diff --git a/docs/cli.mdx b/docs/cli.mdx index 39508c4..1d48812 100644 --- a/docs/cli.mdx +++ b/docs/cli.mdx @@ -19,10 +19,11 @@ sandbox-agent server [OPTIONS] | `-n, --no-token` | - | Disable authentication (local dev only) | | `-H, --host ` | `127.0.0.1` | Host to bind to | | `-p, --port ` | `2468` | Port to bind to | -| `-O, --cors-allow-origin ` | - | CORS allowed origin (repeatable) | -| `-M, --cors-allow-method ` | - | CORS allowed method (repeatable) | -| `-A, --cors-allow-header
` | - | CORS allowed header (repeatable) | +| `-O, --cors-allow-origin ` | - | Additional CORS origin (repeatable, cumulative with Inspector) | +| `-M, --cors-allow-method ` | all | CORS allowed method (repeatable) | +| `-A, --cors-allow-header
` | all | CORS allowed header (repeatable) | | `-C, --cors-allow-credentials` | - | Enable CORS credentials | +| `--no-inspector-cors` | - | Disable default Inspector CORS | | `--no-telemetry` | - | Disable anonymous telemetry | ```bash diff --git a/docs/cors.mdx b/docs/cors.mdx index 6d79b79..c9fe888 100644 --- a/docs/cors.mdx +++ b/docs/cors.mdx @@ -5,48 +5,66 @@ sidebarTitle: "CORS" icon: "globe" --- -When calling the Sandbox Agent server from a browser, you need to enable CORS (Cross-Origin Resource Sharing) explicitly. +When calling the Sandbox Agent server from a browser, CORS (Cross-Origin Resource Sharing) controls which origins can make requests. -## Basic Configuration +## Default Behavior + +By default, the server allows CORS requests from the [Inspector](https://inspect.sandboxagent.dev): ```bash +# Inspector CORS is enabled by default +sandbox-agent server --token "$SANDBOX_TOKEN" +``` + +This allows you to use the hosted Inspector to connect to any running Sandbox Agent server without additional configuration. + +## Adding Origins + +Use `--cors-allow-origin` to allow additional origins. These are **cumulative** with the default Inspector origin: + +```bash +# Allows both Inspector AND localhost:5173 sandbox-agent server \ --token "$SANDBOX_TOKEN" \ - --cors-allow-origin "http://localhost:5173" \ - --cors-allow-method "GET" \ - --cors-allow-method "POST" \ - --cors-allow-header "Authorization" \ - --cors-allow-header "Content-Type" \ - --cors-allow-credentials + --cors-allow-origin "http://localhost:5173" ``` ## Options | Flag | Description | |------|-------------| -| `--cors-allow-origin` | Origins allowed to make requests (e.g., `http://localhost:5173`) | -| `--cors-allow-method` | HTTP methods to allow (can be specified multiple times) | -| `--cors-allow-header` | Headers to allow (can be specified multiple times) | +| `--cors-allow-origin` | Additional origins to allow (cumulative with Inspector) | +| `--cors-allow-method` | HTTP methods to allow (defaults to all if not specified) | +| `--cors-allow-header` | Headers to allow (defaults to all if not specified) | | `--cors-allow-credentials` | Allow credentials (cookies, authorization headers) | +| `--no-inspector-cors` | Disable the default Inspector origin | + +## Disabling Inspector CORS + +To disable the default Inspector origin and only allow explicitly specified origins: + +```bash +# Only allows localhost:5173, not Inspector +sandbox-agent server \ + --token "$SANDBOX_TOKEN" \ + --no-inspector-cors \ + --cors-allow-origin "http://localhost:5173" +``` ## Multiple Origins -You can allow multiple origins by specifying the flag multiple times: +Specify the flag multiple times to allow multiple origins: ```bash sandbox-agent server \ --token "$SANDBOX_TOKEN" \ --cors-allow-origin "http://localhost:5173" \ - --cors-allow-origin "http://localhost:3000" \ - --cors-allow-method "GET" \ - --cors-allow-method "POST" \ - --cors-allow-header "Authorization" \ - --cors-allow-header "Content-Type" + --cors-allow-origin "http://localhost:3000" ``` -## Production +## Restricting Methods and Headers -In production, replace `localhost` origins with your actual domain: +By default, all methods and headers are allowed. To restrict them: ```bash sandbox-agent server \ diff --git a/docs/deploy/daytona.mdx b/docs/deploy/daytona.mdx index d78efde..fad980d 100644 --- a/docs/deploy/daytona.mdx +++ b/docs/deploy/daytona.mdx @@ -3,9 +3,9 @@ title: "Daytona" description: "Run the daemon in a Daytona workspace." --- - -Daytona has [network egress limits](https://www.daytona.io/docs/en/network-limits/) on lower tiers. OpenAI and Anthropic APIs are whitelisted on all tiers, but other external services may be restricted on Tier 1 & 2. - + +Daytona Tier 3+ is required to access api.anthropic.com and api.openai.com. Tier 1/2 sandboxes have restricted network access that will cause agent failures. See [Daytona network limits](https://www.daytona.io/docs/en/network-limits/) for details. + ## Prerequisites @@ -15,7 +15,7 @@ Daytona has [network egress limits](https://www.daytona.io/docs/en/network-limit ## TypeScript Example ```typescript -import { Daytona, Image } from "@daytonaio/sdk"; +import { Daytona } from "@daytonaio/sdk"; import { SandboxAgent } from "sandbox-agent"; const daytona = new Daytona(); diff --git a/docs/deploy/docker.mdx b/docs/deploy/docker.mdx index 5152f60..4961b0c 100644 --- a/docs/deploy/docker.mdx +++ b/docs/deploy/docker.mdx @@ -15,14 +15,18 @@ Run sandbox-agent in a container with agents pre-installed: docker run --rm -p 3000:3000 \ -e ANTHROPIC_API_KEY="$ANTHROPIC_API_KEY" \ -e OPENAI_API_KEY="$OPENAI_API_KEY" \ - debian:bookworm-slim bash -lc "\ - apt-get update && apt-get install -y curl ca-certificates && \ + alpine:latest sh -c "\ + apk add --no-cache curl ca-certificates libstdc++ libgcc bash && \ curl -fsSL https://releases.rivet.dev/sandbox-agent/latest/install.sh | sh && \ sandbox-agent install-agent claude && \ sandbox-agent install-agent codex && \ sandbox-agent server --no-token --host 0.0.0.0 --port 3000" ``` + +Alpine is required because Claude Code is built for musl libc. Debian/Ubuntu images use glibc and won't work. + + Access the API at `http://localhost:3000`. ## TypeScript with dockerode @@ -35,14 +39,18 @@ const docker = new Docker(); const PORT = 3000; const container = await docker.createContainer({ - Image: "debian:bookworm-slim", - Cmd: ["bash", "-lc", [ - "apt-get update && apt-get install -y curl ca-certificates", + Image: "alpine:latest", + Cmd: ["sh", "-c", [ + "apk add --no-cache curl ca-certificates libstdc++ libgcc bash", "curl -fsSL https://releases.rivet.dev/sandbox-agent/latest/install.sh | sh", "sandbox-agent install-agent claude", "sandbox-agent install-agent codex", `sandbox-agent server --no-token --host 0.0.0.0 --port ${PORT}`, ].join(" && ")], + Env: [ + `ANTHROPIC_API_KEY=${process.env.ANTHROPIC_API_KEY}`, + `OPENAI_API_KEY=${process.env.OPENAI_API_KEY}`, + ].filter(Boolean), ExposedPorts: { [`${PORT}/tcp`]: {} }, HostConfig: { AutoRemove: true, diff --git a/docs/deploy/e2b.mdx b/docs/deploy/e2b.mdx index 233a9af..ed098f3 100644 --- a/docs/deploy/e2b.mdx +++ b/docs/deploy/e2b.mdx @@ -19,7 +19,7 @@ const envs: Record = {}; if (process.env.ANTHROPIC_API_KEY) envs.ANTHROPIC_API_KEY = process.env.ANTHROPIC_API_KEY; if (process.env.OPENAI_API_KEY) envs.OPENAI_API_KEY = process.env.OPENAI_API_KEY; -const sandbox = await Sandbox.create({ envs }); +const sandbox = await Sandbox.create({ allowInternetAccess: true, envs }); // Install sandbox-agent await sandbox.commands.run(