Merge pull request #8 from Cloud-Exit/feature/config-edit

ipc fix; claude code fix; new config edit feature

Author: thecodeassassin

README.md

@@ -219,7 +219,15 @@ The first access in a session prompts for the vault password. Subsequent reads o
 | `codex`     | OpenAI's Codex CLI           | None (downloaded)|
 | `opencode`  | OpenCode AI assistant        | None (binary download)  |
 
-All agents are installed inside the container. Existing host config (`~/.claude`, etc.) is imported once into managed storage on first run. Use `exitbox import <agent>` (or `exitbox import all`) to re-seed from host config. Use `--workspace` to target a specific workspace.
+All agents are installed inside the container. Existing host config (`~/.claude`, etc.) is imported once into managed storage on first run. Use `exitbox config import <agent>` (or `exitbox config import all`) to re-seed from host config. Use `--workspace` to target a specific workspace. Use `--config`/`-c` to import a specific config file. Use `exitbox config edit <agent>` to open the agent's primary config file in your editor:
+
+```bash
+exitbox config import codex -c config.toml          # Import a config file into Codex workspace
+exitbox config import opencode -c opencode.json     # Import OpenCode config file
+exitbox config import codex -c config.toml -w work  # Import into specific workspace
+exitbox config edit claude                           # Edit Claude settings.json in $EDITOR
+exitbox config edit codex -w work                    # Edit Codex config.toml for 'work' workspace
+```
 
 ## Installation
 
@@ -363,6 +371,8 @@ exitbox update            # Update ExitBox to the latest version
 exitbox aliases           # Print shell aliases for ~/.bashrc
 exitbox agents list       # List enabled agents and their status
 exitbox agents config <agent>  # Open agent config in $EDITOR
+exitbox config import <agent|all>  # Import agent config from host
+exitbox config edit <agent>        # Open agent config file in $EDITOR
 ```
 
 ### Config Generation
@@ -463,7 +473,7 @@ Agents are automatically informed about vault commands and these rules via sandb
 - **Development stacks**: Each workspace can have its own set of development profiles (languages/tools). The setup wizard or `exitbox workspaces add` lets you pick the stack for each workspace.
 - **Per-project auto-detection**: Workspaces can be scoped to a directory. When you run an agent from that directory, ExitBox automatically uses the matching workspace.
 - **Default workspace**: Set via `exitbox setup` or `exitbox workspaces default`. Used when no directory-scoped workspace matches.
-- **Credential import**: When creating a workspace, you can import credentials from the host or copy them from an existing workspace. You can also import later with `exitbox import <agent> --workspace <name>`.
+- **Credential import**: When creating a workspace, you can import credentials from the host or copy them from an existing workspace. You can also import later with `exitbox config import <agent> --workspace <name>`.
 
 #### Workspace Resolution Order
 
@@ -571,9 +581,10 @@ exitbox run -w work claude         # Use a specific workspace for this session
 exitbox run --full-git-support claude    # Mount host .gitconfig and SSH agent
 exitbox run --ollama claude              # Use host Ollama for local models
 exitbox run --memory 16g --cpus 8 claude # Custom resource limits
+exitbox run --version 1.0.123 claude   # Pin specific agent version
 ```
 
-All flags have long forms: `-f`/`--no-firewall`, `-r`/`--read-only`, `-v`/`--verbose`, `-n`/`--no-env`, `--resume [SESSION|TOKEN]`, `--no-resume`, `--name`, `-i`/`--include-dir`, `-t`/`--tools`, `-a`/`--allow-urls`, `-u`/`--update`, `-w`/`--workspace`, `--full-git-support`, `--ollama`, `--memory`, `--cpus`.
+All flags have long forms: `-f`/`--no-firewall`, `-r`/`--read-only`, `-v`/`--verbose`, `-n`/`--no-env`, `--resume [SESSION|TOKEN]`, `--no-resume`, `--name`, `-i`/`--include-dir`, `-t`/`--tools`, `-a`/`--allow-urls`, `-u`/`--update`, `-w`/`--workspace`, `--full-git-support`, `--ollama`, `--memory`, `--cpus`, `--version`.
 
 ## Available Profiles
 
@@ -640,6 +651,7 @@ workspaces:
 agents:
   claude:
     enabled: true
+    version: "1.0.123"    # pin agent version (omit for latest)
   codex:
     enabled: false
   opencode:
@@ -719,7 +731,7 @@ ExitBox enforces default resource limits to prevent runaway agents:
 
 ### What Gets Mounted
 
-ExitBox uses **managed config** (import-only) with per-workspace isolation. On first run, host config is copied into the active workspace's managed directory. Host originals are never modified. Use `exitbox import <agent>` to re-seed from host config at any time, optionally with `--workspace <name>` to target a specific workspace.
+ExitBox uses **managed config** (import-only) with per-workspace isolation. On first run, host config is copied into the active workspace's managed directory. Host originals are never modified. Use `exitbox config import <agent>` to re-seed from host config at any time, optionally with `--workspace <name>` to target a specific workspace.
 
