From a49af7c5f51e3b857f6d72180299210445f85994 Mon Sep 17 00:00:00 2001
From: Marco D'Alia <github@madarco.it>
Date: Sat, 30 May 2026 23:18:33 +0100
Subject: [PATCH 01/11] feat(doctor): Linux host support + Hetzner dev-VM
 manager

Make `agentbox doctor` Linux-accurate and add tooling to test the CLI on a
real Ubuntu host.

doctor (apps/cli/src/lib/doctor-checks.ts):
- checkPlatform() warns on unsupported OS (darwin/linux -> ok, else warn)
- docker-cli not-found hint is platform-specific (Linux docs link)
- docker daemon check distinguishes 'permission denied' (user not in the
  docker group) from a stopped daemon, with the matching fix as a hint

tooling:
- scripts/linux-dev-vm.sh: manage a persistent Hetzner Ubuntu VM
  (up/deploy/ssh/doctor/info/down) to test agentbox on Linux
- docs/linux-host-backlog.md: status + how-to + remaining macOS-only host
  assumptions (browser open->xdg-open, iTerm2/AppleScript, OrbStack paths)

Verified live on a clean Ubuntu 24.04 Hetzner VM: both the permission-denied
and healthy docker-daemon branches render correctly; no macOS regression.
---
 CLAUDE.md                         |   1 +
 apps/cli/src/lib/doctor-checks.ts |  32 ++++-
 docs/linux-host-backlog.md        | 100 +++++++++++++++
 scripts/linux-dev-vm.sh           | 198 ++++++++++++++++++++++++++++++
 4 files changed, 326 insertions(+), 5 deletions(-)
 create mode 100644 docs/linux-host-backlog.md
 create mode 100755 scripts/linux-dev-vm.sh

diff --git a/CLAUDE.md b/CLAUDE.md
index 210e195..f06ac32 100644
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -75,3 +75,4 @@ Each topic has a dedicated file under [`docs/`](./docs). Read the relevant one b
 - [`docs/daytona-backlog.md`](./docs/daytona-backlog.md) — what's done vs still missing on the Daytona path. Quick index of where each cloud feature actually lives.
 - [`docs/hertzner_backlog.md`](./docs/hertzner_backlog.md) — Hetzner provider build-out status: phase-by-phase progress, the live e2e smoke results, deferred follow-ups (per-project snapshot tier, `--pause` checkpoint flag, `agentbox prune --provider hetzner`, the install-script post-Chromium trace mystery). Filename uses the user-requested spelling.
 - [`docs/vercel-backlog.md`](./docs/vercel-backlog.md) — Vercel provider build-out status: why Vercel's shape differs (no Dockerfile, no containers, no SSH, persistent snapshots), phase-by-phase progress, and the live-verify checklist (user mapping, attach latency / ttyd upgrade, snapshot-vs-delete cascade, VNC on AL2023, published-CLI asset staging).
+- [`docs/linux-host-backlog.md`](./docs/linux-host-backlog.md) — Linux (Ubuntu) **host** support: what's done (`agentbox doctor` is Linux-aware), how to test on a persistent Hetzner Ubuntu VM (`scripts/linux-dev-vm.sh` — `up`/`deploy`/`ssh`/`doctor`/`down`), and the remaining macOS-only host assumptions (browser `open`→`xdg-open`, iTerm2/AppleScript terminal spawning, OrbStack-only fast paths).
diff --git a/apps/cli/src/lib/doctor-checks.ts b/apps/cli/src/lib/doctor-checks.ts
index a57c0b0..1d32f7b 100644
--- a/apps/cli/src/lib/doctor-checks.ts
+++ b/apps/cli/src/lib/doctor-checks.ts
@@ -71,7 +71,13 @@ function checkNode(): CheckResult {
 }
 
 function checkPlatform(): CheckResult {
-  return { label: 'platform', status: 'ok', detail: `${process.platform}/${process.arch}` };
+  const supported = process.platform === 'darwin' || process.platform === 'linux';
+  return {
+    label: 'platform',
+    status: supported ? 'ok' : 'warn',
+    detail: `${process.platform}/${process.arch}`,
+    hint: supported ? undefined : 'agentbox supports macOS and Linux hosts; this OS is untested',
+  };
 }
 
 function checkAgentboxHome(): CheckResult {
@@ -121,6 +127,7 @@ export async function runSystemChecks(): Promise<CheckResult[]> {
 }
 
 async function dockerChecks(): Promise<CheckResult[]> {
+  const linux = process.platform === 'linux';
   const cli = await probeVersion('docker');
   if (!cli) {
     return [
@@ -128,23 +135,38 @@ async function dockerChecks(): Promise<CheckResult[]> {
         label: 'docker cli',
         status: 'warn',
         detail: 'not found',
-        hint: 'install Docker Desktop, OrbStack, or docker engine',
+        hint: linux
+          ? 'install docker engine: https://docs.docker.com/engine/install/'
+          : 'install Docker Desktop, OrbStack, or docker engine',
       },
     ];
   }
   const cliRes: CheckResult = { label: 'docker cli', status: 'ok', detail: cli };
 
   // Daemon reachability via `docker info` (same probe pattern as
-  // packages/sandbox-docker/src/docker.ts:dockerInfo).
+  // packages/sandbox-docker/src/docker.ts:dockerInfo). On Linux the most common
+  // failure is not a stopped daemon but the user missing from the `docker`
+  // group — `docker info` then exits non-zero with "permission denied" on the
+  // socket. Distinguish the two so the hint points at the right fix.
   const info = await execa('docker', ['info'], { reject: false });
   if (info.exitCode !== 0) {
+    const permDenied = `${info.stderr ?? ''}`.toLowerCase().includes('permission denied');
+    let hint: string;
+    if (permDenied && linux) {
+      hint =
+        'add your user to the docker group: `sudo usermod -aG docker $USER`, then log out/in (or run `newgrp docker`)';
+    } else if (linux) {
+      hint = 'start Docker: `sudo systemctl start docker` (install docker engine if missing)';
+    } else {
+      hint = 'start Docker (Desktop / OrbStack)';
+    }
     return [
       cliRes,
       {
         label: 'docker daemon',
         status: 'warn',
-        detail: 'unreachable',
-        hint: 'start Docker (Desktop / OrbStack / `systemctl start docker`)',
+        detail: permDenied ? 'permission denied' : 'unreachable',
+        hint,
       },
     ];
   }
diff --git a/docs/linux-host-backlog.md b/docs/linux-host-backlog.md
new file mode 100644
index 0000000..f28214a
--- /dev/null
+++ b/docs/linux-host-backlog.md
@@ -0,0 +1,100 @@
+# Linux host support — backlog
+
+AgentBox's CLI grew up assuming a **macOS host**. We now want it to also run on a
+**Linux host (primarily Ubuntu)** — i.e. a developer driving `agentbox` from a Linux
+laptop/server, spinning up docker/cloud boxes from there. This file tracks what
+already works, what's been fixed, and the remaining macOS-only host assumptions.
+
+> Scope note: this is about the **host** running the CLI. The *boxes* (docker
+> images, cloud VMs) have always been Linux — that part is unaffected.
+
+## Done
+
+- **`agentbox doctor` is Linux-aware** (`apps/cli/src/lib/doctor-checks.ts`):
+  - `checkPlatform()` returns `ok` for `darwin`/`linux`, `warn` for any other OS
+    (Windows etc.) with an "untested OS" hint — instead of blindly reporting `ok`.
+  - The docker-cli "not found" hint is platform-specific (Linux points at
+    `https://docs.docker.com/engine/install/`).
+  - The docker **daemon** check now distinguishes the #1 Linux failure — `docker
+    info` exiting with *permission denied* because the user isn't in the `docker`
+    group — from a genuinely stopped daemon, and emits the right fix
+    (`sudo usermod -aG docker $USER` vs `sudo systemctl start docker`).
+  - Verified live on a clean Ubuntu 24.04 Hetzner VM (see below): both the
+    permission-denied branch and the healthy `reachable` path render correctly,
+    and the daytona/hetzner/vercel credential checks run without crashing.
+
+## How to test on Linux
+
+`scripts/linux-dev-vm.sh` manages a **persistent** clean Ubuntu VM on Hetzner
+(`cx23` / `nbg1` / `ubuntu-24.04` — the repo's hetzner defaults; cloud-init
+installs Node 20 + docker + git + tmux and a non-root `dev` user in the docker
+group with passwordless sudo). It is a bare VPS you log into and drive the CLI on
+— **not** an agentbox box. State (server id / ip / key) lives in
+`~/.agentbox/linux-dev-vm/`, so the VM survives across edit→deploy→test cycles
+until you explicitly `down` it.
+
+```bash
+scripts/linux-dev-vm.sh up                 # create (idempotent — reuses a live VM)
+scripts/linux-dev-vm.sh deploy             # build + npm pack + install -g the latest CLI
+scripts/linux-dev-vm.sh deploy --no-build  # reuse an existing dist/
+scripts/linux-dev-vm.sh ssh                # interactive shell as `dev`
+scripts/linux-dev-vm.sh ssh -- agentbox ls # run a one-off command
+scripts/linux-dev-vm.sh doctor             # two-phase doctor (perm-denied + healthy)
+scripts/linux-dev-vm.sh info               # server id / ip / ssh command
+scripts/linux-dev-vm.sh down               # destroy server + key + local state
+```
+
+`HCLOUD_TOKEN` is read from the env, then `.env.local`, then
+`~/.agentbox/secrets.env`.
+
+Notes learned the hard way:
+- Run the CLI via a **login shell** (`su - <user> -c …` / `ssh dev@…`), not
+  `sudo -u <user> <bin>` — the latter hands the node process a reduced PATH where
+  `/usr/bin` tools (git/ssh/docker) and the npm global bin aren't all resolvable,
+  so `doctor` falsely reports them "not found".
+- The `doctor` subcommand creates a throwaway `probe` user (no docker group) to
+  exercise the *permission denied* daemon branch, then runs as `dev` (in the
+  group) for the healthy path.
+
+Manual recipe (any Ubuntu host, no script):
+```bash
+# on the host
+pnpm -w build && (cd apps/cli && npm pack)        # -> madarco-agentbox-*.tgz
+scp madarco-agentbox-*.tgz user@host:~
+# on the Ubuntu box
+sudo npm install -g ./madarco-agentbox-*.tgz
+agentbox doctor                                   # inspect the report
+```
+
+## Open blockers (not yet done — host code still macOS-only)
+
+These were found while scoping the doctor change. None are needed for `doctor`
+itself; they block the wider "drive everything from Linux" goal.
+
+- **Browser open uses the macOS `open` command** — needs `xdg-open` (or `$BROWSER`)
+  on Linux:
+  - `apps/cli/src/commands/url.ts:122`
+  - `apps/cli/src/commands/screen.ts:147`
+  - `apps/cli/src/commands/code.ts:313`
+- **Host terminal spawning is iTerm2/AppleScript-only.** `detectHostTerminal()`
+  only recognizes tmux + iTerm2; `spawnInITerm2()` shells out to `osascript`
+  (`apps/cli/src/terminal/host.ts`, see the "macOS-only by design" comment near the
+  top and `spawnInITerm2` ~L112-171). Linux needs tmux (already works) and/or a
+  native terminal-emulator launch path (gnome-terminal/konsole/alacritty/`$TERMINAL`).
+- **OrbStack-only fast paths assume macOS** and should be skipped on Linux (OrbStack
+  is macOS-only; on Linux the docker socket / volume paths differ):
+  - `packages/sandbox-docker/src/host-export.ts` (`orbstackVolumePath`, ~L138)
+  - `packages/sandbox-docker/src/stats.ts:77`
+- **Docs / CLAUDE.md still describe the CLI as macOS-oriented** in places — update
+  the relevant statements once broader support lands.
+
+## Already cross-platform (verified — no work needed)
+
+- **Clipboard capture** (`apps/cli/src/lib/host-clipboard.ts`) already has a Linux
+  path (`wl-paste` for Wayland, `xclip` for X11); the macOS `sips`/`osascript` path
+  is gated behind `process.platform === 'darwin'`.
+- **Vercel CLI store** (`packages/sandbox-vercel/src/cli-store.ts`) resolves
+  `$XDG_DATA_HOME` / `~/.local/share` on Linux.
+- **Snapshot copy** (`packages/sandbox-docker/src/snapshot.ts:105`) already branches
+  `-cR` (macOS APFS CoW) vs `-R` (Linux).
+- **State/config paths** (`~/.agentbox`, `~/.ssh/config`) are all `homedir()`-based.
diff --git a/scripts/linux-dev-vm.sh b/scripts/linux-dev-vm.sh
new file mode 100755
index 0000000..1e4588a
--- /dev/null
+++ b/scripts/linux-dev-vm.sh
@@ -0,0 +1,198 @@
+#!/usr/bin/env bash
+#
+# linux-dev-vm.sh — manage a *persistent* clean Ubuntu VM on Hetzner for testing
+# `agentbox` on a Linux host. NOT an agentbox box: a bare VPS you log into and
+# drive the CLI on to check Linux compatibility of any feature.
+#
+# WHY this exists: the CLI grew up macOS-only (see docs/linux-host-backlog.md).
+# To find and fix Linux-host issues we need a real Ubuntu host that survives
+# across edit/deploy/test cycles. This script provisions one, ships the locally
+# built CLI on demand, and tears it down when you're done.
+#
+# Subcommands:
+#   up        create the VM if absent (cx23 / nbg1 / ubuntu-24.04), install
+#             node 20 + docker + git + tmux, create a non-root `dev` user
+#             (docker + passwordless sudo). Idempotent: reuses a live VM.
+#   deploy    build the monorepo, npm pack apps/cli, scp + `npm install -g` it
+#             on the VM. Re-run after local changes. Use --no-build to skip build.
+#   ssh       open an interactive shell as `dev` (or run: `linux-dev-vm.sh ssh -- uptime`)
+#   doctor    run `agentbox doctor --provider docker` twice — as a user NOT in
+#             the docker group (permission-denied branch) and as `dev` (healthy).
+#   info      print server id / ip / ssh command / state file
+#   down      destroy the server + SSH key + local state
+#
+# State (server id, ip, key) persists in ~/.agentbox/linux-dev-vm/ so every
+# subcommand targets the same VM. `down` is the only thing that deletes it.
+#
+# HCLOUD_TOKEN is read from env, else .env.local, else ~/.agentbox/secrets.env.
+set -euo pipefail
+
+REPO_ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
+API="https://api.hetzner.cloud/v1"
+STATE_DIR="$HOME/.agentbox/linux-dev-vm"
+STATE_FILE="$STATE_DIR/state.json"
+KEY="$STATE_DIR/id_ed25519"
+NAME="agentbox-linux-dev"
+SERVER_TYPE="cx23"
+LOCATION="nbg1"
+IMAGE="ubuntu-24.04"
+SSH_OPTS=(-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ConnectTimeout=8 -o LogLevel=ERROR)
+
+die() { echo "error: $*" >&2; exit 1; }
+
+# --- token -------------------------------------------------------------------
+resolve_token() {
+  if [[ -z "${HCLOUD_TOKEN:-}" && -f "$REPO_ROOT/.env.local" ]]; then
+    HCLOUD_TOKEN="$(grep -E '^HCLOUD_TOKEN=' "$REPO_ROOT/.env.local" | head -1 | cut -d= -f2- | tr -d '"' || true)"
+  fi
+  if [[ -z "${HCLOUD_TOKEN:-}" && -f "$HOME/.agentbox/secrets.env" ]]; then
+    HCLOUD_TOKEN="$(grep -E '^HCLOUD_TOKEN=' "$HOME/.agentbox/secrets.env" | head -1 | cut -d= -f2- | tr -d '"' || true)"
+  fi
+  [[ -n "${HCLOUD_TOKEN:-}" ]] || die "HCLOUD_TOKEN not found (env / .env.local / ~/.agentbox/secrets.env)"
+}
+
+# Tiny JSON field extractor (node is always present in this repo; jq is not).
+jget() { node -e 'let s="";process.stdin.on("data",d=>s+=d).on("end",()=>{const o=JSON.parse(s);const p=process.argv[1].split(".");let v=o;for(const k of p)v=(v==null?undefined:v[k]);process.stdout.write(v==null?"":String(v));})' "$1"; }
+
+api() {
+  # api <METHOD> <PATH> [json-body]
+  local method="$1" path="$2" body="${3:-}"
+  if [[ -n "$body" ]]; then
+    curl -fsS -X "$method" -H "Authorization: Bearer $HCLOUD_TOKEN" -H "Content-Type: application/json" -d "$body" "$API$path"
+  else
+    curl -fsS -X "$method" -H "Authorization: Bearer $HCLOUD_TOKEN" "$API$path"
+  fi
+}
+
+state_get() { [[ -f "$STATE_FILE" ]] && jget "$1" < "$STATE_FILE" || true; }
+
+require_vm() {
+  [[ -f "$STATE_FILE" ]] || die "no VM — run \`$0 up\` first"
+  IP="$(state_get ip)"
+  [[ -n "$IP" ]] || die "state file has no ip; \`$0 down\` and re-\`up\`"
+}
+
+ssh_dev() { ssh -i "$KEY" "${SSH_OPTS[@]}" "dev@$IP" "$@"; }
+ssh_root() { ssh -i "$KEY" "${SSH_OPTS[@]}" "root@$IP" "$@"; }
+
+# --- cloud-init: node 20 + docker + git + tmux, non-root `dev` user ----------
+cloud_init() {
+cat <<'EOF'
+#cloud-config
+package_update: true
+runcmd:
+  - curl -fsSL https://deb.nodesource.com/setup_20.x | bash -
+  - apt-get install -y nodejs docker.io git tmux ca-certificates
+  - systemctl enable --now docker
+  - id dev >/dev/null 2>&1 || useradd -m -s /bin/bash dev
+  - usermod -aG docker dev
+  - echo 'dev ALL=(ALL) NOPASSWD:ALL' > /etc/sudoers.d/90-dev
+  - install -d -m 700 -o dev -g dev /home/dev/.ssh
+  - cp /root/.ssh/authorized_keys /home/dev/.ssh/authorized_keys
+  - chown dev:dev /home/dev/.ssh/authorized_keys
+  - chmod 600 /home/dev/.ssh/authorized_keys
+  - touch /var/lib/cloud/agentbox-ready
+EOF
+}
+
+cmd_up() {
+  resolve_token
+  mkdir -p "$STATE_DIR"
+  local sid; sid="$(state_get server_id)"
+  if [[ -n "$sid" ]] && api GET "/servers/$sid" >/dev/null 2>&1; then
+    echo ">> VM already up (server_id=$sid)"; cmd_info; return 0
+  fi
+
+  [[ -f "$KEY" ]] || ssh-keygen -t ed25519 -N "" -C "$NAME" -f "$KEY" >/dev/null
+  local pub; pub="$(cat "$KEY.pub")"
+  local suffix; suffix="$(date +%s)"
+  echo ">> uploading ssh key"
+  local key_resp key_id
+  key_resp="$(api POST /ssh_keys "$(node -e 'console.log(JSON.stringify({name:process.argv[1],public_key:process.argv[2]}))' "$NAME-$suffix" "$pub")")"
+  key_id="$(printf '%s' "$key_resp" | jget ssh_key.id)"
+
+  echo ">> creating $SERVER_TYPE/$LOCATION $IMAGE server '$NAME'"
+  local body create ip server_id
+  body="$(node -e 'console.log(JSON.stringify({name:process.argv[1],server_type:process.argv[2],location:process.argv[3],image:process.argv[4],ssh_keys:[Number(process.argv[5])],user_data:process.argv[6],public_net:{enable_ipv4:true,enable_ipv6:false}}))' "$NAME" "$SERVER_TYPE" "$LOCATION" "$IMAGE" "$key_id" "$(cloud_init)")"
+  create="$(api POST /servers "$body")"
+  server_id="$(printf '%s' "$create" | jget server.id)"
+  ip="$(printf '%s' "$create" | jget server.public_net.ipv4.ip)"
+  node -e 'const fs=require("fs");fs.writeFileSync(process.argv[1],JSON.stringify({server_id:Number(process.argv[2]),ip:process.argv[3],ssh_key_id:Number(process.argv[4])},null,2)+"\n")' "$STATE_FILE" "$server_id" "$ip" "$key_id"
+  echo "   server_id=$server_id ip=$ip"
+
+  echo ">> waiting for SSH"
+  for i in $(seq 1 60); do
+    if ssh -i "$KEY" "${SSH_OPTS[@]}" "root@$ip" true 2>/dev/null; then break; fi
+    sleep 5; [[ "$i" == "60" ]] && die "ssh never came up"
+  done
+  echo ">> waiting for cloud-init (node + docker + dev user)"
+  ssh -i "$KEY" "${SSH_OPTS[@]}" "root@$ip" 'cloud-init status --wait >/dev/null 2>&1 || true; until [ -f /var/lib/cloud/agentbox-ready ]; do sleep 3; done'
+  echo ">> ready:"
+  ssh -i "$KEY" "${SSH_OPTS[@]}" "root@$ip" 'echo "   node=$(node -v) docker=$(docker --version) git=$(git --version)"'
+  cmd_info
+}
+
+cmd_deploy() {
+  require_vm
+  local build=1
+  for a in "$@"; do [[ "$a" == "--no-build" ]] && build=0; done
+  if [[ "$build" == "1" ]]; then echo ">> pnpm -w build"; (cd "$REPO_ROOT" && pnpm -w build); fi
+  local tmp tarball
+  tmp="$(mktemp -d)"
+  echo ">> npm pack apps/cli"
+  tarball="$(cd "$REPO_ROOT/apps/cli" && npm pack --silent --pack-destination "$tmp")"
+  echo ">> scp + npm install -g on the VM"
+  scp -i "$KEY" "${SSH_OPTS[@]}" "$tmp/$tarball" "dev@$IP:/home/dev/$tarball"
+  ssh_dev "sudo npm install -g --no-fund --no-audit /home/dev/$tarball && echo \"installed agentbox \$(agentbox --version)\""
+  rm -rf "$tmp"
+}
+
+cmd_ssh() {
+  require_vm
+  # `linux-dev-vm.sh ssh`            -> interactive shell
+  # `linux-dev-vm.sh ssh -- <cmd…>`  -> run a command
+  if [[ "${1:-}" == "--" ]]; then shift; ssh_dev "$@"; else ssh_dev "$@"; fi
+}
+
+cmd_doctor() {
+  require_vm
+  ssh_dev 'command -v agentbox >/dev/null' || die "agentbox not installed on the VM — run: $0 deploy"
+  # A user NOT in the docker group exercises the permission-denied branch.
+  ssh_root 'id probe >/dev/null 2>&1 || { useradd -m -s /bin/bash probe; install -d -m 700 -o probe -g probe /home/probe/.ssh; }'
+  echo ""
+  echo "============ doctor #1: user NOT in docker group (permission denied) ============"
+  ssh_root 'su - probe -c "NO_COLOR=1 agentbox doctor --provider docker" || true'
+  echo ""
+  echo "============ doctor #2: dev user IN docker group (healthy) ============"
+  ssh_dev 'sg docker -c "NO_COLOR=1 agentbox doctor --provider docker" || true'
+}
+
+cmd_info() {
+  [[ -f "$STATE_FILE" ]] || { echo "no VM (state file absent)"; return 0; }
+  IP="$(state_get ip)"
+  echo "server_id : $(state_get server_id)"
+  echo "ip        : $IP"
+  echo "ssh       : ssh -i $KEY dev@$IP"
+  echo "state     : $STATE_FILE"
+}
+
+cmd_down() {
+  resolve_token
+  [[ -f "$STATE_FILE" ]] || { echo "no VM to delete"; return 0; }
+  local sid kid; sid="$(state_get server_id)"; kid="$(state_get ssh_key_id)"
+  echo ">> deleting server $sid + ssh key $kid"
+  [[ -n "$sid" ]] && api DELETE "/servers/$sid" >/dev/null 2>&1 || true
+  [[ -n "$kid" ]] && api DELETE "/ssh_keys/$kid" >/dev/null 2>&1 || true
+  rm -rf "$STATE_DIR"
+  echo ">> done"
+}
+
+case "${1:-}" in
+  up) shift; cmd_up "$@" ;;
+  deploy) shift; cmd_deploy "$@" ;;
+  ssh) shift; cmd_ssh "$@" ;;
+  doctor) shift; cmd_doctor "$@" ;;
+  info) shift; cmd_info "$@" ;;
+  down) shift; cmd_down "$@" ;;
+  *) echo "usage: $0 {up|deploy|ssh|doctor|info|down} [args]" >&2; exit 2 ;;
+esac

