@madarco/agentbox 0.8.0 → 0.10.0

package/dist/{prepared-state-CL4CWXQA-ME4HSKDE.js → prepared-state-CL4CWXQA-H5THETIM.js}

@@ -6,7 +6,7 @@ import {
   readPreparedDockerState,
   resolveContextFiles,
   writePreparedDockerState
-} from "./chunk-BGK32PZE.js";
+} from "./chunk-KL36BRN4.js";
 export {
   DOCKERFILE_PATH,
   computeDockerContextFingerprint,
@@ -15,4 +15,4 @@ export {
   resolveContextFiles,
   writePreparedDockerState
 };
-//# sourceMappingURL=prepared-state-CL4CWXQA-ME4HSKDE.js.map
+//# sourceMappingURL=prepared-state-CL4CWXQA-H5THETIM.js.map

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@madarco/agentbox",
-  "version": "0.8.0",
+  "version": "0.10.0",
   "description": "Launch Claude Code, Codex, and other coding agents in isolated sandboxes",
   "license": "MIT",
   "author": "Marco D'Alia",
@@ -37,11 +37,13 @@
   "files": [
     "dist",
     "share",
-    "runtime"
+    "runtime",
+    "CHANGELOG.md"
   ],
   "dependencies": {
     "@clack/prompts": "^0.9.0",
     "@daytonaio/sdk": "^0.179.0",
+    "@vercel/sandbox": "^2.0.1",
     "@xterm/headless": "^5.5.0",
     "commander": "^12.1.0",
     "execa": "^9.5.2",
@@ -57,14 +59,15 @@
     "typescript": "^5.7.2",
     "vitest": "^2.1.8",
     "@agentbox/config": "0.0.0",
-    "@agentbox/relay": "0.0.0",
     "@agentbox/ctl": "0.0.0",
-    "@agentbox/core": "0.0.0",
-    "@agentbox/sandbox-cloud": "0.0.0",
     "@agentbox/sandbox-core": "0.0.0",
-    "@agentbox/sandbox-docker": "0.0.0",
+    "@agentbox/core": "0.0.0",
+    "@agentbox/relay": "0.0.0",
     "@agentbox/sandbox-daytona": "0.0.0",
-    "@agentbox/sandbox-hetzner": "0.0.0"
+    "@agentbox/sandbox-docker": "0.0.0",
+    "@agentbox/sandbox-cloud": "0.0.0",
+    "@agentbox/sandbox-hetzner": "0.0.0",
+    "@agentbox/sandbox-vercel": "0.0.0"
   },
   "scripts": {
     "build": "tsup",
@@ -73,6 +76,7 @@
     "test": "vitest run",
     "typecheck": "tsc --noEmit",
     "clean": "rm -rf dist runtime .turbo",
+    "version": "git add CHANGELOG.md",
     "publish:patch": "npm version patch && git push --follow-tags",
     "publish:minor": "npm version minor && git push --follow-tags"
   }

package/runtime/docker/apps/cli/share/agentbox-setup/SKILL.md

@@ -164,14 +164,7 @@ services:
 - A service with `restart: never` and an autostart dependency will block the dependent forever after one failed run — usually a mistake.
 - `command:` is either a shell string (run via `bash -c`) or an argv array. Use the argv form if you need to avoid shell quoting.
 
-## 8. Checkpoint the warm state (do this at the very end)
-
-Checkpoint (snapshot) this box writable layer: once the box is warmed up (deps installed, services ready), checkpoint it with `agentbox-ctl checkpoint --name setup --replace --set-default` so future boxes start ready.
-Run this command exactly once. The `--name setup --replace` makes it idempotent — if it ever needs to run again it overwrites the existing `setup` checkpoint instead of stacking duplicates.
-This doesn't need to be confirmed by the user.
-It will pause the container for several seconds so warn the user about it and write Done when it's done.
-
-## 9. Hand-off
+## 8. Hand-off
 
 Tell the user (verbatim):
 
@@ -187,6 +180,14 @@ Tell the user (verbatim):
    your box is ready, you can start more sessions with `agentbox claude`
    you can access the web app at https://<boxname>.localhost
 
