@madarco/agentbox 0.14.0 → 0.15.0

package/runtime/relay/bin.cjs

@@ -18367,6 +18367,21 @@ var HostInitiatedTokens = class {
 var import_node_crypto2 = require("crypto");
 var PendingPrompts = class {
   entries = /* @__PURE__ */ new Map();
+  autoApprove = null;
+  /** Install the per-box auto-approve policy (relay server, once at startup). */
+  setAutoApprovePolicy(policy) {
+    this.autoApprove = policy;
+  }
+  /**
+   * True when this box opted into `box.autoApproveHostActions`. Records the
+   * bypass to the audit sink as a side effect so the caller short-circuits
+   * with a trail. Returns false when no policy is installed.
+   */
+  consumeAutoApprove(boxId, params) {
+    if (!this.autoApprove || !this.autoApprove.shouldAutoApprove(boxId)) return false;
+    this.autoApprove.audit(boxId, params);
+    return true;
+  }
   add(boxId, ev) {
     return new Promise((resolve2) => {
       this.entries.set(ev.id, {
@@ -18453,6 +18468,9 @@ async function askPrompt(prompts, subscribers, boxId, params, opts) {
   if (process.env.AGENTBOX_PROMPT === "off") {
     return { answer: "y" };
   }
+  if (prompts.consumeAutoApprove(boxId, params)) {
+    return { answer: "y" };
+  }
   const ev = { id: (0, import_node_crypto2.randomUUID)(), ...params };
   const promise = prompts.add(boxId, ev);
   subscribers.broadcast(boxId, "prompt-ask", ev);
@@ -19430,6 +19448,21 @@ function createRelayServer(opts) {
   const prompts = new PendingPrompts();
   const subscribers = new PromptSubscribers();
   const notices = new BoxNotices(subscribers);
+  prompts.setAutoApprovePolicy({
+    shouldAutoApprove: (boxId) => registry.get(boxId)?.autoApproveHostActions === true,
+    audit: (boxId, params) => {
+      events.append({
+        boxId,
+        type: "host-action-auto-approved",
+        payload: {
+          command: params.context?.command,
+          argv: params.context?.argv,
+          message: params.message
+        }
+      });
+      log(`auto-approved host action for ${boxId}: ${params.context?.command ?? params.message}`);
+    }
+  });
   const hostInitiatedTokens = new HostInitiatedTokens();
   let queuePoke = null;
   const host = opts.host ?? "0.0.0.0";
@@ -19617,11 +19650,22 @@ function createRelayServer(opts) {
           send(res, 400, { error: "cp.* requires {boxPath, hostPath} strings" });
           return;
         }
+        if (params.exclude !== void 0 && (!Array.isArray(params.exclude) || params.exclude.some((p) => typeof p !== "string"))) {
+          send(res, 400, { error: "cp.* exclude must be an array of strings" });
+          return;
+        }
         const direction = body.method === "cp.toHost" ? "box -> host" : "host -> box";
+        const pathDetail = body.method === "cp.toHost" ? `${params.boxPath} -> ${params.hostPath}` : `${params.hostPath} -> ${params.boxPath}`;
+        const detailParts = [pathDetail];
+        if (params.exclude && params.exclude.length > 0) {
+          detailParts.push(`exclude: ${params.exclude.join(", ")}`);
+        }
+        if (params.defaultExcludes === false) detailParts.push("(default excludes off)");
+        if (params.yes) detailParts.push("(over size limit \u2014 confirmed)");
         const verdict = await askPrompt(prompts, subscribers, reg.boxId, {
           kind: "confirm",
           message: `Allow cp (${direction}) on ${reg.name}?`,
-          detail: body.method === "cp.toHost" ? `${params.boxPath} -> ${params.hostPath}` : `${params.hostPath} -> ${params.boxPath}`,