From 38e75f12564dc865c7c837306d8b68ceacd6f5c0 Mon Sep 17 00:00:00 2001
From: Marco D'Alia <github@madarco.it>
Date: Sat, 30 May 2026 23:30:52 +0100
Subject: [PATCH 02/11] feat(linux): host-open helper + xdg-open for cloud
 login dashboards

Add hostOpenCommand() to @agentbox/sandbox-core (darwin -> open, linux ->
xdg-open) so opening a URL/path works on a Linux host, with a unit test.

Use it in the daytona/vercel/hetzner login dashboard openers, which were
hardcoded to the macOS `open` command (a no-op/error on Linux). First step of
the docs/linux-host-backlog.md 'browser open' item.
---
 packages/sandbox-core/src/host-open.ts       | 13 ++++++++++
 packages/sandbox-core/src/index.ts           |  1 +
 packages/sandbox-core/test/host-open.test.ts | 25 ++++++++++++++++++++
 packages/sandbox-daytona/src/credentials.ts  |  3 ++-
 packages/sandbox-hetzner/src/credentials.ts  |  3 ++-
 packages/sandbox-vercel/src/credentials.ts   |  3 ++-
 6 files changed, 45 insertions(+), 3 deletions(-)
 create mode 100644 packages/sandbox-core/src/host-open.ts
 create mode 100644 packages/sandbox-core/test/host-open.test.ts

diff --git a/packages/sandbox-core/src/host-open.ts b/packages/sandbox-core/src/host-open.ts
new file mode 100644
index 0000000..6250686
--- /dev/null
+++ b/packages/sandbox-core/src/host-open.ts
@@ -0,0 +1,13 @@
+/**
+ * The host command that opens a URL or file path in the OS default handler.
+ *
+ * macOS ships `open`; Linux uses `xdg-open` (from `xdg-utils`, present on any
+ * desktop install). We deliberately return only the binary name and let each
+ * call site keep its own spawn semantics (sync/async, stdio, detached) — the
+ * single platform decision lives here so adding a host platform is a one-line
+ * change. Callers already treat a non-zero exit / ENOENT as "couldn't
+ * auto-open" and print the target, so an absent `xdg-open` degrades cleanly.
+ */
+export function hostOpenCommand(): string {
+  return process.platform === 'linux' ? 'xdg-open' : 'open';
+}
diff --git a/packages/sandbox-core/src/index.ts b/packages/sandbox-core/src/index.ts
index 144234a..528589e 100644
--- a/packages/sandbox-core/src/index.ts
+++ b/packages/sandbox-core/src/index.ts
@@ -16,6 +16,7 @@ export {
   pickFreshBranch,
   type DetectedGitRepo,
 } from './git-detect.js';
+export { hostOpenCommand } from './host-open.js';
 export {
   computeContextSha256,
   DOCKER_CONTEXT_FILE_MAP,
diff --git a/packages/sandbox-core/test/host-open.test.ts b/packages/sandbox-core/test/host-open.test.ts
new file mode 100644
index 0000000..f05bdb9
--- /dev/null
+++ b/packages/sandbox-core/test/host-open.test.ts
@@ -0,0 +1,25 @@
+import { afterEach, describe, expect, it } from 'vitest';
+import { hostOpenCommand } from '../src/host-open.js';
+
+describe('hostOpenCommand', () => {
+  const original = process.platform;
+  const setPlatform = (value: NodeJS.Platform) =>
+    Object.defineProperty(process, 'platform', { value, configurable: true });
+
+  afterEach(() => setPlatform(original));
+
+  it('uses xdg-open on Linux', () => {
+    setPlatform('linux');
+    expect(hostOpenCommand()).toBe('xdg-open');
+  });
+
+  it('uses open on macOS', () => {
+    setPlatform('darwin');
+    expect(hostOpenCommand()).toBe('open');
+  });
+
+  it('falls back to open on other platforms', () => {
+    setPlatform('win32');
+    expect(hostOpenCommand()).toBe('open');
+  });
+});
diff --git a/packages/sandbox-daytona/src/credentials.ts b/packages/sandbox-daytona/src/credentials.ts
index bde2770..9b860c5 100644
--- a/packages/sandbox-daytona/src/credentials.ts
+++ b/packages/sandbox-daytona/src/credentials.ts
@@ -1,4 +1,5 @@
 import { spawnSync } from 'node:child_process';
+import { hostOpenCommand } from '@agentbox/sandbox-core';
 import {
   chmodSync,
   existsSync,
@@ -248,7 +249,7 @@ function persistCredentials(creds: Credentials): void {
 
 function openDashboard(): void {
   try {
-    const r = spawnSync('open', [DASHBOARD_KEYS_URL], { stdio: 'ignore' });
+    const r = spawnSync(hostOpenCommand(), [DASHBOARD_KEYS_URL], { stdio: 'ignore' });
     if (r.status !== 0) {
       log.warn(`Could not auto-open the browser — visit ${DASHBOARD_KEYS_URL} manually.`);
     }
diff --git a/packages/sandbox-hetzner/src/credentials.ts b/packages/sandbox-hetzner/src/credentials.ts
index 04e42f9..717251f 100644
--- a/packages/sandbox-hetzner/src/credentials.ts
+++ b/packages/sandbox-hetzner/src/credentials.ts
@@ -1,4 +1,5 @@
 import { spawnSync } from 'node:child_process';
+import { hostOpenCommand } from '@agentbox/sandbox-core';
 import {
   chmodSync,
   existsSync,
@@ -195,7 +196,7 @@ function persistCredentials(creds: Credentials): void {
 
 function openDashboard(): void {
   try {
-    const r = spawnSync('open', [DASHBOARD_KEYS_URL], { stdio: 'ignore' });
+    const r = spawnSync(hostOpenCommand(), [DASHBOARD_KEYS_URL], { stdio: 'ignore' });
     if (r.status !== 0) {
       log.warn(`Could not auto-open the browser — visit ${DASHBOARD_KEYS_URL} manually.`);
     }
diff --git a/packages/sandbox-vercel/src/credentials.ts b/packages/sandbox-vercel/src/credentials.ts
index 7125f78..a0c74f5 100644
--- a/packages/sandbox-vercel/src/credentials.ts
+++ b/packages/sandbox-vercel/src/credentials.ts
@@ -8,6 +8,7 @@ import {
 } from 'node:fs';
 import { homedir } from 'node:os';
 import { dirname, resolve } from 'node:path';
+import { hostOpenCommand } from '@agentbox/sandbox-core';
 import {
   confirm,
   isCancel,
@@ -389,7 +390,7 @@ function openDashboard(): void {
   // Lazy import keeps node:child_process out of the module's load cost.
   import('node:child_process')
     .then(({ spawnSync }) => {
-      const r = spawnSync('open', [DASHBOARD_TOKENS_URL], { stdio: 'ignore' });
+      const r = spawnSync(hostOpenCommand(), [DASHBOARD_TOKENS_URL], { stdio: 'ignore' });
       if (r.status !== 0) {
         log.warn(`Could not auto-open the browser — visit ${DASHBOARD_TOKENS_URL} manually.`);
       }