+
+## 9. Checkpoint the warm state - DON't SKIP THIS STEP
+
+Checkpoint (snapshot) this box writable layer: once the box is warmed up (deps installed, services ready), checkpoint it with `agentbox-ctl checkpoint --name setup --replace --set-default` so future boxes start ready.
+Run this command exactly once. The `--name setup --replace` makes it idempotent — if it ever needs to run again it overwrites the existing `setup` checkpoint instead of stacking duplicates.
+On all providers except Vercel, this doesn't need to be confirmed by the user. It will pause the container for several seconds so warn the user about it and write Done when it's done.
+On Vercel: this actually STOPS the sandbox, so warn the user about it. Also the system will ask confirmation.
+
 ## 10. Known issues
 
 - For Nextjs/Vite/Tasnstack projects, makes sure to forward also websocket for hot reload.

package/runtime/docker/packages/ctl/dist/bin.cjs

@@ -18469,8 +18469,8 @@ var KEY_REGISTRY = [
   {
     key: "box.provider",
     type: "enum",
-    enumValues: ["docker", "daytona", "hetzner"],
-    description: "Sandbox backend new boxes are created on: local Docker containers, Daytona Cloud sandboxes, or Hetzner Cloud VPSes."
+    enumValues: ["docker", "daytona", "hetzner", "vercel"],
+    description: "Sandbox backend new boxes are created on: local Docker containers, Daytona Cloud sandboxes, Hetzner Cloud VPSes, or Vercel Sandboxes."
   },
   {
     key: "box.hostSnapshot",
@@ -18500,6 +18500,12 @@ var KEY_REGISTRY = [
     description: "Per-provider override of `box.defaultCheckpoint` for hetzner. Wins over the global when set; set via `agentbox checkpoint set-default --provider hetzner`.",
     advanced: true
   },
+  {
+    key: "box.defaultCheckpointVercel",
+    type: "string",
+    description: "Per-provider override of `box.defaultCheckpoint` for vercel. Wins over the global when set; set via `agentbox checkpoint set-default --provider vercel`.",
+    advanced: true
+  },
   {
     key: "checkpoint.maxLayers",
     type: "int",
@@ -18573,16 +18579,41 @@ var KEY_REGISTRY = [
     type: "int",
     description: "Cap git bundle history shipped to cloud sandboxes (daytona, hetzner). 0 = full history. Unset = adaptive default (last 200 commits; re-bundle at 100 if the bundle exceeds 20 MB). Ignored for docker (which bind-mounts .git/)."
   },
+  {
+    key: "box.vercelVcpus",
+    type: "int",
+    description: "vCPUs for new --provider vercel boxes (Vercel couples RAM at 2048 MB/vCPU). Default 2. Vercel only accepts specific counts (e.g. 1, 2, 4, 8) \u2014 an unsupported value fails create with a 400. Vercel-only; ignored by other providers."
+  },
+  {
+    key: "box.vercelTimeoutMs",
+    type: "int",
+    description: "Max session length (ms) for new --provider vercel boxes before the VM auto-snapshots; persistent mode auto-resumes on the next call. Default 2700000 (45 min, the Hobby ceiling). Vercel-only."
+  },
+  {
+    key: "box.vercelNetworkPolicy",
+    type: "string",
+    description: "Egress lock for new --provider vercel boxes: 'allow-all' (default, unset), 'deny-all', or a comma-separated domain allowlist (e.g. 'github.com,*.npmjs.org') that denies everything else. Vercel-only; ignored by other providers."
+  },
   {
     key: "claude.sessionName",
     type: "string",
     description: "tmux session name for `agentbox claude`."
   },
+  {
+    key: "claude.dangerouslySkipPermissions",
+    type: "bool",
+    description: "Launch claude in new boxes with --dangerously-skip-permissions (auto-accept tool use). Safe because boxes are isolated; on by default. Override per-box with --no-dangerously-skip-permissions."
+  },
   {
     key: "codex.sessionName",
     type: "string",
     description: "tmux session name for `agentbox codex`."
   },
+  {
+    key: "codex.dangerouslySkipPermissions",
+    type: "bool",
+    description: "Launch codex in new boxes with --dangerously-bypass-approvals-and-sandbox (never prompt for approval). Safe because boxes are isolated; on by default. Override per-box with --no-dangerously-skip-permissions."
+  },
   {
     key: "opencode.sessionName",
     type: "string",
@@ -18690,6 +18721,21 @@ var KEY_REGISTRY = [
     type: "int",
     description: "Max number of simultaneously-running boxes (across providers) before background `-i` jobs queue up instead of starting immediately. Per-invocation override: `--max-running <n>`."
   },
+  {
+    key: "queue.maxWorking",
+    type: "int",
