@madarco/agentbox 0.5.0 → 0.7.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@madarco/agentbox",
-  "version": "0.5.0",
+  "version": "0.7.0",
   "description": "Launch Claude Code, Codex, and other coding agents in isolated sandboxes",
   "license": "MIT",
   "author": "Marco D'Alia",
@@ -41,6 +41,7 @@
   ],
   "dependencies": {
     "@clack/prompts": "^0.9.0",
+    "@daytonaio/sdk": "^0.179.0",
     "@xterm/headless": "^5.5.0",
     "commander": "^12.1.0",
     "execa": "^9.5.2",
@@ -56,10 +57,14 @@
     "typescript": "^5.7.2",
     "vitest": "^2.1.8",
     "@agentbox/core": "0.0.0",
-    "@agentbox/relay": "0.0.0",
-    "@agentbox/ctl": "0.0.0",
     "@agentbox/config": "0.0.0",
-    "@agentbox/sandbox-docker": "0.0.0"
+    "@agentbox/ctl": "0.0.0",
+    "@agentbox/relay": "0.0.0",
+    "@agentbox/sandbox-cloud": "0.0.0",
+    "@agentbox/sandbox-core": "0.0.0",
+    "@agentbox/sandbox-daytona": "0.0.0",
+    "@agentbox/sandbox-docker": "0.0.0",
+    "@agentbox/sandbox-hetzner": "0.0.0"
   },
   "scripts": {
     "build": "tsup",

package/runtime/docker/Dockerfile.box

@@ -5,9 +5,9 @@
 # Silicon hosts). /workspace is a plain dir in the image's writable layer:
 # `agentbox create` populates it via in-container `git worktree add` (or a
 # tar pipe for the no-git case). The old FUSE overlay over /host-src+/upper
-# is gone — but fuse3 + fuse-overlayfs stay because the in-box dockerd uses
-# fuse-overlayfs as its storage driver. Plus the "universal-ish" set of
-# language runtimes (Node.js 22 from NodeSource, Python 3 from apt). Heavier
+# is gone — but fuse3 + fuse-overlayfs stay as the in-box dockerd's fallback
+# storage driver (it prefers the kernel-native overlay2). Plus the "universal-ish" set of
+# language runtimes (Node.js 24 from NodeSource, Python 3 from apt). Heavier
 # tooling (Go, Java, Ruby, .NET, more browser tooling, vscode-server) goes in
 # a later iteration.
 #
@@ -57,7 +57,7 @@ ENV COLORTERM=truecolor \
 RUN apt-get update \
     && apt-get install -y --no-install-recommends \
         curl ca-certificates gnupg \
-    && curl -fsSL https://deb.nodesource.com/setup_22.x | bash - \
+    && curl -fsSL https://deb.nodesource.com/setup_24.x | bash - \
     && apt-get install -y --no-install-recommends \
         fuse3 \
         fuse-overlayfs \
@@ -87,7 +87,7 @@ RUN setcap cap_net_bind_service=+ep "$(readlink -f "$(command -v node)")"
 # Enable corepack (pnpm/yarn shims) at build time as root. Doing this here
 # rather than in the wizard's install task avoids two failures the runtime
 # `corepack enable` (run as non-root `vscode`) hits: it can't write shims into
-# the root-owned NodeSource bin dir (/usr/bin), and node 22's bundled corepack
+# the root-owned NodeSource bin dir (/usr/bin), and node 24's bundled corepack
 # resolves its dist path relative to the symlink dirname, so a
 # ~/.local/bin/pnpm symlink looks for ~/.local/dist/pnpm.js and breaks.
 # `corepack@latest` fixes the symlink resolution; baking the shims into
@@ -97,6 +97,13 @@ RUN setcap cap_net_bind_service=+ep "$(readlink -f "$(command -v node)")"
 RUN npm install -g corepack@latest \
     && corepack enable pnpm yarn
 
