@madarco/agentbox 0.6.0 → 0.8.0

package/dist/prepared-state-CL4CWXQA-ME4HSKDE.js

@@ -0,0 +1,18 @@
+#!/usr/bin/env node
+import {
+  DOCKERFILE_PATH,
+  computeDockerContextFingerprint,
+  preparedMatches,
+  readPreparedDockerState,
+  resolveContextFiles,
+  writePreparedDockerState
+} from "./chunk-BGK32PZE.js";
+export {
+  DOCKERFILE_PATH,
+  computeDockerContextFingerprint,
+  preparedMatches,
+  readPreparedDockerState,
+  resolveContextFiles,
+  writePreparedDockerState
+};
+//# sourceMappingURL=prepared-state-CL4CWXQA-ME4HSKDE.js.map

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@madarco/agentbox",
-  "version": "0.6.0",
+  "version": "0.8.0",
   "description": "Launch Claude Code, Codex, and other coding agents in isolated sandboxes",
   "license": "MIT",
   "author": "Marco D'Alia",
@@ -41,6 +41,7 @@
   ],
   "dependencies": {
     "@clack/prompts": "^0.9.0",
+    "@daytonaio/sdk": "^0.179.0",
     "@xterm/headless": "^5.5.0",
     "commander": "^12.1.0",
     "execa": "^9.5.2",
@@ -56,10 +57,14 @@
     "typescript": "^5.7.2",
     "vitest": "^2.1.8",
     "@agentbox/config": "0.0.0",
-    "@agentbox/core": "0.0.0",
+    "@agentbox/relay": "0.0.0",
     "@agentbox/ctl": "0.0.0",
+    "@agentbox/core": "0.0.0",
+    "@agentbox/sandbox-cloud": "0.0.0",
+    "@agentbox/sandbox-core": "0.0.0",
     "@agentbox/sandbox-docker": "0.0.0",
-    "@agentbox/relay": "0.0.0"
+    "@agentbox/sandbox-daytona": "0.0.0",
+    "@agentbox/sandbox-hetzner": "0.0.0"
   },
   "scripts": {
     "build": "tsup",

package/runtime/daytona/custom-system-CLAUDE.md

@@ -0,0 +1,39 @@
+# AgentBox sandbox (daytona provider)
+
+You are running inside an AgentBox sandbox: a Daytona Cloud sandbox
+provisioned just for this box, with docker-in-docker available (run `docker`
+directly, no sudo). Your user is `vscode` and you can use passwordless
+**sudo** to run commands as root. The whole sandbox is yours — the user's
+host filesystem is not visible from here and nothing is bind-mounted.
+
+You can save the current filesystem state to be reused by future boxes by
+running `agentbox-ctl checkpoint --set-default`. This doesn't need to be confirmed by the user.
+
+`/workspace` is a normal git checkout seeded from the host repo at create
+time (via a `git bundle`). Because there is no host bind-mount, plain `git`
+inside the box only affects this box-local repo — commits do **not** appear
+in the user's host `git log` until you hand them off. For any operation that
+must reach the host repo or its remotes (push, fetch, pull, picking up
+host-side changes), use `agentbox-ctl git push|fetch|pull -- <args>` — it
+RPCs to the host, which runs git with the real SSH agent and writes back into
+the host's worktree state. The wrapper already builds `git push <remote>
+<branch>` host-side from the registered worktree; the `-- <args>` slot is for
+extra flags only (e.g. `--force-with-lease`, `--tags`). Re-passing the remote
+or branch makes git treat them as refspecs and fails with
+`refs/remotes/origin/HEAD cannot be resolved to branch`.
+
+For GitHub PR work, use `agentbox-ctl git pr <op> [args...]` — same model,
+relay shells to host `gh`. Ops: `create`, `view`, `list`, `comment`,
+`review`, `merge`, `close`, `reopen`, `checkout`. `view` / `list` are
+read-only and run silently; everything else asks the user to confirm in
+the host wrapper (deny → exit 10).
+
+For ad-hoc file transfers between this box and the host, use
+`agentbox-ctl cp toHost <boxPath> <hostPath>` and
+`agentbox-ctl cp fromHost <hostPath> <boxPath>` or `agentbox-ctl download claude` / `download env` /
+`download config`. They RPC to the host and
+ask the user for confirmation on the wrapper that runs `agentbox claude`;
+deny returns exit 10 (`denied by user`).
+Don't put any timeout on the command, it will run forever and the user will be notified through multiple channels.
+
+Box identity: /etc/agentbox/box.env and the AGENTBOX_* env vars.

