VM SSH Sandbox#729
Conversation
DamianB-BitFlipper
requested review from
JannikSt,
JohannesHa,
burnpiro,
d42me,
kcoopermiller and
willccbb
as code owners
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.
Reviewed by Cursor Bugbot for commit a310843. Configure here.
| " s.close()\n" | ||
| ) | ||
| proxy_cmd = f"{shlex.quote(python_exec)} -c {shlex.quote(proxy_script)}" | ||
| ssh_cmd.extend(["-o", f"ProxyCommand={proxy_cmd}"]) |
There was a problem hiding this comment.
VM proxy hangs after disconnect
Medium Severity
The inline VM ProxyCommand script stops its socket-to-stdout reader when the gateway closes the TCP connection, but it does not close stdout or end the stdin forwarding loop. OpenSSH can keep blocking on proxy stdout while the script blocks on stdin, so prime sandbox ssh may hang after the remote session ends until the user forces local input to EOF.
Reviewed by Cursor Bugbot for commit a310843. Configure here.
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: a31084392f
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
| with httpx.Client(timeout=30) as client: | ||
| client.post(authorize_url, json=payload, headers=headers).raise_for_status() | ||
| if is_vm_sandbox: | ||
| sandbox_client.authorize_ssh_session( |
There was a problem hiding this comment.
When users upgrade only prime while keeping any already-published prime-sandboxes 0.2.27, which is still allowed by packages/prime/pyproject.toml (prime-sandboxes>=0.2.27) and the SDK version in this commit remains 0.2.27, selecting a VM reaches this new call but the installed SandboxClient will not have authorize_ssh_session, so VM SSH exits with an AttributeError before authorizing the key. Please bump/release the SDK and raise the CLI dependency floor before relying on this method.
Useful? React with 👍 / 👎.
2 participants
Note
Medium Risk
Touches remote access (ephemeral keys, authorize endpoints, custom ProxyCommand) for a new runtime path; scope is CLI/SDK with tests and port-exposure VM guards unchanged.
Overview
Enables SSH into VM sandboxes through the SDK and
prime sandbox ssh, using the same create-then-authorize flow as containers but with VM-specific wiring.The prime-sandboxes client drops VM blocks on
create_ssh_session/close_ssh_session, documents that key registration is a separate step, and addsauthorize_ssh_session(plusAuthorizeSSHForVMResponse) forPOST .../ssh-session/{id}/authorize. Container callers still authorize against the SSH sidecar directly.The CLI includes VM sandboxes in the SSH picker, routes VM authorization through
authorize_ssh_sessioninstead of httpx to the sidecar, and for VMs setsProxyCommandto a small Python proxy that sendsPRIME-SSH-SESSION {session_id}before tunneling the SSH stream through the L4 gateway. Tests cover the new VM paths and updated picker behavior.Reviewed by Cursor Bugbot for commit a310843. Bugbot is set up for automated code reviews on this repo. Configure here.