+# Pre-create the corepack download cache owned by `vscode`. Without this,
+# the first corepack-driven install (e.g. the setup wizard's verification
+# step) hits ENOENT on /home/vscode/.cache/node/corepack/v1 because nothing
+# else creates ~/.cache for the runtime user.
+RUN mkdir -p /home/vscode/.cache/node/corepack \
+    && chown -R vscode:vscode /home/vscode/.cache
+
 # Host repos are bind-mounted in at their identical absolute path (worktree
 # pointer files contain absolute paths to <main>/.git/worktrees/<name>, so both
 # sides have to resolve the same path), and the host owns those `.git/` dirs.
@@ -105,14 +112,15 @@ RUN npm install -g corepack@latest \
 # bind-mount of ~/.gitconfig from the host.
 RUN git config --system --add safe.directory '*'
 
-# Docker-in-Docker. dockerd inside the box (storage-driver=fuse-overlayfs, set
-# in /etc/docker/daemon.json) lets the agent run `docker build`/`docker run`
-# in its own namespace without exposing the host daemon. fuse-overlayfs is
-# required because the kernel `overlay` driver isn't usable from an
-# unprivileged container — fuse3 + fuse-overlayfs are installed above
-# specifically for this (the outer /workspace overlay is gone, but the inner
-# dockerd still needs them). iptables is needed
-# for inner-container bridge networking. Adding `vscode` to the `docker` group
+# Docker-in-Docker. dockerd inside the box lets the agent run
+# `docker build`/`docker run` in its own namespace without exposing the host
+# daemon. The storage driver is NOT pinned here: agentbox-dockerd-start picks
+# it at runtime — the kernel-native overlay2 when a probe proves it works on
+# the data-root filesystem, else the fuse-overlayfs fallback (fuse3 +
+# fuse-overlayfs are installed above for that fallback). The baked daemon.json
+# only carries `iptables: true`; the script rewrites it with the resolved
+# `storage-driver` before launching dockerd. iptables is needed for
+# inner-container bridge networking. Adding `vscode` to the `docker` group
 # lets the agent invoke `docker` without sudo once dockerd creates the socket
 # at /var/run/docker.sock at runtime. The matching launch script is COPY'd in
 # below; the daemon is started by the host via `docker exec -d --user root`
@@ -123,7 +131,7 @@ RUN apt-get update \
         iptables \
     && rm -rf /var/lib/apt/lists/* \
     && mkdir -p /etc/docker \
-    && printf '%s\n' '{ "storage-driver": "fuse-overlayfs", "iptables": true }' > /etc/docker/daemon.json \
+    && printf '%s\n' '{ "iptables": true }' > /etc/docker/daemon.json \
     && usermod -aG docker vscode
 
 # agentbox-ctl: the in-container supervisor + CLI. Build context is the
@@ -160,6 +168,38 @@ RUN mkdir -p /home/vscode/.claude \
     && ln -s /home/vscode/.claude/_claude.json /home/vscode/.claude.json \
     && chown -h vscode:vscode /home/vscode/.claude.json
 
+# Cloud-provider credential pivot: ~/.agentbox-creds/<agent>/ is where the
+# per-org `agentbox-credentials` Daytona volume gets mounted at runtime (three
+# subpath mounts: claude/, codex/, opencode/). Three symlinks route the
+# agent-expected credential paths through to it so the in-box agent reads
+# tokens from the volume while the surrounding config sits on the snapshot-
+# baked sandbox FS.
+#
+# These symlinks are dangling at build time — their targets only resolve once
+# the volume is mounted. That's fine: ln succeeds, and the kernel resolves
+# symlinks lazily on open().
+#
+# The Docker provider is unaffected: its named `agentbox-{claude,codex,
+# opencode}-config` volumes mount *over* /home/vscode/.claude etc., obscuring
+# the symlinks; the volume content includes the credential files directly.
+RUN mkdir -p /home/vscode/.agentbox-creds/claude \
+             /home/vscode/.agentbox-creds/codex \
+             /home/vscode/.agentbox-creds/opencode \
+             /home/vscode/.codex \
+             /home/vscode/.local/share/opencode \
+    && ln -s /home/vscode/.agentbox-creds/claude/.credentials.json \
+             /home/vscode/.claude/.credentials.json \
+    && ln -s /home/vscode/.agentbox-creds/codex/auth.json \
+             /home/vscode/.codex/auth.json \
+    && ln -s /home/vscode/.agentbox-creds/opencode/auth.json \
+             /home/vscode/.local/share/opencode/auth.json \
+    && chown -R vscode:vscode /home/vscode/.agentbox-creds \
+                              /home/vscode/.codex \
+                              /home/vscode/.local \
+    && chown -h vscode:vscode /home/vscode/.claude/.credentials.json \
+                              /home/vscode/.codex/auth.json \
+                              /home/vscode/.local/share/opencode/auth.json
+
 # Prepare /home/vscode/.vscode-server and /home/vscode/.cursor-server (+ their
 # extensions subdirs) so the named volumes mounted at runtime — per-box
 # `agentbox-{vscode,cursor}-server-<id>` over the server dirs, then shared
@@ -183,6 +223,29 @@ USER vscode
 RUN curl -fsSL https://claude.ai/install.sh | bash -s stable
 USER root
 
