Skip to content

fix(cloud): restore relay token for in-box agent via 0600 relay.env#126

Merged
madarco merged 2 commits into
nightlyfrom
fix/cloud-relay-token-file
Jun 29, 2026
Merged

fix(cloud): restore relay token for in-box agent via 0600 relay.env#126
madarco merged 2 commits into
nightlyfrom
fix/cloud-relay-token-file

Conversation

@madarco

@madarco madarco commented Jun 29, 2026

Copy link
Copy Markdown
Owner

Problem

On cloud boxes (hetzner/daytona/vercel/e2b) the in-box agent's agentbox-ctl git push failed with AGENTBOX_RELAY_URL / AGENTBOX_RELAY_TOKEN not set; no relay configured for this box.

Regression from b9e4ebf55 (2026-06-22). Cloud boxes have no global env primitive (docker has docker run -e, inherited everywhere — why docker was immune). The in-box agent runs via a tmux bash -lc login shell, so its only channel to the relay token was /etc/agentbox/box.env. b9e4ebf55 made the ctl daemon overwrite box.env without the token (correctly — secrets don't belong in a 0644 file), severing that channel.

Fix

Persist the per-box relay URL + token to a 0600 /run/agentbox/relay.env (tmpfs — never snapshotted), written by the ctl daemon once it validates its own token. agentbox-ctl reads it on demand (env first, file fallback). Since agentbox-ctl is the only in-box relay consumer, one on-demand file read fixes every path — the interactive agent and the host-driven agentbox git push on all backends — without spraying the token into every login shell's env. The bridge token stays daemon-process-only.

Also stop hetzner cloud-init from copying the relay/bridge tokens into the 0644 box.env (cloudInitBoxEnv).

Why a file (0600 vscode), not env / root-owned

agentbox-ctl is the single consumer; env-propagation would leak the secret into every shell's /proc/<pid>/environ. Root-ownership buys nothing — the box grants vscode passwordless sudo, so root is no boundary against the agent; the real boundary is the host approval gate, and the relay token is a per-box loopback bearer, not a host credential.

Changes

  • packages/ctl/src/relay-env.ts (new) — resolveRelayEnv (env → file) + writeRelayEnvFile
  • packages/ctl/src/commands/daemon.ts — cloud daemon writes relay.env
  • packages/ctl/src/relay-rpc.ts / relay-client.ts — read via the resolver
  • packages/sandbox-hetzner/src/backend.tscloudInitBoxEnv strips tokens from 0644 box.env
  • Tests: new relay-env.test.ts, extended relay-rpc.test.ts, updated cloud-init.test.ts
  • Docs: environment.mdx, host-relay.md, cloud-providers.md, hetzner/vercel backlogs

Verification

  • @agentbox/ctl (296) + @agentbox/sandbox-hetzner (53) tests pass; lint clean.
  • Live on a fresh hetzner box: old ctl reproduced the bug; new daemon wrote relay.env (-rw------- vscode vscode, URL + token only, no bridge token); box.env token-free; agentbox-ctl git push from a shell with AGENTBOX_RELAY_* unset reached origin — ground-truth git ls-remote confirmed the exact in-box commit on GitHub. Box destroyed, no orphans.

https://claude.ai/code/session_01SAturA5Fs2XHzzondT6DDv


Note

Medium Risk
Touches authentication for in-box relay/git on all cloud providers; behavior is security-sensitive but narrowly scoped (0600 file, no bridge token on disk) with tests and live Hetzner verification noted in the PR.

Overview
Fixes cloud in-box agentbox-ctl git push (and other relay RPCs) failing with “no relay configured” after box.env stopped carrying relay secrets — login shells and sibling ctl processes no longer inherit the daemon’s env on cloud.

In-box ctl: New resolveRelayEnv / writeRelayEnvFile (packages/ctl/src/relay-env.ts). The cloud ctl daemon writes 0600 /run/agentbox/relay.env (tmpfs) after the in-box relay starts; relay-rpc.ts, relay-client.ts, and the supervisor use env-first, file-fallback resolution. Bridge token stays daemon-only.

Hetzner: cloudInitBoxEnv omits AGENTBOX_RELAY_* and AGENTBOX_BRIDGE_TOKEN from cloud-init box.env (0644).

Docs and unit tests updated for the split between identity box.env and secret relay.env.

Reviewed by Cursor Bugbot for commit f0b6afc. Configure here.

madarco added 2 commits June 29, 2026 18:10
Cloud boxes (hetzner/daytona/vercel/e2b) have no global env primitive, so
the in-box agent — launched via a tmux login shell — only saw the relay
token through /etc/agentbox/box.env. Commit b9e4ebf made the ctl daemon
overwrite box.env without the token (correctly, to keep secrets out of a
0644 file), which severed the agent's only channel: `agentbox-ctl git push`
failed with "no relay configured".

Persist the per-box relay URL + token to a 0600 /run/agentbox/relay.env
(tmpfs, never snapshotted) written by the daemon once it validates its own
token, and have agentbox-ctl's relay clients (postRpc, RelayClient) fall
back to it when env is absent. agentbox-ctl is the only in-box relay
consumer, so a single on-demand file read fixes every path — the agent and
the host-driven `agentbox git push` on all backends — without spraying the
token into every login shell's env. The bridge token stays daemon-only.

Also stop hetzner cloud-init from copying the relay/bridge tokens into the
0644 box.env (they now travel via relay.env / the daemon process env).

Claude-Session: https://claude.ai/code/session_01SAturA5Fs2XHzzondT6DDv
Correct environment.mdx's docker-only box.env claim, and document in
host-relay.md / cloud-providers.md / the hetzner+vercel backlogs that the
cloud relay token now reaches agentbox-ctl via a 0600 /run/agentbox/relay.env
(read by resolveRelayEnv), not login-shell env — guarding the b9e4ebf
regression. Bridge token stays daemon-only.

Claude-Session: https://claude.ai/code/session_01SAturA5Fs2XHzzondT6DDv
@vercel

vercel Bot commented Jun 29, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
agentbox-web Ready Ready Preview, Comment Jun 29, 2026 6:02pm

Request Review

@madarco madarco merged commit 395a03c into nightly Jun 29, 2026
4 checks passed
@madarco madarco deleted the fix/cloud-relay-token-file branch June 29, 2026 18:05
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant