Post-merge follow-ups for #706 (Sandbox→Box Part 1): client regen + staging migration + CodeQL

[DorianZheng]

Tracking the post-merge follow-ups for #706 (squash 490d093b, "rename Sandbox → Box, Part 1: apps/api epicenter"), which was admin-merged while WIP. These items shipped to main in a known-incomplete state and must be closed out before a production deploy / dependent parts.

🔴 P0 — verify before any deploy that auto-runs migrations

• Run DDL migration apps/api/src/migrations/post-deploy/1781016743403-migration.ts on staging. It renames table sandbox→box (+ sandbox_last_activity/sandbox_usage_periods/_archive), columns sandboxId→boxId and organization.sandbox_*/max_*_per_sandbox, enum sandbox_state_enum→box_state_enum, and ~16 sandbox_*_idx/idx_sandbox_* indexes. Never run against a real DB. Verify up() and down() on a staging clone; confirm the partial-index enum-cast predicates survive the ALTER TYPE … RENAME. Update 2026-06-10: fix(api,e2e): finish Sandbox → Box rename — 3 schema gaps + fixture column names #720 added catch-up migration 1781072797240 (3 schema gaps the original missed, incl. runner.currentStartedBoxes) — verify both, in order.

🔴 P0 — generated SDKs mismatch the live server

• Regenerate api-client, api-client-go, and analytics-api-client (api-client/api-client-go in chore(apps): restore Daytona API-client regen machinery + regenerate clients #716; analytics in chore(apps): rename analytics-api-client Sandbox -> Box via in-repo swagger spec #721 via committed in-repo spec; toolbox-api-client — found stale + its regen target broken — in chore(apps,e2e): sweep Sandbox→Box rename leftovers — regen toolbox client, fix dead env vars + stale refs #723, now drift-gated) from the (already-correct) api spec. They still declare WebhookEvent = "sandbox.created" etc., while the server now emits box.created → consumer mismatch. Source is correct; this is mechanical regen (nx run-many --target=generate:api-client).
  • Pin the generator to 7.12.0 (main's committed clients are 7.12.0; an ad-hoc regen produced 7.23.0, which adds unrelated AWS-SigV4 / Set-serialization scaffolding). Add an openapitools.json pin so the regen diff stays rename-only.
• Regenerate cli cobra docs (apps/cli/docs, apps/cli/hack/docs) + daemon swaggo docs (stale sandbox descriptions). (done in docs(cli,daemon): regenerate cobra docs and toolbox swagger after rename #718)
• Note: runner-api-client + runner swagger were already regenerated in the PR (so apps/api compiles).

🟠 P1 — CI / governance

• CodeQL alert triage — ~101 open alerts (45 go/path-injection mostly apps/runner, 32 actions/missing-workflow-permissions, 6 go/clear-text-logging, rest singletons incl. go/zipslip, go/insecure-hostkeycallback). Dismiss pre-existing/false-positives, fix real ones. (Correction: "CodeQL is red on main" was a misread — default setup was green; the red was ci(codeql): switch to advanced setup so fork PRs are scanned #708's advanced-setup workflow lying dormant behind an unset variable. Cutover executed 2026-06-10: default setup disabled, CODEQL_ADVANCED_SETUP_ENABLED=true, 6/6 languages green on main, fork-PR scanning live.)
• Confirm e2e passes on main.

🟡 follow-ups flagged during review

• Confirm the runnerAdapter ToolboxApi removal (part 4, b20fc6cb) was intentional — it was declared+initialized but never called on main (dead code), so removal looks safe; just confirm nothing external relied on it.
• This is Part 1 of N — runner/cli/dashboard wire + DB consumers; ensure the remaining installments land coherently (webhook event names, env vars, RBAC values were renamed in source).

Verification already complete (for reference)

• ✅ Source rename verified rename-only across all 937 changed files (94-agent normalize-and-classify sweep): 0 hidden logic changes attributable to the rename.

[DorianZheng]

Status update — client/docs regen items are done; here is the precise state of every checkbox.

