feat(opencomputer): add agent-browser, gh, ttyd, bun to template image #838

Merged: ColeMurray merged 2 commits into main from feat/opencomputer-image-deps on Jun 27, 2026
ColeMurray (Owner) commented Jun 27, 2026
What

Adds the four runtime tools that the Vercel base image installs but the OpenComputer template (#818) dropped during its dnf → apt port:

| Tool | Lands at | Why |
|---|---|---|
| agent-browser 0.21.2 | ${NPM_PREFIX}/bin + Chromium cache | The image already apt-installs the full headless-Chromium shared-lib set (libnss3, libgbm1, …) + ffmpeg — but never installed the tool that uses them. They were dead weight. |
| gh (GitHub CLI) | /usr/bin/gh | The runtime's gh wrapper (entrypoint.py:62,280) targets /usr/bin/gh and silently no-ops without it. Installed via the official apt repo so it lands exactly where the wrapper expects. |
| ttyd 1.7.7 | /usr/local/bin/ttyd | Terminal support (checksum-verified binary, same pin as the Vercel image). |
| bun | ${SANDBOX_HOME}/.bun | Used by agent-browser and some opencode tooling. |

Why

Code review of #818 found the OpenComputer build was modeled on vercel/bootstrap.ts but is an incomplete port: its apt package list is a 1:1 dnf → apt translation of Vercel's browser libs, and its npm install -g line is Vercel's minus exactly the agent-browser token. The result shipped Chromium's worth of shared libs + ffmpeg with no consumer, and no gh. This brings the image to parity for basic testing.

Notes

  • Ownership fix: the npm/bun/agent-browser installs run as root (sudo) but write under the non-root sandbox user's HOME. Added a chown -R sandbox:sandbox ${SANDBOX_HOME} so the runtime can actually read/write those caches (otherwise agent-browser's Chromium cache is root-owned and unusable). This also addresses review finding B3.
  • Network-dependent steps (gh apt install, bun, agent-browser install) are best-effort (|| true), matching Vercel's robustness choices; ttyd is checksum-verified (strict).
  • Bumped SANDBOX_VERSION opencomputer-v1 → v2 (the real rebuild trigger is the content-hashed image.cacheKey(), which changes automatically with the new runCommands).

⚠️ Validation pending

I could not run build:opencomputer-template locally (needs the OpenComputer SDK + API). Before merge, please run a real template build and confirm in the built image:

  • gh --version, agent-browser --version, ttyd --version, bun --version
  • the sandbox:sandbox user/group assumption in the chown is correct for the OpenComputer base image (it's || true, so a wrong name is a no-op, not a build break — but then B3 isn't fixed).

Base

#818 is now merged to main, so this targets main directly with a clean deps-only diff. (Supersedes #837, which auto-closed during a base-branch retarget.)

Summary by CodeRabbit

  • New Features

    • Added/installed additional sandbox runtime tools, including GitHub CLI, ttyd, Bun, and agent-browser (with pinned versions).
    • Updated the runtime environment so Bun is available via the command path.
  • Bug Fixes

    • Improved post-build permissions to ensure sandbox files and caches remain accessible at runtime.
  • Changes

    • Updated the sandbox version identifier to the latest release.

coderabbitai Bot commented Jun 27, 2026

📝 Walkthrough

This PR updates the OpenComputer sandbox image template to add build-time tooling, restore sandbox home ownership after install, include Bun in the runtime PATH, and bump the sandbox version.

Changes

Sandbox image tooling update

| Layer / File(s) | Summary |
|---|---|
| Build-time constants (packages/opencomputer-infra/src/build-template.ts) | Adds build-time constants for AGENT_BROWSER_VERSION, TTYD_VERSION/TTYD_SHA256, and BUN_INSTALL_DIR. |
| Tool installation (packages/opencomputer-infra/src/build-template.ts) | Extends the image build to install gh, download and verify ttyd, install Bun, and run agent-browser install with an expanded PATH. |
| Runtime ownership and env (packages/opencomputer-infra/src/build-template.ts) | Recursively chowns SANDBOX_HOME back to sandbox:sandbox, adds Bun's bin directory to runtime PATH, and changes SANDBOX_VERSION to opencomputer-v2. |

Sequence Diagram(s)

```mermaid
sequenceDiagram
  participant build_template as build-template.ts
  participant ttyd as ttyd
  participant bun_installer as Bun installer
  participant agent_browser as agent-browser install
  participant sandbox_home as SANDBOX_HOME

  build_template->>ttyd: download ttyd and verify sha256
  build_template->>bun_installer: install Bun into ${BUN_INSTALL_DIR}
  build_template->>agent_browser: run agent-browser install with PATH
  build_template->>sandbox_home: chown recursively to sandbox:sandbox
```

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 Hop, hop, the sandbox hums,
With gh and Bun where daylight comes.
ttyd sparkles, caches stay,
v2 moon-ears lead the way,
And bunny paws say, "Build away!"

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title clearly and concisely summarizes the main change: adding agent-browser, gh, ttyd, and bun to the OpenComputer template image. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

open-inspect Bot (Contributor) left a comment

Summary

PR #838, feat(opencomputer): add agent-browser, gh, ttyd, bun to template image, by @ColeMurray updates one file (packages/opencomputer-infra/src/build-template.ts) with 29 additions and 3 deletions. The changes line up with the runtime expectations for /usr/bin/gh, ttyd, and bun, and the ownership fix is a useful guard for root-run installer outputs.

Critical Issues

None found.

Suggestions

  • Reliability packages/opencomputer-infra/src/build-template.ts:160 - Left one inline note: the GitHub CLI install is best-effort, but the keyring/source setup before it is still strict, so keyring download or repo setup failures can still fail the image build before the fallback applies.

Nitpicks

None.

Positive Feedback

  • The new tool versions for agent-browser and ttyd are explicit constants, which keeps the image definition readable.
  • The ttyd binary download is checksum-verified before installation.
  • Adding BUN_INSTALL_DIR to PATH matches the runtime bun run usage for the ttyd proxy.

Questions

None.

Verdict

Approve. I did not run a real OpenComputer template build because this environment is on main and does not have the required OpenComputer API flow, but the diff itself looks sound aside from the non-blocking reliability suggestion above.

coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@packages/opencomputer-infra/src/build-template.ts`:
- Around line 193-197: The sandbox ownership fix in buildTemplate is happening
too early, before addRuntimeDir copies files into
SANDBOX_APP_DIR/sandbox_runtime. Move the chown step in build-template.ts to
after addRuntimeDir (or run it again at the end) so the newly copied runtime
files under SANDBOX_HOME are also re-owned by sandbox:sandbox.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: b9a4aea4-2ee1-4aa7-8203-e5118535c058

📥 Commits

Reviewing files that changed from the base of the PR and between 7c0a3ab and 6710380.

📒 Files selected for processing (1)
  • packages/opencomputer-infra/src/build-template.ts


coderabbitai Bot left a comment

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
packages/opencomputer-infra/src/build-template.ts (1)

174-174: 🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Pin the Bun installer before running it as root.

https://bun.sh/install is mutable, and this command executes it through sudo bash. Bun’s docs support pinning to a release tag (bun-vX.Y.Z); use that instead of the unversioned installer.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/opencomputer-infra/src/build-template.ts` at line 174, The Bun
install step in buildTemplate currently runs the mutable https://bun.sh/install
script as root, so update that command to use a pinned Bun release tag instead
of the unversioned installer. Adjust the install string in buildTemplate to
reference a specific bun-vX.Y.Z release URL while keeping the existing
BUN_INSTALL_DIR and sudo/bash flow intact.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@packages/opencomputer-infra/src/build-template.ts`:
- Line 174: The Bun install step in buildTemplate currently runs the mutable
https://bun.sh/install script as root, so update that command to use a pinned
Bun release tag instead of the unversioned installer. Adjust the install string
in buildTemplate to reference a specific bun-vX.Y.Z release URL while keeping
the existing BUN_INSTALL_DIR and sudo/bash flow intact.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 4b37a817-fa08-486f-b807-0a3640fe00c0

📥 Commits

Reviewing files that changed from the base of the PR and between 6710380 and 9d5cee8.

📒 Files selected for processing (1)
  • packages/opencomputer-infra/src/build-template.ts
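
The thread contrasts ttyd's strict checksum with an unpinned installer that runs as root under `|| true`. The sketch below is an added example, not code from this PR or project: it shows a best-effort wrapper that tolerates ordinary failures but still stops the build on a digest mismatch. The function names `sha256_of`, `run_pinned` and `best_effort` are hypothetical, and the "installer" is a constructed local file standing in for a download.

```shell
#!/bin/sh
# Added example (not the project's code). All function names are hypothetical.

# sha256_of FILE: print the lowercase hex SHA-256 of FILE.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# run_pinned FILE EXPECTED_SHA256: run FILE with sh only if its digest matches.
# Status 2: file missing (e.g. the download failed), an ordinary failure.
# Status 3: digest mismatch, nothing was executed.
run_pinned() {
  [ -r "$1" ] || return 2
  rp_actual=$(sha256_of "$1")
  if [ "$rp_actual" != "$2" ]; then
    echo "refusing to run $1: sha256 $rp_actual, pinned $2" >&2
    return 3
  fi
  sh "$1"
}

# best_effort CMD...: tolerate ordinary failures the way `|| true` does, but
# never swallow an integrity failure (status 3 from run_pinned).
best_effort() {
  be_rc=0
  "$@" || be_rc=$?
  if [ "$be_rc" -eq 3 ]; then return 3; fi
  [ "$be_rc" -eq 0 ] || echo "warning: $1 exited $be_rc, continuing" >&2
  return 0
}

# Constructed demo: a stand-in installer written locally instead of fetched.
demo_dir=$(mktemp -d)
printf 'echo installed > "%s/marker"\n' "$demo_dir" > "$demo_dir/install.sh"
demo_pin=$(sha256_of "$demo_dir/install.sh")      # pin recorded at review time
best_effort run_pinned "$demo_dir/install.sh" "$demo_pin"   # digest matches: runs
echo 'echo tampered' >> "$demo_dir/install.sh"    # upstream content changes
best_effort run_pinned "$demo_dir/install.sh" "$demo_pin" || echo "build stops: $?"
```

In a real build the file would be downloaded to disk first and only then passed to `run_pinned`, so the bytes that are verified are the bytes that run.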

@ColeMurray ColeMurray merged commit d427b71 into main Jun 27, 2026
14 checks passed
@ColeMurray ColeMurray deleted the feat/opencomputer-image-deps branch June 27, 2026 05:56
ColeMurray added a commit that referenced this pull request Jun 27, 2026
## What

Makes Terraform build and manage the OpenComputer base snapshot, the
same way it already builds the Modal, Vercel, and Daytona base images.

## Why

OpenComputer (#818) was the **only** sandbox provider whose base image
wasn't built by Terraform. Every other provider computes a source hash
and runs a build script via `null_resource`:

| Provider | Source hash | Build module |
|---|---|---|
| Modal | `data.external.modal_source_hash` | `module.modal_app` |
| Vercel | `data.external.vercel_source_hash` | `module.vercel_sandbox_infra` |
| Daytona | `data.external.daytona_source_hash` | `module.daytona_infra` |
| **OpenComputer** | — (none) | — (none) |

Instead, `opencomputer_template` was a hand-set secret pointing at a
snapshot you had to build manually with `npm run
build:opencomputer-template`. This brings it to parity.

## How

New `terraform/modules/opencomputer-infra` (mirrors
`vercel-sandbox-infra`):

- **`opencomputer.tf`** — `data.external.opencomputer_source_hash`
hashes `packages/sandbox-runtime/{pyproject.toml,src}` +
`packages/opencomputer-infra/src/build-template.ts`, then calls the
module (both gated on `local.use_opencomputer_backend`, so it's a no-op
under Modal).
- **module** — a `null_resource` whose `triggers` include the source
hash + the build script's own hash, running
`scripts/build-base-snapshot.sh` → `npm run build:opencomputer-template`
on change. `build-template.ts` already content-addresses the image
(`image.cacheKey()`), so unchanged source is a cheap no-op.
- **deterministic name** —
`openinspect-runtime-${substr(source_hash,0,16)}`. Unlike Vercel (which
timestamps and resolves name→latest), OpenComputer references templates
by **exact name** (`createSandbox` sends `snapshot: <name>`), so the
managed name must be deterministic. A source change ⇒ new name ⇒ fresh,
immutable snapshot.
- **worker wiring** — `OPENCOMPUTER_TEMPLATE` now comes from
`module.opencomputer_infra[0].snapshot_name` when unpinned, or
`var.opencomputer_template` when set (mirrors
`vercel_base_snapshot_id`). The var's required-validation is relaxed to
make it an optional pin.
- **`terraform.yml`** — wires the `OPENCOMPUTER_*` secrets into the Plan
+ Apply env blocks (#818 added the variables but never the CI plumbing,
unlike the other three providers).

## Effect on operators

The managed build **replaces** the manual `build:opencomputer-template`
+ hand-set `OPENCOMPUTER_TEMPLATE` secret. To run OpenComputer you now
only set `SANDBOX_PROVIDER=opencomputer` + the
`OPENCOMPUTER_API_URL`/`OPENCOMPUTER_API_KEY` secrets; Terraform builds
the snapshot during apply and points the worker at it. Pinning a
specific snapshot via `OPENCOMPUTER_TEMPLATE` still works as an
override.

## Notes

- The build runs during `terraform apply` in CI, which already does `npm
ci` + Node for the existing Vercel/Modal/bot builds;
`var.opencomputer_api_key` is passed into the exec env.
- The source-hash path list is hardcoded (same as
`vercel.tf`/`modal.tf`) — moving `build-template.ts` or the runtime
later means updating it, or rebuilds stop triggering.
- Inert under the default `sandbox_provider = "modal"` (the data source
+ module are `count = 0`).

## Validation

- `terraform fmt -recursive -check` clean; **`terraform validate` →
Success**; workflow YAML parses; `bash -n` on the build script clean.
- I could **not** run a real OpenComputer build locally (needs the SDK +
API) — same caveat as #838. A first real apply with
`sandbox_provider=opencomputer` should confirm the snapshot builds and
the worker boots from it.

Builds on #818 (provider) and #838 (image deps).


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **New Features**
* Added support for OpenComputer-backed production sandboxes with
automated managed snapshot creation and deterministic change detection
when source inputs change.
* Terraform plans/applies now automatically run for updates under the
OpenComputer infrastructure directory and receive OpenComputer settings
during execution.

* **Bug Fixes**
* Improved worker template selection by falling back to an automatically
generated snapshot name when no template is provided.
* Ensured OpenComputer infrastructure is applied in the correct order
for more reliable deployments.
* Relaxed template variable requirements to avoid unnecessary validation
failures.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->