@madarco/agentbox 0.5.0 → 0.7.0

package/share/agentbox-setup/SKILL.md

@@ -7,16 +7,22 @@ description: Generate an agentbox.yaml for the current AgentBox workspace. Invok
 
 ## Box layout (what you're configuring against)
 
-Your user i `vscode` and you can use passwordless sudo to run commands as root.
+Your user i `vscode` and you can use `sudo` to run commands as root.
 
-`/workspace` is the box's plain writable filesystem — a per-box git worktree on a fresh `agentbox/<box-name>` branch (or a tar-piped copy of the host workspace for non-git projects). Anything you install or build into `/workspace` (incl. `node_modules`, `.next`, `target`, `.venv`) lives in the **container's writable layer** and is captured wholesale by `agentbox checkpoint` (`docker commit`) — so a setup task that runs the install once becomes a warm-start asset for every future box in the project. Everything is wiped on `agentbox destroy`.
+`/workspace` is where the user code lives, a per-box git worktree on a fresh `agentbox/<box-name>` branch (or a tar-piped copy of the host workspace for non-git projects).
+Run `agentbox checkpoint --set-default` (similar to `docker commit`) to save any changes make to the system and workspace so that new boxes will start from a warm state. Everything is wiped on `agentbox destroy`.
 
-Three bind mounts wire the box back to the host:
+Some special folders:
 
-- **Host main repo's `.git/`** — bind-mounted RW at its identical absolute host path. In-box commits land on the host's branch refs (visible to `git log` on the host immediately); the box itself carries no SSH/git creds, so `git push` goes through the host relay (`agentbox-ctl git push`). The host's **working tree is never written to** — only refs/objects under `.git/`.
-- **`~/.claude`** — a Docker named volume (`agentbox-claude-config`, shared across boxes by default) seeded from the host's `~/.claude` on each create so auth, skills, and plugins persist without leaking the host's home dir.
+- **Host main repo's `.git/`** — If the box bind-mounted RW at its identical absolute host path. In-box commits land on the host's branch refs (visible to `git log` on the host immediately); the box itself carries no SSH/git creds, so `git push` goes through the host relay (`agentbox-ctl git push`). The host's **working tree is never written to** — only refs/objects under `.git/`.
+- **`~/.claude`** — and similar home folders for coding agents are seeded from the host's `~/.claude` on each create so auth, skills, and plugins persist without leaking the host's home dir.
 - **`agentbox.yaml`** — read by `agentbox-ctl` from `/workspace`. Tasks and services declared here are what the supervisor will run.
 
+Exposed ports and services:
+- **portless** - every port with `expose:` setting in agentbox.yaml, will be exposed not only as a local port but also as a special domain name `https://<name>.localhost` (so on https) using `portless` cli and proxy. This will be also mapped to the host where also `portless` proxy is running so users can access the same service on the same looking url.
+- **vnc** - the webVNC server exposed on 6080 will be proxies to the host on a random port.
+- **vscode** - the vscode server is proxied to the host on a random port.
+
 ## Goal
 
 Produce a `/workspace/agentbox.yaml` that captures this project's services, tasks, and box defaults so the in-box supervisor (`agentbox-ctl`) can boot the workspace deterministically.
@@ -64,7 +70,7 @@ The box's primary web app (the dev server / Next.js / API the user opens in a br
       as: 80        # must be 80 — the container port AgentBox publishes
 ```
 
-At most **one** service may set `expose:`. AgentBox forwards container `:80` to `127.0.0.1:<port>` and publishes it on the host, so `agentbox list`/`status` show it as the box's main URL on every engine (no OrbStack dependency). Set this on the same service whose `ready_when:` you just wrote (a DB or worker should **not** get `expose:`).