🔴 Generated SDKs mismatch the live server → DONE (#716, merged as 8f8629c2)

• api-client + api-client-go regenerated from the renamed spec: WebhookEvent now box.created / box.state.updated, sandboxIdOrName path vars → boxIdOrName, zero sandbox tokens in both clients.
• Correction to this issue's pin note: the generator is pinned to 7.23.0, not 7.12.0 — both committed clients were already 7.23.0 output (the 7.12.0 reading came from the analytics client, which is the only one still on 7.12.0).
• chore(apps): restore Daytona API-client regen machinery + regenerate clients #716 also restored the upstream (daytonaio/daytona) regen machinery this repo's import had dropped: apps/openapitools.json pin, apps/hack/{ts,go}-client postprocess + Go templates, fixed nx target paths, apps/api/.env.example (offline spec-gen env, SKIP_CONNECTIONS=true), committed apps/yarn.lock, and a CI drift gate (api-client-drift.yml) that regenerates and fails on diff — green on chore(apps): restore Daytona API-client regen machinery + regenerate clients #716 itself (2m01s). Clients can no longer go silently stale.
• analytics-api-client cannot be regenerated from this repo: its input (tmp/swagger.json) is the external analytics service's swagger — no in-repo producer; upstream excludes it from regen for the same reason (--exclude=analytics-api-client). Blocked until that service renames; suggest splitting to its own tracking line.

cli cobra docs + daemon swaggo docs → PR #718 open

• CLI Go + daemon toolbox source verified fully renamed before regenerating; regenerated docs now have zero sandbox tokens. generate-cli-docs.sh gains the prettier pass the daemon target already had (kills ~700 lines of quoting churn per regen). Note: these docs have no CI drift gate (unlike the API clients) — staleness will accumulate again; a sibling gate is a possible follow-up.

🔴 Staging migration 1781016743403 → still open, needs staging DB access (human-gated).

🟠 CodeQL → root-caused, action awaiting maintainer decision

• Default setup is scanning main successfully (recent runs green). The "red"/skip confusion: the ci(codeql): switch to advanced setup so fork PRs are scanned #708 advanced-setup workflow is intentionally dormant — if: vars.CODEQL_ADVANCED_SETUP_ENABLED == 'true' and the variable was never set, because default setup was never disabled. The fork-PR scanning gap ci(codeql): switch to advanced setup so fork PRs are scanned #708 was built to fix therefore still exists.
• Cutover runbook (from the workflow's own header): disable default setup → set CODEQL_ADVANCED_SETUP_ENABLED=true → workflow_dispatch a main scan → re-run open PRs' checks.
• Separate backlog: 100 open alerts — 45 go/path-injection (mostly apps/runner file controllers/volumes), 31 actions/missing-workflow-permissions, 6 go/clear-text-logging, the rest assorted JS/Py singletons. Triage (dismiss pre-existing/false-positive, fix real ones) is its own work item.

🟠 e2e on main → currently failing, not confirmable

• "E2E Integration Tests" failed on the last two main runs (Jun 9–10, on the go-sdk and eslint commits — unrelated to the rename or the client regen). Needs its own investigation before this box can be ticked.

🟡 runnerAdapter ToolboxApi removal → confirmed safe

• Zero references repo-wide (94-agent sweep at merge time + fresh greps during the client regen). The generated BoxLiteRESTAPI client surface was likewise consumer-less and was dropped in chore(apps): restore Daytona API-client regen machinery + regenerate clients #716 (that REST surface is spec-first via openapi/box.openapi.yaml, now @ApiExcludeController'd out of the product spec).

[DorianZheng]

analytics-api-client → PR #721 open (was: external-blocked).

Unblock mechanism: the generator input never existed in-repo (tmp/swagger.json from the external analytics service), so #721 commits the contract as apps/libs/analytics-api-client/swagger.json — reconstructed 1:1 from the committed client, sandbox→box renamed only — and regenerates with the pinned 7.23.0 (the analytics client was the last one still on 7.12.0 output). This flips the item from "blocked until the external service renames" to spec-first: the dashboard (#706 already calls Box-named methods, which did not exist in the committed client — it could not typecheck) compiles now, and any future analytics service implements the committed spec.

Also in #721: the api-client-drift gate now covers analytics (regen is byte-identical, verified with --skip-nx-cache), and eslint ignores **/.nx/** (lint tripped on nx-cached copies of generated code after a local regen).

Found while verifying, not fixed (pre-existing, separate follow-up): apps/dashboard/tsconfig.app.json maps @boxlite-ai/* to ../../libs/*, which points outside the workspace since the #460 flattening — raw tsc -p dashboard/ cannot resolve any @boxlite-ai/* import; the dashboard has no typecheck gate at all.

