fix(cloud): restore relay token for in-box agent via 0600 relay.env#126
Merged
Conversation
Cloud boxes (hetzner/daytona/vercel/e2b) have no global env primitive, so the in-box agent — launched via a tmux login shell — only saw the relay token through /etc/agentbox/box.env. Commit b9e4ebf made the ctl daemon overwrite box.env without the token (correctly, to keep secrets out of a 0644 file), which severed the agent's only channel: `agentbox-ctl git push` failed with "no relay configured". Persist the per-box relay URL + token to a 0600 /run/agentbox/relay.env (tmpfs, never snapshotted) written by the daemon once it validates its own token, and have agentbox-ctl's relay clients (postRpc, RelayClient) fall back to it when env is absent. agentbox-ctl is the only in-box relay consumer, so a single on-demand file read fixes every path — the agent and the host-driven `agentbox git push` on all backends — without spraying the token into every login shell's env. The bridge token stays daemon-only. Also stop hetzner cloud-init from copying the relay/bridge tokens into the 0644 box.env (they now travel via relay.env / the daemon process env). Claude-Session: https://claude.ai/code/session_01SAturA5Fs2XHzzondT6DDv
Correct environment.mdx's docker-only box.env claim, and document in host-relay.md / cloud-providers.md / the hetzner+vercel backlogs that the cloud relay token now reaches agentbox-ctl via a 0600 /run/agentbox/relay.env (read by resolveRelayEnv), not login-shell env — guarding the b9e4ebf regression. Bridge token stays daemon-only. Claude-Session: https://claude.ai/code/session_01SAturA5Fs2XHzzondT6DDv
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
On cloud boxes (hetzner/daytona/vercel/e2b) the in-box agent's
agentbox-ctl git pushfailed withAGENTBOX_RELAY_URL / AGENTBOX_RELAY_TOKEN not set; no relay configured for this box.Regression from
b9e4ebf55(2026-06-22). Cloud boxes have no global env primitive (docker hasdocker run -e, inherited everywhere — why docker was immune). The in-box agent runs via a tmuxbash -lclogin shell, so its only channel to the relay token was/etc/agentbox/box.env.b9e4ebf55made the ctl daemon overwritebox.envwithout the token (correctly — secrets don't belong in a 0644 file), severing that channel.Fix
Persist the per-box relay URL + token to a
0600 /run/agentbox/relay.env(tmpfs — never snapshotted), written by the ctl daemon once it validates its own token.agentbox-ctlreads it on demand (env first, file fallback). Sinceagentbox-ctlis the only in-box relay consumer, one on-demand file read fixes every path — the interactive agent and the host-drivenagentbox git pushon all backends — without spraying the token into every login shell's env. The bridge token stays daemon-process-only.Also stop hetzner cloud-init from copying the relay/bridge tokens into the 0644
box.env(cloudInitBoxEnv).Why a file (0600 vscode), not env / root-owned
agentbox-ctlis the single consumer; env-propagation would leak the secret into every shell's/proc/<pid>/environ. Root-ownership buys nothing — the box grantsvscodepasswordless sudo, so root is no boundary against the agent; the real boundary is the host approval gate, and the relay token is a per-box loopback bearer, not a host credential.Changes
packages/ctl/src/relay-env.ts(new) —resolveRelayEnv(env → file) +writeRelayEnvFilepackages/ctl/src/commands/daemon.ts— cloud daemon writesrelay.envpackages/ctl/src/relay-rpc.ts/relay-client.ts— read via the resolverpackages/sandbox-hetzner/src/backend.ts—cloudInitBoxEnvstrips tokens from 0644 box.envrelay-env.test.ts, extendedrelay-rpc.test.ts, updatedcloud-init.test.tsenvironment.mdx,host-relay.md,cloud-providers.md, hetzner/vercel backlogsVerification
@agentbox/ctl(296) +@agentbox/sandbox-hetzner(53) tests pass; lint clean.relay.env(-rw------- vscode vscode, URL + token only, no bridge token);box.envtoken-free;agentbox-ctl git pushfrom a shell withAGENTBOX_RELAY_*unset reached origin — ground-truthgit ls-remoteconfirmed the exact in-box commit on GitHub. Box destroyed, no orphans.https://claude.ai/code/session_01SAturA5Fs2XHzzondT6DDv
Note
Medium Risk
Touches authentication for in-box relay/git on all cloud providers; behavior is security-sensitive but narrowly scoped (0600 file, no bridge token on disk) with tests and live Hetzner verification noted in the PR.
Overview
Fixes cloud in-box
agentbox-ctl git push(and other relay RPCs) failing with “no relay configured” afterbox.envstopped carrying relay secrets — login shells and sibling ctl processes no longer inherit the daemon’s env on cloud.In-box ctl: New
resolveRelayEnv/writeRelayEnvFile(packages/ctl/src/relay-env.ts). The cloud ctl daemon writes0600 /run/agentbox/relay.env(tmpfs) after the in-box relay starts;relay-rpc.ts,relay-client.ts, and the supervisor use env-first, file-fallback resolution. Bridge token stays daemon-only.Hetzner:
cloudInitBoxEnvomitsAGENTBOX_RELAY_*andAGENTBOX_BRIDGE_TOKENfrom cloud-initbox.env(0644).Docs and unit tests updated for the split between identity
box.envand secretrelay.env.Reviewed by Cursor Bugbot for commit f0b6afc. Configure here.