@madarco/agentbox 0.14.0 → 0.16.0

package/runtime/hetzner/linear-shim

@@ -0,0 +1,181 @@
+#!/usr/bin/env bash
+# agentbox `linear` shim — translates a strict subset of `linear`
+# (@schpet/linear-cli, v2) subcommands into `agentbox-ctl integration
+# linear <op>` so the host's authenticated `linear` runs the operation and
+# only the result crosses back into the box. The in-box agent never sees a
+# Linear API token.
+#
+# Installed at /usr/local/bin/linear (real `linear` is not in the box).
+#
+# This shim ships only what documented agent flows need; anything outside
+# the subset below is rejected with a clear error. Add ops deliberately —
+# the relay is gated by `integrations.linear.enabled` and an explicit op
+# allowlist in @agentbox/integrations.
+#
+# Three classes of upstream subcommand are EXPLICITLY rejected even though
+# they exist on the host CLI, because proxying them would defeat the
+# security model:
+#   - `auth token` PRINTS the raw API token to stdout — proxying it would
+#     hand the box the host's Linear credential. The only auth-family op
+#     we proxy is `auth whoami` (identity only), via `linear whoami`.
+#   - `auth login/logout/migrate/default` would mutate host auth state.
+#   - `issue delete` / `team delete` / `team create` are destructive and
+#     off-list (widen deliberately, as gated writes, only if needed).
+
+set -euo pipefail
+
+# Path is a constant in production; the env override exists purely to let
+# unit tests substitute a stub `agentbox-ctl` on PATH without rewriting the
+# shim. Mirrors gh-shim / git-shim / ntn-shim.
+CTL="${AGENTBOX_CTL_PATH:-/usr/local/bin/agentbox-ctl}"
+
+die() {
+  printf 'agentbox linear shim: %s\n' "$*" >&2
+  exit 2
+}
+
+handle_auth() {
+  local sub="${1-}"; shift || true
+  case "$sub" in
+    whoami)
+      exec "$CTL" integration linear whoami -- "$@"
+      ;;
+    token)
+      die "'auth token' leaks the raw API key — refused. Use 'linear whoami' for identity."
+      ;;
+    login|logout|migrate|default)
+      die "'auth $sub' is not proxied (the host owns auth; run it on the host)."
+      ;;
+    '')
+      die "missing subcommand for 'auth'. Supported: whoami"
+      ;;
+    *)
+      die "unsupported 'auth $sub' (allowed: whoami)"
+      ;;
+  esac
+}
+
+handle_issue_comment() {
+  local sub="${1-}"; shift || true
+  case "$sub" in
+    add)
+      exec "$CTL" integration linear issue.comment -- "$@"
+      ;;
+    '')
+      die "missing subcommand for 'issue comment'. Supported: add"
+      ;;
+    *)
+      die "unsupported 'issue comment $sub' (allowed: add)"
+      ;;
+  esac
+}
+
+handle_issue() {
+  local sub="${1-}"; shift || true
+  case "$sub" in
+    list)
+      exec "$CTL" integration linear issue.list -- "$@"
+      ;;
+    mine)
+      exec "$CTL" integration linear issue.mine -- "$@"
+      ;;
+    view)
+      exec "$CTL" integration linear issue.view -- "$@"
+      ;;
+    query)
+      exec "$CTL" integration linear issue.query -- "$@"
+      ;;
+    create)
+      exec "$CTL" integration linear issue.create -- "$@"
