@madarco/agentbox 0.12.0 → 0.14.0

package/dist/{prepared-state-MQHD3M5F-KE4DT3GX.js → prepared-state-MQHD3M5F-Q27AZU53.js}

@@ -6,7 +6,7 @@ import {
   readPreparedDockerState,
   resolveContextFiles,
   writePreparedDockerState
-} from "./chunk-SNTHHWKY.js";
+} from "./chunk-XKH7NTT7.js";
 export {
   DOCKERFILE_PATH,
   computeDockerContextFingerprint,
@@ -15,4 +15,4 @@ export {
   resolveContextFiles,
   writePreparedDockerState
 };
-//# sourceMappingURL=prepared-state-MQHD3M5F-KE4DT3GX.js.map
+//# sourceMappingURL=prepared-state-MQHD3M5F-Q27AZU53.js.map

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@madarco/agentbox",
-  "version": "0.12.0",
+  "version": "0.14.0",
   "description": "Launch Claude Code, Codex, and other coding agents in isolated sandboxes",
   "license": "MIT",
   "author": "Marco D'Alia",
@@ -46,6 +46,7 @@
     "@vercel/sandbox": "^2.0.1",
     "@xterm/headless": "^5.5.0",
     "commander": "^12.1.0",
+    "e2b": "^2.27.1",
     "execa": "^9.5.2",
     "supports-hyperlinks": "^3.1.0",
     "yaml": "^2.6.1"
@@ -58,16 +59,17 @@
     "tsup": "^8.3.5",
     "typescript": "^5.7.2",
     "vitest": "^2.1.8",
-    "@agentbox/ctl": "0.0.0",
-    "@agentbox/core": "0.0.0",
     "@agentbox/config": "0.0.0",
-    "@agentbox/relay": "0.0.0",
+    "@agentbox/ctl": "0.0.0",
     "@agentbox/sandbox-cloud": "0.0.0",
+    "@agentbox/relay": "0.0.0",
+    "@agentbox/core": "0.0.0",
     "@agentbox/sandbox-daytona": "0.0.0",
-    "@agentbox/sandbox-docker": "0.0.0",
     "@agentbox/sandbox-core": "0.0.0",
-    "@agentbox/sandbox-hetzner": "0.0.0",
-    "@agentbox/sandbox-vercel": "0.0.0"
+    "@agentbox/sandbox-docker": "0.0.0",
+    "@agentbox/sandbox-e2b": "0.0.0",
+    "@agentbox/sandbox-vercel": "0.0.0",
+    "@agentbox/sandbox-hetzner": "0.0.0"
   },
   "scripts": {
     "build": "tsup",

package/runtime/docker/Dockerfile.box

@@ -268,16 +268,20 @@ RUN npm install -g opencode-ai
 #     the noble transition. If the base image moves back to jammy these will
 #     need the un-suffixed names.
 #
-#  2. Get an actual Chromium binary. `agent-browser install` would normally
-#     download Chrome for Testing, but Chrome for Testing has no Linux ARM64
-#     build (Apple Silicon hosts run linux/arm64 containers) and Noble's
-#     `chromium-browser` apt package is a snap stub that won't run inside a
-#     container. The reliable cross-arch source is Playwright's bundled
-#     Chromium, so we install playwright globally just for its
-#     `playwright install chromium` downloader, then point agent-browser at
-#     the resulting binary via AGENT_BROWSER_EXECUTABLE_PATH. agent-browser
-#     honours that env var (priority: CLI flag > env > config file >
-#     built-in default; see agent-browser's README).
+#  2. Provide a Chromium *lazily*, shared with the project's Playwright. We do
+#     NOT bake a Chromium download into the image: Playwright pins an exact
+#     build per playwright version, so a baked browser goes stale the instant a
+#     project pins a different Playwright — its `playwright install` fetches a
+#     different build and anything waiting on the baked path hangs. Instead,
+#     `AGENT_BROWSER_EXECUTABLE_PATH` points at the `chromium-resolver` script
+#     (installed as /usr/local/bin/chromium below), which reuses the project's
+#     Playwright Chromium when present and otherwise installs one on first use
+#     with the project's pinned Playwright (matching build), falling back to the
+#     box's global Playwright. agent-browser honours that env var (priority: CLI
+#     flag > env > config file > built-in default; see agent-browser's README).
+#     Chrome-for-Testing has no linux/arm64 build and Noble's chromium apt
+#     package is a snap stub, so Playwright's downloader stays the only reliable
+#     cross-arch source — we just invoke it lazily instead of at build time.
 #
 # Runtime state (sessions, auth cookies under ~/.agent-browser/) lives in the
 # container's writable layer, preserved across pause/unpause/stop/start and
@@ -290,6 +294,8 @@ RUN apt-get update \
         fonts-liberation xdg-utils \
     && rm -rf /var/lib/apt/lists/*
 
