@madarco/agentbox 0.8.0 → 0.10.0

package/dist/{chunk-67N47KUS.js → chunk-2GPORKYF.js}

@@ -1,7 +1,10 @@
 #!/usr/bin/env node
 import {
   CLAUDE_FORWARDED_ENV_KEYS,
+  CODEX_CREDENTIALS_BACKUP_FILE,
   CODEX_FORWARDED_ENV_KEYS,
+  CREDENTIALS_BACKUP_FILE,
+  OPENCODE_CREDENTIALS_BACKUP_FILE,
   OPENCODE_FORWARDED_ENV_KEYS,
   buildHostEnvFindArgs,
   buildTmuxConfigShellSnippet,
@@ -10,6 +13,7 @@ import {
   generateRelayToken,
   generateVncPassword,
   hashProjectPath,
+  isRealAgentCredential,
   portlessAlias,
   portlessGetUrl,
   portlessUnalias,
@@ -23,22 +27,24 @@ import {
   stageOpencodeCredentialsForUpload,
   stageOpencodeStateForUpload,
   stageOpencodeStaticForUpload
-} from "./chunk-6OZDFNBF.js";
+} from "./chunk-7UIAO7PC.js";
 import {
   allocateProjectIndex,
   detectGitRepos,
   readState,
   recordBox,
   removeBoxRecord
-} from "./chunk-BGK32PZE.js";
+} from "./chunk-KL36BRN4.js";
 
 // ../../packages/sandbox-cloud/dist/index.js
 import { randomBytes } from "crypto";
 import { basename as basename2 } from "path";
-import { mkdir, readFile, readdir, rm, writeFile } from "fs/promises";
+import { chmod, mkdir, writeFile } from "fs/promises";
+import { dirname } from "path";
+import { mkdir as mkdir2, readFile, readdir, rm, writeFile as writeFile2 } from "fs/promises";
 import { homedir } from "os";
 import { basename, join } from "path";
-import { mkdtemp, rm as rm2, writeFile as writeFile2 } from "fs/promises";
+import { mkdtemp, rm as rm2, writeFile as writeFile3 } from "fs/promises";
 import { tmpdir } from "os";
 import { join as join2 } from "path";
 import { execa } from "execa";
@@ -228,6 +234,39 @@ function agentSpecsForCloud() {
     credentialsSubpath: s.credentialsSubpath
   }));
 }
+var EXTRACT_SPECS = [
+  { kind: "claude", boxPath: "/home/vscode/.claude/.credentials.json", hostBackup: CREDENTIALS_BACKUP_FILE },
+  { kind: "codex", boxPath: "/home/vscode/.codex/auth.json", hostBackup: CODEX_CREDENTIALS_BACKUP_FILE },
+  {
+    kind: "opencode",
+    boxPath: "/home/vscode/.local/share/opencode/auth.json",
+    hostBackup: OPENCODE_CREDENTIALS_BACKUP_FILE
+  }
+];
+async function extractCloudAgentCredentials(backend, handle, opts = {}) {
+  const log = opts.onLog ?? (() => {
+  });
+  const extracted = [];
+  for (const spec of EXTRACT_SPECS) {
+    const hostBackup = opts.backups?.[spec.kind] ?? spec.hostBackup;
+    try {
+      const r = await backend.exec(handle, `cat ${spec.boxPath} 2>/dev/null`, { noRetry: true });
+      const text = r.stdout;
+      if (r.exitCode !== 0 || !text || !isRealAgentCredential(spec.kind, text)) continue;
+      await mkdir(dirname(hostBackup), { recursive: true });
+      await writeFile(hostBackup, text, { mode: 384 });
+      await chmod(hostBackup, 384).catch(() => {
+      });
+      extracted.push(spec.kind);
+      log(`extracted ${spec.kind} login from box to ${hostBackup}`);
+    } catch (err) {
+      log(
+        `WARN: ${spec.kind} credential extract failed (${err instanceof Error ? err.message : String(err)}) \u2014 skipping`
+      );
+    }
+  }
+  return extracted;
+}
 var CLOUD_CHECKPOINTS_ROOT = join(homedir(), ".agentbox", "cloud-checkpoints");
 var CLOUD_SNAPSHOT_NAME_PREFIX = "agentbox-ckpt-";
 function cloudSnapshotName(projectRoot, name) {
@@ -275,7 +314,7 @@ async function resolveCloudCheckpoint(projectRoot, backend, ref) {
 }
