vibebox 0.0.2 → 0.0.4

package/Dockerfile

@@ -17,6 +17,7 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
     fzf \
     gh \
     git \
+    gosu \
     openssh-client \
     gnupg2 \
     iproute2 \
@@ -38,11 +39,17 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
 # Create parent directory for non-standard home paths (e.g., /Users/joe on macOS)
 RUN mkdir -p $(dirname $LOCAL_HOME) 2>/dev/null || true
 
-# Create group and user
+# Create group and user (handle case where UID already exists, e.g. in CI)
 RUN groupadd -g $LOCAL_GID $LOCAL_USER 2>/dev/null || true && \
     GROUP_NAME=$(getent group $LOCAL_GID | cut -d: -f1) && \
-    useradd -m -s /bin/zsh -u $LOCAL_UID -g $GROUP_NAME -d $LOCAL_HOME $LOCAL_USER && \
-    echo "$LOCAL_USER ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers
+    if id -u $LOCAL_UID >/dev/null 2>&1; then \
+        EXISTING_USER=$(getent passwd $LOCAL_UID | cut -d: -f1) && \
+        usermod -d $LOCAL_HOME -s /bin/zsh -l $LOCAL_USER -g $GROUP_NAME $EXISTING_USER 2>/dev/null || true && \
+        mkdir -p $LOCAL_HOME && chown $LOCAL_UID:$LOCAL_GID $LOCAL_HOME; \
+    else \
+        useradd -m -s /bin/zsh -u $LOCAL_UID -g $GROUP_NAME -d $LOCAL_HOME $LOCAL_USER; \
+    fi && \
+    touch /etc/sudoers.d/vibebox-user && chmod 440 /etc/sudoers.d/vibebox-user
 
 USER $LOCAL_USER
 WORKDIR $LOCAL_HOME
@@ -60,16 +67,20 @@ RUN curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.0/install.sh | b
 RUN curl -fsSL https://claude.ai/install.sh | bash && \
     . "$NVM_DIR/nvm.sh" && npm install -g sfw
 
+# Add SSH known hosts for common git providers
+RUN mkdir -p $LOCAL_HOME/.ssh && chmod 700 $LOCAL_HOME/.ssh && \
+    ssh-keyscan -t ed25519,rsa github.com gitlab.com bitbucket.org >> $LOCAL_HOME/.ssh/known_hosts 2>/dev/null && \
+    chmod 600 $LOCAL_HOME/.ssh/known_hosts
+
 # Configure zsh
 RUN echo 'export NVM_DIR="$HOME/.nvm"' >> $LOCAL_HOME/.zshrc && \
     echo '[ -s "$NVM_DIR/nvm.sh" ] && \. "$NVM_DIR/nvm.sh"' >> $LOCAL_HOME/.zshrc && \
-    echo 'export PS1="vibebox:%~ %(#.#.$) "' >> $LOCAL_HOME/.zshrc && \
-    echo 'setopt PROMPT_SUBST' >> $LOCAL_HOME/.zshrc && \
+    echo 'source $HOME/.local/bin/prompt' >> $LOCAL_HOME/.zshrc && \
     echo 'alias npm="sfw npm"' >> $LOCAL_HOME/.zshrc && \
     echo 'alias npx="sfw npx"' >> $LOCAL_HOME/.zshrc && \
     echo '$HOME/.local/bin/port-monitor.sh &!' >> $LOCAL_HOME/.zshrc
 
-# Copy container scripts
+# Copy container scripts (as user)
 COPY --chown=$LOCAL_USER:$LOCAL_GID container-scripts/ $LOCAL_HOME/.local/bin/
 RUN chmod +x $LOCAL_HOME/.local/bin/*.sh
 
@@ -81,6 +92,35 @@ ENV SHELL=/bin/zsh \
     VISUAL=nano \
     DEVCONTAINER=true \
     PATH="$LOCAL_HOME/.local/bin:$LOCAL_HOME/.nvm/versions/node/v$NODE_VERSION/bin:$PATH" \
-    NODE_PATH="$LOCAL_HOME/.nvm/versions/node/v$NODE_VERSION/lib/node_modules"
+    NODE_PATH="$LOCAL_HOME/.nvm/versions/node/v$NODE_VERSION/lib/node_modules" \
+    LOCAL_USER=$LOCAL_USER \
+    LOCAL_HOME=$LOCAL_HOME
+
+# Create entrypoint (runs as root, sets up sudo if enabled, then drops to user)
+USER root
+RUN cat <<'ENTRYPOINT_EOF' > /entrypoint.sh
+#!/bin/bash
+set -e
+LOCAL_USER="${LOCAL_USER:-coder}"
+LOCAL_HOME="${LOCAL_HOME:-/home/$LOCAL_USER}"
+
+# Enable sudo if VIBEBOX_SUDO=1
+if [[ "$VIBEBOX_SUDO" == "1" ]]; then
+  echo "$LOCAL_USER ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/vibebox-user
+  chmod 440 /etc/sudoers.d/vibebox-user
+fi
+
+# Fix SSH socket permissions (Docker on macOS mounts as root:root)
+# Use 600 (owner-only) instead of 666 (world-writable) for security
+if [[ -S /ssh-agent ]]; then
+  chown "$LOCAL_USER" /ssh-agent 2>/dev/null || true
+  chmod 600 /ssh-agent 2>/dev/null || true
+fi
+
+# Drop to user and run startup.sh (gosu preserves env vars, unlike su -)
+exec gosu "$LOCAL_USER" "$LOCAL_HOME/.local/bin/startup.sh" "$@"
+ENTRYPOINT_EOF
+RUN chmod +x /entrypoint.sh
 
-CMD ["/bin/zsh", "-c", "$HOME/.local/bin/startup.sh tail -f /dev/null"]
+ENTRYPOINT ["/entrypoint.sh"]
+CMD ["tail", "-f", "/dev/null"]

package/README.md

@@ -44,9 +44,9 @@ vibebox rebuild           # Rebuild image with current host config
 
 # Customization (experimental)
 vibebox customize setup global   # Edit ~/.vibebox/setup.sh (runs in all sandboxes)
-vibebox customize setup local    # Edit .vibebox/setup.sh (runs in this project)
+vibebox customize setup local    # Edit vibebox.setup.sh (runs in this project)
 vibebox customize image global   # Edit ~/.vibebox/Dockerfile (custom base image)
-vibebox customize image local    # Edit .vibebox/Dockerfile (custom project-specific image)
+vibebox customize image local    # Edit vibebox.Dockerfile (custom project-specific image)
 ```
 
 ## Temporary Workspaces
@@ -100,9 +100,18 @@ Choose update strategy:
 
 Git config is automatically synced from host (user.name, user.email, aliases, common settings).
 
-**SSH agent forwarding:** If `$SSH_AUTH_SOCK` exists, it's mounted into the container. Your SSH keys work without copying them.
+**SSH agent forwarding** and **GitHub CLI** are **disabled by default** for security (prevents prompt injection from using your credentials). Enable in `vibebox.config.json`:
 
-**GitHub CLI:** If `~/.config/gh/hosts.yml` exists, it's mounted into the container and `gh auth setup-git` runs automatically.
+```json
+{
+  "sshAgent": true,
+  "ghAuth": true
+}
+```
+
+When enabled:
+- **SSH agent:** Forwarded to container. Keys never leave the host. Works with Docker Desktop (macOS) and native Docker (Linux).
+- **GitHub CLI:** `~/.config/gh/hosts.yml` mounted read-only, `gh auth setup-git` runs automatically.
 
 **HTTPS hint:** If using HTTPS remotes with SSH available, you'll see:
 ```
@@ -114,42 +123,43 @@ Git config is automatically synced from host (user.name, user.email, aliases, co
 
 **Setup scripts** run once when a container is first created:
 - `~/.vibebox/setup.sh` - Global, runs in all sandboxes
-- `.vibebox/setup.sh` - Local, runs in this project sandbox only
+- `vibebox.setup.sh` - Local, runs in this project sandbox only
 
 **Custom Dockerfiles** extend the base image:
 - `~/.vibebox/Dockerfile` - Global customizations (`FROM vibebox`)
-- `.vibebox/Dockerfile` - Project-specific (`FROM vibebox:user` or `FROM vibebox`)
+- `vibebox.Dockerfile` - Project-specific (`FROM vibebox:user` or `FROM vibebox`)
 
-Image hierarchy: `vibebox` → `vibebox:user` (global) → `vibebox:<hash>` (local)
+**Config** is stored in `vibebox.config.json` at project root and `~/.vibebox/config.json` globally. Local overrides global.
 