package/runtime/docker/Dockerfile.box

@@ -7,7 +7,7 @@
 # tar pipe for the no-git case). The old FUSE overlay over /host-src+/upper
 # is gone — but fuse3 + fuse-overlayfs stay as the in-box dockerd's fallback
 # storage driver (it prefers the kernel-native overlay2). Plus the "universal-ish" set of
-# language runtimes (Node.js 22 from NodeSource, Python 3 from apt). Heavier
+# language runtimes (Node.js 24 from NodeSource, Python 3 from apt). Heavier
 # tooling (Go, Java, Ruby, .NET, more browser tooling, vscode-server) goes in
 # a later iteration.
 #
@@ -57,7 +57,7 @@ ENV COLORTERM=truecolor \
 RUN apt-get update \
     && apt-get install -y --no-install-recommends \
         curl ca-certificates gnupg \
-    && curl -fsSL https://deb.nodesource.com/setup_22.x | bash - \
+    && curl -fsSL https://deb.nodesource.com/setup_24.x | bash - \
     && apt-get install -y --no-install-recommends \
         fuse3 \
         fuse-overlayfs \
@@ -87,7 +87,7 @@ RUN setcap cap_net_bind_service=+ep "$(readlink -f "$(command -v node)")"
 # Enable corepack (pnpm/yarn shims) at build time as root. Doing this here
 # rather than in the wizard's install task avoids two failures the runtime
 # `corepack enable` (run as non-root `vscode`) hits: it can't write shims into
-# the root-owned NodeSource bin dir (/usr/bin), and node 22's bundled corepack
+# the root-owned NodeSource bin dir (/usr/bin), and node 24's bundled corepack
 # resolves its dist path relative to the symlink dirname, so a
 # ~/.local/bin/pnpm symlink looks for ~/.local/dist/pnpm.js and breaks.
 # `corepack@latest` fixes the symlink resolution; baking the shims into
@@ -97,6 +97,13 @@ RUN setcap cap_net_bind_service=+ep "$(readlink -f "$(command -v node)")"
 RUN npm install -g corepack@latest \
     && corepack enable pnpm yarn
 
+# Pre-create the corepack download cache owned by `vscode`. Without this,
+# the first corepack-driven install (e.g. the setup wizard's verification
+# step) hits ENOENT on /home/vscode/.cache/node/corepack/v1 because nothing
+# else creates ~/.cache for the runtime user.
+RUN mkdir -p /home/vscode/.cache/node/corepack \
+    && chown -R vscode:vscode /home/vscode/.cache
+
 # Host repos are bind-mounted in at their identical absolute path (worktree
 # pointer files contain absolute paths to <main>/.git/worktrees/<name>, so both
 # sides have to resolve the same path), and the host owns those `.git/` dirs.
@@ -134,6 +141,19 @@ RUN apt-get update \
 COPY packages/ctl/dist/bin.cjs /usr/local/bin/agentbox-ctl
 RUN chmod +x /usr/local/bin/agentbox-ctl
 