From 63cb1f53066fb13c977838e3edbba29631c61656 Mon Sep 17 00:00:00 2001
From: Marco D'Alia <github@madarco.it>
Date: Sat, 30 May 2026 23:55:44 +0100
Subject: [PATCH 03/11] feat(linux): route all host URL/file opens through
 hostOpenCommand

Swap the remaining hardcoded macOS `open` launchers to hostOpenCommand()
(open on macOS, xdg-open on Linux) so they work on a Linux host:

- apps/cli: url, screen, code (CLI-missing fallback), open (sshfs reveal),
  dashboard (VNC/web/code openers)
- relay: box-initiated 'open link on host' (host-actions.ts, server.ts)
- sandbox-docker: checkpoint/export reveal (host-export.ts)

Completes the docs/linux-host-backlog.md 'browser open' item (moved to Done).
---
 apps/cli/src/commands/code.ts              |  5 +++--
 apps/cli/src/commands/dashboard.ts         |  8 ++++----
 apps/cli/src/commands/open.ts              |  8 +++++---
 apps/cli/src/commands/screen.ts            |  3 ++-
 apps/cli/src/commands/url.ts               |  3 ++-
 docs/linux-host-backlog.md                 | 18 +++++++++++++-----
 packages/relay/src/host-actions.ts         | 10 +++++-----
 packages/relay/src/server.ts               |  3 ++-
 packages/sandbox-docker/src/host-export.ts |  3 ++-
 9 files changed, 38 insertions(+), 23 deletions(-)

diff --git a/apps/cli/src/commands/code.ts b/apps/cli/src/commands/code.ts
index eb9c7e2..4150e70 100644
--- a/apps/cli/src/commands/code.ts
+++ b/apps/cli/src/commands/code.ts
@@ -1,6 +1,7 @@
 import { spawn } from 'node:child_process';
 import { log } from '@clack/prompts';
 import { Command, InvalidArgumentError } from 'commander';
+import { hostOpenCommand } from '@agentbox/sandbox-core';
 import type { BoxRecord } from '@agentbox/core';
 import type { StatusReply, WaitReadyReply } from '@agentbox/ctl';
 import { loadEffectiveConfig, type IdeFlavor as ConfigIdeFlavor, type UserConfig } from '@agentbox/config';
@@ -307,10 +308,10 @@ async function launchOne(flavor: IdeFlavor, folderUri: string): Promise<LaunchRe
   const cliCode = await spawnCommand(profile.cli, ['--folder-uri', folderUri]);
   if (cliCode !== 127) return { code: cliCode, flavor, via: 'cli' };
   log.warn(
-    `\`${profile.cli}\` not found in PATH; falling back to \`open ${profile.protocolScheme}://...\` (the %2B URL-encoding bug may break attach)`,
+    `\`${profile.cli}\` not found in PATH; falling back to \`${hostOpenCommand()} ${profile.protocolScheme}://...\` (the %2B URL-encoding bug may break attach)`,
   );
   const url = `${profile.protocolScheme}://${folderUri.replace(/^vscode-remote:\/\//, 'vscode-remote/')}`;
-  const fallback = await spawnCommand('open', [url]);
+  const fallback = await spawnCommand(hostOpenCommand(), [url]);
   return { code: fallback, flavor, via: 'open' };
 }
 
diff --git a/apps/cli/src/commands/dashboard.ts b/apps/cli/src/commands/dashboard.ts
index 1e8754c..88a85fe 100644
--- a/apps/cli/src/commands/dashboard.ts
+++ b/apps/cli/src/commands/dashboard.ts
@@ -31,7 +31,7 @@ import {
   waitForTmuxPaneContent,
   type ListedBox,
 } from '@agentbox/sandbox-docker';
-import { readState } from '@agentbox/sandbox-core';
+import { hostOpenCommand, readState } from '@agentbox/sandbox-core';
 import type { BoxRecord } from '@agentbox/core';
 import { resolveBoxOrExit } from '../box-ref.js';
 import { resolveClaudeAuth } from '../auth.js';
@@ -557,9 +557,9 @@ export const dashboardCommand = new Command('dashboard')
         } catch {
           // Best-effort — still open the viewer even if the box isn't running.
         }
-        detach('open', [url]);
+        detach(hostOpenCommand(), [url]);
         if (exposedWebUrl) {
-          detach('open', [exposedWebUrl]);
+          detach(hostOpenCommand(), [exposedWebUrl]);
           return 'Opening VNC + web in browser…';
         }
         return 'Opening VNC in browser…';
@@ -569,7 +569,7 @@ export const dashboardCommand = new Command('dashboard')
         const box = (await listBoxes()).find((b) => b.id === boxId);
         if (!box) return 'box not found';
         const { url } = webTarget(box);
-        detach('open', [url]);
+        detach(hostOpenCommand(), [url]);
         return `Opening ${url.replace(/^https?:\/\//, '')}…`;
       };
 
diff --git a/apps/cli/src/commands/open.ts b/apps/cli/src/commands/open.ts
index 6d9798b..d37730e 100644
--- a/apps/cli/src/commands/open.ts
+++ b/apps/cli/src/commands/open.ts
@@ -4,6 +4,7 @@ import { existsSync, mkdirSync } from 'node:fs';
 import { homedir } from 'node:os';
 import { join } from 'node:path';
 import type { BoxRecord } from '@agentbox/core';
+import { hostOpenCommand } from '@agentbox/sandbox-core';
 import { openBoxInFinder } from '@agentbox/sandbox-docker';
 import { Command } from 'commander';
 import { resolveBoxOrExit } from '../box-ref.js';
@@ -156,9 +157,10 @@ async function runCloudOpen(
   if (mount.exitCode !== 0) {
     throw new Error(`sshfs mount failed (exit ${String(mount.exitCode)}): ${mount.stderr || mount.stdout}`);
   }
-  // `open` on macOS reveals the dir in Finder. On non-macOS this is a no-op
-  // / error — degrade silently because the mount path is already printed.
-  await execa('open', [mountRoot], { reject: false });
+  // Reveal the mount in the OS file manager (Finder on macOS, the default
+  // handler via xdg-open on Linux). Best-effort — the mount path is already
+  // printed, so a missing opener degrades silently.
+  await execa(hostOpenCommand(), [mountRoot], { reject: false });
   process.stdout.write(`opened ${mountRoot}\n`);
   process.stdout.write(`unmount later with: agentbox open ${box.name} --unmount\n`);
 }
diff --git a/apps/cli/src/commands/screen.ts b/apps/cli/src/commands/screen.ts
index c30ffd9..09446a2 100644
--- a/apps/cli/src/commands/screen.ts
+++ b/apps/cli/src/commands/screen.ts
@@ -1,5 +1,6 @@
 import { spawnSync } from 'node:child_process';
 import { log } from '@clack/prompts';
+import { hostOpenCommand } from '@agentbox/sandbox-core';
 import {
   buildVncUrls,
   detectEngine,
@@ -173,7 +174,7 @@ export const screenCommand = new Command('screen')
         return;
       }
 
-      const opened = spawnSync('open', [url], { stdio: 'inherit' });
+      const opened = spawnSync(hostOpenCommand(), [url], { stdio: 'inherit' });
       if (opened.status !== 0) {
         throw new Error(`open ${url} failed (exit ${String(opened.status ?? 'n/a')})`);
       }
diff --git a/apps/cli/src/commands/url.ts b/apps/cli/src/commands/url.ts
index db43946..8bd96a1 100644
--- a/apps/cli/src/commands/url.ts
+++ b/apps/cli/src/commands/url.ts
@@ -1,5 +1,6 @@
 import { spawnSync } from 'node:child_process';
 import { log } from '@clack/prompts';
+import { hostOpenCommand } from '@agentbox/sandbox-core';
 import {
   detectEngine,
   getBoxHostPaths,
@@ -119,7 +120,7 @@ export const urlCommand = new Command('url')
         return;
       }
 
-      const opened = spawnSync('open', [url], { stdio: 'inherit' });
+      const opened = spawnSync(hostOpenCommand(), [url], { stdio: 'inherit' });
       if (opened.status !== 0) {
         throw new Error(`open ${url} failed (exit ${String(opened.status ?? 'n/a')})`);
       }
diff --git a/docs/linux-host-backlog.md b/docs/linux-host-backlog.md
index f28214a..5285b51 100644
--- a/docs/linux-host-backlog.md
+++ b/docs/linux-host-backlog.md
@@ -23,6 +23,19 @@ already works, what's been fixed, and the remaining macOS-only host assumptions.
     permission-denied branch and the healthy `reachable` path render correctly,
     and the daytona/hetzner/vercel credential checks run without crashing.
 
+- **Host browser/file opening uses `xdg-open` on Linux.** Added
+  `hostOpenCommand()` to `@agentbox/sandbox-core` (`darwin` -> `open`, `linux` ->
+  `xdg-open`) with a unit test, and routed every host-side launcher through it
+  instead of the hardcoded macOS `open`:
+  - apps/cli: `url`, `screen`, `code` (CLI-missing fallback), `open` (sshfs mount
+    reveal), `dashboard` (VNC/web/code openers)
+  - relay: the box-initiated "open link on host" path (`host-actions.ts`,
+    `server.ts`)
+  - cloud login dashboards: daytona / vercel / hetzner `credentials.ts`
+  - `sandbox-docker` checkpoint/export reveal (`host-export.ts`)
+  - Verified live on the Ubuntu VM: `agentbox url <box>` launches via `xdg-open`
+    (not `open`) — see the dev-VM E2E below.
+
 ## How to test on Linux
 
 `scripts/linux-dev-vm.sh` manages a **persistent** clean Ubuntu VM on Hetzner
@@ -71,11 +84,6 @@ agentbox doctor                                   # inspect the report
 These were found while scoping the doctor change. None are needed for `doctor`
 itself; they block the wider "drive everything from Linux" goal.
 
-- **Browser open uses the macOS `open` command** — needs `xdg-open` (or `$BROWSER`)
-  on Linux:
-  - `apps/cli/src/commands/url.ts:122`
-  - `apps/cli/src/commands/screen.ts:147`
-  - `apps/cli/src/commands/code.ts:313`
 - **Host terminal spawning is iTerm2/AppleScript-only.** `detectHostTerminal()`
   only recognizes tmux + iTerm2; `spawnInITerm2()` shells out to `osascript`
   (`apps/cli/src/terminal/host.ts`, see the "macOS-only by design" comment near the
diff --git a/packages/relay/src/host-actions.ts b/packages/relay/src/host-actions.ts
index e471ce8..a2b3c74 100644
--- a/packages/relay/src/host-actions.ts
+++ b/packages/relay/src/host-actions.ts
@@ -19,7 +19,7 @@ import { mkdtemp, rm } from 'node:fs/promises';
 import { tmpdir } from 'node:os';
 import { join } from 'node:path';
 import type { CloudBackend, CloudHandle } from '@agentbox/core';
-import { findBox, readState } from '@agentbox/sandbox-core';
+import { findBox, hostOpenCommand, readState } from '@agentbox/sandbox-core';
 import {
   assertGhReady,
   checkoutGuards,
@@ -394,11 +394,11 @@ async function runBrowserOpenMirror(
       { ttlMs: TTL_MS },
     );
     if (verdict.answer === 'y' && !verdict.cancelled) {
-      // macOS `open` is the only supported launcher today (Daytona client is
-      // mac/Linux; on Linux the same call no-ops or errors — either way the
-      // box doesn't observe). Spawn detached so the relay loop isn't blocked.
+      // Open on the host's default handler (`open` on macOS, `xdg-open` on
+      // Linux). Spawn detached so the relay loop isn't blocked; the box never
+      // observes the outcome.
       const { spawn } = await import('node:child_process');
-      const child = spawn('open', [url], { stdio: 'ignore', detached: true });
+      const child = spawn(hostOpenCommand(), [url], { stdio: 'ignore', detached: true });
       child.unref();
     }
   } catch (err) {
diff --git a/packages/relay/src/server.ts b/packages/relay/src/server.ts
index 1b257eb..3b33eec 100644
--- a/packages/relay/src/server.ts
+++ b/packages/relay/src/server.ts
@@ -3,6 +3,7 @@ import { createServer, type IncomingMessage, type Server, type ServerResponse }
 import { executeCloudAction, refreshCloudPreviewUrl } from './host-actions.js';
 import { HostActionQueue } from './host-action-queue.js';
 import { BoxNotices } from './notices.js';
+import { hostOpenCommand } from '@agentbox/sandbox-core';
 import {
   assertGhReady,
   checkoutGuards,
@@ -569,7 +570,7 @@ export function createRelayServer(opts: RelayServerOptions): RelayServerHandle {
             )
               .then((verdict) => {
                 if (verdict.answer === 'y' && !verdict.cancelled) {
-                  void runHostCommand(['open', url], BROWSER_OPEN_RPC_TIMEOUT_MS);
+                  void runHostCommand([hostOpenCommand(), url], BROWSER_OPEN_RPC_TIMEOUT_MS);
                 }
               })
               .catch(() => {
diff --git a/packages/sandbox-docker/src/host-export.ts b/packages/sandbox-docker/src/host-export.ts
index e5ee15e..33fe92a 100644
--- a/packages/sandbox-docker/src/host-export.ts
+++ b/packages/sandbox-docker/src/host-export.ts
@@ -3,6 +3,7 @@ import { homedir } from 'node:os';
 import { join } from 'node:path';
 import { execa } from 'execa';
 import { sanitizeMnemonic } from '@agentbox/config';
+import { hostOpenCommand } from '@agentbox/sandbox-core';
 import type { ResolvedCarryEntry } from '@agentbox/core';
 import type { BoxStatus } from '@agentbox/ctl';
 import { execInBox } from './docker.js';
@@ -673,7 +674,7 @@ export async function openInFinder(
   }
 
   if (!opts.noOpen) {
-    const opened = await execa('open', [hostPath], { reject: false });
+    const opened = await execa(hostOpenCommand(), [hostPath], { reject: false });
     if (opened.exitCode !== 0) {
       throw new ExportError(`open ${hostPath} failed`, opened.stdout, opened.stderr);
     }

From 57877e30c2b3ae5ce84957a572244ae711b370fe Mon Sep 17 00:00:00 2001
From: Marco D'Alia <github@madarco.it>
Date: Sun, 31 May 2026 09:40:07 +0100
Subject: [PATCH 04/11] fix(box-id): prefix box ids with 'b' so they are never
 all-digits
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Box ids were randomBytes(4).toString('hex') (8 hex chars), so ~2.3% came
out all decimal digits (e.g. 26524695). resolveBoxRef treats a bare
positive integer as a per-project index only and never falls through to
id match, so an all-digit id was unresolvable — breaking any id-targeting
command (surfaced via the relay's `checkpoint create <boxId>` in the
hetzner setup wizard).