-Run `vibebox rebuild` after editing Dockerfiles.
+```json
+{
+  "ports": ["3000", "5173"],
+  "sudo": false,
+  "sshAgent": false,
+  "ghAuth": false
+}
+```
 
-## Why vibebox?
+| Option | Default | Description |
+|--------|---------|-------------|
+| `ports` | `["3000", "3001", ...]` | Ports to expose from sandbox |
+| `sudo` | `false` | Enable sudo access in sandbox |
+| `sshAgent` | `false` | Forward SSH agent to sandbox |
+| `ghAuth` | `false` | Mount GitHub CLI credentials |
 
-### vs `docker sandbox`
+All `vibebox.*` files at project root are meant to be git-tracked. The `.vibebox/` folder contains only runtime artifacts and can be gitignored.
 
-Docker Desktop includes an experimental `docker sandbox` command for running agents (Claude Code, Gemini) in containers. Here's why vibebox takes a different approach:
+Image hierarchy: `vibebox` → `vibebox:user` (global) → `vibebox:<hash>` (local)
 
-- **Transparency over black box**: `docker sandbox` is opaque. You can't see what it mounts, how it configures the environment, debug issues, or customize the image. vibebox is simple TypeScript you can read and modify.
-- **No `--dangerously-skip-permissions`**: `docker sandbox` runs Claude with all permissions bypassed. vibebox respects your existing Claude settings and permission model, including allowing you to launch with `--dangerously-skip-permissions` if that's your thing.
-- **Shared credentials**: `docker sandbox` doesn't share auth with your host, so you log in fresh every time you create a sandbox. vibebox syncs credentials bidirectionally with your system keychain.
-- **Works with any Docker runtime**: `docker sandbox` requires Docker Desktop. vibebox works with Docker Engine, Colima, or any Docker-compliant runtime.
-- **Interactive shell access**: `vibebox enter` drops you into a shell inside the container. Useful for debugging, running commands, or working alongside the agent.
-- **Port management**: vibebox automatically exposes common dev ports with dynamic host allocation, shows you the mappings when services start, and lets you add custom ports.
-- **Persistent containers**: Containers persist between sessions. Your installed packages, build artifacts, and environment stay intact until you explicitly remove them.
+Run `vibebox rebuild` after editing Dockerfiles.
 
-### vs raw docker
+## Why vibebox?
 
-- **Zero boilerplate**: No writing Dockerfiles, figuring out mount paths, or managing `docker run` flags. Just `vibebox agent run claude`.
-- **Automatic credential sync**: Credentials are extracted from your system keychain and mounted into the container. No manual token copying.
-- **User matching**: Container user matches your host UID/GID/home path, so file permissions just work.
-- **Built-in port detection**: When a service starts listening, vibebox shows you the mapped URL. No guessing which host port maps where.
+**vs `docker sandbox`**: Docker Desktop's sandbox uses microVM isolation—stronger security, but a blackbox. No credential sync (re-auth every session), no customization, runs in full yolo mode. On Linux it falls back to container isolation anyway. vibebox trades some isolation for **continuity**: credentials sync, config persists, you can customize and debug.
 
-### vs devcontainers
+**vs raw docker**: No Dockerfiles, no mount flags, no manual credential copying. Just `vibebox agent run claude`. Container user matches your UID/GID so file permissions work. Port mappings shown automatically when services start.
 
-- **No IDE coupling**: Devcontainers are designed for VS Code. vibebox works from any terminal.
-- **Simpler model**: No `devcontainer.json`, no features, no lifecycle hooks. One command to start.
-- **Agent-first**: Built specifically for CLI agents with credential mounting, not general-purpose dev environments.
+**vs devcontainers**: No VS Code dependency, no `devcontainer.json`. Built for CLI agents, not general dev environments.
 
 ## License
 

package/container-scripts/gitignore_global

@@ -0,0 +1,43 @@
+# custom #
+###################
+.vibebox
+
+
+# Compiled source #
+###################
+*.com
+*.class
+*.dll
+*.exe
+*.o
+*.so
+
+# Packages #
+############
+# it's better to unpack these files and commit the raw source
+# git has its own built in compression methods
+*.7z
+*.dmg
+*.gz
+*.iso
+*.jar
+*.rar
+*.tar
+*.zip
+
+# Logs and databases #
+######################
+*.log
+*.sql
+*.sqlite
+!**/prisma/**/*.sql
+
+# OS generated files #
+######################
+.DS_Store
+.DS_Store?
+._*
+.Spotlight-V100
+.Trashes
+ehthumbs.db
+Thumbs.db

package/container-scripts/prompt

@@ -0,0 +1,49 @@
+prompt_git() {
+  # check if the current directory is in a git repository
+  if [ $(git rev-parse --is-inside-work-tree &>/dev/null; print $?) = 0 ]; then
+    # check if the current directory is in .git before running git checks
+    if [ "$(git rev-parse --is-inside-git-dir 2> /dev/null)" = "false" ]; then
+
+      # ensure index is up to date
+      git update-index --really-refresh  -q &>/dev/null
+
+      # check for uncommitted changes in the index
+      if ! $(git diff --quiet --ignore-submodules --cached); then
+          s="$s+";
+      fi
+
+      # check for unstaged changes
+      if ! $(git diff-files --quiet --ignore-submodules --); then
+          s="$s!";
+      fi
+
+      # check for untracked files
+      if [ -n "$(git ls-files --others --exclude-standard)" ]; then
+          s="$s?";
+      fi
+
+      # check for stashed files
+      # if $(git rev-parse --verify refs/stash &>/dev/null); then
+      #     s="$s$";
+      # fi
+
+    fi
+
+    # get the short symbolic ref
+    # if HEAD isn't a symbolic ref, get the short SHA
+    # otherwise, just give up
+    branchName="$(git symbolic-ref --quiet --short HEAD 2> /dev/null || \
+                  git rev-parse --short HEAD 2> /dev/null || \
+                  printf "(unknown)")"
+
+    [ -n "$s" ] && s="[$s] "
+
+    printf "%s %s %s" "$1 " "$branchName" "$s"
+  else
+    return
+  fi
+}
+
+# Set up the prompt (with git branch name)
+setopt prompt_subst
+PROMPT='🇻 %~ $(prompt_git '⎇')%(!.#.\$) '

package/container-scripts/startup.sh

@@ -3,7 +3,8 @@ set -e
 
 HOME_DIR="$HOME"
 WORKSPACE="${VIBEBOX_PROJECT_ROOT:-$(pwd)}"
-SETUP_MARKER="$HOME_DIR/.vibebox/.setup-done-$(echo "$WORKSPACE" | tr '/' '-')"
+# Store setup marker in workspace .vibebox/ (writable), not ~/.vibebox (read-only)
+SETUP_MARKER="$WORKSPACE/.vibebox/.setup-done"
 
