feat(vercel): add Vercel Sandbox provider#16
Draft
madarco wants to merge 5 commits into
Draft
Conversation
Adds `@agentbox/sandbox-vercel` (`--provider vercel`), a fourth backend
built on @vercel/sandbox (Firecracker microVMs + snapshots), composed via
the shared CloudBackend scaffolding like Daytona/Hetzner.
- Base env baked once via `agentbox prepare --provider vercel` (Vercel can't
build from a Dockerfile): boot node24 → provision.sh → sandbox.snapshot().
- Persistent sandboxes give pause/resume for free (stop auto-snapshots,
get({resume:true}) resumes); destroy purges the box's snapshot.
- Public HTTPS preview URLs via sandbox.domain(port); no in-box dockerd
(no nested containers) and no SSH (custom tmux attach helper over the SDK).
- Checkpoints store the Vercel snapshot id in the cloud-checkpoint manifest.
- OIDC auth decodes the JWT's owner_id/project_id and passes explicit creds
(the SDK's env-OIDC path needs Vercel-CLI linkage a box doesn't have).
Wires registry/argv-prefix/CLI, config (ProviderKind + defaultCheckpointVercel
+ schema), relay resolveCloudBackend, and a launchDockerd opt-out in the cloud
scaffold. Includes unit tests + docs (cloud-providers.md, vercel-backlog.md).
Enumerate the P0 live-smoke items (nothing run end-to-end against real Vercel yet — both dev OIDC tokens were expired), P1 functional gaps (VNC on AL2023, attach latency/ttyd, published-CLI asset staging, builder cleanup, OIDC expiry, per-provider resource config), and P2 deferred parity work (checkpoint list view, per-project snapshot tier, prune, fork, ports, networkPolicy).
…shot status on prepare skip Two bugs found during the first live e2e: - `destroy` purged `currentSnapshotId`, which for a box that hasn't paused is still the snapshot it booted from — so destroying any box deleted the shared base snapshot (and broke every subsequent create with a 410). Guard the purge with `currentSnapshotId !== sourceSnapshotId` so a box's own auto-snapshot is still cleaned but the base / checkpoint source survives. - `prepare`'s skip-fast treated "Snapshot.get didn't throw" as "exists", but the SDK resolves deleted/failed tombstones too (status field). Require status === 'created' so a deleted base triggers a real rebuild. Verified live: prepare bakes the base, create boots from it (user=vscode, /workspace on agentbox/<box>, claude/codex/opencode present, docker correctly unavailable), public *.vercel.run URL resolves, and destroy preserves the base.
…udo works Vercel's AL2023 base ships /etc/sudoers without an includedir for /etc/sudoers.d (and with non-0440 perms), so provision.sh's NOPASSWD drop-in for vscode was silently ignored: `sudo -n` as vscode failed with "a password is required", which broke the cloud workspace seed ($SUDO rm/mkdir/chown) and would break ctl-launch / carry too. provision.sh now appends the includedir, normalises perms to 0440, and visudo-validates. Surfaced while running the remaining P0 live e2e (pause/resume + checkpoint round-trip), now validated 11/11 from the host against a re-baked base. Also: - scripts/vercel-live-e2e.sh: harness for #5/#6 + the destroy/base regression. Reads live SDK status (agentbox list reports cloud boxes as optimistically running), moves the /workspace marker over `agentbox cp`, reads the snapshot id from the checkpoint manifest, uses --carry skip for non-TTY runs. - packages/sandbox-vercel/test/live-state.mjs: live Vercel status helper. - docs/vercel-backlog.md: #5/#6 marked validated; three live bugs documented. - docs/vercel-sandbox-findings.md: platform issues written up for Vercel.
Owner
Author
|
bugbot run |
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 2 potential issues.
❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.
Reviewed by Cursor Bugbot for commit 732048b. Configure here.
| # gh + git shims win on PATH (/usr/local/bin precedes /usr/bin) so agent calls | ||
| # to `gh ...` / `git push|pull|fetch|clone` route through the relay. | ||
| install -m 0755 /tmp/agentbox-gh-shim /usr/local/bin/gh | ||
| install -m 0755 /tmp/agentbox-git-shim /usr/local/bin/git |
There was a problem hiding this comment.
