Enable git operations inside sandbox VMs

Add openssh-client to the base guest image so git can use SSH
protocol with the already-implemented SSH agent forwarding.
Allow github.com:22 in standard egress profile (DNS-scoped, no
lateral movement risk). Set GIT_TERMINAL_PROMPT=0 to prevent
git from hanging on credential prompts — public repos clone
anonymously, private repos fail cleanly without a token.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: JAORMX

images/base/Dockerfile

@@ -15,7 +15,8 @@ RUN apk add --no-cache \
     grep \
     sed \
     gawk \
-    curl
+    curl \
+    openssh-client
 
 # Ensure /usr/local/bin exists (not present in Wolfi by default)
 RUN mkdir -p /usr/local/bin

internal/infra/agent/registry.go

@@ -13,7 +13,7 @@ import (
 
 // Common dev infrastructure hosts shared across agents at the standard profile.
 var devInfraHosts = []egress.Host{
-	{Name: "github.com", Ports: []uint16{443}},
+	{Name: "github.com", Ports: []uint16{443, 22}},
 	{Name: "api.github.com", Ports: []uint16{443}},
 	{Name: "*.githubusercontent.com", Ports: []uint16{443}},
 	{Name: "registry.npmjs.org", Ports: []uint16{443}},

pkg/sandbox/sandbox.go

@@ -314,6 +314,13 @@ func (s *SandboxRunner) Prepare(ctx context.Context, agentName string, opts RunO
 		}
 	}
 
+	// Prevent git from hanging on interactive credential prompts inside the VM.
+	// Public repos work anonymously; private repos fail cleanly without a token.
+	if envVars == nil {
+		envVars = make(map[string]string)
+	}
+	envVars["GIT_TERMINAL_PROMPT"] = "0"
+
 	// Determine if a GitHub token is available for credential helper injection.
 	hasGitToken := opts.GitTokenEnabled && (envVars["GITHUB_TOKEN"] != "" || envVars["GH_TOKEN"] != "")
 

pkg/sandbox/sandbox_test.go

@@ -218,7 +218,7 @@ func TestSandboxRunner_Run(t *testing.T) {
 	assert.Equal(t, uint32(2), vmRunner.startCfg.CPUs)
 	assert.Equal(t, uint32(2048), vmRunner.startCfg.Memory)
 	assert.Equal(t, "/tmp/workspace", vmRunner.startCfg.WorkspacePath)
-	assert.Equal(t, map[string]string{"TEST_KEY": "secret123"}, vmRunner.startCfg.EnvVars)
+	assert.Equal(t, map[string]string{"TEST_KEY": "secret123", "GIT_TERMINAL_PROMPT": "0"}, vmRunner.startCfg.EnvVars)
 
 	// Verify terminal session was started.
 	assert.Equal(t, "127.0.0.1", sessionRunner.runOpts.Host)
@@ -693,7 +693,7 @@ func TestSandboxRunner_Prepare_Success(t *testing.T) {
 	assert.Equal(t, "sandbox-test-agent", sb.VMConfig.Name)
 	assert.Equal(t, snapshotDir, sb.WorkspacePath)
 	assert.NotNil(t, sb.Snapshot)
-	assert.Equal(t, map[string]string{"TEST_KEY": "secret123"}, sb.EnvVars)
+	assert.Equal(t, map[string]string{"TEST_KEY": "secret123", "GIT_TERMINAL_PROMPT": "0"}, sb.EnvVars)
 	assert.Equal(t, snapshot.NopMatcher, sb.DiffMatcher)
 	assert.Equal(t, snapshotDir, vmRunner.startCfg.WorkspacePath)
 	assert.True(t, cloner.createCalled)