+          detail: detailParts.join("\n"),
           defaultAnswer: "n",
           context: {
             command: body.method,
@@ -19787,7 +19831,8 @@ function createRelayServer(opts) {
         worktrees,
         previewUrl: typeof body.previewUrl === "string" && body.previewUrl.length > 0 ? body.previewUrl : void 0,
         previewToken: typeof body.previewToken === "string" && body.previewToken.length > 0 ? body.previewToken : void 0,
-        bridgeToken: typeof body.bridgeToken === "string" && body.bridgeToken.length > 0 ? body.bridgeToken : void 0
+        bridgeToken: typeof body.bridgeToken === "string" && body.bridgeToken.length > 0 ? body.bridgeToken : void 0,
+        autoApproveHostActions: body.autoApproveHostActions === true
       };
       registry.register(reg);
       log(
@@ -19895,6 +19940,15 @@ function createRelayServer(opts) {
       send(res, 200, { boxes: redacted });
       return;
     }
+    if (route === "GET /admin/prompts") {
+      const boxId = url.searchParams.get("boxId") ?? "";
+      if (boxId.length === 0) {
+        send(res, 400, { error: "missing boxId query param" });
+        return;
+      }
+      send(res, 200, { prompts: prompts.forBox(boxId) });
+      return;
+    }
     if (route === "GET /admin/prompts/stream") {
       const boxId = url.searchParams.get("boxId") ?? "";
       if (boxId.length === 0) {
@@ -20212,7 +20266,11 @@ async function handleCpRpc(reg, method, params) {
     };
   }
   const boxRef = `${reg.name}:${params.boxPath}`;
-  const argv = method === "cp.toHost" ? [process.execPath, entry, "cp", boxRef, params.hostPath] : [process.execPath, entry, "cp", params.hostPath, boxRef];
+  const flags = [];
+  for (const pat of params.exclude ?? []) flags.push("--exclude", pat);
+  if (params.defaultExcludes === false) flags.push("--no-default-excludes");
+  if (params.yes) flags.push("--yes");
+  const argv = method === "cp.toHost" ? [process.execPath, entry, "cp", boxRef, params.hostPath, ...flags] : [process.execPath, entry, "cp", params.hostPath, boxRef, ...flags];
   return runHostCommand(argv, CP_RPC_TIMEOUT_MS);
 }
 async function handleDownloadRpc(reg, kind) {
@@ -20340,6 +20398,7 @@ var BUILT_IN_DEFAULTS = {
     withEnv: false,
     resyncOnStart: true,
     vnc: true,
+    autoApproveHostActions: false,
     isolateClaudeConfig: false,
     isolateCodexConfig: false,
     isolateOpencodeConfig: false,
@@ -20360,7 +20419,8 @@ var BUILT_IN_DEFAULTS = {
     bundleDepth: void 0,
     vercelVcpus: 2,
     vercelTimeoutMs: 27e5,
-    vercelNetworkPolicy: ""
+    vercelNetworkPolicy: "",
+    cpMaxBytes: 100 * 1024 * 1024
   },
   checkpoint: {
     maxLayers: 3
@@ -20416,7 +20476,8 @@ var BUILT_IN_DEFAULTS = {
     enabled: true,
     maxConcurrent: 5,
     maxWorking: 0,
-    idleGraceSeconds: 15
+    idleGraceSeconds: 15,
+    openIn: "none"
   },
   cloud: {
     useCurrentBranch: false
@@ -20534,6 +20595,11 @@ var KEY_REGISTRY = [
     type: "bool",
     description: "Run the per-box Xvnc + noVNC stack."
   },
+  {
+    key: "box.autoApproveHostActions",
+    type: "bool",
+    description: "Auto-approve host-action confirmations (git push, cp host<->box, gh PR writes, checkpoint) for this box without an interactive prompt. Off by default; intended for unattended orchestration of trusted boxes. Each auto-approval is recorded as a relay event (visible in `agentbox agent` / the dashboard)."