 async function writeCloudCheckpointManifest(projectRoot, backend, name, fields) {
   const dir = checkpointDir(backend, projectRoot, name);
-  await mkdir(dir, { recursive: true });
+  await mkdir2(dir, { recursive: true });
   const manifest = {
     schema: 1,
     name,
@@ -285,7 +324,7 @@ async function writeCloudCheckpointManifest(projectRoot, backend, name, fields)
     sourceBoxName: fields.sourceBoxName,
     createdAt: (/* @__PURE__ */ new Date()).toISOString()
   };
-  await writeFile(join(dir, "manifest.json"), JSON.stringify(manifest, null, 2) + "\n", "utf8");
+  await writeFile2(join(dir, "manifest.json"), JSON.stringify(manifest, null, 2) + "\n", "utf8");
   return { name, dir, manifest };
 }
 async function removeCloudCheckpointDir(projectRoot, backend, name) {
@@ -295,6 +334,27 @@ async function removeCloudCheckpointDir(projectRoot, backend, name) {
   await rm(dir, { recursive: true, force: true });
   return true;
 }
+async function probeCloudCheckpoint(backend, projectRoot, ref) {
+  const found = await resolveCloudCheckpoint(projectRoot, backend.name, ref);
+  if (!found) return { live: false, pruned: false };
+  if (!backend.snapshotExists) return { live: true, pruned: false };
+  const live = await backend.snapshotExists(found.manifest.snapshotName);
+  if (live) return { live: true, pruned: false };
+  await removeCloudCheckpointDir(projectRoot, backend.name, ref);
+  return { live: false, pruned: true };
+}
+function isSnapshotGoneError(err) {
+  if (err === null || typeof err !== "object") return false;
+  const e = err;
+  const status = e.response?.status ?? e.status;
+  if (status === 410) return true;
+  const parts = [
+    typeof e.json?.error?.message === "string" ? e.json.error.message : "",
+    typeof e.message === "string" ? e.message : ""
+  ];
+  const msg = parts.join(" ").toLowerCase();
+  return /snapshot[^.]*\b(expired|deleted|gone|not[ -]?found)\b/.test(msg) || msg.includes("expired or deleted");
+}
 var WORKSPACE_DIR_DEFAULT = "/workspace";
 var REMOTE_TAR_PATH = "/tmp/agentbox-envfiles.tar";
 async function uploadEnvFiles(args) {
@@ -324,7 +384,7 @@ async function uploadEnvFiles(args) {
       log(`env-file tar pack failed: ${String(packed.stderr).slice(0, 300)}`);
       return { copied: 0 };
     }
-    await writeFile2(join2(stage, ".marker"), "").catch(() => {
+    await writeFile3(join2(stage, ".marker"), "").catch(() => {
     });
     await args.backend.uploadFile(args.handle, localTar, REMOTE_TAR_PATH);
     const extract = await args.backend.exec(
@@ -418,7 +478,8 @@ async function uploadOneEntry(args) {
   }
   parts.push(`rm -f ${remoteTar}`);
   const cmd = parts.join(" && ");
-  const res = await args.backend.exec(args.handle, cmd);
+  const execOpts = args.backend.name === "vercel" ? { user: "root" } : void 0;
+  const res = await args.backend.exec(args.handle, cmd, execOpts);
   if (res.exitCode !== 0) {
     throw new Error(
       `in-box extract failed (exit ${String(res.exitCode)}): ${(res.stderr || res.stdout).slice(-300)}`
@@ -602,6 +663,8 @@ async function launchCloudCtlDaemon(args) {
   if (args.relayUrl) env.push(`AGENTBOX_RELAY_URL=${quoteShellArgv([args.relayUrl])}`);
   if (args.relayToken) env.push(`AGENTBOX_RELAY_TOKEN=${quoteShellArgv([args.relayToken])}`);
   if (args.bridgeToken) env.push(`AGENTBOX_BRIDGE_TOKEN=${quoteShellArgv([args.bridgeToken])}`);
+  if (args.webProxyPort !== void 0)
