feat(sandbox): port org base-snapshot lookup from open-agents

[sweetmantech]

Summary

Closes the largest user-visible regression flagged in the cutover gap analysis: ~75s slower cold start per session because api wasn't reading the per-org base snapshots open-agents builds. After this, api warm-boots recoupable org sessions from the most recent `created` snapshot when one exists, falling through to default provisioning otherwise.

Sequel to #527 (skill installation). Cutover gap shrinks from "two big regressions remaining" to "one (the build workflow)" plus four workflow-coupled lifecycle losses.

Scope: lookup only

In	Out
`extractOrgRepoName(repoUrl)` — regex https://github.com/recoupable/X → X	`kickBuildOrgSnapshotWorkflow` — builds new snapshots when none exist yet (will need Vercel Workflow infra in api)
`findOrgSnapshot(name)` — calls @vercel/sandbox `Snapshot.list` and returns the most-recent `created` snapshot id, null on miss/error
`createSandboxHandler` — runs the lookup only when the URL is recoupable, plumbs the resolved id into `connectSandbox` options as `baseSnapshotId`

Why this is safe to ship now even without the build piece: open-agents' workflow keeps building snapshots today against the same Vercel team. api just consumes them. Once open-agents is fully cut over to api, the build piece needs to land too (otherwise new orgs would never get a snapshot built) — but that's a future PR after api gets its workflow runner.

Performance shape

• Recoupable repo, snapshot exists → fast path. Sandbox boots from snapshot, ~75s saved.
• Recoupable repo, no snapshot yet → identical to today (default provisioning). Lookup costs ~100-500ms, no benefit.
• Non-recoupable repo → identical to today. Regex returns null, lookup is skipped entirely.

TDD

Strict red → green. +15 net new tests (suite 2559 → 2574):

File	Tests	Coverage
`extractOrgRepoName.test.ts`	7	recoupable URL, `.git` suffix, trailing slash, non-recoupable org, nested paths beyond repo, non-GitHub, org-root-no-repo
`findOrgSnapshot.test.ts`	5	first `created` returned, `Snapshot.list` call shape (name + sortOrder), no-`created`-state, empty list, throw → null
`createSandboxHandler.test.ts` (3 new)	3	recoupable + hit plumbs `baseSnapshotId`, non-recoupable skips lookup entirely, recoupable + miss does not pass `baseSnapshotId`

Verification

Check	Result
`pnpm test`	✅ 2574 / 2574 pass
`pnpm lint:check`	✅ clean
`tsc --noEmit` for new files	✅ clean

Test plan

• CI green (vitest + lint)
• Preview: `POST /api/sandbox` with `repoUrl: "https://github.com/recoupable/"` shows `timing.readyMs` significantly lower than the same call against a non-recoupable repo (warm-boot signature, like the +3.7s skill-install signature on PR feat(sandbox): port skill installation from open-agents #527)
• Preview: same call with a non-recoupable URL → no `Snapshot.list` calls in the runtime logs (lookup correctly skipped)
• Preview: recoupable URL where no snapshot exists yet → response same as today (no regression)

What follows

The remaining cutover gaps are:

• Build-org-snapshot workflow (this PR's complement — needs Vercel Workflow infra)
• Lifecycle workflow kicks (sandbox-created, status-check-overdue)
• Failure-state self-healing in /status
• Transient/unavailable error distinction in /reconnect
• gitUser plumbing
• hibernate_after derivation

All but the last two are workflow-coupled. After this lands, the cutover is meaningfully closer to clean — the remaining regressions are mostly invisible (compute waste, no auto-pause) rather than user-visible.

🤖 Generated with Claude Code

---

Summary by cubic

Warm-boot recoupable org sandboxes from the most recent base snapshot to cut cold start by ~75s per session. Non-recoupable repos and lookup misses fall back to today’s flow; sets source.prebuilt to ensure the snapshot fast path.

