@madarco/agentbox 0.12.0 → 0.14.0

package/dist/chunk-LDMYHWUS.js

@@ -0,0 +1,346 @@
+#!/usr/bin/env node
+import {
+  UserFacingError
+} from "./chunk-TCS5HXJX.js";
+import {
+  computeContextSha256,
+  hostOpenCommand,
+  preparedStatePathFor,
+  readPreparedStateRaw,
+  writePreparedStateRaw
+} from "./chunk-XKH7NTT7.js";
+
+// ../../packages/sandbox-e2b/dist/chunk-BC7TDU66.js
+import { existsSync, readFileSync } from "fs";
+import { homedir } from "os";
+import { resolve } from "path";
+import { Sandbox, Template } from "e2b";
+import {
+  chmodSync,
+  existsSync as existsSync2,
+  mkdirSync,
+  readFileSync as readFileSync2,
+  renameSync,
+  writeFileSync
+} from "fs";
+import { homedir as homedir2 } from "os";
+import { dirname, resolve as resolve2 } from "path";
+import {
+  confirm,
+  intro,
+  isCancel,
+  log,
+  note,
+  outro,
+  password
+} from "@clack/prompts";
+import { existsSync as existsSync3 } from "fs";
+import { dirname as dirname2, resolve as resolve3 } from "path";
+import { fileURLToPath } from "url";
+var E2B_KEYS = ["E2B_API_KEY", "E2B_DOMAIN"];
+var loaded = false;
+function ensureE2bEnvLoaded() {
+  if (loaded) return;
+  loaded = true;
+  importE2bFromFile(resolve(homedir(), ".agentbox", "secrets.env"), E2B_KEYS);
+}
+function reloadE2bEnv() {
+  loaded = false;
+  ensureE2bEnvLoaded();
+}
+function importE2bFromFile(path, keys) {
+  if (!existsSync(path)) return;
+  let body;
+  try {
+    body = readFileSync(path, "utf8");
+  } catch {
+    return;
+  }
+  const parsed = parseEnvFile(body);
+  for (const key of keys) {
+    if (process.env[key] !== void 0) continue;
+    const value = parsed[key];
+    if (typeof value === "string") {
+      process.env[key] = value;
+    }
+  }
+}
+function parseEnvFile(body) {
+  const out = {};
+  for (const rawLine of body.split(/\r?\n/)) {
+    const line = rawLine.trim();
+    if (line.length === 0 || line.startsWith("#")) continue;
+    const stripped = line.startsWith("export ") ? line.slice("export ".length) : line;
+    const eq = stripped.indexOf("=");
+    if (eq <= 0) continue;
+    const key = stripped.slice(0, eq).trim();
+    let value = stripped.slice(eq + 1).trim();
+    if (value.length >= 2 && (value.startsWith('"') && value.endsWith('"') || value.startsWith("'") && value.endsWith("'"))) {
+      value = value.slice(1, -1);
+    }
+    out[key] = value;
+  }
+  return out;
+}
+function resolveApiKey() {
+  ensureE2bEnvLoaded();
+  const k = process.env.E2B_API_KEY;
+  if (!k) {
+    throw new Error(
+      "E2B credentials not configured.\nRun `agentbox e2b login` to paste your API key (from https://e2b.dev/dashboard?tab=keys), or set E2B_API_KEY in the environment / ~/.agentbox/secrets.env."
+    );
+  }
+  return k;
+}
+function hasUsableCredentials() {
+  ensureE2bEnvLoaded();
+  return Boolean(process.env.E2B_API_KEY);
+}
+var DASHBOARD_KEYS_URL = "https://e2b.dev/dashboard?tab=keys";
+var MANAGED_KEYS = ["E2B_API_KEY"];
+async function ensureE2bCredentials(opts = {}) {
+  ensureE2bEnvLoaded();
+  if (!opts.force && hasUsableCredentials()) return;
+  if (!process.stdin.isTTY) return;
+  intro("E2B setup");
+  note(
+    `AgentBox needs an E2B API key to provision sandboxes.
+Get one from ${DASHBOARD_KEYS_URL} (free tier available), then paste it below.
+The key is stored in \`~/.agentbox/secrets.env\` (mode 0600) \u2014 no .env.local harvesting.`,
+    "Credentials required"
+  );
+  const openIt = await confirm({
+    message: `Open ${DASHBOARD_KEYS_URL} to create a key?`,
+    initialValue: true
+  });
+  if (isCancel(openIt)) {
+    log.warn("E2B setup cancelled.");
+    return;
+  }
+  if (openIt) openDashboard();
+  const key = await password({
+    message: "Paste your E2B API key",
+    validate: (v) => v && v.trim().length > 0 ? void 0 : "Cannot be empty"
+  });
+  if (isCancel(key)) {
+    log.warn("E2B setup cancelled.");
+    return;
+  }
+  persistCredentials({ apiKey: key.trim() });
+  reloadE2bEnv();
+  log.success(`E2B credentials saved to ${secretsPath()}`);
+  outro("Setup complete.");
+}
+function persistCredentials(creds) {
+  writeManaged({ E2B_API_KEY: creds.apiKey });
+}
+function writeManaged(record) {
+  for (const k of MANAGED_KEYS) delete process.env[k];
+  for (const [k, v] of Object.entries(record)) process.env[k] = v;
+  const path = secretsPath();
+  mkdirSync(dirname(path), { recursive: true });
+  let existing = "";
+  if (existsSync2(path)) {
+    try {
+      existing = readFileSync2(path, "utf8");
+    } catch {
+      existing = "";
+    }
+  }
+  const kept = existing.split(/\r?\n/).filter((line) => {
+    const stripped = line.startsWith("export ") ? line.slice("export ".length) : line;
+    const eq = stripped.indexOf("=");
+    if (eq <= 0) return true;
+    const key = stripped.slice(0, eq).trim();
+    return !MANAGED_KEYS.includes(key);
+  }).join("\n").replace(/\s+$/u, "");
+  const lines = Object.entries(record).map(([k, v]) => `${k}=${v}`);
+  const body = (kept ? `${kept}
+` : "") + lines.join("\n") + "\n";
+  const tmp = `${path}.tmp`;
+  writeFileSync(tmp, body, { mode: 384 });
+  try {
+    chmodSync(tmp, 384);
+  } catch {
+  }
+  renameSync(tmp, path);
+  try {
+    chmodSync(path, 384);
+  } catch {
+  }
+}
+function openDashboard() {
+  import("child_process").then(({ spawnSync }) => {
+    const r = spawnSync(hostOpenCommand(), [DASHBOARD_KEYS_URL], { stdio: "ignore" });
+    if (r.status !== 0) {
+      log.warn(`Could not auto-open the browser \u2014 visit ${DASHBOARD_KEYS_URL} manually.`);
+    }
+  }).catch(() => {
+    log.warn(`Could not auto-open the browser \u2014 visit ${DASHBOARD_KEYS_URL} manually.`);
+  });
+}
+function secretsPath() {
+  return resolve2(homedir2(), ".agentbox", "secrets.env");
+}
+function readE2bCredStatus() {
+  const shellHad = process.env.E2B_API_KEY !== void 0;
+  ensureE2bEnvLoaded();
+  const key = process.env.E2B_API_KEY;
+  if (!key) return { auth: "none", source: "none" };
+  return { auth: "key", token: key, source: shellHad ? "env" : "secrets.env" };
+}
+function maskKey(value) {
+  if (value.length <= 8) return "*".repeat(value.length);
