@madarco/agentbox 0.7.0 → 0.9.0

package/dist/prepared-state-CL4CWXQA-H5THETIM.js

@@ -0,0 +1,18 @@
+#!/usr/bin/env node
+import {
+  DOCKERFILE_PATH,
+  computeDockerContextFingerprint,
+  preparedMatches,
+  readPreparedDockerState,
+  resolveContextFiles,
+  writePreparedDockerState
+} from "./chunk-KL36BRN4.js";
+export {
+  DOCKERFILE_PATH,
+  computeDockerContextFingerprint,
+  preparedMatches,
+  readPreparedDockerState,
+  resolveContextFiles,
+  writePreparedDockerState
+};
+//# sourceMappingURL=prepared-state-CL4CWXQA-H5THETIM.js.map

package/dist/prepared-state-CL4CWXQA-H5THETIM.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":[],"sourcesContent":[],"mappings":"","names":[]}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@madarco/agentbox",
-  "version": "0.7.0",
+  "version": "0.9.0",
   "description": "Launch Claude Code, Codex, and other coding agents in isolated sandboxes",
   "license": "MIT",
   "author": "Marco D'Alia",
@@ -42,6 +42,7 @@
   "dependencies": {
     "@clack/prompts": "^0.9.0",
     "@daytonaio/sdk": "^0.179.0",
+    "@vercel/sandbox": "^2.0.1",
     "@xterm/headless": "^5.5.0",
     "commander": "^12.1.0",
     "execa": "^9.5.2",
@@ -56,13 +57,14 @@
     "tsup": "^8.3.5",
     "typescript": "^5.7.2",
     "vitest": "^2.1.8",
+    "@agentbox/sandbox-core": "0.0.0",
     "@agentbox/core": "0.0.0",
-    "@agentbox/config": "0.0.0",
-    "@agentbox/ctl": "0.0.0",
     "@agentbox/relay": "0.0.0",
-    "@agentbox/sandbox-cloud": "0.0.0",
-    "@agentbox/sandbox-core": "0.0.0",
+    "@agentbox/ctl": "0.0.0",
+    "@agentbox/config": "0.0.0",
     "@agentbox/sandbox-daytona": "0.0.0",
+    "@agentbox/sandbox-vercel": "0.0.0",
+    "@agentbox/sandbox-cloud": "0.0.0",
     "@agentbox/sandbox-docker": "0.0.0",
     "@agentbox/sandbox-hetzner": "0.0.0"
   },

package/runtime/daytona/custom-system-CLAUDE.md

@@ -0,0 +1,39 @@
+# AgentBox sandbox (daytona provider)
+
+You are running inside an AgentBox sandbox: a Daytona Cloud sandbox
+provisioned just for this box, with docker-in-docker available (run `docker`
+directly, no sudo). Your user is `vscode` and you can use passwordless
+**sudo** to run commands as root. The whole sandbox is yours — the user's
+host filesystem is not visible from here and nothing is bind-mounted.
+
+You can save the current filesystem state to be reused by future boxes by
+running `agentbox-ctl checkpoint --set-default`. This doesn't need to be confirmed by the user.
+
+`/workspace` is a normal git checkout seeded from the host repo at create
+time (via a `git bundle`). Because there is no host bind-mount, plain `git`
+inside the box only affects this box-local repo — commits do **not** appear
+in the user's host `git log` until you hand them off. For any operation that
+must reach the host repo or its remotes (push, fetch, pull, picking up
+host-side changes), use `agentbox-ctl git push|fetch|pull -- <args>` — it
+RPCs to the host, which runs git with the real SSH agent and writes back into
+the host's worktree state. The wrapper already builds `git push <remote>
+<branch>` host-side from the registered worktree; the `-- <args>` slot is for
+extra flags only (e.g. `--force-with-lease`, `--tags`). Re-passing the remote
+or branch makes git treat them as refspecs and fails with
+`refs/remotes/origin/HEAD cannot be resolved to branch`.
+
+For GitHub PR work, use `agentbox-ctl git pr <op> [args...]` — same model,
+relay shells to host `gh`. Ops: `create`, `view`, `list`, `comment`,
+`review`, `merge`, `close`, `reopen`, `checkout`. `view` / `list` are
+read-only and run silently; everything else asks the user to confirm in
+the host wrapper (deny → exit 10).
+
+For ad-hoc file transfers between this box and the host, use
+`agentbox-ctl cp toHost <boxPath> <hostPath>` and
+`agentbox-ctl cp fromHost <hostPath> <boxPath>` or `agentbox-ctl download claude` / `download env` /
+`download config`. They RPC to the host and
+ask the user for confirmation on the wrapper that runs `agentbox claude`;
+deny returns exit 10 (`denied by user`).
+Don't put any timeout on the command, it will run forever and the user will be notified through multiple channels.
+
+Box identity: /etc/agentbox/box.env and the AGENTBOX_* env vars.