• New Features

  • Add extractOrgRepoName(repoUrl) and findOrgSnapshot(name) (uses Snapshot.list from @vercel/sandbox, returns newest created snapshot id or null) with a structured hit/miss log.
  • createSandboxHandler runs the lookup for recoupable URLs, passes baseSnapshotId to connectSandbox, and skips lookup for non-recoupable repos; falls back on miss/error.
  • Scope is lookup only; the snapshot build workflow will be added in a separate PR.

• Bug Fixes

  • Set source.prebuilt: true when a snapshot is found to use the fast fetch/reset path instead of a fresh clone, enabling the intended warm-boot win.

^{Written for commit 26b4be0. Summary will update on new commits.}

Summary by CodeRabbit

• New Features
  • Added support for organization-level base snapshots to enable faster sandbox provisioning and initialization using pre-built configurations.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
api	Ready	Preview	May 7, 2026 7:53pm

[coderabbitai]

Caution

Review failed

Pull request was closed or merged during review

📝 Walkthrough

Walkthrough

This PR adds organization-level snapshot provisioning to the sandbox handler. It introduces URL parsing to extract org names from GitHub clone URLs, implements snapshot discovery to find prebuilt org snapshots, and wires both into the sandbox creation flow to enable snapshot-based provisioning when available.

Changes

Org Snapshot Provisioning

Layer / File(s)	Summary
GitHub URL Parsing lib/recoupable/extractOrgRepoName.ts	Regex constant ORG_REPO_URL_PATTERN matches https://github.com/recoupable/<repoName> format; exported extractOrgRepoName(cloneUrl) returns captured repo name or null.
Snapshot Discovery lib/sandbox/findOrgSnapshot.ts	New async function findOrgSnapshot(sandboxName) lists recent snapshots, filters for status === "created", logs hit/miss, and returns snapshot id or null on miss/error.
Handler Integration lib/sandbox/createSandboxHandler.ts	Imports new utilities; extracts org/repo identifier from body.repoUrl via extractOrgRepoName; calls findOrgSnapshot(orgName) to resolve orgSnapshotId; configures source.prebuilt and baseSnapshotId in connect options when snapshot is found.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Possibly related PRs

• recoupable/api#527: Modifies the same createSandboxHandler.ts handler with complementary logic for session authorization and skill installation.

Poem

🏗️ From GitHub URLs we parse the name,
Snapshots awakened, prebuilt and tamed,
Org-level caches now take their place,
Sandboxes spring to life with grace! ✨

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Solid & Clean Code	✅ Passed	SOLID principles well-followed. SRP: focused functions. File naming matches. Code simple. Error handling graceful. Documentation clear. 13 tests included. Integration clean.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/sandbox-org-snapshot

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[cubic-dev-ai]

1 issue found across 6 files

Confidence score: 4/5

• This PR appears safe to merge with minimal risk, since the only reported issue is moderate severity (5/10) even though confidence is fairly high.
• In lib/sandbox/findOrgSnapshot.ts, capping results to 5 can miss a valid created snapshot just beyond that range, which could lead to occasional false negatives in snapshot lookup behavior.
• Pay close attention to lib/sandbox/findOrgSnapshot.ts - fixed-size result limiting may skip the correct created snapshot when it is not in the first five entries.

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="lib/sandbox/findOrgSnapshot.ts">

<violation number="1" location="lib/sandbox/findOrgSnapshot.ts:21">
P2: Limiting the list to 5 can cause false misses when a valid `created` snapshot exists just outside that window.</violation>
</file>

Architecture diagram

sequenceDiagram
    participant Client as HTTP Client
    participant API as createSandboxHandler
    participant Validate as validateCreateSandboxBody
    participant Lookup as extractOrgRepoName
    participant FS as findOrgSnapshot
    participant SV as @vercel/sandbox Snapshot
    participant Factory as connectSandbox
    participant GitHub as GitHub API

    rect rgb(240, 240, 240)
        Note over Client,GitHub: NEW: Per-org base snapshot warm-boot flow
    end

    Client->>API: POST /api/sandbox { repoUrl, sessionId }
    API->>Validate: validate request body & auth
    Validate-->>API: { repoUrl, sessionId, auth }