+# agent-browser + a global playwright (the latter is only the lazy fallback
+# Chromium downloader for projects that don't pin their own Playwright).
 RUN npm install -g agent-browser playwright
 
 # Portless CLI (https://portless.sh). Only the client — the box never runs the
@@ -299,22 +305,11 @@ RUN npm install -g agent-browser playwright
 # Requires Node 24+ — hence the setup_24.x bump above.
 RUN npm install -g portless
 
-# Download Chromium as `vscode` so the ms-playwright cache lands in vscode's
-# home (the user agent-browser runs as). The downloaded binary lives at
-# `chromium-XXXX/chrome-linux*/chrome`, where XXXX is a Playwright-internal
-# revision number that changes between releases — and the inner dir is
-# `chrome-linux` for old releases and `chrome-linux64` (or `chrome-linux/arm64`)
-# for current Chrome-for-Testing builds. Glob both. We resolve once and write
-# a stable symlink so AGENT_BROWSER_EXECUTABLE_PATH can point at something
-# predictable.
-USER vscode
-RUN playwright install chromium \
-    && CHROME_BIN="$(ls /home/vscode/.cache/ms-playwright/chromium-*/chrome-linux*/chrome 2>/dev/null | sort | tail -1)" \
-    && test -n "$CHROME_BIN" \
-    && ln -sf "$CHROME_BIN" /tmp/chromium-link \
-    && test -x "$(readlink /tmp/chromium-link)"
-USER root
-RUN mv /tmp/chromium-link /usr/local/bin/chromium
+# /usr/local/bin/chromium is a resolver (not a baked binary): on first launch it
+# reuses the project's Playwright Chromium or installs one on demand, then execs
+# it. See the script header and the rationale in the browser-support note above.
+COPY packages/sandbox-docker/scripts/chromium-resolver /usr/local/bin/chromium
+RUN chmod +x /usr/local/bin/chromium
 
