@madarco/agentbox 0.14.0 → 0.16.0

package/CHANGELOG.md

@@ -9,6 +9,114 @@ Entries are generated from the commit history with `/release-notes` and then
 hand-reviewed — they describe what changed for someone using the `agentbox`
 CLI, not the raw commits.
 
+## [0.16.0] - 2026-06-07
+
+### Added
+
+- **Notion integration.** A box can now call Notion through the host's
+  authenticated `ntn` CLI without the Notion token ever entering the box. The
+  in-box `ntn`/`notion` shim proxies to the host relay: reads pass straight
+  through, writes (`pages create`/`pages update`) prompt for host approval.
+  `ntn api` is read-only — GET to any endpoint plus the read-only POSTs
+  `v1/search`, `v1/databases/<id>/query`, and `v1/data_sources/<id>/query`
+  (full JSON bodies via `-d '<json>'`); every other method/endpoint is refused.
+  Off by default; enable per project with
+  `agentbox config set --project integrations.notion.enabled true`. Shows up in
+  `agentbox doctor`.
+- **Linear integration.** Same model for `@schpet/linear-cli`: read issues,
+  teams, and filtered queries plus a GraphQL **query** passthrough
+  (`linear api`); `mutation`/`subscription` are refused. `issue create`/
+  `update`/`comment add` prompt for host approval; `auth token` is hard-rejected
+  so the key stays on the host. Enable with `integrations.linear.enabled`.
+- **`run_once:` tasks** in `agentbox.yaml` (renamed from `idempotent:`): a task
+  that runs only on a cold box and is skipped on warm boots, tracked by a
+  durable marker.
+- **`agentbox.yaml` replacement engine** with an `{{AGENTBOX_AUTO_SECRET}}`
+  generator (stable per-project secret) and a new `agentbox render` command to
+  preview the resolved file. Replacements also apply to `carry:` targets.
+- **Docker `image:` services.** Sidecar containers declared under `image:` now
+  take their `ports`/`env` nested under `image:` as well, keeping all
+  image-level config in one place.
+- **Codex plugin marketplace.** AgentBox installs as a Codex plugin straight
+  from the repo (`codex plugin marketplace add madarco/agentbox`).
+
+### Fixed
+
+- `carry:` and `agentbox cp` copy files via `docker exec tar` instead of
+  `docker cp`, fixing "read/write on closed pipe" failures into the
+  bind-mounted workspace and relative-path targets (e.g. `./backups/...`).
+- `agentbox doctor` integration probes are time-bounded and stdin-isolated, so
+  doctor no longer hangs when a connector's auth check blocks; a timed-out
+  probe now reports a timeout rather than "not logged in".
+
+### Security
+
+- The Notion `ntn api` gate is fail-closed: it refuses any unrecognized flag
+  rather than ignoring it, closing a bypass where ntn's value-consuming global
+  flags (`--workers-config-file`, `--env`) could shift the real request
+  endpoint past the read classification. Host-file (`--file`/`--input`) bodies
+  and `.`/`..` path segments are refused.
+
+## [0.15.0] - 2026-06-05
+
+### Breaking
+
+- Carry and `cp` now share a single size cap. The `AGENTBOX_CARRY_MAX_BYTES`
+  env var is removed; both the `carry:` step and `agentbox cp` are governed by
+  the `box.cpMaxBytes` config key (default 100 MiB, up from carry's old 50 MiB).
+  Scripts that set `AGENTBOX_CARRY_MAX_BYTES` no longer have any effect — set
+  `box.cpMaxBytes` instead.
+
+### Added
+
+- `queue.openIn` config key: when a background `-i` job's box becomes ready,
+  optionally open an attached terminal onto it — `split`, `window`, or `tab`
+  (default `none`, the previous behavior). Fires only when you submit from
+  inside tmux, cmux, or iTerm2.
+- `agentbox cp` (and the `carry:` copy step) now stream the tar instead of
+  buffering it, so copies are no longer capped by Node's buffer limit (large
+  folders that silently failed with "tar: Write error" now work). Added a
+  repeatable `--exclude=<glob|name>` and `--no-default-excludes`; heavy
+  regenerable dirs (`.git`, `node_modules`, `dist`, `.next`, `target`, …) are
+  excluded by default. Copies larger than `box.cpMaxBytes` are blocked with a
+  du-style tree of the biggest folders and a suggested strategy unless `--yes`.
+- `agentbox agent approvals` / `agentbox agent approve`: inspect and answer
+  relay host-action confirmations (git push, `cp`, `gh` PR writes, checkpoint)
+  from a host orchestrator, instead of hand-curling the loopback endpoint.
+  Prompt ids are content-derived, so a prompt that changed since you listed it
+  is refused rather than mis-answered. Adds an opt-in per-box
+  `box.autoApproveHostActions` (default off, audited) for unattended runs.
+- The attach footer's `(...)` slot now shows aggregate box service status —
+  `starting N/M…` while services boot, `service error` on a crash/failed task,
+  `ready` once all are up (probe-aware: a `ready_when` service counts as up only
+  once its probe passes, so the footer no longer flashes `ready` early). Boxes
+  with no services fall back to the agent activity label.
+
+### Changed
+
+- `queue.openIn` under cmux: `split` and `tab` queued jobs now open in the
+  workspace you submitted from (split targets the original pane, falling back to
+  the parent workspace) instead of always spawning a new top-level workspace.
+  `window` still opens a separate workspace.
+- `agentbox config set queue.openIn` now warns that the feature only fires
+  inside tmux/cmux/iTerm2, and that cmux additionally needs `socketControlMode`
+  set to `automation`/`password` plus `cmux reload-config`.
+
+### Fixed
+
+- The `carry:` block is now documented in the published `agentbox.yaml` JSON
+  schema, so editors and in-box agents that fetch the schema no longer see it as
+  invalid or undiscoverable.
+- The stale default-checkpoint recreate prompt now fires for already-configured
+  projects too (it was skipped for them, silently booting old base layers), and
+  on recreate it reuses the existing `agentbox.yaml` instead of telling the agent
+  to regenerate a config that already exists.
+- `agentbox cp` now enforces `box.cpMaxBytes` on single-file uploads, not just
+  directories.
+- A supervisor screen-scrape safety net flips a stuck Claude `working` state to
+  `waiting` when its hooks miss a prompt (MCP dialogs, dropped notifications), so
+  `agent wait-for input-needed` reliably wakes.
+
 ## [0.14.0] - 2026-06-04
 