Fix at the source: tag ids with a leading non-digit. New shared
@agentbox/core generateBoxId() returns `b`+8hex, used by both id mints
(docker create + cloud-provider, covering daytona/hetzner/vercel). Keeps
the clean "numeric ref = index" invariant and sets up a typed-id
namespace (b=box, room for c=checkpoint).
---
 packages/core/src/identity.ts                | 20 ++++++++++++++++++++
 packages/core/src/index.ts                   |  1 +
 packages/sandbox-cloud/src/cloud-provider.ts |  4 ++--
 packages/sandbox-docker/src/create.ts        |  7 +------
 4 files changed, 24 insertions(+), 8 deletions(-)
 create mode 100644 packages/core/src/identity.ts

diff --git a/packages/core/src/identity.ts b/packages/core/src/identity.ts
new file mode 100644
index 0000000..1327713
--- /dev/null
+++ b/packages/core/src/identity.ts
@@ -0,0 +1,20 @@
+import { randomBytes } from 'node:crypto';
+
+/**
+ * Stable identity helpers shared across providers. Currently just the per-box
+ * id mint; checkpoint ids etc. can join later under their own prefix.
+ */
+
+/**
+ * Type tag prefixed to every minted box id so the kind is readable at a glance
+ * and id namespaces can grow without colliding (reserve `c` for checkpoints,
+ * etc.). The leading non-digit is load-bearing: it guarantees a box id is never
+ * an all-decimal string, which would otherwise collide with the per-project
+ * numeric index in `resolveBoxRef` (`agentbox open 4`) and make all-digit ids
+ * unresolvable.
+ */
+export const BOX_ID_PREFIX = 'b';
+
+export function generateBoxId(): string {
+  return `${BOX_ID_PREFIX}${randomBytes(4).toString('hex')}`;
+}
diff --git a/packages/core/src/index.ts b/packages/core/src/index.ts
index dcc70f9..8c49771 100644
--- a/packages/core/src/index.ts
+++ b/packages/core/src/index.ts
@@ -51,3 +51,4 @@ export type {
   CloudVolumeMount,
 } from './cloud-backend.js';
 export { AmbiguousBoxError, BoxNotFoundError } from './errors.js';
+export { BOX_ID_PREFIX, generateBoxId } from './identity.js';
diff --git a/packages/sandbox-cloud/src/cloud-provider.ts b/packages/sandbox-cloud/src/cloud-provider.ts
index 076a7e6..6489d1c 100644
--- a/packages/sandbox-cloud/src/cloud-provider.ts
+++ b/packages/sandbox-cloud/src/cloud-provider.ts
@@ -11,8 +11,8 @@
  * "no relay configured" error.
  */
 
-import { randomBytes } from 'node:crypto';
 import { basename } from 'node:path';
+import { generateBoxId } from '@agentbox/core';
 import type {
   AttachKind,
   AttachSpec,
@@ -248,7 +248,7 @@ export function createCloudProvider(
     name: string;
     branch: string;
   } {
-    const id = randomBytes(4).toString('hex');
+    const id = generateBoxId();
     const name = req.name ?? `${basename(req.workspacePath)}-${id}`;
     return {
       id,
diff --git a/packages/sandbox-docker/src/create.ts b/packages/sandbox-docker/src/create.ts
index 45c5286..c5a2655 100644
--- a/packages/sandbox-docker/src/create.ts
+++ b/packages/sandbox-docker/src/create.ts
@@ -1,4 +1,3 @@
-import { randomBytes } from 'node:crypto';
 import { mkdir, stat } from 'node:fs/promises';
 import { homedir } from 'node:os';
 import { basename, join, resolve } from 'node:path';
@@ -73,7 +72,7 @@ import {
   type BoxRecord,
   type GitWorktreeRecord,
 } from './state.js';
-import type { ResolvedCarryEntry } from '@agentbox/core';
+import { generateBoxId, type ResolvedCarryEntry } from '@agentbox/core';
 import { createSnapshot, snapshotPathFor } from './snapshot.js';
 import { resolveCheckpoint } from './checkpoint.js';
 import {
@@ -261,10 +260,6 @@ function persistableLimits(
   return Object.keys(out).length > 0 ? out : undefined;
 }
 
-function generateBoxId(): string {
-  return randomBytes(4).toString('hex');
-}
-
 export function sanitizeBasename(workspacePath: string): string {
   const raw = basename(resolve(workspacePath));
   return raw

From 4c506216d9d64f596f5d0f42f8bc00eb730f67cc Mon Sep 17 00:00:00 2001
From: Marco D'Alia <github@madarco.it>
Date: Sun, 31 May 2026 09:41:46 +0100
Subject: [PATCH 05/11] docs(linux): tmux-only terminal attach on Linux (by
 decision)

tmux is detected via $TMUX on every host, so attach-in-new-window works on
Linux inside tmux; iTerm2/AppleScript stays macOS-only and native Linux
emulators are out of scope for now (falls back to same-terminal attach).
Correct the now-stale 'CLI is macOS-only' comment in terminal/host.ts and move
the terminal item from open-blockers to a documented decision.
---
 apps/cli/src/terminal/host.ts |  7 +++++--
 docs/linux-host-backlog.md    | 14 +++++++++-----
 2 files changed, 14 insertions(+), 7 deletions(-)

diff --git a/apps/cli/src/terminal/host.ts b/apps/cli/src/terminal/host.ts
index 0494807..73f3fee 100644
--- a/apps/cli/src/terminal/host.ts
+++ b/apps/cli/src/terminal/host.ts
@@ -8,8 +8,11 @@ export type HostTerminal = 'tmux' | 'iterm2' | 'unknown';
  * when nested — when `TMUX` is set, the tmux CLI is the right primitive (it can
  * split the current pane / open a new window without going through AppleScript).
  *
- * macOS-only by design: the CLI itself is macOS-only (see CLAUDE.md), so we
- * don't try to recognize gnome-terminal / alacritty / Windows Terminal.
+ * tmux is recognized on every host (macOS + Linux) — its CLI is the portable
+ * primitive. The iTerm2 path is macOS-only (it drives AppleScript). On Linux we
+ * deliberately don't recognize native emulators (gnome-terminal / alacritty /
+ * konsole) yet: outside tmux the caller falls back to attaching in the current
+ * terminal. See docs/linux-host-backlog.md.
  */
 export function detectHostTerminal(env: NodeJS.ProcessEnv = process.env): HostTerminal {
   const tmux = env['TMUX'];
diff --git a/docs/linux-host-backlog.md b/docs/linux-host-backlog.md
index 5285b51..8085ad8 100644
--- a/docs/linux-host-backlog.md
+++ b/docs/linux-host-backlog.md
@@ -36,6 +36,15 @@ already works, what's been fixed, and the remaining macOS-only host assumptions.
   - Verified live on the Ubuntu VM: `agentbox url <box>` launches via `xdg-open`
     (not `open`) — see the dev-VM E2E below.
 
+- **Terminal attach on Linux: tmux only (by decision).** `detectHostTerminal()`
+  recognizes tmux via `$TMUX` on every host, so attach-in-new-window/pane works on
+  Linux when you're inside tmux. The iTerm2 path (`spawnInITerm2()` →
+  `osascript`, `apps/cli/src/terminal/host.ts`) stays macOS-only. We deliberately
+  do **not** recognize native Linux emulators (gnome-terminal / alacritty /
+  konsole) for now: outside tmux the caller falls back to attaching in the current
+  terminal (and `agentbox fork` passes `--no-attach`). Revisit only if there's
+  demand for native-emulator spawning.
+
 ## How to test on Linux
 
 `scripts/linux-dev-vm.sh` manages a **persistent** clean Ubuntu VM on Hetzner
@@ -84,11 +93,6 @@ agentbox doctor                                   # inspect the report
 These were found while scoping the doctor change. None are needed for `doctor`
 itself; they block the wider "drive everything from Linux" goal.
 
-- **Host terminal spawning is iTerm2/AppleScript-only.** `detectHostTerminal()`
-  only recognizes tmux + iTerm2; `spawnInITerm2()` shells out to `osascript`
-  (`apps/cli/src/terminal/host.ts`, see the "macOS-only by design" comment near the
-  top and `spawnInITerm2` ~L112-171). Linux needs tmux (already works) and/or a
-  native terminal-emulator launch path (gnome-terminal/konsole/alacritty/`$TERMINAL`).
 - **OrbStack-only fast paths assume macOS** and should be skipped on Linux (OrbStack
   is macOS-only; on Linux the docker socket / volume paths differ):
   - `packages/sandbox-docker/src/host-export.ts` (`orbstackVolumePath`, ~L138)

From e724c633601bd67a9108c5dba34ba646c80ae330 Mon Sep 17 00:00:00 2001
From: Marco D'Alia <github@madarco.it>
Date: Sun, 31 May 2026 10:49:26 +0100
Subject: [PATCH 06/11] feat(cli): single recap card on agent launch
 (box/project/branch + attach hint)

Replaces the scattered id/provider/sandboxId rows and split detach hints with one bordered clack note showing box name (+source checkpoint), project folder (the agentbox.yaml dir, home-shortened), the from->to branch mapping, and the detach/reattach instruction. Shared by claude/codex/opencode across docker and cloud via printLaunchRecap.
---
 apps/cli/src/commands/_cloud-agent-create.ts | 26 ++++---
 apps/cli/src/commands/claude.ts              | 17 +++--
 apps/cli/src/commands/codex.ts               | 17 +++--
 apps/cli/src/commands/opencode.ts            | 17 +++--
 apps/cli/src/lib/launch-recap.ts             | 72 ++++++++++++++++++++
 apps/cli/src/terminal/host.ts                |  4 +-
 6 files changed, 125 insertions(+), 28 deletions(-)
 create mode 100644 apps/cli/src/lib/launch-recap.ts

diff --git a/apps/cli/src/commands/_cloud-agent-create.ts b/apps/cli/src/commands/_cloud-agent-create.ts
index a4c9e7e..d61a05f 100644
--- a/apps/cli/src/commands/_cloud-agent-create.ts
+++ b/apps/cli/src/commands/_cloud-agent-create.ts
@@ -16,10 +16,10 @@
  * only runs when the caller pre-resolved a non-docker provider.
  */
 
-import { log, outro } from '@clack/prompts';
 import type { BoxRecord, CreateBoxRequest, Provider } from '@agentbox/core';
 import type { AttachOpenIn } from '@agentbox/config';
 import { makeProgressReporter } from '../lib/progress.js';
+import { printLaunchRecap } from '../lib/launch-recap.js';
 import { cloudAgentAttach } from './_cloud-attach.js';
 
 export interface CloudAgentCreateArgs {
@@ -71,12 +71,7 @@ export async function cloudAgentCreate(args: CloudAgentCreateArgs): Promise<void
       typeof result.record.projectIndex === 'number'
         ? `  ·  n ${String(result.record.projectIndex)}`
         : '';
-    s.stop(`box ${result.record.name} ready${nSuffix}`);
-    log.info(`id:        ${result.record.id}`);
-    log.info(`provider:  ${result.record.provider}`);
-    if (result.record.cloud?.sandboxId) {
-      log.info(`sandboxId: ${result.record.cloud.sandboxId}`);
-    }
+    s.stop(`box ready${nSuffix}`);
     let extraArgs = args.extraArgs;
     if (args.beforeStart) {
       const hook = await args.beforeStart(result.record);
@@ -84,13 +79,22 @@ export async function cloudAgentCreate(args: CloudAgentCreateArgs): Promise<void
         extraArgs = [...hook.agentArgsPrefix, ...(extraArgs ?? [])];
       }
     }
+    await printLaunchRecap({
+      record: result.record,
+      mode: args.mode,
+      reattach:
+        typeof result.record.projectIndex === 'number'
+          ? String(result.record.projectIndex)
+          : result.record.name,
+      workspacePath: args.request.workspacePath,
+      fromBranch: args.request.fromBranch,
+      useBranch: args.request.useBranch,
+      checkpointRef: args.request.checkpointRef,
+      attaching: args.attach !== false,
+    });
     if (args.attach === false) {
-      outro(
-        `session not started — attach with: agentbox ${args.mode} attach ${result.record.name}`,
-      );
       return;
     }
-    outro(`attaching ${args.mode} — Control+a d to detach, leaves the agent running`);
     await cloudAgentAttach({
       box: result.record,
       binary: args.binary,
diff --git a/apps/cli/src/commands/claude.ts b/apps/cli/src/commands/claude.ts
index 6964d00..fdbe98f 100644
--- a/apps/cli/src/commands/claude.ts
+++ b/apps/cli/src/commands/claude.ts
@@ -63,6 +63,7 @@ import {
 } from '../session-teleport/index.js';
 import { clampSpinnerLine } from '../spinner-line.js';
 import { makeProgressReporter } from '../lib/progress.js';
+import { printLaunchRecap } from '../lib/launch-recap.js';
 import { maybeShowInstallHint } from '../lib/install-hint.js';
 import { openCommandLog } from '../lib/log-file.js';
 import { resolveLimits } from '../limits.js';
@@ -816,20 +817,26 @@ export const claudeCommand = new Command('claude')
         typeof result.record.projectIndex === 'number'
           ? `  ·  n ${String(result.record.projectIndex)}`
           : '';
-      s.stop(`box ${result.record.container} ready${nSuffix}`);
+      s.stop(`box ready${nSuffix}`);
       logPrune(rebuild);
       for (const f of rebuild.failed) {
         log.warn(`plugin install failed for ${f.dir}; claude may still load it. stderr:\n${f.stderr.trim()}`);
       }
       maybeShowInstallHint();
 
