@madarco/agentbox 0.6.0 → 0.7.0

package/runtime/docker/packages/sandbox-docker/scripts/agentbox-codex-hooks.json

@@ -0,0 +1,37 @@
+{
+  "SessionStart": [
+    {
+      "hooks": [
+        { "type": "command", "command": "agentbox-ctl codex-state idle >/dev/null 2>&1 &", "timeout": 3 }
+      ]
+    }
+  ],
+  "UserPromptSubmit": [
+    {
+      "hooks": [
+        { "type": "command", "command": "agentbox-ctl codex-state working >/dev/null 2>&1 &", "timeout": 3 }
+      ]
+    }
+  ],
+  "PreToolUse": [
+    {
+      "hooks": [
+        { "type": "command", "command": "agentbox-ctl codex-state working >/dev/null 2>&1 &", "timeout": 3 }
+      ]
+    }
+  ],
+  "PermissionRequest": [
+    {
+      "hooks": [
+        { "type": "command", "command": "agentbox-ctl codex-state waiting >/dev/null 2>&1 &", "timeout": 3 }
+      ]
+    }
+  ],
+  "Stop": [
+    {
+      "hooks": [
+        { "type": "command", "command": "agentbox-ctl codex-state idle >/dev/null 2>&1 &", "timeout": 3 }
+      ]
+    }
+  ]
+}

package/runtime/docker/packages/sandbox-docker/scripts/agentbox-open

@@ -1,14 +1,14 @@
 #!/usr/bin/env bash
-# Routes in-box URL opens to the *host's* default browser via the agentbox
-# relay. The box has no real browser of its own. This script is installed at
-# /usr/local/bin (earlier in PATH than xdg-utils' /usr/bin/xdg-open, which it
-# is also symlinked over) and is the box's $BROWSER, so `xdg-open`, Claude
-# Code's OAuth flow, `gh`, `git web--browse`, python's webbrowser, etc. all
-# land here.
+# Routes in-box URL opens to `agentbox-ctl open`, which opens the link in the
+# box's own Chromium (agent-browser, visible via `agentbox screen`) and asks
+# the host user — in the footer/dashboard — whether to also open it on the
+# host. This script is installed at /usr/local/bin (earlier in PATH than
+# xdg-utils' /usr/bin/xdg-open, which it is also symlinked over) and is the
+# box's $BROWSER, so `xdg-open`, Claude Code's OAuth flow, `gh`,
+# `git web--browse`, python's webbrowser, etc. all land here.
 #
-# Only http(s) URLs are forwarded to the host. Anything else (a file path,
-# another scheme) falls through to the real xdg-open, which resolves it
-# locally inside the box.
+# Only http(s) URLs are routed. Anything else (a file path, another scheme)
+# falls through to the real xdg-open, which resolves it locally in the box.
 