+    env.push(`AGENTBOX_WEB_PROXY_PORT=${quoteShellArgv([String(args.webProxyPort)])}`);
   const script = [
     `set -e`,
     `if command -v sudo >/dev/null 2>&1; then SUDO='sudo -n'; else SUDO=''; fi`,
@@ -687,6 +750,7 @@ async function seedCloudWorkspace(args) {
       workspaceDir,
       bundleDepth: args.bundleDepth,
       fromBranch: args.fromBranch,
+      useBranch: args.useBranch,
       onLog: log
     });
     for (const r of nested) {
@@ -725,8 +789,8 @@ async function seedFromGitClone(args) {
   const cloneDir = join5(stage, "clone");
   const tarPath = join5(stage, "workspace.tar.gz");
   const untrackedTarPath = join5(stage, "untracked.tar.gz");
-  const stashSha = await safeStashCreate(args.hostRepo);
-  const untrackedSize = await maybeBuildUntrackedTar(args.hostRepo, untrackedTarPath);
+  const stashSha = args.useBranch ? null : await safeStashCreate(args.hostRepo);
+  const untrackedSize = args.useBranch ? 0 : await maybeBuildUntrackedTar(args.hostRepo, untrackedTarPath);
   let stashRefCreated = false;
   try {
     if (stashSha) {
@@ -743,7 +807,8 @@ async function seedFromGitClone(args) {
     log(
       adaptive ? `clone: depth=${String(DEFAULT_BUNDLE_DEPTH)} (default, adaptive)` : initialDepth === null ? "clone: depth=full (configured)" : `clone: depth=${String(initialDepth)} (configured)`
     );
-    await runShallowClone(args.hostRepo, cloneDir, initialDepth, stashRefCreated, args.fromBranch);
+    const cloneBranch = args.useBranch ?? args.fromBranch;
+    await runShallowClone(args.hostRepo, cloneDir, initialDepth, stashRefCreated, cloneBranch);
     await tarCloneDir(cloneDir, tarPath);
     if (adaptive && initialDepth !== null) {
       const size = await safeFileSize(tarPath);
@@ -754,7 +819,7 @@ async function seedFromGitClone(args) {
         );
         await rm5(cloneDir, { recursive: true, force: true });
         await rm5(tarPath, { force: true });
-        await runShallowClone(args.hostRepo, cloneDir, LARGE_BUNDLE_DEPTH, stashRefCreated, args.fromBranch);
+        await runShallowClone(args.hostRepo, cloneDir, LARGE_BUNDLE_DEPTH, stashRefCreated, cloneBranch);
         await tarCloneDir(cloneDir, tarPath);
       }
     }
@@ -791,7 +856,10 @@ async function seedFromGitClone(args) {
       `$SUDO chown "$(id -un):$(id -gn)" ${quoteShellArgv([args.workspaceDir])}`,
       `tar -C ${quoteShellArgv([args.workspaceDir])} -xzf ${quoteShellArgv([remoteTar])}`,
       setOrigin,
-      `git -C ${quoteShellArgv([args.workspaceDir])} checkout -B ${quoteShellArgv([args.branch])}`,
+      // reuse: the clone already landed on `<branch>` (pinned via `--branch`);
+      // a plain checkout materializes the working tree without resetting the
+      // ref. fork: `-B` (re)points `<branch>` at the clone HEAD.
+      args.useBranch ? `git -C ${quoteShellArgv([args.workspaceDir])} checkout ${quoteShellArgv([args.branch])}` : `git -C ${quoteShellArgv([args.workspaceDir])} checkout -B ${quoteShellArgv([args.branch])}`,
       ...carryOverSteps,
       `rm -f ${quoteShellArgv([remoteTar])}`
     ].join("\n");
@@ -989,7 +1057,9 @@ function createCloudProvider(backend, opts = {}) {
     return {
       id,
       name,
-      branch: `agentbox/${name}`
+      // --use-branch reuses the named branch directly; otherwise fork a fresh
+      // per-box branch. The CLI validated `useBranch` exists host-side.
