@madarco/agentbox 0.9.0 → 0.10.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@madarco/agentbox",
-  "version": "0.9.0",
+  "version": "0.10.0",
   "description": "Launch Claude Code, Codex, and other coding agents in isolated sandboxes",
   "license": "MIT",
   "author": "Marco D'Alia",
@@ -37,7 +37,8 @@
   "files": [
     "dist",
     "share",
-    "runtime"
+    "runtime",
+    "CHANGELOG.md"
   ],
   "dependencies": {
     "@clack/prompts": "^0.9.0",
@@ -57,16 +58,16 @@
     "tsup": "^8.3.5",
     "typescript": "^5.7.2",
     "vitest": "^2.1.8",
+    "@agentbox/config": "0.0.0",
+    "@agentbox/ctl": "0.0.0",
     "@agentbox/sandbox-core": "0.0.0",
     "@agentbox/core": "0.0.0",
     "@agentbox/relay": "0.0.0",
-    "@agentbox/ctl": "0.0.0",
-    "@agentbox/config": "0.0.0",
     "@agentbox/sandbox-daytona": "0.0.0",
-    "@agentbox/sandbox-vercel": "0.0.0",
-    "@agentbox/sandbox-cloud": "0.0.0",
     "@agentbox/sandbox-docker": "0.0.0",
-    "@agentbox/sandbox-hetzner": "0.0.0"
+    "@agentbox/sandbox-cloud": "0.0.0",
+    "@agentbox/sandbox-hetzner": "0.0.0",
+    "@agentbox/sandbox-vercel": "0.0.0"
   },
   "scripts": {
     "build": "tsup",
@@ -75,6 +76,7 @@
     "test": "vitest run",
     "typecheck": "tsc --noEmit",
     "clean": "rm -rf dist runtime .turbo",
+    "version": "git add CHANGELOG.md",
     "publish:patch": "npm version patch && git push --follow-tags",
     "publish:minor": "npm version minor && git push --follow-tags"
   }

package/runtime/docker/apps/cli/share/agentbox-setup/SKILL.md

@@ -164,14 +164,7 @@ services:
 - A service with `restart: never` and an autostart dependency will block the dependent forever after one failed run — usually a mistake.
 - `command:` is either a shell string (run via `bash -c`) or an argv array. Use the argv form if you need to avoid shell quoting.
 
-## 8. Checkpoint the warm state (do this at the very end)
-
-Checkpoint (snapshot) this box writable layer: once the box is warmed up (deps installed, services ready), checkpoint it with `agentbox-ctl checkpoint --name setup --replace --set-default` so future boxes start ready.
-Run this command exactly once. The `--name setup --replace` makes it idempotent — if it ever needs to run again it overwrites the existing `setup` checkpoint instead of stacking duplicates.
-This doesn't need to be confirmed by the user.
-It will pause the container for several seconds so warn the user about it and write Done when it's done.
-
-## 9. Hand-off
+## 8. Hand-off
 
 Tell the user (verbatim):
 
@@ -187,6 +180,14 @@ Tell the user (verbatim):
    your box is ready, you can start more sessions with `agentbox claude`
    you can access the web app at https://<boxname>.localhost
 
+
+## 9. Checkpoint the warm state - DON't SKIP THIS STEP
+
+Checkpoint (snapshot) this box writable layer: once the box is warmed up (deps installed, services ready), checkpoint it with `agentbox-ctl checkpoint --name setup --replace --set-default` so future boxes start ready.
+Run this command exactly once. The `--name setup --replace` makes it idempotent — if it ever needs to run again it overwrites the existing `setup` checkpoint instead of stacking duplicates.
+On all providers except Vercel, this doesn't need to be confirmed by the user. It will pause the container for several seconds so warn the user about it and write Done when it's done.
+On Vercel: this actually STOPS the sandbox, so warn the user about it. Also the system will ask confirmation.
+
 ## 10. Known issues
 
 - For Nextjs/Vite/Tasnstack projects, makes sure to forward also websocket for hot reload.