 # ============ Git Config Sync ============
 # Apply safe git settings from host (passed as VIBEBOX_GIT_* env vars)
@@ -17,14 +18,21 @@ setup_git_config() {
   [[ -n "$VIBEBOX_GIT_PULL_REBASE" ]] && git config --global pull.rebase "$VIBEBOX_GIT_PULL_REBASE"
   [[ -n "$VIBEBOX_GIT_HELP_AUTOCORRECT" ]] && git config --global help.autocorrect "$VIBEBOX_GIT_HELP_AUTOCORRECT"
 
+  # Default global gitignore (shipped with vibebox)
+  git config --global core.excludesFile "$HOME_DIR/.local/bin/gitignore_global"
+
   # Apply git aliases (passed as JSON in VIBEBOX_GIT_ALIASES)
+  # Node calls git config directly to avoid shell injection via alias values
   if [[ -n "$VIBEBOX_GIT_ALIASES" ]]; then
     echo "$VIBEBOX_GIT_ALIASES" | node -e "
+const { execFileSync } = require('child_process');
 const aliases = JSON.parse(require('fs').readFileSync(0, 'utf8'));
-for (const [name, cmd] of Object.entries(aliases)) console.log(name, cmd);
-" 2>/dev/null | while read -r name cmd; do
-      git config --global "alias.$name" "$cmd"
-    done
+for (const [name, cmd] of Object.entries(aliases)) {
+  try {
+    execFileSync('git', ['config', '--global', 'alias.' + name, cmd], { stdio: 'pipe' });
+  } catch {}
+}
+" 2>/dev/null || true
   fi
 }
 
@@ -58,7 +66,7 @@ show_ssh_hint() {
 }
 
 # ============ User Setup Scripts ============
-# Run once per container: global ~/.vibebox/setup.sh then local .vibebox/setup.sh
+# Run once per container: global ~/.vibebox/setup.sh then local vibebox.setup.sh
 
 run_setup_scripts() {
   if [[ -f "$SETUP_MARKER" ]]; then
@@ -67,35 +75,33 @@ run_setup_scripts() {
 
   # Global setup (runs in all sandboxes)
   local global_setup="$HOME_DIR/.vibebox/setup.sh"
-  if [[ -x "$global_setup" ]]; then
+  if [[ -f "$global_setup" ]]; then
     echo "[vibebox] Running global setup..."
-    "$global_setup" || echo "[vibebox] Global setup failed (continuing)"
+    if [[ -x "$global_setup" ]]; then
+      "$global_setup" || echo "[vibebox] Global setup failed (continuing)"
+    else
+      zsh "$global_setup" || echo "[vibebox] Global setup failed (continuing)"
+    fi
   fi
 
   # Local setup (project-specific)
-  local local_setup="$WORKSPACE/.vibebox/setup.sh"
-  if [[ -x "$local_setup" ]]; then
+  local local_setup="$WORKSPACE/vibebox.setup.sh"
+  if [[ -f "$local_setup" ]]; then
     echo "[vibebox] Running local setup..."
-    "$local_setup" || echo "[vibebox] Local setup failed (continuing)"
+    if [[ -x "$local_setup" ]]; then
+      "$local_setup" || echo "[vibebox] Local setup failed (continuing)"
+    else
+      zsh "$local_setup" || echo "[vibebox] Local setup failed (continuing)"
+    fi
   fi
 
   mkdir -p "$(dirname "$SETUP_MARKER")"
   touch "$SETUP_MARKER"
 }
 
-# ============ SSH Agent Socket Fix ============
-# Docker on macOS mounts sockets as root:root, fix permissions if needed
-
-fix_ssh_socket() {
-  if [[ -S /ssh-agent ]] && ! [[ -r /ssh-agent ]]; then
-    sudo chmod 666 /ssh-agent 2>/dev/null || true
-  fi
-}
-
 # ============ Main ============
 
 # Run setup on container start
-fix_ssh_socket
 setup_git_config
 setup_gh_cli
 run_setup_scripts

package/container-scripts/watcher.sh

@@ -1,45 +1,54 @@
 #!/bin/bash
-# Idle watcher - exits after TIMEOUT seconds of no lock files (except detached.lock)
+# Idle watcher - exits after TIMEOUT seconds of no active sessions
+# Sessions are tracked via heartbeat files (lock files touched every 5s by host)
 
-LOCKS_DIR="$HOME/.vibebox/locks"
-DETACHED_LOCK="$LOCKS_DIR/detached.lock"
-IDLE_FILE="$LOCKS_DIR/idle"
+# Use workspace's .vibebox/locks (writable), not ~/.vibebox (read-only)
+LOCKS_DIR="${VIBEBOX_PROJECT_ROOT:-.}/.vibebox/locks"
 TIMEOUT=${1:-300}
+STALE_THRESHOLD=15  # Lock considered stale if not updated in 15 seconds
 
-# Ensure locks directory exists
 mkdir -p "$LOCKS_DIR"
 
 echo "Starting watcher with ${TIMEOUT}s idle timeout"
 
+idle_start=""
+
 while true; do
-  # If detached.lock exists, loop forever
-  if [ -f "$DETACHED_LOCK" ]; then
-    rm -f "$IDLE_FILE"
-    sleep 1
-    continue
-  fi
+  now=$(date +%s)
+  active_sessions=0
+
+  # Check each lock file's modification time
+  for lock in "$LOCKS_DIR"/session-*.lock; do
+    [ -f "$lock" ] || continue
+
+    # Get modification time (Linux stat syntax, container is Ubuntu)
+    mtime=$(stat -c %Y "$lock" 2>/dev/null)
+    [ -z "$mtime" ] && continue
+
+    age=$((now - mtime))
 
-  # Count session lock files (session-*.lock)
-  lock_count=$(find "$LOCKS_DIR" -name 'session-*.lock' 2>/dev/null | wc -l)
-
-  if [ "$lock_count" -eq 0 ]; then
-    # No session locks - check/start idle timer
-    if [ -f "$IDLE_FILE" ]; then
-      idle_start=$(cat "$IDLE_FILE")
-      now=$(date +%s)
-      elapsed=$((now - idle_start))
-      if [ "$elapsed" -ge "$TIMEOUT" ]; then
-        echo "Idle timeout of ${TIMEOUT}s reached. Exiting."
-        rm -f "$IDLE_FILE"
-        exit 0
-      fi
+    if [ "$age" -lt "$STALE_THRESHOLD" ]; then
+      active_sessions=$((active_sessions + 1))
     else
-      # Start idle timer
-      date +%s > "$IDLE_FILE"
+      # Stale lock - session died without cleanup
+      rm -f "$lock"
+    fi
+  done
+
+  if [ "$active_sessions" -eq 0 ]; then
+    # No active sessions - manage idle timer
+    if [ -z "$idle_start" ]; then
+      idle_start=$now
+    fi
+
+    elapsed=$((now - idle_start))
+    if [ "$elapsed" -ge "$TIMEOUT" ]; then
+      echo "Idle timeout of ${TIMEOUT}s reached. Exiting."
+      exit 0
     fi
   else
-    # Sessions active - reset idle timer
-    rm -f "$IDLE_FILE"
+    # Active sessions - reset idle timer
+    idle_start=""
   fi
 
   sleep 1

package/dist/agents/auth.js

@@ -60,7 +60,16 @@ function getCredentialStore() {
                     }
                 },
                 set: (service, account, value) => {
-                    (0, node_child_process_1.execSync)(`echo -n "${value}" | secret-tool store --label="${service}" service "${service}" account "${account}"`);
+                    // Use execFileSync with input pipe to avoid shell injection via value
+                    (0, node_child_process_1.execFileSync)("secret-tool", [
+                        "store",
+                        `--label=${service}`,
+                        "service", service,
+                        "account", account,
+                    ], {
+                        input: value,
+                        stdio: ["pipe", "pipe", "pipe"],
+                    });
                 },
             };
     }