+# OpenAI Codex CLI. The @openai/codex npm package ships platform-native
+# prebuilds for linux arm64/amd64, so a plain global install is enough.
+# Parallel to the Claude Code install above: `agentbox codex` launches it in a
+# tmux session and the box mounts a synced `agentbox-codex-config` volume at
+# ~/.codex for auth/config (see packages/sandbox-docker/src/codex.ts).
+#
+# `bubblewrap` (bwrap) is Codex's command-sandbox backend; without it on PATH
+# Codex falls back to a bundled copy and prints a warning on every run. It
+# works nested because the agentbox container already runs with --cap-add
+# SYS_ADMIN + apparmor:unconfined.
+RUN apt-get update \
+    && apt-get install -y --no-install-recommends bubblewrap \
+    && rm -rf /var/lib/apt/lists/* \
+    && npm install -g @openai/codex
+
+# OpenCode CLI (sst/opencode) — the multi-provider terminal coding agent.
+# Parallel to the Claude/Codex installs: `agentbox opencode` launches it in a
+# tmux session and the box mounts a synced `agentbox-opencode-config` volume
+# (see packages/sandbox-docker/src/opencode.ts). OpenCode splits its state
+# across ~/.config/opencode (config) and ~/.local/share/opencode (data + auth);
+# the volume holds both, with the config dir relocated via OPENCODE_CONFIG_DIR.
+RUN npm install -g opencode-ai
+
 # Browser support for in-box agents: Vercel's agent-browser drives Chrome via
 # CDP. Two things have to happen here:
 #
@@ -216,15 +279,26 @@ RUN apt-get update \
 
 RUN npm install -g agent-browser playwright
 
+# Portless CLI (https://portless.sh). Only the client — the box never runs the
+# proxy; that's a host process. With `portless.enabled`, createBox bind-mounts
+# the host's Portless state dir into the box and sets PORTLESS_STATE_DIR, so
+# the in-box `portless list`/`get` share the host's route registry (discovery).
+# Requires Node 24+ — hence the setup_24.x bump above.
+RUN npm install -g portless
+
 # Download Chromium as `vscode` so the ms-playwright cache lands in vscode's
 # home (the user agent-browser runs as). The downloaded binary lives at
-# `chromium-XXXX/chrome-linux/chrome`, where XXXX is a Playwright-internal
-# revision number that changes between releases — we resolve it once here and
-# write the result to a stable symlink so AGENT_BROWSER_EXECUTABLE_PATH can
-# point at something predictable.
+# `chromium-XXXX/chrome-linux*/chrome`, where XXXX is a Playwright-internal
+# revision number that changes between releases — and the inner dir is
+# `chrome-linux` for old releases and `chrome-linux64` (or `chrome-linux/arm64`)
+# for current Chrome-for-Testing builds. Glob both. We resolve once and write
+# a stable symlink so AGENT_BROWSER_EXECUTABLE_PATH can point at something
+# predictable.
 USER vscode
 RUN playwright install chromium \
-    && ln -sf "$(ls /home/vscode/.cache/ms-playwright/chromium-*/chrome-linux/chrome | sort | tail -1)" /tmp/chromium-link \
+    && CHROME_BIN="$(ls /home/vscode/.cache/ms-playwright/chromium-*/chrome-linux*/chrome 2>/dev/null | sort | tail -1)" \
+    && test -n "$CHROME_BIN" \
+    && ln -sf "$CHROME_BIN" /tmp/chromium-link \
     && test -x "$(readlink /tmp/chromium-link)"
 USER root
 RUN mv /tmp/chromium-link /usr/local/bin/chromium
@@ -284,6 +358,17 @@ RUN chmod +x /usr/local/bin/agentbox-dockerd-start
 COPY packages/sandbox-docker/scripts/agentbox-checkpoint-cleanup /usr/local/bin/agentbox-checkpoint-cleanup
 RUN chmod +x /usr/local/bin/agentbox-checkpoint-cleanup
 