 set -uo pipefail
 

package/runtime/hetzner/agentbox-checkpoint-cleanup

@@ -0,0 +1,52 @@
+#!/usr/bin/env bash
+# Pre-`docker commit` cleanup: strip ephemeral / disposable state so the
+# captured checkpoint image is closer to "warm project state, nothing else".
+#
+# Invoked by the host via `docker exec --user root <container>
+# /usr/local/bin/agentbox-checkpoint-cleanup` right before
+# `docker commit`. Best-effort: every step is allowed to fail (a checkpoint
+# capture should never block on cleanup hiccups).
+#
+# What we DELIBERATELY keep:
+#   - /workspace                  the actual point of the checkpoint
+#   - /home/vscode/.npm           warm npm cache (next install is fast)
+#   - /home/vscode/.cache         pnpm/yarn/Cargo/etc. caches
+#   - /var/lib/docker             in-box dockerd's data root
+#   - /home/vscode/.claude        the named volume is bind-mounted; image
+#                                 layer never sees it anyway
+set +e
+
+# apt: drop downloaded .deb cache and the package index. The index is ~50MB
+# and gets refreshed on the next `apt-get update`; the .deb cache is reusable
+# only if we don't change versions, which we usually do.
+apt-get clean 2>/dev/null
+rm -rf /var/lib/apt/lists/* 2>/dev/null
+
+# Throwaway scratch dirs. Preserve /tmp/claude-* — that is the live in-box
+# Claude Code session's working tree (its per-task stdout/stderr files). The
+# agent that triggered this checkpoint *is* that session; deleting its task
+# output mid-run makes its harness see ENOENT, treat the command as failed,
+# and retry the checkpoint (observed: 5 duplicate auto-named checkpoints).
+# Stale claude-* dirs baked into the image are tiny and Claude Code prunes
+# them itself on the next session start.
+find /tmp /var/tmp -mindepth 1 -maxdepth 1 ! -name 'claude-*' -exec rm -rf {} + 2>/dev/null
+
+# Logs: truncate (don't delete) so the original file modes / ownerships stay
+# intact for the next run. Targets common rotated archives too.
+find /var/log -type f \( -name '*.log' -o -name '*.gz' -o -name '*.1' \) \
+  -exec truncate -s0 {} + 2>/dev/null
+find /var/log/agentbox -type f -exec truncate -s0 {} + 2>/dev/null
+
+# Bash history (root + vscode). Re-assert vscode ownership: `: >` run as root
+# (re)creates the file root-owned 0644 when it didn't exist, which the uid-1000
+# vscode user cannot append to, silently dropping all shell history.
+: > /root/.bash_history 2>/dev/null
+: > /home/vscode/.bash_history 2>/dev/null
+chown vscode:vscode /home/vscode/.bash_history 2>/dev/null
+chmod 600 /home/vscode/.bash_history 2>/dev/null
+
+# Anthropic's installer writes a transient marker; redundant once the binary
+# is in place. Safe to wipe.
+rm -rf /home/vscode/.claude-installer 2>/dev/null
+
+exit 0

package/runtime/hetzner/agentbox-codex-hooks.json

@@ -0,0 +1,37 @@
+{
+  "SessionStart": [
+    {
+      "hooks": [
+        { "type": "command", "command": "agentbox-ctl codex-state idle >/dev/null 2>&1 &", "timeout": 3 }
+      ]
+    }
+  ],
+  "UserPromptSubmit": [
+    {
+      "hooks": [
+        { "type": "command", "command": "agentbox-ctl codex-state working >/dev/null 2>&1 &", "timeout": 3 }
+      ]
+    }
+  ],
+  "PreToolUse": [
+    {
+      "hooks": [
+        { "type": "command", "command": "agentbox-ctl codex-state working >/dev/null 2>&1 &", "timeout": 3 }
+      ]
+    }
+  ],
+  "PermissionRequest": [
+    {
+      "hooks": [
+        { "type": "command", "command": "agentbox-ctl codex-state waiting >/dev/null 2>&1 &", "timeout": 3 }
+      ]
+    }
+  ],
+  "Stop": [
+    {
+      "hooks": [
+        { "type": "command", "command": "agentbox-ctl codex-state idle >/dev/null 2>&1 &", "timeout": 3 }
+      ]
+    }
+  ]
+}