package/dist/agents/claude/index.js

@@ -84,7 +84,6 @@ exports.claude = {
         // Container-only mode: minimal mounts, container manages its own ~/.claude
         if (containerOnly) {
             return [
-                // Mount config copy (not the original, to prevent corruption)
                 "-v", `${configCopy}:${config}`,
             ];
         }
@@ -107,7 +106,7 @@ exports.claude = {
     },
     install: (containerName) => {
         console.log("Installing Claude Code...");
-        (0, node_child_process_1.spawnSync)("docker", ["exec", containerName, "bash", "-c", "curl -fsSL https://claude.ai/install.sh | sh"], { stdio: "inherit" });
+        (0, node_child_process_1.spawnSync)("docker", ["exec", "-u", (0, node_os_1.userInfo)().username, containerName, "bash", "-c", "curl -fsSL https://claude.ai/install.sh | sh"], { stdio: "inherit" });
     },
     setup: ({ workspace, containerOnly }) => {
         const home = (0, node_os_1.homedir)();
@@ -119,8 +118,8 @@ exports.claude = {
         const emptyFile = (0, node_path_1.join)(workspace, ".vibebox", "empty-file");
         if (!(0, node_fs_1.existsSync)(emptyFile))
             (0, node_fs_1.writeFileSync)(emptyFile, "");
-        // Create minimal config to skip onboarding and trust prompts
-        const configCopy = (0, node_path_1.join)(workspace, ".vibebox", "claude.json");
+        // Create minimal config to skip onboarding (mounted to ~/.claude.json)
+        const configFile = (0, node_path_1.join)(workspace, ".vibebox", "claude.json");
         const minimalConfig = {
             hasCompletedOnboarding: true,
             projects: {
@@ -131,7 +130,7 @@ exports.claude = {
                 },
             },
         };
-        (0, node_fs_1.writeFileSync)(configCopy, JSON.stringify(minimalConfig, null, 2));
+        (0, node_fs_1.writeFileSync)(configFile, JSON.stringify(minimalConfig, null, 2));
         // Container-only mode: skip credential sync, agent will prompt for login
         if (containerOnly)
             return;

package/dist/agents/index.js

@@ -4,6 +4,7 @@ exports.agents = void 0;
 exports.detectInstalledAgents = detectInstalledAgents;
 exports.isAgentInstalled = isAgentInstalled;
 const node_child_process_1 = require("node:child_process");
+const node_os_1 = require("node:os");
 const claude_1 = require("./claude");
 exports.agents = {
     claude: claude_1.claude,
@@ -14,11 +15,10 @@ function detectInstalledAgents() {
         .map(([name]) => name);
 }
 function isAgentInstalled(containerName, agent) {
-    try {
-        (0, node_child_process_1.execSync)(`docker exec ${containerName} which ${agent.command}`, { stdio: "pipe" });
-        return true;
-    }
-    catch {
-        return false;
-    }
+    // Use spawnSync to fully suppress stderr (execFileSync can still leak on error)
+    const result = (0, node_child_process_1.spawnSync)("docker", ["exec", "-u", (0, node_os_1.userInfo)().username, containerName, "which", agent.command], {
+        stdio: ["pipe", "pipe", "pipe"],
+        encoding: "utf8",
+    });
+    return result.status === 0;
 }