+# `gh` + `git` shims: route a strict subset of upstream subcommands through
+# the host relay (via agentbox-ctl) so the host's authenticated `gh` / git
+# creds stay on the host — the in-box agent never sees a token. The shims
+# also light up Claude Code's branch-linked-to-PR badge (Claude Code calls
+# `gh pr view --json …` on refresh). See packages/sandbox-docker/scripts/
+# {gh,git}-shim and docs/plans/gh-and-git-shims-host-only.md. PATH ordering
+# (line 50 above) puts /usr/local/bin ahead of /usr/bin, so the shim wins;
+# the git shim execs /usr/bin/git directly for everything outside its tiny
+# network-op whitelist (push/pull/fetch/clone).
+COPY packages/sandbox-docker/scripts/gh-shim /usr/local/bin/gh
+COPY packages/sandbox-docker/scripts/git-shim /usr/local/bin/git
+RUN chmod +x /usr/local/bin/gh /usr/local/bin/git
+
 # Setup guide for the first-run wizard. This baked copy is the single source
 # of the /agentbox-setup skill: seedSetupSkillIntoVolume()
 # (packages/sandbox-docker/src/claude.ts) copies it into the box's
@@ -161,6 +181,38 @@ RUN mkdir -p /home/vscode/.claude \
     && ln -s /home/vscode/.claude/_claude.json /home/vscode/.claude.json \
     && chown -h vscode:vscode /home/vscode/.claude.json
 
+# Cloud-provider credential pivot: ~/.agentbox-creds/<agent>/ is where the
+# per-org `agentbox-credentials` Daytona volume gets mounted at runtime (three
+# subpath mounts: claude/, codex/, opencode/). Three symlinks route the
+# agent-expected credential paths through to it so the in-box agent reads
+# tokens from the volume while the surrounding config sits on the snapshot-
+# baked sandbox FS.
+#
+# These symlinks are dangling at build time — their targets only resolve once
+# the volume is mounted. That's fine: ln succeeds, and the kernel resolves
+# symlinks lazily on open().
+#
+# The Docker provider is unaffected: its named `agentbox-{claude,codex,
+# opencode}-config` volumes mount *over* /home/vscode/.claude etc., obscuring
+# the symlinks; the volume content includes the credential files directly.
+RUN mkdir -p /home/vscode/.agentbox-creds/claude \
+             /home/vscode/.agentbox-creds/codex \
+             /home/vscode/.agentbox-creds/opencode \
+             /home/vscode/.codex \
+             /home/vscode/.local/share/opencode \
+    && ln -s /home/vscode/.agentbox-creds/claude/.credentials.json \
+             /home/vscode/.claude/.credentials.json \
+    && ln -s /home/vscode/.agentbox-creds/codex/auth.json \
+             /home/vscode/.codex/auth.json \
+    && ln -s /home/vscode/.agentbox-creds/opencode/auth.json \
+             /home/vscode/.local/share/opencode/auth.json \
+    && chown -R vscode:vscode /home/vscode/.agentbox-creds \
+                              /home/vscode/.codex \
+                              /home/vscode/.local \
+    && chown -h vscode:vscode /home/vscode/.claude/.credentials.json \
+                              /home/vscode/.codex/auth.json \
+                              /home/vscode/.local/share/opencode/auth.json
+
 # Prepare /home/vscode/.vscode-server and /home/vscode/.cursor-server (+ their
 # extensions subdirs) so the named volumes mounted at runtime — per-box
 # `agentbox-{vscode,cursor}-server-<id>` over the server dirs, then shared
@@ -184,6 +236,29 @@ USER vscode
 RUN curl -fsSL https://claude.ai/install.sh | bash -s stable
 USER root
 
+# OpenAI Codex CLI. The @openai/codex npm package ships platform-native
+# prebuilds for linux arm64/amd64, so a plain global install is enough.
+# Parallel to the Claude Code install above: `agentbox codex` launches it in a
+# tmux session and the box mounts a synced `agentbox-codex-config` volume at
+# ~/.codex for auth/config (see packages/sandbox-docker/src/codex.ts).
+#
+# `bubblewrap` (bwrap) is Codex's command-sandbox backend; without it on PATH
+# Codex falls back to a bundled copy and prints a warning on every run. It
+# works nested because the agentbox container already runs with --cap-add
+# SYS_ADMIN + apparmor:unconfined.
+RUN apt-get update \
+    && apt-get install -y --no-install-recommends bubblewrap \
+    && rm -rf /var/lib/apt/lists/* \
+    && npm install -g @openai/codex
+
+# OpenCode CLI (sst/opencode) — the multi-provider terminal coding agent.
+# Parallel to the Claude/Codex installs: `agentbox opencode` launches it in a
+# tmux session and the box mounts a synced `agentbox-opencode-config` volume
+# (see packages/sandbox-docker/src/opencode.ts). OpenCode splits its state
+# across ~/.config/opencode (config) and ~/.local/share/opencode (data + auth);
+# the volume holds both, with the config dir relocated via OPENCODE_CONFIG_DIR.
+RUN npm install -g opencode-ai
+
 # Browser support for in-box agents: Vercel's agent-browser drives Chrome via
 # CDP. Two things have to happen here:
 #
@@ -217,15 +292,26 @@ RUN apt-get update \
 