 ENV AGENT_BROWSER_EXECUTABLE_PATH=/usr/local/bin/chromium
 

package/runtime/docker/apps/cli/share/agentbox-setup/SKILL.md

@@ -48,7 +48,42 @@ Look at `/workspace`:
 - No cycles in `needs:`.
 - **Always generate a dependency-install task** and make it the root of the `needs:` graph (every service that needs deps gets `needs: [install, …]`). Future boxes start from a snapshot of the final filesystem so they won't need this, but updates or moving to a cloud provider might need to rebuild the container from scratch. The filesystem can be then later captured by `agentbox-ctl checkpoint --set-default`. The task must be **idempotent and self-healing**: `agentbox-ctl` re-runs pending tasks on every box stop/start (the daemon dies with the container and is relaunched), so a plain `rm -rf node_modules && install` would wipe + reinstall on every start. Guard the rebuild with a marker file *inside* `node_modules` (the `.agentbox-installed` convention AgentBox uses internally): rebuild only when the marker is absent (fresh box), and be a fast no-op once it exists. Detect the package manager from the lockfile — never hardcode `pnpm`. See the worked example below.
 - **Add a comment to the beginning** of the file to explain what you did and what issues you encountered, so that future run might use this information in case the project evolves and you need to update the agentbox.yaml file.
--
+
+### Stateful services: data persistence & re-seeding (read this for databases)
+
+**A checkpoint does NOT capture docker-in-docker data.** `agentbox checkpoint` is a `docker commit` of the box's writable filesystem (the system + `/workspace`). The in-box `dockerd` keeps its storage in a *separate* per-box volume (`/var/lib/docker`), which is **not** part of that image — it's fresh on every new box and wiped on `agentbox destroy`. So a database or cache you run as a **docker container** (e.g. `docker run … postgres`) starts **empty on every new box** created from a checkpoint (every `agentbox claude` / `agentbox create`), even though `/workspace` and any marker files you wrote were restored. (A DB run as a **native process** with its data dir on the box filesystem — e.g. `postgres -D /var/lib/postgresql/data` — *is* captured by the checkpoint, since it lives in the writable layer.)
+
+**Consequence for migrate/seed tasks of a containerized DB: do not gate them on a filesystem marker.** A marker like `node_modules/.agentbox-installed` is correct for deps (they live in `/workspace`, which the checkpoint captures), but **wrong** for DB data living in a docker volume: the marker is restored from the checkpoint while the DB is empty, so a marker-guarded seed wrongly skips and the app boots against an empty database. Instead, **gate on the actual data** — connect to the DB and check whether a sentinel table/row exists, and seed only when it's missing:
+
+```yaml
+  seed:
+    # Re-seed when the DB is empty. The postgres data lives in the in-box
+    # docker volume, which is NOT captured by `agentbox checkpoint` — so a box
+    # started from a checkpoint has the workspace warm but an empty DB. We can't
+    # use a filesystem marker here (it would be restored while the DB is blank);
+    # instead probe the DB and seed only if the data is absent. Fast no-op once
+    # the data is present.
+    command: |
+      set -e
+      export PGPASSWORD=postgres
+      # Probe for existing data. If the table is missing the query errors,
+      # stderr is suppressed, stdout is empty, the grep fails — so we seed.
+      if psql -h 127.0.0.1 -p 5432 -U postgres -d app -tAc \
+          "SELECT EXISTS (SELECT 1 FROM users LIMIT 1)" 2>/dev/null | grep -q t; then
+        echo "data present — skip seed"
+        exit 0
+      fi
+      pnpm db:seed
+    needs: [install, migrate]
+```
+
+**Lifecycle nuance (this is why the data check, not a marker, is right):**
+
+- **Box stop → start** (`agentbox stop`/`start`): the supervisor daemon dies with the container and is relaunched, so it **re-runs all tasks** from `pending`. The per-box docker volume *does* survive stop/start, so the DB still has data — the data check makes the seed a fast no-op.
+- **New box from a checkpoint** (`agentbox claude`/`create`): tasks run and the DB volume is empty → the check fails → the seed runs. Correct.
+- **Resume after pause** (`agentbox pause`/`unpause`): the daemon is frozen and thawed, **not** restarted, so tasks do **not** re-run at all — nothing to seed, the running DB is untouched.
+
+(Migrations are usually safe to re-run as-is: migration tools track applied migrations in their own table, which on a fresh box is empty, so they simply re-apply. Only the *data* seed needs the existence check.) Install the DB client the seed/migrate tasks need (e.g. `postgresql-client`) in the `install` task — don't `docker exec` the DB container for these checks (nested `docker exec` fails inside a box with a `setns` error); reach it over TCP with the client tools instead.
 
 ## 3. Wire readiness probes (services only)
 
@@ -184,6 +219,7 @@ Tell the user (verbatim):
 ## 9. Checkpoint the warm state - DON't SKIP THIS STEP
 
 Checkpoint (snapshot) this box writable layer: once the box is warmed up (deps installed, services ready), checkpoint it with `agentbox-ctl checkpoint --name setup --replace --set-default` so future boxes start ready.
+Remember the checkpoint captures the writable layer (`/workspace` + system), **not** docker-in-docker volumes — so a containerized DB's data does not carry into new boxes. That's expected; the data-existence-gated seed task from section 2 re-seeds those automatically. (If you need the data itself to persist into new boxes, run the DB as a native process with its data dir on the box filesystem, or bind a `/workspace` path as the container's data volume so it lands in the checkpoint.)
 Run this command exactly once. The `--name setup --replace` makes it idempotent — if it ever needs to run again it overwrites the existing `setup` checkpoint instead of stacking duplicates.
 On all providers except Vercel, this doesn't need to be confirmed by the user. It will pause the container for several seconds so warn the user about it and write Done when it's done.
 On Vercel: this actually STOPS the sandbox, so warn the user about it. Also the system will ask confirmation.