 ### Added

package/dist/{_cloud-attach-GUBB5RH2.js → _cloud-attach-5KJWOASL.js}

@@ -3,13 +3,13 @@ import {
   buildCloudAttachInnerCommand,
   cloudAgentAttach,
   cloudAgentStartDetached
-} from "./chunk-BYCLD6D6.js";
-import "./chunk-TCS5HXJX.js";
-import "./chunk-XKH7NTT7.js";
+} from "./chunk-SB4QTF2T.js";
+import "./chunk-GXJNJUEV.js";
+import "./chunk-DBBUDKKB.js";
 import "./chunk-G3H2L3O2.js";
 export {
   buildCloudAttachInnerCommand,
   cloudAgentAttach,
   cloudAgentStartDetached
 };
-//# sourceMappingURL=_cloud-attach-GUBB5RH2.js.map
+//# sourceMappingURL=_cloud-attach-5KJWOASL.js.map

package/dist/{chunk-RSKG7AFU.js → chunk-3WCEB6RE.js}

@@ -7,7 +7,7 @@ import {
   readPreparedStateRaw,
   resolveContextFilesFrom,
   writePreparedStateRaw
-} from "./chunk-XKH7NTT7.js";
+} from "./chunk-DBBUDKKB.js";
 
 // ../../packages/sandbox-daytona/dist/chunk-35HJOOGT.js
 import { existsSync } from "fs";
@@ -830,4 +830,4 @@ export {
   writePreparedDaytonaState,
   preparedMatches
 };
-//# sourceMappingURL=chunk-RSKG7AFU.js.map
+//# sourceMappingURL=chunk-3WCEB6RE.js.map