+    description: "Max agents actively working/thinking (quota-consuming) at once before background `-i` jobs queue. 0 = disabled (use the queue.maxConcurrent running-box gate). Counts all boxes, foreground + queued. Per-invocation override: `--max-working <n>`."
+  },
+  {
+    key: "queue.idleGraceSeconds",
+    type: "int",
+    description: "Seconds an agent must stay non-working before it frees its working slot (debounce against brief idle flaps between turns). Only used when queue.maxWorking > 0."
+  },
+  {
+    key: "cloud.useCurrentBranch",
+    type: "bool",
+    description: "On cloud providers (daytona/hetzner), start new boxes on the host's current branch instead of forking a new agentbox/<box-name> branch. Overridden by an explicit --use-branch / --from-branch."
+  },
   {
     key: "maintenance.pruneProjectConfigs",
     type: "bool",
@@ -19119,6 +19165,23 @@ function isGhPrOp(value) {
   return GH_PR_OPS.includes(value);
 }
 var GH_PR_READ_ONLY_OPS = /* @__PURE__ */ new Set(["view", "list"]);
+function injectPrCreateHead(op, branch, args) {
+  if (op !== "create") return args;
+  if (!branch || branch === "HEAD") return args;
+  if (hasHeadArg(args)) return args;
+  return ["--head", branch, ...args];
+}
+function hasHeadArg(args) {
+  return args.some((a2) => a2 === "--head" || a2.startsWith("--head=") || a2.startsWith("-H"));
+}
+function prCreateNeedsHead(op, args) {
+  return op === "create" && !hasHeadArg(args);
+}
+var PR_CREATE_NO_HEAD_REFUSAL = {
+  exitCode: 65,
+  stdout: "",
+  stderr: "gh pr create: refusing to run without --head \u2014 could not resolve this box's branch, and falling back to the host repo's checked-out branch would open a PR for the wrong branch. Ensure the box branch is pushed, or pass --head <branch> explicitly.\n"
+};
 var GH_RPC_TIMEOUT_MS = 12e4;
 var GH_READY_CACHE_TTL_MS = 6e4;
 var ghReadyCache;
@@ -19320,36 +19383,31 @@ var BoxStatusStore = class {
 async function resolveCloudBackend(name) {
   if (name === "daytona") {
     const pkg = "@agentbox/sandbox-daytona";
-    try {
-      const mod = await import(pkg);
-      return mod.daytonaBackend;
-    } catch (err) {
-      const msg = err instanceof Error ? err.message : String(err);
-      if (/cannot find module|MODULE_NOT_FOUND/i.test(msg)) {
-        throw new Error(
-          `relay: cannot load '${pkg}' at runtime \u2014 install it alongside @agentbox/relay (the @madarco/agentbox CLI normally provides this dependency). Original: ${msg}`
-        );
-      }
-      throw err;
-    }
+    return loadCloudBackend(pkg, async () => (await import(pkg)).daytonaBackend);
   }
   if (name === "hetzner") {
     const pkg = "@agentbox/sandbox-hetzner";
-    try {
-      const mod = await import(pkg);
-      return mod.hetznerBackend;
-    } catch (err) {
-      const msg = err instanceof Error ? err.message : String(err);
-      if (/cannot find module|MODULE_NOT_FOUND/i.test(msg)) {
-        throw new Error(
-          `relay: cannot load '${pkg}' at runtime \u2014 install it alongside @agentbox/relay (the @madarco/agentbox CLI normally provides this dependency). Original: ${msg}`
-        );
-      }
-      throw err;
-    }
+    return loadCloudBackend(pkg, async () => (await import(pkg)).hetznerBackend);
+  }
+  if (name === "vercel") {
+    const pkg = "@agentbox/sandbox-vercel";
+    return loadCloudBackend(pkg, async () => (await import(pkg)).vercelBackend);
   }
   throw new Error(`no host executor for cloud backend '${name}'`);
 }
+async function loadCloudBackend(pkg, load2) {
+  try {
+    return await load2();
+  } catch (err) {
+    const msg = err instanceof Error ? err.message : String(err);
+    if (/cannot find module|MODULE_NOT_FOUND/i.test(msg)) {
+      throw new Error(
+        `relay: cannot load '${pkg}' at runtime \u2014 install it alongside @agentbox/relay (the @madarco/agentbox CLI normally provides this dependency). Original: ${msg}`
+      );
+    }
+    throw err;
+  }
+}
 async function refreshCloudPreviewUrl(backendName, boxId, port) {
   try {
     const backend = await resolveCloudBackend(backendName);
@@ -19477,7 +19535,20 @@ async function runGhPrRpc(action, deps) {
       }
     }
   }
-  return runHostGh(["pr", op, ...args], lookup.workspacePath);
+  let finalArgs = args;
+  if (op === "create" && !args.some((a2) => a2 === "--head" || a2.startsWith("--head="))) {
+    const backend = await resolveCloudBackend(deps.backendName);
+    const handle = { sandboxId: lookup.cloudSandboxId };
+    const containerPath = params.path ?? "/workspace";
+    const branchProbe = await backend.exec(
+      handle,