 RUN npm install -g agent-browser playwright
 
+# Portless CLI (https://portless.sh). Only the client — the box never runs the
+# proxy; that's a host process. With `portless.enabled`, createBox bind-mounts
+# the host's Portless state dir into the box and sets PORTLESS_STATE_DIR, so
+# the in-box `portless list`/`get` share the host's route registry (discovery).
+# Requires Node 24+ — hence the setup_24.x bump above.
+RUN npm install -g portless
+
 # Download Chromium as `vscode` so the ms-playwright cache lands in vscode's
 # home (the user agent-browser runs as). The downloaded binary lives at
-# `chromium-XXXX/chrome-linux/chrome`, where XXXX is a Playwright-internal
-# revision number that changes between releases — we resolve it once here and
-# write the result to a stable symlink so AGENT_BROWSER_EXECUTABLE_PATH can
-# point at something predictable.
+# `chromium-XXXX/chrome-linux*/chrome`, where XXXX is a Playwright-internal
+# revision number that changes between releases — and the inner dir is
+# `chrome-linux` for old releases and `chrome-linux64` (or `chrome-linux/arm64`)
+# for current Chrome-for-Testing builds. Glob both. We resolve once and write
+# a stable symlink so AGENT_BROWSER_EXECUTABLE_PATH can point at something
+# predictable.
 USER vscode
 RUN playwright install chromium \
-    && ln -sf "$(ls /home/vscode/.cache/ms-playwright/chromium-*/chrome-linux/chrome | sort | tail -1)" /tmp/chromium-link \
+    && CHROME_BIN="$(ls /home/vscode/.cache/ms-playwright/chromium-*/chrome-linux*/chrome 2>/dev/null | sort | tail -1)" \
+    && test -n "$CHROME_BIN" \
+    && ln -sf "$CHROME_BIN" /tmp/chromium-link \
     && test -x "$(readlink /tmp/chromium-link)"
 USER root
 RUN mv /tmp/chromium-link /usr/local/bin/chromium
@@ -285,12 +371,12 @@ RUN chmod +x /usr/local/bin/agentbox-dockerd-start
 COPY packages/sandbox-docker/scripts/agentbox-checkpoint-cleanup /usr/local/bin/agentbox-checkpoint-cleanup
 RUN chmod +x /usr/local/bin/agentbox-checkpoint-cleanup
 
-# Host-routed link opener. The box has no real browser; this wrapper forwards
-# http(s) URLs to the host's default browser via the relay (`agentbox-ctl
-# open`). It shadows xdg-utils' /usr/bin/xdg-open (the symlink lands earlier
-# in PATH) and is set as $BROWSER so any tool that opens a link — Claude
-# Code's OAuth flow, `gh`, `git web--browse`, python's webbrowser — routes
-# to the host.
+# In-box link opener. This wrapper routes http(s) URLs to `agentbox-ctl open`,
+# which opens the link in the box's own Chromium (agent-browser) and notifies
+# the relay so the host user can be offered to also open it on the host. It
+# shadows xdg-utils' /usr/bin/xdg-open (the symlink lands earlier in PATH) and
+# is set as $BROWSER so any tool that opens a link — Claude Code's OAuth flow,
+# `gh`, `git web--browse`, python's webbrowser — routes through it.
 COPY packages/sandbox-docker/scripts/agentbox-open /usr/local/bin/agentbox-open
 RUN chmod +x /usr/local/bin/agentbox-open \
     && ln -sf /usr/local/bin/agentbox-open /usr/local/bin/xdg-open
@@ -309,6 +395,10 @@ RUN printf '%s\n' \
         'set -as terminal-overrides ",*:RGB"' \
         'set -as terminal-features ",*:hyperlinks"' \
         'set -as terminal-features ",*:RGB"' \
+        'set -g allow-passthrough on' \
+        'set -g set-clipboard on' \
+        'set -g extended-keys on' \
+        'set -as terminal-features ",*:extkeys"' \
         'set -g mouse on' \
         'bind -T copy-mode    WheelUpPane   send -N2 -X scroll-up' \
         'bind -T copy-mode    WheelDownPane send -N2 -X scroll-down' \
@@ -337,6 +427,22 @@ RUN chmod 0644 /etc/claude-code/CLAUDE.md
 COPY packages/sandbox-docker/scripts/claude-managed-settings.json /etc/claude-code/managed-settings.json
 RUN chmod 0644 /etc/claude-code/managed-settings.json
 
