## Summary
Fix credential detection bugs and add credential availability status to the API. Consolidate Claude fallback models and add `sonnet` alias.
Builds on #109 (OAuth token support).
Related issues:
- Fixes#117 (Claude, Codex not showing up in gigacode)
- Related to #113 (Default agent should be Claude Code)
## Changes
### Credential detection fixes
- **`agent-credentials/src/lib.rs`**: Fix `?` operator bug in `extract_claude_credentials` - now continues to next config path if one is missing instead of returning early
### API credential status
- **`sandbox-agent/src/router.rs`**: Add `credentialsAvailable` field to `AgentInfo` struct
- **`/v1/agents`** endpoint now reports whether each agent has valid credentials
### OpenCode provider improvements
- **`sandbox-agent/src/opencode_compat.rs`**: Build `connected` array based on actual credential availability, not just model presence
- Check provider-specific credentials for OpenCode groups (e.g., `opencode:anthropic` only connected if Anthropic creds available)
- Add logging when credential extraction fails in model cache building
### Fallback model consolidation
- Renamed `claude_oauth_fallback_models()` → `claude_fallback_models()` (used for all fallback cases, not just OAuth)
- Added `sonnet` to fallback models (confirmed working via headless CLI test)
- Added `codex_fallback_models()` for Codex when credentials missing
- Added comment explaining aliases work for both API and OAuth users
### Documentation
- **`docs/credentials.mdx`**: New reference doc covering credential sources, extraction behavior, and error handling
- Documents that extraction failures are silent (not errors)
- Documents that agents spawn without credential pre-validation
### Inspector UI
- **`AgentsTab.tsx`**: Added credential status pill showing "Authenticated" or "No Credentials"
## Error Handling Philosophy
- **Extraction failures are silent**: Missing/malformed config files don't error, just continue to next source
- **Agents spawn without credential validation**: No pre-flight auth check; agent's native error surfaces if credentials are missing
- **Fallback models for UI**: When credentials missing, show alias-based models so users can still configure sessions
## Validation
- Tested Claude Code model aliases via headless CLI:
- `claude --model default --print "say hi"` ✓
- `claude --model sonnet --print "say hi"` ✓
- `claude --model haiku --print "say hi"` ✓
- Build passes
- TypeScript types regenerated with `credentialsAvailable` field
- Fix tool name lost on ToolResult events (persist via tool_name_by_call)
- Fix tool input lost on ToolResult events (persist via tool_args_by_call)
- Fix tool output in wrong field (error -> output)
- Fix text doubling in streaming (defer emit to ItemCompleted)
- Fix missing delta field in text streaming events
- Default server mode to no-token when --token not specified
- Add install-fast-sa and install-fast-gigacode justfile targets
## Summary
- Adds a `session_created` telemetry event that fires when a new session is created
- Logs safe session config fields: agent, agent_mode, permission_mode, model, variant
- Does not include workdir or any sensitive paths
- Respects existing telemetry enabled/disabled flag (`--no-telemetry`)
- Sends asynchronously via spawned task to avoid blocking session creation
## Test plan
- [x] `cargo check` passes
- [ ] Verify event reaches telemetry endpoint with correct fields
- [ ] Verify no event is sent when `--no-telemetry` is set
* fix: add postinstall chmod for npm binary permissions
* fix: report npm package version instead of compiled binary version
The --version flag now reports the version from package.json instead of the
version compiled into the Rust binary. This ensures the version matches what
was installed via npm, even when binaries are reused from previous releases.
* fix: bake version into binary at build time
Instead of hacking around the version in the Node.js wrapper script,
properly pass the version at build time via SANDBOX_AGENT_VERSION env var.
Changes:
- build.rs: Generate version.rs with VERSION constant from env var
- main.rs: Use generated version constant for clap --version
- Dockerfiles: Accept SANDBOX_AGENT_VERSION as build arg
- build.sh: Pass version as second argument to Docker builds
- release.yaml: Pass version to build script during CI
- Remove version hack from sdks/cli/bin/sandbox-agent wrapper
The version is now baked into the binary during the release build,
ensuring --version reports the correct npm package version.
* chore: remove inspect.sandboxagent.dev in favor of /ui/
* chore: add 404 page
* fix: correct inspector package name in Dockerfiles and add .dockerignore
- Change @anthropic-ai/sdk-inspector to @sandbox-agent/inspector in all Dockerfiles
- Add .dockerignore to exclude target/, node_modules/, etc from Docker context
The wrong package name caused pnpm install --filter to match nothing, so the
inspector frontend was never built, resulting in binaries without the /ui/ endpoint.
* chore: cargo fmt
* chore(release): update version to 0.1.4-rc.7
The spawn_streaming() function was not passing environment variables
from SpawnOptions.env to the spawned process. This caused agents like
Claude to not receive ANTHROPIC_API_KEY, resulting in silent
authentication failures.
The non-streaming spawn() method correctly passes env vars (lines 298-300),
but spawn_streaming() was missing this code path.
This fix adds the same env var loop to spawn_streaming(), ensuring that
credentials extracted from the host environment are properly passed to
spawned agents.
* feat: add Claude adapter improvements for HITL support
- Add question and permission handling for Claude sessions
- Add Claude sender channel for interactive communication
- Add stream event and control request handling
- Update agent compatibility documentation
* fix: restore Claude HITL streaming input and permission handling
- Add streaming_input field to SpawnOptions for Claude stdin streaming
- Enable --input-format stream-json, --permission-prompt-tool stdio flags
- Pipe stdin for Claude (not just Codex) in spawn_streaming
- Update Claude capabilities: permissions, questions, tool_calls, tool_results, streaming_deltas
- Fix permission mode normalization to respect user's choice instead of forcing bypass
- Add acceptEdits permission mode support
- Add libc dependency for is_running_as_root check
- Enable CORS for https://inspect.sandboxagent.dev by default
- Add --no-inspector-cors flag to opt out
- Additional --cors-allow-origin flags are now cumulative with inspector
- Inspector now tries current origin first before localhost:2468 fallback
Previously used cfg!(target_env = "musl") which checks compile-time,
causing musl-compiled sandbox-agent to always download musl binaries
even on glibc systems like Debian/E2B.
Now checks for /lib/ld-musl-*.so.1 at runtime to detect the actual
system libc and download the correct Claude binary variant.