+  return `${value.slice(0, 4)}\u2026${"*".repeat(8)}${value.slice(-4)}`;
+}
+var SELF = dirname2(fileURLToPath(import.meta.url));
+function findStagedCliRuntimeRoot() {
+  const candidates = [resolve3(SELF, "..", "runtime"), resolve3(SELF, "..", "..", "runtime")];
+  for (const c of candidates) {
+    if (existsSync3(resolve3(c, "e2b", "scripts", "build-template.sh"))) return c;
+  }
+  return void 0;
+}
+var RUNTIME_ASSETS = [
+  { name: "build-template.sh", remotePath: "/tmp/agentbox-build-template.sh", remoteMode: 493 },
+  { name: "agentbox-ctl", remotePath: "/tmp/agentbox-ctl", remoteMode: 493 },
+  { name: "agentbox-vnc-start", remotePath: "/tmp/agentbox-vnc-start", remoteMode: 493 },
+  { name: "agentbox-checkpoint-cleanup", remotePath: "/tmp/agentbox-checkpoint-cleanup", remoteMode: 493 },
+  { name: "agentbox-open", remotePath: "/tmp/agentbox-open", remoteMode: 493 },
+  { name: "gh-shim", remotePath: "/tmp/agentbox-gh-shim", remoteMode: 493 },
+  { name: "git-shim", remotePath: "/tmp/agentbox-git-shim", remoteMode: 493 },
+  { name: "custom-system-CLAUDE.md", remotePath: "/tmp/agentbox-custom-CLAUDE.md", remoteMode: 420 },
+  { name: "claude-managed-settings.json", remotePath: "/tmp/agentbox-managed-settings.json", remoteMode: 420 },
+  { name: "agentbox-codex-hooks.json", remotePath: "/tmp/agentbox-codex-hooks.json", remoteMode: 420 },
+  { name: "agentbox-setup-skill.md", remotePath: "/tmp/agentbox-setup-skill.md", remoteMode: 420 }
+];
+function candidatesFor(name, opts = {}) {
+  const cliRoot = opts.cliRuntimeRoot;
+  const monorepo = opts.repoRoot ?? guessRepoRoot();
+  const monorepoRelative = {
+    "build-template.sh": ["packages/sandbox-e2b/scripts/build-template.sh"],
+    "agentbox-ctl": ["packages/ctl/dist/bin.cjs"],
+    "agentbox-vnc-start": ["packages/sandbox-docker/scripts/agentbox-vnc-start"],
+    "agentbox-checkpoint-cleanup": ["packages/sandbox-docker/scripts/agentbox-checkpoint-cleanup"],
+    "agentbox-open": ["packages/sandbox-docker/scripts/agentbox-open"],
+    "gh-shim": ["packages/sandbox-docker/scripts/gh-shim"],
+    "git-shim": ["packages/sandbox-docker/scripts/git-shim"],
+    "custom-system-CLAUDE.md": ["packages/sandbox-e2b/scripts/custom-system-CLAUDE.md"],
+    "claude-managed-settings.json": ["packages/sandbox-docker/scripts/claude-managed-settings.json"],
+    "agentbox-codex-hooks.json": ["packages/sandbox-docker/scripts/agentbox-codex-hooks.json"],
+    "agentbox-setup-skill.md": ["apps/cli/share/agentbox-setup/SKILL.md"]
+  };
+  const cliRelative = {
+    "build-template.sh": ["e2b/scripts/build-template.sh"],
+    "agentbox-ctl": ["e2b/ctl.cjs"],
+    "agentbox-vnc-start": ["e2b/agentbox-vnc-start", "docker/packages/sandbox-docker/scripts/agentbox-vnc-start"],
+    "agentbox-checkpoint-cleanup": ["e2b/agentbox-checkpoint-cleanup", "docker/packages/sandbox-docker/scripts/agentbox-checkpoint-cleanup"],
+    "agentbox-open": ["e2b/agentbox-open", "docker/packages/sandbox-docker/scripts/agentbox-open"],
+    "gh-shim": ["e2b/gh-shim", "docker/packages/sandbox-docker/scripts/gh-shim"],
+    "git-shim": ["e2b/git-shim", "docker/packages/sandbox-docker/scripts/git-shim"],
+    "custom-system-CLAUDE.md": ["e2b/custom-system-CLAUDE.md"],
+    "claude-managed-settings.json": ["e2b/claude-managed-settings.json", "docker/packages/sandbox-docker/scripts/claude-managed-settings.json"],
+    "agentbox-codex-hooks.json": ["e2b/agentbox-codex-hooks.json", "docker/packages/sandbox-docker/scripts/agentbox-codex-hooks.json"],
+    "agentbox-setup-skill.md": ["e2b/agentbox-setup-skill.md", "docker/apps/cli/share/agentbox-setup/SKILL.md"]
+  };
+  const out = [];
+  if (cliRoot) {
+    for (const rel of cliRelative[name] ?? []) out.push(resolve3(cliRoot, rel));
+  }
+  for (const rel of monorepoRelative[name] ?? []) out.push(resolve3(monorepo, rel));
+  return out;
+}
+function resolveRuntimeAssets(opts = {}) {
+  const out = [];
+  const missing = [];
+  for (const asset of RUNTIME_ASSETS) {
+    const cands = candidatesFor(asset.name, opts);
+    const hit = cands.find((p) => existsSync3(p));
+    if (!hit) {
+      missing.push({ name: asset.name, tried: cands });
+      continue;
+    }
+    out.push({ ...asset, localPath: hit });
+  }
+  if (missing.length > 0) {
+    const lines = missing.flatMap((m) => [`  - ${m.name}: tried`, ...m.tried.map((p) => `      ${p}`)]);
+    throw new Error(
+      `e2b: could not resolve runtime assets needed to bake the base template:
+` + lines.join("\n") + `
+
+If running from the monorepo, ensure \`pnpm -w build\` has run so packages/ctl/dist/bin.cjs exists.`
+    );
+  }
+  return out;
+}
+function guessRepoRoot() {
+  let cur = SELF;
+  for (let i = 0; i < 8; i++) {
+    if (existsSync3(resolve3(cur, "pnpm-workspace.yaml"))) return cur;
+    const parent = dirname2(cur);
+    if (parent === cur) break;
+    cur = parent;
+  }
+  return SELF;
+}
+var SCHEMA = 1;
+function preparedStatePath() {
+  return preparedStatePathFor("e2b");
+}
+function readPreparedState() {
+  const raw = readPreparedStateRaw("e2b");
+  if (raw === null || typeof raw !== "object") return { schema: SCHEMA };
+  const parsed = raw;
+  if (parsed.schema !== SCHEMA) {
+    return { schema: SCHEMA };
+  }
+  return { schema: SCHEMA, base: parsed.base };
+}
+function writePreparedState(state) {
+  writePreparedStateRaw("e2b", state);
+}
+function updatePreparedState(mutate) {
+  const s = readPreparedState();
+  mutate(s);
+  writePreparedState(s);
+}
+async function currentE2bBaseFingerprintLive() {
+  try {
+    const assets = resolveRuntimeAssets({ cliRuntimeRoot: findStagedCliRuntimeRoot() });
+    return await computeContextSha256(
+      assets.map((a) => ({ rel: a.name, abs: a.localPath }))
+    );
+  } catch {
+    return void 0;
+  }
+}
+function ensureE2bBaseTemplate() {
+  const state = readPreparedState();
+  if (state.base !== void 0) return;
+  throw new UserFacingError(
+    "no E2B base template found.\nRun `agentbox prepare --provider e2b` first \u2014 it bakes a custom template with the agentbox runtime (agentbox-ctl, vscode user, claude/codex/opencode, tmux) so per-box `create` boots ready in seconds."
