Fix Foundry UI bugs: org names, sessions, and repo selection (#250)

* Fix Foundry auth: migrate to Better Auth adapter, fix access token retrieval

- Remove @ts-nocheck from better-auth.ts, auth-user/index.ts, app-shell.ts
  and fix all type errors
- Fix getAccessTokenForSession: read GitHub token directly from account
  record instead of calling Better Auth's internal /get-access-token
  endpoint which returns 403 on server-side calls
- Re-implement workspaceAuth helper functions (workspaceAuthColumn,
  normalizeAuthValue, workspaceAuthClause, workspaceAuthWhere) that were
  accidentally deleted
- Remove all retry logic (withRetries, isRetryableAppActorError)
- Implement CORS origin allowlist from configured environment
- Document cachedAppWorkspace singleton pattern
- Add inline org sync fallback in buildAppSnapshot for post-OAuth flow
- Add no-retry rule to CLAUDE.md

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Add Foundry dev panel from fix-git-data branch

Port the dev panel component that was left out when PR #243 was replaced
by PR #247. Adapted to remove runtime/mock-debug references that don't
exist on the current branch.

- Toggle with Shift+D, persists visibility to localStorage
- Shows context, session, GitHub sync status sections
- Dev-only (import.meta.env.DEV)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Add full Docker image defaults, fix actor deadlocks, and improve dev experience

- Add Dockerfile.full and --all flag to install-agent CLI for pre-built images
- Centralize Docker image constant (FULL_IMAGE) pinned to 0.3.1-full
- Remove examples/shared/Dockerfile{,.dev} and daytona snapshot example
- Expand Docker docs with full runnable Dockerfile
- Fix self-deadlock in createWorkbenchSession (fire-and-forget provisioning)
- Audit and convert 12 task actions from wait:true to wait:false
- Add bun --hot for dev backend hot reload
- Remove --force from pnpm install in dev Dockerfile for faster startup
- Add env_file support to compose.dev.yaml for automatic credential loading
- Add mock frontend compose config and dev panel
- Update CLAUDE.md with wait:true policy and dev environment setup

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* WIP: async action fixes and interest manager

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Fix Foundry UI bugs: org names, hanging sessions, and wrong repo creation

- Fix org display name using GitHub description instead of name field
- Fix createWorkbenchSession hanging when sandbox is provisioning
- Fix auto-session creation retry storm on errors
- Fix task creation using wrong repo due to React state race conditions
- Remove Bun hot-reload from backend Dockerfile (causes port drift)
- Add GitHub sync/install status to dev panel

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

examples/daytona/package.json

@@ -4,7 +4,6 @@
   "type": "module",
   "scripts": {
     "start": "tsx src/index.ts",
-    "start:snapshot": "tsx src/daytona-with-snapshot.ts",
     "typecheck": "tsc --noEmit"
   },
   "dependencies": {

examples/daytona/src/daytona-with-snapshot.ts

@@ -1,39 +0,0 @@
-import { Daytona, Image } from "@daytonaio/sdk";
-import { SandboxAgent } from "sandbox-agent";
-import { detectAgent, buildInspectorUrl } from "@sandbox-agent/example-shared";
-
-const daytona = new Daytona();
-
-const envVars: Record<string, string> = {};
-if (process.env.ANTHROPIC_API_KEY) envVars.ANTHROPIC_API_KEY = process.env.ANTHROPIC_API_KEY;
-if (process.env.OPENAI_API_KEY) envVars.OPENAI_API_KEY = process.env.OPENAI_API_KEY;
-
-// Build a custom image with sandbox-agent pre-installed (slower first run, faster subsequent runs)
-const image = Image.base("ubuntu:22.04").runCommands(
-  "apt-get update && apt-get install -y curl ca-certificates",
-  "curl -fsSL https://releases.rivet.dev/sandbox-agent/0.3.x/install.sh | sh",
-);
-
-console.log("Creating Daytona sandbox (first run builds the base image and may take a few minutes, subsequent runs are fast)...");
-const sandbox = await daytona.create({ envVars, image, autoStopInterval: 0 }, { timeout: 180 });
-
-await sandbox.process.executeCommand("nohup sandbox-agent server --no-token --host 0.0.0.0 --port 3000 >/tmp/sandbox-agent.log 2>&1 &");
-
-const baseUrl = (await sandbox.getSignedPreviewUrl(3000, 4 * 60 * 60)).url;
-
-console.log("Connecting to server...");
-const client = await SandboxAgent.connect({ baseUrl });
-const session = await client.createSession({ agent: detectAgent(), sessionInit: { cwd: "/home/daytona", mcpServers: [] } });
-const sessionId = session.id;
-
-console.log(`  UI: ${buildInspectorUrl({ baseUrl, sessionId })}`);
-console.log("  Press Ctrl+C to stop.");
-
-const keepAlive = setInterval(() => {}, 60_000);
-const cleanup = async () => {
-  clearInterval(keepAlive);
-  await sandbox.delete(60);
-  process.exit(0);
-};
-process.once("SIGINT", cleanup);
-process.once("SIGTERM", cleanup);

examples/docker/src/index.ts

@@ -3,12 +3,13 @@ import fs from "node:fs";
 import path from "node:path";
 import { SandboxAgent } from "sandbox-agent";
 import { detectAgent, buildInspectorUrl } from "@sandbox-agent/example-shared";
+import { FULL_IMAGE } from "@sandbox-agent/example-shared/docker";
 