package/runtime/docker/packages/ctl/dist/bin.cjs

@@ -3344,15 +3344,15 @@ var require_windows = __commonJS({
       }
       return false;
     }
-    function checkStat(stat2, path6, options) {
-      if (!stat2.isSymbolicLink() && !stat2.isFile()) {
+    function checkStat(stat3, path6, options) {
+      if (!stat3.isSymbolicLink() && !stat3.isFile()) {
         return false;
       }
       return checkPathExt(path6, options);
     }
     function isexe(path6, options, cb) {
-      fs.stat(path6, function(er, stat2) {
-        cb(er, er ? false : checkStat(stat2, path6, options));
+      fs.stat(path6, function(er, stat3) {
+        cb(er, er ? false : checkStat(stat3, path6, options));
       });
     }
     function sync(path6, options) {
@@ -3369,20 +3369,20 @@ var require_mode = __commonJS({
     isexe.sync = sync;
     var fs = require("fs");
     function isexe(path6, options, cb) {
-      fs.stat(path6, function(er, stat2) {
-        cb(er, er ? false : checkStat(stat2, options));
+      fs.stat(path6, function(er, stat3) {
+        cb(er, er ? false : checkStat(stat3, options));
       });
     }
     function sync(path6, options) {
       return checkStat(fs.statSync(path6), options);
     }
-    function checkStat(stat2, options) {
-      return stat2.isFile() && checkMode(stat2, options);
+    function checkStat(stat3, options) {
+      return stat3.isFile() && checkMode(stat3, options);
     }
-    function checkMode(stat2, options) {
-      var mod = stat2.mode;
-      var uid = stat2.uid;
-      var gid = stat2.gid;
+    function checkMode(stat3, options) {
+      var mod = stat3.mode;
+      var uid = stat3.uid;
+      var gid = stat3.gid;
       var myUid = options.uid !== void 0 ? options.uid : process.getuid && process.getuid();
       var myGid = options.gid !== void 0 ? options.gid : process.getgid && process.getgid();
       var u2 = parseInt("100", 8);
@@ -12239,11 +12239,11 @@ var replacements = Object.entries(specialMainSymbols);
 // ../../node_modules/.pnpm/yoctocolors@2.1.2/node_modules/yoctocolors/base.js
 var import_node_tty = __toESM(require("tty"), 1);
 var hasColors = import_node_tty.default?.WriteStream?.prototype?.hasColors?.() ?? false;
-var format = (open, close) => {
+var format = (open2, close) => {
   if (!hasColors) {
     return (input) => input;
   }
-  const openCode = `\x1B[${open}m`;
+  const openCode = `\x1B[${open2}m`;
   const closeCode = `\x1B[${close}m`;
   return (input) => {
     const string = input + "";
@@ -18472,8 +18472,8 @@ var KEY_REGISTRY = [
   {
     key: "box.provider",
     type: "enum",
-    enumValues: ["docker", "daytona", "hetzner", "vercel"],
-    description: "Sandbox backend new boxes are created on: local Docker containers, Daytona Cloud sandboxes, Hetzner Cloud VPSes, or Vercel Sandboxes."
+    enumValues: ["docker", "daytona", "hetzner", "vercel", "e2b"],
+    description: "Sandbox backend new boxes are created on: local Docker containers, Daytona Cloud sandboxes, Hetzner Cloud VPSes, Vercel Sandboxes, or E2B microVMs."
   },
   {
     key: "box.hostSnapshot",
@@ -18509,6 +18509,12 @@ var KEY_REGISTRY = [
     description: "Per-provider override of `box.defaultCheckpoint` for vercel. Wins over the global when set; set via `agentbox checkpoint set-default --provider vercel`.",
     advanced: true
   },
+  {
+    key: "box.defaultCheckpointE2b",
+    type: "string",
+    description: "Per-provider override of `box.defaultCheckpoint` for e2b. Wins over the global when set; set via `agentbox checkpoint set-default --provider e2b`.",
+    advanced: true
+  },
   {
     key: "box.size",
     type: "string",
@@ -18538,6 +18544,12 @@ var KEY_REGISTRY = [
     description: "Per-provider override of `box.size` for vercel. Reserved \u2014 vercel sizing is controlled via `box.vercelVcpus`.",
     advanced: true
   },
+  {
+    key: "box.sizeE2b",
+    type: "string",
+    description: "Per-provider override of `box.size` for e2b. Reserved \u2014 e2b sizing is template-level (set at `agentbox prepare --provider e2b` time via --vcpus / --memory).",
+    advanced: true
+  },
   {
     key: "checkpoint.maxLayers",
     type: "int",
@@ -18609,6 +18621,12 @@ var KEY_REGISTRY = [
     description: "Per-provider override of `box.image` for vercel (snapshot id, e.g. `snap_\u2026`). Written by `agentbox prepare --provider vercel`.",
     advanced: true
   },
+  {
+    key: "box.imageE2b",
+    type: "string",
+    description: "Per-provider override of `box.image` for e2b (template id or `name:tag`, e.g. `agentbox-base:latest`). Written by `agentbox prepare --provider e2b`.",
+    advanced: true
+  },
   {
     key: "box.imageRegistry",
     type: "string",
@@ -18690,7 +18708,12 @@ var KEY_REGISTRY = [
     key: "attach.openIn",
     type: "enum",
     enumValues: ["split", "window", "tab", "same"],
-    description: "Where `agentbox claude|codex|opencode` opens the attached session when run from tmux or iTerm2: `split` (tmux split-window / iTerm2 vertical split, default), `window` (tmux new-window / new iTerm2 window), `tab` (tmux new-window / new iTerm2 tab), or `same` (attach inline in the current terminal). Outside tmux/iTerm2 every value behaves like `same`."
+    description: "Where `agentbox claude|codex|opencode` opens the attached session when run from tmux, cmux, or iTerm2: `split` (tmux split-window / cmux new-split / iTerm2 vertical split, default \u2014 same workspace), `window` (tmux new-window / cmux new-workspace / new iTerm2 window), `tab` (tmux new-window / cmux new-surface tab in the current pane, same workspace / new iTerm2 tab), or `same` (attach inline in the current terminal). Outside tmux/cmux/iTerm2 every value behaves like `same`."
+  },
+  {
+    key: "attach.cmuxStatus",
+    type: "bool",
+    description: "When attached inside cmux, reflect the box agent's live activity on its cmux workspace (colour + description: blue=working, amber=needs input, idle clears; restored on detach) and, when the agent needs input, flag the box's own tab via a cmux notification (tab badge + reorder + desktop notification) so it stands out among sibling tabs. cmux only; no-op in other terminals."
   },
   {
     key: "code.ide",
@@ -19539,6 +19562,10 @@ async function resolveCloudBackend(name) {
     const pkg = "@agentbox/sandbox-vercel";
     return loadCloudBackend(pkg, async () => (await import(pkg)).vercelBackend);
   }
+  if (name === "e2b") {
+    const pkg = "@agentbox/sandbox-e2b";
+    return loadCloudBackend(pkg, async () => (await import(pkg)).e2bBackend);
+  }
   throw new Error(`no host executor for cloud backend '${name}'`);
 }
 async function loadCloudBackend(pkg, load2) {
@@ -21092,6 +21119,8 @@ async function startRelayServer(opts) {
   return handle;
 }
 var QUEUE_DIR = (0, import_path6.join)(STATE_DIR, "queue");
+var TERMINAL_RETENTION_MS = 60 * 60 * 1e3;
+var SWEEP_INTERVAL_MS = 60 * 1e3;
 var QUEUE_LOGS_DIR = (0, import_path6.join)(STATE_DIR, "logs");
 