+# In-box link opener. This wrapper routes http(s) URLs to `agentbox-ctl open`,
+# which opens the link in the box's own Chromium (agent-browser) and notifies
+# the relay so the host user can be offered to also open it on the host. It
+# shadows xdg-utils' /usr/bin/xdg-open (the symlink lands earlier in PATH) and
+# is set as $BROWSER so any tool that opens a link — Claude Code's OAuth flow,
+# `gh`, `git web--browse`, python's webbrowser — routes through it.
+COPY packages/sandbox-docker/scripts/agentbox-open /usr/local/bin/agentbox-open
+RUN chmod +x /usr/local/bin/agentbox-open \
+    && ln -sf /usr/local/bin/agentbox-open /usr/local/bin/xdg-open
+ENV BROWSER=/usr/local/bin/agentbox-open
+
 # tmux config so Claude's true-color output and OSC 8 hyperlinks survive the
 # in-container tmux. `terminal-features` is a no-op on tmux < 3.4. Without
 # this, claude renders without 24-bit color (logo invisible) and hyperlinks
@@ -297,6 +382,10 @@ RUN printf '%s\n' \
         'set -as terminal-overrides ",*:RGB"' \
         'set -as terminal-features ",*:hyperlinks"' \
         'set -as terminal-features ",*:RGB"' \
+        'set -g allow-passthrough on' \
+        'set -g set-clipboard on' \
+        'set -g extended-keys on' \
+        'set -as terminal-features ",*:extkeys"' \
         'set -g mouse on' \
         'bind -T copy-mode    WheelUpPane   send -N2 -X scroll-up' \
         'bind -T copy-mode    WheelDownPane send -N2 -X scroll-down' \
@@ -325,6 +414,13 @@ RUN chmod 0644 /etc/claude-code/CLAUDE.md
 COPY packages/sandbox-docker/scripts/claude-managed-settings.json /etc/claude-code/managed-settings.json
 RUN chmod 0644 /etc/claude-code/managed-settings.json
 
+# Codex activity-reporting hooks. Unlike Claude's managed-settings (an /etc
+# enterprise path), Codex discovers hooks at ~/.codex/hooks.json — so this is
+# staged in the image and seeded into the codex-config volume by
+# seedCodexHooks() at create/start time. See packages/sandbox-docker/src/codex.ts.
+COPY packages/sandbox-docker/scripts/agentbox-codex-hooks.json /usr/local/share/agentbox/codex-hooks.json
+RUN chmod 0644 /usr/local/share/agentbox/codex-hooks.json
+
 # /etc/agentbox/ holds runtime-injected box.env (written by `agentbox create`
 # via docker exec). Pre-created here so the writable layer starts with the
 # right perms; the file itself appears at create time.

package/runtime/docker/apps/cli/share/agentbox-setup/SKILL.md

@@ -7,16 +7,22 @@ description: Generate an agentbox.yaml for the current AgentBox workspace. Invok
 
 ## Box layout (what you're configuring against)
 
-Your user i `vscode` and you can use passwordless sudo to run commands as root.
+Your user i `vscode` and you can use `sudo` to run commands as root.
 