package/runtime/hetzner/agentbox-dockerd-start

@@ -0,0 +1,132 @@
+#!/usr/bin/env bash
+# Start the in-box dockerd. Launched by the host via
+# `docker exec -d --user root`. Idempotent — safe to call again on
+# `agentbox start`. The storage driver is selected at runtime (see
+# select_storage_driver below): the kernel-native `overlay2` when a probe
+# proves it works on the data-root filesystem, otherwise `fuse-overlayfs`.
+# The chosen driver is written to /etc/docker/daemon.json before launch.
+
+set -euo pipefail
+
+if pgrep -x dockerd >/dev/null; then
+  exit 0
+fi
+
+mkdir -p /var/lib/docker /var/run /var/log/agentbox
+
+# /var/run lives in the container's writable layer (not a volume), so files
+# written by the previous dockerd run survive `docker stop`/`start`. dockerd
+# refuses to start if `/var/run/docker.pid` exists with a PID in /proc — and
+# after restart, that PID number has been reassigned to (probably) the new
+# `sleep infinity`. Wipe both the pidfile and the stale socket here; pgrep
+# above already confirmed no real dockerd is running.
+rm -f /var/run/docker.pid /var/run/docker.sock
+
+# Cgroup v2 + unprivileged DinD on OrbStack/Docker Desktop: the outer
+# container has /sys/fs/cgroup and /proc/sys bind-mounted RO from the host
+# (Docker's standard hardening). We need both writable for dockerd to:
+#   * mkdir /sys/fs/cgroup/docker (its own cgroup slice for child containers)
+#   * write /proc/sys/net/ipv6/conf/<veth>/disable_ipv6 (default bridge setup)
+# Without these, `docker run` fails with EROFS or "failed to disable IPv6".
+# SYS_ADMIN + the private cgroup namespace let us remount these RW; the
+# writes only affect the box's own namespaces (not the host). Failure is
+# tolerable — some hosts already mount these RW.
+mount -o remount,rw /sys/fs/cgroup 2>/dev/null || true
+mount -o remount,rw /proc/sys 2>/dev/null || true
+
+# --- Storage-driver selection -------------------------------------------------
+# The inner dockerd's data root (/var/lib/docker, a Docker named volume) used
+# to be pinned to fuse-overlayfs. fuse-overlayfs is broken on recent kernels
+# (e.g. Docker Desktop's 6.x linuxkit kernel): inner `docker run` fails at
+# execve() with "exec ...: invalid argument". The kernel-native overlay2
+# driver works when the data-root filesystem can carry an overlay mount, which
+# the ext4 named volume can. We pick overlay2 when a probe proves it works,
+# else fall back to fuse-overlayfs.
+#
+# dockerd refuses to switch drivers once its data root is populated, so if the
+# data root is already initialized under one driver we reuse that driver and
+# skip the probe — a box created under one driver never switches.
+DOCKER_DATA_ROOT=/var/lib/docker
+DAEMON_JSON=/etc/docker/daemon.json
+
+probe_overlay2() {
+  # The kernel overlay filesystem has to exist at all.
+  grep -qw overlay /proc/filesystems 2>/dev/null || return 1
+
+  local probe lower upper work merged ok=1
+  # The probe dir MUST live inside the data root so the test overlay is mounted
+  # on the SAME filesystem the real graph will use. A probe under /tmp would
+  # test the container's overlayfs writable layer — the wrong filesystem.
+  probe="$(mktemp -d "$DOCKER_DATA_ROOT/.overlay2-probe.XXXXXX" 2>/dev/null)" || return 1
+  lower="$probe/lower"; upper="$probe/upper"; work="$probe/work"; merged="$probe/merged"
+  mkdir -p "$lower" "$upper" "$work" "$merged" || { rm -rf "$probe"; return 1; }
+
+  # Stage a known-good executable so the merged view exposes it.
+  cp /bin/true "$lower/probe-bin" 2>/dev/null || { rm -rf "$probe"; return 1; }
+  chmod 0755 "$lower/probe-bin" 2>/dev/null || true
+
+  if mount -t overlay overlay \
+       -o "lowerdir=$lower,upperdir=$upper,workdir=$work" "$merged" 2>/dev/null; then
+    # The actual fuse-overlayfs failure mode: execve from the merged dir. A
+    # successful mount is not enough — fuse-overlayfs mounts fine and only
+    # fails here.
+    "$merged/probe-bin" >/dev/null 2>&1 || ok=0
+    umount "$merged" 2>/dev/null || umount -l "$merged" 2>/dev/null || true
+  else
+    ok=0
+  fi
+  rm -rf "$probe"
+  [ "$ok" = 1 ]
+}
+
+select_storage_driver() {
+  # 1. Reuse an already-initialized data root's driver — dockerd cannot switch
+  #    a populated data root, and this script reruns on every `agentbox start`.
+  local has_overlay2=0 has_fuse=0
+  [ -d "$DOCKER_DATA_ROOT/overlay2" ] \
+    && [ -n "$(ls -A "$DOCKER_DATA_ROOT/overlay2" 2>/dev/null)" ] && has_overlay2=1
+  [ -d "$DOCKER_DATA_ROOT/fuse-overlayfs" ] \
+    && [ -n "$(ls -A "$DOCKER_DATA_ROOT/fuse-overlayfs" 2>/dev/null)" ] && has_fuse=1
+  if [ "$has_overlay2" = 1 ]; then echo "overlay2"; return 0; fi
+  if [ "$has_fuse" = 1 ]; then echo "fuse-overlayfs"; return 0; fi
+
+  # 2. Fresh data root: probe overlay2 against the data-root filesystem.
+  if probe_overlay2; then echo "overlay2"; return 0; fi
+  echo "fuse-overlayfs"
+}
+
+# Sweep any leaked probe dir from a hard-killed previous run (cosmetic; the
+# driver subdir checks above ignore it, and dockerd ignores non-driver dirs).
+rm -rf "$DOCKER_DATA_ROOT"/.overlay2-probe.* 2>/dev/null || true
+
+STORAGE_DRIVER="$(select_storage_driver)"
+
+# Write daemon.json with the resolved driver. `iptables: true` stays for inner
+# bridge networking. Rewritten every start, but the driver is stable (step 1
+# above), so this never causes a mid-life driver switch.
+mkdir -p /etc/docker
+printf '%s\n' \
+  "{ \"storage-driver\": \"$STORAGE_DRIVER\", \"iptables\": true }" \
+  > "$DAEMON_JSON"
+# Truncate dockerd.log fresh for this start, marker line first; dockerd appends.
+echo "agentbox-dockerd-start: storage-driver=$STORAGE_DRIVER" \
+  > /var/log/agentbox/dockerd.log
+# --- end storage-driver selection --------------------------------------------
+
+# nohup + & + disown lets us survive the `docker exec -d` returning. dockerd
+# reads /etc/docker/daemon.json on its own; no flags here keeps the start path
+# debuggable from inside the container (just edit the file and restart).
+nohup dockerd >>/var/log/agentbox/dockerd.log 2>&1 &
+
+# Wait for the socket to become accept()-able. Bound by ~30s — first start has
+# to initialize iptables chains and the storage graphdriver (fuse-overlayfs is
+# noticeably slower to initialize than overlay2).
+for _ in $(seq 1 300); do
+  if [ -S /var/run/docker.sock ] \
+     && docker -H unix:///var/run/docker.sock info >/dev/null 2>&1; then
+    break
+  fi
+  sleep 0.1
+done
+
+disown -a