+  );
+}
+
+export {
+  ensureE2bEnvLoaded,
+  reloadE2bEnv,
+  Sandbox,
+  Template,
+  resolveApiKey,
+  ensureE2bCredentials,
+  secretsPath,
+  readE2bCredStatus,
+  maskKey,
+  findStagedCliRuntimeRoot,
+  RUNTIME_ASSETS,
+  candidatesFor,
+  resolveRuntimeAssets,
+  preparedStatePath,
+  readPreparedState,
+  writePreparedState,
+  updatePreparedState,
+  currentE2bBaseFingerprintLive,
+  ensureE2bBaseTemplate
+};
+//# sourceMappingURL=chunk-LDMYHWUS.js.map

package/dist/chunk-LDMYHWUS.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../../packages/sandbox-e2b/src/env-loader.ts","../../../packages/sandbox-e2b/src/sdk.ts","../../../packages/sandbox-e2b/src/credentials.ts","../../../packages/sandbox-e2b/src/runtime-assets.ts","../../../packages/sandbox-e2b/src/prepared-state.ts"],"sourcesContent":["/**\n * E2B env auto-loader. The `e2b` SDK reads `E2B_API_KEY` (and optionally\n * `E2B_DOMAIN` for non-default deployments) from `process.env`. We seed those\n * from `~/.agentbox/secrets.env` (written by `agentbox e2b login`) so the SDK\n * Just Works after a one-time login — same pattern as the daytona / hetzner /\n * vercel env-loaders.\n *\n * Lookup order (first wins; process.env is never overwritten):\n *   1. `process.env` (already set in the shell).\n *   2. `~/.agentbox/secrets.env` — written by `agentbox e2b login`.\n *\n * Project-level `.env` / `.env.local` are intentionally NOT consulted: those\n * files belong to the app code being developed. Put host credentials in\n * `~/.agentbox/secrets.env` (or the shell env).\n *\n * Only E2B-prefixed keys are imported; the rest of the file is left alone.\n * Idempotent and side-effect-free after the first call.\n */\n\nimport { existsSync, readFileSync } from 'node:fs';\nimport { homedir } from 'node:os';\nimport { resolve } from 'node:path';\n\nconst E2B_KEYS = ['E2B_API_KEY', 'E2B_DOMAIN'] as const;\n\nlet loaded = false;\n\nexport function ensureE2bEnvLoaded(): void {\n  if (loaded) return;\n  loaded = true;\n  importE2bFromFile(resolve(homedir(), '.agentbox', 'secrets.env'), E2B_KEYS);\n}\n\n/**\n * Force a re-read of `~/.agentbox/secrets.env`. Used by the interactive\n * `agentbox e2b login` flow after it persists the API key, so the same process\n * can pick it up without a restart.\n */\nexport function reloadE2bEnv(): void {\n  loaded = false;\n  ensureE2bEnvLoaded();\n}\n\nfunction importE2bFromFile(path: string, keys: readonly string[]): void {\n  if (!existsSync(path)) return;\n  let body: string;\n  try {\n    body = readFileSync(path, 'utf8');\n  } catch {\n    return;\n  }\n  const parsed = parseEnvFile(body);\n  for (const key of keys) {\n    if (process.env[key] !== undefined) continue;\n    const value = parsed[key];\n    if (typeof value === 'string') {\n      process.env[key] = value;\n    }\n  }\n}\n\n/**\n * Minimal `.env` parser: handles `KEY=value`, `KEY=\"value\"`, `KEY='value'`,\n * `export KEY=value`, blank lines, and `#` comments. No variable interpolation\n * — predictable over feature-complete (matches the daytona / vercel loaders).\n */\nexport function parseEnvFile(body: string): Record<string, string> {\n  const out: Record<string, string> = {};\n  for (const rawLine of body.split(/\\r?\\n/)) {\n    const line = rawLine.trim();\n    if (line.length === 0 || line.startsWith('#')) continue;\n    const stripped = line.startsWith('export ') ? line.slice('export '.length) : line;\n    const eq = stripped.indexOf('=');\n    if (eq <= 0) continue;\n    const key = stripped.slice(0, eq).trim();\n    let value = stripped.slice(eq + 1).trim();\n    if (\n      value.length >= 2 &&\n      ((value.startsWith('\"') && value.endsWith('\"')) ||\n        (value.startsWith(\"'\") && value.endsWith(\"'\")))\n    ) {\n      value = value.slice(1, -1);\n    }\n    out[key] = value;\n  }\n  return out;\n}\n","/**\n * Thin wrapper around the `e2b` SDK. Resolves the API key once and re-exports\n * the SDK surface the rest of the package uses from a single place (so tests\n * can mock `./sdk.js` instead of the package).\n *\n * E2B only ships one auth mode for first-party use: a single API key. The SDK\n * already reads `process.env.E2B_API_KEY` on each call, but we still expose\n * `resolveApiKey()` so callers can fail loud with an actionable error before\n * the SDK throws a generic \"401 unauthorized\" deep inside an op.\n */\n\nimport { Sandbox, Template } from 'e2b';\nimport { ensureE2bEnvLoaded } from './env-loader.js';\n\nexport { Sandbox, Template };\nexport type { SandboxOpts, SandboxInfo, SandboxState, SandboxListOpts, LogEntry, BuildInfo } from 'e2b';\n\n/**\n * Return the configured E2B API key. Throws an actionable error when nothing\n * is configured. Idempotent — env-loader caches itself after first call.\n */\nexport function resolveApiKey(): string {\n  ensureE2bEnvLoaded();\n  const k = process.env.E2B_API_KEY;\n  if (!k) {\n    throw new Error(\n      'E2B credentials not configured.\\n' +\n        'Run `agentbox e2b login` to paste your API key (from https://e2b.dev/dashboard?tab=keys), ' +\n        'or set E2B_API_KEY in the environment / ~/.agentbox/secrets.env.',\n    );\n  }\n  return k;\n}\n\n/** True when an API key is configured. Used by the credential gate. */\nexport function hasUsableCredentials(): boolean {\n  ensureE2bEnvLoaded();\n  return Boolean(process.env.E2B_API_KEY);\n}\n","/**\n * Interactive E2B credential setup. Single mode — paste an API key from\n * https://e2b.dev/dashboard?tab=keys — much simpler than vercel's three-mode\n * flow. Persists to `~/.agentbox/secrets.env` (the canonical store, matching\n * daytona / hetzner / vercel).