package/dist/index.js

@@ -71,7 +71,7 @@ agent
         containerOnly = true;
     }
     agentDef.setup?.({ workspace, containerOnly });
-    const containerName = ensureSandbox({ workspace, agents: [agentDef], containerOnly });
+    const containerName = await ensureSandbox({ workspace, agents: [agentDef], containerOnly });
     agentDef.install(containerName);
     console.log(`✓ ${agentDef.name} installed`);
 });
@@ -98,6 +98,7 @@ async function runAgent(name, args, opts) {
     // Check if we need container-only mode
     const existing = getSandboxName(workspace);
     const existingRunning = existing && isContainerRunning(existing);
+    // Only check if agent is installed when container is running (docker exec requires running container)
     const needsInstall = !existingRunning || !(0, agents_1.isAgentInstalled)(existing, agent);
     const hostInstalled = agent.isInstalledOnHost();
     let containerOnly = false;
@@ -108,7 +109,7 @@ async function runAgent(name, args, opts) {
     }
     // Run agent setup (auth, config files)
     agent.setup?.({ workspace, containerOnly });
-    const containerName = ensureSandbox({ workspace, agents: [agent], containerOnly });
+    const containerName = await ensureSandbox({ workspace, agents: [agent], containerOnly });
     if (agent.versionCommand && !containerOnly) {
         await (0, update_1.checkVersions)(containerName, agent);
     }
@@ -126,13 +127,10 @@ async function runAgent(name, args, opts) {
             agent.install(containerName);
         }
     }
-    const r = withSessionLock({
-        name: containerName,
-        fn: () => (0, node_child_process_1.spawnSync)("docker", ["exec", "-it", containerName, agent.command, ...args], { stdio: "inherit" }),
-    });
+    const code = await withSessionLock({ name: containerName, workspace, cmd: [agent.command, ...args], interactive: true });
     if (opts.temp)
         await promptKeep(workspace);
-    process.exit(r.status ?? 0);
+    process.exit(code);
 }
 async function promptContainerOnly(agentName) {
     console.log(`\n${agentName} is not installed on your host machine.`);
@@ -161,12 +159,9 @@ commander_1.program
     await (0, update_1.checkForUpdates)();
     const workspace = process.cwd();
     const installedAgents = setupInstalledAgents({ workspace });
-    const name = ensureSandbox({ workspace, agents: installedAgents });
+    const name = await ensureSandbox({ workspace, agents: installedAgents });
     await (0, update_1.checkVersions)(name);
-    withSessionLock({
-        name,
-        fn: () => (0, node_child_process_1.spawnSync)("docker", ["exec", "-it", name, "/bin/zsh"], { stdio: "inherit" }),
-    });
+    await withSessionLock({ name, workspace, cmd: ["/bin/zsh"], interactive: true });
 });
 commander_1.program
     .command("exec <cmd...>")
@@ -177,12 +172,9 @@ commander_1.program
     await ensureDocker();
     const workspace = process.cwd();
     const installedAgents = setupInstalledAgents({ workspace });
-    const name = ensureSandbox({ workspace, agents: installedAgents });
-    const r = withSessionLock({
-        name,
-        fn: () => (0, node_child_process_1.spawnSync)("docker", ["exec", name, ...cmd], { stdio: "inherit" }),
-    });
-    process.exit(r.status ?? 0);
+    const name = await ensureSandbox({ workspace, agents: installedAgents });
+    const code = await withSessionLock({ name, workspace, cmd });
+    process.exit(code);
 });
 commander_1.program
     .command("ls")
@@ -268,19 +260,16 @@ commander_1.program
 commander_1.program
     .command("rebuild")
     .description("Force rebuild image with current host config")
-    .action(async () => {
+    .option("--no-cache", "Build without using Docker layer cache")
+    .action(async (opts) => {
     await ensureDocker();
     await (0, update_1.checkForUpdates)();
     console.log("Rebuilding vibebox image...");
-    try {
-        (0, node_child_process_1.execSync)("docker rmi vibebox", { stdio: "pipe" });
-    }
-    catch { }
-    buildImage();
+    buildImage({ noCache: !opts.cache });
     console.log("Image rebuilt");
 });
 // ============ Ports Commands ============
-const DEFAULT_PORTS = ["5173", "3000", "3001", "4173", "8080"];
+const DEFAULT_PORTS = ["3000", "3001", "4173", "5000", "5173", "8080", "8081", "8545"];
 const ports = commander_1.program.command("ports").description("Manage port mappings");
 ports
     .command("ls")
@@ -294,7 +283,7 @@ ports
     try {
         const mappings = getPortMappings(name);
         // Get listening ports
-        const ssOut = (0, node_child_process_1.execFileSync)("docker", ["exec", name, "ss", "-tln"], { encoding: "utf8" });
+        const ssOut = (0, node_child_process_1.execFileSync)("docker", ["exec", "-u", (0, node_os_1.userInfo)().username, name, "ss", "-tln"], { encoding: "utf8" });
         const listening = new Set();
         for (const line of ssOut.split("\n").slice(1)) {
             const match = line.match(/:(\d+)\s*$/);
@@ -336,7 +325,7 @@ ports
     saveConfig(ws, cfg);
     console.log(`Ports: ${cfg.ports.join(", ")}`);
     if (getSandboxName(ws))
-        console.log("Restart for changes: vibebox stop && vibebox claude");
+        console.log("Port changes require container restart (Docker sets ports at creation time)");
 });
 ports
     .command("rm <ports...>")
@@ -349,19 +338,21 @@ ports
     saveConfig(ws, cfg);
     console.log(`Ports: ${cfg.ports.join(", ")}`);
     if (getSandboxName(ws))
-        console.log("Restart for changes: vibebox stop && vibebox claude");
+        console.log("Port changes require container restart (Docker sets ports at creation time)");
 });
 // ============ Customize Command ============
 const TEMPLATES = {
-    setupGlobal: `#!/bin/bash
+    setupGlobal: `#!/bin/zsh
 # Runs once when a sandbox is created (all sandboxes)
 # Example: git clone https://github.com/YOU/dotfiles ~/.dotfiles && ~/.dotfiles/install.sh
-# Example: sudo apt-get update && sudo apt-get install -y ripgrep
+# Note: sudo is disabled by default. For apt installs, use ~/.vibebox/Dockerfile instead,
+#       or enable sudo with: vibebox config sudo on
 `,
-    setupLocal: `#!/bin/bash
+    setupLocal: `#!/bin/zsh
 # Runs once when this project's sandbox is created
 # Example: pip install -r requirements.txt
-# Example: echo 'export DATABASE_URL=...' >> ~/.bashrc
+# Example: echo 'export DATABASE_URL=...' >> ~/.zshrc
+# Note: sudo is disabled by default. Enable with: vibebox config sudo on
 `,
     imageGlobal: `# Baked into image, applies to ALL sandboxes. Run 'vibebox rebuild' after editing.
 FROM vibebox
@@ -391,6 +382,9 @@ function openInEditor({ file, template, isExecutable }) {
         (0, node_fs_1.writeFileSync)(file, template, isExecutable ? { mode: 0o755 } : undefined);
         console.log(`Created ${file}`);
     }
+    else if (isExecutable) {
+        (0, node_fs_1.chmodSync)(file, 0o755);
+    }
     const editor = process.env.EDITOR || process.env.VISUAL || "vi";
     const r = (0, node_child_process_1.spawnSync)(editor, [file], { stdio: "inherit" });
     if (r.status !== 0)
@@ -401,30 +395,30 @@ customize
     .command("image [scope]")
     .description("Edit custom Dockerfile (global or local)")
     .action(async (scope) => {
-    const targetScope = scope || await promptScope("Dockerfile", "~/.vibebox/Dockerfile", ".vibebox/Dockerfile");
+    const targetScope = scope || await promptScope("Dockerfile", "~/.vibebox/Dockerfile", "vibebox.Dockerfile");
     if (targetScope !== "global" && targetScope !== "local") {
         console.error("Usage: vibebox customize image <global|local>");
         process.exit(1);
     }
     const isGlobal = targetScope === "global";
-    const file = (0, node_path_1.join)(isGlobal ? (0, node_os_1.homedir)() : process.cwd(), ".vibebox", "Dockerfile");
+    const file = isGlobal ? (0, node_path_1.join)((0, node_os_1.homedir)(), ".vibebox", "Dockerfile") : (0, node_path_1.join)(process.cwd(), "vibebox.Dockerfile");
     openInEditor({ file, template: isGlobal ? TEMPLATES.imageGlobal : TEMPLATES.imageLocal });
-    console.log(`\nDockerfile saved: ${file}`);
+    console.log(`\nDockerfile location: ${file}`);
     console.log("Run 'vibebox rebuild' to apply changes.");
 });
 customize
     .command("setup [scope]")
     .description("Edit setup script (global or local)")
     .action(async (scope) => {
-    const targetScope = scope || await promptScope("setup script", "~/.vibebox/setup.sh", ".vibebox/setup.sh");
+    const targetScope = scope || await promptScope("setup script", "~/.vibebox/setup.sh", "vibebox.setup.sh");
     if (targetScope !== "global" && targetScope !== "local") {
         console.error("Usage: vibebox customize setup <global|local>");
         process.exit(1);
     }
     const isGlobal = targetScope === "global";
-    const file = (0, node_path_1.join)(isGlobal ? (0, node_os_1.homedir)() : process.cwd(), ".vibebox", "setup.sh");
+    const file = isGlobal ? (0, node_path_1.join)((0, node_os_1.homedir)(), ".vibebox", "setup.sh") : (0, node_path_1.join)(process.cwd(), "vibebox.setup.sh");
     openInEditor({ file, template: isGlobal ? TEMPLATES.setupGlobal : TEMPLATES.setupLocal, isExecutable: true });
-    console.log(`\nSetup script saved: ${file}`);
+    console.log(`\nSetup script location: ${file}`);
     if (getSandboxName(process.cwd()))
         console.log("Note: Runs on new sandboxes. To re-run: vibebox rm");
 });
@@ -436,9 +430,74 @@ async function promptScope(type, globalPath, localPath) {
     rl.close();
     return answer.trim().toLowerCase();
 }
+// ============ Config Command ============
+const config = commander_1.program.command("config").description("Manage sandbox configuration");
+config
+    .command("sudo <on|off>")