+      await printLaunchRecap({
+        record: result.record,
+        mode: 'claude',
+        reattach: reattachRef(result.record),
+        workspacePath: opts.workspace,
+        fromBranch,
+        useBranch,
+        checkpointRef,
+        attaching: opts.attach !== false,
+      });
       if (opts.attach === false) {
-        outro(
-          `session started — attach with: agentbox claude attach ${reattachRef(result.record)}`,
-        );
         return;
       }
-      outro('attaching — Control+a d to detach, leaves claude running');
       await attachClaudeWrapped(
         result.record,
         sessionName,
diff --git a/apps/cli/src/commands/codex.ts b/apps/cli/src/commands/codex.ts
index e1a466b..77f2695 100644
--- a/apps/cli/src/commands/codex.ts
+++ b/apps/cli/src/commands/codex.ts
@@ -63,6 +63,7 @@ import {
 } from '../session-teleport/index.js';
 import { clampSpinnerLine } from '../spinner-line.js';
 import { makeProgressReporter } from '../lib/progress.js';
+import { printLaunchRecap } from '../lib/launch-recap.js';
 import { openCommandLog } from '../lib/log-file.js';
 import { resolveLimits } from '../limits.js';
 import { maybePromptPortless } from '../portless-prompt.js';
@@ -694,15 +695,21 @@ export const codexCommand = new Command('codex')
         typeof result.record.projectIndex === 'number'
           ? `  ·  n ${String(result.record.projectIndex)}`
           : '';
-      s.stop(`box ${result.record.container} ready${nSuffix}`);
+      s.stop(`box ready${nSuffix}`);
 
+      await printLaunchRecap({
+        record: result.record,
+        mode: 'codex',
+        reattach: reattachRef(result.record),
+        workspacePath: opts.workspace,
+        fromBranch,
+        useBranch,
+        checkpointRef,
+        attaching: opts.attach !== false,
+      });
       if (opts.attach === false) {
-        outro(
-          `session started — attach with: agentbox codex attach ${reattachRef(result.record)}`,
-        );
         return;
       }
-      outro('attaching — Control+a d to detach, leaves codex running');
       await attachCodexWrapped(
         result.record,
         sessionName,
diff --git a/apps/cli/src/commands/opencode.ts b/apps/cli/src/commands/opencode.ts
index 3688562..4d0ce54 100644
--- a/apps/cli/src/commands/opencode.ts
+++ b/apps/cli/src/commands/opencode.ts
@@ -56,6 +56,7 @@ import { providerForCreate } from '../provider/registry.js';
 import { prepareTeleport, TeleportError } from '../session-teleport/index.js';
 import { clampSpinnerLine } from '../spinner-line.js';
 import { makeProgressReporter } from '../lib/progress.js';
+import { printLaunchRecap } from '../lib/launch-recap.js';
 import { openCommandLog } from '../lib/log-file.js';
 import { resolveLimits } from '../limits.js';
 import { maybePromptPortless } from '../portless-prompt.js';
@@ -620,15 +621,21 @@ export const opencodeCommand = new Command('opencode')
         typeof result.record.projectIndex === 'number'
           ? `  ·  n ${String(result.record.projectIndex)}`
           : '';
-      s.stop(`box ${result.record.container} ready${nSuffix}`);
+      s.stop(`box ready${nSuffix}`);
 
+      await printLaunchRecap({
+        record: result.record,
+        mode: 'opencode',
+        reattach: reattachRef(result.record),
+        workspacePath: opts.workspace,
+        fromBranch,
+        useBranch,
+        checkpointRef,
+        attaching: opts.attach !== false,
+      });
       if (opts.attach === false) {
-        outro(
-          `session started — attach with: agentbox opencode attach ${reattachRef(result.record)}`,
-        );
         return;
       }
-      outro('attaching — Control+a d to detach, leaves opencode running');
       await attachOpencodeWrapped(
         result.record,
         sessionName,
diff --git a/apps/cli/src/lib/launch-recap.ts b/apps/cli/src/lib/launch-recap.ts
new file mode 100644
index 0000000..4b595ba
--- /dev/null
+++ b/apps/cli/src/lib/launch-recap.ts
@@ -0,0 +1,72 @@
+/**
+ * `printLaunchRecap` — the single bordered "card" shown after an agent box is
+ * provisioned, replacing the old scatter of `●` rows (`id:`/`provider:`/
+ * `sandboxId:`) and the split detach/reattach hints. Rendered identically for
+ * docker and cloud, for `claude` / `codex` / `opencode` / `shell`, so the
+ * post-create surface stays consistent across every launch path.
+ *
+ * The card shows the box name (+ source checkpoint when started from one), the
+ * project folder (the dir that actually held `agentbox.yaml`, which may be a
+ * parent of cwd), the `from → to` branch mapping, and the detach/reattach
+ * instructions on the last line.
+ */
+import { homedir } from 'node:os';
+import { note } from '@clack/prompts';
+import type { BoxRecord } from '@agentbox/core';
+import { currentHostBranch } from './from-branch.js';
+
+export interface LaunchRecapArgs {
+  record: BoxRecord;
+  mode: 'claude' | 'codex' | 'opencode' | 'shell';
+  /** Reattach ref shown in the hint: the per-project index `n` or the box name. */
+  reattach: string;
+  /** Host repo path — used to resolve the base branch label when none was given. */
+  workspacePath: string;
+  /** Resolved `--from-branch` (base ref), if any. */
+  fromBranch?: string;
+  /** Resolved `--use-branch` (reused existing branch), if any. */
+  useBranch?: string;
+  /** Source checkpoint the box started from, when applicable. */
+  checkpointRef?: string;
+  /** true → attaching now (detach hint); false → background create (attach hint). */
+  attaching: boolean;
+}
+
+/** Collapse an absolute path under $HOME to a `~/…` form for display. */
+function homeShorten(p: string): string {
+  const home = homedir();
+  return p === home || p.startsWith(home + '/') ? '~' + p.slice(home.length) : p;
+}
+
+export async function printLaunchRecap(args: LaunchRecapArgs): Promise<void> {
+  const { record } = args;
+  const rows: Array<[string, string]> = [];
+
+  rows.push([
+    'box',
+    args.checkpointRef ? `${record.name} (${args.checkpointRef})` : record.name,
+  ]);
+
+  if (record.projectRoot) {
+    rows.push(['project', homeShorten(record.projectRoot)]);
+  }
+
+  const toBranch = record.gitWorktrees?.find((w) => w.kind === 'root')?.branch;
+  if (toBranch) {
+    if (args.useBranch) {
+      rows.push(['branch', `${toBranch} (reused)`]);
+    } else {
+      const base = args.fromBranch ?? (await currentHostBranch(args.workspacePath)) ?? 'HEAD';
+      rows.push(['branch', `${base} → ${toBranch}`]);
+    }
+  }
+
+  const pad = Math.max(...rows.map(([label]) => label.length)) + 2;
+  const body = rows.map(([label, value]) => `${label.padEnd(pad)}${value}`).join('\n');
+
+  const instruction = args.attaching
+    ? `Ctrl+a d to detach. Reattach with: agentbox ${args.mode} attach ${args.reattach}`
+    : `Attach with: agentbox ${args.mode} attach ${args.reattach}`;
+
+  note(`${body}\n\n${instruction}`);
+}
diff --git a/apps/cli/src/terminal/host.ts b/apps/cli/src/terminal/host.ts
index 73f3fee..c170f6c 100644
--- a/apps/cli/src/terminal/host.ts
+++ b/apps/cli/src/terminal/host.ts
@@ -108,7 +108,7 @@ async function spawnInTmux(args: SpawnInNewTerminalArgs): Promise<SpawnInNewTerm
   }
   return {
     launched: true,
-    note: `Attached in new ${noteKind} — Ctrl+a d to detach the box's tmux session.`,
+    note: `Attached in new ${noteKind}.`,
   };
 }
 
@@ -169,7 +169,7 @@ async function spawnInITerm2(args: SpawnInNewTerminalArgs): Promise<SpawnInNewTe
   }
   return {
     launched: true,
-    note: `Attached in new ${noteKind} — Ctrl+a d to detach the box's tmux session.`,
+    note: `Attached in new ${noteKind}.`,
   };
 }
 

From 925b2144c797f4b10aadd2606ff7fb4c18cd27cf Mon Sep 17 00:00:00 2001
From: Marco D'Alia <github@madarco.it>
Date: Sun, 31 May 2026 10:53:57 +0100
Subject: [PATCH 07/11] feat(web): marketing site with favicons + CLAUDE.md

---
 apps/web/CLAUDE.md                  |  41 ++++++++++++++++++++++++++++
 apps/web/index.html                 |   6 ++++
 apps/web/public/favicon-16x16.png   | Bin 0 -> 353 bytes
 apps/web/public/favicon-256x256.png | Bin 0 -> 3162 bytes
 apps/web/public/favicon-32x32.png   | Bin 0 -> 533 bytes
 apps/web/public/logo.png            | Bin 0 -> 4439 bytes
 apps/web/public/logo.svg            |   5 ++++
 apps/web/public/site.webmanifest    |  20 ++++++++++++++
 8 files changed, 72 insertions(+)
 create mode 100644 apps/web/CLAUDE.md
 create mode 100644 apps/web/public/favicon-16x16.png
 create mode 100644 apps/web/public/favicon-256x256.png
 create mode 100644 apps/web/public/favicon-32x32.png
 create mode 100644 apps/web/public/logo.png
 create mode 100644 apps/web/public/logo.svg
 create mode 100644 apps/web/public/site.webmanifest

diff --git a/apps/web/CLAUDE.md b/apps/web/CLAUDE.md
new file mode 100644
index 0000000..9e3c7fb
--- /dev/null
+++ b/apps/web/CLAUDE.md
@@ -0,0 +1,41 @@
+# apps/web — marketing site
+
+The public marketing/landing site for AgentBox. Deployed on Vercel.
+
+## What it is
+
+- A **hand-written static site**, NOT a framework (no Astro/Vite/Next/React).
+- The whole site is a single file: **`index.html`** — markup plus one big inline `<style>` block (no external CSS, no build step for the page itself).
+- `public/` is a **literal subfolder**, not a framework-managed asset root.
+
+## Layout
+
+- `index.html` — the entire page (head + inline CSS + body). Edit this directly.
+- `public/` — static assets:
+  - `logo.svg`, `logo.png`
+  - `favicon-16x16.png`, `favicon-32x32.png`, `favicon-256x256.png`
+  - `site.webmanifest` — PWA manifest (icons + theme colors)
+- `vercel.json` — deploy config.
+
+## Asset URLs — important
+
+`vercel.json` sets `"outputDirectory": "."`, so Vercel serves **this folder (`apps/web/`) as the site root**. There is no step that hoists `public/` to `/`. Therefore:
+
+- Reference assets with the **`/public/` prefix**, e.g. `href="/public/favicon-32x32.png"`, `src="/public/logo.svg"`.
+- Do NOT use `/favicon-32x32.png` (that 404s in production).
+
+`vercel.json` also sets `"cleanUrls": true` (strips `.html` from page URLs; does not affect asset paths).
+
+## Build
+
+The page needs no build. `buildCommand` only copies JSON schemas into `schema/` for the docs:
+
+```
+mkdir -p schema && cp ../../packages/ctl/schema/agentbox.schema.json ../../packages/config/schema/user-config.schema.json schema/
+```
+
+## Conventions
+
+- Keep styling in the single inline `<style>` block in `index.html`; match the existing CSS-variable design tokens (`:root { --paper, --ink, --accent: #128a4f, ... }`).
+- No emojis in output unless asked.
+- When adding assets, drop the file in `public/` and reference it as `/public/<name>`.
diff --git a/apps/web/index.html b/apps/web/index.html
index 6b85714..f79d570 100644
--- a/apps/web/index.html
+++ b/apps/web/index.html
@@ -4,6 +4,12 @@
 <meta charset="UTF-8" />
 <meta name="viewport" content="width=device-width, initial-scale=1.0" />
 <title>AgentBox — Teleport for agents</title>
+<link rel="icon" type="image/svg+xml" href="/public/logo.svg" />
+<link rel="icon" type="image/png" sizes="32x32" href="/public/favicon-32x32.png" />
+<link rel="icon" type="image/png" sizes="16x16" href="/public/favicon-16x16.png" />
+<link rel="apple-touch-icon" sizes="256x256" href="/public/favicon-256x256.png" />
+<link rel="manifest" href="/public/site.webmanifest" />
+<meta name="theme-color" content="#f6f6f3" />
 <link rel="preconnect" href="https://fonts.googleapis.com" />
 <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin />
 <link href="https://fonts.googleapis.com/css2?family=IBM+Plex+Mono:wght@400;500;600&family=IBM+Plex+Sans:wght@400;450;500;600&display=swap" rel="stylesheet" />
diff --git a/apps/web/public/favicon-16x16.png b/apps/web/public/favicon-16x16.png
new file mode 100644
index 0000000000000000000000000000000000000000..4037f01481ad3a7a8966a8880869a659563a9861
GIT binary patch
literal 353
zcmeAS@N?(olHy`uVBq!ia0vp^0wB!61|;P_|4#%`oCO|{#S9GG!XV7ZFl&wkP>``W
z$lZxy-8q?;Kn_c~qpu?a!^VE@KZ&eBK3|DzL`iUdT1k0gQ7VI5W_oVoyp7Y6fiibI
zT^vIy81DvKa~*OJn0s|gr1ZuMA}?FMEQ)oyuqDnRu!xEKpqoKc?*qvrhk_+IZ)t{^
zWn~HmMXY1*u;$uma8%Fik#^a%#Cx;(ZJ1<Q7uhMX=uB{sIs8m4_PE!+CEw@ldb{)P
zG#>e9-AlKAVqTQOILl*QsI~%kz3dFhA42sC3zn!JHu!bo;vBA!(4#DV&rcg09lOUg
zrRnm9qbwSs3+*M;CTBzmrd{@odbwUs@L}1l1Mk*LKky1-@-XNz;_y8XyVW(hL*)Ip
u_9y2pCHh$6^V0io-(=xTNX|=t&p1iKBKhU9iMl|4GI+ZBxvX<aXaWEwV}YXp