package/runtime/docker/packages/ctl/dist/bin.cjs

@@ -18599,11 +18599,21 @@ var KEY_REGISTRY = [
     type: "string",
     description: "tmux session name for `agentbox claude`."
   },
+  {
+    key: "claude.dangerouslySkipPermissions",
+    type: "bool",
+    description: "Launch claude in new boxes with --dangerously-skip-permissions (auto-accept tool use). Safe because boxes are isolated; on by default. Override per-box with --no-dangerously-skip-permissions."
+  },
   {
     key: "codex.sessionName",
     type: "string",
     description: "tmux session name for `agentbox codex`."
   },
+  {
+    key: "codex.dangerouslySkipPermissions",
+    type: "bool",
+    description: "Launch codex in new boxes with --dangerously-bypass-approvals-and-sandbox (never prompt for approval). Safe because boxes are isolated; on by default. Override per-box with --no-dangerously-skip-permissions."
+  },
   {
     key: "opencode.sessionName",
     type: "string",
@@ -19657,6 +19667,18 @@ async function runCheckpointRpc(action, deps) {
       stderr: "relay: AGENTBOX_CLI_ENTRY not set; cannot run checkpoint host-side\n"
     };
   }
+  if (deps.backendName === "vercel" && deps.prompts && deps.subscribers && deps.subscribers.forBox(deps.boxId).length > 0) {
+    const verdict = await askPrompt(deps.prompts, deps.subscribers, deps.boxId, {
+      kind: "confirm",
+      message: `Create checkpoint on ${deps.boxName ?? deps.boxId}? The vercel box will stop and reboot.`,
+      detail: params.name ? `checkpoint: ${params.name}` : "(auto-named)",
+      defaultAnswer: "n",
+      context: { command: "checkpoint create", argv: params.name ? [params.name] : [] }
+    });
+    if (verdict.answer !== "y") {
+      return { exitCode: 10, stdout: "", stderr: "checkpoint denied by user\n" };
+    }
+  }
   const argv = [process.execPath, entry, "checkpoint", "create", deps.boxId];
   if (params.name) argv.push("--name", params.name);
   if (params.merged === true) argv.push("--merged");
@@ -20013,7 +20035,12 @@ function createRelayServer(opts) {
         boxes: registry.size(),
         events: events.size(),
         pid: process.pid,
-        cliEntry: Boolean(process.env.AGENTBOX_CLI_ENTRY)
+        cliEntry: Boolean(process.env.AGENTBOX_CLI_ENTRY),
+        // The spawning CLI's version/commit (inherited via env at spawn time).
+        // `version` lets host-side ensureRelay reclaim a relay left over from a
+        // different agentbox version; `commit` is observability-only.
+        version: process.env.AGENTBOX_CLI_VERSION || void 0,
+        commit: process.env.AGENTBOX_CLI_COMMIT || void 0
       });
       return;
     }
@@ -21957,6 +21984,7 @@ var Supervisor = class extends import_node_events15.EventEmitter {
     super();
     this.opts = opts;
     this.relay = new RelayClient();
+    this.webProxy = new WebProxy(opts.webProxyPort);
   }
   opts;
   units = /* @__PURE__ */ new Map();
@@ -21966,7 +21994,7 @@ var Supervisor = class extends import_node_events15.EventEmitter {
   scheduling = false;
   rescheduleDirty = false;
   relay;
-  webProxy = new WebProxy();
+  webProxy;
   /** The relay client the supervisor pushes state events on. Shared with the
    * status reporter so both use the same fire-and-forget channel. */
   get relayClient() {
@@ -22893,7 +22921,8 @@ function resolveBoxRelayPort() {
 }
 var daemonCommand = new Command("daemon").description("Run the agentbox-ctl supervisor in the foreground").option("--socket <path>", "unix socket path", DEFAULT_SOCKET_PATH).option("--config <path>", "path to agentbox.yaml", DEFAULT_CONFIG_PATH).option("--log-dir <path>", "where per-service log files are written", DEFAULT_LOG_DIR).option("--workspace <path>", "cwd for service processes", "/workspace").action(async (opts) => {
   const cfg = await loadConfig(opts.config);
-  const sup = new Supervisor({ workspace: opts.workspace, logDir: opts.logDir });
+  const webProxyPort = Number(process.env.AGENTBOX_WEB_PROXY_PORT) || void 0;
+  const sup = new Supervisor({ workspace: opts.workspace, logDir: opts.logDir, webProxyPort });
   await sup.init(cfg);
   const reporter = new StatusReporter({
     supervisor: sup,

package/runtime/hetzner/agentbox-setup-skill.md

@@ -164,14 +164,7 @@ services:
 - A service with `restart: never` and an autostart dependency will block the dependent forever after one failed run — usually a mistake.
 - `command:` is either a shell string (run via `bash -c`) or an argv array. Use the argv form if you need to avoid shell quoting.
 