+      ;;
+    update)
+      exec "$CTL" integration linear issue.update -- "$@"
+      ;;
+    comment)
+      handle_issue_comment "$@"
+      ;;
+    delete)
+      die "'issue delete' is not proxied (destructive; off-list by default)."
+      ;;
+    '')
+      die "missing subcommand for 'issue'. Supported: list, mine, view, query, create, update, comment add"
+      ;;
+    *)
+      die "unsupported 'issue $sub' (allowed: list, mine, view, query, create, update, comment add)"
+      ;;
+  esac
+}
+
+handle_team() {
+  local sub="${1-}"; shift || true
+  case "$sub" in
+    list)
+      exec "$CTL" integration linear team.list -- "$@"
+      ;;
+    create|delete)
+      die "'team $sub' is not proxied (destructive; off-list by default)."
+      ;;
+    '')
+      die "missing subcommand for 'team'. Supported: list"
+      ;;
+    *)
+      die "unsupported 'team $sub' (allowed: list)"
+      ;;
+  esac
+}
+
+# Top-level dispatch. `linear`'s real subcommands are
+# `auth issue team project cycle milestone initiative label document api schema`;
+# we expose only the read-safe ones plus a few gated writes (no destructive
+# ops, no auth token).
+if [ $# -eq 0 ]; then
+  die "no subcommand. Supported: whoami, auth whoami, issue {list,mine,view,query,create,update,comment add}, team list, api <query>, --version"
+fi
+
+case "$1" in
+  --version|-v)
+    # Tools that sniff "linear --version" succeed with our shim line. The
+    # real version lives host-side and is reported by the relay's
+    # readiness probe (`assertIntegrationReady`).
+    printf 'linear version 0.0.0 (agentbox-shim)\n'
+    ;;
+  --help|-h)
+    printf 'agentbox linear shim — strict subset.\n' >&2
+    printf 'Supported: whoami, auth whoami, issue {list,mine,view,query,create,update,comment add}, team list, api <query>, --version\n' >&2
+    printf 'Anything else is rejected. Run host `linear --help` for full upstream docs.\n' >&2
+    ;;
+  whoami)
+    shift
+    exec "$CTL" integration linear whoami -- "$@"
+    ;;
+  auth)
+    shift
+    handle_auth "$@"
+    ;;
+  issue)
+    shift
+    handle_issue "$@"
+    ;;
+  team)
+    shift
+    handle_team "$@"
+    ;;
+  api)
+    shift
+    # `linear api` accepts pre-positional flags (`--variable`,
+    # `--variables-json`, `--paginate`, `--silent`) before the GraphQL
+    # query, so we don't require the FIRST arg to be a non-flag — only
+    # that some arg is present. The relay's refuseGraphqlNonQuery
+    # enforces query-only by rejecting any positional whose first
+    # keyword is `mutation`/`subscription` (and any `--variable
+    # key=@<path>` host-file load), so we don't duplicate that check
+    # here. Writes go through the dedicated issue.* ops.
+    if [ $# -eq 0 ]; then
+      die "'api' requires a positional <query> (e.g. '{ teams { id } }')"
+    fi
+    exec "$CTL" integration linear api -- "$@"
+    ;;
+  *)
+    die "'$1' is not proxied (supported: whoami, issue {list,mine,view,query,create,update,comment add}, team list, api <query>, --version)"
+    ;;
+esac

