feat(git): add just-git sandbox command with optional network access

[Hazzng]

Summary

• Register a sandbox git command backed by just-git, with remote transport gated on the existing network runtime flag.
• Export deployment-wide GITHUB_TOKEN (plus GIT_HTTP_USER/GIT_HTTP_PASSWORD) and optional git author/committer identity into every sandbox shell env.
• Expose network on MCP sandbox_create and in the OpenAPI sandbox schema so agents can opt in to curl and git clone/fetch/push over HTTPS.

Test plan

• pnpm test:unit — git-command.test.ts, mcp.test.ts
• pnpm test:integration — git-network.integration.test.ts (just-git in-memory server)
• Manual: create sandbox with network: true, git clone a repo, commit, and push with server GITHUB_TOKEN set

Made with Cursor

---

Summary by cubic

Add a sandbox git command via just-git. Remote clone/fetch/push and Bash curl are available only when a sandbox is created with network: true; GITHUB_TOKEN is exported only to those network-enabled sandboxes, while optional git author/committer defaults are exported to all. The network flag is exposed via MCP and OpenAPI (sandbox schema now includes a required network field).

• New Features

  • Register git in sandboxes; local init/add/commit works offline, remote operations are gated by network.
  • Export GITHUB_TOKEN as GITHUB_TOKEN, GIT_HTTP_USER=x-access-token, and GIT_HTTP_PASSWORD=<token> only for network:true sandboxes; optional GIT_AUTHOR_*/GIT_COMMITTER_* defaults are included for all. Per-exec env can override.
  • sandbox_create accepts network: true; MCP responses and sandbox_list include network. OpenAPI adds network to the sandbox schema (required). When enabled, curl, git remote HTTPS, and js-exec fetch are available.

• Migration

  • Optionally set GITHUB_TOKEN in the server environment to enable authenticated GitHub HTTPS and API calls inside network-enabled sandboxes.
  • Agents should pass network: true when creating sandboxes to use curl and git remote operations; otherwise sandboxes remain air‑gapped.
  • Update API clients/types to handle the new network field on sandbox objects (now required in the OpenAPI schema).

^{Written for commit 0a74211. Summary will update on new commits.}

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on this repository. Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 2fd94f4e-78cc-4cc8-8d1e-83e59d1418c7

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feature/git-ops

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[Hazzng]

@coderabbitai review

[coderabbitai]

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[cubic-dev-ai]

1 issue found and verified against the latest diff

<sub>Reply with feedback, questions, or to request a fix.

Fix all with cubic | Re-trigger cubic</sub>

[cubic-dev-ai]

2 issues found across 9 files (changes from recent commits).

<sub>Tip: Review your code locally with the cubic CLI to iterate faster.

Fix all with cubic | Re-trigger cubic</sub>