-## 8. Checkpoint the warm state (do this at the very end)
-
-Checkpoint (snapshot) this box writable layer: once the box is warmed up (deps installed, services ready), checkpoint it with `agentbox-ctl checkpoint --name setup --replace --set-default` so future boxes start ready.
-Run this command exactly once. The `--name setup --replace` makes it idempotent — if it ever needs to run again it overwrites the existing `setup` checkpoint instead of stacking duplicates.
-This doesn't need to be confirmed by the user.
-It will pause the container for several seconds so warn the user about it and write Done when it's done.
-
-## 9. Hand-off
+## 8. Hand-off
 
 Tell the user (verbatim):
 
@@ -187,6 +180,14 @@ Tell the user (verbatim):
    your box is ready, you can start more sessions with `agentbox claude`
    you can access the web app at https://<boxname>.localhost
 
+
+## 9. Checkpoint the warm state - DON't SKIP THIS STEP
+
+Checkpoint (snapshot) this box writable layer: once the box is warmed up (deps installed, services ready), checkpoint it with `agentbox-ctl checkpoint --name setup --replace --set-default` so future boxes start ready.
+Run this command exactly once. The `--name setup --replace` makes it idempotent — if it ever needs to run again it overwrites the existing `setup` checkpoint instead of stacking duplicates.
+On all providers except Vercel, this doesn't need to be confirmed by the user. It will pause the container for several seconds so warn the user about it and write Done when it's done.
+On Vercel: this actually STOPS the sandbox, so warn the user about it. Also the system will ask confirmation.
+
 ## 10. Known issues
 
 - For Nextjs/Vite/Tasnstack projects, makes sure to forward also websocket for hot reload.

package/runtime/hetzner/ctl.cjs

@@ -18599,11 +18599,21 @@ var KEY_REGISTRY = [
     type: "string",
     description: "tmux session name for `agentbox claude`."
   },
+  {
+    key: "claude.dangerouslySkipPermissions",
+    type: "bool",
+    description: "Launch claude in new boxes with --dangerously-skip-permissions (auto-accept tool use). Safe because boxes are isolated; on by default. Override per-box with --no-dangerously-skip-permissions."
+  },
   {
     key: "codex.sessionName",
     type: "string",
     description: "tmux session name for `agentbox codex`."
   },
+  {
+    key: "codex.dangerouslySkipPermissions",
+    type: "bool",
+    description: "Launch codex in new boxes with --dangerously-bypass-approvals-and-sandbox (never prompt for approval). Safe because boxes are isolated; on by default. Override per-box with --no-dangerously-skip-permissions."
+  },
   {
     key: "opencode.sessionName",
     type: "string",
@@ -19657,6 +19667,18 @@ async function runCheckpointRpc(action, deps) {
       stderr: "relay: AGENTBOX_CLI_ENTRY not set; cannot run checkpoint host-side\n"
     };
   }
+  if (deps.backendName === "vercel" && deps.prompts && deps.subscribers && deps.subscribers.forBox(deps.boxId).length > 0) {
+    const verdict = await askPrompt(deps.prompts, deps.subscribers, deps.boxId, {
+      kind: "confirm",
+      message: `Create checkpoint on ${deps.boxName ?? deps.boxId}? The vercel box will stop and reboot.`,
+      detail: params.name ? `checkpoint: ${params.name}` : "(auto-named)",
+      defaultAnswer: "n",
+      context: { command: "checkpoint create", argv: params.name ? [params.name] : [] }
+    });
+    if (verdict.answer !== "y") {
+      return { exitCode: 10, stdout: "", stderr: "checkpoint denied by user\n" };
+    }
+  }
   const argv = [process.execPath, entry, "checkpoint", "create", deps.boxId];
   if (params.name) argv.push("--name", params.name);
   if (params.merged === true) argv.push("--merged");
@@ -20013,7 +20035,12 @@ function createRelayServer(opts) {
         boxes: registry.size(),
         events: events.size(),
         pid: process.pid,
-        cliEntry: Boolean(process.env.AGENTBOX_CLI_ENTRY)
+        cliEntry: Boolean(process.env.AGENTBOX_CLI_ENTRY),
+        // The spawning CLI's version/commit (inherited via env at spawn time).
+        // `version` lets host-side ensureRelay reclaim a relay left over from a
+        // different agentbox version; `commit` is observability-only.
+        version: process.env.AGENTBOX_CLI_VERSION || void 0,
+        commit: process.env.AGENTBOX_CLI_COMMIT || void 0
       });
       return;
     }
@@ -21957,6 +21984,7 @@ var Supervisor = class extends import_node_events15.EventEmitter {
     super();
     this.opts = opts;
     this.relay = new RelayClient();
+    this.webProxy = new WebProxy(opts.webProxyPort);
   }
   opts;
   units = /* @__PURE__ */ new Map();
@@ -21966,7 +21994,7 @@ var Supervisor = class extends import_node_events15.EventEmitter {
   scheduling = false;
   rescheduleDirty = false;
   relay;
-  webProxy = new WebProxy();
+  webProxy;
   /** The relay client the supervisor pushes state events on. Shared with the
    * status reporter so both use the same fire-and-forget channel. */
   get relayClient() {
@@ -22893,7 +22921,8 @@ function resolveBoxRelayPort() {
 }
 var daemonCommand = new Command("daemon").description("Run the agentbox-ctl supervisor in the foreground").option("--socket <path>", "unix socket path", DEFAULT_SOCKET_PATH).option("--config <path>", "path to agentbox.yaml", DEFAULT_CONFIG_PATH).option("--log-dir <path>", "where per-service log files are written", DEFAULT_LOG_DIR).option("--workspace <path>", "cwd for service processes", "/workspace").action(async (opts) => {
   const cfg = await loadConfig(opts.config);
-  const sup = new Supervisor({ workspace: opts.workspace, logDir: opts.logDir });
+  const webProxyPort = Number(process.env.AGENTBOX_WEB_PROXY_PORT) || void 0;
+  const sup = new Supervisor({ workspace: opts.workspace, logDir: opts.logDir, webProxyPort });
   await sup.init(cfg);
   const reporter = new StatusReporter({
     supervisor: sup,