+At most **one** service may set `expose:`. AgentBox forwards container `:80` to `127.0.0.1:<port>` and publishes it on the host with `portless` proxy to a <boxname>.localhost url, so `agentbox list`/`status` show it as the box's main URL on every engine (no OrbStack dependency). Set this on the same service whose `ready_when:` you just wrote (a DB or worker should **not** get `expose:`).
 
 ## 4. Restart + backoff
 
@@ -158,24 +164,33 @@ services:
 - A service with `restart: never` and an autostart dependency will block the dependent forever after one failed run — usually a mistake.
 - `command:` is either a shell string (run via `bash -c`) or an argv array. Use the argv form if you need to avoid shell quoting.
 
-## 8. Hand-off
+## 8. Checkpoint the warm state (do this at the very end)
+
+Checkpoint (snapshot) this box writable layer: once the box is warmed up (deps installed, services ready), checkpoint it with `agentbox-ctl checkpoint --name setup --replace --set-default` so future boxes start ready.
+Run this command exactly once. The `--name setup --replace` makes it idempotent — if it ever needs to run again it overwrites the existing `setup` checkpoint instead of stacking duplicates.
+This doesn't need to be confirmed by the user.
+It will pause the container for several seconds so warn the user about it and write Done when it's done.
+
+## 9. Hand-off
 
-1. Write the file to `/workspace/agentbox.yaml`.
-2. **Apply it live**: from inside the box run `agentbox-ctl reload`. The already-running supervisor re-reads the config and immediately runs the declared tasks and autostarts the services — no box restart needed. It prints the `added` / `removed` / `changed` diff. If it errors because the daemon isn't running, the config is still valid: the next `agentbox start` (or `agentbox create` in this workspace) picks it up automatically.
-3. Confirm with `agentbox-ctl status`: tasks should be `running` or `done`, autostart services `starting` or `ready`. If something failed, tail it with `agentbox-ctl logs <service>` and fix the config, then `agentbox-ctl reload` again.
-4. Checkpoint (snapshot) this box writable layer: once the box is warmed up (deps installed, services ready), checkpoint it with `agentbox-ctl checkpoint --set-default` so future boxes start ready.
+Tell the user (verbatim):
 
-5. Tell the user:
+   ```
+    █████╗  ██████╗ ███████╗███╗   ██╗████████╗██████╗  ██████╗ ██╗  ██╗
+   ██╔══██╗██╔════╝ ██╔════╝████╗  ██║╚══██╔══╝██╔══██╗██╔═══██╗╚██╗██╔╝
+   ███████║██║  ███╗█████╗  ██╔██╗ ██║   ██║   ██████╔╝██║   ██║ ╚███╔╝
+   ██╔══██║██║   ██║██╔══╝  ██║╚██╗██║   ██║   ██╔══██╗██║   ██║ ██╔██╗
+   ██║  ██║╚██████╔╝███████╗██║ ╚████║   ██║   ██████╔╝╚██████╔╝██╔╝ ██╗
+   ╚═╝  ╚═╝ ╚═════╝ ╚══════╝╚═╝  ╚═══╝   ╚═╝   ╚═════╝  ╚═════╝ ╚═╝  ╚═╝
+   ```
 
-   > I wrote `/workspace/agentbox.yaml` and ran `agentbox-ctl reload` so the supervisor is already running the declared tasks/services. To land the file on the host:
-   > - I've created a checkpoint of the warm box state so future boxes start ready in seconds, no reinstall.
-   > - commit it inside the box (`git add agentbox.yaml && git commit -m 'add agentbox config'`) — the box's `.git/` is bind-mounted, so the commit shows up on the host immediately; or
-   > - on the host, tell the user to run `agentbox download config` to update their original host workspace.
+   your box is ready, you can start more sessions with `agentbox claude`
+   you can access the web app at https://<boxname>.localhost
 
-## 9. Known issues
+## 10. Known issues
 
 - For Nextjs/Vite/Tasnstack projects, makes sure to forward also websocket for hot reload.