+    .description("Enable or disable sudo access in sandbox (requires rebuild)")
+    .action((value) => {
+    const ws = process.cwd();
+    const cfg = loadConfig(ws);
+    if (value === "on") {
+        cfg.sudo = true;
+        saveConfig(ws, cfg);
+        console.log("Sudo enabled for this workspace");
+    }
+    else if (value === "off") {
+        cfg.sudo = false;
+        saveConfig(ws, cfg);
+        console.log("Sudo disabled for this workspace");
+    }
+    else {
+        console.error("Usage: vibebox config sudo <on|off>");
+        process.exit(1);
+    }
+    if (getSandboxName(ws))
+        console.log("Restart for changes: vibebox stop && vibebox enter");
+});
+config
+    .command("show")
+    .description("Show current configuration")
+    .action(() => {
+    const ws = process.cwd();
+    const cfg = loadConfig(ws);
+    console.log("Workspace:", ws);
+    console.log("Config:", JSON.stringify(cfg, null, 2));
+});
 // ============ Help Display & Parse ============
 // Only parse CLI when run directly (not when imported)
 if (require.main === module) {
+    const warningFile = (0, node_path_1.join)((0, node_os_1.homedir)(), ".vibebox", ".accepted-warning");
+    if (!(0, node_fs_1.existsSync)(warningFile)) {
+        const red = "\x1b[31m";
+        const reset = "\x1b[0m";
+        console.log(`
+${red}==================================
+  WARNING: EXPERIMENTAL SOFTWARE
+==================================${reset}
+
+This is alpha software with potential security holes.
+Use at your own risk.
+`);
+        const rl = (0, node_readline_1.createInterface)({ input: process.stdin, output: process.stdout });
+        rl.question(`Type ${red}Accept${reset} to continue: `, (answer) => {
+            rl.close();
+            if (answer.toLowerCase() !== "accept") {
+                console.log("Goodbye.");
+                process.exit(1);
+            }
+            const dir = (0, node_path_1.dirname)(warningFile);
+            if (!(0, node_fs_1.existsSync)(dir))
+                (0, node_fs_1.mkdirSync)(dir, { recursive: true });
+            (0, node_fs_1.writeFileSync)(warningFile, new Date().toISOString());
+            runCli();
+        });
+    }
+    else {
+        runCli();
+    }
+}
+function runCli() {
     const isSubcommand = process.argv.length > 2 && !process.argv[2].startsWith("-");
     if (process.argv.length === 2 ||
         (!isSubcommand && (process.argv.includes("--help") || process.argv.includes("-h")))) {
@@ -448,12 +507,11 @@ if (require.main === module) {
 }
 // ============ Library code =========
 // ============ Constants ============
-const LOCKS_DIR = `${(0, node_os_1.homedir)()}/.vibebox/locks`;
-const DETACHED_LOCK = `${LOCKS_DIR}/detached.lock`;
 const WATCHER_SCRIPT = `${(0, node_os_1.homedir)()}/.local/bin/watcher.sh`;
 const IDLE_TIMEOUT = 300; // 5 minutes
-function loadConfig(ws) {
-    const p = (0, node_path_1.join)(ws, ".vibebox", "config.json");
+const HEARTBEAT_INTERVAL = 5000; // 5 seconds
+function loadGlobalConfig() {
+    const p = (0, node_path_1.join)((0, node_os_1.homedir)(), ".vibebox", "config.json");
     if (!(0, node_fs_1.existsSync)(p))
         return {};
     try {
@@ -463,11 +521,28 @@ function loadConfig(ws) {
         return {};
     }
 }
+function loadLocalConfig(ws) {
+    const p = (0, node_path_1.join)(ws, "vibebox.config.json");
+    if (!(0, node_fs_1.existsSync)(p))
+        return {};
+    try {
+        return JSON.parse((0, node_fs_1.readFileSync)(p, "utf8"));
+    }
+    catch {
+        return {};
+    }
+}
+function loadConfig(ws) {
+    const global = loadGlobalConfig();
+    const local = loadLocalConfig(ws);
+    // Local overrides global (undefined means "use global default")
+    return {
+        ...global,
+        ...Object.fromEntries(Object.entries(local).filter(([_, v]) => v !== undefined)),
+    };
+}
 function saveConfig(ws, cfg) {
-    const dir = (0, node_path_1.join)(ws, ".vibebox");
-    if (!(0, node_fs_1.existsSync)(dir))
-        (0, node_fs_1.mkdirSync)(dir, { recursive: true });
-    (0, node_fs_1.writeFileSync)((0, node_path_1.join)(dir, "config.json"), JSON.stringify(cfg, null, 2));
+    (0, node_fs_1.writeFileSync)((0, node_path_1.join)(ws, "vibebox.config.json"), JSON.stringify(cfg, null, 2));
 }
 function setupInstalledAgents({ workspace }) {
     const installedAgentNames = (0, agents_1.detectInstalledAgents)();
@@ -479,40 +554,58 @@ function setupInstalledAgents({ workspace }) {
 }
 // ============ Helpers ============
 function getWorkspaceInode(workspace) {
-    const flag = process.platform === "darwin" ? "-f" : "-c";
-    return (0, node_child_process_1.execSync)(`stat ${flag} %i "${workspace}"`, { encoding: "utf8" }).trim();
+    // Use execFileSync to avoid shell injection via workspace path
+    const args = process.platform === "darwin"
+        ? ["-f", "%i", workspace]
+        : ["-c", "%i", workspace];
+    return (0, node_child_process_1.execFileSync)("stat", args, { encoding: "utf8" }).trim();
 }
-function withSessionLock({ name, fn }) {
+async function withSessionLock({ name, workspace, cmd, interactive = false }) {
     const sessionId = (0, node_crypto_1.randomBytes)(8).toString("hex");
-    const lockFile = `${LOCKS_DIR}/session-${sessionId}.lock`;
-    (0, node_child_process_1.execFileSync)("docker", ["exec", name, "mkdir", "-p", LOCKS_DIR], { stdio: "pipe" });
-    (0, node_child_process_1.execFileSync)("docker", ["exec", name, "touch", lockFile], { stdio: "pipe" });
-    try {
-        return fn();
+    // Use workspace's .vibebox/locks for session locks (writable)
+    const locksDir = (0, node_path_1.join)(workspace, ".vibebox", "locks");
+    const lockFile = (0, node_path_1.join)(locksDir, `session-${sessionId}.lock`);
+    const user = (0, node_os_1.userInfo)().username;
+    // Retry first exec to handle race between docker run and container readiness
+    const maxRetries = 20;
+    for (let attempt = 0; attempt < maxRetries; attempt++) {
+        try {
+            (0, node_child_process_1.execFileSync)("docker", ["exec", "-u", user, name, "mkdir", "-p", locksDir], { stdio: "pipe" });
+            break;
+        }
+        catch (e) {
+            const isNotRunning = e instanceof Error && e.message.includes("is not running");
+            if (attempt === maxRetries - 1 || !isNotRunning)
+                throw e;
+            (0, node_child_process_1.spawnSync)("sleep", ["0.1"]);
+        }
     }
-    finally {
-        // Remove this session's lock
+    (0, node_child_process_1.execFileSync)("docker", ["exec", "-u", user, name, "touch", lockFile], { stdio: "pipe" });
+    // Heartbeat: touch lock file periodically so watcher knows session is alive
+    const heartbeat = setInterval(() => {
         try {
-            (0, node_child_process_1.execFileSync)("docker", ["exec", name, "rm", "-f", lockFile], { stdio: "pipe" });
+            (0, node_child_process_1.execFileSync)("docker", ["exec", "-u", user, name, "touch", lockFile], { stdio: "pipe" });
         }
         catch { } // container stopped
-        // Check if other sessions exist, remove detached lock if none
-        let hasOthers = false;
+    }, HEARTBEAT_INTERVAL);
+    try {
+        // Use spawn (async) so event loop keeps running for heartbeat
+        const dockerArgs = ["exec", "-u", user, ...(interactive ? ["-it"] : []), name, ...cmd];
+        const child = (0, node_child_process_1.spawn)("docker", dockerArgs, { stdio: "inherit" });
+        const code = await new Promise((resolve) => {
+            child.on("close", (code) => resolve(code ?? 0));
+        });
+        return code;
+    }
+    finally {
+        clearInterval(heartbeat);
         try {
-            const out = (0, node_child_process_1.execFileSync)("docker", ["exec", name, "ls", LOCKS_DIR], { encoding: "utf8" });
-            const locks = out.split("\n").filter((f) => f.startsWith("session-") && f.endsWith(".lock"));
-            hasOthers = locks.filter((f) => f !== `session-${sessionId}.lock`).length > 0;
+            (0, node_child_process_1.execFileSync)("docker", ["exec", "-u", user, name, "rm", "-f", lockFile], { stdio: "pipe" });
         }
         catch { } // container stopped
-        if (!hasOthers) {
-            try {
-                (0, node_child_process_1.execFileSync)("docker", ["exec", name, "rm", "-f", DETACHED_LOCK], { stdio: "pipe" });
-            }
-            catch { } // container stopped
-        }
     }
 }
-function buildImage() {
+function buildImage({ noCache = false } = {}) {
     const info = (0, node_os_1.userInfo)();
     const nodeVersion = (0, node_child_process_1.execSync)("node --version", { encoding: "utf8" }).trim().replace(/^v/, "");
     const npmVersion = (0, node_child_process_1.execSync)("npm --version", { encoding: "utf8" }).trim();
@@ -527,6 +620,7 @@ function buildImage() {
     const buildHash = (0, update_1.hashString)(buildFiles.map(f => (0, node_fs_1.readFileSync)((0, node_path_1.join)(contextDir, f), "utf8")).join("\n"));
     const r = (0, node_child_process_1.spawnSync)("docker", [
         "build", "-t", "vibebox",
+        ...(noCache ? ["--no-cache"] : []),
         "--build-arg", `NODE_VERSION=${nodeVersion}`,
         "--build-arg", `NPM_VERSION=${npmVersion}`,
         "--build-arg", `LOCAL_USER=${info.username}`,
@@ -549,28 +643,28 @@ function getImageHash(tag) {
         return null;
     }
 }
-function buildCustomImage({ tag, contextDir, fromTag }) {
-    const dockerfilePath = (0, node_path_1.join)(contextDir, "Dockerfile");
-    if (!(0, node_fs_1.existsSync)(dockerfilePath))
+function buildCustomImage({ tag, dockerfile, fromTag }) {
+    if (!(0, node_fs_1.existsSync)(dockerfile))
         return false;