package/runtime/relay/bin.cjs

@@ -18684,6 +18684,18 @@ async function runCheckpointRpc(action, deps) {
       stderr: "relay: AGENTBOX_CLI_ENTRY not set; cannot run checkpoint host-side\n"
     };
   }
+  if (deps.backendName === "vercel" && deps.prompts && deps.subscribers && deps.subscribers.forBox(deps.boxId).length > 0) {
+    const verdict = await askPrompt(deps.prompts, deps.subscribers, deps.boxId, {
+      kind: "confirm",
+      message: `Create checkpoint on ${deps.boxName ?? deps.boxId}? The vercel box will stop and reboot.`,
+      detail: params.name ? `checkpoint: ${params.name}` : "(auto-named)",
+      defaultAnswer: "n",
+      context: { command: "checkpoint create", argv: params.name ? [params.name] : [] }
+    });
+    if (verdict.answer !== "y") {
+      return { exitCode: 10, stdout: "", stderr: "checkpoint denied by user\n" };
+    }
+  }
   const argv = [process.execPath, entry, "checkpoint", "create", deps.boxId];
   if (params.name) argv.push("--name", params.name);
   if (params.merged === true) argv.push("--merged");
@@ -19300,7 +19312,12 @@ function createRelayServer(opts) {
         boxes: registry.size(),
         events: events.size(),
         pid: process.pid,
-        cliEntry: Boolean(process.env.AGENTBOX_CLI_ENTRY)
+        cliEntry: Boolean(process.env.AGENTBOX_CLI_ENTRY),
+        // The spawning CLI's version/commit (inherited via env at spawn time).
+        // `version` lets host-side ensureRelay reclaim a relay left over from a
+        // different agentbox version; `commit` is observability-only.
+        version: process.env.AGENTBOX_CLI_VERSION || void 0,
+        commit: process.env.AGENTBOX_CLI_COMMIT || void 0
       });
       return;
     }
@@ -20111,10 +20128,12 @@ var BUILT_IN_DEFAULTS = {
     maxLayers: 3
   },
   claude: {
-    sessionName: "claude"
+    sessionName: "claude",
+    dangerouslySkipPermissions: true
   },
   codex: {
-    sessionName: "codex"
+    sessionName: "codex",
+    dangerouslySkipPermissions: true
   },
   opencode: {
     sessionName: "opencode"
@@ -20302,11 +20321,21 @@ var KEY_REGISTRY = [
     type: "string",
     description: "tmux session name for `agentbox claude`."
   },
+  {
+    key: "claude.dangerouslySkipPermissions",
+    type: "bool",
+    description: "Launch claude in new boxes with --dangerously-skip-permissions (auto-accept tool use). Safe because boxes are isolated; on by default. Override per-box with --no-dangerously-skip-permissions."
+  },
   {
     key: "codex.sessionName",
     type: "string",
     description: "tmux session name for `agentbox codex`."
   },
+  {
+    key: "codex.dangerouslySkipPermissions",
+    type: "bool",
+    description: "Launch codex in new boxes with --dangerously-bypass-approvals-and-sandbox (never prompt for approval). Safe because boxes are isolated; on by default. Override per-box with --no-dangerously-skip-permissions."
+  },
   {
     key: "opencode.sessionName",
     type: "string",