\n *\n * Non-interactive callers (no TTY): silent no-op, so scripted/CI runs surface\n * the SDK's own \"not configured\" error instead of hanging on a prompt.\n */\n\nimport {\n  chmodSync,\n  existsSync,\n  mkdirSync,\n  readFileSync,\n  renameSync,\n  writeFileSync,\n} from 'node:fs';\nimport { homedir } from 'node:os';\nimport { dirname, resolve } from 'node:path';\nimport { hostOpenCommand } from '@agentbox/sandbox-core';\nimport {\n  confirm,\n  intro,\n  isCancel,\n  log,\n  note,\n  outro,\n  password,\n} from '@clack/prompts';\nimport { ensureE2bEnvLoaded, reloadE2bEnv } from './env-loader.js';\nimport { hasUsableCredentials } from './sdk.js';\n\nconst DASHBOARD_KEYS_URL = 'https://e2b.dev/dashboard?tab=keys';\n\n/**\n * Keys we manage in `~/.agentbox/secrets.env`. On reconfigure we strip prior\n * values for these before appending so the file never accumulates duplicates.\n */\nconst MANAGED_KEYS = ['E2B_API_KEY'] as const;\n\nexport interface EnsureE2bCredentialsOptions {\n  /** Re-prompt even when valid credentials are already present (`agentbox e2b login`). */\n  force?: boolean;\n}\n\nexport async function ensureE2bCredentials(\n  opts: EnsureE2bCredentialsOptions = {},\n): Promise<void> {\n  ensureE2bEnvLoaded();\n\n  if (!opts.force && hasUsableCredentials()) return;\n  if (!process.stdin.isTTY) return;\n\n  intro('E2B setup');\n  note(\n    `AgentBox needs an E2B API key to provision sandboxes.\\n` +\n      `Get one from ${DASHBOARD_KEYS_URL} (free tier available), then paste it below.\\n` +\n      `The key is stored in \\`~/.agentbox/secrets.env\\` (mode 0600) — no .env.local harvesting.`,\n    'Credentials required',\n  );\n\n  const openIt = await confirm({\n    message: `Open ${DASHBOARD_KEYS_URL} to create a key?`,\n    initialValue: true,\n  });\n  if (isCancel(openIt)) {\n    log.warn('E2B setup cancelled.');\n    return;\n  }\n  if (openIt) openDashboard();\n\n  const key = await password({\n    message: 'Paste your E2B API key',\n    validate: (v) => (v && v.trim().length > 0 ? undefined : 'Cannot be empty'),\n  });\n  if (isCancel(key)) {\n    log.warn('E2B setup cancelled.');\n    return;\n  }\n\n  persistCredentials({ apiKey: key.trim() });\n  reloadE2bEnv();\n  log.success(`E2B credentials saved to ${secretsPath()}`);\n  outro('Setup complete.');\n}\n\nfunction persistCredentials(creds: { apiKey: string }): void {\n  writeManaged({ E2B_API_KEY: creds.apiKey });\n}\n\n/**\n * Atomically rewrite the managed E2B keys in `~/.agentbox/secrets.env`:\n * strip every prior value for a `MANAGED_KEYS` entry, then append exactly the\n * keys in `record` (mode 0600, temp-file + rename). Also mirrors the record\n * into `process.env` so the current run uses the new values immediately.\n */\nfunction writeManaged(record: Record<string, string>): void {\n  for (const k of MANAGED_KEYS) delete process.env[k];\n  for (const [k, v] of Object.entries(record)) process.env[k] = v;\n\n  const path = secretsPath();\n  mkdirSync(dirname(path), { recursive: true });\n\n  let existing = '';\n  if (existsSync(path)) {\n    try {\n      existing = readFileSync(path, 'utf8');\n    } catch {\n      existing = '';\n    }\n  }\n  const kept = existing\n    .split(/\\r?\\n/)\n    .filter((line) => {\n      const stripped = line.startsWith('export ') ? line.slice('export '.length) : line;\n      const eq = stripped.indexOf('=');\n      if (eq <= 0) return true;\n      const key = stripped.slice(0, eq).trim();\n      return !(MANAGED_KEYS as readonly string[]).includes(key);\n    })\n    .join('\\n')\n    .replace(/\\s+$/u, '');\n\n  const lines = Object.entries(record).map(([k, v]) => `${k}=${v}`);\n  const body = (kept ? `${kept}\\n` : '') + lines.join('\\n') + '\\n';\n\n  const tmp = `${path}.tmp`;\n  writeFileSync(tmp, body, { mode: 0o600 });\n  try {\n    chmodSync(tmp, 0o600);\n  } catch {\n    // chmod best-effort; writeFileSync mode already covers most filesystems.\n  }\n  renameSync(tmp, path);\n  try {\n    chmodSync(path, 0o600);\n  } catch {\n    // ignore — already attempted above\n  }\n}\n\nfunction openDashboard(): void {\n  import('node:child_process')\n    .then(({ spawnSync }) => {\n      const r = spawnSync(hostOpenCommand(), [DASHBOARD_KEYS_URL], { stdio: 'ignore' });\n      if (r.status !== 0) {\n        log.warn(`Could not auto-open the browser — visit ${DASHBOARD_KEYS_URL} manually.`);\n      }\n    })\n    .catch(() => {\n      log.warn(`Could not auto-open the browser — visit ${DASHBOARD_KEYS_URL} manually.`);\n    });\n}\n\nexport function secretsPath(): string {\n  return resolve(homedir(), '.agentbox', 'secrets.env');\n}\n\nexport interface E2bCredStatus {\n  auth: 'key' | 'none';\n  token?: string;\n  source: 'env' | 'secrets.env' | 'none';\n}\n\nexport function readE2bCredStatus(): E2bCredStatus {\n  const shellHad = process.env.E2B_API_KEY !== undefined;\n  ensureE2bEnvLoaded();\n  const key = process.env.E2B_API_KEY;\n  if (!key) return { auth: 'none', source: 'none' };\n  return { auth: 'key', token: key, source: shellHad ? 'env' : 'secrets.env' };\n}\n\nexport function maskKey(value: string): string {\n  if (value.length <= 8) return '*'.repeat(value.length);\n  return `${value.slice(0, 4)}…${'*'.repeat(8)}${value.slice(-4)}`;\n}\n","/**\n * Resolver for the runtime payload baked into the E2B base template during\n * `prepareE2b()`. Same idea as the vercel resolver: a flat list of files to\n * `template.copy` into the build context, each resolved from either the\n * staged CLI runtime tree or the monorepo source tree.