 
-- The `install` task is intentionally a no-op once `node_modules/.agentbox-installed` exists. Do **not** remove the marker guard to "force a fresh install" — that reinstalls on every box start. To force a one-off rebuild, delete `node_modules` (or just the marker) then run `agentbox-ctl reload`.
+- Service like flask, nextjs, BETTER_AUTH_URL, NEXT_PUBLIC_APP_URL should use the <boxname>.localhost url for the local development so that on the host it will use the same url as the box.
 
-- Host-only CLI wrappers (portless, etc.) must be bypassed, eg some projects wrap the dev server with a host-side proxy (here: `portless projectname next dev --turbopack`). Override the service command: to call the underlying tool directly (`next dev --turbopack`)
+- The `install` task is intentionally a no-op once `node_modules/.agentbox-installed` exists. Do **not** remove the marker guard to "force a fresh install" — that reinstalls on every box start. To force a one-off rebuild, delete `node_modules` (or just the marker) then run `agentbox-ctl reload`.

package/dist/chunk-6VTAPD4H.js

@@ -1,507 +0,0 @@
-#!/usr/bin/env node
-import {
-  ConfigError,
-  VNC_CONTAINER_PORT,
-  WEB_CONTAINER_PORT,
-  bindWorktrees,
-  buildClaudeMounts,
-  buildIdeMounts,
-  chownGitBindParents,
-  collectRepoCarryOver,
-  createSnapshot,
-  cursorServerVolumeName,
-  detectGitRepos,
-  dockerVolumeName,
-  ensureClaudeVolume,
-  ensureIdeVolumes,
-  ensureRelay,
-  generateRelayToken,
-  generateVncPassword,
-  gitWorktreePathFor,
-  launchCtlDaemon,
-  launchDockerdDaemon,
-  launchVncDaemon,
-  loadConfig,
-  pickFreshBranch,
-  registerBoxWithRelay,
-  rehydrateRelayRegistry,
-  repairIdeOwnership,
-  resolveClaudeVolume,
-  seedSetupSkillIntoVolume,
-  seedWorkspace,
-  seedWorkspaceFromDir,
-  snapshotPathFor,
-  vscodeServerVolumeName
-} from "./chunk-PXUBE5KS.js";
-import {
-  allocateProjectIndex,
-  readState,
-  recordBox
-} from "./chunk-HPZMD5DE.js";
-import {
-  CONTAINER_EXPORT_MERGED,
-  DEFAULT_BOX_IMAGE,
-  DEFAULT_ENV_PATTERNS,
-  boxRunDirFor,
-  containerExists,
-  copyHostEnvFilesToBox,
-  copyHostFilesToBox,
-  dockerInfo,
-  dockerStorageDriver,
-  ensureImage,
-  ensureVolume,
-  publishedHostPort,
-  resolveCheckpoint,
-  runBox
-} from "./chunk-RFC5F5HR.js";
-
-// ../../packages/sandbox-docker/dist/chunk-NCSJPHDB.js
-import { randomBytes } from "crypto";
-import { mkdir, stat } from "fs/promises";
-import { homedir } from "os";
-import { basename, join, resolve } from "path";
-import { execa as execa2 } from "execa";
-import { execa } from "execa";
-async function writeBoxEnvFile(container, env) {
-  const body = formatBoxEnvBody(env);
-  const result = await execa(
-    "docker",
-    ["exec", "--user", "root", "-i", container, "sh", "-c", "umask 022 && cat > /etc/agentbox/box.env"],
-    { input: body, reject: false }
-  );
-  if (result.exitCode !== 0) {
-    return {
-      ok: false,
-      reason: `docker exec failed (exit ${String(result.exitCode)}): ${(result.stderr ?? "").toString().slice(0, 400)}`
-    };
-  }
-  return { ok: true };
-}