package/runtime/hetzner/ntn-shim

@@ -0,0 +1,95 @@
+#!/usr/bin/env bash
+# agentbox `ntn` shim — translates a strict subset of `ntn` (the official
+# Notion CLI) subcommands into `agentbox-ctl integration notion <op>` so the
+# host's authenticated `ntn` runs the operation and only the result crosses
+# back into the box. The in-box agent never sees a Notion token.
+#
+# Installed at /usr/local/bin/ntn (real `ntn` is not in the box). The same
+# shim is symlinked as /usr/local/bin/notion — the per-service surface name
+# from docs/integrations_backlog.md — both invocations behave identically.
+#
+# This shim ships only what documented agent flows need; anything outside
+# the subset below is rejected with a clear error. Add ops deliberately —
+# the relay is gated by `integrations.notion.enabled` and an explicit op
+# allowlist in @agentbox/integrations.
+
+set -euo pipefail
+
+# Path is a constant in production; the env override exists purely to let
+# unit tests substitute a stub `agentbox-ctl` on PATH without rewriting the
+# shim. Mirrors gh-shim / git-shim.
+CTL="${AGENTBOX_CTL_PATH:-/usr/local/bin/agentbox-ctl}"
+
+die() {
+  printf 'agentbox notion shim: %s\n' "$*" >&2
+  exit 2
+}
+
+handle_pages() {
+  local op="${1-}"; shift || true
+  case "$op" in
+    create)
+      exec "$CTL" integration notion page.create -- "$@"
+      ;;
+    update)
+      exec "$CTL" integration notion page.update -- "$@"
+      ;;
+    '')
+      die "missing subcommand for 'pages'. Supported: create, update"
+      ;;
+    *)
+      die "unsupported 'pages $op' (allowed: create, update)"
+      ;;
+  esac
+}
+
+# Top-level dispatch. `ntn`'s real subcommands are
+# `api datasources files pages login logout whoami workers`; we expose only
+# the read-safe ones plus `pages {create,update}`.
+if [ $# -eq 0 ]; then
+  die "no subcommand. Supported: whoami, api <endpoint>, pages {create,update}, --version"
+fi
+
+case "$1" in
+  --version|-v)
+    # Tools that sniff "ntn version" succeed with our shim line. The real
+    # version lives host-side and is reported by the relay's readiness probe
+    # (`assertIntegrationReady`).
+    printf 'ntn version 0.0.0 (agentbox-shim)\n'
+    ;;
+  --help|-h)
+    printf 'agentbox notion shim — strict subset.\n' >&2
+    printf 'Supported: whoami, api <path> [inputs] [-d JSON], pages {create, update}, --version\n' >&2
+    printf 'api is read-only: GET to any endpoint; POST only to v1/search and\n' >&2
+    printf 'v1/{databases,data_sources}/{id}/query. Writes go through `pages`.\n' >&2
+    printf 'Anything else is rejected. Run host `ntn --help` for full upstream docs.\n' >&2
+    ;;
+  whoami)
+    shift
+    exec "$CTL" integration notion whoami -- "$@"
+    ;;
+  api)
+    shift
+    # Forward verbatim to mirror real `ntn api` (options may precede the path;
+    # `ls`/`help`/`--spec`/`--docs` and `-d <JSON>` bodies are all valid). The
+    # relay's refuseUnsafeApiCall is the security boundary: GET to any endpoint,
+    # POST only to read endpoints (v1/search, v1/databases/{id}/query,
+    # v1/data_sources/{id}/query); every other method/endpoint is refused.
+    # Writes go through the dedicated `pages create/update` ops.
+    exec "$CTL" integration notion api -- "$@"
+    ;;
+  pages)
+    shift
+    handle_pages "$@"
+    ;;
+  comment|comments)
+    # The T1 connector intentionally has no comment op — `ntn` exposes no
+    # top-level `comment` subcommand and Notion's REST POST /v1/comments
+    # takes a structured JSON body that doesn't trivially map from CLI
+    # flags. Tracked as a focused follow-up in docs/notion_backlog.md.
+    die "comment ops not supported yet (deferred from T2; see docs/notion_backlog.md)"
+    ;;
+  *)
+    die "'$1' is not proxied (supported: whoami, api <endpoint>, pages {create,update}, --version)"
+    ;;
+esac

package/runtime/hetzner/scripts/install-box.sh

@@ -15,6 +15,8 @@
 #   /tmp/agentbox-open                 -- in-box xdg-open shim
 #   /tmp/agentbox-gh-shim              -- in-box `gh` shim (routes to host gh via relay)
 #   /tmp/agentbox-git-shim             -- in-box `git` shim (routes push/pull/fetch/clone via relay)
+#   /tmp/agentbox-ntn-shim             -- in-box `ntn`/`notion` shim (routes Notion CLI to host ntn via relay)
+#   /tmp/agentbox-linear-shim          -- in-box `linear` shim (routes @schpet/linear-cli to host linear via relay; rejects `auth token`)
 #   /tmp/agentbox-custom-CLAUDE.md     -- /etc/claude-code/CLAUDE.md content
 #   /tmp/agentbox-managed-settings.json -- /etc/claude-code/managed-settings.json
 #   /tmp/agentbox-codex-hooks.json     -- /usr/local/share/agentbox/codex-hooks.json
@@ -108,10 +110,10 @@ chmod 0440 /etc/sudoers.d/90-agentbox-vscode
 done_ "vscode user (UID 1000) + sudoers"
 