+      branch: req.useBranch ?? `agentbox/${name}`
     };
   }
   async function probe(box) {
@@ -1001,6 +1071,141 @@ function createCloudProvider(backend, opts = {}) {
       return "missing";
     }
   }
+  async function persistLastState(box, lastState) {
+    if (!box.cloud) return;
+    try {
+      await recordBox({ ...box, cloud: { ...box.cloud, lastState } });
+    } catch {
+    }
+  }
+  async function reEnsureCloudBox(box, h) {
+    const webPort = box.cloud?.webPort ?? backend.webProxyPort ?? CLOUD_WEB_PROXY_PORT;
+    let webPreview;
+    try {
+      webPreview = await backend.previewUrl(h, webPort);
+    } catch {
+      const cached = box.cloud?.previewUrls?.[webPort];
+      webPreview = cached ? { url: cached } : void 0;
+    }
+    const servicePreviews = {};
+    try {
+      const ports = await readExposedServicePorts(box.workspacePath);
+      for (const port of ports) {
+        if (port === webPort) continue;
+        try {
+          const p = await backend.previewUrl(h, port);
+          servicePreviews[port] = p.url;
+        } catch {
+        }
+      }
+    } catch {
+    }
+    let relayPreview;
+    try {
+      relayPreview = await backend.previewUrl(h, 8788);
+    } catch {
+      relayPreview = box.cloud?.relayPreviewUrl ? { url: box.cloud.relayPreviewUrl, token: box.cloud.relayPreviewToken } : void 0;
+    }
+    const mergedPreviews = {
+      ...box.cloud?.previewUrls ?? {},
+      ...servicePreviews
+    };
+    if (webPreview !== void 0) mergedPreviews[webPort] = webPreview.url;
+    let portlessAliasName = box.portlessAlias;
+    let portlessUrlResolved = box.portlessUrl;
+    if (box.portlessAlias && webPreview) {
+      const r = await bootstrapPortlessForCloudBox(backend, h, {
+        boxName: box.name,
+        webPreviewUrl: webPreview.url,
+        webPort,
+        onLog: () => {
+        }
+      });
+      if (r) {
+        portlessAliasName = r.alias;
+        portlessUrlResolved = r.url;
+      }
+    }
+    let portlessVncAliasName = box.portlessVncAlias;
+    let portlessVncUrlResolved = box.portlessVncUrl;
+    if (box.portlessVncAlias && box.vncEnabled) {
+      try {
+        const vncPreview = await backend.previewUrl(h, CLOUD_VNC_PORT);
+        const url = await registerHostPortlessAlias({
+          alias: box.portlessVncAlias,
+          previewUrl: vncPreview.url,
+          label: "vnc",
+          onLog: () => {
+          }
+        });
+        if (url) {
+          portlessVncAliasName = box.portlessVncAlias;
+          portlessVncUrlResolved = url;
+        }
+      } catch {
+      }
+    }
+    const next = {
+      ...box,
+      portlessAlias: portlessAliasName,
+      portlessUrl: portlessUrlResolved,
+      portlessVncAlias: portlessVncAliasName,
+      portlessVncUrl: portlessVncUrlResolved,
+      cloud: {
+        ...box.cloud ?? { backend: providerName, sandboxId: h.sandboxId },
+        webPort,
+        previewUrls: Object.keys(mergedPreviews).length > 0 ? mergedPreviews : void 0,
+        relayPreviewUrl: relayPreview?.url ?? box.cloud?.relayPreviewUrl,
+        relayPreviewToken: relayPreview?.token ?? box.cloud?.relayPreviewToken,
+        // reEnsureCloudBox only runs on a freshly-woken box (start/resume), so
+        // the box is now running — persist it for the fast `agentbox list` path.
+        lastState: "running"
+      }
+    };
+    await recordBox(next);
+    await launchCloudCtlDaemon({
+      backend,
+      handle: h,
+      boxId: box.id,
+      boxName: box.name,
+      relayUrl: `http://127.0.0.1:${String(8788)}`,
+      relayToken: box.relayToken ?? "",
+      bridgeToken: box.cloud?.bridgeToken,
+      webProxyPort: backend.webProxyPort
+    });
+    if (opts.launchDockerd !== false) {
+      try {
+        const dockerd = await launchCloudDockerdDaemon({ backend, handle: h, timeoutMs: 6e4 });
+        if (!dockerd.up) {
+        }
+      } catch {
+      }
+    }
+    if (box.vncEnabled && box.vncPassword) {
+      try {
+        await launchCloudVncDaemon({ backend, handle: h, vncPassword: box.vncPassword });
+      } catch {
+      }
+    }
+    if (relayPreview && box.relayToken && box.cloud?.bridgeToken) {
+      try {
+        await registerBoxWithRelay({
+          boxId: box.id,
+          token: box.relayToken,
+          name: box.name,
+          kind: "cloud",
+          backend: backend.name,
+          previewUrl: relayPreview.url,
+          previewToken: relayPreview.token,