 // src/config.ts

package/runtime/docker/packages/sandbox-docker/scripts/agentbox-vnc-start

@@ -23,10 +23,22 @@ mkdir -p "$HOME/.vnc"
 # VncAuth truncates >8 chars at compare time, which is fine — the host writes
 # an 8-char password. Write to a temp file + rename so a failure (e.g.,
 # vncpasswd missing) doesn't leave an empty file that Xvnc would then reject.
-TMP_PASSWD="$(mktemp "$HOME/.vnc/passwd.XXXXXX")"
-printf '%s\n' "$PASS" | vncpasswd -f > "$TMP_PASSWD"
-chmod 600 "$TMP_PASSWD"
-mv "$TMP_PASSWD" "$HOME/.vnc/passwd"
+#
+# Debian 12 (E2B base) doesn't package vncpasswd at all — tigervnc-tools is
+# Ubuntu-only. When vncpasswd is missing, fall back to `-SecurityTypes None`
+# and rely on the cloud provider's signed preview URL as the access boundary
+# (same effective model: holding the URL = holding the credential). Other
+# providers (docker, hetzner, daytona, vercel) keep VncAuth.
+VNC_SECURITY_ARGS=(-SecurityTypes VncAuth -PasswordFile "$HOME/.vnc/passwd")
+if command -v vncpasswd >/dev/null 2>&1; then
+  TMP_PASSWD="$(mktemp "$HOME/.vnc/passwd.XXXXXX")"
+  printf '%s\n' "$PASS" | vncpasswd -f > "$TMP_PASSWD"
+  chmod 600 "$TMP_PASSWD"
+  mv "$TMP_PASSWD" "$HOME/.vnc/passwd"
+else
+  echo "agentbox-vnc-start: vncpasswd not installed; starting Xvnc with -SecurityTypes None (preview URL is the access boundary)" >&2
+  VNC_SECURITY_ARGS=(-SecurityTypes None)
+fi
 