package/runtime/hetzner/agentbox-open

@@ -0,0 +1,28 @@
+#!/usr/bin/env bash
+# Routes in-box URL opens to `agentbox-ctl open`, which opens the link in the
+# box's own Chromium (agent-browser, visible via `agentbox screen`) and asks
+# the host user — in the footer/dashboard — whether to also open it on the
+# host. This script is installed at /usr/local/bin (earlier in PATH than
+# xdg-utils' /usr/bin/xdg-open, which it is also symlinked over) and is the
+# box's $BROWSER, so `xdg-open`, Claude Code's OAuth flow, `gh`,
+# `git web--browse`, python's webbrowser, etc. all land here.
+#
+# Only http(s) URLs are routed. Anything else (a file path, another scheme)
+# falls through to the real xdg-open, which resolves it locally in the box.
+
+set -uo pipefail
+
+target="${1:-}"
+
+case "$target" in
+  http://* | https://*)
+    exec agentbox-ctl open "$target"
+    ;;
+  *)
+    if [[ -x /usr/bin/xdg-open ]]; then
+      exec /usr/bin/xdg-open "$@"
+    fi
+    echo "agentbox-open: not an http(s) URL: $target" >&2
+    exit 1
+    ;;
+esac

package/runtime/hetzner/agentbox-setup-skill.md

@@ -0,0 +1,196 @@
+---
+name: agentbox-setup
+description: Generate an agentbox.yaml for the current AgentBox workspace. Invoke when the user opens a sandbox without an agentbox.yaml or asks to (re)configure one.
+---
+
+# /agentbox-setup
+
+## Box layout (what you're configuring against)
+
+Your user i `vscode` and you can use `sudo` to run commands as root.
+
+`/workspace` is where the user code lives, a per-box git worktree on a fresh `agentbox/<box-name>` branch (or a tar-piped copy of the host workspace for non-git projects).
+Run `agentbox checkpoint --set-default` (similar to `docker commit`) to save any changes make to the system and workspace so that new boxes will start from a warm state. Everything is wiped on `agentbox destroy`.
+
+Some special folders:
+
+- **Host main repo's `.git/`** — If the box bind-mounted RW at its identical absolute host path. In-box commits land on the host's branch refs (visible to `git log` on the host immediately); the box itself carries no SSH/git creds, so `git push` goes through the host relay (`agentbox-ctl git push`). The host's **working tree is never written to** — only refs/objects under `.git/`.
+- **`~/.claude`** — and similar home folders for coding agents are seeded from the host's `~/.claude` on each create so auth, skills, and plugins persist without leaking the host's home dir.
+- **`agentbox.yaml`** — read by `agentbox-ctl` from `/workspace`. Tasks and services declared here are what the supervisor will run.
+
+Exposed ports and services:
+- **portless** - every port with `expose:` setting in agentbox.yaml, will be exposed not only as a local port but also as a special domain name `https://<name>.localhost` (so on https) using `portless` cli and proxy. This will be also mapped to the host where also `portless` proxy is running so users can access the same service on the same looking url.
+- **vnc** - the webVNC server exposed on 6080 will be proxies to the host on a random port.
+- **vscode** - the vscode server is proxied to the host on a random port.
+
+## Goal
+
+Produce a `/workspace/agentbox.yaml` that captures this project's services, tasks, and box defaults so the in-box supervisor (`agentbox-ctl`) can boot the workspace deterministically.
+
+`agentbox.yaml` is **declarative**. The supervisor reads it on box start, but you don't have to restart the box: after you write the file, `agentbox-ctl reload` (run from inside the box) makes the already-running supervisor re-read it and immediately run the declared tasks and autostart the services. See step 8.
+
+## 1. Discover the project
+
+Look at `/workspace`:
+
+- Top-level manifests: `package.json`, `pyproject.toml` / `requirements.txt`, `Cargo.toml`, `go.mod`, `Gemfile`, `composer.json`, `mix.exs`, etc. — these tell you the runtime.
+- `docker-compose.yaml` / `docker-compose.yml` — often lists the real services the project expects.
+- `package.json` → `scripts`: look for `dev`, `start`, `build`, `test`, `migrate`, `seed`.
+- `Makefile` / `justfile` / `Taskfile.yaml` — alternative task runners.
+- Listening ports: grep for `listen(`, `PORT=`, framework defaults (3000 for Next.js / Nuxt, 5173 for Vite, 8000 for Django, 8080 for Spring, etc.).