-function formatBoxEnvBody(env) {
-  const lines = [];
-  for (const [k, v] of Object.entries(env)) {
-    lines.push(`${k}=${shellSingleQuote(v)}`);
-  }
-  return lines.join("\n") + "\n";
-}
-function shellSingleQuote(s) {
-  return `'${s.replace(/'/g, `'\\''`)}'`;
-}
-function persistableLimits(lim) {
-  if (!lim) return void 0;
-  const out = {};
-  if (lim.memoryBytes && lim.memoryBytes > 0) out.memoryBytes = Math.floor(lim.memoryBytes);
-  if (lim.cpus && lim.cpus > 0) out.cpus = lim.cpus;
-  if (lim.pidsLimit && lim.pidsLimit > 0) out.pidsLimit = Math.floor(lim.pidsLimit);
-  if (lim.disk) out.disk = lim.disk;
-  return Object.keys(out).length > 0 ? out : void 0;
-}
-function generateBoxId() {
-  return randomBytes(4).toString("hex");
-}
-function sanitizeBasename(workspacePath) {
-  const raw = basename(resolve(workspacePath));
-  return raw.toLowerCase().replace(/[^a-z0-9._-]+/g, "-").replace(/-+/g, "-").replace(/^[-._]+|[-._]+$/g, "").slice(0, 30).replace(/[-._]+$/, "");
-}
-function defaultBoxName(workspacePath, id) {
-  const base = sanitizeBasename(workspacePath);
-  return base.length > 0 ? `${base}-${id}` : id;
-}
-async function pathExists(p) {
-  try {
-    await stat(p);
-    return true;
-  } catch {
-    return false;
-  }
-}
-async function buildIdentityMounts() {
-  const home = homedir();
-  const candidates = [
-    { src: join(home, ".codex"), dst: "/home/vscode/.codex", readOnly: false },
-    { src: join(home, ".gitconfig"), dst: "/home/vscode/.gitconfig", readOnly: true }
-  ];
-  const out = [];
-  for (const c of candidates) {
-    if (await pathExists(c.src)) {
-      out.push(`${c.src}:${c.dst}${c.readOnly ? ":ro" : ""}`);
-    }
-  }
-  return out;
-}
-async function createBox(opts) {
-  const log = opts.onLog ?? (() => {
-  });
-  const workspace = resolve(opts.workspacePath);
-  if (!await pathExists(workspace)) {
-    throw new Error(`workspace does not exist: ${workspace}`);
-  }
-  const cfgPath = join(workspace, "agentbox.yaml");
-  if (await pathExists(cfgPath)) {
-    try {
-      const cfg = await loadConfig(cfgPath);
-      log(`agentbox.yaml validated (${String(cfg.services.length)} service(s))`);
-    } catch (err) {
-      if (err instanceof ConfigError) {
-        throw new Error(`agentbox.yaml validation failed:
-  ${err.message}`);
-      }
-      throw err;
-    }
-  }
-  await dockerInfo();
-  log("docker daemon reachable");
-  let checkpointImage;
-  let checkpointSource;
-  let restoredWorktrees;
-  if (opts.checkpointRef) {
-    const projectRootForCkpt = opts.projectRoot ?? workspace;
-    const head = await resolveCheckpoint(projectRootForCkpt, opts.checkpointRef);
-    if (!head) {
-      throw new Error(`checkpoint not found: ${opts.checkpointRef}`);
-    }
-    checkpointImage = head.manifest.image;
-    const chain = [head.name, ...head.manifest.parents];
-    checkpointSource = { ref: opts.checkpointRef, type: head.manifest.type, chain };
-    restoredWorktrees = head.manifest.worktrees;
-    log(
-      `starting from checkpoint ${opts.checkpointRef} (${head.manifest.type}, ${String(chain.length)} layer(s), image ${head.manifest.image})`