\n *\n * Lookup order per file:\n *   1. The CLI's staged runtime tree: `<cliRoot>/e2b/...`.\n *   2. The monorepo source tree (dev fallback) under `packages/`.\n *\n * Any missing file throws a clear error naming the paths tried. Note: no\n * dockerd helper — E2B microVMs can't run nested containers.\n */\n\nimport { existsSync } from 'node:fs';\nimport { dirname, resolve } from 'node:path';\nimport { fileURLToPath } from 'node:url';\n\nconst SELF = dirname(fileURLToPath(import.meta.url));\n\nexport function findStagedCliRuntimeRoot(): string | undefined {\n  const candidates = [resolve(SELF, '..', 'runtime'), resolve(SELF, '..', '..', 'runtime')];\n  for (const c of candidates) {\n    if (existsSync(resolve(c, 'e2b', 'scripts', 'build-template.sh'))) return c;\n  }\n  return undefined;\n}\n\nexport interface RuntimeAsset {\n  /** Logical name (used in error messages + log lines). */\n  name: string;\n  /** Absolute path inside the template's build filesystem (Template.copy target). */\n  remotePath: string;\n  /** File mode to apply after upload. */\n  remoteMode: number;\n}\n\n/**\n * Where each asset lands inside the sandbox during template build. build-template.sh\n * reads them from these fixed paths. The agent/runtime helpers go straight to\n * /usr/local/bin via the script; baked config files to /tmp for the script to\n * `install` into place.\n */\nexport const RUNTIME_ASSETS: readonly RuntimeAsset[] = [\n  { name: 'build-template.sh', remotePath: '/tmp/agentbox-build-template.sh', remoteMode: 0o755 },\n  { name: 'agentbox-ctl', remotePath: '/tmp/agentbox-ctl', remoteMode: 0o755 },\n  { name: 'agentbox-vnc-start', remotePath: '/tmp/agentbox-vnc-start', remoteMode: 0o755 },\n  { name: 'agentbox-checkpoint-cleanup', remotePath: '/tmp/agentbox-checkpoint-cleanup', remoteMode: 0o755 },\n  { name: 'agentbox-open', remotePath: '/tmp/agentbox-open', remoteMode: 0o755 },\n  { name: 'gh-shim', remotePath: '/tmp/agentbox-gh-shim', remoteMode: 0o755 },\n  { name: 'git-shim', remotePath: '/tmp/agentbox-git-shim', remoteMode: 0o755 },\n  { name: 'custom-system-CLAUDE.md', remotePath: '/tmp/agentbox-custom-CLAUDE.md', remoteMode: 0o644 },\n  { name: 'claude-managed-settings.json', remotePath: '/tmp/agentbox-managed-settings.json', remoteMode: 0o644 },\n  { name: 'agentbox-codex-hooks.json', remotePath: '/tmp/agentbox-codex-hooks.json', remoteMode: 0o644 },\n  { name: 'agentbox-setup-skill.md', remotePath: '/tmp/agentbox-setup-skill.md', remoteMode: 0o644 },\n] as const;\n\nexport interface ResolvedAsset extends RuntimeAsset {\n  localPath: string;\n}\n\nexport function candidatesFor(\n  name: string,\n  opts: { cliRuntimeRoot?: string; repoRoot?: string } = {},\n): string[] {\n  const cliRoot = opts.cliRuntimeRoot;\n  const monorepo = opts.repoRoot ?? guessRepoRoot();\n\n  const monorepoRelative: Record<string, string[]> = {\n    'build-template.sh': ['packages/sandbox-e2b/scripts/build-template.sh'],\n    'agentbox-ctl': ['packages/ctl/dist/bin.cjs'],\n    'agentbox-vnc-start': ['packages/sandbox-docker/scripts/agentbox-vnc-start'],\n    'agentbox-checkpoint-cleanup': ['packages/sandbox-docker/scripts/agentbox-checkpoint-cleanup'],\n    'agentbox-open': ['packages/sandbox-docker/scripts/agentbox-open'],\n    'gh-shim': ['packages/sandbox-docker/scripts/gh-shim'],\n    'git-shim': ['packages/sandbox-docker/scripts/git-shim'],\n    'custom-system-CLAUDE.md': ['packages/sandbox-e2b/scripts/custom-system-CLAUDE.md'],\n    'claude-managed-settings.json': ['packages/sandbox-docker/scripts/claude-managed-settings.json'],\n    'agentbox-codex-hooks.json': ['packages/sandbox-docker/scripts/agentbox-codex-hooks.json'],\n    'agentbox-setup-skill.md': ['apps/cli/share/agentbox-setup/SKILL.md'],\n  };\n\n  const cliRelative: Record<string, string[]> = {\n    'build-template.sh': ['e2b/scripts/build-template.sh'],\n    'agentbox-ctl': ['e2b/ctl.cjs'],\n    'agentbox-vnc-start': ['e2b/agentbox-vnc-start', 'docker/packages/sandbox-docker/scripts/agentbox-vnc-start'],\n    'agentbox-checkpoint-cleanup': ['e2b/agentbox-checkpoint-cleanup', 'docker/packages/sandbox-docker/scripts/agentbox-checkpoint-cleanup'],\n    'agentbox-open': ['e2b/agentbox-open', 'docker/packages/sandbox-docker/scripts/agentbox-open'],\n    'gh-shim': ['e2b/gh-shim', 'docker/packages/sandbox-docker/scripts/gh-shim'],\n    'git-shim': ['e2b/git-shim', 'docker/packages/sandbox-docker/scripts/git-shim'],\n    'custom-system-CLAUDE.md': ['e2b/custom-system-CLAUDE.md'],\n    'claude-managed-settings.json': ['e2b/claude-managed-settings.json', 'docker/packages/sandbox-docker/scripts/claude-managed-settings.json'],\n    'agentbox-codex-hooks.json': ['e2b/agentbox-codex-hooks.json', 'docker/packages/sandbox-docker/scripts/agentbox-codex-hooks.json'],\n    'agentbox-setup-skill.md': ['e2b/agentbox-setup-skill.md', 'docker/apps/cli/share/agentbox-setup/SKILL.md'],\n  };\n\n  const out: string[] = [];\n  if (cliRoot) {\n    for (const rel of cliRelative[name] ?? []) out.push(resolve(cliRoot, rel));\n  }\n  for (const rel of monorepoRelative[name] ?? []) out.push(resolve(monorepo, rel));\n  return out;\n}\n\nexport function resolveRuntimeAssets(\n  opts: { cliRuntimeRoot?: string; repoRoot?: string } = {},\n): ResolvedAsset[] {\n  const out: ResolvedAsset[] = [];\n  const missing: Array<{ name: string; tried: string[] }> = [];\n  for (const asset of RUNTIME_ASSETS) {\n    const cands = candidatesFor(asset.name, opts);\n    const hit = cands.find((p) => existsSync(p));\n    if (!hit) {\n      missing.push({ name: asset.name, tried: cands });\n      continue;\n    }\n    out.push({ ...asset, localPath: hit });\n  }\n  if (missing.length > 0) {\n    const lines = missing.flatMap((m) => [`  - ${m.name}: tried`, ...m.tried.map((p) => `      ${p}`)]);\n    throw new Error(\n      `e2b: could not resolve runtime assets needed to bake the base template:\\n` +\n        lines.join('\\n') +\n        `\\n\\nIf running from the monorepo, ensure \\`pnpm -w build\\` has run so packages/ctl/dist/bin.cjs exists.