-    const content = (0, node_fs_1.readFileSync)(dockerfilePath, "utf8");
+    const content = (0, node_fs_1.readFileSync)(dockerfile, "utf8");
     const hash = (0, update_1.hashString)(content + fromTag);
     if (getImageHash(tag) === hash)
         return true; // Already up to date
     console.log(`Building ${tag}...`);
-    const r = (0, node_child_process_1.spawnSync)("docker", ["build", "-t", tag, "--label", `vibebox.hash=${hash}`, contextDir], { stdio: "inherit" });
+    const contextDir = (0, node_path_1.dirname)(dockerfile);
+    const r = (0, node_child_process_1.spawnSync)("docker", ["build", "-t", tag, "-f", dockerfile, "--label", `vibebox.hash=${hash}`, contextDir], { stdio: "inherit" });
     return r.status === 0;
 }
 function getImageTag({ workspace }) {
-    const globalDir = (0, node_path_1.join)((0, node_os_1.homedir)(), ".vibebox");
-    const localDir = (0, node_path_1.join)(workspace, ".vibebox");
-    const hasGlobal = (0, node_fs_1.existsSync)((0, node_path_1.join)(globalDir, "Dockerfile"));
-    const hasLocal = (0, node_fs_1.existsSync)((0, node_path_1.join)(localDir, "Dockerfile"));
+    const globalDockerfile = (0, node_path_1.join)((0, node_os_1.homedir)(), ".vibebox", "Dockerfile");
+    const localDockerfile = (0, node_path_1.join)(workspace, "vibebox.Dockerfile");
+    const hasGlobal = (0, node_fs_1.existsSync)(globalDockerfile);
+    const hasLocal = (0, node_fs_1.existsSync)(localDockerfile);
     const wsHash = (0, update_1.hashString)(workspace).slice(0, 8);
     if (hasGlobal)
-        buildCustomImage({ tag: "vibebox:user", contextDir: globalDir, fromTag: "vibebox" });
+        buildCustomImage({ tag: "vibebox:user", dockerfile: globalDockerfile, fromTag: "vibebox" });
     if (hasLocal)
-        buildCustomImage({ tag: `vibebox:${wsHash}`, contextDir: localDir, fromTag: hasGlobal ? "vibebox:user" : "vibebox" });
+        buildCustomImage({ tag: `vibebox:${wsHash}`, dockerfile: localDockerfile, fromTag: hasGlobal ? "vibebox:user" : "vibebox" });
     if (hasLocal)
         return `vibebox:${wsHash}`;
     if (hasGlobal)
@@ -630,7 +724,7 @@ function writePortMappings(workspace, name) {
     const parsed = [...mappings].map(([c, h]) => `${c}:${h}`).join("\n");
     (0, node_fs_1.writeFileSync)((0, node_path_1.join)(vibeboxDir, "port-mappings.txt"), parsed);
 }
-function ensureSandbox({ workspace, agents: requestedAgents = [], containerOnly = false, }) {
+async function ensureSandbox({ workspace, agents: requestedAgents = [], containerOnly = false, }) {
     const existing = getSandboxName(workspace);
     if (existing) {
         try {
@@ -641,13 +735,16 @@ function ensureSandbox({ workspace, agents: requestedAgents = [], containerOnly
                 (0, node_child_process_1.execFileSync)("docker", ["start", existing], { stdio: "pipe" });
                 writePortMappings(workspace, existing);
             }
-            // Verify container is now running
-            const newState = (0, node_child_process_1.execFileSync)("docker", ["inspect", existing, "--format={{.State.Running}}"], {
-                encoding: "utf8",
-            }).trim();
-            if (newState === "true")
-                return existing;
-            // Container failed to start, remove it and create fresh
+            // Verify container is actually usable (not just "running" state but able to exec)
+            const user = (0, node_os_1.userInfo)().username;
+            const maxRetries = 10;
+            for (let i = 0; i < maxRetries; i++) {
+                const result = (0, node_child_process_1.spawnSync)("docker", ["exec", "-u", user, existing, "true"], { stdio: "pipe" });
+                if (result.status === 0)
+                    return existing;
+                (0, node_child_process_1.spawnSync)("sleep", ["0.2"]);
+            }
+            // Container not usable, remove and recreate
             (0, node_child_process_1.execFileSync)("docker", ["rm", "-f", existing], { stdio: "pipe" });
         }
         catch {
@@ -670,10 +767,12 @@ function ensureSandbox({ workspace, agents: requestedAgents = [], containerOnly
         (0, node_fs_1.writeFileSync)(emptyFile, "");
     const home = (0, node_os_1.homedir)();
     const inode = getWorkspaceInode(workspace);
-    const ports = loadConfig(workspace).ports ?? DEFAULT_PORTS;
+    const cfg = loadConfig(workspace);
+    const ports = cfg.ports ?? DEFAULT_PORTS;
     // ---- Agent args ----
     const agentArgs = requestedAgents.flatMap((agent) => agent.dockerArgs({ workspace, home, containerOnly }));
     // ---- Symlinks ----
+    // Scan for symlinks in mounted directories
     const symlinkMounts = new Set();
     const scanForSymlinks = (dir) => {
         try {
@@ -703,27 +802,46 @@ function ensureSandbox({ workspace, agents: requestedAgents = [], containerOnly
             }
         }
     }
+    // If symlinks found, show them and ask user
+    if (symlinkMounts.size > 0) {
+        console.log("\nSymlinks found pointing outside workspace:");
+        for (const s of symlinkMounts)
+            console.log(`  \x1b[2m${s}\x1b[0m`);
+        const mount = await promptConfirm("\nMount these paths?");
+        if (!mount) {
+            symlinkMounts.clear();
+            console.log("Symlinks not mounted.");
+        }
+    }
     // Agent names for label
     const agentNames = requestedAgents.map((a) => a.name).join(",") || "none";
     // Generate sandbox name
     const now = new Date();
     const name = `vibebox-${now.toISOString().slice(0, 10)}-${String(now.getHours()).padStart(2, "0")}${String(now.getMinutes()).padStart(2, "0")}${String(now.getSeconds()).padStart(2, "0")}`;
     // ---- SSH ----
-    // Windows named pipes (\\.\pipe\...) can't be mounted with Docker -v
+    // Opt-in via config (default: false)
+    // macOS: Docker Desktop runs in a VM, can't mount host socket directly.
+    //        Use Docker's built-in forwarding via /run/host-services/ssh-auth.sock
+    // Linux: Mount host socket directly
+    // Windows: Named pipes (\\.\pipe\...) can't be mounted with -v
     const sshAuthSock = process.env.SSH_AUTH_SOCK;
-    const sshArgs = sshAuthSock && process.platform !== "win32" && (0, node_fs_1.existsSync)(sshAuthSock)
-        ? ["-v", `${sshAuthSock}:/ssh-agent`, "-e", "SSH_AUTH_SOCK=/ssh-agent"]
-        : [];
+    const sshArgs = !cfg.sshAgent ? [] :
+        process.platform === "darwin" && sshAuthSock
+            ? ["-v", "/run/host-services/ssh-auth.sock:/ssh-agent", "-e", "SSH_AUTH_SOCK=/ssh-agent"]
+            : process.platform !== "win32" && sshAuthSock && (0, node_fs_1.existsSync)(sshAuthSock)
+                ? ["-v", `${sshAuthSock}:/ssh-agent`, "-e", "SSH_AUTH_SOCK=/ssh-agent"]
+                : [];
     // Global vibebox config dir (for setup.sh)
     const vibeboxGlobalDir = (0, node_path_1.join)(home, ".vibebox");
     const vibeboxGlobalArgs = (0, node_fs_1.existsSync)(vibeboxGlobalDir)
         ? ["-v", `${vibeboxGlobalDir}:${vibeboxGlobalDir}:ro`]
         : [];
     // ---- GitHub CLI ----
+    // Opt-in via config (default: false)
     const ghConfigDir = process.platform === "win32" && process.env.APPDATA
         ? (0, node_path_1.join)(process.env.APPDATA, "GitHub CLI")
         : (0, node_path_1.join)(home, ".config", "gh");
-    const ghArgs = (0, node_fs_1.existsSync)((0, node_path_1.join)(ghConfigDir, "hosts.yml"))
+    const ghArgs = cfg.ghAuth && (0, node_fs_1.existsSync)((0, node_path_1.join)(ghConfigDir, "hosts.yml"))
         ? ["-v", `${ghConfigDir}:${(0, node_path_1.join)(home, ".config", "gh")}:ro`]
         : [];
     // ---- Git config ----
@@ -760,10 +878,23 @@ function ensureSandbox({ workspace, agents: requestedAgents = [], containerOnly
         }
     }
     catch { } // no aliases
+    // ---- Security ----
+    const sudoArgs = cfg.sudo ? ["-e", "VIBEBOX_SUDO=1"] : [];
     // ---- Docker run ----
     const args = [
         "run", "-d",
         "--name", name,
+        // Security hardening: drop all capabilities, add back only what's needed
+        // See: man 7 capabilities
+        "--security-opt", "no-new-privileges",
+        "--cap-drop", "ALL",
+        // Required for entrypoint (runs as root, then drops to user via gosu):
+        "--cap-add", "CHOWN", // chown on SSH socket
+        "--cap-add", "SETUID", // gosu to switch user
+        "--cap-add", "SETGID", // gosu to switch group
+        "--cap-add", "DAC_OVERRIDE", // write to /etc/sudoers.d
+        "--cap-add", "FOWNER", // operate on files regardless of owner
+        "--cap-add", "KILL", // send signals to processes
         // Labels for container lookup
         "--label", "docker/sandbox=true",
         "--label", `com.docker.sandbox.agent=${agentNames}`,
@@ -780,6 +911,8 @@ function ensureSandbox({ workspace, agents: requestedAgents = [], containerOnly
         // Environment
         "-e", `TZ=${process.env.TZ || Intl.DateTimeFormat().resolvedOptions().timeZone}`,
         "-e", `VIBEBOX_PROJECT_ROOT=${workspace}`,
+        // Sudo opt-in
+        ...sudoArgs,
         // Git config env vars
         ...gitEnvArgs,
         // Agent-specific mounts
@@ -790,8 +923,8 @@ function ensureSandbox({ workspace, agents: requestedAgents = [], containerOnly
         "-v", `${workspace}:${workspace}`,
         "-w", workspace,
         imageTag,
-        // Run startup script with watcher
-        `${home}/.local/bin/startup.sh`, "bash", "-c", `mkdir -p ${LOCKS_DIR} && touch ${DETACHED_LOCK} && ${WATCHER_SCRIPT} ${IDLE_TIMEOUT}`,
+        // Command passed to entrypoint -> startup.sh
+        "bash", "-c", `${WATCHER_SCRIPT} ${IDLE_TIMEOUT}`,
     ];
     const result = (0, node_child_process_1.spawnSync)("docker", args, { stdio: "pipe", encoding: "utf-8" });
     if (result.status !== 0) {