-    );
-  }
-  const imageRef = checkpointImage ?? opts.image ?? DEFAULT_BOX_IMAGE;
-  const ensureRef = checkpointImage ? opts.image ?? DEFAULT_BOX_IMAGE : imageRef;
-  const { built } = await ensureImage(ensureRef, {
-    onProgress: (line) => log(`[image] ${line}`)
-  });
-  log(built ? `built image ${ensureRef}` : `using cached image ${imageRef}`);
-  let relayUp = false;
-  try {
-    await ensureRelay({ onLog: log });
-    const existing = await readState();
-    await rehydrateRelayRegistry(existing.boxes);
-    relayUp = true;
-  } catch (err) {
-    log(`relay unavailable: ${err instanceof Error ? err.message : String(err)}`);
-  }
-  const id = generateBoxId();
-  const name = opts.name ?? defaultBoxName(workspace, id);
-  const containerName = `agentbox-${name}`;
-  const createdAt = (/* @__PURE__ */ new Date()).toISOString();
-  if (await containerExists(containerName)) {
-    throw new Error(`container ${containerName} already exists; remove it first`);
-  }
-  let projectIndex;
-  if (opts.projectRoot) {
-    projectIndex = allocateProjectIndex(await readState(), opts.projectRoot);
-  }
-  const repoCarryOvers = [];
-  const gitWorktreeRecords = [];
-  if (checkpointImage && restoredWorktrees && restoredWorktrees.length > 0) {
-    gitWorktreeRecords.push(...restoredWorktrees);
-  }
-  if (!checkpointImage) {
-    const repos = await detectGitRepos(workspace);
-    if (repos.length > 0) {
-      log(
-        `detected ${String(repos.length)} git repo(s): ` + repos.map((r) => `${r.kind}${r.relPathFromWorkspace ? "@" + r.relPathFromWorkspace : ""}`).join(", ")
-      );
-    }
-    for (const r of repos) {
-      const branchBase = r.kind === "root" ? `agentbox/${name}` : `agentbox/${name}--${r.relPathFromWorkspace.replace(/[^A-Za-z0-9._-]+/g, "_")}`;
-      const branch = await pickFreshBranch(r.hostMainRepo, branchBase);
-      const containerPath = r.kind === "root" ? "/workspace" : `/workspace/${r.relPathFromWorkspace}`;
-      const gitWorktreePath = gitWorktreePathFor(branch);
-      const carry = await collectRepoCarryOver(r, branch, containerPath, gitWorktreePath);
-      repoCarryOvers.push(carry);
-      gitWorktreeRecords.push({
-        kind: r.kind,
-        hostMainRepo: r.hostMainRepo,
-        containerPath,
-        gitWorktreePath,
-        branch,
-        relPathFromWorkspace: r.relPathFromWorkspace
-      });
-    }
-  }
-  let snapshotDir = null;
-  const snapshotIsUseful = !checkpointImage && repoCarryOvers.length === 0;
-  if (opts.useSnapshot && snapshotIsUseful) {
-    snapshotDir = snapshotPathFor({ id, name, projectIndex });
-    log(`cloning workspace to ${snapshotDir} (APFS clone where available)`);
-    const snap = await createSnapshot({ source: workspace, destination: snapshotDir });
-    log(`pruned ${snap.prunedPaths.length} platform-dependent dirs from snapshot`);
-  } else if (opts.useSnapshot && !checkpointImage) {
-    log("skipping --host-snapshot: git worktree path reads content from .git, not from a workspace clone");
-  }