+          bridgeToken: box.cloud.bridgeToken,
+          createdAt: box.createdAt,
+          projectIndex: box.projectIndex
+        });
+      } catch {
+      }
+    }
+    return next;
+  }
   return {
     name: providerName,
     async create(req) {
@@ -1008,7 +1213,13 @@ function createCloudProvider(backend, opts = {}) {
       });
       const { id, name, branch } = mintBox(req);
       const image = opts.provisionImage ? await opts.provisionImage(req) : req.image ?? FALLBACK_IMAGE;
-      const resources = opts.defaultResources ?? { cpu: 2, memory: 4, disk: 8 };
+      const baseResources = opts.defaultResources ?? { cpu: 2, memory: 4, disk: 8 };
+      const vcpuOverride = req.providerOptions?.["vcpus"];
+      const resources = typeof vcpuOverride === "number" && vcpuOverride > 0 ? { ...baseResources, cpu: vcpuOverride } : baseResources;
+      const timeoutOverride = req.providerOptions?.["timeoutMs"];
+      const timeoutMs = typeof timeoutOverride === "number" && timeoutOverride > 0 ? timeoutOverride : void 0;
+      const networkPolicyOpt = req.providerOptions?.["networkPolicy"];
+      const networkPolicy = typeof networkPolicyOpt === "string" && networkPolicyOpt.trim() !== "" ? networkPolicyOpt.trim() : void 0;
       const relayToken = generateRelayToken();
       const bridgeToken = generateRelayToken();
       try {
@@ -1031,29 +1242,57 @@ function createCloudProvider(backend, opts = {}) {
         }
       }
       const agentVolumes = await ensureAgentVolumesForCloud(backend, { onLog: log });
-      log(
-        snapshotName ? `provisioning ${providerName} sandbox from snapshot` : `provisioning ${providerName} sandbox`
-      );
-      const handle = await backend.provision({
-        name,
-        image,
-        snapshot: snapshotName,
-        resources,
-        env: {
-          AGENTBOX_BOX_ID: id,
-          AGENTBOX_BOX_NAME: name,
-          AGENTBOX_BOX_KIND: "cloud",
-          // In-sandbox relay is on the box's loopback at the in-box port.
-          // 8788 is distinct from the host relay's 8787 so a nested agentbox
-          // run inside the box can claim :8787 without colliding.
-          AGENTBOX_RELAY_URL: `http://127.0.0.1:${String(8788)}`,
-          AGENTBOX_RELAY_TOKEN: relayToken,
-          AGENTBOX_BRIDGE_TOKEN: bridgeToken,
-          ...agentVolumes.env
-        },
-        volumes: agentVolumes.mounts,
-        onLog: log
-      });
+      const exposeServicePorts = await readExposedServicePorts(req.workspacePath);
+      const provisionEnv = {
+        AGENTBOX_BOX_ID: id,
+        AGENTBOX_BOX_NAME: name,
+        AGENTBOX_BOX_KIND: "cloud",
+        // In-sandbox relay is on the box's loopback at the in-box port.
+        // 8788 is distinct from the host relay's 8787 so a nested agentbox
+        // run inside the box can claim :8787 without colliding.
+        AGENTBOX_RELAY_URL: `http://127.0.0.1:${String(8788)}`,
+        AGENTBOX_RELAY_TOKEN: relayToken,
+        AGENTBOX_BRIDGE_TOKEN: bridgeToken,
+        ...agentVolumes.env
+      };
+      const provisionFrom = async (snapshot) => {
+        log(
+          snapshot ? `provisioning ${providerName} sandbox from snapshot` : `provisioning ${providerName} sandbox`
+        );
+        return backend.provision({
+          name,
+          image,
+          snapshot,
+          resources,
+          timeoutMs,
+          exposePorts: exposeServicePorts,
+          networkPolicy,
+          env: provisionEnv,
+          volumes: agentVolumes.mounts,
+          onLog: log
+        });
+      };
+      let handle;
+      try {
+        handle = await provisionFrom(snapshotName);
+      } catch (err) {
+        if (snapshotName && isSnapshotGoneError(err)) {
+          log(
+            `checkpoint snapshot '${resolvedCheckpointRef ?? snapshotName}' has expired or been deleted; starting a fresh box from the base image instead`
+          );
+          if (req.projectRoot && resolvedCheckpointRef) {
+            try {
+              await removeCloudCheckpointDir(req.projectRoot, backend.name, resolvedCheckpointRef);
+            } catch {
+            }
+          }
+          snapshotName = void 0;
+          resolvedCheckpointRef = void 0;
+          handle = await provisionFrom(void 0);
+        } else {
+          throw err;
+        }
+      }
       try {
         if (snapshotName) {
           log("skipping workspace seed \u2014 snapshot already contains /workspace");