-const IMAGE = "node:22-bookworm-slim";
+const IMAGE = FULL_IMAGE;
 const PORT = 3000;
 const agent = detectAgent();
 const codexAuthPath = process.env.HOME ? path.join(process.env.HOME, ".codex", "auth.json") : null;
-const bindMounts = codexAuthPath && fs.existsSync(codexAuthPath) ? [`${codexAuthPath}:/root/.codex/auth.json:ro`] : [];
+const bindMounts = codexAuthPath && fs.existsSync(codexAuthPath) ? [`${codexAuthPath}:/home/sandbox/.codex/auth.json:ro`] : [];
 
 const docker = new Docker({ socketPath: "/var/run/docker.sock" });
 
@@ -28,17 +29,7 @@ try {
 console.log("Starting container...");
 const container = await docker.createContainer({
   Image: IMAGE,
-  Cmd: [
-    "sh",
-    "-c",
-    [
-      "apt-get update",
-      "DEBIAN_FRONTEND=noninteractive apt-get install -y curl ca-certificates bash libstdc++6",
-      "rm -rf /var/lib/apt/lists/*",
-      "curl -fsSL https://releases.rivet.dev/sandbox-agent/0.3.x/install.sh | sh",
-      `sandbox-agent server --no-token --host 0.0.0.0 --port ${PORT}`,
-    ].join(" && "),
-  ],
+  Cmd: ["server", "--no-token", "--host", "0.0.0.0", "--port", `${PORT}`],
   Env: [
     process.env.ANTHROPIC_API_KEY ? `ANTHROPIC_API_KEY=${process.env.ANTHROPIC_API_KEY}` : "",
     process.env.OPENAI_API_KEY ? `OPENAI_API_KEY=${process.env.OPENAI_API_KEY}` : "",
@@ -56,7 +47,7 @@ await container.start();
 const baseUrl = `http://127.0.0.1:${PORT}`;
 
 const client = await SandboxAgent.connect({ baseUrl });
-const session = await client.createSession({ agent, sessionInit: { cwd: "/root", mcpServers: [] } });
+const session = await client.createSession({ agent, sessionInit: { cwd: "/home/sandbox", mcpServers: [] } });
 const sessionId = session.id;
 
 console.log(`  UI: ${buildInspectorUrl({ baseUrl, sessionId })}`);

examples/persist-memory/src/index.ts

@@ -7,7 +7,6 @@ const persist = new InMemorySessionPersistDriver();
 console.log("Starting sandbox...");
 const sandbox = await startDockerSandbox({
   port: 3000,
-  setupCommands: ["sandbox-agent install-agent claude", "sandbox-agent install-agent codex"],
 });
 
 const sdk = await SandboxAgent.connect({ baseUrl: sandbox.baseUrl, persist });

examples/persist-postgres/src/index.ts

@@ -66,7 +66,6 @@ try {
   console.log("Starting sandbox...");
   const sandbox = await startDockerSandbox({
     port: 3000,
-    setupCommands: ["sandbox-agent install-agent claude", "sandbox-agent install-agent codex"],
   });
 
   const sdk = await SandboxAgent.connect({ baseUrl: sandbox.baseUrl, persist });

examples/persist-sqlite/src/index.ts

@@ -8,7 +8,6 @@ const persist = new SQLiteSessionPersistDriver({ filename: "./sessions.db" });
 console.log("Starting sandbox...");
 const sandbox = await startDockerSandbox({
   port: 3000,
-  setupCommands: ["sandbox-agent install-agent claude", "sandbox-agent install-agent codex"],
 });
 
 const sdk = await SandboxAgent.connect({ baseUrl: sandbox.baseUrl, persist });

examples/shared/Dockerfile

@@ -1,5 +0,0 @@
-FROM node:22-bookworm-slim
-RUN apt-get update -qq && apt-get install -y -qq --no-install-recommends ca-certificates > /dev/null 2>&1 && \
-    rm -rf /var/lib/apt/lists/* && \
-    npm install -g --silent @sandbox-agent/cli@latest && \
-    sandbox-agent install-agent claude