package/runtime/vercel/agentbox-setup-skill.md

@@ -164,14 +164,7 @@ services:
 - A service with `restart: never` and an autostart dependency will block the dependent forever after one failed run — usually a mistake.
 - `command:` is either a shell string (run via `bash -c`) or an argv array. Use the argv form if you need to avoid shell quoting.
 
-## 8. Checkpoint the warm state (do this at the very end)
-
-Checkpoint (snapshot) this box writable layer: once the box is warmed up (deps installed, services ready), checkpoint it with `agentbox-ctl checkpoint --name setup --replace --set-default` so future boxes start ready.
-Run this command exactly once. The `--name setup --replace` makes it idempotent — if it ever needs to run again it overwrites the existing `setup` checkpoint instead of stacking duplicates.
-This doesn't need to be confirmed by the user.
-It will pause the container for several seconds so warn the user about it and write Done when it's done.
-
-## 9. Hand-off
+## 8. Hand-off
 
 Tell the user (verbatim):
 
@@ -187,6 +180,14 @@ Tell the user (verbatim):
    your box is ready, you can start more sessions with `agentbox claude`
    you can access the web app at https://<boxname>.localhost
 
+
+## 9. Checkpoint the warm state - DON't SKIP THIS STEP
+
+Checkpoint (snapshot) this box writable layer: once the box is warmed up (deps installed, services ready), checkpoint it with `agentbox-ctl checkpoint --name setup --replace --set-default` so future boxes start ready.
+Run this command exactly once. The `--name setup --replace` makes it idempotent — if it ever needs to run again it overwrites the existing `setup` checkpoint instead of stacking duplicates.
+On all providers except Vercel, this doesn't need to be confirmed by the user. It will pause the container for several seconds so warn the user about it and write Done when it's done.
+On Vercel: this actually STOPS the sandbox, so warn the user about it. Also the system will ask confirmation.
+
 ## 10. Known issues
 
 - For Nextjs/Vite/Tasnstack projects, makes sure to forward also websocket for hot reload.