package/dist/{chunk-XKH7NTT7.js → chunk-DBBUDKKB.js}

@@ -1,5 +1,195 @@
 #!/usr/bin/env node
 
+// ../../packages/core/dist/index.js
+import { randomBytes } from "crypto";
+var claudeCodeLauncher = {
+  kind: "claude-code",
+  // claude treats its first positional argument as the seed user turn in
+  // interactive mode (`claude "<message>"`), so we slot the initial message
+  // ahead of any user-passed flags.
+  buildArgs(initialMessage, userArgs) {
+    if (!initialMessage) return [...userArgs];
+    return [initialMessage, ...userArgs];
+  }
+};
+var codexLauncher = {
+  kind: "codex",
+  buildArgs(initialMessage, userArgs) {
+    if (!initialMessage) return [...userArgs];
+    return [initialMessage, ...userArgs];
+  }
+};
+var opencodeLauncher = {
+  kind: "opencode",
+  buildArgs(initialMessage, userArgs) {
+    if (!initialMessage) return [...userArgs];
+    return [initialMessage, ...userArgs];
+  }
+};
+function resolveAgentLauncher(kind) {
+  if (kind === "claude-code") return claudeCodeLauncher;
+  if (kind === "codex") return codexLauncher;
+  if (kind === "opencode") return opencodeLauncher;
+  throw new Error(`unknown agent kind: ${String(kind)}`);
+}
+var PLACEHOLDER_KEYS = [
+  "AGENTBOX_BOX_NAME",
+  "AGENTBOX_BOX_ID",
+  "AGENTBOX_BOX_KIND",
+  "AGENTBOX_HOST_WORKSPACE",
+  "AGENTBOX_PROJECT_ROOT",
+  // Convenience: the portless host this box publishes (`<box-name>.localhost`).
+  // Derived from AGENTBOX_BOX_NAME when not set explicitly.
+  "AGENTBOX_BOX_HOST"
+];
+var PLACEHOLDER_SET = new Set(PLACEHOLDER_KEYS);
+var ReplaceError = class extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "ReplaceError";
+  }
+};
+var PLACEHOLDER_RE = /\{\{\s*([A-Z0-9_]+)\s*\}\}/g;
+function substitutePlaceholders(text, context, onWarn) {
+  return text.replace(PLACEHOLDER_RE, (match, name) => {
+    if (!PLACEHOLDER_SET.has(name)) return match;
+    const value = context[name];
+    if (value === void 0) {
+      onWarn?.(`placeholder {{${name}}} has no value in this context \u2014 left untouched`);
+      return match;
+    }
+    return value;
+  });
+}
+function applyReplacements(content, opts) {
+  let out = content;
+  if (opts.env) {
+    out = substitutePlaceholders(out, opts.context, opts.onWarn);
+  }
+  for (const rule of opts.rules ?? []) {
+    const to = substitutePlaceholders(rule.to, opts.context, opts.onWarn);
+    if (rule.regex) {
+      let re;
+      try {
+        re = new RegExp(rule.from, rule.flags ?? "g");
+      } catch (err) {
+        throw new ReplaceError(
+          `invalid regex "${rule.from}": ${err instanceof Error ? err.message : String(err)}`
+        );
+      }
+      out = out.replace(re, to);
+    } else {
+      out = out.split(rule.from).join(to);
+    }
+  }
+  return out;
+}
+function deriveBoxHost(ctx) {
+  if (ctx.AGENTBOX_BOX_HOST === void 0 && ctx.AGENTBOX_BOX_NAME !== void 0) {
+    ctx.AGENTBOX_BOX_HOST = `${ctx.AGENTBOX_BOX_NAME}.localhost`;
+  }
+  return ctx;
+}
+function isPlainObject(v) {
+  return typeof v === "object" && v !== null && !Array.isArray(v);
+}
+var RULE_KEYS = /* @__PURE__ */ new Set(["from", "to", "regex", "flags"]);
+function parseReplaceRule(raw, where) {
+  if (!isPlainObject(raw)) {
+    throw new ReplaceError(`${where} must be a mapping with at least { from, to }`);
+  }
+  for (const key of Object.keys(raw)) {
+    if (!RULE_KEYS.has(key)) throw new ReplaceError(`${where} has unknown key "${key}"`);
+  }
+  if (typeof raw.from !== "string" || raw.from.length === 0) {
+    throw new ReplaceError(`${where}.from must be a non-empty string`);
+  }
+  if (typeof raw.to !== "string") {
+    throw new ReplaceError(`${where}.to must be a string`);
+  }
+  const rule = { from: raw.from, to: raw.to };
+  if (raw.regex !== void 0 && raw.regex !== null) {