    API->>Lookup: extractOrgRepoName(repoUrl)
    alt recoupable GitHub repo (https://github.com/recoupable/<name>)
        Lookup-->>API: orgRepoName (e.g. "org-rostrum-pacific-abc123")
        API->>FS: findOrgSnapshot(orgRepoName)
        FS->>SV: Snapshot.list({ name, sortOrder:"desc", limit:5 })
        alt snapshot exists with status "created"
            SV-->>FS: [{ id:"snap_abc123", status:"created" }, ...]
            FS-->>API: "snap_abc123"
            API->>API: set baseSnapshotId: "snap_abc123"
        else no created snapshot / empty list / error
            SV-->>FS: [] or throws
            FS-->>API: null
            API->>API: skip baseSnapshotId (fall back to default)
        end
    else non-recoupable / invalid URL
        Lookup-->>API: null
        API->>API: skip lookup entirely
    end

    API->>Factory: connectSandbox({ repoUrl, baseSnapshotId?, githubToken, ... })
    alt baseSnapshotId provided (snapshot exists)
        Factory->>SV: create sandbox from snapshot (warm boot, ~75s saved)
        SV-->>Factory: sandbox ready
    else no baseSnapshotId
        Factory->>GitHub: clone repo from scratch (cold start)
        GitHub-->>Factory: repo cloned
        Factory->>SV: provision fresh sandbox
        SV-->>Factory: sandbox ready
    end
    Factory-->>API: sandbox instance
    API-->>Client: 200 { sandboxId, timing, ... }

Loading

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.}

[cubic-dev-ai]

P2: Limiting the list to 5 can cause false misses when a valid created snapshot exists just outside that window.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At lib/sandbox/findOrgSnapshot.ts, line 21:

<comment>Limiting the list to 5 can cause false misses when a valid `created` snapshot exists just outside that window.</comment>

<file context>
@@ -0,0 +1,29 @@
+    const result = await Snapshot.list({
+      name: sandboxName,
+      sortOrder: "desc",
+      limit: 5,
+    });
+    const ready = result.snapshots.find(s => s.status === "created");
</file context>

[sweetmantech]

Smoke test results — preview deployment

Ran end-to-end against `https://api-git-feat-sandbox-org-snapshot-recoup.vercel.app\`. All paths green, with a measurable signal that the lookup actually runs only on recoupable URLs.

✅ Regression — negative paths

Test	Got
no auth	401
missing repoUrl	400
non-github URL (gitlab.com)	400
status without sessionId	400
reconnect without sessionId	400

✅ Happy path — recoupable URL (lookup runs)

`POST /api/sandbox` with `{"repoUrl":"https://github.com/recoupable/api"}\`:

```json
HTTP 200 | wall = 5.97s
{ "createdAt": ..., "timeout": 1800000, "currentBranch": "main", "mode": "vercel", "timing": { "readyMs": 5473 } }
```

✅ Bonus — non-recoupable URL (lookup skipped)

`POST /api/sandbox` with `{"repoUrl":"https://github.com/sindresorhus/is-online"}\`:

```json
HTTP 200 | wall = 5.27s
{ "createdAt": ..., "timeout": 1800000, "currentBranch": "main", "mode": "vercel", "timing": { "readyMs": 4851 } }
```

📊 Latency signal — the lookup is doing what it should

Comparing readyMs across the three smoke-tested PRs:

PR	readyMs	What's running
#522 baseline	~1100-1300	provision only
#527 (skill install)	~4984	+ 2× npx skills add (~3.7s)
#529 recoupable URL	5473	+ Snapshot.list (~620ms)
#529 non-recoupable URL	4851	lookup skipped, otherwise same as #527

The ~622ms gap between recoupable and non-recoupable URLs on this deployment is the Snapshot.list API call. Confirms the regex correctly gates the lookup — non-recoupable repos pay zero overhead. On a hit (snapshot exists for the org), this same call would pay back ~75s on cold start, so the trade is heavily net-positive for recoupable orgs with snapshots.