 All managed paths follow the pattern `~/.config/exitbox/profiles/global/<workspace>/<agent>/`. For example, with workspace `default` and agent `claude`:
 

cmd/config_cmd.go

@@ -0,0 +1,237 @@
+// ExitBox - Multi-Agent Container Sandbox
+// Copyright (C) 2026 Cloud Exit B.V.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+package cmd
+
+import (
+	"os"
+	"os/exec"
+	"path/filepath"
+	"strings"
+
+	"github.com/cloud-exit/exitbox/internal/agent"
+	"github.com/cloud-exit/exitbox/internal/config"
+	"github.com/cloud-exit/exitbox/internal/profile"
+	"github.com/cloud-exit/exitbox/internal/ui"
+	"github.com/spf13/cobra"
+)
+
+func newConfigCmd() *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "config",
+		Short: "Manage agent configuration",
+		Long:  "Import or edit agent configuration files for a workspace.",
+	}
+
+	cmd.AddCommand(newConfigImportCmd())
+	cmd.AddCommand(newConfigEditCmd())
+	return cmd
+}
+
+func newConfigImportCmd() *cobra.Command {
+	var workspace string
+	var configFile string
+
+	cmd := &cobra.Command{
+		Use:   "import <agent|all>",
+		Short: "Import agent config from host",
+		Long: `Import agent configuration and credentials from the host into a workspace.
+
+By default, imports into the active workspace. Use --workspace to target
+a specific workspace. Use --config to import a specific config file instead
+of the entire host config directory.
+
+Examples:
+  exitbox config import claude                    Import Claude config into active workspace
+  exitbox config import all                       Import all agent configs into active workspace
+  exitbox config import claude -w work            Import Claude config into 'work' workspace
+  exitbox config import all --workspace personal  Import all configs into 'personal' workspace
+  exitbox config import codex -c config.toml      Import a config file into Codex workspace
+  exitbox config import opencode -c opencode.json Import OpenCode config file
+  exitbox config import codex -c config.toml -w work  Import into specific workspace`,
+		Args: cobra.ExactArgs(1),
+		Run: func(cmd *cobra.Command, args []string) {
+			target := args[0]
+
+			// Validate --config flag constraints.
+			if configFile != "" {
+				if target == "all" {
+					ui.Errorf("Cannot use --config with 'all'; specify a single agent")
+				}
+				if _, err := os.Stat(configFile); err != nil {
+					ui.Errorf("Config file not found: %s", configFile)
+				}
+			}
+
+			var agents []string
+			if target == "all" {
+				agents = agent.AgentNames
+			} else {
+				if !agent.IsValidAgent(target) {
+					ui.Errorf("Unknown agent: %s", target)
+				}
+				agents = []string{target}
+			}
+
+			// Resolve target workspace.
+			cfg := config.LoadOrDefault()
+			workspaceName := resolveConfigWorkspace(cfg, workspace)
+
+			importedAny := false
+			for _, name := range agents {
+				a := agent.Get(name)
+				if a == nil {
+					continue
+				}
+
+				dst := profile.WorkspaceAgentDir(workspaceName, name)
+				if err := os.MkdirAll(dst, 0755); err != nil {
+					ui.Warnf("Failed to create workspace dir for %s: %v", name, err)
+					continue
+				}
+
+				if configFile != "" {
+					// Import a specific file.
+					if err := a.ImportFile(configFile, dst); err != nil {
+						ui.Warnf("Failed to import file into %s: %v", name, err)
+						continue
+					}
+					ui.Successf("Imported %s → %s workspace '%s'",
+						configFile, name, workspaceName)
+					importedAny = true
+				} else {
+					// Import entire host config directory.
+					src, err := a.DetectHostConfig()
+					if err != nil {
+						ui.Warnf("No host config found for %s", name)
+						continue
+					}
+					if err := a.ImportConfig(src, dst); err != nil {
+						ui.Warnf("Failed to import %s config: %v", name, err)
+						continue
+					}
+					ui.Successf("Imported %s config from %s → workspace '%s'",
+						name, src, workspaceName)
+					importedAny = true
