Skip to content
Draft
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 0 additions & 4 deletions content/manuals/ai/sandboxes/agents/claude-code.md
Original file line number Diff line number Diff line change
Expand Up @@ -38,10 +38,6 @@ Claude Code requires either an Anthropic API key or a Claude subscription.
$ sbx secret set -g anthropic
```

Alternatively, export the `ANTHROPIC_API_KEY` environment variable in your
shell before running the sandbox. See
[Credentials](../security/credentials.md) for details on both methods.

**Claude subscription**: If no API key is set, use the `/login` command inside
Claude Code to authenticate via OAuth.

Expand Down
3 changes: 0 additions & 3 deletions content/manuals/ai/sandboxes/agents/codex.md
Original file line number Diff line number Diff line change
Expand Up @@ -52,9 +52,6 @@ so browser-based authentication works without any extra setup.
$ sbx secret set -g openai
```

Alternatively, export the `OPENAI_API_KEY` environment variable in your shell
before running the sandbox.

See [Credentials](../security/credentials.md) for more details.

## Configuration
Expand Down
4 changes: 0 additions & 4 deletions content/manuals/ai/sandboxes/agents/copilot.md
Original file line number Diff line number Diff line change
Expand Up @@ -36,10 +36,6 @@ Copilot requires a GitHub token with Copilot access. Store your token using
$ echo "$(gh auth token)" | sbx secret set -g github
```

Alternatively, export the `GH_TOKEN` or `GITHUB_TOKEN` environment variable in
your shell before running the sandbox. See
[Credentials](../security/credentials.md) for details on both methods.

## Configuration

Sandboxes don't pick up user-level configuration from your host. Only
Expand Down
4 changes: 0 additions & 4 deletions content/manuals/ai/sandboxes/agents/cursor.md
Original file line number Diff line number Diff line change
Expand Up @@ -38,10 +38,6 @@ Cursor supports two authentication methods: an API key or OAuth.
$ sbx secret set -g cursor
```

Alternatively, export the `CURSOR_API_KEY` environment variable in your shell
before running the sandbox. See
[Credentials](../security/credentials.md) for details on both methods.

**OAuth**: If no API key is set, Cursor prompts you to sign in interactively
on first run. The proxy intercepts the token exchange with
`api2.cursor.sh/auth/poll`, so credentials are managed by the host and aren't
Expand Down
6 changes: 0 additions & 6 deletions content/manuals/ai/sandboxes/agents/docker-agent.md
Original file line number Diff line number Diff line change
Expand Up @@ -38,12 +38,6 @@ $ sbx secret set -g openrouter
You only need to configure the providers you want to use. Docker Agent detects
available credentials and routes requests to the appropriate provider.

Alternatively, export the environment variables (`OPENAI_API_KEY`,
`ANTHROPIC_API_KEY`, `GOOGLE_API_KEY`, `XAI_API_KEY`, `NEBIUS_API_KEY`,
`MISTRAL_API_KEY`, `OPENROUTER_API_KEY`) in your shell before running the
sandbox. See
[Credentials](../security/credentials.md) for details on both methods.

## Configuration

Sandboxes don't pick up user-level configuration from your host. Only
Expand Down
4 changes: 0 additions & 4 deletions content/manuals/ai/sandboxes/agents/droid.md
Original file line number Diff line number Diff line change
Expand Up @@ -40,10 +40,6 @@ your Factory account.
$ sbx secret set -g droid
```

Alternatively, export the `FACTORY_API_KEY` environment variable in your shell
before running the sandbox. See
[Credentials](../security/credentials.md) for details on both methods.

**OAuth**: If no API key is set, Droid prompts you to authenticate
interactively on first run. The proxy handles the OAuth flow, so credentials
aren't stored inside the sandbox.
Expand Down
4 changes: 0 additions & 4 deletions content/manuals/ai/sandboxes/agents/gemini.md
Original file line number Diff line number Diff line change
Expand Up @@ -38,10 +38,6 @@ Gemini requires either a Google API key or a Google account with Gemini access.
$ sbx secret set -g google
```

Alternatively, export the `GEMINI_API_KEY` or `GOOGLE_API_KEY` environment
variable in your shell before running the sandbox. See
[Credentials](../security/credentials.md) for details on both methods.