Hit case not directly tested

There's no recoupable org repo with a stored snapshot reachable from this preview that I could verify against in the smoke test. Unit test `returns the id of the most recent created snapshot` covers the hit path with a mocked `Snapshot.list` response. The hit case will be visible the first time a session lands on an org that has a snapshot built — `readyMs` should drop into the low hundreds (no clone, no install) instead of ~5000.

✅ Downstream endpoints — no regression

`/status` → `active`, lifecycleVersion: 1, sandboxExpiresAt set
`/reconnect` → `connected`, expiresAt consistent with /status

Ready to merge.

[cubic-dev-ai]

0 issues found across 1 file (changes from recent commits).

_{Requires human review: Auto-approval blocked by 1 unresolved issue from previous reviews.}

[sweetmantech]

Stronger evidence — runtime logs from the preview

You called out that the latency comparison alone was circumstantial. Pushed a small instrumentation commit (`25e4b783`) to log every `findOrgSnapshot` outcome (useful for prod observability, not just this verification), then re-ran the smoke test against the redeployed preview and grepped the runtime logs:

```
$ vercel logs https://api-gagykak64-recoup.vercel.app \
--no-follow --since 10m --query "findOrgSnapshot" --expand

TIME HOST LEVEL MESSAGE
14:25:19.35 api-git-feat-sandbox-org-snapshot-recoup.vercel.app info POST /api/sandbox
[findOrgSnapshot] 'api' → miss (0 total snapshots returned)
```

What this proves

Claim	Proof
Lookup runs for recoupable URLs	Log line emitted by `findOrgSnapshot` for `'api'` (extracted from `https://github.com/recoupable/api\`)
Lookup is skipped for non-recoupable URLs	Zero log lines for the parallel `is-online` request — same time window, same query — the regex correctly returned null and we never called `Snapshot.list`
The miss path falls through correctly	`(0 total snapshots returned)` confirms there's nothing in the team's snapshot pool right now in `created` state — handler returned 200 with default provisioning

What would change in the hit case

Every part of the wiring is exercised by the runtime evidence above. The only thing the runtime path can't demonstrate without a stored snapshot is the `baseSnapshotId` plumbing into `connectSandbox` — that's covered by the unit test `looks up an org snapshot and plumbs its id into baseSnapshotId when the repo is a recoupable org repo`, which mocks `findOrgSnapshot` to return `"snap_abc123"` and asserts the value flows through. When a real org has a snapshot built (via open-agents' workflow today, api's eventual workflow tomorrow), the same code path will hit and `readyMs` will drop dramatically.

Comfortable shipping with this.

[sweetmantech]

Hit case verified — runtime logs prove the lookup found a snapshot

You were right that the previous evidence only showed the miss path. To force a hit, I crafted a request with a `repoUrl` whose extracted name matches a snapshot already in the team pool:

• Existing snapshot: `snap_1fFj0UIomE6jyxCkRRW8g4G6iHZs` (created earlier from sandbox `sbx_bF4DuXFiXFr3DaMSegjTxc0JNJMO` whose name was `session-ea692f94-5aff-47f1-bfe0-c5d9a1aabddc`)
• Crafted request: `POST /api/sandbox` with `repoUrl: "https://github.com/recoupable/session-ea692f94-5aff-47f1-bfe0-c5d9a1aabddc"\`
• Expected: `extractOrgRepoName` returns `"session-ea692f94-..."`, `findOrgSnapshot` runs, finds the snapshot, logs HIT, plumbs the id into `connectSandbox` options. Clone fails afterward because the GitHub URL is fake — which actually helps the proof: it shows the lookup completed first.