+				}
+			}
+
+			if !importedAny {
+				if configFile != "" {
+					ui.Warn("Config file was not imported.")
+				} else {
+					ui.Warn("No configs were imported.")
+				}
+			}
+		},
+	}
+
+	cmd.Flags().StringVarP(&workspace, "workspace", "w", "", "Target workspace (default: active workspace)")
+	cmd.Flags().StringVarP(&configFile, "config", "c", "", "Import a specific config file (e.g. config.toml, opencode.json)")
+	return cmd
+}
+
+func newConfigEditCmd() *cobra.Command {
+	var workspace string
+
+	cmd := &cobra.Command{
+		Use:   "edit <agent>",
+		Short: "Open agent config file in $EDITOR",
+		Long: `Opens the agent's primary config file in your $EDITOR (or vi).
+
+Creates the file if it doesn't exist.
+
+Examples:
+  exitbox config edit claude           Edit Claude settings.json
+  exitbox config edit codex            Edit Codex config.toml
+  exitbox config edit opencode -w work Edit OpenCode config in 'work' workspace`,
+		Args: cobra.ExactArgs(1),
+		Run: func(cmd *cobra.Command, args []string) {
+			name := args[0]
+			if !agent.IsValidAgent(name) {
+				ui.Errorf("Unknown agent: %s", name)
+			}
+
+			a := agent.Get(name)
+			if a == nil {
+				ui.Errorf("Agent not found: %s", name)
+			}
+
+			cfg := config.LoadOrDefault()
+			workspaceName := resolveConfigWorkspace(cfg, workspace)
+			wsDir := profile.WorkspaceAgentDir(workspaceName, name)
+			p := a.ConfigFilePath(wsDir)
+
+			// Create parent dirs + empty file if it doesn't exist.
+			if _, err := os.Stat(p); os.IsNotExist(err) {
+				if mkErr := os.MkdirAll(filepath.Dir(p), 0755); mkErr != nil {
+					ui.Errorf("Failed to create directory: %v", mkErr)
+				}
+				if wErr := os.WriteFile(p, []byte{}, 0644); wErr != nil {
+					ui.Errorf("Failed to create config file: %v", wErr)
+				}
+			}
+
+			editor := os.Getenv("EDITOR")
+			if editor == "" {
+				editor = "vi"
+			}
+			c := exec.Command(editor, p)
+			c.Stdin = os.Stdin
+			c.Stdout = os.Stdout
+			c.Stderr = os.Stderr
+			if err := c.Run(); err != nil {
+				ui.Errorf("Editor exited with error: %v", err)
+			}
+		},
+	}
+
+	cmd.Flags().StringVarP(&workspace, "workspace", "w", "", "Workspace name (default: active workspace)")
+	return cmd
+}
+
+// resolveConfigWorkspace determines which workspace to target.
+func resolveConfigWorkspace(cfg *config.Config, override string) string {
+	if override != "" {
+		w := profile.FindWorkspace(cfg, override)
+		if w == nil {
+			available := profile.WorkspaceNames(cfg)
+			if len(available) > 0 {
+				ui.Errorf("Unknown workspace '%s'. Available: %s", override, strings.Join(available, ", "))
+			} else {
+				ui.Errorf("Unknown workspace '%s'. No workspaces configured. Run 'exitbox setup' first.", override)
+			}
+		}
+		return w.Name
+	}
+
+	// Use the active/default workspace.
+	projectDir, _ := os.Getwd()
+	active, _ := profile.ResolveActiveWorkspace(cfg, projectDir, "")
+	if active != nil {
+		return active.Workspace.Name
+	}
+
+	// Fallback if no workspace exists at all.
+	if len(cfg.Workspaces.Items) > 0 {
+		return cfg.Workspaces.Items[0].Name
+	}
+	return "default"
+}
+
+func init() {
+	rootCmd.AddCommand(newConfigCmd())
+}

cmd/exitbox-allow/main.go

@@ -86,7 +86,12 @@ func main() {
 func requestAllow(socketPath, domain string) (bool, error) {
 	conn, err := net.Dial("unix", socketPath)
 	if err != nil {
-		return false, fmt.Errorf("IPC socket not available. Domain allow requests require firewall mode")
+		// Distinguish "socket missing" from "socket exists but connect denied"
+		// to help diagnose stale bind-mount scenarios.
+		if _, statErr := os.Stat(socketPath); statErr == nil {
+			return false, fmt.Errorf("IPC socket exists but connect failed (%v). The host exitbox process may have exited while this container is still running", err)
+		}
+		return false, fmt.Errorf("IPC socket not available (%v). Domain allow requests require firewall mode", err)
 	}
 	defer conn.Close()