package/runtime/docker/Dockerfile.box

@@ -141,6 +141,19 @@ RUN apt-get update \
 COPY packages/ctl/dist/bin.cjs /usr/local/bin/agentbox-ctl
 RUN chmod +x /usr/local/bin/agentbox-ctl
 
+# `gh` + `git` shims: route a strict subset of upstream subcommands through
+# the host relay (via agentbox-ctl) so the host's authenticated `gh` / git
+# creds stay on the host — the in-box agent never sees a token. The shims
+# also light up Claude Code's branch-linked-to-PR badge (Claude Code calls
+# `gh pr view --json …` on refresh). See packages/sandbox-docker/scripts/
+# {gh,git}-shim and docs/plans/gh-and-git-shims-host-only.md. PATH ordering
+# (line 50 above) puts /usr/local/bin ahead of /usr/bin, so the shim wins;
+# the git shim execs /usr/bin/git directly for everything outside its tiny
+# network-op whitelist (push/pull/fetch/clone).
+COPY packages/sandbox-docker/scripts/gh-shim /usr/local/bin/gh
+COPY packages/sandbox-docker/scripts/git-shim /usr/local/bin/git
+RUN chmod +x /usr/local/bin/gh /usr/local/bin/git
+
 # Setup guide for the first-run wizard. This baked copy is the single source
 # of the /agentbox-setup skill: seedSetupSkillIntoVolume()
 # (packages/sandbox-docker/src/claude.ts) copies it into the box's
@@ -421,6 +434,15 @@ RUN chmod 0644 /etc/claude-code/managed-settings.json
 COPY packages/sandbox-docker/scripts/agentbox-codex-hooks.json /usr/local/share/agentbox/codex-hooks.json
 RUN chmod 0644 /usr/local/share/agentbox/codex-hooks.json
 
+# OpenCode activity-reporting plugin. Unlike Claude's managed-settings hooks,
+# OpenCode has no native hooks system — its only extension surface is a plugin
+# loaded from $OPENCODE_CONFIG_DIR/plugins/*.js. The plugin subscribes to
+# OpenCode's event bus and shells `agentbox-ctl opencode-state` on each
+# lifecycle transition. Staged in the image; copied into the OpenCode config
+# volume by seedOpencodePlugin() at create/start time. See packages/sandbox-docker/src/opencode.ts.
+COPY packages/sandbox-docker/scripts/opencode-agentbox-plugin.js /usr/local/share/agentbox/opencode-agentbox-plugin.js
+RUN chmod 0644 /usr/local/share/agentbox/opencode-agentbox-plugin.js
+
 # /etc/agentbox/ holds runtime-injected box.env (written by `agentbox create`
 # via docker exec). Pre-created here so the writable layer starts with the
 # right perms; the file itself appears at create time.

package/runtime/docker/apps/cli/share/agentbox-setup/SKILL.md

@@ -14,7 +14,7 @@ Run `agentbox checkpoint --set-default` (similar to `docker commit`) to save any
 
 Some special folders:
 
-- **Host main repo's `.git/`** — If the box bind-mounted RW at its identical absolute host path. In-box commits land on the host's branch refs (visible to `git log` on the host immediately); the box itself carries no SSH/git creds, so `git push` goes through the host relay (`agentbox-ctl git push`). The host's **working tree is never written to** — only refs/objects under `.git/`.
+- **Host main repo's `.git/`** — If the box bind-mounted RW at its identical absolute host path. In-box commits land on the host's branch refs (visible to `git log` on the host immediately); the box itself carries no SSH/git creds, so `git push` goes through the host relay (`agentbox-ctl git push`). The host's **working tree is never written to** — only refs/objects under `.git/`. GitHub PR ops (`agentbox-ctl git pr create|view|list|comment|review|merge|close|reopen|checkout`) flow the same way through host `gh`; write ops require host confirmation (deny → exit 10), `merge` and `checkout` have additional opt-in guards.
 - **`~/.claude`** — and similar home folders for coding agents are seeded from the host's `~/.claude` on each create so auth, skills, and plugins persist without leaking the host's home dir.
 - **`agentbox.yaml`** — read by `agentbox-ctl` from `/workspace`. Tasks and services declared here are what the supervisor will run.