-`/workspace` is the box's plain writable filesystem — a per-box git worktree on a fresh `agentbox/<box-name>` branch (or a tar-piped copy of the host workspace for non-git projects). Anything you install or build into `/workspace` (incl. `node_modules`, `.next`, `target`, `.venv`) lives in the **container's writable layer** and is captured wholesale by `agentbox checkpoint` (`docker commit`) — so a setup task that runs the install once becomes a warm-start asset for every future box in the project. Everything is wiped on `agentbox destroy`.
+`/workspace` is where the user code lives, a per-box git worktree on a fresh `agentbox/<box-name>` branch (or a tar-piped copy of the host workspace for non-git projects).
+Run `agentbox checkpoint --set-default` (similar to `docker commit`) to save any changes make to the system and workspace so that new boxes will start from a warm state. Everything is wiped on `agentbox destroy`.
 
-Three bind mounts wire the box back to the host:
+Some special folders:
 
-- **Host main repo's `.git/`** — bind-mounted RW at its identical absolute host path. In-box commits land on the host's branch refs (visible to `git log` on the host immediately); the box itself carries no SSH/git creds, so `git push` goes through the host relay (`agentbox-ctl git push`). The host's **working tree is never written to** — only refs/objects under `.git/`.
-- **`~/.claude`** — a Docker named volume (`agentbox-claude-config`, shared across boxes by default) seeded from the host's `~/.claude` on each create so auth, skills, and plugins persist without leaking the host's home dir.
+- **Host main repo's `.git/`** — If the box bind-mounted RW at its identical absolute host path. In-box commits land on the host's branch refs (visible to `git log` on the host immediately); the box itself carries no SSH/git creds, so `git push` goes through the host relay (`agentbox-ctl git push`). The host's **working tree is never written to** — only refs/objects under `.git/`.
+- **`~/.claude`** — and similar home folders for coding agents are seeded from the host's `~/.claude` on each create so auth, skills, and plugins persist without leaking the host's home dir.
 - **`agentbox.yaml`** — read by `agentbox-ctl` from `/workspace`. Tasks and services declared here are what the supervisor will run.
 
+Exposed ports and services:
+- **portless** - every port with `expose:` setting in agentbox.yaml, will be exposed not only as a local port but also as a special domain name `https://<name>.localhost` (so on https) using `portless` cli and proxy. This will be also mapped to the host where also `portless` proxy is running so users can access the same service on the same looking url.
+- **vnc** - the webVNC server exposed on 6080 will be proxies to the host on a random port.
+- **vscode** - the vscode server is proxied to the host on a random port.
+
 ## Goal
 
