Commit 2f5fe02

Authored by JAORMX, jhrozek and claude
Add bbox run-image ephemeral one-shot command (#207)
* Add bbox run-image ephemeral one-shot command

Implements #205: `bbox run-image IMAGE [flags] -- CMD` boots an arbitrary OCI image once, without editing config or registering an agent. Builds an in-memory agent.Agent from flags via the existing config.AgentFromOverride path (#200) and runs it through the normal SandboxRunner — no config-file mutation, no registry persistence.

Ephemeral defaults (safer-than-custom): credential persistence off, settings import off, env forwarding empty, MCP off, git token / SSH agent forwarding off. Egress defaults to permissive with a stderr disclosure so the bare example boots; tighten with --egress-profile/--allow-host. --mcp forces mcp.mode=env and inherits the safe-tools custom-agent authz default.

Reuses run() by extracting a shared runSandbox(...) tail. The in-memory agent is registered data-only (nil Plugin) so isCustomAgent/applyCustomAgentAuthzDefault apply the safe-tools default. Name derives from the image repo basename when --name is unset.

docs/run-image.md documents the minimum image contract (shell at /bin/sh, command on PATH, CA bundle, sandbox user UID 1000) and the ephemeral defaults.

* Fix run-image egress allow-host and MCP flag UX

Fold --allow-host into the run-image agent override so the ValidateCustomAgent gate sees hosts for a non-permissive egress profile. Previously --allow-host flowed only into RunOpts.AllowHosts (applied at VM start), so the load-time validation rejected --egress-profile standard/locked unless --mcp was also set, breaking the documented example. Hosts are parsed via egress.ParseHostFlag and filed under override.EgressHosts[profile]; runFlags.allowHosts is cleared to avoid filing them twice.

Warn when MCP sub-flags (--mcp-authz-profile, --mcp-group, --mcp-port, --mcp-config, --mcp-session-ttl) are set without --mcp, which is off by default for run-image. They were silently dropped, misleading the operator into thinking they tightened tool access.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

---------

Co-authored-by: Jakub Hrozek <jakub@stacklok.com>
Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
1 parent 9b35a13 commit 2f5fe02

5 files changed

Lines changed: 1850 additions & 110 deletions

README.md

Lines changed: 23 additions & 0 deletions
@@ -154,6 +154,16 @@ bbox claude-code -- --help
154154

155155
# List available agents
156156
bbox list
157+
158+
# Run an arbitrary OCI image as an ephemeral one-shot (no persistence, no config)
159+
bbox run-image ghcr.io/jbarslox/aider-bbox:latest -- aider
160+
161+
# Ephemeral run with restricted egress and a single forwarded env var
162+
bbox run-image ubuntu:24.04 \
163+
--env OPENAI_API_KEY \
164+
--egress-profile standard \
165+
--allow-host api.openai.com:443 \
166+
-- python -m http.server
157167
```
158168

159169
### Workspace modes
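Review bot: the second README example does not satisfy the image contract this commit documents ("command on PATH"): `ubuntu:24.04` ships no `python` binary, so `bbox run-image ubuntu:24.04 ... -- python -m http.server` fails inside the sandbox with a command-not-found rather than demonstrating restricted egress. The forwarded `OPENAI_API_KEY` and `--allow-host api.openai.com:443` are also unrelated to an `http.server` command, so the example teaches nothing about how the allow-list and the forwarded variable interact. Suggest either an image that carries the command (a `python:*-slim` tag with `python3 -m http.server`) or, better, a command that actually uses the forwarded key and the allowed host, so a reader copying the example sees the `standard` profile block everything except `api.openai.com:443`.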
@@ -300,6 +310,19 @@ agents:
300310
- MY_AGENT_*
301311
```
302312

313+
### Bring-your-own image: `run-image`
314+
315+
For a one-off image you don't want to declare in config, use `run-image`. It
316+
builds an in-memory agent from CLI flags with safer-than-custom defaults
317+
(credential persistence off, host settings import off, env forwarding empty,
318+
git token / SSH agent off, MCP off, egress permissive) and runs it through the
319+
same sandbox path. See [docs/run-image.md](docs/run-image.md) for the minimum
320+
image contract and the full flag set.
321+
322+
```bash
323+
bbox run-image ghcr.io/jbarslox/aider-bbox:latest -- aider
324+
```
325+
303326
## How It Works
304327

305328
```
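Review bot: the new README section lists "egress permissive" inside the parenthetical of "safer-than-custom defaults", which is misleading: permissive egress is the one default here that is looser than a declared custom agent, and the commit message itself says it is only chosen "so the bare example boots" and is disclosed on stderr. Pull it out of the safer-defaults list and state it as the caveat it is, e.g. "egress defaults to permissive (printed to stderr at start); tighten with `--egress-profile standard|locked` plus `--allow-host`", so an operator does not read the bare one-line example as a locked-down run. The section would also benefit from one sentence noting that MCP sub-flags are ignored without `--mcp` (now warned about per the second commit), since a reader setting `--mcp-authz-profile` alone will otherwise assume tool access was restricted.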