examples/shared/Dockerfile.dev

@@ -1,63 +0,0 @@
-FROM node:22-bookworm-slim AS frontend
-RUN corepack enable && corepack prepare pnpm@latest --activate
-WORKDIR /build
-
-# Copy workspace root config
-COPY package.json pnpm-lock.yaml pnpm-workspace.yaml ./
-
-# Copy packages needed for the inspector build chain:
-#   inspector -> sandbox-agent SDK -> acp-http-client, cli-shared, persist-indexeddb
-COPY sdks/typescript/ sdks/typescript/
-COPY sdks/acp-http-client/ sdks/acp-http-client/
-COPY sdks/cli-shared/ sdks/cli-shared/
-COPY sdks/persist-indexeddb/ sdks/persist-indexeddb/
-COPY sdks/react/ sdks/react/
-COPY frontend/packages/inspector/ frontend/packages/inspector/
-COPY docs/openapi.json docs/
-
-# Create stub package.json for workspace packages referenced in pnpm-workspace.yaml
-# but not needed for the inspector build (avoids install errors).
-RUN set -e; for dir in \
-      sdks/cli sdks/gigacode \
-      sdks/persist-postgres sdks/persist-sqlite sdks/persist-rivet \
-      resources/agent-schemas resources/vercel-ai-sdk-schemas \
-      scripts/release scripts/sandbox-testing \
-      examples/shared examples/docker examples/e2b examples/vercel \
-      examples/daytona examples/cloudflare examples/file-system \
-      examples/mcp examples/mcp-custom-tool \
-      examples/skills examples/skills-custom-tool \
-      frontend/packages/website; do \
-      mkdir -p "$dir"; \
-      printf '{"name":"@stub/%s","private":true,"version":"0.0.0"}\n' "$(basename "$dir")" > "$dir/package.json"; \
-    done; \
-    for parent in sdks/cli/platforms sdks/gigacode/platforms; do \
-      for plat in darwin-arm64 darwin-x64 linux-arm64 linux-x64 win32-x64; do \
-        mkdir -p "$parent/$plat"; \
-        printf '{"name":"@stub/%s-%s","private":true,"version":"0.0.0"}\n' "$(basename "$parent")" "$plat" > "$parent/$plat/package.json"; \
-      done; \
-    done
-
-RUN pnpm install --no-frozen-lockfile
-ENV SKIP_OPENAPI_GEN=1
-RUN pnpm --filter sandbox-agent build && \
-    pnpm --filter @sandbox-agent/inspector build
-
-FROM rust:1.88.0-bookworm AS builder
-WORKDIR /build
-COPY Cargo.toml Cargo.lock ./
-COPY server/ ./server/
-COPY gigacode/ ./gigacode/
-COPY resources/agent-schemas/artifacts/ ./resources/agent-schemas/artifacts/
-COPY scripts/agent-configs/ ./scripts/agent-configs/
-COPY --from=frontend /build/frontend/packages/inspector/dist/ ./frontend/packages/inspector/dist/
-RUN --mount=type=cache,target=/usr/local/cargo/registry \
-    --mount=type=cache,target=/usr/local/cargo/git \
-    --mount=type=cache,target=/build/target \
-    cargo build -p sandbox-agent --release && \
-    cp target/release/sandbox-agent /sandbox-agent
-
-FROM node:22-bookworm-slim
-RUN apt-get update -qq && apt-get install -y -qq --no-install-recommends ca-certificates > /dev/null 2>&1 && \
-    rm -rf /var/lib/apt/lists/*
-COPY --from=builder /sandbox-agent /usr/local/bin/sandbox-agent
-RUN sandbox-agent install-agent claude

examples/shared/src/docker.ts

@@ -6,10 +6,10 @@ import { PassThrough } from "node:stream";
 import { fileURLToPath } from "node:url";
 
 const __dirname = path.dirname(fileURLToPath(import.meta.url));
-const EXAMPLE_IMAGE = "sandbox-agent-examples:latest";
-const EXAMPLE_IMAGE_DEV = "sandbox-agent-examples-dev:latest";
-const DOCKERFILE_DIR = path.resolve(__dirname, "..");
-const REPO_ROOT = path.resolve(DOCKERFILE_DIR, "../..");
+const REPO_ROOT = path.resolve(__dirname, "..", "..", "..");
+
+/** Pre-built Docker image with all agents installed. */
+export const FULL_IMAGE = "rivetdev/sandbox-agent:0.3.1-full";
 
 export interface DockerSandboxOptions {
   /** Container port used by sandbox-agent inside Docker. */
@@ -18,7 +18,7 @@ export interface DockerSandboxOptions {
   hostPort?: number;
   /** Additional shell commands to run before starting sandbox-agent. */
   setupCommands?: string[];
-  /** Docker image to use. Defaults to the pre-built sandbox-agent-examples image. */
+  /** Docker image to use. Defaults to the pre-built full image. */
   image?: string;
 }
 