+- Database / cache deps to spin up locally (Postgres, Redis, …) — declare them as services if the project doesn't expect them to be external.
+
+## 2. Pick services and tasks
+
+- **Services** = long-running. Web servers, watchers, queue workers, databases. `restart: on-failure` by default.
+- **Tasks** = one-shot. `pnpm install`, DB migrations, codegen, fixture loaders, install apt packages. Wire dependent services with `needs:` so they wait for the task to finish successfully.
+- Names: must match `[A-Za-z0-9_-]+`. Task names and service names share a namespace — no collisions.
+- No cycles in `needs:`.
+- **Always generate a dependency-install task** and make it the root of the `needs:` graph (every service that needs deps gets `needs: [install, …]`). Future boxes start from a snapshot of the final filesystem so they won't need this, but updates or moving to a cloud provider might need to rebuild the container from scratch. The filesystem can be then later captured by `agentbox-ctl checkpoint --set-default`. The task must be **idempotent and self-healing**: `agentbox-ctl` re-runs pending tasks on every box stop/start (the daemon dies with the container and is relaunched), so a plain `rm -rf node_modules && install` would wipe + reinstall on every start. Guard the rebuild with a marker file *inside* `node_modules` (the `.agentbox-installed` convention AgentBox uses internally): rebuild only when the marker is absent (fresh box), and be a fast no-op once it exists. Detect the package manager from the lockfile — never hardcode `pnpm`. See the worked example below.
+- **Add a comment to the beginning** of the file to explain what you did and what issues you encountered, so that future run might use this information in case the project evolves and you need to update the agentbox.yaml file.
+-
+
+## 3. Wire readiness probes (services only)
+
+`ready_when:` lets the supervisor decide when a service is "ready" (vs. just "running"). Exactly one of these must be present:
+
+- `port: 3000` — TCP connect (default host `127.0.0.1`; override with `host:`).
+- `log_match: "Listening on"` — regex matched against stdout/stderr. First match flips the service to ready.
+- `http: "http://127.0.0.1:3000/health"` — GET probe. Optional `expect_status: 200` (default: any 2xx).
+
+Tunables: `interval_ms` (default 500), `initial_delay_ms` (default 0), `timeout_ms` (default 60000), `on_timeout: kill | mark_unhealthy` (default `kill` — re-enters the restart policy).
+
+### Mark the web service with `expose:`
+
+The box's primary web app (the dev server / Next.js / API the user opens in a browser) should declare:
+
+```yaml
+    expose:
+      port: 3000   # the port this service listens on inside the box
+      as: 80        # must be 80 — the container port AgentBox publishes
+```
+
+At most **one** service may set `expose:`. AgentBox forwards container `:80` to `127.0.0.1:<port>` and publishes it on the host with `portless` proxy to a <boxname>.localhost url, so `agentbox list`/`status` show it as the box's main URL on every engine (no OrbStack dependency). Set this on the same service whose `ready_when:` you just wrote (a DB or worker should **not** get `expose:`).
+
+## 4. Restart + backoff
+
+Per service:
+
+- `restart: always | on-failure | never` (default `on-failure`).
+- `backoff:` — `initial_ms` (default 500), `max_ms` (default 30000; must be `>= initial_ms`), `factor` (default 2).
+
+## 5. (Optional) `defaults:` block
+
+Sets per-project defaults for `agentbox create`/`claude`/`code`/`shell` — same shape as `~/.agentbox/config.yaml`. CLI flags still override. Common keys:
+
+- `box.hostSnapshot` (bool) — APFS-clone the *host* workspace into a per-box scratch dir before seeding `/workspace` (stabilizes the tar-pipe source).
+- `box.defaultCheckpoint` (string) — checkpoint new boxes start from (normally you set this via `agentbox-ctl checkpoint --set-default` at the end of setup — see section 9, not by hand).
+- `box.withPlaywright` (bool) — install `@playwright/cli` globally inside the box.
+- `box.vnc` (bool) — run Xvnc + noVNC on container port 6080.
+- `box.isolateClaudeConfig` (bool) — per-box `~/.claude` volume instead of the shared one.
+- `code.ide` — `vscode | cursor | auto`.
+- `code.autoTerminals` (bool) — auto-generate `.vscode/tasks.json` with per-service tails.