 mkdir -p /var/log/agentbox 2>/dev/null || true
 
@@ -37,8 +49,7 @@ mkdir -p /var/log/agentbox 2>/dev/null || true
 # accept cut-text from noVNC, set both the X CLIPBOARD and PRIMARY selections.
 Xvnc :1 \
   -localhost \
-  -SecurityTypes VncAuth \
-  -PasswordFile "$HOME/.vnc/passwd" \
+  "${VNC_SECURITY_ARGS[@]}" \
   -geometry 1280x800 \
   -depth 24 \
   -AlwaysShared \

package/runtime/docker/packages/sandbox-docker/scripts/chromium-resolver

@@ -0,0 +1,57 @@
+#!/usr/bin/env bash
+# agentbox: resolve the Chromium that agent-browser drives.
+#
+# We deliberately do NOT bake a Chromium into the box image. Playwright pins an
+# exact Chromium build per playwright version, so a baked browser goes stale the
+# moment a project pins a different Playwright — the project's `playwright
+# install` then fetches a *different* build, and anything waiting on the baked
+# one (a hard-coded ms-playwright path) hangs forever. Instead we reuse the
+# *project's* Playwright Chromium — the exact build its own tests use — so
+# agent-browser and Playwright share a single binary that is always correct.
+#
+# `AGENT_BROWSER_EXECUTABLE_PATH=/usr/local/bin/chromium` points at this script,
+# so every agent-browser launch runs it. Resolution is effectively cached: once
+# a build exists the hot path is just an `ls` + `exec` (no download).
+#
+#   1. newest installed Playwright Chromium under ~/.cache/ms-playwright; else
+#   2. install one with the project's pinned Playwright (matching build), or the
+#      box's global Playwright as a fallback when the project has none; then
+#   3. exec the real binary with the args agent-browser passed.
+#
+# Chrome-for-Testing has no linux/arm64 build and Noble's chromium apt package
+# is a snap stub, so Playwright's downloader stays the only reliable cross-arch
+# source — we just invoke it lazily, with the project's version, instead of
+# baking a fixed one.
+
+newest_chrome() {
+  ls -d "$HOME"/.cache/ms-playwright/chromium-*/chrome-linux*/chrome 2>/dev/null | sort -V | tail -1
+}
+
+real="$(newest_chrome)"
+if [ -z "$real" ]; then
+  echo "agentbox: no Chromium yet; installing via Playwright (one-time)..." >&2
+  # Serialize concurrent first-launches: without a lock, two simultaneous
+  # agent-browser launches would both run `playwright install` into the same
+  # ~/.cache/ms-playwright, and one could exec a half-extracted binary. flock
+  # makes the second waiter re-check the cache and skip the redundant install.
+  mkdir -p "$HOME/.cache" 2>/dev/null
+  exec 9>"$HOME/.cache/agentbox-chromium-install.lock"
+  flock 9
+  real="$(newest_chrome)" # another launch may have installed it while we waited
+  if [ -z "$real" ]; then
+    if [ -x /workspace/node_modules/.bin/playwright ]; then
+      ( cd /workspace && ./node_modules/.bin/playwright install chromium ) >&2
+    else
+      playwright install chromium >&2
+    fi
+    real="$(newest_chrome)"
+  fi
+  flock -u 9
+fi
+
+if [ -z "$real" ] || [ ! -x "$real" ]; then
+  echo "agentbox: could not resolve a Chromium binary (Playwright install failed?)." >&2
+  exit 127
+fi
+
+exec "$real" "$@"

package/runtime/docker/packages/sandbox-docker/scripts/claude-managed-settings.json