+# Codex activity-reporting hooks. Unlike Claude's managed-settings (an /etc
+# enterprise path), Codex discovers hooks at ~/.codex/hooks.json — so this is
+# staged in the image and seeded into the codex-config volume by
+# seedCodexHooks() at create/start time. See packages/sandbox-docker/src/codex.ts.
+COPY packages/sandbox-docker/scripts/agentbox-codex-hooks.json /usr/local/share/agentbox/codex-hooks.json
+RUN chmod 0644 /usr/local/share/agentbox/codex-hooks.json
+
+# OpenCode activity-reporting plugin. Unlike Claude's managed-settings hooks,
+# OpenCode has no native hooks system — its only extension surface is a plugin
+# loaded from $OPENCODE_CONFIG_DIR/plugins/*.js. The plugin subscribes to
+# OpenCode's event bus and shells `agentbox-ctl opencode-state` on each
+# lifecycle transition. Staged in the image; copied into the OpenCode config
+# volume by seedOpencodePlugin() at create/start time. See packages/sandbox-docker/src/opencode.ts.
+COPY packages/sandbox-docker/scripts/opencode-agentbox-plugin.js /usr/local/share/agentbox/opencode-agentbox-plugin.js
+RUN chmod 0644 /usr/local/share/agentbox/opencode-agentbox-plugin.js
+
 # /etc/agentbox/ holds runtime-injected box.env (written by `agentbox create`
 # via docker exec). Pre-created here so the writable layer starts with the
 # right perms; the file itself appears at create time.

package/runtime/docker/apps/cli/share/agentbox-setup/SKILL.md

@@ -7,16 +7,22 @@ description: Generate an agentbox.yaml for the current AgentBox workspace. Invok
 
 ## Box layout (what you're configuring against)
 
-Your user i `vscode` and you can use passwordless sudo to run commands as root.
+Your user i `vscode` and you can use `sudo` to run commands as root.
 
-`/workspace` is the box's plain writable filesystem — a per-box git worktree on a fresh `agentbox/<box-name>` branch (or a tar-piped copy of the host workspace for non-git projects). Anything you install or build into `/workspace` (incl. `node_modules`, `.next`, `target`, `.venv`) lives in the **container's writable layer** and is captured wholesale by `agentbox checkpoint` (`docker commit`) — so a setup task that runs the install once becomes a warm-start asset for every future box in the project. Everything is wiped on `agentbox destroy`.
+`/workspace` is where the user code lives, a per-box git worktree on a fresh `agentbox/<box-name>` branch (or a tar-piped copy of the host workspace for non-git projects).
+Run `agentbox checkpoint --set-default` (similar to `docker commit`) to save any changes make to the system and workspace so that new boxes will start from a warm state. Everything is wiped on `agentbox destroy`.
 