+      `git -C ${shellQuote(containerPath)} rev-parse --abbrev-ref HEAD`
+    );
+    const branch = branchProbe.exitCode === 0 ? (branchProbe.stdout ?? "").trim() : "";
+    finalArgs = injectPrCreateHead(op, branch, args);
+  }
+  if (prCreateNeedsHead(op, finalArgs)) return PR_CREATE_NO_HEAD_REFUSAL;
+  return runHostGh(["pr", op, ...finalArgs], lookup.workspacePath);
 }
 async function runBrowserOpenMirror(action, deps) {
   const params = action.params ?? {};
@@ -19596,6 +19667,18 @@ async function runCheckpointRpc(action, deps) {
       stderr: "relay: AGENTBOX_CLI_ENTRY not set; cannot run checkpoint host-side\n"
     };
   }
+  if (deps.backendName === "vercel" && deps.prompts && deps.subscribers && deps.subscribers.forBox(deps.boxId).length > 0) {
+    const verdict = await askPrompt(deps.prompts, deps.subscribers, deps.boxId, {
+      kind: "confirm",
+      message: `Create checkpoint on ${deps.boxName ?? deps.boxId}? The vercel box will stop and reboot.`,
+      detail: params.name ? `checkpoint: ${params.name}` : "(auto-named)",
+      defaultAnswer: "n",
+      context: { command: "checkpoint create", argv: params.name ? [params.name] : [] }
+    });
+    if (verdict.answer !== "y") {
+      return { exitCode: 10, stdout: "", stderr: "checkpoint denied by user\n" };
+    }
+  }
   const argv = [process.execPath, entry, "checkpoint", "create", deps.boxId];
   if (params.name) argv.push("--name", params.name);
   if (params.merged === true) argv.push("--merged");
@@ -19947,7 +20030,18 @@ function createRelayServer(opts) {
     const url = new URL(req.url ?? "/", `http://${req.headers.host ?? "relay"}`);
     const route = `${req.method ?? "GET"} ${url.pathname}`;
     if (route === "GET /healthz") {
-      send(res, 200, { ok: true, boxes: registry.size(), events: events.size() });
+      send(res, 200, {
+        ok: true,
+        boxes: registry.size(),
+        events: events.size(),
+        pid: process.pid,
+        cliEntry: Boolean(process.env.AGENTBOX_CLI_ENTRY),
+        // The spawning CLI's version/commit (inherited via env at spawn time).
+        // `version` lets host-side ensureRelay reclaim a relay left over from a
+        // different agentbox version; `commit` is observability-only.
+        version: process.env.AGENTBOX_CLI_VERSION || void 0,
+        commit: process.env.AGENTBOX_CLI_COMMIT || void 0
+      });
       return;
     }
     if (url.pathname.startsWith("/bridge/")) {
@@ -20605,7 +20699,9 @@ async function handleGhPrRpc(op, reg, params, prompts, subscribers, hostInitiate
       return { exitCode: 10, stdout: "", stderr: "denied by user\n" };
     }
   }
-  return runHostGh(["pr", op, ...args], worktree.hostMainRepo);
+  const finalArgs = injectPrCreateHead(op, worktree.branch, args);
+  if (prCreateNeedsHead(op, finalArgs)) return PR_CREATE_NO_HEAD_REFUSAL;
+  return runHostGh(["pr", op, ...finalArgs], worktree.hostMainRepo);
 }
 async function handleCpRpc(reg, method, params) {
   const entry = process.env.AGENTBOX_CLI_ENTRY;
@@ -21888,6 +21984,7 @@ var Supervisor = class extends import_node_events15.EventEmitter {
     super();
     this.opts = opts;
     this.relay = new RelayClient();
+    this.webProxy = new WebProxy(opts.webProxyPort);
   }
   opts;
   units = /* @__PURE__ */ new Map();
@@ -21897,7 +21994,7 @@ var Supervisor = class extends import_node_events15.EventEmitter {
   scheduling = false;
   rescheduleDirty = false;
   relay;
-  webProxy = new WebProxy();
+  webProxy;
   /** The relay client the supervisor pushes state events on. Shared with the
    * status reporter so both use the same fire-and-forget channel. */
   get relayClient() {
@@ -22824,7 +22921,8 @@ function resolveBoxRelayPort() {
 }
 var daemonCommand = new Command("daemon").description("Run the agentbox-ctl supervisor in the foreground").option("--socket <path>", "unix socket path", DEFAULT_SOCKET_PATH).option("--config <path>", "path to agentbox.yaml", DEFAULT_CONFIG_PATH).option("--log-dir <path>", "where per-service log files are written", DEFAULT_LOG_DIR).option("--workspace <path>", "cwd for service processes", "/workspace").action(async (opts) => {
   const cfg = await loadConfig(opts.config);
-  const sup = new Supervisor({ workspace: opts.workspace, logDir: opts.logDir });
+  const webProxyPort = Number(process.env.AGENTBOX_WEB_PROXY_PORT) || void 0;
+  const sup = new Supervisor({ workspace: opts.workspace, logDir: opts.logDir, webProxyPort });
   await sup.init(cfg);
   const reporter = new StatusReporter({
     supervisor: sup,