@@ -1066,6 +1305,7 @@ function createCloudProvider(backend, opts = {}) {
             workspaceDir: CLOUD_WORKSPACE_DIR,
             bundleDepth: req.bundleDepth,
             fromBranch: req.fromBranch,
+            useBranch: req.useBranch,
             onLog: log
           });
         }
@@ -1111,14 +1351,17 @@ function createCloudProvider(backend, opts = {}) {
           boxName: name,
           relayUrl: `http://127.0.0.1:${String(8788)}`,
           relayToken,
-          bridgeToken
+          bridgeToken,
+          webProxyPort: backend.webProxyPort
         });
-        log("launching in-box dockerd");
-        try {
-          const dockerd = await launchCloudDockerdDaemon({ backend, handle, timeoutMs: 6e4 });
-          if (!dockerd.up) log(`dockerd did not become ready (continuing): ${dockerd.reason ?? "unknown"}`);
-        } catch (err) {
-          log(`dockerd daemon launch failed (continuing): ${err instanceof Error ? err.message : String(err)}`);
+        if (opts.launchDockerd !== false) {
+          log("launching in-box dockerd");
+          try {
+            const dockerd = await launchCloudDockerdDaemon({ backend, handle, timeoutMs: 6e4 });
+            if (!dockerd.up) log(`dockerd did not become ready (continuing): ${dockerd.reason ?? "unknown"}`);
+          } catch (err) {
+            log(`dockerd daemon launch failed (continuing): ${err instanceof Error ? err.message : String(err)}`);
+          }
         }
         const vncEnabled = req.vnc?.enabled !== false;
         const vncPassword = vncEnabled ? generateVncPassword() : void 0;
@@ -1132,9 +1375,10 @@ function createCloudProvider(backend, opts = {}) {
             );
           }
         }
+        const wp = backend.webProxyPort ?? CLOUD_WEB_PROXY_PORT;
         let webPreview;
         try {
-          webPreview = await backend.previewUrl(handle, CLOUD_WEB_PROXY_PORT);
+          webPreview = await backend.previewUrl(handle, wp);
         } catch {
           webPreview = void 0;
         }
@@ -1145,7 +1389,7 @@ function createCloudProvider(backend, opts = {}) {
           const r = await bootstrapPortlessForCloudBox(backend, handle, {
             boxName: name,
             webPreviewUrl: webPreview.url,
-            webPort: CLOUD_WEB_PROXY_PORT,
+            webPort: wp,
             onLog: log
           });
           if (r) {
@@ -1176,10 +1420,10 @@ function createCloudProvider(backend, opts = {}) {
             portlessVncUrlResolved = url;
           }
         }
-        const servicePorts = await readExposedServicePorts(req.workspacePath);
+        const servicePorts = exposeServicePorts;
         const servicePreviews = {};
         for (const port of servicePorts) {
-          if (port === CLOUD_WEB_PROXY_PORT) continue;
+          if (port === wp) continue;
           try {
             const p = await backend.previewUrl(handle, port);
             servicePreviews[port] = p.url;
@@ -1192,12 +1436,15 @@ function createCloudProvider(backend, opts = {}) {
         } catch {
           relayPreview = void 0;
         }
+        const state = await readState();
+        const projectIndex = req.projectRoot ? allocateProjectIndex(state, req.projectRoot) : void 0;
         if (relayPreview) {
           try {
             await registerBoxWithRelay({
               boxId: id,
               token: relayToken,
               name,
+              projectIndex,
               kind: "cloud",
               backend: backend.name,
               previewUrl: relayPreview.url,
@@ -1211,8 +1458,6 @@ function createCloudProvider(backend, opts = {}) {
             );
           }
         }
-        const state = await readState();
-        const projectIndex = req.projectRoot ? allocateProjectIndex(state, req.projectRoot) : void 0;
         const record = {
           id,
           name,
@@ -1249,16 +1494,17 @@ function createCloudProvider(backend, opts = {}) {
             backend: backend.name,
             sandboxId: handle.sandboxId,
             image,
-            webPort: CLOUD_WEB_PROXY_PORT,
+            webPort: wp,
             previewUrls: (() => {
               const m = { ...servicePreviews };
-              if (webPreview) m[CLOUD_WEB_PROXY_PORT] = webPreview.url;
+              if (webPreview) m[wp] = webPreview.url;
               return Object.keys(m).length > 0 ? m : void 0;
             })(),
             relayPreviewUrl: relayPreview?.url,
             relayPreviewToken: relayPreview?.token,
