Dataface Tasks
    Heartbeat snapshot (JSON)

    Harden cbox sandbox bootstrap with PATH, pre-commit, and git auth health checks

    IDM1-INFRA-009
    Statusdone
    Priorityp0
    Milestonem1-ft-analytics-analyst-pilot
    Ownerhead-of-engineering

    Problem

    CBox sandboxes repeatedly fail at runtime due to missing or misconfigured environment dependencies — pre-commit not found errors, intermittent git fetch/push auth failures despite gh being authenticated, and ambiguous bootstrap states where it's unclear whether uv sync completed successfully. These failures surface late (during commit or push), wasting the entire sandbox execution up to that point. There are no startup health checks to catch these issues early, and failure messages are not machine-readable, making automated manager recovery difficult. The lack of standardized bootstrap and health verification is the single largest source of sandbox reliability issues.

    Context

    Possible Solutions

    Plan

    Implementation Progress

    • Ensure sandbox startup consistently provisions runtime dependencies (uv sync / project install path) before task execution.
    • Ensure sandbox shell PATH includes the expected project interpreter and hook tooling (python, pre-commit) without manual prefixing.
    • Run gh auth setup-git (or equivalent deterministic setup) at startup and verify git HTTPS auth works for fetch/push operations.
    • Add startup health checks that fail fast with actionable remediation when toolchain/auth checks fail.

    • Add regression tests for bootstrap + auth check behavior in cbox CLI/runtime.

    • python -V, pre-commit --version, and representative git fetch succeed in sandbox startup checks for authenticated repos.

    • PR workflow no longer fails first attempt due to missing PATH/pre-commit or git credential mismatch.
    • Failures surface concise, machine-readable error reasons suitable for manager automation.

    • Behavior is documented in canonical cbox docs and wrapper docs.

    • Coordinate with lifecycle observability work (M1-INFRA-008) for clear blocked-state reporting.

    • Keep canonical behavior synced in:
    • docs/agent/cbox.md
    • .cursor/rules/cbox.mdc
    • libs/cbox/CLAUDE.md

    • libs/cbox/CLAUDE_MD_TEMPLATE.md

    • Motivation: repeated observed failures across active sessions (pre-commit not found, intermittent git fetch/push auth errors while gh is authenticated, ambiguous bootstrap state).

    Closure Notes (2026-03-04)

    All deliverables were implemented incrementally across prior PRs and are verified on main:

    Component Location
    Bootstrap deps (uv sync with timeout, frozen fallback, minimal bootstrap) libs/cbox/entrypoint.sh:71-127
    PATH setup (.venv/bin prepended) libs/cbox/Dockerfile:64, cbox/cli.py:988
    Git HTTPS auth (gh auth setup-git) libs/cbox/entrypoint.sh:129-134
    4 startup health probes (python, pre-commit, uv, git_auth) cbox/cli.py:975-1050
    Health check types + formatter cbox/health.py
    Health check integration in launch flow cbox/cli.py:2474
    Regression tests (31 passing) test_health.py, test_entrypoint_bootstrap.py, test_sandbox_start.py
    Canonical docs docs/agent/cbox.md:85-115
    Rule wrapper .cursor/rules/cbox.mdc:26-27
    Template docs libs/cbox/CLAUDE_MD_TEMPLATE.md:167-180, libs/cbox/CLAUDE.md:41-44

    Review Feedback

    • [ ] Review cleared