 Produce a `/workspace/agentbox.yaml` that captures this project's services, tasks, and box defaults so the in-box supervisor (`agentbox-ctl`) can boot the workspace deterministically.
@@ -64,7 +70,7 @@ The box's primary web app (the dev server / Next.js / API the user opens in a br
       as: 80        # must be 80 — the container port AgentBox publishes
 ```
 
-At most **one** service may set `expose:`. AgentBox forwards container `:80` to `127.0.0.1:<port>` and publishes it on the host, so `agentbox list`/`status` show it as the box's main URL on every engine (no OrbStack dependency). Set this on the same service whose `ready_when:` you just wrote (a DB or worker should **not** get `expose:`).
+At most **one** service may set `expose:`. AgentBox forwards container `:80` to `127.0.0.1:<port>` and publishes it on the host with `portless` proxy to a <boxname>.localhost url, so `agentbox list`/`status` show it as the box's main URL on every engine (no OrbStack dependency). Set this on the same service whose `ready_when:` you just wrote (a DB or worker should **not** get `expose:`).
 
 ## 4. Restart + backoff
 
@@ -158,24 +164,33 @@ services:
 - A service with `restart: never` and an autostart dependency will block the dependent forever after one failed run — usually a mistake.
 - `command:` is either a shell string (run via `bash -c`) or an argv array. Use the argv form if you need to avoid shell quoting.
 
-## 8. Hand-off
+## 8. Checkpoint the warm state (do this at the very end)
+
+Checkpoint (snapshot) this box writable layer: once the box is warmed up (deps installed, services ready), checkpoint it with `agentbox-ctl checkpoint --name setup --replace --set-default` so future boxes start ready.
+Run this command exactly once. The `--name setup --replace` makes it idempotent — if it ever needs to run again it overwrites the existing `setup` checkpoint instead of stacking duplicates.
+This doesn't need to be confirmed by the user.
+It will pause the container for several seconds so warn the user about it and write Done when it's done.
+
+## 9. Hand-off
 
-1. Write the file to `/workspace/agentbox.yaml`.
-2. **Apply it live**: from inside the box run `agentbox-ctl reload`. The already-running supervisor re-reads the config and immediately runs the declared tasks and autostarts the services — no box restart needed. It prints the `added` / `removed` / `changed` diff. If it errors because the daemon isn't running, the config is still valid: the next `agentbox start` (or `agentbox create` in this workspace) picks it up automatically.
-3. Confirm with `agentbox-ctl status`: tasks should be `running` or `done`, autostart services `starting` or `ready`. If something failed, tail it with `agentbox-ctl logs <service>` and fix the config, then `agentbox-ctl reload` again.
-4. Checkpoint (snapshot) this box writable layer: once the box is warmed up (deps installed, services ready), checkpoint it with `agentbox-ctl checkpoint --set-default` so future boxes start ready.
+Tell the user (verbatim):
 
-5. Tell the user:
+   ```
+    █████╗  ██████╗ ███████╗███╗   ██╗████████╗██████╗  ██████╗ ██╗  ██╗
+   ██╔══██╗██╔════╝ ██╔════╝████╗  ██║╚══██╔══╝██╔══██╗██╔═══██╗╚██╗██╔╝
+   ███████║██║  ███╗█████╗  ██╔██╗ ██║   ██║   ██████╔╝██║   ██║ ╚███╔╝
+   ██╔══██║██║   ██║██╔══╝  ██║╚██╗██║   ██║   ██╔══██╗██║   ██║ ██╔██╗
+   ██║  ██║╚██████╔╝███████╗██║ ╚████║   ██║   ██████╔╝╚██████╔╝██╔╝ ██╗
+   ╚═╝  ╚═╝ ╚═════╝ ╚══════╝╚═╝  ╚═══╝   ╚═╝   ╚═════╝  ╚═════╝ ╚═╝  ╚═╝
+   ```
 
-   > I wrote `/workspace/agentbox.yaml` and ran `agentbox-ctl reload` so the supervisor is already running the declared tasks/services. To land the file on the host:
-   > - I've created a checkpoint of the warm box state so future boxes start ready in seconds, no reinstall.
-   > - commit it inside the box (`git add agentbox.yaml && git commit -m 'add agentbox config'`) — the box's `.git/` is bind-mounted, so the commit shows up on the host immediately; or
-   > - on the host, tell the user to run `agentbox download config` to update their original host workspace.
+   your box is ready, you can start more sessions with `agentbox claude`
+   you can access the web app at https://<boxname>.localhost
 
-## 9. Known issues
+## 10. Known issues
 
 - For Nextjs/Vite/Tasnstack projects, makes sure to forward also websocket for hot reload.
 
-- The `install` task is intentionally a no-op once `node_modules/.agentbox-installed` exists. Do **not** remove the marker guard to "force a fresh install" — that reinstalls on every box start. To force a one-off rebuild, delete `node_modules` (or just the marker) then run `agentbox-ctl reload`.
+- Service like flask, nextjs, BETTER_AUTH_URL, NEXT_PUBLIC_APP_URL should use the <boxname>.localhost url for the local development so that on the host it will use the same url as the box.
 
-- Host-only CLI wrappers (portless, etc.) must be bypassed, eg some projects wrap the dev server with a host-side proxy (here: `portless projectname next dev --turbopack`). Override the service command: to call the underlying tool directly (`next dev --turbopack`)
+- The `install` task is intentionally a no-op once `node_modules/.agentbox-installed` exists. Do **not** remove the marker guard to "force a fresh install" — that reinstalls on every box start. To force a one-off rebuild, delete `node_modules` (or just the marker) then run `agentbox-ctl reload`.