Feat/chatpage v1

.github/workflows/build-dmg.yml

@@ -0,0 +1,59 @@
+name: Build Universal DMG
+
+on:
+  workflow_dispatch:
+
+permissions:
+  contents: write
+
+env:
+  CARGO_TERM_COLOR: always
+
+jobs:
+  build-universal:
+    name: Build macOS Universal
+    runs-on: macos-latest
+    steps:
+      - uses: actions/checkout@v5
+
+      - name: Install Rust stable with both targets
+        uses: dtolnay/rust-toolchain@stable
+        with:
+          targets: aarch64-apple-darwin,x86_64-apple-darwin
+
+      - name: Install pnpm
+        uses: pnpm/action-setup@v4
+        with:
+          version: 9
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v6
+        with:
+          node-version: "22"
+          cache: pnpm
+          cache-dependency-path: crates/cratebay-gui/pnpm-lock.yaml
+
+      - name: Cargo cache
+        uses: Swatinem/rust-cache@v2
+        with:
+          key: build-universal
+
+      - name: Install frontend dependencies
+        working-directory: crates/cratebay-gui
+        run: pnpm install --frozen-lockfile
+
+      - name: Build Tauri Universal app
+        uses: tauri-apps/tauri-action@v0
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          projectPath: crates/cratebay-gui
+          args: --target universal-apple-darwin
+
+      - name: Upload Universal DMG
+        uses: actions/upload-artifact@v4
+        with:
+          name: CrateBay-macos-universal
+          path: |
+            target/universal-apple-darwin/release/bundle/dmg/*.dmg
+          if-no-files-found: error

.github/workflows/release.yml

@@ -85,11 +85,21 @@ jobs:
             target: x86_64-unknown-linux-gnu
             cli-artifact: cratebay-linux-x86_64
             ext: ""
+          - name: Linux-aarch64
+            os: ubuntu-latest
+            target: aarch64-unknown-linux-gnu
+            cli-artifact: cratebay-linux-aarch64
+            ext: ""
           - name: Windows-x86_64
             os: windows-latest
             target: x86_64-pc-windows-msvc
             cli-artifact: cratebay-windows-x86_64
             ext: ".exe"
+          - name: Windows-aarch64
+            os: windows-latest
+            target: aarch64-pc-windows-msvc
+            cli-artifact: cratebay-windows-aarch64
+            ext: ".exe"
 
     steps:
       - uses: actions/checkout@v5
@@ -122,6 +132,14 @@ jobs:
           key: release-${{ matrix.target }}
 
       # -- Build CLI --
+      - name: Install cross-compilation dependencies (Linux aarch64)
+        if: matrix.target == 'aarch64-unknown-linux-gnu'
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y gcc-aarch64-linux-gnu
+          echo '[target.aarch64-unknown-linux-gnu]' >> ~/.cargo/config.toml
+          echo 'linker = "aarch64-linux-gnu-gcc"' >> ~/.cargo/config.toml
+
       - name: Build CLI (release)
         run: cargo build --release --target ${{ matrix.target }} -p cratebay-cli
 
@@ -156,10 +174,18 @@ jobs:
             os: ubuntu-latest
             target: x86_64-unknown-linux-gnu
             artifact: cratebay-gui-linux-x86_64
+          - name: Linux-aarch64
+            os: ubuntu-latest
+            target: aarch64-unknown-linux-gnu
+            artifact: cratebay-gui-linux-aarch64
           - name: Windows-x86_64
             os: windows-latest
             target: x86_64-pc-windows-msvc
             artifact: cratebay-gui-windows-x86_64
+          - name: Windows-aarch64
+            os: windows-latest
+            target: aarch64-pc-windows-msvc
+            artifact: cratebay-gui-windows-aarch64
 
     steps:
       - uses: actions/checkout@v5
@@ -227,6 +253,22 @@ jobs:
             qemu-system-x86 \
             squashfs-tools
 