[DorianZheng]

Status update 2026-06-10 (afternoon) — three items moved, one new finding.

🟢 Generated SDKs — fully closed

• analytics-api-client → chore(apps): rename analytics-api-client Sandbox -> Box via in-repo swagger spec #721 merged (committed swagger.json as the in-repo contract, regenerated at pinned 7.23.0, drift-gated).
• New finding: toolbox-api-client was also stale (4 generated "sandbox entrypoint" doc-comments; daemon swagger itself was clean since docs(cli,daemon): regenerate cobra docs and toolbox swagger after rename #718) and its regen target had been broken since the apps/ flattening — -i apps/daemon/... resolves to apps/apps/daemon/... because the nx workspace root is apps/. Fixed in chore(apps,e2e): sweep Sandbox→Box rename leftovers — regen toolbox client, fix dead env vars + stale refs #723 (merged): client regenerated 7.12.0→7.23.0, target paths fixed (same latent bug in runner-api-client + nx.json cache inputs), and the drift gate now covers it via --excludeTaskDependencies (committed daemon swagger = contract). Remaining ungated: daemon-Go-source↔swagger (the cli/daemon-docs sibling gate noted earlier).
• chore(apps,e2e): sweep Sandbox→Box rename leftovers — regen toolbox client, fix dead env vars + stale refs #723 also swept the last functional rename leftovers outside apps/api: e2e bootstrap.sh + infra-local wrote dead ADMIN_MAX_*_PER_SANDBOX env vars (API reads _PER_BOX, default 0 — admin quotas silently unset), stack-reset.sh ran TRUNCATE TABLE sandbox against the renamed table, /api/sandbox → /api/box. Sweep is grep-clean; what remains repo-wide is historical migrations (correct as-is) and OS-isolation "sandbox" (jailer — different concept).

🟢 CodeQL cutover — executed (replaces "awaiting maintainer decision")

Default setup disabled → CODEQL_ADVANCED_SETUP_ENABLED=true → dispatched run 27261268547 green across all 6 languages → fork-PR scanning live (#708's gap closed; verified end-to-end on #723's PR checks). Rollback = re-enable default setup + delete the variable. Gotchas for the record: gh run rerun does not re-evaluate if: vars.* skips (re-runs replay the original context); pre-cutover PRs pick up scans on their next push. Remaining work on this item is only the ~101-alert triage backlog (counts in the updated issue body).

🔴 e2e on main — root-caused twice; now an API crash-loop, under investigation

The "failing on unrelated commits" framing was wrong in an interesting way:

1. The boxlite-e2e EC2 runner was stopped (user-initiated, 05:32 GMT today) → 11 runs queued → each main merge's concurrency group cancelled its queued predecessor → main never actually executed e2e post-rename. Every prior "red" was a cancellation artifact.
2. Runner restarted 10:14 GMT; queue draining. The first main run to truly execute (27269218853, chore(apps,e2e): sweep Sandbox→Box rename leftovers — regen toolbox client, fix dead env vars + stale refs #723's merge commit) failed in bootstrap: boxlite-api.service crash-loops at startup (systemd status=1/FAILURE, restart counter climbing), /api/health never answers, test:e2e:setup aborts after 90s. The API's underlying exception isn't in the workflow log excerpt — extracting it from the runner's journal is the active investigation. Until then this checkbox stays open; note fix(api,e2e): finish Sandbox → Box rename — 3 schema gaps + fixture column names #720 (schema gaps + fixtures) and chore(apps,e2e): sweep Sandbox→Box rename leftovers — regen toolbox client, fix dead env vars + stale refs #723 (bootstrap env) are already in, so this is a distinct failure.

🔴 Staging migration — scope grew to two migrations

#720 added catch-up migration 1781072797240 for three pieces 1781016743403 missed. Verify both, in order, up() and down() (issue body updated). Still human-gated on staging DB access.

🟡 "Part 1 of N" — effectively complete

Token sweep on current main: runner/cli/daemon/dashboard/proxy at zero sandbox tokens (content and path names — box_sync.go, CREATE_BOX journal types, etc.); apps/api's remaining 404 tokens are all historical migrations, which must keep old names. With #723, the feared remaining installments have all landed; no Part 2-6 needed.