`,\n    );\n  }\n  return out;\n}\n\nfunction guessRepoRoot(): string {\n  let cur = SELF;\n  for (let i = 0; i < 8; i++) {\n    if (existsSync(resolve(cur, 'pnpm-workspace.yaml'))) return cur;\n    const parent = dirname(cur);\n    if (parent === cur) break;\n    cur = parent;\n  }\n  return SELF;\n}\n","/**\n * Persisted record of what `agentbox prepare --provider e2b` has built.\n * Lives at `~/.agentbox/e2b-prepared.json` so the auto-prepare gate\n * (`ensureE2bBaseTemplate()`) and `backend.provision` can resolve the base\n * template every box boots from.\n *\n * Single tier for now — the shared base template (Debian + agentbox-ctl +\n * agents). Templates on E2B are id+tag-addressed reusable resources, so unlike\n * Vercel snapshots we don't worry about per-box snapshot eviction; one template\n * is reused for every create.\n *\n * Schema versioned so future shape changes can migrate; only `schema: 1` is\n * accepted today.\n */\n\nimport { computeContextSha256, readPreparedStateRaw, writePreparedStateRaw, preparedStatePathFor } from '@agentbox/sandbox-core';\nimport { UserFacingError } from '@agentbox/core';\nimport { findStagedCliRuntimeRoot, resolveRuntimeAssets } from './runtime-assets.js';\n\nconst SCHEMA = 1 as const;\n\nexport interface PreparedE2bBase {\n  /** Opaque E2B template id (e.g. `tmpl_xxxx` or `name:tag`). Sandbox.create({ template }) boots from this. */\n  templateId: string;\n  /** Human-friendly template name passed to Template.build (e.g. `agentbox-base:latest`). */\n  templateName?: string;\n  /** Deterministic SHA-256 of the build context (build script + assets). */\n  contextSha256?: string;\n  /** CLI version that produced this template (informational). */\n  cliVersion?: string;\n  /** Git short SHA of the CLI build (informational). */\n  cliCommit?: string;\n  /** ISO timestamp of bake completion. */\n  createdAt: string;\n}\n\nexport interface PreparedE2bState {\n  schema: typeof SCHEMA;\n  /** The shared base template. Absent until first `agentbox prepare`. */\n  base?: PreparedE2bBase;\n}\n\nexport function preparedStatePath(): string {\n  return preparedStatePathFor('e2b');\n}\n\nexport function readPreparedState(): PreparedE2bState {\n  const raw = readPreparedStateRaw('e2b');\n  if (raw === null || typeof raw !== 'object') return { schema: SCHEMA };\n  const parsed = raw as Partial<PreparedE2bState>;\n  if (parsed.schema !== SCHEMA) {\n    // Unknown/missing schema: refuse to read — the next prepare overwrites it.\n    return { schema: SCHEMA };\n  }\n  return { schema: SCHEMA, base: parsed.base };\n}\n\nexport function writePreparedState(state: PreparedE2bState): void {\n  writePreparedStateRaw('e2b', state);\n}\n\n/** Update one field of the state without forcing callers to read/merge/write. */\nexport function updatePreparedState(mutate: (s: PreparedE2bState) => void): void {\n  const s = readPreparedState();\n  mutate(s);\n  writePreparedState(s);\n}\n\n/**\n * Compute the CURRENT build-context fingerprint for the e2b base template\n * (the SHA over every file `prepare` would copy into the Template build).\n * Side-effect-free — never builds. Returns `undefined` when the runtime\n * assets can't be resolved (dev tree without `pnpm -w build`) so the CLI\n * can degrade to \"can't tell, don't nag\" rather than flag a false stale.\n *\n * Used by `evaluateBaseFreshness` to compare against the stored value in\n * `e2b-prepared.json.base.contextSha256`. Must produce a byte-identical\n * hash to the one `prepare` writes — both go through the same\n * `resolveRuntimeAssets` + `computeContextSha256` chain.\n */\nexport async function currentE2bBaseFingerprintLive(): Promise<string | undefined> {\n  try {\n    const assets = resolveRuntimeAssets({ cliRuntimeRoot: findStagedCliRuntimeRoot() });\n    return await computeContextSha256(\n      assets.map((a) => ({ rel: a.name, abs: a.localPath })),\n    );\n  } catch {\n    return undefined;\n  }\n}\n\n/**\n * First-use gate. If no base template is recorded, throw an actionable error\n * pointing at `agentbox prepare --provider e2b`. Called by `backend.provision`\n * (so `create` / `claude` trip it but `prepare` itself does not — same shape\n * as the hetzner/vercel gates).\n */\nexport function ensureE2bBaseTemplate(): void {\n  const state = readPreparedState();\n  if (state.base !== undefined) return;\n  throw new UserFacingError(\n    'no E2B base template found.