+    if (typeof raw.regex !== "boolean") throw new ReplaceError(`${where}.regex must be a boolean`);
+    rule.regex = raw.regex;
+  }
+  if (raw.flags !== void 0 && raw.flags !== null) {
+    if (typeof raw.flags !== "string") throw new ReplaceError(`${where}.flags must be a string`);
+    rule.flags = raw.flags;
+  }
+  if (rule.regex) {
+    try {
+      new RegExp(rule.from, rule.flags ?? "g");
+    } catch (err) {
+      throw new ReplaceError(
+        `${where}.from is not a valid regex: ${err instanceof Error ? err.message : String(err)}`
+      );
+    }
+  }
+  return rule;
+}
+function parseReplaceRules(raw, where) {
+  if (raw === void 0 || raw === null) return [];
+  if (!Array.isArray(raw)) throw new ReplaceError(`${where} must be a list of rules`);
+  return raw.map((r, i) => parseReplaceRule(r, `${where}[${String(i)}]`));
+}
+function parseReplacements(raw) {
+  if (raw === void 0 || raw === null) return {};
+  if (!isPlainObject(raw)) {
+    throw new ReplaceError("replacements must be a mapping of name \u2192 rule list");
+  }
+  const out = {};
+  for (const [name, rules] of Object.entries(raw)) {
+    if (!/^[A-Za-z0-9_-]+$/.test(name)) {
+      throw new ReplaceError(`replacements.${name}: name must match [A-Za-z0-9_-]+`);
+    }
+    out[name] = parseReplaceRules(rules, `replacements.${name}`);
+  }
+  return out;
+}
+function resolveRuleRefs(refs, replacements, where) {
+  const out = [];
+  for (const name of refs) {
+    const set = replacements[name];
+    if (set === void 0) {
+      const known = Object.keys(replacements);
+      throw new ReplaceError(
+        `${where}: unknown replacements rule-set "${name}"` + (known.length > 0 ? ` (known: ${known.join(", ")})` : " (none declared)")
+      );
+    }
+    out.push(...set);
+  }
+  return out;
+}
+var UserFacingError = class extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "UserFacingError";
+  }
+};
+var BoxNotFoundError = class extends Error {
+  constructor(query) {
+    super(`no agentbox matches "${query}"`);
+    this.query = query;
+    this.name = "BoxNotFoundError";
+  }
+  query;
+};
+var AmbiguousBoxError = class extends Error {
+  constructor(query, matches) {
+    const ids = matches.map((m) => m.id).join(", ");
+    super(`"${query}" matches multiple boxes: ${ids}`);
+    this.query = query;
+    this.matches = matches;
+    this.name = "AmbiguousBoxError";
+  }
+  query;
+  matches;
+};
+var BOX_ID_PREFIX = "b";
+function generateBoxId() {
+  return `${BOX_ID_PREFIX}${randomBytes(4).toString("hex")}`;
+}
+
 // ../../packages/sandbox-core/dist/index.js
 import { mkdir, open, readFile, rename, rm, stat, writeFile } from "fs/promises";
 import { homedir } from "os";
@@ -8,9 +198,12 @@ import { setTimeout as delay } from "timers/promises";
 import { execa } from "execa";
 import { readdir, stat as stat2 } from "fs/promises";
 import { join as join2 } from "path";
+import { mkdtemp, readFile as readFile2, writeFile as writeFile2 } from "fs/promises";
+import { tmpdir } from "os";
+import { basename, join as join3 } from "path";
 import { createHash } from "crypto";
 import { existsSync, mkdirSync, readFileSync, renameSync, writeFileSync } from "fs";
-import { readFile as readFile2 } from "fs/promises";
+import { readFile as readFile3 } from "fs/promises";
 import { homedir as homedir2 } from "os";
 import { dirname as dirname2, resolve as pathResolve } from "path";
 var STATE_DIR = join(homedir(), ".agentbox");
@@ -238,6 +431,46 @@ var GitWorktreeError = class extends Error {
 function hostOpenCommand() {
   return process.platform === "linux" ? "xdg-open" : "open";
 }
+function carryPlaceholderContext(ctx) {
+  const out = {};
+  if (ctx.name) out.AGENTBOX_BOX_NAME = ctx.name;
+  if (ctx.id) out.AGENTBOX_BOX_ID = ctx.id;