literal 0
HcmV?d00001

diff --git a/apps/web/public/favicon-256x256.png b/apps/web/public/favicon-256x256.png
new file mode 100644
index 0000000000000000000000000000000000000000..970eba7826ef98c3a71f7e15cad8d2755825760b
GIT binary patch
literal 3162
zcmeHK`8O2q8h>XP%S_fRSw|=mSu*rhwn7LA8B=z$M0O3nn6Z^2OOqj6eJ$AvC0h!0
zQ#9GLhCwv;C21_P-07Tq?)~AO^Zf(vxj($;d7tw<KfLGje4gj?ymzdv&hx;<;Q#<0
zGgBiQ03fU@1aNV%jAKZ-7t3%5nPNf#5IOSuK+J69H-4vt+MGWNs(U0CSq{6mp`{@J
z&(je!HyF$34KsEKvkmkL!@7lB117%SH{1%J6FmSx44D}j+C@NCC!PHBhNM1jJ}PMV
zH2wkQo}|1fA8PzHCDZxAcW8f+FQF;UAoNlNVLVKfO<u;7OY6?2?9GH*Mpxu@R*O`i
znkQUeVvF513$!Yd%y}FWLr`*m`1+u_-XBA#bk&7UXvo|Y{7Q)wBrvIR!V)8q0<+PN
zw(=>XMAqZLq5C!|OP?uQQ2XSY6?Te3=GWCp;`mQ8ZIuO?VR^Filjn5TVx8OJ^Bj(E
z>BZ9woNDt|+lmJ!NAD)NsSu9v;3d|_7Hfu1O8D07kLXd6hmV7h!-op9oNruxHp8ub
zxla&tANa5IP)kbRtSz*r8}ccC=K16i@bq<5@arH8?hBfrpqbXAIB;^U*9zieci4Qf
z`GQAMvAL-%WP|dn|FV?ZG~07iW%e6)$1I(8y^AnX;kI;3DF5xJr){XuNS<3#+Fts(
zN?GnLx%^iF?GkQve8milZB#<*g7;4qaxam`Eq<k_l1c?SWQd^2xb;nLmP>6X!r;DA
zUEKCV|6d`^KdYgz8pzJEww6eHKpZ!Xy0?aC_CF*9uyeR$!oJpkc;T(_bhVdUUl^Fk
zWG2(XV*u&dB3H>!;_@IP2HFSzQHKtD@o=P9Qxf#-#u4Y_Hqyue<W5mkm~cA}Ll3*9
z0P!&{Kzk1@R`W{MP!UVK2G_9URL1Pui)^HilkW0}cU#k$%Q{ZIgk@*;u=C7NM&5D5
zX2<NPz_!UrhS9^cR1Jw?gah~8j$lh7NnDC<SJoR{o|rXJG(8+80z+5uYEyoso78n3
zU`(xk{nEB9P5&XPk4<PjhllAw1L@mMExOCIYEN>m(fxuaR-ICGgZstskM{P3O*&qa
zYH%ZO#G~g9&%bJ6cbNBvDOkO(`74{RLpoluG_J$h;H3`;Sh_i~U%Yc-cUO)vcu}`P
zB`;7I?|0YZn@;o`N=k3<mAl=Q7L!KhpZ1=J6HsTDozs;$E6ANJXX(9StpM6{5Ph7m
z*q3&Cy<Ae}A}+|DK)BZNn7)+S8iI!1qWt+T{v`fXIzzQ}<MyYQ$o6+Me^+WDJ-9$n
z`4l1tD`$NTEs%h82#IxC>DK0LsdAgVYxt|prCUFZ!qfhFC}OIcvRGE=y1~YC7X|h0
zJ`E^NY!2kinDcRYu{0%SLfdXV(Cn!}>~w_Sn$@gZJ<k35^2M`4jjDQ`!_`BNOvvpI
z6mHL6?!C>+Ww1p%^#c)4G10S6RvhrI7h&@&gqBp7UyO5(o{5BTp~qAY#wyh|4ky&J
zWeo7bHYhYk2nRlhVduIr!zrvt9>dT>W-5W_)~^4;*GMY4w+P9vfV1xQ)PSoG+Ur(V
zLHiitqlGyA%QFjn?*o~wy70{EP50JH&{T}G24`_*pniKD?wFfWd2zK0swS~hgiK=?
zXwaqr^Zu^a(B9l?*gehwTSB!{;~ZNYzJy)cwJwyb@pMl}#&wG?0cko+v~=_EkGg{3
zl$rb1LO%cuLgL9s{D!C(*(%vG;9OvRflXd%M2dt+WT*~{8FWHn_|lOtoC&}|j0?CP
zf`9{Z0Pn^Q)KUSsB>>vhpx}@R0RQ-Z@V`Lt&*IOU9c`M5+Rw?zXZ4;Ej-L<8U+f-i
zagLLZyGtzEh+W1cANp??KZqN=3uzA6Cgalkng+dlUg;y@U55cTDID9JRCPP?1CLa6
z5|B@|{X5j33zQpMSP{c#-?Wk9r&b%$TBdHh0(cR1%!%bqg;-U@Z>nyuFC8Qz%l@|t
zS(Ql4SY8{@zfI19J>-!(>n8(L<g=FrYag6~{T*v1;smw!x*}Jn>RfyrgZ(W`MIff5
zbDkL17*%{M91Q;tzx{yv_=`xwRP?vnjC{xHtI2$j<V!~f|6<jaon{@x%CtWYV5kZQ
zNl`qK*9)}sC6m#DWlNyM&W2#pi&Fw!+=bV0bh=pVGa&S(#69y_p22-99DhUA%Qy6W
z&YenNl&NP+82ts8C$%-m8&p^;Dof(S+GQVO_da7F$u7bEXBLEHvIaUQJ`QZ3sSx-K
z@SgdnHd~=Fn$);TU{M3-0|H<cyE8N*RHQPnG4ZhyI&CFr9w4Ij6#QnLK{Shw5gWqz
zu`wMh$eBj|2y;jd3~Y)=?FuKEn#mnJnDlPqqaTM%0dF28B3*y?!BG+c%I~!>eSBtw
zX<N^?bfaE6KUZ0JINX!k+=4-Mxd_shJ_)ZjZSg{UdKMHOEzP`D5V{_2&PODb-f2#6
z?54s_0PUu{0(elsoCixs>aUTGLVQx&RvNKPwzpq#^q<Uk5i`wKaN2>uo}44)n>WO^
z7SICCk64e91)80FjLAPa+#}<hbV|vVSr<?>Yuys~MH}DoZm3pEi!OXlE~CryWj)0k
zT3dUHv+eYrs2)=Fz-KD;1|lZ-<Es_Z2Lq4YgO-rYN}A4VHx4y@-1g_Td$iIE%uA9J
z{mkdPX$)ucl+n=wq`7gFoqE^&tDoN`&QJInW&_8Qm=k^r?T4lG#2dyaE!9YRAZG3l
z1nK+M7z(`|Xx!~0P+s~kg**!eY3=&abK9TV)9Lk$V>}kA!f7Xd<{Pt3PfipdQ)S<j
zu<zK$Gxpan2d-<mgM+lkNGV+xjKtPy+N|`>$UR3%Rez@yvv62@sKBX3*;-rf@fY*M
ze&_>Q<VuV4CJ%X*VNcm(4Qm`;TkkfVWZs`j<e;ODWeuDhzv4%6*|uH&GWM{yw_(w7
zq6`XV=Z9CM_i1O{$_pvO^g?`AZV8Ij5680x;-Wa)MxJmu7AhCGjAU-t-70|gT{ju7
z?l-8g%dMs&#Nl{sv!l3kUf0yLQr~f)^48_Yh2Et#_vdQ;og*kouuckD3|!X0;9}Gx
zvSsjUu^VMx;b`5I*ie)(=<Q}tQ$GlZ=+0?sE-xPakh}IMP|g<6Uk$vu@uwkVgO+P>
z{^&mDL8Xz*LRJD;`i9<DO%q+q%T+?r4fV3ti*t5jpqH*F$Q@G!U8WUtA4Wa0MaE{Y
z)=Z1FYe(Oi@Sg@{>@3C0+kWC5M(sc(xpl}lh_z!c-{g6+{j{Y84dU%Y_6Edr6hCNh
zv~9g1oa4fOzswP9-fQ_@bMg_zTYf!{zX{opfP%WZ#a6nA?QlzOR>cyDqn7&JR9};r
z_n@gqWo1`;EsUDR^r=tlp@Uve+)s`1(Sr5hstn!!da0yFW5$h6xtpTy^FIcouw4^;
z8v<CS921kjTBZ5oK|*ZL`e5z^<{WD|?sxuH-2D5m;ChG7NBt%Qi}lsH@O!&9Gqy6S
IKI<C)Pf|ifNdN!<

literal 0
HcmV?d00001

diff --git a/apps/web/public/favicon-32x32.png b/apps/web/public/favicon-32x32.png
new file mode 100644
index 0000000000000000000000000000000000000000..3304535d0fb05d0439cdfa762dc996c8e69f6b4e
GIT binary patch
literal 533
zcmV+w0_y#VP)<h;3K|Lk000e1NJLTq001BW001Be1^@s6b9#F800009a7bBm000XU
z000XU0RWnu7ytkO0drDELIAGL9O(c600d`2O+f$vv5yP<VFdsH01k9TSaefwW^{L9
za%BKUX=iO=p0So=0004yNkl<ZcmeH~ze~eF6vyAi;$-8fG#TQi?$(a&>d->1n;`m6
zxQKs)AUG;gH>*$t2Su7cp_9e!hNQ$z6F0H(-m3>0BE4W^DC7f2em(NO_bz$dmqCPO
z)2fa}P=yrHG_XB~+wz)GV#~6^Pq+xfbdyKm+C0=e&Upc^WOCCq;9zeT^u+~81ONR4
z&M&XPaa@|PxK(36W$$6~`@3t<i$zEi-w$A`zJnrgIcl0*^H#H-dU8b9i&SL<b8C<R
z(Iw7AK$KiSE+7|>3n-`tJ`Y~R7%0V>h5?n$4W(FR0S}K)V45X*`6N0wU1b4@mY`BD
z)6sF=*g-Lhi6zPvkaTXlG{ZPr%|>DY`CpI=n4Lx>!F?n4gV<+!@;zl@0mny&G^T~J
z0PKJ#r)NsB>ual^N`WzW6Q*P$t?dSlX@CYrq6q<gJi!j<2R@{Y9|Xc3wdq`xzfaz9
z$*_83YgVFm`rAkL=j3F~+QJnL(UkJnAzvArQ{hg-x&Je#qUtvLf_+c8Qx<)Yg+2cU
X%oUPB>%dy+00000NkvXXu0mjfXNBS$