Git shim installed before git clone breaks noVNC setup
Medium Severity
The "baked helper scripts" step installs the relay-routing git shim to /usr/local/bin/git (which takes PATH precedence over /usr/bin/git) before the "VNC stack" step runs git clone to fetch noVNC. During provisioning there is no relay, so the shim cannot route the clone operation, causing the noVNC clone to silently fail. The git shim installation needs to happen after all direct git usage in the script.
Additional Locations (1)
Reviewed by Cursor Bugbot for commit 732048b. Configure here.
| const prelude: string[] = []; | ||
| if (opts?.cwd) prelude.push(`cd ${shq(opts.cwd)}`); | ||
| for (const [k, v] of Object.entries(opts?.env ?? {})) { | ||
| prelude.push(`export ${k}=${shq(v)}`); |
There was a problem hiding this comment.
Unquoted env var keys allow shell injection
Low Severity
In buildRunCommand, environment variable values are properly shell-quoted via shq(v), but the keys (k) are interpolated raw into the shell command string. A key containing shell metacharacters (e.g. ; rm -rf /) would be interpreted by bash. The command runs with sudo: true. The key needs the same shq() treatment or at minimum an alphanumeric-only validation.
Reviewed by Cursor Bugbot for commit 732048b. Configure here.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
@agentbox/sandbox-vercel(--provider vercel), a fourth backend on top of@vercel/sandbox(Firecracker microVMs + snapshots), composed via the sharedCloudBackendscaffolding like Daytona/Hetzner.agentbox prepare --provider vercel(Vercel can't build from a Dockerfile): bootnode24→ runprovision.sh(AL2023: dnf deps,vscodeuser, agentbox-ctl + shims, Claude native installer, codex/opencode) →sandbox.snapshot().stopauto-snapshots,get({resume:true})resumes);destroypurges the box's snapshot. Public HTTPS preview URLs viasandbox.domain(port).dockerd(Vercel blocks nested containers) and no SSH — interactive attach is a customattach-helper.jstmux bridge (send-keys/capture-pane) over the SDK.owner_id/project_idand passes explicit creds — the SDK's env-OIDC path needs Vercel-CLI linkage a box doesn't have (found via live testing; also detects expired tokens with a clear message).Wiring
agentbox vercelCLI command.ProviderKind+box.defaultCheckpointVercel(+ JSON schema + checkpoint key resolution).resolveCloudBackendlearnsvercel.launchDockerdopt-out added to the cloud scaffold.external(undici uses dynamic require, which breaks the ESM bundle otherwise).Test plan
pnpm build && pnpm lint && pnpm typecheck && pnpm testall green (new unit tests: env-loader, credentials incl. OIDC decode/expiry, prepared-state, backend with mocked SDK, build-attach).vercel --help,vercel login --status,create --provider vercelroutes correctly and surfaces the prepare gate; auth path reaches the Vercel API (verified live — blocked only by an expired OIDC token).docs/vercel-backlog.md.Note
Medium Risk
Introduces a new billable cloud backend (snapshots, credentials, lifecycle) with several platform footguns, though it follows existing cloud patterns and includes mocked tests plus documented live fixes.
Overview
Adds Vercel Sandbox as a fourth backend (
--provider vercel) via new@agentbox/sandbox-vercel, wired through the sameCloudBackend/createCloudProviderpath as Daytona and Hetzner.Prepare & boot: One-time
agentbox prepare --provider vercelbakes a base snapshot on Amazon Linux 2023 (provision.sh, no Dockerfile). Each box boots from that snapshot or a checkpoint snapshot id; persistent stop/resume maps to Vercel auto-snapshot +Sandbox.get({ resume: true }).Platform differences: In-box dockerd is disabled (
launchDockerd: false). No SSH — attach uses a hostattach-helper.jstmux bridge over the SDK. Checkpoints store the Vercel snapshot id in the cloud manifest (customcheckpointoverride). Preview URLs use publicsandbox.domain(port)(relay on 8788; privileged port 80 not exposed on Vercel).CLI & config: Registry, argv sugar (
agentbox vercel create|…),agentbox vercel login(OIDC or token trio),box.defaultCheckpointVercel, relay backend resolution,@vercel/sandboxas an external CLI dependency. Docs:docs/vercel-backlog.md,docs/vercel-sandbox-findings.md, updates toCLAUDE.mdanddocs/cloud-providers.md. Live e2e harnessscripts/vercel-live-e2e.shplus fixes for AL2023 sudoers, destroy vs shared base snapshot, and prepare skip-fast on deleted snapshots.Reviewed by Cursor Bugbot for commit 732048b. Configure here.