+- `browser.default` — `agent-browser | playwright | both`.
+
+Full key list (run on the host): `agentbox config list --keys`.
+
+## 6. Worked example
+
+```yaml
+# yaml-language-server: $schema=https://agentbox.dev/schema/agentbox.schema.json
+# This agentbox.yaml setup this Next.js project, and includes:
+# - a postgres database because it's used in the project
+# - an inngest server for queues
+# - a fix to move .turbo/cache folder to the workspace to avoid a permission error during setup
+# - ...
+defaults:
+  box:
+    withPlaywright: true
+  code:
+    ide: cursor
+
+tasks:
+  # Idempotent install. /workspace is the container's writable filesystem, so
+  # node_modules persists across pause/stop/start and is captured by
+  # `agentbox checkpoint`. The host's node_modules is macOS-native and is
+  # never copied in, so force a clean Linux build the first time — but skip
+  # on every subsequent box start (agentbox-ctl re-runs pending tasks after
+  # stop/start). Adjust the lockfile detection to the project's package
+  # manager.
+  install:
+    command: |
+      set -e
+      MARKER=node_modules/.agentbox-installed
+      [ -f "$MARKER" ] && { echo "deps installed (marker present) — skip"; exit 0; }
+      apt-get update && apt-get install -y postgresql-client
+      rm -rf node_modules
+      if [ -f pnpm-lock.yaml ]; then
+        corepack enable >/dev/null 2>&1 || true
+        pnpm install --frozen-lockfile || pnpm install
+      fi
+      touch "$MARKER"
+
+  migrate:
+    command: pnpm db:migrate
+    needs: [install]
+
+services:
+  postgres:
+    command: postgres -D /var/lib/postgresql/data
+    ready_when:
+      port: 5432
+    restart: always
+
+  dev:
+    command: pnpm dev
+    needs: [install, migrate, postgres]
+    ready_when:
+      port: 3000
+      timeout_ms: 120000
+    expose:
+      port: 3000
+      as: 80
+    restart: on-failure
+    backoff:
+      initial_ms: 500
+      max_ms: 5000
+      factor: 2
+```
+
+## 7. Validate before handing off
+
+- check with `agentbox-ctl reload` and then `agentbox-ctl status` that everything is running as expected.
+- Every name in `needs:` must reference an existing task or service.
+- A service with `restart: never` and an autostart dependency will block the dependent forever after one failed run — usually a mistake.
+- `command:` is either a shell string (run via `bash -c`) or an argv array. Use the argv form if you need to avoid shell quoting.
+
+## 8. Checkpoint the warm state (do this at the very end)
+
+Checkpoint (snapshot) this box writable layer: once the box is warmed up (deps installed, services ready), checkpoint it with `agentbox-ctl checkpoint --name setup --replace --set-default` so future boxes start ready.
+Run this command exactly once. The `--name setup --replace` makes it idempotent — if it ever needs to run again it overwrites the existing `setup` checkpoint instead of stacking duplicates.
+This doesn't need to be confirmed by the user.
+It will pause the container for several seconds so warn the user about it and write Done when it's done.
+
+## 9. Hand-off
+
+Tell the user (verbatim):
+
+   ```
+    █████╗  ██████╗ ███████╗███╗   ██╗████████╗██████╗  ██████╗ ██╗  ██╗
+   ██╔══██╗██╔════╝ ██╔════╝████╗  ██║╚══██╔══╝██╔══██╗██╔═══██╗╚██╗██╔╝
+   ███████║██║  ███╗█████╗  ██╔██╗ ██║   ██║   ██████╔╝██║   ██║ ╚███╔╝
+   ██╔══██║██║   ██║██╔══╝  ██║╚██╗██║   ██║   ██╔══██╗██║   ██║ ██╔██╗
+   ██║  ██║╚██████╔╝███████╗██║ ╚████║   ██║   ██████╔╝╚██████╔╝██╔╝ ██╗
+   ╚═╝  ╚═╝ ╚═════╝ ╚══════╝╚═╝  ╚═══╝   ╚═╝   ╚═════╝  ╚═════╝ ╚═╝  ╚═╝
+   ```
+
+   your box is ready, you can start more sessions with `agentbox claude`
+   you can access the web app at https://<boxname>.localhost
+
+## 10. Known issues
+
+- For Nextjs/Vite/Tasnstack projects, makes sure to forward also websocket for hot reload.
+
+- Service like flask, nextjs, BETTER_AUTH_URL, NEXT_PUBLIC_APP_URL should use the <boxname>.localhost url for the local development so that on the host it will use the same url as the box.
+
+- The `install` task is intentionally a no-op once `node_modules/.agentbox-installed` exists. Do **not** remove the marker guard to "force a fresh install" — that reinstalls on every box start. To force a one-off rebuild, delete `node_modules` (or just the marker) then run `agentbox-ctl reload`.