literal 0
HcmV?d00001

diff --git a/apps/web/public/logo.png b/apps/web/public/logo.png
new file mode 100644
index 0000000000000000000000000000000000000000..aeb383687fc6fcaf320da091e36149e96f17f277
GIT binary patch
literal 4439
zcmeHLXHb*dy8aSE7Xq@SLr}Kp6-8<QDG3UqTa*r=Bauk&O+d;<ks{ze0!oQQ*do0M
zNKN5@u%#meK_oyTMUbYD1VYG(zs}4#KhE5l`|Hm6v1ZNlu359n^Sra3ccok1G8Yk&
z6#@W2<oY#J8vp<$b6bJ{A2)IbTfWNe1VgSlg#&=F#Lor-3X7$=K~T7j`DLJPME)xm
zK<=8{Gy#Cd9O1*;yj(0AVTOvZ4aP)7-wyKzuKL~$y#1mv9}NIvAFi94*u{W0<}4q(
zk?)gs=H<|;8Zo=20@P`D!`y4H@=wWEYP;JFh`rLTMs`=Fr9HT9{fFA`P1mK;Nw;Rr
zIs_Ze+Dm%gFu8p0I?mqZH)VAjsVnKfDF1rx*FO#I<SeYokNQ=lX^gPZ9yBIZChlmS
zwanPRmOtMmgU)=nPYEBvue5lj%uv2YP*YZWaR>G?rp^2*KK!KPSuLfrFw@|G^Rc03
z5tdP%bJL#A8l|Zz?DppseEaJck1^w_K4JlsOTTmNIU({EnRod|QMFaE-nfyZvfrIk
zR$2QS^Vm#wj|qaB9})@GHgA=+$k}t*nJga;jmX6u%gRQ|Fz4?hHfyU4tWQLr0<I!;
zFbW&y@-h#VwAH{p$((qL=7Z4sWSDg1gh>p`lo6tBg+8TzpX|ZT6h*Cp;JBc@_3i0=
zy$^rRm~4ovGkLx?S4jtCU%8oP68IDLcGtR4yQ_Hd74OR{y2%CxEW~O*(eWbDfqh^K
ze9;cwjQ>oC>|&2}+TxvqwA?-xAlq9LL(~*o7KPPaW{^RF*_~5y={|E9aLEk0Jvzi#
zu|7YcP8e8TvqOJLR&8ye4cTq&qt5snON8t}8?@K;RZ$ZH0rTX7RR(Q5q?m_f6RF!u
z9sPK4EknmeR920%TfI~gvH~S(HnYSTHGAL33QZT*uvnPAKZl<uDX$PUC|2VK8NhQ~
z-oAy^O+DWf1RMr?^Jp6*<dPu7{Q4dx)4tg+4lJd36k8YDeg;4Z_rDEFmvj8F_{Kgx
z2>@z}>_xgWl$8KrJ&1f+T~gJKcftH57x|8MuB4*3GHQL$%t8e$t9o7(0;~s)+S4}Z
z1(lS<UZL{_U@35jI#4l4sjl-QhA&41Yv%hp#ep5SzJ2o*p*n()8-0D$zNh`2=4hGx
zt}|96;41L;4*(}Vuw&>QknN2MgACjbSv;?lr1I5Oy69QJb?#2-AUZ#AbHZulh*Zje
z4A_-%5)R>jPZec4pGmdJ#<}l?jfK6I<?ftr)4yhRfj@5)lAXK);_Bh<dJJptT>@su
z`&o*bys&i;{{{po!?i}<aP54KKCRX%&pjPQ3`nxJQKLw;#D>2wAe{~7+xpa^9K~6T
z)F1?Q#j<ArR0geo{xR*$t=>vo+ns@GVzzj5#SH1hvjYsr^)pP_D?Z+kK1bi1X7%g#
zQt-NVDV(<eO5}BUxmVctcQMOSqkUh5i8bKRQ&&m50SgPS5`4M~NEJh1dcxOKz3q))
zkwktJ^y$SeY0JZJl`+)UmS#O}QSgR^ITM%Gw}b8^Q|(E@Y*03gL%R~nI0|+cG&11v
z#OG?Plq1-`>4?s07N73=z7|~i(wHmBVk0fGLB|;Myq-iG#{BgV_|mv~XS9bD<Nj7>
z-C=T{UII0%jh)?D)L{|veumT)%`Z|S?BfY+64r}$f;oqlU_g7I4r@RqW*Zy176#$o
z=&Co4>8`kmeu7ifN>CH&sb`A_=8E_9Hko}M5TtFM@MM@Hwcb7UUW}u)ZL@PD-ud_?
z%`L_<VZ2#n@eQ5MMCTm4A*?P`*k)*VLGZpG;q=R#3;bBb$Kqj6E=|@lO{r+dlptrP
z)y2lfdz3aUStOSdxWeymisvBYzl}XxiA!{V4A_i$jy>k47|%8Cs6$@^3~`9mHj$Yf
zbP5TdFFBE1ex6r>N%s)h>gJV>^loZ19G!#^4Olx+-l7x9ejOp<lQrjgbavsYN#5;S
ztVE+O|B9d#2Ui3GKNAOLPfO^i`uhNK!}sSoLE5AX;qz_M$<+qf<4LzBE97}^!+`0u
zfj3q%G`}f|d*IPXJk1N@yt1CCSM!Y*2(Y^;O&bX=#53YFz$pp%qQ7H6q^pj7Z5=uI
zN<OwxIDx>V9#o7IT>MK^KsD{3g5za|-1qi<RIF-GnB5#uFcE#oqj?tXhJ`*6S$5sd
z8D`!JjON>5e}M5KC0Rl2*vSg5ADOoy%bSw*twn^jZgr)c4o725_C9O`Qdhwk!QtbE
zAxVaQ9!D=UmZ8dH!Q@t$mGS=s#JgyTqQEF9jW%0_A3NAgHAFm@NH!r71Re*^N&++5
zi_+;{(#cae!jjS`A0U%AgLLb|xH5ChhS!RZgC<{%2rrman}`EA<5R$s=K{d5DqtWz
z9YA{h7yduH4M#|2gfZt~(!&UkIQ_rgSpZ5J;=nZv2yk2il+<hb@6hs?)<w(gpz|+&
zxqA}xzg304S+4z3^FYf|grh@I!GHDie~?a5W~6g#1bP@y*7Kjq`xk0or)k!YtPsUW
zeRoy<W1gQ$efst1Iu=?I{}f27xKB%|l#YJFVHWV$GBX|X_<oPTZW%$KxUf(tDPXM&
zP;4$WV0X}$aE|WmNZ?NRn%#XVQV~DQjR{q5@V$Cs%B6C#veFjx#7q#0l_Iel^~KYm
zYnez5{ry4UFR$+prOF&&Lr$WX?!B4KlD&BpJ<PcROpR+1W8iDr;X@_uXU4J$4R<D9
zgOxHb-38aCp|yyLMLTP#$v<my$i_xs6u);(_1+XyKL_IanB*x|Z=R(Xv$_aOufAY9
zZK%R74j+0ghgk(`C3~UzQw<G44Uz-Wj*Rb&aua#%{@y!*fJ+FLTx86`%S3^stSUjY
ztN(~HsJ6hvwW;X`M<Xq2a&@O)F&*#GaT0+4O;ecp^diS;vQl=tGZ;UPk6MmvDv?$+
z-N>{@Fgsy<q^sd9g=jOLE^S7ZlXykBV9TcPFZEsD<+zh`-yEBK(4$$carC}@YdC{6
zGaRZXyYPp3A~oOI^GeJzq9kx+F6YNL_DBY@es;tDm7c7~_Otnpk8_tv*HqCcTL<{S
zwDJ5`F_?i_gnHUa8EAm#j<?87fh23YzPd%}sVAcrmGFl-LyV*TQ`<-RF-o$fhocf;
z&q?hIz!hObz6Re-xvjm}EjJy?iwgIsQqaI-oc!Bn|CJHu=ao8<Bo$RwLF;^IbQhb>
zF|*Bmg=?jJGuE4Dz=s*jc^h;CjkMXalfMZZEqRn=Yrfn$1{$+NFlUK5TXPKEQ2IC4
z_^;?%y@=Q<-L1Kj+I>nu^rejpE7aCVgdV)atuv~ZmSf~Rd@Krrl*p~-yaBleg$5Vy
zD~c8QQVNhx$2-DYSWn4==|0ajRb#$vTc-L4{j@mTM-Ge=orvb-${?TSCoacqbN%(|
z<@taMyICrue3(zsv%`&BQ$-gfK<nkM`_JMy=8N~r8xvgPDxsqOZfj7Frn2ycgN-9;
zkat1FgN5??gwym*{K>x7f|EcsZF17i;ub;g@R!~&As;O4IMMVGhmo~;dbGOj4&<sg
zT)kwjlY<lLW^UJ&x^)`M0XISqnMLG<L_cQoc2);DTu@C{_^g^tvR5vK2XKw3DCCvz
z`V7r-+vHD$<_z!aX#$1SpT(Oa|9~F3!@*02FV`LsB!I^c98^Uks~h925ptQk1z79~
zU&`{FrVz<I)snwtmC`m{Li}d2Kuu)EfA)3~z|Ewh_l^fRe}ld-o?GYgXY7JMbOy#u
zA5mhPSYK?oHu_mgxsxQ==fx{Eo|`UQ`}~erQRtV8UHR$6pLb1q<75(}zP{aBv)E<r
zxB^z4CaMG`J$>_yv2wzA99Ro$OkQ_j@oYU{gOWNFVp&<6v_^};3}h&#O1GU`4^{e|
zYt#iQdP-ji5puoFaWT<Vj9qRG5_W6v1>k9<PzerEa`1UC*AtE>>WkVL2oE}Ef<2wG
z1LuybiXt0pvKHIbis1*Y$A$!eDU={7E7M4l8s=~s{7?+2X}1?aHd2>xzDu}vKi}29
zbE@XxBy!Z979Oh_A9PIJ_nF?i<*}CT?X_+gX$cT1qs4j0vqdo8vR)RA&a3r<l;=Tp
zB*95}{vuR^;M#5Y*o`9wTEq?C)O0sM3;{EZ04JHrDe`JaMq>>rMza1sWIANoRuLVv
zN9zk~um&2=dJmmPuQ>C2GNa#J+HraZJR8q&*I_=R;iUG)pH%;FtSj4?HNbY4$4pvJ
z0!<?IN288|h%=pYDD!pMWZ&87D7xdxwt08Z6ZgnH595CJm-NlWitfVC3K9CRU&r>t
z6FctTnb<#DVh0xoX5yKlc*N(9(}d8&#Ez%dPn|Jft-RBvM=1FkcZv)k=O%N=zvHRH
zL^OPYCS2GmnGlomY9Jo)&-oSzOozzAnU?+*5RB}mOs@1alJBbP%(g<j9upS$VF6M5
zhxl^`3_rQ<-2)|{?91OtocM{lgO!O@fgx>$2S-Xlbw}fI=Vd@yJBun?Ps!7}AI|9Z
zFP1|OwX!TA%je8(n)^y8)}VI<J~~?a81%`a{Fn3|`E}_#xNQ*K@y3!xwAJ^U2b5W2
z;Z-<TxKia9mZ@}!?a<tRFkXid<<|bC4)<bpsXeL(4iU7B)$H${#3%DSbK6%KjK;$U
R+<y<?y4fw$y33xw{{s<Mm6iYi

literal 0
HcmV?d00001

diff --git a/apps/web/public/logo.svg b/apps/web/public/logo.svg
new file mode 100644
index 0000000..74f7c92
--- /dev/null
+++ b/apps/web/public/logo.svg
@@ -0,0 +1,5 @@
+<svg width="385" height="382" viewBox="0 0 385 382" fill="none" xmlns="http://www.w3.org/2000/svg">
+<path d="M325 16H59C35.804 16 17 34.804 17 58V324C17 347.196 35.804 366 59 366H325C348.196 366 367 347.196 367 324V58C367 34.804 348.196 16 325 16Z" fill="#F6F6F3" stroke="#161A20" stroke-width="31"/>
+<path d="M255 191H129V317H255V191Z" stroke="#161A20" stroke-width="10"/>
+<path d="M236 210H148V298H236V210Z" fill="#161A20"/>
+</svg>
diff --git a/apps/web/public/site.webmanifest b/apps/web/public/site.webmanifest
new file mode 100644
index 0000000..13d1950
--- /dev/null
+++ b/apps/web/public/site.webmanifest
@@ -0,0 +1,20 @@
+{
+	"name": "AgentBox",
+	"short_name": "AgentBox",
+	"description": "Isolated sandboxes for coding agents",
+	"icons": [
+		{
+			"src": "/public/favicon-32x32.png",
+			"type": "image/png",
+			"sizes": "32x32"
+		},
+		{
+			"src": "/public/favicon-256x256.png",
+			"type": "image/png",
+			"sizes": "256x256"
+		}
+	],
+	"theme_color": "#f6f6f3",
+	"background_color": "#f6f6f3",
+	"display": "standalone"
+}

From e93f0b19e743c488fa2457b0fcb47830d9c437dc Mon Sep 17 00:00:00 2001
From: Marco D'Alia <github@madarco.it>
Date: Sun, 31 May 2026 10:54:47 +0100
Subject: [PATCH 08/11] fix(cli): render launch recap card in bright white, not
 dim gray

clack's note() dims every body line; prefix each with reset + bright-white (honoring NO_COLOR) so the recap reads in plain white. strip-ansi padding is unaffected, so box alignment stays correct.
---
 apps/cli/src/lib/launch-recap.ts | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/apps/cli/src/lib/launch-recap.ts b/apps/cli/src/lib/launch-recap.ts
index 4b595ba..0849aac 100644
--- a/apps/cli/src/lib/launch-recap.ts
+++ b/apps/cli/src/lib/launch-recap.ts
@@ -38,6 +38,20 @@ function homeShorten(p: string): string {
   return p === home || p.startsWith(home + '/') ? '~' + p.slice(home.length) : p;
 }
 
+/**
+ * clack's `note` wraps every body line in `color.dim`, which renders dark gray.
+ * Prefix each line with reset + bright-white so the recap reads in plain white;
+ * the leading reset cancels the dim attribute clack opened. `strip-ansi` length
+ * (clack's padding math) ignores these codes, so box alignment is unaffected.
+ */
+function whiten(text: string): string {
+  if (process.env.NO_COLOR) return text;
+  return text
+    .split('\n')
+    .map((line) => `\x1b[0m\x1b[97m${line}\x1b[0m`)
+    .join('\n');
+}
+
 export async function printLaunchRecap(args: LaunchRecapArgs): Promise<void> {
   const { record } = args;
   const rows: Array<[string, string]> = [];
@@ -68,5 +82,5 @@ export async function printLaunchRecap(args: LaunchRecapArgs): Promise<void> {
     ? `Ctrl+a d to detach. Reattach with: agentbox ${args.mode} attach ${args.reattach}`
     : `Attach with: agentbox ${args.mode} attach ${args.reattach}`;
 
-  note(`${body}\n\n${instruction}`);
+  note(whiten(`${body}\n\n${instruction}`));
 }

From 32f678570500b7b34afa4e943ff5a180acfd0291 Mon Sep 17 00:00:00 2001
From: Marco D'Alia <github@madarco.it>
Date: Sun, 31 May 2026 11:21:53 +0100
Subject: [PATCH 09/11] fix(vercel): make Ctrl+V clipboard-image paste work

Two independent breaks in the host->box image-paste chain on the vercel
provider, both fixed:

1. Box side: the AL2023 bake never installed xclip/autocutsel (not in the
   AL2023 repos, unlike the Debian/Ubuntu apt path on docker/hetzner), so the
   in-box loadClipboardScript's xclip call failed silently. provision.sh now
   builds both from source (all build deps are in the AL2023 default repos),
   fail-loud. Requires a re-`prepare --provider vercel`.

2. Host side: the wrapped-PTY input router intercepted Ctrl+V only as the raw
   0x16 byte, while the Ctrl+a leader already handled the enhanced-keyboard
   (kitty / modifyOtherKeys) CSI-u encoding. When the inner app negotiates that
   protocol, the terminal sends Ctrl+V as ESC[118;5u, which slipped past the
   paste check -> forwarded verbatim, Claude read its own empty clipboard.
   Mirror the leader handling: intercept the CSI-u form too and re-emit the
   original sequence after the image loads. Provider-agnostic (hardens
   docker/daytona/hetzner against the same latent gap).

Verified: input-router unit tests cover both encodings; live vercel attach
pastes [Image #1] for both raw 0x16 and ESC[118;5u.
---
 apps/cli/src/lib/paste-image.ts               |  2 +-
 apps/cli/src/wrapped-pty/input-router.ts      | 31 +++++++++++++++----
 .../cli/test/wrapped-pty/input-router.test.ts | 29 +++++++++++++++++
 docs/vercel-backlog.md                        | 14 +++++++--
 packages/sandbox-vercel/scripts/provision.sh  | 20 ++++++++++++
 5 files changed, 87 insertions(+), 9 deletions(-)

diff --git a/apps/cli/src/lib/paste-image.ts b/apps/cli/src/lib/paste-image.ts
index 4b8fb81..58d54fd 100644
--- a/apps/cli/src/lib/paste-image.ts
+++ b/apps/cli/src/lib/paste-image.ts
@@ -11,7 +11,7 @@
  * "paste image from clipboard" binding reads the now-populated selection.
  *
  * All steps go through the provider-neutral `Provider` seam (`uploadPath` +
- * `exec`), so it works identically on docker / daytona / hetzner.
+ * `exec`), so it works identically on docker / daytona / hetzner / vercel.
  */
 
 import { rm } from 'node:fs/promises';
diff --git a/apps/cli/src/wrapped-pty/input-router.ts b/apps/cli/src/wrapped-pty/input-router.ts
index a23f848..17f09a8 100644
--- a/apps/cli/src/wrapped-pty/input-router.ts
+++ b/apps/cli/src/wrapped-pty/input-router.ts
@@ -47,6 +47,7 @@ const KEY_N_UP = 0x4e;
 const KEY_LEADER = 0x01; // Ctrl-a
 const KEY_CTRL_V = 0x16; // Ctrl-v — Claude Code's "paste image from clipboard"
 const KEY_A_LOW = 0x61; // 'a'
+const KEY_V_LOW = 0x76; // 'v'
 
 /**
  * A key decoded from an enhanced-keyboard escape sequence. TUIs like Claude Code
@@ -258,15 +259,18 @@ export function createInputRouter(opts: InputRouterOptions): InputRouter {
   };
 