package/runtime/vercel/ctl.cjs

@@ -18599,11 +18599,21 @@ var KEY_REGISTRY = [
     type: "string",
     description: "tmux session name for `agentbox claude`."
   },
+  {
+    key: "claude.dangerouslySkipPermissions",
+    type: "bool",
+    description: "Launch claude in new boxes with --dangerously-skip-permissions (auto-accept tool use). Safe because boxes are isolated; on by default. Override per-box with --no-dangerously-skip-permissions."
+  },
   {
     key: "codex.sessionName",
     type: "string",
     description: "tmux session name for `agentbox codex`."
   },
+  {
+    key: "codex.dangerouslySkipPermissions",
+    type: "bool",
+    description: "Launch codex in new boxes with --dangerously-bypass-approvals-and-sandbox (never prompt for approval). Safe because boxes are isolated; on by default. Override per-box with --no-dangerously-skip-permissions."
+  },
   {
     key: "opencode.sessionName",
     type: "string",
@@ -19657,6 +19667,18 @@ async function runCheckpointRpc(action, deps) {
       stderr: "relay: AGENTBOX_CLI_ENTRY not set; cannot run checkpoint host-side\n"
     };
   }
+  if (deps.backendName === "vercel" && deps.prompts && deps.subscribers && deps.subscribers.forBox(deps.boxId).length > 0) {
+    const verdict = await askPrompt(deps.prompts, deps.subscribers, deps.boxId, {
+      kind: "confirm",
+      message: `Create checkpoint on ${deps.boxName ?? deps.boxId}? The vercel box will stop and reboot.`,
+      detail: params.name ? `checkpoint: ${params.name}` : "(auto-named)",
+      defaultAnswer: "n",
+      context: { command: "checkpoint create", argv: params.name ? [params.name] : [] }
+    });
+    if (verdict.answer !== "y") {
+      return { exitCode: 10, stdout: "", stderr: "checkpoint denied by user\n" };
+    }
+  }
   const argv = [process.execPath, entry, "checkpoint", "create", deps.boxId];
   if (params.name) argv.push("--name", params.name);
   if (params.merged === true) argv.push("--merged");
@@ -20013,7 +20035,12 @@ function createRelayServer(opts) {
         boxes: registry.size(),
         events: events.size(),
         pid: process.pid,
-        cliEntry: Boolean(process.env.AGENTBOX_CLI_ENTRY)
+        cliEntry: Boolean(process.env.AGENTBOX_CLI_ENTRY),
+        // The spawning CLI's version/commit (inherited via env at spawn time).
+        // `version` lets host-side ensureRelay reclaim a relay left over from a
+        // different agentbox version; `commit` is observability-only.
+        version: process.env.AGENTBOX_CLI_VERSION || void 0,
+        commit: process.env.AGENTBOX_CLI_COMMIT || void 0
       });
       return;
     }
@@ -21957,6 +21984,7 @@ var Supervisor = class extends import_node_events15.EventEmitter {
     super();
     this.opts = opts;
     this.relay = new RelayClient();
+    this.webProxy = new WebProxy(opts.webProxyPort);
   }
   opts;
   units = /* @__PURE__ */ new Map();
@@ -21966,7 +21994,7 @@ var Supervisor = class extends import_node_events15.EventEmitter {
   scheduling = false;
   rescheduleDirty = false;
   relay;
-  webProxy = new WebProxy();
+  webProxy;
   /** The relay client the supervisor pushes state events on. Shared with the
    * status reporter so both use the same fire-and-forget channel. */
   get relayClient() {
@@ -22893,7 +22921,8 @@ function resolveBoxRelayPort() {
 }
 var daemonCommand = new Command("daemon").description("Run the agentbox-ctl supervisor in the foreground").option("--socket <path>", "unix socket path", DEFAULT_SOCKET_PATH).option("--config <path>", "path to agentbox.yaml", DEFAULT_CONFIG_PATH).option("--log-dir <path>", "where per-service log files are written", DEFAULT_LOG_DIR).option("--workspace <path>", "cwd for service processes", "/workspace").action(async (opts) => {
   const cfg = await loadConfig(opts.config);
-  const sup = new Supervisor({ workspace: opts.workspace, logDir: opts.logDir });
+  const webProxyPort = Number(process.env.AGENTBOX_WEB_PROXY_PORT) || void 0;
+  const sup = new Supervisor({ workspace: opts.workspace, logDir: opts.logDir, webProxyPort });
   await sup.init(cfg);
   const reporter = new StatusReporter({
     supervisor: sup,

package/runtime/vercel/custom-system-CLAUDE.md

@@ -15,10 +15,7 @@ This box is **persistent**: stopping it captures a snapshot and resuming
 restarts from that snapshot, so the filesystem survives a pause. You can also
 save the current filesystem state for future boxes with
 `agentbox-ctl checkpoint --set-default`, but a checkpoint/snapshot STOPS the
-box, so use it only at the end of the setup wizard — otherwise rely on
-idempotent tasks in `agentbox.yaml`. NB: this `agentbox-ctl` command normally
-doesn't need user confirmation, but since it stops the box, ask for
-confirmation before running it.
+box, so use it only at the end of the setup wizard.
 
 `/workspace` is a normal git checkout seeded from the host repo at create time.
 Because there is no host bind-mount, plain `git` inside the box only affects

package/runtime/vercel/scripts/provision.sh

@@ -245,6 +245,46 @@ step "Claude Code (native installer, run as vscode)"
 sudo -u vscode -H bash -lc 'curl -fsSL https://claude.ai/install.sh | bash -s stable'
 done_ "Claude Code (native installer, run as vscode)"
 