package/runtime/docker/packages/sandbox-docker/scripts/agentbox-vnc-start

@@ -65,11 +65,25 @@ if ! pgrep -u "$(id -u)" -x autocutsel >/dev/null; then
   DISPLAY=:1 autocutsel -selection PRIMARY -fork >/dev/null 2>&1 || true
 fi
 
+# noVNC's static assets live at different paths per base image: Debian/Ubuntu
+# (docker, hetzner) ship them at /usr/share/novnc via apt; the AL2023 bake
+# (vercel) git-clones them to /usr/local/share/novnc. websockify runs
+# os.chdir(--web) at startup, so a wrong path makes it FileNotFoundError and
+# never bind 6080 — pick the first dir that exists.
+NOVNC_WEB=""
+for _d in /usr/share/novnc /usr/local/share/novnc; do
+  if [[ -d "$_d" ]]; then NOVNC_WEB="$_d"; break; fi
+done
+if [[ -z "$NOVNC_WEB" ]]; then
+  echo "agentbox-vnc-start: noVNC assets not found (looked in /usr/share/novnc, /usr/local/share/novnc)" >&2
+  exit 65
+fi
+
 # websockify serves noVNC at /vnc.html (--web) and tunnels WS frames to Xvnc's
 # RFB. Bind 0.0.0.0:6080 so both Docker `-p` mappings and OrbStack's
 # <name>.orb.local routing reach it.
 websockify \
-  --web=/usr/share/novnc \
+  --web="$NOVNC_WEB" \
   0.0.0.0:6080 \
   127.0.0.1:5901 \
   >/var/log/agentbox/websockify.log 2>&1 &