@@ -1,5 +1,6 @@
 {
-  "$comment": "AgentBox enterprise-managed Claude Code settings, baked into the box image at /etc/claude-code/managed-settings.json. Highest precedence and NOT synced from the host ~/.claude, so claude-hooks-filter.ts never touches it; per Claude Code, hook arrays MERGE across settings sources, so the user's own hooks still run. These hooks report Claude's activity to the box supervisor (agentbox-ctl claude-state -> ctl socket -> relay -> ~/.agentbox/boxes/<id>/status.json) so `agentbox status/list/inspect` can show it even when the box is paused. Each command is exit-0 fast and shell-backgrounded so a hook can never block or fail a Claude turn. The ExitPlanMode / AskUserQuestion entries run SYNCHRONOUSLY (no &) because they consume the hook's stdin payload; the catchall PreToolUse 'working' hook races with them, but the supervisor's sticky-state semantics swallow that race (a 'working' set while in end-plan/question is ignored unless --clear-pending is set, which only the matching PostToolUse hook passes).",
+  "$comment": "AgentBox enterprise-managed Claude Code settings, baked into the box image at /etc/claude-code/managed-settings.json. Highest precedence and NOT synced from the host ~/.claude, so claude-hooks-filter.ts never touches it; per Claude Code, hook arrays MERGE across settings sources, so the user's own hooks still run. These hooks report Claude's activity to the box supervisor (agentbox-ctl claude-state -> ctl socket -> relay -> ~/.agentbox/boxes/<id>/status.json) so `agentbox status/list/inspect` can show it even when the box is paused. Each command is exit-0 fast and shell-backgrounded so a hook can never block or fail a Claude turn. The ExitPlanMode / AskUserQuestion entries run SYNCHRONOUSLY (no &) because they consume the hook's stdin payload; the catchall PreToolUse 'working' hook races with them, but the supervisor's sticky-state semantics swallow that race (a 'working' set while in end-plan/question is ignored unless --clear-pending is set, which only the matching PostToolUse hook passes). skipDangerousModePermissionPrompt pre-accepts the bypass-permissions disclaimer at policy precedence — AgentBox boxes are isolated, and `agentbox claude` defaults to --dangerously-skip-permissions, so the one-time accept gate would just trap every fresh box.",
+  "skipDangerousModePermissionPrompt": true,
   "hooks": {
     "UserPromptSubmit": [
       {

package/runtime/e2b/agentbox-checkpoint-cleanup

@@ -0,0 +1,52 @@
+#!/usr/bin/env bash
+# Pre-`docker commit` cleanup: strip ephemeral / disposable state so the
+# captured checkpoint image is closer to "warm project state, nothing else".
+#
+# Invoked by the host via `docker exec --user root <container>
+# /usr/local/bin/agentbox-checkpoint-cleanup` right before
+# `docker commit`. Best-effort: every step is allowed to fail (a checkpoint
+# capture should never block on cleanup hiccups).
+#
+# What we DELIBERATELY keep:
+#   - /workspace                  the actual point of the checkpoint
+#   - /home/vscode/.npm           warm npm cache (next install is fast)
+#   - /home/vscode/.cache         pnpm/yarn/Cargo/etc. caches
+#   - /var/lib/docker             in-box dockerd's data root
+#   - /home/vscode/.claude        the named volume is bind-mounted; image
+#                                 layer never sees it anyway
+set +e
+
+# apt: drop downloaded .deb cache and the package index. The index is ~50MB
+# and gets refreshed on the next `apt-get update`; the .deb cache is reusable
+# only if we don't change versions, which we usually do.
+apt-get clean 2>/dev/null
+rm -rf /var/lib/apt/lists/* 2>/dev/null
+
+# Throwaway scratch dirs. Preserve /tmp/claude-* — that is the live in-box
+# Claude Code session's working tree (its per-task stdout/stderr files). The
+# agent that triggered this checkpoint *is* that session; deleting its task
+# output mid-run makes its harness see ENOENT, treat the command as failed,
+# and retry the checkpoint (observed: 5 duplicate auto-named checkpoints).
+# Stale claude-* dirs baked into the image are tiny and Claude Code prunes
+# them itself on the next session start.
+find /tmp /var/tmp -mindepth 1 -maxdepth 1 ! -name 'claude-*' -exec rm -rf {} + 2>/dev/null
+
+# Logs: truncate (don't delete) so the original file modes / ownerships stay
+# intact for the next run. Targets common rotated archives too.
+find /var/log -type f \( -name '*.log' -o -name '*.gz' -o -name '*.1' \) \
+  -exec truncate -s0 {} + 2>/dev/null
+find /var/log/agentbox -type f -exec truncate -s0 {} + 2>/dev/null
+
+# Bash history (root + vscode). Re-assert vscode ownership: `: >` run as root
+# (re)creates the file root-owned 0644 when it didn't exist, which the uid-1000
+# vscode user cannot append to, silently dropping all shell history.
+: > /root/.bash_history 2>/dev/null
+: > /home/vscode/.bash_history 2>/dev/null
+chown vscode:vscode /home/vscode/.bash_history 2>/dev/null
+chmod 600 /home/vscode/.bash_history 2>/dev/null
+
+# Anthropic's installer writes a transient marker; redundant once the binary
+# is in place. Safe to wipe.
+rm -rf /home/vscode/.claude-installer 2>/dev/null
+
+exit 0