+  },
   {
     key: "box.isolateClaudeConfig",
     type: "bool",
@@ -20632,6 +20698,12 @@ var KEY_REGISTRY = [
     type: "int",
     description: "Max session length (ms) for new --provider vercel boxes before the VM auto-snapshots; persistent mode auto-resumes on the next call. Default 2700000 (45 min, the Hobby ceiling). Vercel-only."
   },
+  {
+    key: "box.cpMaxBytes",
+    type: "int",
+    description: "Max bytes a single host\u2192box copy may transfer after excludes, shared by `agentbox cp` (blocked with a size breakdown unless --yes) and each `carry:` entry (rejected at resolve time). Default 104857600 (100 MiB).",
+    advanced: true
+  },
   {
     key: "box.vercelNetworkPolicy",
     type: "string",
@@ -20779,6 +20851,12 @@ var KEY_REGISTRY = [
     type: "int",
     description: "Seconds an agent must stay non-working before it frees its working slot (debounce against brief idle flaps between turns). Only used when queue.maxWorking > 0."
   },
+  {
+    key: "queue.openIn",
+    type: "enum",
+    enumValues: ["none", "split", "window", "tab"],
+    description: "When a background `-i` job finishes creating its box, where the host relay opens an attached terminal onto it: `none` (default \u2014 open nothing, just queue), `split`, `window`, or `tab`. Honored only when the submitting shell runs inside tmux, cmux, or iTerm2 (the targeting is captured at submit time). Under cmux, `split` splits the pane you submitted from (falling back to the parent workspace, then a new workspace), `tab` adds a tab in the parent workspace, and `window` opens a separate workspace; iTerm2 opens relative to the frontmost window. Unlike `attach.openIn` there is no `same` mode \u2014 the box is created asynchronously, so it is always a fresh terminal."
+  },
   {
     key: "cloud.useCurrentBranch",
     type: "bool",

package/runtime/vercel/agentbox-setup-skill.md

@@ -192,6 +192,36 @@ services:
       factor: 2
 ```
 
+## 6b. Bringing extra host files/folders into the box
+
+Two ways to copy host files in (both COPY — never a live mount, so the box can't
+write back to the host):
+
+- **`carry:` block** (declarative, in `agentbox.yaml`) — for files/dirs every box
+  should get at create time. Each entry is `{ src, dest }` with optional `mode`,
+  `user`, `optional`, and `exclude:` (a list of tar globs / bare dir names to drop
+  when copying a directory). Heavy regenerable dirs (`.git`, `node_modules`, `bin`,
+  `obj`, `packages`, `dist`, `.next`, `target`) are dropped by default; `exclude:`
+  is additive. Each carry entry is capped at `box.cpMaxBytes` (default 100 MiB
+  after excludes) — the same limit `agentbox cp` enforces.
+- **`agentbox-ctl cp fromHost <hostPath> <boxPath>`** (ad-hoc, from inside the box)
+  — for a one-off copy. Prompts the user on the host to approve.
+
+**The per-copy size limit (important for large/legacy folders).** A single copy is
+blocked above `box.cpMaxBytes` (default **100 MB**) *after* default excludes, so it
+fails loud instead of silently hanging. When blocked you get a `du`-style tree of
+the biggest remaining folders/subfolders. To get under the limit, EITHER:
+
+- **drop what the box can regenerate** (the default excludes already remove
+  `node_modules`/`.git`/build output; add more with `--exclude=<glob-or-name>`), OR
+- **copy the heavy folders one at a time** so each copy is under the limit, OR
+- pass `--yes` to copy the whole thing anyway (only when you really need it all).
+
+Example: a 2.4 GB legacy folder is mostly `packages/` (NuGet) + `.git`; those are
+excluded by default, and what's left can be split:
+`agentbox-ctl cp fromHost ../legacy/src /workspace/legacy/src` then
+`... cp fromHost ../legacy/Database /workspace/legacy/Database`.
+
 ## 7. Validate before handing off
 
 - check with `agentbox-ctl reload` and then `agentbox-ctl status` that everything is running as expected.