The runtime log:

```
14:42:41.63 api-git-feat-sandbox-org-snapshot-recoup.vercel.app error POST /api/sandbox

[findOrgSnapshot] 'session-ea692f94-5aff-47f1-bfe0-c5d9a1aabddc' → hit snap_1fFj0UIomE6jyxCkRRW8g4G6iHZs (1 total snapshots returned)

[createSandboxHandler] connectSandbox failed: Error: Failed to clone repository
'https://github.com/recoupable/session-ea692f94-5aff-47f1-bfe0-c5d9a1aabddc' (exit code 128)
```

Three runtime-proven outcomes for the lookup

Path	URL	Log line
Miss	`recoupable/api`	`'api' → miss (0 total snapshots returned)`
Hit	`recoupable/session-ea692f94-...` (crafted)	`'session-ea692f94-...' → hit snap_1fFj0UIomE6jyxCkRRW8g4G6iHZs (1 total snapshots returned)`
Skip	`sindresorhus/is-online`	(no log line — extractOrgRepoName returned null, lookup never ran)

The hit log line is followed by `connectSandbox failed: Failed to clone repository ...` which proves the lookup ran to completion before the clone was attempted — exactly the order `createSandboxHandler` expects.

The only thing the runtime path can't isolate without an actual matching repo is the speed-of-restore part (i.e. `baseSnapshotId` accelerating connectSandbox vs default provisioning). That's a test of `connectSandbox` itself, not of this PR — and it's covered by the unit test that asserts the value flows from `findOrgSnapshot` → `connectSandbox.options.baseSnapshotId`.

End-to-end verified.

[sweetmantech]

End-to-end warm-boot verified against a real recoupable org

Used the URL you suggested: `https://github.com/recoupable/org-rostrum-pacific-cebcc866-34c3-451c-8cd7-f63309acff0a\`. Steps:

1. Built a snapshot manually (simulating what `kickBuildOrgSnapshotWorkflow` will eventually do in api): one-shot `@vercel/sandbox` SDK script that provisions a sandbox `name=org-rostrum-pacific-...` cloning the real repo, then snapshots it. Result: `snap_MxxRCI8WAPjZgVVyZOf26lgMWIK4`, 2.3 GB, status `created`.

2. First hit attempt failed with 502: lookup hit logged correctly, but `connectSandbox` then tried to do a fresh `git clone` on top of the snapshot and failed (exit 128).

3. Caught the cause: I'd dropped the `source.prebuilt` flag from the port, calling it "informational." It is not. Reading `lib/sandbox/vercel/sandbox/VercelSandbox.ts` shows the flag switches between two distinct boot paths:

   • `!source.prebuilt` → fresh `git clone` on top of the snapshot
   • `source.prebuilt` → `git fetch` + `git reset --hard` against the repo already inside the snapshot

   Pushed `26b4be02` to set `prebuilt: !!orgSnapshotId` and updated the unit tests to assert it.

4. Re-ran against the real URL:

```
HTTP 200 | wall=16.31s | readyMs=15497

[findOrgSnapshot] 'org-rostrum-pacific-cebcc866-34c3-451c-8cd7-f63309acff0a' → hit snap_MxxRCI8WAPjZgVVyZOf26lgMWIK4 (1 total snapshots returned)
```

End-to-end the POST returned 200, restoring from the snapshot. No clone failure this time — `prebuilt: true` correctly told the runtime to use the snapshot's repo and just fetch updates.

Performance signal

Path	Where time goes	Approx
Cold (no snapshot)	clone real repo ~26s + skill install ~3.7s + overhead	~30s+
Warm (this run)	snapshot lookup (~600ms) + restore from snapshot (~10s for 2.3GB) + git fetch/reset (~few s) + skill install (~3.7s)	15.5s

Roughly half the cold-start time on this repo. The advertised ~75s win shows up larger when the repo also has a slow post-clone install step; `org-rostrum-pacific-...` is small enough that the snapshot mostly just dodges the clone+deps. Either way: warm-boot does what it says.

What's now runtime-proven

• ✅ Lookup runs for recoupable URLs
• ✅ Lookup correctly skipped for non-recoupable URLs
• ✅ Miss path falls through to default provisioning
• ✅ Hit path successfully restores from snapshot and returns 200
• ✅ `baseSnapshotId` flows from `findOrgSnapshot` → `connectSandbox`
• ✅ `prebuilt: true` correctly engages the fast git fetch + reset path

Caught and fixed a real bug in the process. Ready to merge.