 step "agentbox base dirs + /workspace ownership"
-mkdir -p /workspace /run/agentbox /var/log/agentbox /etc/agentbox /etc/claude-code \
+mkdir -p /workspace /run/agentbox /var/log/agentbox /var/lib/agentbox /etc/agentbox /etc/claude-code \
          /usr/local/share/agentbox
 chmod 755 /workspace
-chown vscode:vscode /workspace /run/agentbox /var/log/agentbox
+chown vscode:vscode /workspace /run/agentbox /var/log/agentbox /var/lib/agentbox
 done_ "agentbox base dirs + /workspace ownership"
 
 step "node setcap (port <1024 bind without root)"
@@ -161,19 +163,26 @@ done_ "agentbox-ctl install"
 # *before* Chromium sidesteps the issue and keeps the snapshot complete.
 # Tracked as Phase-7 follow-up in docs/hertzner_backlog.md.
 
-step "baked helper scripts (vnc / dockerd / cleanup / xdg-open / gh + git shims)"
+step "baked helper scripts (vnc / dockerd / cleanup / xdg-open / gh + git + ntn + linear shims)"
 install -m 0755 /tmp/agentbox-vnc-start          /usr/local/bin/agentbox-vnc-start
 install -m 0755 /tmp/agentbox-dockerd-start      /usr/local/bin/agentbox-dockerd-start
 install -m 0755 /tmp/agentbox-checkpoint-cleanup /usr/local/bin/agentbox-checkpoint-cleanup
 install -m 0755 /tmp/agentbox-open               /usr/local/bin/agentbox-open
 ln -sf /usr/local/bin/agentbox-open /usr/local/bin/xdg-open
-# gh + git shims — same files baked by Dockerfile.box for the docker provider.
-# The shim wins on PATH (default /usr/local/bin precedes /usr/bin) so any agent
-# call to `gh ...` / `git push|pull|fetch|clone` routes through the relay; the
-# git shim execs /usr/bin/git for everything else, no overhead.
+# gh + git + ntn + linear shims — same files baked by Dockerfile.box for the
+# docker provider. The shim wins on PATH (default /usr/local/bin precedes
+# /usr/bin) so any agent call to `gh ...` / `git push|pull|fetch|clone` /
+# `ntn ...` / `notion ...` / `linear ...` routes through the relay; the git
+# shim execs /usr/bin/git for everything else, no overhead. `notion` is a
+# symlink to `ntn` — same shim, per-service surface naming from
+# docs/integrations_backlog.md. The linear shim explicitly rejects
+# `linear auth token` (which would print the raw API key).
 install -m 0755 /tmp/agentbox-gh-shim            /usr/local/bin/gh
 install -m 0755 /tmp/agentbox-git-shim           /usr/local/bin/git
-done_ "baked helper scripts (vnc / dockerd / cleanup / xdg-open / gh + git shims)"
+install -m 0755 /tmp/agentbox-ntn-shim           /usr/local/bin/ntn
+ln -sf /usr/local/bin/ntn /usr/local/bin/notion
+install -m 0755 /tmp/agentbox-linear-shim        /usr/local/bin/linear
+done_ "baked helper scripts (vnc / dockerd / cleanup / xdg-open / gh + git + ntn + linear shims)"
 
 step "baked config files (claude / codex / setup guide / tmux.conf)"
 install -m 0644 /tmp/agentbox-custom-CLAUDE.md      /etc/claude-code/CLAUDE.md
@@ -364,7 +373,8 @@ step "trim /tmp/agentbox-*"
 # re-read which lines actually executed against which source.
 rm -f /tmp/agentbox-ctl /tmp/agentbox-vnc-start /tmp/agentbox-dockerd-start \
       /tmp/agentbox-checkpoint-cleanup /tmp/agentbox-open \
-      /tmp/agentbox-gh-shim /tmp/agentbox-git-shim \
+      /tmp/agentbox-gh-shim /tmp/agentbox-git-shim /tmp/agentbox-ntn-shim \
+      /tmp/agentbox-linear-shim \
       /tmp/agentbox-custom-CLAUDE.md /tmp/agentbox-managed-settings.json \
       /tmp/agentbox-codex-hooks.json /tmp/agentbox-setup-skill.md
 # Move install-box.sh into the persistent location for diagnostics.