package/runtime/hetzner/agentbox-vnc-start

@@ -0,0 +1,77 @@
+#!/usr/bin/env bash
+# Start the per-box VNC stack: Xvnc on :1 (loopback inside container) +
+# websockify on 0.0.0.0:6080 serving noVNC's HTML5 client and proxying RFB.
+# Launched by the host via `docker exec -d --user vscode` after the container
+# is up. Idempotent — re-running while the daemons are alive is a no-op, so
+# `agentbox start` can blindly call us again.
+
+set -euo pipefail
+
+PASS="${AGENTBOX_VNC_PASSWORD:-}"
+if [[ -z "$PASS" ]]; then
+  echo "agentbox-vnc-start: AGENTBOX_VNC_PASSWORD is not set" >&2
+  exit 64
+fi
+
+if pgrep -u "$(id -u)" -x Xvnc >/dev/null \
+   && pgrep -u "$(id -u)" -f "websockify.*6080" >/dev/null; then
+  exit 0
+fi
+
+mkdir -p "$HOME/.vnc"
+# vncpasswd's -f mode reads plaintext on stdin, writes the DES blob to stdout.
+# VncAuth truncates >8 chars at compare time, which is fine — the host writes
+# an 8-char password. Write to a temp file + rename so a failure (e.g.,
+# vncpasswd missing) doesn't leave an empty file that Xvnc would then reject.
+TMP_PASSWD="$(mktemp "$HOME/.vnc/passwd.XXXXXX")"
+printf '%s\n' "$PASS" | vncpasswd -f > "$TMP_PASSWD"
+chmod 600 "$TMP_PASSWD"
+mv "$TMP_PASSWD" "$HOME/.vnc/passwd"
+
+mkdir -p /var/log/agentbox 2>/dev/null || true
+
+# Xvnc on display :1, loopback-only (websockify is the only public ingress).
+# 1280x800x24 is a sensible laptop-browser viewport.
+# The clipboard params are on-by-default in TigerVNC 1.13 but pinned here so a
+# base-image bump can't silently break host->box paste, and to document intent:
+# accept cut-text from noVNC, set both the X CLIPBOARD and PRIMARY selections.
+Xvnc :1 \
+  -localhost \
+  -SecurityTypes VncAuth \
+  -PasswordFile "$HOME/.vnc/passwd" \
+  -geometry 1280x800 \
+  -depth 24 \
+  -AlwaysShared \
+  -AcceptCutText=1 \
+  -SendCutText=1 \
+  -SetPrimary=1 \
+  -SendPrimary=1 \
+  >/var/log/agentbox/xvnc.log 2>&1 &
+
+# Wait for Xvnc's RFB socket (5901). bash's /dev/tcp pseudo-device makes the
+# probe a one-liner without needing netcat in the image.
+for _ in $(seq 1 50); do
+  if (echo > /dev/tcp/127.0.0.1/5901) 2>/dev/null; then break; fi
+  sleep 0.1
+done
+
+# With no window manager, nothing owns the X selections, so Xvnc's RFB cut-text
+# isn't reliably handed to Chromium on Ctrl+V. autocutsel (one daemon per
+# selection) keeps CLIPBOARD and PRIMARY populated and synced. Best-effort: a
+# clipboard failure must never abort VNC, and the pgrep guard keeps a stray
+# re-entry from spawning duplicates (Xvnc is up now, so DISPLAY=:1 resolves).
+if ! pgrep -u "$(id -u)" -x autocutsel >/dev/null; then
+  DISPLAY=:1 autocutsel -selection CLIPBOARD -fork >/dev/null 2>&1 || true
+  DISPLAY=:1 autocutsel -selection PRIMARY -fork >/dev/null 2>&1 || true
+fi
+
+# websockify serves noVNC at /vnc.html (--web) and tunnels WS frames to Xvnc's
+# RFB. Bind 0.0.0.0:6080 so both Docker `-p` mappings and OrbStack's
+# <name>.orb.local routing reach it.
+websockify \
+  --web=/usr/share/novnc \
+  0.0.0.0:6080 \
+  127.0.0.1:5901 \
+  >/var/log/agentbox/websockify.log 2>&1 &
+
+disown -a