+      - name: Install cross-compilation dependencies (Linux aarch64)
+        if: matrix.target == 'aarch64-unknown-linux-gnu'
+        run: |
+          sudo dpkg --add-architecture arm64
+          sudo apt-get update
+          sudo apt-get install -y \
+            gcc-aarch64-linux-gnu \
+            libgtk-3-dev:arm64 \
+            libwebkit2gtk-4.1-dev:arm64 \
+            libappindicator3-dev:arm64 \
+            librsvg2-dev:arm64 \
+            patchelf
+          echo '[target.aarch64-unknown-linux-gnu]' >> ~/.cargo/config.toml
+          echo 'linker = "aarch64-linux-gnu-gcc"' >> ~/.cargo/config.toml
+          export PKG_CONFIG_SYSROOT_DIR=/usr/aarch64-linux-gnu
+
       - name: Install Zig (Linux only)
         if: runner.os == 'Linux'
         run: bash scripts/install-zig.sh
@@ -259,28 +301,61 @@ jobs:
         working-directory: crates/cratebay-gui
         run: pnpm install --frozen-lockfile
 
+      # macOS: prepare cratebay-vz external binary with entitlements
+      - name: Prepare external binaries (macOS)
+        if: runner.os == 'macOS'
+        shell: bash
+        run: bash scripts/prepare-tauri-external-bins.sh "${{ matrix.target }}"
+
+      # Build sandbox bundle images (requires Docker)
+      - name: Build sandbox bundle images
+        if: runner.os == 'Linux' || runner.os == 'macOS'
+        shell: bash
+        run: |
+          if command -v docker >/dev/null 2>&1 && docker info >/dev/null 2>&1; then
+            bash scripts/build-bundle-images.sh
+          else
+            echo "SKIP: Docker not available, bundle images will not be included"
+          fi
+
       - name: Build Tauri app
         uses: tauri-apps/tauri-action@v0
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           # macOS code signing (Apple Developer ID)
-          # Required secrets: APPLE_CERTIFICATE, APPLE_CERTIFICATE_PASSWORD,
-          #                   APPLE_SIGNING_IDENTITY, APPLE_ID, APPLE_PASSWORD,
-          #                   APPLE_TEAM_ID
           APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }}
           APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
           APPLE_SIGNING_IDENTITY: ${{ secrets.APPLE_SIGNING_IDENTITY }}
           APPLE_ID: ${{ secrets.APPLE_ID }}
           APPLE_PASSWORD: ${{ secrets.APPLE_PASSWORD }}
           APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
-          # Windows code signing (Authenticode / Azure Trusted Signing)
-          # Required secrets: WINDOWS_CERTIFICATE, WINDOWS_CERTIFICATE_PASSWORD
+          # Windows code signing
           WINDOWS_CERTIFICATE: ${{ secrets.WINDOWS_CERTIFICATE }}
           WINDOWS_CERTIFICATE_PASSWORD: ${{ secrets.WINDOWS_CERTIFICATE_PASSWORD }}
         with:
           projectPath: crates/cratebay-gui
           args: --target ${{ matrix.target }}
 
+      # macOS: re-sign cratebay-vz with virtualization entitlements after Tauri bundling
+      - name: Sign cratebay-vz with virtualization entitlements (macOS)
+        if: runner.os == 'macOS'
+        shell: bash
+        run: |
+          VZ_BIN="target/${{ matrix.target }}/release/bundle/macos/CrateBay.app/Contents/MacOS/cratebay-vz"
+          if [ -f "$VZ_BIN" ]; then
+            identity="${APPLE_SIGNING_IDENTITY:--}"
+            codesign --force --sign "$identity" \
+              --options runtime \
+              --entitlements scripts/macos-entitlements.plist \
+              "$VZ_BIN"
+            # Re-sign the outer app bundle
+            APP_BUNDLE="target/${{ matrix.target }}/release/bundle/macos/CrateBay.app"
+            codesign --force --sign "$identity" --options runtime "$APP_BUNDLE"
+            echo "Re-signed cratebay-vz with virtualization entitlements"
+          fi
+        env:
+          APPLE_SIGNING_IDENTITY: ${{ secrets.APPLE_SIGNING_IDENTITY }}
+
       - name: Verify release bundles
         shell: bash
         run: ./scripts/verify-release-artifacts.sh --mode ci --os "${{ runner.os }}" --target "${{ matrix.target }}"

AGENTS.md

@@ -1,6 +1,6 @@
 # AGENTS.md — CrateBay Project Guide
 
-> **Version**: 0.9.0 | **Branch**: `master` | **Last Updated**: 2026-03-29
+> **Version**: 0.9.0 | **Branch**: `feat/chatpage-v1` | **Last Updated**: 2026-04-01
 >
 > This file is the **entry point** for all AI Agents working on this project.
 > Detailed specs are in `docs/specs/` — load them on-demand based on your task (see Spec Loading Protocol below).
@@ -11,17 +11,26 @@
 
 ## Project Identity
 
-**CrateBay** is an open-source **local AI sandbox** — a secure, private container for AI agents to execute code.
+**CrateBay** is an open-source, cross-platform **container management tool with AI sandbox capabilities** — an alternative to Docker Desktop and OrbStack that is fully open-source, works on all platforms, and has built-in AI code execution.
 