+  if (ctx.kind) out.AGENTBOX_BOX_KIND = ctx.kind;
+  if (ctx.hostWorkspace) out.AGENTBOX_HOST_WORKSPACE = ctx.hostWorkspace;
+  if (ctx.projectRoot) out.AGENTBOX_PROJECT_ROOT = ctx.projectRoot;
+  return deriveBoxHost(out);
+}
+function wantsRender(e) {
+  return e.kind === "file" && (!!e.replaceEnvs || (e.replace?.length ?? 0) > 0);
+}
+async function renderCarryEntries(entries, ctx, onLog) {
+  if (!entries.some(wantsRender)) return entries;
+  const context = carryPlaceholderContext(ctx);
+  const stage = await mkdtemp(join3(tmpdir(), "agentbox-carry-render-"));
+  const out = [];
+  for (const [i, entry] of entries.entries()) {
+    if (!wantsRender(entry)) {
+      out.push(entry);
+      continue;
+    }
+    const content = await readFile2(entry.absSrc, "utf8");
+    const rendered = applyReplacements(content, {
+      env: entry.replaceEnvs,
+      rules: entry.replace,
+      context,
+      onWarn: (msg) => onLog?.(`carry: ${entry.rawSrc}: ${msg}`)
+    });
+    const tmp = join3(stage, `${String(i)}-${basename(entry.absSrc)}`);
+    await writeFile2(tmp, rendered, "utf8");
+    out.push({ ...entry, absSrc: tmp, bytes: Buffer.byteLength(rendered) });
+    const what = [
+      ...entry.replaceEnvs ? ["env"] : [],
+      ...entry.replace?.length ? [`${String(entry.replace.length)} rule(s)`] : []
+    ].join("+");
+    onLog?.(`carry: rendered ${entry.rawSrc} (${what})`);
+  }
+  return out;
+}
 function preparedStatePathFor(provider) {
   return pathResolve(homedir2(), ".agentbox", `${provider}-prepared.json`);
 }
@@ -259,7 +492,7 @@ function writePreparedStateRaw(provider, state) {
   renameSync(tmp, path);
 }
 async function sha256OfFile(path) {
-  const buf = await readFile2(path);
+  const buf = await readFile3(path);
   return createHash("sha256").update(buf).digest("hex");
 }
 async function computeContextSha256(files) {
@@ -430,7 +663,7 @@ async function buildImage(opts = {}) {
   return ref;
 }
 async function pullOrBuild(ref, fingerprint, opts = {}) {
-  const { writePreparedDockerState: writePreparedDockerState2 } = await import("./prepared-state-MQHD3M5F-Q27AZU53.js");
+  const { writePreparedDockerState: writePreparedDockerState2 } = await import("./prepared-state-MQHD3M5F-2LANTRL7.js");
   const registry = opts.registry ?? BOX_IMAGE_REGISTRY;
   const allowPull = opts.allowPull !== false;
   if (allowPull && registry && fingerprint) {
@@ -456,7 +689,7 @@ async function pullOrBuild(ref, fingerprint, opts = {}) {
   return { source: "built" };
 }
 async function ensureImage(ref = DEFAULT_BOX_IMAGE, opts = {}) {
-  const { computeDockerContextFingerprint: computeDockerContextFingerprint2, readPreparedDockerState: readPreparedDockerState2, preparedMatches: preparedMatches2 } = await import("./prepared-state-MQHD3M5F-Q27AZU53.js");
+  const { computeDockerContextFingerprint: computeDockerContextFingerprint2, readPreparedDockerState: readPreparedDockerState2, preparedMatches: preparedMatches2 } = await import("./prepared-state-MQHD3M5F-2LANTRL7.js");
   const fingerprint = await computeDockerContextFingerprint2({
     contextDir: opts.contextDir
   });
@@ -526,6 +759,15 @@ function preparedMatches(state, current) {
 }
 
 export {
+  resolveAgentLauncher,
+  ReplaceError,
+  parseReplaceRules,
+  parseReplacements,
+  resolveRuleRefs,
+  UserFacingError,
+  BoxNotFoundError,
+  AmbiguousBoxError,
+  generateBoxId,
   STATE_DIR,
   STATE_FILE,
   readState,
@@ -540,6 +782,7 @@ export {
   pickFreshBranch,
   GitWorktreeError,
   hostOpenCommand,
+  renderCarryEntries,
   preparedStatePathFor,
   readPreparedStateRaw,
   writePreparedStateRaw,
@@ -563,4 +806,4 @@ export {
   writePreparedDockerState,
   preparedMatches
 };
-//# sourceMappingURL=chunk-XKH7NTT7.js.map
+//# sourceMappingURL=chunk-DBBUDKKB.js.map