-  await ensureIdeVolumes(id);
-  const dockerCacheShared = opts.docker?.sharedCache === true;
-  const dockerVolume = dockerVolumeName(id, dockerCacheShared);
-  await ensureVolume(dockerVolume);
-  log(`prepared volumes ${vscodeServerVolumeName(id)}, ${cursorServerVolumeName(id)}, ${dockerVolume}`);
-  const ide = buildIdeMounts(id);
-  const claudeSpec = resolveClaudeVolume({
-    isolate: opts.claudeConfig?.isolate ?? false,
-    boxId: id
-  });
-  const claudeEnsured = await ensureClaudeVolume(claudeSpec, {
-    syncFromHost: true,
-    image: ensureRef,
-    hostWorkspace: workspace
-  });
-  if (claudeEnsured.synced) {
-    log(`synced ${claudeSpec.volume} from ~/.claude`);
-    if ((claudeEnsured.filteredHookCount ?? 0) > 0) {
-      log(
-        `filtered ${String(claudeEnsured.filteredHookCount)} host-path hook(s) (paths under ~/)`
-      );
-    }
-    if (claudeEnsured.clearedInstallMethod) {
-      log("cleared host's installMethod from synced .claude.json (box uses the native installer)");
-    }
-    if (claudeEnsured.aliasedProjectKey) {
-      log(`aliased project state for ${workspace} -> /workspace in synced .claude.json`);
-    }
-  } else if (claudeEnsured.created) {
-    log(`created empty volume ${claudeSpec.volume} (no host ~/.claude to sync)`);
-  } else {
-    log(`reusing volume ${claudeSpec.volume} (no host ~/.claude to sync)`);
-  }
-  const seeded = await seedSetupSkillIntoVolume(claudeSpec.volume, ensureRef);
-  if (seeded.seeded) log(`seeded /agentbox-setup skill into ${claudeSpec.volume}`);
-  const claudeMounts = buildClaudeMounts(claudeSpec, process.env);
-  const boxDir = boxRunDirFor({ id, name, projectIndex });
-  const socketDir = join(boxDir, "run");
-  const socketPath = join(socketDir, "ctl.sock");
-  const mergedExportDir = join(boxDir, "workspace");
-  await mkdir(socketDir, { recursive: true });
-  await mkdir(mergedExportDir, { recursive: true });
-  const extraVolumes = await buildIdentityMounts();
-  extraVolumes.push(...claudeMounts.extraVolumes);
-  extraVolumes.push(...ide.extraVolumes);
-  extraVolumes.push(`${socketDir}:/run/agentbox`);
-  extraVolumes.push(`${mergedExportDir}:${CONTAINER_EXPORT_MERGED}`);
-  extraVolumes.push(`${dockerVolume}:/var/lib/docker`);
-  for (const w of gitWorktreeRecords) {
-    extraVolumes.push(`${w.hostMainRepo}/.git:${w.hostMainRepo}/.git`);
-  }
-  for (const v of extraVolumes) log(`mounting agent dir: ${v}`);
-  const relayToken = generateRelayToken();
-  if (relayUp) {
-    try {
-      await registerBoxWithRelay({
-        boxId: id,
-        token: relayToken,
-        name,
-        containerName,
-        createdAt,
-        projectIndex,
-        worktrees: gitWorktreeRecords
-      });
-      log(`registered box token with relay`);
-    } catch (err) {
-      log(`relay register failed: ${err instanceof Error ? err.message : String(err)}`);
-      relayUp = false;
-    }
-  }
-  const relayEnv = relayUp ? {
-    // host.docker.internal resolves to the host (where the relay node
-    // process is running). The matching `--add-host` is set in runBox.