package/runtime/hetzner/agentbox-setup-skill.md

@@ -164,14 +164,7 @@ services:
 - A service with `restart: never` and an autostart dependency will block the dependent forever after one failed run — usually a mistake.
 - `command:` is either a shell string (run via `bash -c`) or an argv array. Use the argv form if you need to avoid shell quoting.
 
-## 8. Checkpoint the warm state (do this at the very end)
-
-Checkpoint (snapshot) this box writable layer: once the box is warmed up (deps installed, services ready), checkpoint it with `agentbox-ctl checkpoint --name setup --replace --set-default` so future boxes start ready.
-Run this command exactly once. The `--name setup --replace` makes it idempotent — if it ever needs to run again it overwrites the existing `setup` checkpoint instead of stacking duplicates.
-This doesn't need to be confirmed by the user.
-It will pause the container for several seconds so warn the user about it and write Done when it's done.
-
-## 9. Hand-off
+## 8. Hand-off
 
 Tell the user (verbatim):
 
@@ -187,6 +180,14 @@ Tell the user (verbatim):
    your box is ready, you can start more sessions with `agentbox claude`
    you can access the web app at https://<boxname>.localhost
 
+
+## 9. Checkpoint the warm state - DON't SKIP THIS STEP
+
+Checkpoint (snapshot) this box writable layer: once the box is warmed up (deps installed, services ready), checkpoint it with `agentbox-ctl checkpoint --name setup --replace --set-default` so future boxes start ready.
+Run this command exactly once. The `--name setup --replace` makes it idempotent — if it ever needs to run again it overwrites the existing `setup` checkpoint instead of stacking duplicates.
+On all providers except Vercel, this doesn't need to be confirmed by the user. It will pause the container for several seconds so warn the user about it and write Done when it's done.
+On Vercel: this actually STOPS the sandbox, so warn the user about it. Also the system will ask confirmation.
+
 ## 10. Known issues
 
 - For Nextjs/Vite/Tasnstack projects, makes sure to forward also websocket for hot reload.

package/runtime/hetzner/agentbox-vnc-start

@@ -65,11 +65,25 @@ if ! pgrep -u "$(id -u)" -x autocutsel >/dev/null; then
   DISPLAY=:1 autocutsel -selection PRIMARY -fork >/dev/null 2>&1 || true
 fi
 
+# noVNC's static assets live at different paths per base image: Debian/Ubuntu
+# (docker, hetzner) ship them at /usr/share/novnc via apt; the AL2023 bake
+# (vercel) git-clones them to /usr/local/share/novnc. websockify runs
+# os.chdir(--web) at startup, so a wrong path makes it FileNotFoundError and
+# never bind 6080 — pick the first dir that exists.
+NOVNC_WEB=""
+for _d in /usr/share/novnc /usr/local/share/novnc; do
+  if [[ -d "$_d" ]]; then NOVNC_WEB="$_d"; break; fi
+done
+if [[ -z "$NOVNC_WEB" ]]; then
+  echo "agentbox-vnc-start: noVNC assets not found (looked in /usr/share/novnc, /usr/local/share/novnc)" >&2
+  exit 65
+fi
+
 # websockify serves noVNC at /vnc.html (--web) and tunnels WS frames to Xvnc's
 # RFB. Bind 0.0.0.0:6080 so both Docker `-p` mappings and OrbStack's
 # <name>.orb.local routing reach it.
 websockify \
-  --web=/usr/share/novnc \
+  --web="$NOVNC_WEB" \
   0.0.0.0:6080 \
   127.0.0.1:5901 \
   >/var/log/agentbox/websockify.log 2>&1 &