-Three bind mounts wire the box back to the host:
+Some special folders:
 
-- **Host main repo's `.git/`** — bind-mounted RW at its identical absolute host path. In-box commits land on the host's branch refs (visible to `git log` on the host immediately); the box itself carries no SSH/git creds, so `git push` goes through the host relay (`agentbox-ctl git push`). The host's **working tree is never written to** — only refs/objects under `.git/`.
-- **`~/.claude`** — a Docker named volume (`agentbox-claude-config`, shared across boxes by default) seeded from the host's `~/.claude` on each create so auth, skills, and plugins persist without leaking the host's home dir.
+- **Host main repo's `.git/`** — If the box bind-mounted RW at its identical absolute host path. In-box commits land on the host's branch refs (visible to `git log` on the host immediately); the box itself carries no SSH/git creds, so `git push` goes through the host relay (`agentbox-ctl git push`). The host's **working tree is never written to** — only refs/objects under `.git/`. GitHub PR ops (`agentbox-ctl git pr create|view|list|comment|review|merge|close|reopen|checkout`) flow the same way through host `gh`; write ops require host confirmation (deny → exit 10), `merge` and `checkout` have additional opt-in guards.
+- **`~/.claude`** — and similar home folders for coding agents are seeded from the host's `~/.claude` on each create so auth, skills, and plugins persist without leaking the host's home dir.
 - **`agentbox.yaml`** — read by `agentbox-ctl` from `/workspace`. Tasks and services declared here are what the supervisor will run.
 
+Exposed ports and services:
+- **portless** - every port with `expose:` setting in agentbox.yaml, will be exposed not only as a local port but also as a special domain name `https://<name>.localhost` (so on https) using `portless` cli and proxy. This will be also mapped to the host where also `portless` proxy is running so users can access the same service on the same looking url.
+- **vnc** - the webVNC server exposed on 6080 will be proxies to the host on a random port.
+- **vscode** - the vscode server is proxied to the host on a random port.
+
 ## Goal
 
 Produce a `/workspace/agentbox.yaml` that captures this project's services, tasks, and box defaults so the in-box supervisor (`agentbox-ctl`) can boot the workspace deterministically.
@@ -64,7 +70,7 @@ The box's primary web app (the dev server / Next.js / API the user opens in a br
       as: 80        # must be 80 — the container port AgentBox publishes
 ```
 
-At most **one** service may set `expose:`. AgentBox forwards container `:80` to `127.0.0.1:<port>` and publishes it on the host, so `agentbox list`/`status` show it as the box's main URL on every engine (no OrbStack dependency). Set this on the same service whose `ready_when:` you just wrote (a DB or worker should **not** get `expose:`).
+At most **one** service may set `expose:`. AgentBox forwards container `:80` to `127.0.0.1:<port>` and publishes it on the host with `portless` proxy to a <boxname>.localhost url, so `agentbox list`/`status` show it as the box's main URL on every engine (no OrbStack dependency). Set this on the same service whose `ready_when:` you just wrote (a DB or worker should **not** get `expose:`).
 
 ## 4. Restart + backoff
 
@@ -179,11 +185,12 @@ Tell the user (verbatim):
    ```
 
    your box is ready, you can start more sessions with `agentbox claude`
+   you can access the web app at https://<boxname>.localhost
 
 ## 10. Known issues
 
 - For Nextjs/Vite/Tasnstack projects, makes sure to forward also websocket for hot reload.
 
-- The `install` task is intentionally a no-op once `node_modules/.agentbox-installed` exists. Do **not** remove the marker guard to "force a fresh install" — that reinstalls on every box start. To force a one-off rebuild, delete `node_modules` (or just the marker) then run `agentbox-ctl reload`.
+- Service like flask, nextjs, BETTER_AUTH_URL, NEXT_PUBLIC_APP_URL should use the <boxname>.localhost url for the local development so that on the host it will use the same url as the box.
 
-- Host-only CLI wrappers (portless, etc.) must be bypassed, eg some projects wrap the dev server with a host-side proxy (here: `portless projectname next dev --turbopack`). Override the service command: to call the underlying tool directly (`next dev --turbopack`)
+- The `install` task is intentionally a no-op once `node_modules/.agentbox-installed` exists. Do **not** remove the marker guard to "force a fresh install" — that reinstalls on every box start. To force a one-off rebuild, delete `node_modules` (or just the marker) then run `agentbox-ctl reload`.