package/runtime/hetzner/claude-managed-settings.json

@@ -0,0 +1,54 @@
+{
+  "$comment": "AgentBox enterprise-managed Claude Code settings, baked into the box image at /etc/claude-code/managed-settings.json. Highest precedence and NOT synced from the host ~/.claude, so claude-hooks-filter.ts never touches it; per Claude Code, hook arrays MERGE across settings sources, so the user's own hooks still run. These hooks report Claude's activity to the box supervisor (agentbox-ctl claude-state -> ctl socket -> relay -> ~/.agentbox/boxes/<id>/status.json) so `agentbox status/list/inspect` can show it even when the box is paused. Each command is exit-0 fast and shell-backgrounded so a hook can never block or fail a Claude turn.",
+  "hooks": {
+    "UserPromptSubmit": [
+      {
+        "hooks": [
+          { "type": "command", "command": "agentbox-ctl claude-state working >/dev/null 2>&1 &", "timeout": 3 }
+        ]
+      }
+    ],
+    "PreToolUse": [
+      {
+        "hooks": [
+          { "type": "command", "command": "agentbox-ctl claude-state working >/dev/null 2>&1 &", "timeout": 3 }
+        ]
+      }
+    ],
+    "Stop": [
+      {
+        "hooks": [
+          { "type": "command", "command": "agentbox-ctl claude-state idle >/dev/null 2>&1 &", "timeout": 3 }
+        ]
+      }
+    ],
+    "Notification": [
+      {
+        "matcher": "permission_prompt",
+        "hooks": [
+          { "type": "command", "command": "agentbox-ctl claude-state waiting >/dev/null 2>&1 &", "timeout": 3 }
+        ]
+      },
+      {
+        "matcher": "idle_prompt",
+        "hooks": [
+          { "type": "command", "command": "agentbox-ctl claude-state idle >/dev/null 2>&1 &", "timeout": 3 }
+        ]
+      }
+    ],
+    "SessionStart": [
+      {
+        "hooks": [
+          { "type": "command", "command": "agentbox-ctl claude-state idle >/dev/null 2>&1 &", "timeout": 3 }
+        ]
+      }
+    ],
+    "SessionEnd": [
+      {
+        "hooks": [
+          { "type": "command", "command": "agentbox-ctl claude-state idle >/dev/null 2>&1 &", "timeout": 3 }
+        ]
+      }
+    ]
+  }
+}