feat(opencomputer): add agent-browser, gh, ttyd, bun to template image #838
📝 Walkthrough
This PR updates the OpenComputer sandbox image template to add build-time tooling, restore sandbox home ownership after install, include Bun in the runtime PATH, and bump the sandbox version.

Changes
Sandbox image tooling update

Sequence Diagram(s)
```mermaid
sequenceDiagram
    participant build_template as build-template.ts
    participant ttyd as ttyd
    participant bun_installer as Bun installer
    participant agent_browser as agent-browser install
    participant sandbox_home as SANDBOX_HOME
    build_template->>ttyd: download ttyd and verify sha256
    build_template->>bun_installer: install Bun into ${BUN_INSTALL_DIR}
    build_template->>agent_browser: run agent-browser install with PATH
    build_template->>sandbox_home: chown recursively to sandbox:sandbox
```

Estimated code review effort: 🎯 3 (Moderate) | ⏱️ ~20 minutes
Summary
PR #838, feat(opencomputer): add agent-browser, gh, ttyd, bun to template image, by @ColeMurray updates one file (packages/opencomputer-infra/src/build-template.ts) with 29 additions and 3 deletions. The changes line up with the runtime expectations for /usr/bin/gh, ttyd, and bun, and the ownership fix is a useful guard for root-run installer outputs.
Critical Issues
None found.
Suggestions
- Reliability (`packages/opencomputer-infra/src/build-template.ts:160`): Left one inline note: the GitHub CLI install is best-effort, but the keyring/source setup before it is still strict, so keyring download or repo setup failures can still fail the image build before the fallback applies.
Nitpicks
None.
Positive Feedback
- The new tool versions for `agent-browser` and `ttyd` are explicit constants, which keeps the image definition readable.
- The `ttyd` binary download is checksum-verified before installation.
- Adding `BUN_INSTALL_DIR` to `PATH` matches the runtime `bun run` usage for the ttyd proxy.
Questions
None.
Verdict
Approve. I did not run a real OpenComputer template build because this environment is on main and does not have the required OpenComputer API flow, but the diff itself looks sound aside from the non-blocking reliability suggestion above.
Actionable comments posted: 1
Inline comments:
In `@packages/opencomputer-infra/src/build-template.ts`:
- Around line 193-197: The sandbox ownership fix in buildTemplate is happening
too early, before addRuntimeDir copies files into
SANDBOX_APP_DIR/sandbox_runtime. Move the chown step in build-template.ts to
after addRuntimeDir (or run it again at the end) so the newly copied runtime
files under SANDBOX_HOME are also re-owned by sandbox:sandbox.
⚠️ Outside diff range comments (1)
packages/opencomputer-infra/src/build-template.ts (1)
174-174: 🔒 Security & Privacy | 🟠 Major | ⚡ Quick win
Pin the Bun installer before running it as root.
`https://bun.sh/install` is mutable, and this command executes it through `sudo bash`. Bun's docs support pinning to a release tag (`bun-vX.Y.Z`); use that instead of the unversioned installer.
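The Bun finding above (a mutable `https://bun.sh/install` piped into `sudo bash`) and the earlier positive note that the `ttyd` download is checksum-verified are two sides of the same control. The shell block below is an added example, not code from this PR or the project: it factors the verify-before-install step into functions an image build command can call, downloading into a temp file, comparing its SHA-256 against a digest recorded in the build definition, and only then placing the file. The release URLs, the `bun-v1.2.0` tag and the `<digest>` placeholders in the usage comment are assumptions for illustration, not values from the PR; GNU coreutils (`sha256sum`) and curl are assumed.

```bash
#!/usr/bin/env bash
# Added example (not from PR #838 or the project): verify-before-install helpers
# for image build steps. Replaces "curl <mutable url> | sudo bash" with
# download -> sha256 check -> install, where the expected digest is a build-time
# constant recorded next to the pinned version (as TTYD_VERSION/TTYD_SHA256 are).
set -euo pipefail

# sha256_of FILE: print the hex SHA-256 digest of FILE (GNU coreutils assumed).
sha256_of() {
  sha256sum "$1" | awk '{print $1}'
}

# verify_sha256 FILE EXPECTED_HEX: return 0 on match, 1 on mismatch. The expected
# digest is lower-cased so a value copied from a release page in upper case matches.
verify_sha256() {
  local actual expected
  actual="$(sha256_of "$1")"
  expected="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')"
  [ "$actual" = "$expected" ]
}

# download URL DEST: the only step that touches the network, kept separate so an
# offline mirror (or a test) can substitute its own fetcher by redefining it.
download() {
  curl -fsSL --proto '=https' --tlsv1.2 --retry 3 -o "$2" "$1"
}

# fetch_pinned URL DEST EXPECTED_HEX [MODE]: download to a temp file, verify,
# then install with MODE (default 0755). On a failed download or a digest
# mismatch nothing is written to DEST and the function returns 1, so a `set -e`
# build step aborts instead of continuing with an unverified binary.
fetch_pinned() {
  local url="$1" dest="$2" expected="$3" mode="${4:-0755}" tmp
  tmp="$(mktemp)"
  if ! download "$url" "$tmp"; then
    rm -f "$tmp"
    echo "download failed: $url" >&2
    return 1
  fi
  if ! verify_sha256 "$tmp" "$expected"; then
    rm -f "$tmp"
    echo "sha256 mismatch for $url (expected $expected)" >&2
    return 1
  fi
  install -m "$mode" "$tmp" "$dest"
  rm -f "$tmp"
}

# Usage inside a build step. URLs, the tag and the <digest> placeholders are
# assumptions for illustration; record the real digests next to the version.
#   fetch_pinned "https://github.com/tsl0922/ttyd/releases/download/1.7.7/ttyd.x86_64" \
#     /usr/local/bin/ttyd "<digest from the ttyd release>"
#   BUN_TAG=bun-v1.2.0   # hypothetical pinned tag, bun-vX.Y.Z per the Bun docs
#   fetch_pinned "https://github.com/oven-sh/bun/releases/download/${BUN_TAG}/bun-linux-x64.zip" \
#     /tmp/bun.zip "<digest from that release's checksum file>" 0644 \
#     && unzip -o /tmp/bun.zip -d /tmp/bun \
#     && install -m 0755 /tmp/bun/bun-linux-x64/bun "${BUN_INSTALL_DIR}/bin/bun"
```

Pinning the installer to a `bun-vX.Y.Z` tag fixes which Bun gets installed, but the script fetched from `bun.sh/install` can still change underneath the build between two runs; fetching the release archive for that tag and checking it against a recorded digest, as the ttyd step already does, removes that dependency too. Keeping `download` as its own function also makes the step testable without network access.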
## What

Makes Terraform build and manage the OpenComputer base snapshot, the same way it already builds the Modal, Vercel, and Daytona base images.

## Why

OpenComputer (#818) was the **only** sandbox provider whose base image wasn't built by Terraform. Every other provider computes a source hash and runs a build script via `null_resource`:

| Provider | Source hash | Build module |
|---|---|---|
| Modal | `data.external.modal_source_hash` | `module.modal_app` |
| Vercel | `data.external.vercel_source_hash` | `module.vercel_sandbox_infra` |
| Daytona | `data.external.daytona_source_hash` | `module.daytona_infra` |
| **OpenComputer** | — (none) | — (none) |

Instead, `opencomputer_template` was a hand-set secret pointing at a snapshot you had to build manually with `npm run build:opencomputer-template`. This brings it to parity.

## How

New `terraform/modules/opencomputer-infra` (mirrors `vercel-sandbox-infra`):

- **`opencomputer.tf`** — `data.external.opencomputer_source_hash` hashes `packages/sandbox-runtime/{pyproject.toml,src}` + `packages/opencomputer-infra/src/build-template.ts`, then calls the module (both gated on `local.use_opencomputer_backend`, so it's a no-op under Modal).
- **module** — a `null_resource` whose `triggers` include the source hash + the build script's own hash, running `scripts/build-base-snapshot.sh` → `npm run build:opencomputer-template` on change. `build-template.ts` already content-addresses the image (`image.cacheKey()`), so unchanged source is a cheap no-op.
- **deterministic name** — `openinspect-runtime-${substr(source_hash,0,16)}`. Unlike Vercel (which timestamps and resolves name→latest), OpenComputer references templates by **exact name** (`createSandbox` sends `snapshot: <name>`), so the managed name must be deterministic. A source change ⇒ new name ⇒ fresh, immutable snapshot.
- **worker wiring** — `OPENCOMPUTER_TEMPLATE` now comes from `module.opencomputer_infra[0].snapshot_name` when unpinned, or `var.opencomputer_template` when set (mirrors `vercel_base_snapshot_id`). The var's required-validation is relaxed to make it an optional pin.
- **`terraform.yml`** — wires the `OPENCOMPUTER_*` secrets into the Plan + Apply env blocks (#818 added the variables but never the CI plumbing, unlike the other three providers).

## Effect on operators

The managed build **replaces** the manual `build:opencomputer-template` + hand-set `OPENCOMPUTER_TEMPLATE` secret. To run OpenComputer you now only set `SANDBOX_PROVIDER=opencomputer` + the `OPENCOMPUTER_API_URL`/`OPENCOMPUTER_API_KEY` secrets; Terraform builds the snapshot during apply and points the worker at it. Pinning a specific snapshot via `OPENCOMPUTER_TEMPLATE` still works as an override.

## Notes

- The build runs during `terraform apply` in CI, which already does `npm ci` + Node for the existing Vercel/Modal/bot builds; `var.opencomputer_api_key` is passed into the exec env.
- The source-hash path list is hardcoded (same as `vercel.tf`/`modal.tf`) — moving `build-template.ts` or the runtime later means updating it, or rebuilds stop triggering.
- Inert under the default `sandbox_provider = "modal"` (the data source + module are `count = 0`).

## Validation

- `terraform fmt -recursive -check` clean; **`terraform validate` → Success**; workflow YAML parses; `bash -n` on the build script clean.
- I could **not** run a real OpenComputer build locally (needs the SDK + API) — same caveat as #838. A first real apply with `sandbox_provider=opencomputer` should confirm the snapshot builds and the worker boots from it.

Builds on #818 (provider) and #838 (image deps).
## Summary by CodeRabbit

* **New Features**
  * Added support for OpenComputer-backed production sandboxes with automated managed snapshot creation and deterministic change detection when source inputs change.
  * Terraform plans/applies now automatically run for updates under the OpenComputer infrastructure directory and receive OpenComputer settings during execution.
* **Bug Fixes**
  * Improved worker template selection by falling back to an automatically generated snapshot name when no template is provided.
  * Ensured OpenComputer infrastructure is applied in the correct order for more reliable deployments.
  * Relaxed template variable requirements to avoid unnecessary validation failures.
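The `data.external.opencomputer_source_hash` → `openinspect-runtime-${substr(source_hash,0,16)}` scheme described above only works if the hash is a pure function of the listed inputs: same files, same name; any change, including a rename, a new name; a path missing from the hardcoded list, a loud failure rather than a silently stale snapshot. The shell block below is an added example, not the project's data source or build script: it hashes every regular file under the given paths in a fixed, locale-independent order with the relative path mixed into the stream, and derives the snapshot name the same way the module does. The root directory and path list are parameters; the sample tree in the usage comment is constructed for illustration. GNU coreutils is assumed.

```bash
#!/usr/bin/env bash
# Added example (not the project's data.external source hash): a deterministic
# source hash and the snapshot name derived from it.
set -euo pipefail

# source_hash ROOT PATH...: SHA-256 over "<digest>  <relative path>" lines for
# every regular file under PATH... (relative to ROOT), sorted with LC_ALL=C so
# the result does not depend on filesystem or locale ordering. Because the
# relative path is part of the hashed stream, a rename changes the hash; because
# ROOT is stripped, the same checkout hashes identically from any location.
# A missing PATH makes find exit non-zero, and pipefail propagates that: the
# "moved build-template.ts" case the PR's note about the hardcoded list warns about.
source_hash() {
  local root="$1"; shift
  (
    cd "$root" || exit 1
    find "$@" -type f | LC_ALL=C sort | while IFS= read -r f; do
      sha256sum "$f"            # "<digest>  <relative path>"
    done | sha256sum | cut -d' ' -f1
  )
}

# snapshot_name ROOT PATH...: "openinspect-runtime-" + first 16 hex characters of
# the source hash, mirroring substr(source_hash, 0, 16) in the Terraform module.
# Fails (non-zero, no name printed) if any listed path is missing.
snapshot_name() {
  local h
  h="$(source_hash "$@")" || return 1
  printf 'openinspect-runtime-%s\n' "${h:0:16}"
}

# Usage with the paths the PR hashes (run from a checkout; constructed for illustration):
#   snapshot_name . packages/sandbox-runtime/pyproject.toml \
#                   packages/sandbox-runtime/src \
#                   packages/opencomputer-infra/src/build-template.ts
```

The two properties worth checking in your own variant are order independence (hash the sorted list, never raw `find` output) and the failure mode for a missing path: a hash over "whatever is still there" would quietly keep reusing the old snapshot name after a file moves.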
## What

Adds the four runtime tools that the Vercel base image installs but the OpenComputer template (#818) dropped during its `dnf`→`apt` port:

| Tool | Version | Path | Why |
|---|---|---|---|
| `agent-browser` | 0.21.2 | `${NPM_PREFIX}/bin` + Chromium cache | #818 shipped Chromium's shared libs (`libnss3`, `libgbm1`, …) + `ffmpeg` — but never installed the tool that uses them. They were dead weight. |
| `gh` | | `/usr/bin/gh` | The wrapper (`entrypoint.py:62,280`) targets `/usr/bin/gh` and silently no-ops without it. Installed via the official apt repo so it lands exactly where the wrapper expects. |
| `ttyd` | 1.7.7 | `/usr/local/bin/ttyd` | |
| `bun` | | `${SANDBOX_HOME}/.bun` | |

## Why

Code review of #818 found the OpenComputer build was modeled on `vercel/bootstrap.ts` but is an incomplete port: its apt package list is a 1:1 `dnf`→`apt` translation of Vercel's browser libs, and its `npm install -g` line is Vercel's minus exactly the `agent-browser` token. The result shipped Chromium's worth of shared libs + ffmpeg with no consumer, and no `gh`. This brings the image to parity for basic testing.

## Notes

- `npm`/`bun`/`agent-browser` installs run as root (sudo) but write under the non-root sandbox user's HOME. Added a `chown -R sandbox:sandbox ${SANDBOX_HOME}` so the runtime can actually read/write those caches (otherwise agent-browser's Chromium cache is root-owned and unusable). This also addresses review finding B3.
- Installs (`gh` apt install, `bun`, `agent-browser install`) are best-effort (`|| true`), matching Vercel's robustness choices; `ttyd` is checksum-verified (strict).
- `SANDBOX_VERSION`: `opencomputer-v1` → `v2` (the real rebuild trigger is the content-hashed `image.cacheKey()`, which changes automatically with the new `runCommands`).

I could not run `build:opencomputer-template` locally (needs the OpenComputer SDK + API). Before merge, please run a real template build and confirm in the built image:

- `gh --version`, `agent-browser --version`, `ttyd --version`, `bun --version`
- the `sandbox:sandbox` user/group assumption in the `chown` is correct for the OpenComputer base image (it's `|| true`, so a wrong name is a no-op, not a build break — but then B3 isn't fixed).

## Base

#818 is now merged to `main`, so this targets `main` directly with a clean deps-only diff. (Supersedes #837, which auto-closed during a base-branch retarget.)
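The pre-merge checklist in the PR body (each tool answering `--version`, and the `sandbox:sandbox` ownership actually taking effect) can be run as a script inside the built image so the reviewer gets a pass/fail rather than eyeballing output. The shell block below is an added example, not part of PR #838: it takes the expected owner, the sandbox home and the binaries to check, runs each with `--version`, confirms the owner account exists (a `chown ... || true` with a misspelled user is a silent no-op, as the PR itself notes), and lists anything under `SANDBOX_HOME` still owned by someone else, which is what a `chown` that ran before `addRuntimeDir` copied files in would leave behind. The absolute paths in the usage comment follow the PR's table; `${SANDBOX_HOME}/.bun/bin/bun` assumes Bun's default `$BUN_INSTALL/bin` layout.

```bash
#!/usr/bin/env bash
# Added example (not from PR #838): post-build smoke check for the template image.
set -euo pipefail

# check_tools BIN...: each BIN must exist, be executable, and exit 0 for
# --version. Prints one line per tool; returns the number of failures.
check_tools() {
  local bin fail=0
  for bin in "$@"; do
    if [ -x "$bin" ] && "$bin" --version >/dev/null 2>&1; then
      echo "ok   $bin"
    else
      echo "FAIL $bin (missing, not executable, or --version failed)"
      fail=$((fail + 1))
    fi
  done
  return "$fail"
}

# check_home_owner OWNER DIR: OWNER must be a real account (otherwise the chown
# in the build was a no-op), and nothing under DIR may be owned by anyone else.
# Stray root-owned files here are what a too-early chown (before the runtime
# copy) or a root-owned Chromium cache look like. Returns 1 on any finding.
check_home_owner() {
  local owner="$1" dir="$2" stray
  if ! id -u "$owner" >/dev/null 2>&1; then
    echo "FAIL user '$owner' does not exist; chown -R $owner:... was a no-op"
    return 1
  fi
  stray="$(find "$dir" ! -user "$owner" 2>/dev/null || true)"
  if [ -n "$stray" ]; then
    echo "FAIL files under $dir not owned by $owner (first 10):"
    printf '%s\n' "$stray" | head -n 10
    return 1
  fi
  echo "ok   everything under $dir is owned by $owner"
}

# check_image OWNER HOME BIN...: run both checks; non-zero if anything failed.
check_image() {
  local owner="$1" home="$2"; shift 2
  local rc=0
  check_tools "$@" || rc=1
  check_home_owner "$owner" "$home" || rc=1
  return "$rc"
}

# Usage in the built image (paths from the PR's table; the bun path assumes
# Bun's default $BUN_INSTALL/bin layout):
#   check_image sandbox "$SANDBOX_HOME" /usr/bin/gh /usr/local/bin/ttyd \
#     "$SANDBOX_HOME/.bun/bin/bun" "$NPM_PREFIX/bin/agent-browser"
```

Run it as the sandbox user rather than root: that also proves the caches under `SANDBOX_HOME` are readable by the account the runtime actually uses, not just owned by it on paper.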