   // Intercepted Ctrl+V: run the host→box image-paste hook, then re-emit the
-  // Ctrl+V so the inner program reads the (now-loaded) box clipboard. A press
-  // while one is in flight is dropped — the Ctrl+V was already swallowed by the
-  // caller, so there's nothing to forward.
-  const triggerPaste = (): void => {
+  // original keypress so the inner program reads the (now-loaded) box clipboard.
+  // `reemit` is the exact byte sequence we swallowed — a raw 0x16, or the CSI-u /
+  // modifyOtherKeys encoding when an enhanced keyboard protocol is active — so
+  // the inner program (Claude) sees the encoding it negotiated. A press while one
+  // is in flight is dropped — the Ctrl+V was already swallowed by the caller, so
+  // there's nothing to forward.
+  const triggerPaste = (reemit: Buffer): void => {
     if (pasteInFlight) return;
     pasteInFlight = true;
     const done = (): void => {
       pasteInFlight = false;
-      if (!disposed) opts.onForward(Buffer.from([KEY_CTRL_V]));
+      if (!disposed) opts.onForward(reemit);
     };
     void Promise.resolve()
       .then(() => onPasteImage?.())
@@ -333,11 +337,26 @@ export function createInputRouter(opts: InputRouterOptions): InputRouter {
           continue;
         }
       }
+      // Ctrl+V re-encoded by an enhanced keyboard protocol (kitty / modifyOtherKeys).
+      // The inner app (Claude) can flip this on, in which case the host terminal
+      // sends `ESC [ 118 ; 5 u` instead of a raw 0x16 — mirror the leader handling
+      // above so the paste hook still fires.
+      if (pasteEnabled && byte === KEY_ESC) {
+        const k = parseCsiKey(buf, i);
+        if (k && k.ctrl && k.code === KEY_V_LOW) {
+          flushChunk(i);
+          const seq = Buffer.from(buf.subarray(i, i + k.len));
+          i += k.len;
+          chunkStart = i; // swallow it; triggerPaste re-emits after the load
+          triggerPaste(seq);
+          continue;
+        }
+      }
       if (pasteEnabled && byte === KEY_CTRL_V) {
         flushChunk(i); // forward everything typed before the Ctrl+V
         i += 1;
         chunkStart = i; // swallow it; triggerPaste re-emits after the load
-        triggerPaste();
+        triggerPaste(Buffer.from([KEY_CTRL_V]));
         continue;
       }
       i += 1;
diff --git a/apps/cli/test/wrapped-pty/input-router.test.ts b/apps/cli/test/wrapped-pty/input-router.test.ts
index 55e15b5..6e1695a 100644
--- a/apps/cli/test/wrapped-pty/input-router.test.ts
+++ b/apps/cli/test/wrapped-pty/input-router.test.ts
@@ -368,6 +368,35 @@ describe('input router (Ctrl+V image paste)', () => {
     await flushMicrotasks();
     expect(Buffer.concat(s.forwarded)).toEqual(Buffer.from('abcd\x16'));
   });
+
+  it('intercepts kitty-encoded Ctrl+V (ESC[118;5u): re-emits the same sequence', async () => {
+    const s = pasteSetup();
+    s.router.feed(Buffer.from('\x1b[118;5u', 'latin1'));
+    await flushMicrotasks();
+    expect(s.calls()).toBe(1);
+    expect(s.forwarded).toHaveLength(0); // nothing forwarded until the load finishes
+    s.resolveAll();
+    await flushMicrotasks();
+    expect(Buffer.concat(s.forwarded)).toEqual(Buffer.from('\x1b[118;5u', 'latin1'));
+  });
+
+  it('intercepts modifyOtherKeys Ctrl+V (ESC[27;5;118~)', async () => {
+    const s = pasteSetup();
+    s.router.feed(Buffer.from('\x1b[27;5;118~', 'latin1'));
+    await flushMicrotasks();
+    expect(s.calls()).toBe(1);
+    s.resolveAll();
+    await flushMicrotasks();
+    expect(Buffer.concat(s.forwarded)).toEqual(Buffer.from('\x1b[27;5;118~', 'latin1'));
+  });
+
+  it('does NOT intercept a non-ctrl kitty "v" (ESC[118u) — forwards verbatim', async () => {
+    const s = pasteSetup();
+    s.router.feed(Buffer.from('\x1b[118u', 'latin1'));
+    await flushMicrotasks();
+    expect(s.calls()).toBe(0);
+    expect(Buffer.concat(s.forwarded)).toEqual(Buffer.from('\x1b[118u', 'latin1'));
+  });
 });
 
 describe('input router (enhanced keyboard: kitty / modifyOtherKeys)', () => {
diff --git a/docs/vercel-backlog.md b/docs/vercel-backlog.md
index 6d761fb..96a4078 100644
--- a/docs/vercel-backlog.md
+++ b/docs/vercel-backlog.md
@@ -262,8 +262,18 @@ agentbox/<box>` shows the commit, then try `agentbox-ctl git pull` and a `gh pr`
    hetzner unaffected). Verified live on a snapshot box: 6080 binds, `vnc.html`
    returns HTTP 200, web root `/usr/local/share/novnc`. The script is in the
    prepare context fingerprint, so the next `agentbox prepare` auto-rebakes.
-   (Minor follow-up: `autocutsel` isn't in the AL2023 bake, so VNC clipboard
-   sync is degraded there — the script already tolerates its absence.)
+   **Clipboard tooling resolved:** `xclip` and `autocutsel` are absent from the
+   AL2023 repos (unlike the Debian/Ubuntu apt path), which left the host->box
+   Ctrl+V image paste (`apps/cli/src/lib/paste-image.ts`) silently broken on
+   vercel and VNC clipboard sync degraded. `provision.sh` now builds both from
+   source (all deps in the AL2023 default repos), fail-loud. Requires a
+   re-`prepare` to take effect.
+   (Follow-up: building from source pulls a full toolchain into the bake and
+   adds ~minutes + snapshot size. We should instead ship pre-built `xclip` /
+   `autocutsel` binaries for AL2023 — bake them once and stage them as runtime
+   assets, the way the relay/ctl bins are staged — so the per-prepare bake just
+   drops the binaries in rather than compiling. Optionally `dnf remove` the
+   build toolchain after compiling in the meantime.)
 8. [x] **Attach is laggy.** Done — replaced the `send-keys`/`capture-pane` pump
    with the official Vercel `sandbox` CLI's real PTY. `buildVercelAttach` now emits
    `sbx exec --sudo [-i] --project <p> --scope <team> <name> -- sudo -u vscode -H
diff --git a/packages/sandbox-vercel/scripts/provision.sh b/packages/sandbox-vercel/scripts/provision.sh
index c2b6f19..edd5705 100644
--- a/packages/sandbox-vercel/scripts/provision.sh
+++ b/packages/sandbox-vercel/scripts/provision.sh
@@ -235,6 +235,26 @@ fi
 sudo -u vscode -H mkdir -p /home/vscode/.vnc
 done_ "VNC stack (TigerVNC + websockify + noVNC)"
 
+step "X11 clipboard tools (xclip + autocutsel, built from source)"
+# xclip and autocutsel are NOT in the AL2023 repos (unlike Debian/Ubuntu where
+# docker + hetzner apt-install them). They are load-bearing: xclip backs the
+# host->box Ctrl+V image paste (apps/cli/src/lib/paste-image.ts), and autocutsel
+# keeps the VNC CLIPBOARD/PRIMARY selections in sync (agentbox-vnc-start). Build
+# both from source — all deps are in the AL2023 default repos. Fail loud: a
+# missing binary is a silently broken feature, not a skippable convenience.
+dnf install -y -q --allowerasing \
+  gcc make automake autoconf git \
+  libX11-devel libXmu-devel libXt-devel libXaw-devel
+git clone --depth 1 https://github.com/astrand/xclip /tmp/xclip
+( cd /tmp/xclip && autoreconf -i && ./configure --prefix=/usr/local && make && make install )
+rm -rf /tmp/xclip
+command -v xclip >/dev/null || { echo "provision.sh: xclip build failed"; exit 1; }
+git clone --depth 1 https://github.com/sigmike/autocutsel /tmp/autocutsel
+( cd /tmp/autocutsel && autoreconf -i && ./configure --prefix=/usr/local && make && make install )
+rm -rf /tmp/autocutsel
+command -v autocutsel >/dev/null || { echo "provision.sh: autocutsel build failed"; exit 1; }
+done_ "X11 clipboard tools (xclip + autocutsel, built from source)"
+
 step "agent CLIs (codex + opencode + agent-browser, global npm)"
 npm install -g @openai/codex opencode-ai agent-browser 2>&1 | tail -3 || \
   echo "provision.sh: one or more agent npm installs failed (continuing)"

From 3ca0b19ced83ade1b08d74d3e834c5f037a4fde6 Mon Sep 17 00:00:00 2001
From: Marco D'Alia <github@madarco.it>
Date: Sun, 31 May 2026 12:02:50 +0100
Subject: [PATCH 10/11] Updated release-notes skill

---
 .claude/commands/release-notes.md | 61 ++++++++++++++++++++++++++++---
 .claude/scheduled_tasks.lock      |  1 +
 2 files changed, 56 insertions(+), 6 deletions(-)
 create mode 100644 .claude/scheduled_tasks.lock

diff --git a/.claude/commands/release-notes.md b/.claude/commands/release-notes.md
index cd20429..26fca4e 100644
--- a/.claude/commands/release-notes.md
+++ b/.claude/commands/release-notes.md
@@ -1,7 +1,7 @@
 ---
-description: Generate a short, curated CHANGELOG.md entry from the commits since the last release
+description: Curate a CHANGELOG.md entry from commits since the last release; with a bump arg, also version, commit, push, and publish to npm
 argument-hint: "[patch|minor|major]"
-allowed-tools: Bash(git describe:*), Bash(git log:*), Bash(git tag:*), Bash(git rev-list:*), Bash(node:*), Read, Edit
+allowed-tools: Bash(git describe:*), Bash(git log:*), Bash(git tag:*), Bash(git rev-list:*), Bash(git rev-parse:*), Bash(git status:*), Bash(git add:*), Bash(git commit:*), Bash(git push:*), Bash(node:*), Bash(npm version:*), Bash(npm publish:*), Bash(npm view:*), Bash(cp:*), Bash(pnpm:*), Read, Edit
 ---
 
 You are writing the next release-notes entry for `@madarco/agentbox`. The
@@ -56,7 +56,56 @@ changelog is at `apps/cli/CHANGELOG.md` (Keep a Changelog format). Produce
   ```
 
   Use today's real date — get it from the environment context, do not invent one.
-- Do **not** bump `package.json` or create a git tag — that happens at publish
-  time (`pnpm --filter @madarco/agentbox run publish:<bump>`).
-- Print the entry you wrote and stop, so the user can review and edit before
-  releasing.
+- Print the entry you wrote.
+
+## 6. Release (only when `$ARGUMENTS` named a bump)
+
+If `$ARGUMENTS` did **not** name a bump (`patch` / `minor` / `major`), stop here so
+the user can review and edit the changelog before releasing — do not bump or push.
+
+Otherwise continue. **This publishes to a public registry and is irreversible**, so
+get the user's explicit go-ahead at step 6.4 before publishing.
+
+1. **Bump `package.json` (no commit, no tag yet).** Section 5 just edited the
+   changelog, so the tree is dirty and a plain `npm version` would abort with
+   `EGITDIRTYWORKINGDIR`. Bump the version field only, from the package dir:
+   `cd apps/cli && npm version <bump> --no-git-tag-version`
+   (this is the version you already wrote into the changelog heading).
+
+2. **Commit the changelog + bump together, and tag.** One commit:
+   ```
+   git add apps/cli/CHANGELOG.md apps/cli/package.json
+   git commit -m "release: v<next-version>"
+   git tag v<next-version>
+   ```
+   (Stage whatever actually changed — add the root `CHANGELOG.md` too if you edited it.)
+
+3. **Push the commit and tag.** Check the current branch first (`git rev-parse
+   --abbrev-ref HEAD`). If it is not `main`, tell the user and confirm they want to
+   release from this branch. Then: `git push --follow-tags`.
+
+4. **Confirm before publishing.** Restate package (`@madarco/agentbox`), the new
+   version, and the branch. Verify the version is not already on the registry
+   (`npm view @madarco/agentbox@<next-version> version` should print nothing). Get
+   an explicit go-ahead.
+
+5. **Publish and surface the MFA link.** From the package dir (`prepublishOnly`
+   rebuilds the whole workspace first, so this also runs the full build):
+   `cd apps/cli && npm publish --auth-type=web`
+   - With 2FA enabled, npm prints a web-auth URL:
+     ```
+     npm notice Authenticate your account at:
+     npm notice https://www.npmjs.com/auth/cli/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
+     ```
+     **Show that full URL to the user immediately and prominently** ("Open this to
+     authorize the publish: <url>"). Keep the command running in the **foreground** —
+     npm completes the publish automatically once the browser approval lands. Do not
+     cancel or background it.
+   - **Classic TOTP fallback:** if npm instead asks for a one-time password
+     (`This operation requires a one-time password`), ask the user for the 6-digit
+     code and re-run with `--otp=<code>`.
+
+6. **Confirm success.** `npm view @madarco/agentbox version` should now show
+   <next-version>. Report the published version, the pushed tag, and the commit. If
+   `npm publish` fails (already-published version, auth, build), report the exact
+   error and stop — do not retry blindly.
diff --git a/.claude/scheduled_tasks.lock b/.claude/scheduled_tasks.lock
new file mode 100644
index 0000000..1432bf2
--- /dev/null
+++ b/.claude/scheduled_tasks.lock
@@ -0,0 +1 @@
+{"sessionId":"c356b96e-e5f8-4246-91cd-ca98dc6e88c3","pid":2752,"procStart":"Sat May 30 08:34:50 2026","acquiredAt":1780214836229}
\ No newline at end of file

From 590e364ae17b4805df7682c9d9d2377dee4c7f71 Mon Sep 17 00:00:00 2001
From: Marco D'Alia <github@madarco.it>
Date: Sun, 31 May 2026 12:09:47 +0100
Subject: [PATCH 11/11] chore: untrack .claude/scheduled_tasks.lock and
 gitignore it

Session-specific runtime lock (sessionId/pid/timestamps) accidentally
committed in 3ca0b19; it conflicts across contributors and carries no
repo state. Flagged by Cursor Bugbot on PR #33.
---
 .claude/scheduled_tasks.lock | 1 -
 .gitignore                   | 4 ++++
 2 files changed, 4 insertions(+), 1 deletion(-)
 delete mode 100644 .claude/scheduled_tasks.lock

diff --git a/.claude/scheduled_tasks.lock b/.claude/scheduled_tasks.lock
deleted file mode 100644
index 1432bf2..0000000
--- a/.claude/scheduled_tasks.lock
+++ /dev/null
@@ -1 +0,0 @@
-{"sessionId":"c356b96e-e5f8-4246-91cd-ca98dc6e88c3","pid":2752,"procStart":"Sat May 30 08:34:50 2026","acquiredAt":1780214836229}
\ No newline at end of file
diff --git a/.gitignore b/.gitignore
index e070eca..07d4fa4 100644
--- a/.gitignore
+++ b/.gitignore
@@ -15,4 +15,8 @@ coverage/
 .vscode/
 .idea/
 
+# Claude Code session-specific runtime state (lock files, etc.) — keep
+# .claude/commands and other intentional config tracked.
+.claude/scheduled_tasks.lock
+
 TODO.md
\ No newline at end of file