+step "Chrome runtime libs (dnf)"
+# agent-browser launches Chromium at AGENT_BROWSER_EXECUTABLE_PATH
+# (/usr/local/bin/chromium, set in the login-shell shim above). Docker + hetzner
+# bake that binary in; do the same here. These are the AL2023 (dnf) equivalents
+# of the Ubuntu `t64` Chrome deps the other two providers apt-install — the
+# Ubuntu package names don't exist on Amazon Linux 2023. Fail loud: a missing lib
+# means a silently broken browser, not a convenience we can skip.
+dnf install -y -q --allowerasing \
+  nss nspr atk at-spi2-atk at-spi2-core cups-libs \
+  libdrm libxkbcommon libXcomposite libXdamage libXfixes libXrandr \
+  libXext libX11 libxcb mesa-libgbm pango cairo alsa-lib \
+  liberation-fonts
+done_ "Chrome runtime libs (dnf)"
+
+step "playwright + Chromium download (as vscode)"
+# Run the download as vscode so the cache lands under
+# /home/vscode/.cache/ms-playwright. Resolve a stable symlink at
+# /usr/local/bin/chromium so AGENT_BROWSER_EXECUTABLE_PATH stays predictable
+# across Chromium revision bumps (mirrors hetzner install-box.sh).
+npm install -g playwright 2>&1 | tail -3
+sudo -u vscode -H bash -lc 'playwright install chromium'
+CHROME_BIN="$(sudo -u vscode -H bash -lc 'ls /home/vscode/.cache/ms-playwright/chromium-*/chrome-linux*/chrome 2>/dev/null | sort | tail -1')"
+if [ -z "$CHROME_BIN" ] || [ ! -x "$CHROME_BIN" ]; then
+  echo "provision.sh: could not resolve Playwright Chromium binary" >&2
+  exit 70
+fi
+# Fail loud if a shared lib is missing — this is where an incomplete AL2023 dep
+# set surfaces at bake time instead of at first agent-browser launch. Capture
+# ldd's output first (|| true): under `set -euo pipefail` a non-zero ldd exit
+# would otherwise dominate the `ldd | grep` pipeline and make the missing-libs
+# check a silent no-op even when 'not found' lines are present.
+LDD_OUT="$(ldd "$CHROME_BIN" 2>&1 || true)"
+if printf '%s\n' "$LDD_OUT" | grep -q 'not found'; then
+  echo "provision.sh: Chromium has unresolved shared libs:" >&2
+  printf '%s\n' "$LDD_OUT" | grep 'not found' >&2
+  exit 71
+fi
+ln -sf "$CHROME_BIN" /usr/local/bin/chromium
+done_ "playwright + Chromium download (as vscode)"
+
 step "dnf cleanup"
 dnf clean all 2>/dev/null || true
 done_ "dnf cleanup"

package/share/agentbox-setup/SKILL.md

@@ -164,14 +164,7 @@ services:
 - A service with `restart: never` and an autostart dependency will block the dependent forever after one failed run — usually a mistake.
 - `command:` is either a shell string (run via `bash -c`) or an argv array. Use the argv form if you need to avoid shell quoting.
 
-## 8. Checkpoint the warm state (do this at the very end)
-
-Checkpoint (snapshot) this box writable layer: once the box is warmed up (deps installed, services ready), checkpoint it with `agentbox-ctl checkpoint --name setup --replace --set-default` so future boxes start ready.
-Run this command exactly once. The `--name setup --replace` makes it idempotent — if it ever needs to run again it overwrites the existing `setup` checkpoint instead of stacking duplicates.
-This doesn't need to be confirmed by the user.
-It will pause the container for several seconds so warn the user about it and write Done when it's done.
-
-## 9. Hand-off
+## 8. Hand-off
 
 Tell the user (verbatim):
 
@@ -187,6 +180,14 @@ Tell the user (verbatim):
    your box is ready, you can start more sessions with `agentbox claude`
    you can access the web app at https://<boxname>.localhost
 
+
+## 9. Checkpoint the warm state - DON't SKIP THIS STEP
+
+Checkpoint (snapshot) this box writable layer: once the box is warmed up (deps installed, services ready), checkpoint it with `agentbox-ctl checkpoint --name setup --replace --set-default` so future boxes start ready.
+Run this command exactly once. The `--name setup --replace` makes it idempotent — if it ever needs to run again it overwrites the existing `setup` checkpoint instead of stacking duplicates.
+On all providers except Vercel, this doesn't need to be confirmed by the user. It will pause the container for several seconds so warn the user about it and write Done when it's done.
+On Vercel: this actually STOPS the sandbox, so warn the user about it. Also the system will ask confirmation.
+
 ## 10. Known issues
 
 - For Nextjs/Vite/Tasnstack projects, makes sure to forward also websocket for hot reload.