box.provider`) and the queued job creates a cloud box and pre-starts the seeded agent session detached, same as docker. The host must have valid agent credentials. Extra args after `--` are forwarded to the in-box agent (e.g. `agentbox claude -i "<prompt>" --provider vercel -- --permission-mode=plan`).
 
+`-i` honors the project's `carry:` block: the carry gate runs on the host when you submit (it prompts there, since you're at the terminal), and the approved files ride the queued job and land in the box at create time. Auto-approve non-interactively with `--carry-yes` (or `AGENTBOX_CARRY_YES=1`); skip with `--carry skip` (or `AGENTBOX_CARRY=skip`).
+
 ## Forking the current session into a box
 
-From host Claude, run the **`/agentbox`** slash command (optional arg: `docker` | `daytona` | `hetzner`) to snapshot the *current* Claude Code session into a brand-new box that resumes it. With tmux or iTerm it opens in a new terminal tab; otherwise it starts in the background. The host session is unaffected — you get two parallel timelines. The underlying CLI is `agentbox fork` (`agentbox fork --help`); `/agentbox` requires `agentbox install` to have been run once. This is distinct from `-i`, which seeds a *new* prompt rather than resuming the live conversation.
+From host Claude, run the **`/agentbox`** slash command (optional arg: `docker` | `daytona` | `hetzner`) to snapshot the *current* Claude Code session into a brand-new box that resumes it. With tmux or iTerm it opens in a new terminal tab; otherwise it starts in the background. The host session is unaffected — you get two parallel timelines. The underlying CLI is `agentbox fork` (`agentbox fork --help`); `/agentbox` requires `agentbox install` to have been run once. This is distinct from `-i`, which seeds a *new* prompt rather than resuming the live conversation. Fork **sends** the project's `carry:` block by default (the host is trusted; the box is the untrusted side, so host→box copy is safe) — opt out with `agentbox fork --carry skip`.
 
 ## Driving one agent from another (`drive`, `agent`, `queue wait-for`)