-    AGENTBOX_RELAY_URL: `http://host.docker.internal:8787`,
-    AGENTBOX_RELAY_TOKEN: relayToken
-  } : {};
-  const vncEnabled = opts.vnc?.enabled !== false;
-  const vncPassword = vncEnabled ? generateVncPassword() : void 0;
-  const vncEnv = vncEnabled && vncPassword ? { AGENTBOX_VNC_PASSWORD: vncPassword } : {};
-  const vncPortMappings = vncEnabled ? [{ hostPort: 0, containerPort: VNC_CONTAINER_PORT, hostIp: "127.0.0.1" }] : [];
-  const webPortMappings = [
-    { hostPort: 0, containerPort: WEB_CONTAINER_PORT, hostIp: "127.0.0.1" }
-  ];
-  const agentboxEnv = {
-    AGENTBOX: "1",
-    AGENTBOX_BOX_NAME: name,
-    AGENTBOX_HOST_WORKSPACE: workspace,
-    ...opts.projectRoot ? { AGENTBOX_PROJECT_ROOT: opts.projectRoot } : {},
-    ...projectIndex !== void 0 ? { AGENTBOX_PROJECT_INDEX: String(projectIndex) } : {}
-  };
-  const boxEnvForFile = {
-    AGENTBOX_BOX_ID: id,
-    ...agentboxEnv
-  };
-  const appliedLimits = opts.limits;
-  let effectiveLimits = appliedLimits;
-  if (appliedLimits?.disk) {
-    const driver = await dockerStorageDriver();
-    if (!/^(devicemapper|btrfs|zfs|windowsfilter)$/.test(driver)) {
-      log(
-        `warning: --disk/box.disk is a no-op on this engine (storage-driver=${driver || "unknown"}); ignoring`
-      );
-      effectiveLimits = { ...appliedLimits, disk: null };
-    }
-  }
-  await runBox({
-    name: containerName,
-    image: imageRef,
-    extraVolumes,
-    limits: effectiveLimits,
-    portMappings: [...vncPortMappings, ...webPortMappings],
-    env: {
-      AGENTBOX_BOX_ID: id,
-      ...agentboxEnv,
-      ...claudeMounts.env,
-      ...relayEnv,
-      ...vncEnv,
-      ...opts.claudeEnv ?? {}
-    }
-  });
-  log(`container ${containerName} started`);
-  if (gitWorktreeRecords.length > 0) {
-    await chownGitBindParents({
-      container: containerName,
-      hostMainRepos: gitWorktreeRecords.map((w) => w.hostMainRepo),
-      onLog: log
-    });
-  }
-  const boxEnv = await writeBoxEnvFile(containerName, boxEnvForFile);
-  if (boxEnv.ok) log("wrote /etc/agentbox/box.env");
-  else log(`writing /etc/agentbox/box.env failed: ${boxEnv.reason}`);
-  if (!checkpointImage) {
-    if (repoCarryOvers.length > 0) {
-      try {
-        await seedWorkspace({ container: containerName, repos: repoCarryOvers, onLog: log });
-        log("seeded /workspace from in-container git worktree(s)");
-      } catch (err) {
-        log(
-          `seedWorkspace failed; leaving ${containerName} running so you can inspect it`
-        );
-        throw err;
-      }
-    } else {
-      const source = snapshotDir ?? workspace;
-      await seedWorkspaceFromDir({ container: containerName, hostSource: source, onLog: log });
-    }
-  } else if (restoredWorktrees && restoredWorktrees.length > 0) {
-    await bindWorktrees(
-      containerName,
-      restoredWorktrees.map((w) => ({
-        kind: w.kind,
-        containerPath: w.containerPath,
-        gitWorktreePath: w.gitWorktreePath
-      })),
-      log
-    );
-    log("re-bound /workspace from checkpoint image");
-  } else {
-    log("using /workspace from checkpoint image (no worktrees recorded; no rebind)");
-  }
-  await repairIdeOwnership(containerName);
-  log(".vscode-server + .cursor-server ownership verified");
-  const ctl = await launchCtlDaemon(containerName, socketPath);
-  if (ctl.up) log("agentbox-ctl daemon up");
-  else log(`agentbox-ctl daemon did not become reachable: ${ctl.reason}`);
-  const dockerd = await launchDockerdDaemon(containerName);
-  if (dockerd.up) {
-    log(`dockerd up (storage-driver=fuse-overlayfs, data root=${dockerVolume})`);