package/runtime/e2b/agentbox-codex-hooks.json

@@ -0,0 +1,68 @@
+{
+  "$comment": "Codex 0.134.0 expects `~/.codex/hooks.json` to be `{ hooks: { Event: [...] } }` (matching the `HooksFile` Rust struct), NOT a top-level event map. The `hooks` feature flag must also be enabled (`codex --enable hooks`) and hook trust must be either persisted via the in-TUI dialog or bypassed at launch (`--dangerously-bypass-hook-trust`). startCodexSession() does both. In practice the hook firing on the JSON-config path is still unreliable in 0.134.0 (TUI mode skips them on at least some startup paths) — the real mechanism that lights up state in production is the tmux-pane scraper in packages/ctl/src/codex-scraper.ts. These hooks remain as a defense-in-depth seed so any future codex build that fixes the firing also lights up state without further work.",
+  "hooks": {
+    "SessionStart": [
+      {
+        "hooks": [
+          { "type": "command", "command": "agentbox-ctl codex-state idle >/dev/null 2>&1 &", "timeout": 3 }
+        ]
+      }
+    ],
+    "UserPromptSubmit": [
+      {
+        "hooks": [
+          { "type": "command", "command": "agentbox-ctl codex-state working >/dev/null 2>&1 &", "timeout": 3 }
+        ]
+      }
+    ],
+    "PreToolUse": [
+      {
+        "hooks": [
+          { "type": "command", "command": "agentbox-ctl codex-state working >/dev/null 2>&1 &", "timeout": 3 }
+        ]
+      }
+    ],
+    "PermissionRequest": [
+      {
+        "hooks": [
+          { "type": "command", "command": "agentbox-ctl codex-state waiting >/dev/null 2>&1 &", "timeout": 3 }
+        ]
+      }
+    ],
+    "PreCompact": [
+      {
+        "hooks": [
+          { "type": "command", "command": "agentbox-ctl codex-state compacting >/dev/null 2>&1 &", "timeout": 3 }
+        ]
+      }
+    ],
+    "PostCompact": [
+      {
+        "hooks": [
+          { "type": "command", "command": "agentbox-ctl codex-state working >/dev/null 2>&1 &", "timeout": 3 }
+        ]
+      }
+    ],
+    "SubagentStart": [
+      {
+        "hooks": [
+          { "type": "command", "command": "agentbox-ctl codex-state working >/dev/null 2>&1 &", "timeout": 3 }
+        ]
+      }
+    ],
+    "SubagentStop": [
+      {
+        "hooks": [
+          { "type": "command", "command": "agentbox-ctl codex-state working >/dev/null 2>&1 &", "timeout": 3 }
+        ]
+      }
+    ],
+    "Stop": [
+      {
+        "hooks": [
+          { "type": "command", "command": "agentbox-ctl codex-state idle >/dev/null 2>&1 &", "timeout": 3 }
+        ]
+      }
+    ]
+  }
+}

package/runtime/e2b/agentbox-open

@@ -0,0 +1,28 @@
+#!/usr/bin/env bash
+# Routes in-box URL opens to `agentbox-ctl open`, which opens the link in the
+# box's own Chromium (agent-browser, visible via `agentbox screen`) and asks
+# the host user — in the footer/dashboard — whether to also open it on the
+# host. This script is installed at /usr/local/bin (earlier in PATH than
+# xdg-utils' /usr/bin/xdg-open, which it is also symlinked over) and is the
+# box's $BROWSER, so `xdg-open`, Claude Code's OAuth flow, `gh`,
+# `git web--browse`, python's webbrowser, etc. all land here.
+#
+# Only http(s) URLs are routed. Anything else (a file path, another scheme)
+# falls through to the real xdg-open, which resolves it locally in the box.
+
+set -uo pipefail
+
+target="${1:-}"
+
+case "$target" in
+  http://* | https://*)
+    exec agentbox-ctl open "$target"
+    ;;
+  *)
+    if [[ -x /usr/bin/xdg-open ]]; then
+      exec /usr/bin/xdg-open "$@"
+    fi
+    echo "agentbox-open: not an http(s) URL: $target" >&2
+    exit 1
+    ;;
+esac