package/dist/update.js

@@ -43,6 +43,7 @@ const node_readline_1 = require("node:readline");
 const node_fs_1 = require("node:fs");
 const node_crypto_1 = require("node:crypto");
 const node_path_1 = require("node:path");
+const node_os_1 = require("node:os");
 function getVersion(cmd) {
     const out = (0, node_child_process_1.execSync)(cmd, { encoding: "utf8" });
     const match = out.match(/^(\d+\.\d+\.\d+(-[^\s]+)?)/);
@@ -101,7 +102,7 @@ function updateHost(agentCommand, version) {
 }
 function updateSandbox(sandboxName, agentCommand, version) {
     console.log(`\nUpdating sandbox ${agentCommand}${version ? ` to ${version}` : " to latest"}...`);
-    const args = ["exec", "-it", sandboxName, agentCommand, "install"];
+    const args = ["exec", "-u", (0, node_os_1.userInfo)().username, "-it", sandboxName, agentCommand, "install"];
     if (version)
         args.push(version);
     const result = (0, node_child_process_1.spawnSync)("docker", args, { stdio: "inherit" });
@@ -111,7 +112,8 @@ function updateSandbox(sandboxName, agentCommand, version) {
 }
 function verifyVersionsMatch({ sandboxName, versionCommand, successMsg }) {
     const newHost = getVersion(versionCommand);
-    const newSandbox = getVersion(`docker exec ${sandboxName} ${versionCommand}`);
+    // Use zsh -lc to get login shell PATH (includes ~/.local/bin after install)
+    const newSandbox = getVersion(`docker exec -u ${(0, node_os_1.userInfo)().username} ${sandboxName} zsh -lc '${versionCommand}'`);
     if (newHost === newSandbox) {
         console.log(`\nSuccess! ${successMsg} ${newHost}`);
     }
@@ -211,7 +213,7 @@ async function checkVersions(sandboxName, agent) {
     const agentCommand = agent?.command ?? "claude";
     try {
         const host = getVersion(versionCommand);
-        const sandbox = getVersion(`docker exec ${sandboxName} ${versionCommand}`);
+        const sandbox = getVersion(`docker exec -u ${(0, node_os_1.userInfo)().username} ${sandboxName} zsh -lc '${versionCommand}'`);
         if (host !== sandbox) {
             const comparison = compareVersions(host, sandbox);
             const higher = comparison >= 0 ? host : sandbox;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "vibebox",
-  "version": "0.0.2",
+  "version": "0.0.4",
   "license": "SEE LICENSE IN LICENSE.md",
   "bin": {
     "vibebox": "./dist/index.js"
@@ -16,7 +16,7 @@
     "build": "tsc",
     "postbuild": "chmod +x dist/index.js",
     "build:image": "docker build -t vibebox .",
-    "rebuild": "tsc && node scripts/update-build-hashes.mjs && vibebox rm --all && vibebox rebuild",
+    "rebuild": "npm run build && node scripts/update-build-hashes.mjs && vibebox rm --all && vibebox rebuild",
     "preversion": "npm run build && node scripts/update-build-hashes.mjs",
     "prepublishOnly": "npm run build",
     "test": "vitest run",
@@ -32,7 +32,7 @@
   },
   "vibebox": {
     "version": {
-      "build": "bc83a65b541a24ce"
+      "build": "90d18f8d395b9ad5"
     }
   }
 }