**Google account**: If no API key is set, Gemini prompts you to sign in
interactively when it starts. Interactive authentication is scoped to the
sandbox and doesn't persist if you remove and recreate it.
Expand Down
5 changes: 0 additions & 5 deletions content/manuals/ai/sandboxes/agents/opencode.md
Original file line number Diff line number Diff line change
Expand Up @@ -48,11 +48,6 @@ $ sbx secret set -g openrouter
You only need to configure the providers you want to use. OpenCode detects
available credentials and offers those providers in the TUI.

You can also use environment variables (`OPENAI_API_KEY`, `ANTHROPIC_API_KEY`,
`GOOGLE_GENERATIVE_AI_API_KEY`, `XAI_API_KEY`, `GROQ_API_KEY`,
`AWS_ACCESS_KEY_ID`, `OPENROUTER_API_KEY`). See
[Credentials](../security/credentials.md) for details on both methods.

## Configuration

Sandboxes don't pick up user-level configuration from your host. Only
Expand Down
10 changes: 5 additions & 5 deletions content/manuals/ai/sandboxes/agents/shell.md
Original file line number Diff line number Diff line change
Expand Up @@ -33,13 +33,13 @@ $ sbx run shell -- -c "echo hi" # runs bash -l -c "echo hi"

When the first argument is a bare word, it replaces `-l` instead.

Set your API keys as environment variables so the sandbox proxy can inject
them into API requests automatically. Credentials are never stored inside
the VM:
Store credentials using [stored secrets](../security/credentials.md#stored-secrets)
before running the sandbox. The proxy injects them into outbound API requests;
credentials are never stored inside the VM:

```console
$ export ANTHROPIC_API_KEY=sk-ant-xxxxx
$ export OPENAI_API_KEY=sk-xxxxx
$ sbx secret set -g anthropic
$ sbx secret set -g openai
```

Once inside the shell, you can install agents using their standard methods,
Expand Down
38 changes: 19 additions & 19 deletions content/manuals/ai/sandboxes/customize/kit-examples.md
Original file line number Diff line number Diff line change
Expand Up @@ -35,7 +35,7 @@ ruff-lint/
```

```yaml {title="ruff-lint/spec.yaml"}
schemaVersion: "1"
schemaVersion: "2"
kind: mixin
name: ruff-lint
displayName: Ruff
Expand Down Expand Up @@ -117,7 +117,7 @@ you'd set a custom environment variable; see the
[FAQ](../faq.md#how-do-i-set-custom-environment-variables-inside-a-sandbox).

```yaml {title="nvm/spec.yaml"}
schemaVersion: "1"
schemaVersion: "2"
kind: mixin
name: nvm
displayName: nvm
Expand Down Expand Up @@ -179,7 +179,7 @@ the kit and install each certificate before running
`update-ca-certificates`.

```yaml {title="internal-ca/spec.yaml"}
schemaVersion: "1"
schemaVersion: "2"
kind: mixin
name: internal-ca

Expand Down Expand Up @@ -280,7 +280,7 @@ docker-review/
```

```yaml {title="docker-review/spec.yaml"}
schemaVersion: "1"
schemaVersion: "2"
kind: mixin
name: docker-review
displayName: Dockerfile review skill
Expand Down Expand Up @@ -344,7 +344,7 @@ built-in `claude` agent but drops `--dangerously-skip-permissions` so
every tool call prompts for approval:

```yaml {title="claude-safe/spec.yaml"}
schemaVersion: "1"
schemaVersion: "2"
kind: sandbox
name: claude-safe
displayName: Claude Code (with approval prompts)
Expand All @@ -356,22 +356,22 @@ sandbox:
entrypoint:
run: [claude]

network:
serviceDomains:
api.anthropic.com: anthropic
console.anthropic.com: anthropic
serviceAuth:
anthropic:
headerName: x-api-key
valueFormat: "%s"
allowedDomains:
- "claude.com:443"
caps:
network:
allow:
- "claude.com:443"

credentials:
sources:
anthropic:
env:
- ANTHROPIC_API_KEY
- service: anthropic
apiKey:
name: ANTHROPIC_API_KEY
inject:
- domain: api.anthropic.com
header: x-api-key
format: "%s"
- domain: console.anthropic.com
header: x-api-key
format: "%s"
```

Launch with the kit's `name:` as the agent argument to `sbx run`:
Expand Down
Loading