-  } else {
-    log(`dockerd did not become ready: ${dockerd.reason}`);
-  }
-  if (opts.withPlaywright) {
-    log("installing @playwright/cli@latest (--with-playwright)");
-    const result = await execa2(
-      "docker",
-      [
-        "exec",
-        "--user",
-        "root",
-        containerName,
-        "bash",
-        "-lc",
-        "npm install -g @playwright/cli@latest 2>&1"
-      ],
-      { reject: false }
-    );
-    for (const line of (result.stdout ?? "").split("\n")) {
-      if (line.trim().length > 0) log(`[playwright] ${line}`);
-    }
-    if (result.exitCode !== 0) {
-      throw new Error(
-        `failed to install @playwright/cli (exit ${String(result.exitCode)}): ${(result.stderr ?? "").toString().slice(0, 400)}`
-      );
-    }
-    log("@playwright/cli installed");
-  }
-  if (opts.withEnv) {
-    log("copying host env/config files into /workspace (--with-env)");
-    const { copied } = await copyHostEnvFilesToBox({
-      container: containerName,
-      workspaceDir: workspace,
-      patterns: DEFAULT_ENV_PATTERNS,
-      onLog: log
-    });
-    log(copied > 0 ? `copied ${String(copied)} env/config file(s)` : "no env/config files found");
-  }
-  if (opts.envFilesToImport && opts.envFilesToImport.length > 0) {
-    log(`copying ${String(opts.envFilesToImport.length)} selected env/config file(s) into /workspace`);
-    const { copied } = await copyHostFilesToBox({
-      container: containerName,
-      workspaceDir: workspace,
-      files: opts.envFilesToImport,
-      onLog: log
-    });
-    if (copied !== opts.envFilesToImport.length) {
-      log(`copied ${String(copied)}/${String(opts.envFilesToImport.length)} selected env/config file(s)`);
-    }
-  }
-  let vncHostPort = null;
-  if (vncEnabled) {
-    const vnc = await launchVncDaemon(containerName);
-    if (vnc.up) log("vnc stack up (Xvnc + websockify + noVNC)");
-    else log(`vnc stack did not become reachable: ${vnc.reason}`);
-    vncHostPort = await publishedHostPort(containerName, VNC_CONTAINER_PORT);
-    if (vncHostPort) log(`vnc web on host 127.0.0.1:${String(vncHostPort)}`);
-  }
-  const webHostPort = await publishedHostPort(containerName, WEB_CONTAINER_PORT);
-  if (webHostPort) {
-    log(
-      `web port reserved on host 127.0.0.1:${String(webHostPort)} (forwards to the web service once agentbox.yaml sets a service expose:)`
-    );
-  }
-  const record = {
-    id,
-    name,
-    container: containerName,
-    image: imageRef,
-    workspacePath: workspace,
-    snapshotDir,
-    socketPath,
-    claudeConfigVolume: claudeSpec.volume,
-    vscodeServerVolume: vscodeServerVolumeName(id),
-    cursorServerVolume: cursorServerVolumeName(id),
-    relayToken: relayUp ? relayToken : void 0,
-    gitWorktrees: gitWorktreeRecords.length > 0 ? gitWorktreeRecords : void 0,
-    withPlaywright: opts.withPlaywright ? true : void 0,
-    withEnv: opts.withEnv ? true : void 0,
-    vncEnabled: vncEnabled ? true : void 0,
-    vncContainerPort: vncEnabled ? VNC_CONTAINER_PORT : void 0,
-    vncHostPort: vncHostPort ?? void 0,
-    vncPassword,
-    webContainerPort: WEB_CONTAINER_PORT,
-    webHostPort: webHostPort ?? void 0,
-    dockerVolume,
-    dockerCacheShared: dockerCacheShared || void 0,
-    projectRoot: opts.projectRoot,
-    projectIndex,
-    checkpointImage,
-    checkpointSource,
-    resourceLimits: persistableLimits(effectiveLimits),
-    createdAt
-  };
-  await recordBox(record);
-  return { record, imageBuilt: built };
-}
-
-export {
-  sanitizeBasename,
-  defaultBoxName,
-  createBox
-};
-//# sourceMappingURL=chunk-6VTAPD4H.js.map