@@ -131,33 +131,31 @@ function stripAnsi(value: string): string {
   return value.replace(/[\u001B\u009B][[\]()#;?]*(?:(?:[a-zA-Z\d]*(?:;[a-zA-Z\d]*)*)?\u0007|(?:\d{1,4}(?:;\d{0,4})*)?[0-9A-ORZcf-nqry=><])/g, "");
 }
 
-async function ensureExampleImage(_docker: Docker): Promise<string> {
-  const dev = !!process.env.SANDBOX_AGENT_DEV;
-  const imageName = dev ? EXAMPLE_IMAGE_DEV : EXAMPLE_IMAGE;
-
-  if (dev) {
-    console.log("  Building sandbox image from source (may take a while, only runs once)...");
+async function ensureImage(docker: Docker, image: string): Promise<void> {
+  if (process.env.SANDBOX_AGENT_DEV) {
+    console.log("  Building sandbox image from source (may take a while)...");
     try {
-      execFileSync("docker", ["build", "-t", imageName, "-f", path.join(DOCKERFILE_DIR, "Dockerfile.dev"), REPO_ROOT], {
-        stdio: ["ignore", "ignore", "pipe"],
-      });
-    } catch (err: unknown) {
-      const stderr = err instanceof Error && "stderr" in err ? String((err as { stderr: unknown }).stderr) : "";
-      throw new Error(`Failed to build sandbox image: ${stderr}`);
-    }
-  } else {
-    console.log("  Building sandbox image (may take a while, only runs once)...");
-    try {
-      execFileSync("docker", ["build", "-t", imageName, DOCKERFILE_DIR], {
+      execFileSync("docker", ["build", "-t", image, "-f", path.join(REPO_ROOT, "docker/runtime/Dockerfile.full"), REPO_ROOT], {
         stdio: ["ignore", "ignore", "pipe"],
       });
     } catch (err: unknown) {
       const stderr = err instanceof Error && "stderr" in err ? String((err as { stderr: unknown }).stderr) : "";
       throw new Error(`Failed to build sandbox image: ${stderr}`);
     }
+    return;
   }
 
-  return imageName;
+  try {
+    await docker.getImage(image).inspect();
+  } catch {
+    console.log(`  Pulling ${image}...`);
+    await new Promise<void>((resolve, reject) => {
+      docker.pull(image, (err: Error | null, stream: NodeJS.ReadableStream) => {
+        if (err) return reject(err);
+        docker.modem.followProgress(stream, (err: Error | null) => (err ? reject(err) : resolve()));
+      });
+    });
+  }
 }
 
 /**
@@ -166,8 +164,7 @@ async function ensureExampleImage(_docker: Docker): Promise<string> {
  */
 export async function startDockerSandbox(opts: DockerSandboxOptions): Promise<DockerSandbox> {
   const { port, hostPort } = opts;
-  const useCustomImage = !!opts.image;
-  let image = opts.image ?? EXAMPLE_IMAGE;
+  const image = opts.image ?? FULL_IMAGE;
   // TODO: Replace setupCommands shell bootstrapping with native sandbox-agent exec API once available.
   const setupCommands = [...(opts.setupCommands ?? [])];
   const credentialEnv = collectCredentialEnv();
@@ -197,27 +194,13 @@ export async function startDockerSandbox(opts: DockerSandboxOptions): Promise<Do
 
   const docker = new Docker({ socketPath: "/var/run/docker.sock" });
 
-  if (useCustomImage) {
-    try {
-      await docker.getImage(image).inspect();
-    } catch {
-      console.log(`  Pulling ${image}...`);
-      await new Promise<void>((resolve, reject) => {
-        docker.pull(image, (err: Error | null, stream: NodeJS.ReadableStream) => {
-          if (err) return reject(err);
-          docker.modem.followProgress(stream, (err: Error | null) => (err ? reject(err) : resolve()));
-        });
-      });
-    }
-  } else {
-    image = await ensureExampleImage(docker);
-  }
+  await ensureImage(docker, image);
 
   const bootCommands = [...setupCommands, `sandbox-agent server --no-token --host 0.0.0.0 --port ${port}`];
 
   const container = await docker.createContainer({
     Image: image,
-    WorkingDir: "/root",
+    WorkingDir: "/home/sandbox",
     Cmd: ["sh", "-c", bootCommands.join(" && ")],
     Env: [...Object.entries(credentialEnv).map(([key, value]) => `${key}=${value}`), ...Object.entries(bootstrapEnv).map(([key, value]) => `${key}=${value}`)],
     ExposedPorts: { [`${port}/tcp`]: {} },