             bridgeToken,
-            snapshotRef: resolvedCheckpointRef
+            snapshotRef: resolvedCheckpointRef,
+            lastState: "running"
           },
           createdAt: (/* @__PURE__ */ new Date()).toISOString()
         };
@@ -1275,135 +1521,20 @@ function createCloudProvider(backend, opts = {}) {
     async start(box) {
       const h = handleFor(box);
       await backend.start(h);
-      const webPort = box.cloud?.webPort ?? CLOUD_WEB_PROXY_PORT;
-      let webPreview;
-      try {
-        webPreview = await backend.previewUrl(h, webPort);
-      } catch {
-        const cached = box.cloud?.previewUrls?.[webPort];
-        webPreview = cached ? { url: cached } : void 0;
-      }
-      const servicePreviews = {};
-      try {
-        const ports = await readExposedServicePorts(box.workspacePath);
-        for (const port of ports) {
-          if (port === webPort) continue;
-          try {
-            const p = await backend.previewUrl(h, port);
-            servicePreviews[port] = p.url;
-          } catch {
-          }
-        }
-      } catch {
-      }
-      let relayPreview;
-      try {
-        relayPreview = await backend.previewUrl(h, 8788);
-      } catch {
-        relayPreview = box.cloud?.relayPreviewUrl ? { url: box.cloud.relayPreviewUrl, token: box.cloud.relayPreviewToken } : void 0;
-      }
-      const mergedPreviews = {
-        ...box.cloud?.previewUrls ?? {},
-        ...servicePreviews
-      };
-      if (webPreview !== void 0) mergedPreviews[webPort] = webPreview.url;
-      let portlessAliasName = box.portlessAlias;
-      let portlessUrlResolved = box.portlessUrl;
-      if (box.portlessAlias && webPreview) {
-        const r = await bootstrapPortlessForCloudBox(backend, h, {
-          boxName: box.name,
-          webPreviewUrl: webPreview.url,
-          webPort,
-          onLog: () => {
-          }
-        });
-        if (r) {
-          portlessAliasName = r.alias;
-          portlessUrlResolved = r.url;
-        }
-      }
-      let portlessVncAliasName = box.portlessVncAlias;
-      let portlessVncUrlResolved = box.portlessVncUrl;
-      if (box.portlessVncAlias && box.vncEnabled) {
-        try {
-          const vncPreview = await backend.previewUrl(h, CLOUD_VNC_PORT);
-          const url = await registerHostPortlessAlias({
-            alias: box.portlessVncAlias,
-            previewUrl: vncPreview.url,
-            label: "vnc",
-            onLog: () => {
-            }
-          });
-          if (url) {
-            portlessVncAliasName = box.portlessVncAlias;
-            portlessVncUrlResolved = url;
-          }
-        } catch {
-        }
-      }
-      const next = {
-        ...box,
-        portlessAlias: portlessAliasName,
-        portlessUrl: portlessUrlResolved,
-        portlessVncAlias: portlessVncAliasName,
-        portlessVncUrl: portlessVncUrlResolved,
-        cloud: {
-          ...box.cloud ?? { backend: providerName, sandboxId: h.sandboxId },
-          webPort,
-          previewUrls: Object.keys(mergedPreviews).length > 0 ? mergedPreviews : void 0,
-          relayPreviewUrl: relayPreview?.url ?? box.cloud?.relayPreviewUrl,
-          relayPreviewToken: relayPreview?.token ?? box.cloud?.relayPreviewToken
-        }
-      };
-      await recordBox(next);
-      await launchCloudCtlDaemon({
-        backend,
-        handle: h,
-        boxId: box.id,
-        boxName: box.name,
-        relayUrl: `http://127.0.0.1:${String(8788)}`,
-        relayToken: box.relayToken ?? "",
-        bridgeToken: box.cloud?.bridgeToken
-      });
-      try {
-        const dockerd = await launchCloudDockerdDaemon({ backend, handle: h, timeoutMs: 6e4 });
-        if (!dockerd.up) {
-        }
-      } catch {
-      }
-      if (box.vncEnabled && box.vncPassword) {
-        try {
-          await launchCloudVncDaemon({ backend, handle: h, vncPassword: box.vncPassword });
-        } catch {
-        }
-      }
-      if (relayPreview && box.relayToken && box.cloud?.bridgeToken) {
-        try {
-          await registerBoxWithRelay({
-            boxId: box.id,
-            token: box.relayToken,
-            name: box.name,
-            kind: "cloud",
-            backend: backend.name,
-            previewUrl: relayPreview.url,
-            previewToken: relayPreview.token,
-            bridgeToken: box.cloud.bridgeToken,
-            createdAt: box.createdAt,
-            projectIndex: box.projectIndex