\\n' +\n      'Run `agentbox prepare --provider e2b` first — it bakes a custom template ' +\n      'with the agentbox runtime (agentbox-ctl, vscode user, claude/codex/opencode, tmux) ' +\n      'so per-box `create` boots ready in seconds.',\n  );\n}\n"],"mappings":";;;;;;;;;;;;;AAmBA,SAAS,YAAY,oBAAoB;AACzC,SAAS,eAAe;AACxB,SAAS,eAAe;ACVxB,SAAS,SAAS,gBAAgB;ACDlC;EACE;EACA,cAAAA;EACA;EACA,gBAAAC;EACA;EACA;OACK;AACP,SAAS,WAAAC,gBAAe;AACxB,SAAS,SAAS,WAAAC,gBAAe;AAEjC;EACE;EACA;EACA;EACA;EACA;EACA;EACA;OACK;ACfP,SAAS,cAAAC,mBAAkB;AAC3B,SAAS,WAAAC,UAAS,WAAAC,gBAAe;AACjC,SAAS,qBAAqB;AHO9B,IAAM,WAAW,CAAC,eAAe,YAAY;AAE7C,IAAI,SAAS;AAEN,SAAS,qBAA2B;AACzC,MAAI,OAAQ;AACZ,WAAS;AACT,oBAAkB,QAAQ,QAAQ,GAAG,aAAa,aAAa,GAAG,QAAQ;AAC5E;AAOO,SAAS,eAAqB;AACnC,WAAS;AACT,qBAAmB;AACrB;AAEA,SAAS,kBAAkB,MAAc,MAA+B;AACtE,MAAI,CAAC,WAAW,IAAI,EAAG;AACvB,MAAI;AACJ,MAAI;AACF,WAAO,aAAa,MAAM,MAAM;EAClC,QAAQ;AACN;EACF;AACA,QAAM,SAAS,aAAa,IAAI;AAChC,aAAW,OAAO,MAAM;AACtB,QAAI,QAAQ,IAAI,GAAG,MAAM,OAAW;AACpC,UAAM,QAAQ,OAAO,GAAG;AACxB,QAAI,OAAO,UAAU,UAAU;AAC7B,cAAQ,IAAI,GAAG,IAAI;IACrB;EACF;AACF;AAOO,SAAS,aAAa,MAAsC;AACjE,QAAM,MAA8B,CAAC;AACrC,aAAW,WAAW,KAAK,MAAM,OAAO,GAAG;AACzC,UAAM,OAAO,QAAQ,KAAK;AAC1B,QAAI,KAAK,WAAW,KAAK,KAAK,WAAW,GAAG,EAAG;AAC/C,UAAM,WAAW,KAAK,WAAW,SAAS,IAAI,KAAK,MAAM,UAAU,MAAM,IAAI;AAC7E,UAAM,KAAK,SAAS,QAAQ,GAAG;AAC/B,QAAI,MAAM,EAAG;AACb,UAAM,MAAM,SAAS,MAAM,GAAG,EAAE,EAAE,KAAK;AACvC,QAAI,QAAQ,SAAS,MAAM,KAAK,CAAC,EAAE,KAAK;AACxC,QACE,MAAM,UAAU,MACd,MAAM,WAAW,GAAG,KAAK,MAAM,SAAS,GAAG,KAC1C,MAAM,WAAW,GAAG,KAAK,MAAM,SAAS,GAAG,IAC9C;AACA,cAAQ,MAAM,MAAM,GAAG,EAAE;IAC3B;AACA,QAAI,GAAG,IAAI;EACb;AACA,SAAO;AACT;ACjEO,SAAS,gBAAwB;AACtC,qBAAmB;AACnB,QAAM,IAAI,QAAQ,IAAI;AACtB,MAAI,CAAC,GAAG;AACN,UAAM,IAAI;MACR;IAGF;EACF;AACA,SAAO;AACT;AAGO,SAAS,uBAAgC;AAC9C,qBAAmB;AACnB,SAAO,QAAQ,QAAQ,IAAI,WAAW;AACxC;ACLA,IAAM,qBAAqB;AAM3B,IAAM,eAAe,CAAC,aAAa;AAOnC,eAAsB,qBACpB,OAAoC,CAAC,GACtB;AACf,qBAAmB;AAEnB,MAAI,CAAC,KAAK,SAAS,qBAAqB,EAAG;AAC3C,MAAI,CAAC,QAAQ,MAAM,MAAO;AAE1B,QAAM,WAAW;AACjB;IACE;eACkB,kBAAkB;;IAEpC;EACF;AAEA,QAAM,SAAS,MAAM,QAAQ;IAC3B,SAAS,QAAQ,kBAAkB;IACnC,cAAc;EAChB,CAAC;AACD,MAAI,SAAS,MAAM,GAAG;AACpB,QAAI,KAAK,sBAAsB;AAC/B;EACF;AACA,MAAI,OAAQ,eAAc;AAE1B,QAAM,MAAM,MAAM,SAAS;IACzB,SAAS;IACT,UAAU,CAAC,MAAO,KAAK,EAAE,KAAK,EAAE,SAAS,IAAI,SAAY;EAC3D,CAAC;AACD,MAAI,SAAS,GAAG,GAAG;AACjB,QAAI,KAAK,sBAAsB;AAC/B;EACF;AAEA,qBAAmB,EAAE,QAAQ,IAAI,KAAK,EAAE,CAAC;AACzC,eAAa;AACb,MAAI,QAAQ,4BAA4B,YAAY,CAAC,EAAE;AACvD,QAAM,iBAAiB;AACzB;AAEA,SAAS,mBAAmB,OAAiC;AAC3D,eAAa,EAAE,aAAa,MAAM,OAAO,CAAC;AAC5C;AAQA,SAAS,aAAa,QAAsC;AAC1D,aAAW,KAAK,aAAc,QAAO,QAAQ,IAAI,CAAC;AAClD,aAAW,CAAC,GAAG,CAAC,KAAK,OAAO,QAAQ,MAAM,EAAG,SAAQ,IAAI,CAAC,IAAI;AAE9D,QAAM,OAAO,YAAY;AACzB,YAAU,QAAQ,IAAI,GAAG,EAAE,WAAW,KAAK,CAAC;AAE5C,MAAI,WAAW;AACf,MAAIC,YAAW,IAAI,GAAG;AACpB,QAAI;AACF,iBAAWC,cAAa,MAAM,MAAM;IACtC,QAAQ;AACN,iBAAW;IACb;EACF;AACA,QAAM,OAAO,SACV,MAAM,OAAO,EACb,OAAO,CAAC,SAAS;AAChB,UAAM,WAAW,KAAK,WAAW,SAAS,IAAI,KAAK,MAAM,UAAU,MAAM,IAAI;AAC7E,UAAM,KAAK,SAAS,QAAQ,GAAG;AAC/B,QAAI,MAAM,EAAG,QAAO;AACpB,UAAM,MAAM,SAAS,MAAM,GAAG,EAAE,EAAE,KAAK;AACvC,WAAO,CAAE,aAAmC,SAAS,GAAG;EAC1D,CAAC,EACA,KAAK,IAAI,EACT,QAAQ,SAAS,EAAE;AAEtB,QAAM,QAAQ,OAAO,QAAQ,MAAM,EAAE,IAAI,CAAC,CAAC,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,CAAC,EAAE;AAChE,QAAM,QAAQ,OAAO,GAAG,IAAI;IAAO,MAAM,MAAM,KAAK,IAAI,IAAI;AAE5D,QAAM,MAAM,GAAG,IAAI;AACnB,gBAAc,KAAK,MAAM,EAAE,MAAM,IAAM,CAAC;AACxC,MAAI;AACF,cAAU,KAAK,GAAK;EACtB,QAAQ;EAER;AACA,aAAW,KAAK,IAAI;AACpB,MAAI;AACF,cAAU,MAAM,GAAK;EACvB,QAAQ;EAER;AACF;AAEA,SAAS,gBAAsB;AAC7B,SAAO,eAAoB,EACxB,KAAK,CAAC,EAAE,UAAU,MAAM;AACvB,UAAM,IAAI,UAAU,gBAAgB,GAAG,CAAC,kBAAkB,GAAG,EAAE,OAAO,SAAS,CAAC;AAChF,QAAI,EAAE,WAAW,GAAG;AAClB,UAAI,KAAK,gDAA2C,kBAAkB,YAAY;IACpF;EACF,CAAC,EACA,MAAM,MAAM;AACX,QAAI,KAAK,gDAA2C,kBAAkB,YAAY;EACpF,CAAC;AACL;AAEO,SAAS,cAAsB;AACpC,SAAOC,SAAQC,SAAQ,GAAG,aAAa,aAAa;AACtD;AAQO,SAAS,oBAAmC;AACjD,QAAM,WAAW,QAAQ,IAAI,gBAAgB;AAC7C,qBAAmB;AACnB,QAAM,MAAM,QAAQ,IAAI;AACxB,MAAI,CAAC,IAAK,QAAO,EAAE,MAAM,QAAQ,QAAQ,OAAO;AAChD,SAAO,EAAE,MAAM,OAAO,OAAO,KAAK,QAAQ,WAAW,QAAQ,cAAc;AAC7E;AAEO,SAAS,QAAQ,OAAuB;AAC7C,MAAI,MAAM,UAAU,EAAG,QAAO,IAAI,OAAO,MAAM,MAAM;AACrD,SAAO,GAAG,MAAM,MAAM,GAAG,CAAC,CAAC,SAAI,IAAI,OAAO,CAAC,CAAC,GAAG,MAAM,MAAM,EAAE,CAAC;AAChE;AC9JA,IAAM,OAAOC,SAAQ,cAAc,YAAY,GAAG,CAAC;AAE5C,SAAS,2BAA+C;AAC7D,QAAM,aAAa,CAACF,SAAQ,MAAM,MAAM,SAAS,GAAGA,SAAQ,MAAM,MAAM,MAAM,SAAS,CAAC;AACxF,aAAW,KAAK,YAAY;AAC1B,QAAIF,YAAWE,SAAQ,GAAG,OAAO,WAAW,mBAAmB,CAAC,EAAG,QAAO;EAC5E;AACA,SAAO;AACT;AAiBO,IAAM,iBAA0C;EACrD,EAAE,MAAM,qBAAqB,YAAY,mCAAmC,YAAY,IAAM;EAC9F,EAAE,MAAM,gBAAgB,YAAY,qBAAqB,YAAY,IAAM;EAC3E,EAAE,MAAM,sBAAsB,YAAY,2BAA2B,YAAY,IAAM;EACvF,EAAE,MAAM,+BAA+B,YAAY,oCAAoC,YAAY,IAAM;EACzG,EAAE,MAAM,iBAAiB,YAAY,sBAAsB,YAAY,IAAM;EAC7E,EAAE,MAAM,WAAW,YAAY,yBAAyB,YAAY,IAAM;EAC1E,EAAE,MAAM,YAAY,YAAY,0BAA0B,YAAY,IAAM;EAC5E,EAAE,MAAM,2BAA2B,YAAY,kCAAkC,YAAY,IAAM;EACnG,EAAE,MAAM,gCAAgC,YAAY,uCAAuC,YAAY,IAAM;EAC7G,EAAE,MAAM,6BAA6B,YAAY,kCAAkC,YAAY,IAAM;EACrG,EAAE,MAAM,2BAA2B,YAAY,gCAAgC,YAAY,IAAM;AACnG;AAMO,SAAS,cACd,MACA,OAAuD,CAAC,GAC9C;AACV,QAAM,UAAU,KAAK;AACrB,QAAM,WAAW,KAAK,YAAY,cAAc;AAEhD,QAAM,mBAA6C;IACjD,qBAAqB,CAAC,gDAAgD;IACtE,gBAAgB,CAAC,2BAA2B;IAC5C,sBAAsB,CAAC,oDAAoD;IAC3E,+BAA+B,CAAC,6DAA6D;IAC7F,iBAAiB,CAAC,+CAA+C;IACjE,WAAW,CAAC,yCAAyC;IACrD,YAAY,CAAC,0CAA0C;IACvD,2BAA2B,CAAC,sDAAsD;IAClF,gCAAgC,CAAC,8DAA8D;IAC/F,6BAA6B,CAAC,2DAA2D;IACzF,2BAA2B,CAAC,wCAAwC;EACtE;AAEA,QAAM,cAAwC;IAC5C,qBAAqB,CAAC,+BAA+B;IACrD,gBAAgB,CAAC,aAAa;IAC9B,sBAAsB,CAAC,0BAA0B,2DAA2D;IAC5G,+BAA+B,CAAC,mCAAmC,oEAAoE;IACvI,iBAAiB,CAAC,qBAAqB,sDAAsD;IAC7F,WAAW,CAAC,eAAe,gDAAgD;IAC3E,YAAY,CAAC,gBAAgB,iDAAiD;IAC9E,2BAA2B,CAAC,6BAA6B;IACzD,gCAAgC,CAAC,oCAAoC,qEAAqE;IAC1I,6BAA6B,CAAC,iCAAiC,kEAAkE;IACjI,2BAA2B,CAAC,+BAA+B,+CAA+C;EAC5G;AAEA,QAAM,MAAgB,CAAC;AACvB,MAAI,SAAS;AACX,eAAW,OAAO,YAAY,IAAI,KAAK,CAAC,EAAG,KAAI,KAAKA,SAAQ,SAAS,GAAG,CAAC;EAC3E;AACA,aAAW,OAAO,iBAAiB,IAAI,KAAK,CAAC,EAAG,KAAI,KAAKA,SAAQ,UAAU,GAAG,CAAC;AAC/E,SAAO;AACT;AAEO,SAAS,qBACd,OAAuD,CAAC,GACvC;AACjB,QAAM,MAAuB,CAAC;AAC9B,QAAM,UAAoD,CAAC;AAC3D,aAAW,SAAS,gBAAgB;AAClC,UAAM,QAAQ,cAAc,MAAM,MAAM,IAAI;AAC5C,UAAM,MAAM,MAAM,KAAK,CAAC,MAAMF,YAAW,CAAC,CAAC;AAC3C,QAAI,CAAC,KAAK;AACR,cAAQ,KAAK,EAAE,MAAM,MAAM,MAAM,OAAO,MAAM,CAAC;AAC/C;IACF;AACA,QAAI,KAAK,EAAE,GAAG,OAAO,WAAW,IAAI,CAAC;EACvC;AACA,MAAI,QAAQ,SAAS,GAAG;AACtB,UAAM,QAAQ,QAAQ,QAAQ,CAAC,MAAM,CAAC,OAAO,EAAE,IAAI,WAAW,GAAG,EAAE,MAAM,IAAI,CAAC,MAAM,SAAS,CAAC,EAAE,CAAC,CAAC;AAClG,UAAM,IAAI;MACR;IACE,MAAM,KAAK,IAAI,IACf;;;IACJ;EACF;AACA,SAAO;AACT;AAEA,SAAS,gBAAwB;AAC/B,MAAI,MAAM;AACV,WAAS,IAAI,GAAG,IAAI,GAAG,KAAK;AAC1B,QAAIA,YAAWE,SAAQ,KAAK,qBAAqB,CAAC,EAAG,QAAO;AAC5D,UAAM,SAASE,SAAQ,GAAG;AAC1B,QAAI,WAAW,IAAK;AACpB,UAAM;EACR;AACA,SAAO;AACT;ACvHA,IAAM,SAAS;AAuBR,SAAS,oBAA4B;AAC1C,SAAO,qBAAqB,KAAK;AACnC;AAEO,SAAS,oBAAsC;AACpD,QAAM,MAAM,qBAAqB,KAAK;AACtC,MAAI,QAAQ,QAAQ,OAAO,QAAQ,SAAU,QAAO,EAAE,QAAQ,OAAO;AACrE,QAAM,SAAS;AACf,MAAI,OAAO,WAAW,QAAQ;AAE5B,WAAO,EAAE,QAAQ,OAAO;EAC1B;AACA,SAAO,EAAE,QAAQ,QAAQ,MAAM,OAAO,KAAK;AAC7C;AAEO,SAAS,mBAAmB,OAA+B;AAChE,wBAAsB,OAAO,KAAK;AACpC;AAGO,SAAS,oBAAoB,QAA6C;AAC/E,QAAM,IAAI,kBAAkB;AAC5B,SAAO,CAAC;AACR,qBAAmB,CAAC;AACtB;AAcA,eAAsB,gCAA6D;AACjF,MAAI;AACF,UAAM,SAAS,qBAAqB,EAAE,gBAAgB,yBAAyB,EAAE,CAAC;AAClF,WAAO,MAAM;MACX,OAAO,IAAI,CAAC,OAAO,EAAE,KAAK,EAAE,MAAM,KAAK,EAAE,UAAU,EAAE;IACvD;EACF,QAAQ;AACN,WAAO;EACT;AACF;AAQO,SAAS,wBAA8B;AAC5C,QAAM,QAAQ,kBAAkB;AAChC,MAAI,MAAM,SAAS,OAAW;AAC9B,QAAM,IAAI;IACR;EAIF;AACF;","names":["existsSync","readFileSync","homedir","resolve","existsSync","dirname","resolve","existsSync","readFileSync","resolve","homedir","dirname"]}

package/dist/{chunk-2LF5YILI.js → chunk-RSKG7AFU.js}

@@ -1,9 +1,15 @@
 #!/usr/bin/env node
 import {
-  hostOpenCommand
-} from "./chunk-SNTHHWKY.js";
+  DOCKER_CONTEXT_FILE_MAP,
+  computeContextSha256,
+  hostOpenCommand,
+  readCliStamp,
+  readPreparedStateRaw,
+  resolveContextFilesFrom,
+  writePreparedStateRaw
+} from "./chunk-XKH7NTT7.js";
 
-// ../../packages/sandbox-daytona/dist/chunk-MLQU4RFU.js
+// ../../packages/sandbox-daytona/dist/chunk-35HJOOGT.js
 import { existsSync } from "fs";
 import { dirname, resolve } from "path";
 import { fileURLToPath } from "url";
@@ -34,6 +40,9 @@ import {
 import { homedir as homedir2 } from "os";
 import { dirname as dirname2, resolve as resolve3 } from "path";
 import { confirm, isCancel, intro, log, note, outro, password, spinner, text } from "@clack/prompts";
+import { existsSync as existsSync4 } from "fs";
+import { dirname as dirname3, resolve as resolve4 } from "path";
+import { fileURLToPath as fileURLToPath2 } from "url";
 function resolveDockerfileContext() {
   const override = process.env.AGENTBOX_DOCKER_CONTEXT;
   if (override && existsSync(resolve(override, "Dockerfile.box"))) {
@@ -174,7 +183,7 @@ function defaultRetryLog(line) {
 `);
 }
 function sleep(ms) {
-  return new Promise((resolve4) => setTimeout(resolve4, ms));
+  return new Promise((resolve5) => setTimeout(resolve5, ms));
 }
 async function raceTimeout(p, ms, method) {
   let timer;
@@ -743,6 +752,66 @@ function maskKey(value) {
   if (value.length <= 8) return "*".repeat(value.length);
   return `${value.slice(0, 4)}\u2026${"*".repeat(8)}${value.slice(-4)}`;
 }
+var SCHEMA = 1;
+function resolveDaytonaContextFiles() {
+  const ctx = resolveDockerfileContext();
+  if (!ctx) return null;
+  const here = dirname3(fileURLToPath2(import.meta.url));
+  const packageRoot = resolve4(here, "..");
+  const monorepoRoot = resolve4(here, "..", "..", "..");
+  const dockerPackageRoot = resolve4(monorepoRoot, "packages", "sandbox-docker");
+  const docker = resolveContextFilesFrom(DOCKER_CONTEXT_FILE_MAP, {
+    contextDir: ctx.context,
+    devRoot: existsSync4(dockerPackageRoot) ? dockerPackageRoot : packageRoot
+  });
+  if (!docker) return null;
+  const overlay = resolveDaytonaCustomClaudeMd();
+  if (!overlay) return null;
+  return [
+    ...docker,
+    // Daytona-specific overlay: separate logical name so a docker/daytona
+    // CLAUDE.md drift produces different fingerprints (the daytona snapshot
+    // contains both files in distinct locations).
+    { rel: "daytona/custom-system-CLAUDE.md", abs: overlay }
+  ];
+}
+async function computeDaytonaContextFingerprint() {
+  const files = resolveDaytonaContextFiles();
+  if (!files) return null;
+  return { contextSha256: await computeContextSha256(files), files };
+}
+async function currentDaytonaBaseFingerprintLive() {
+  try {
+    const fp = await computeDaytonaContextFingerprint();
+    return fp?.contextSha256;
+  } catch {
+    return void 0;
+  }
+}
+function readPreparedDaytonaState() {
+  const raw = readPreparedStateRaw("daytona");
+  if (raw === null || typeof raw !== "object") return null;
+  const parsed = raw;
+  if (parsed.schema !== SCHEMA) return null;
+  return { schema: SCHEMA, base: parsed.base };
+}
+function writePreparedDaytonaState(opts) {
+  const stamp = readCliStamp();
+  const state = {
+    schema: SCHEMA,
+    base: {
+      imageRef: opts.snapshotName,
+      contextSha256: opts.contextSha256,
+      cliVersion: stamp.cliVersion,
+      cliCommit: stamp.cliCommit,
+      createdAt: (/* @__PURE__ */ new Date()).toISOString()
+    }
+  };
+  writePreparedStateRaw("daytona", state);
+}
+function preparedMatches(state, current) {
+  return state?.base?.contextSha256 === current;
+}
 
 export {
   resolveDockerfileContext,
@@ -754,6 +823,11 @@ export {
   ensureDaytonaCredentials,
   secretsPath,
   readDaytonaCredStatus,
-  maskKey
+  maskKey,
+  computeDaytonaContextFingerprint,
+  currentDaytonaBaseFingerprintLive,
+  readPreparedDaytonaState,
+  writePreparedDaytonaState,
+  preparedMatches
 };
-//# sourceMappingURL=chunk-2LF5YILI.js.map
+//# sourceMappingURL=chunk-RSKG7AFU.js.map