-          });
-        } catch {
-        }
-      }
-      return next;
+      return reEnsureCloudBox(box, h);
     },
     async pause(box) {
       await backend.pause(handleFor(box));
+      await persistLastState(box, "paused");
     },
     async resume(box) {
-      await backend.resume(handleFor(box));
+      const h = handleFor(box);
+      await backend.resume(h);
+      await reEnsureCloudBox(box, h);
     },
     async stop(box) {
       await backend.stop(handleFor(box));
+      await persistLastState(box, "paused");
     },
     async destroy(box) {
       try {
@@ -1435,7 +1566,7 @@ function createCloudProvider(backend, opts = {}) {
     },
     async inspect(box) {
       const state = await probe(box);
-      const webPort = box.cloud?.webPort ?? CLOUD_WEB_PROXY_PORT;
+      const webPort = box.cloud?.webPort ?? backend.webProxyPort ?? CLOUD_WEB_PROXY_PORT;
       const portlessWebUrl = box.portlessAlias !== void 0 ? box.portlessUrl ?? `https://${box.portlessAlias}.localhost` : void 0;
       const cachedWebUrl = box.cloud?.previewUrls?.[webPort];
       const webUrl = portlessWebUrl ?? cachedWebUrl;
@@ -1515,11 +1646,22 @@ function createCloudProvider(backend, opts = {}) {
           return box.portlessVncUrl ?? `https://${box.portlessVncAlias}.localhost`;
         }
       }
-      const port = kind === "vnc" ? CLOUD_VNC_PORT : box.cloud?.webPort ?? CLOUD_WEB_PROXY_PORT;
+      const port = kind === "vnc" ? CLOUD_VNC_PORT : box.cloud?.webPort ?? backend.webProxyPort ?? CLOUD_WEB_PROXY_PORT;
       if (backend.signedPreviewUrl) {
         const ttl = opts2?.ttl ?? DEFAULT_SIGNED_URL_TTL_SECONDS;
-        const signed = await backend.signedPreviewUrl(h, port, ttl);
-        return signed.url;
+        try {
+          const signed = await backend.signedPreviewUrl(h, port, ttl);
+          return signed.url;
+        } catch (err) {
+          if (kind === "web") {
+            const fallbackPort = await firstExposedServicePort(box);
+            if (fallbackPort !== void 0 && fallbackPort !== port) {
+              const signed = await backend.signedPreviewUrl(h, fallbackPort, ttl);
+              return signed.url;
+            }
+          }
+          throw err;
+        }
       }
       const p = await backend.previewUrl(h, port);
       throw new Error(
@@ -1530,11 +1672,32 @@ function createCloudProvider(backend, opts = {}) {
     // capability stub whose methods throw — the CLI's `agentbox checkpoint
     // create` then surfaces a clean "not supported" error rather than a
     // silent no-op.
-    checkpoint: makeCloudCheckpoint(backend)
+    checkpoint: makeCloudCheckpoint(backend),
+    // Extract the box's agent login(s) back to the host (~/.agentbox) so the
+    // next box inherits the login. Lives on the base cloud provider (not inside
+    // `checkpoint.create`) so it works even for providers that override the
+    // whole `checkpoint` capability (vercel). The CLI calls this on
+    // `checkpoint create --set-default`, while the box is guaranteed running.
+    async extractAgentCredentials(box) {
+      if (!box.cloud?.sandboxId) return [];
+      return extractCloudAgentCredentials(backend, { sandboxId: box.cloud.sandboxId });
+    }
     // stats is provider-optional; cloud backends without a metrics API just
     // omit it. Backends that have one can decorate the returned provider.
   };
 }
+var RESERVED_CLOUD_PORTS = /* @__PURE__ */ new Set([CLOUD_WEB_PROXY_PORT, CLOUD_VNC_PORT, 8788]);
+async function firstExposedServicePort(box) {
+  const reserved = (p) => RESERVED_CLOUD_PORTS.has(p) || p === box.cloud?.webPort;
+  const fromRecord = Object.keys(box.cloud?.previewUrls ?? {}).map(Number).filter((p) => Number.isInteger(p) && !reserved(p));
+  if (fromRecord.length > 0) return Math.min(...fromRecord);
+  try {
+    const fromYaml = (await readExposedServicePorts(box.workspacePath)).filter((p) => !reserved(p));
+    if (fromYaml.length > 0) return Math.min(...fromYaml);
+  } catch {
+  }
+  return void 0;
+}
 function makeCloudCheckpoint(backend) {
   return {
     async create(box, name) {
@@ -1635,6 +1798,10 @@ export {
   agentSpecsForCloud,
   listCloudCheckpoints,
   resolveCloudCheckpoint,
-  createCloudProvider
+  writeCloudCheckpointManifest,
+  removeCloudCheckpointDir,
+  probeCloudCheckpoint,
+  createCloudProvider,
+  renderInnerCommand
 };
-//# sourceMappingURL=chunk-67N47KUS.js.map
+//# sourceMappingURL=chunk-2GPORKYF.js.map