-- **MCP Server** (`cratebay-mcp`) — let any AI (Claude, Cursor, Windsurf, your own) run code safely
-- **Zero cost** — runs locally in a lightweight VM, no cloud fees
+- **Desktop App** (`cratebay-gui`) — manage containers, images, and AI chat with code execution
+- **MCP Server** (`cratebay-mcp`) — let any AI (Claude, Cursor, Windsurf) run code safely via MCP protocol
+- **CLI** (`cratebay-cli`) — headless container and sandbox operations
 - **Built-in runtime** — no Docker installation required (macOS: VZ.framework, Linux: KVM, Windows: WSL2)
+- **Zero cost** — runs locally in a lightweight VM, no cloud fees
 - **Platforms**: macOS, Windows, Linux
 - **License**: MIT
 
-**Core value proposition**: CrateBay replaces cloud sandboxes (E2B, Modal) with a local, free, privacy-first alternative specifically designed for AI agents.
+**Core value proposition**: CrateBay combines the container management of Docker Desktop/OrbStack with AI sandbox capabilities (like E2B/Modal) — all open-source, cross-platform, and free.
+
+**vs Docker Desktop**: open-source, cross-platform, built-in AI
+**vs OrbStack**: open-source, cross-platform (not macOS only), built-in AI
+**vs E2B/Modal**: local execution, zero cost, full privacy
 
-**User journey**: Install → Configure MCP → Tell Claude "run this code" → CrateBay handles isolation, execution, result delivery.
+**User journeys**:
+1. **GUI user**: Open CrateBay → Chat with AI → AI runs code in sandboxes → manage containers/images visually
+2. **MCP user**: Configure Claude Desktop/Cursor → AI calls sandbox_run_code → CrateBay handles execution
+3. **CLI user**: `cratebay container create` / `cratebay mcp export` for headless workflows
 
 ---
 
@@ -52,32 +61,48 @@ Non-goals for routine development:
 
 ## Product Direction (CRITICAL — AI Agents MUST follow)
 
-**CrateBay = Local AI Sandbox.** All development decisions must serve this positioning.
+**CrateBay = Open-source container management + AI Sandbox.** Two pillars, both important.
 
-### Primary user flow
+### Pillar 1: Container Management (like Docker Desktop / OrbStack)
 
 ```
-User installs CrateBay → Configures MCP in Claude/Cursor/Windsurf
-→ AI says "sandbox_run_code(python, 'print(1+1)')" → CrateBay returns "2"
+User opens CrateBay → Manages containers, images, volumes
+→ Full lifecycle: create, start, stop, delete, inspect, logs
+→ Built-in runtime: no Docker installation required
+```
+
+### Pillar 2: AI Sandbox (like E2B / Modal, but local)
+
+```
+Route A (GUI): User opens ChatPage → Chats with AI → AI runs code in sandboxes
+Route B (MCP): User configures Claude/Cursor → AI calls sandbox_run_code via MCP
 ```
 
 ### Priority order for all development work
 
-1. **MCP Server (`cratebay-mcp`)** — the primary product interface. `sandbox_run_code` is the #1 feature.
-2. **Built-in Runtime** — zero-config VM that makes the sandbox work without Docker.
-3. **CLI (`cratebay-cli`)** — headless sandbox operations for CI/automation.
-4. **Desktop App (GUI)** — visual dashboard for sandbox monitoring and settings. **NOT the primary interface.**
+1. **Built-in Runtime** — zero-config VM that powers both container management and AI sandbox.
+2. **Desktop App (GUI)** — container management UI + AI ChatPage with code execution.
+3. **MCP Server (`cratebay-mcp`)** — external AI integration via MCP protocol.
+4. **CLI (`cratebay-cli`)** — headless operations for CI/automation.
 
 ### What NOT to do
 
-- Do NOT treat the GUI ChatPage as the core product entry. MCP Server is the entry.
-- Do NOT spend time on GUI polish before MCP tools are complete.
-- Do NOT add features unrelated to code execution (e.g., UI theming, animation, cosmetic changes).
-- Do NOT optimize for "container management" — optimize for "AI runs code safely".
+- Do NOT remove container/image management features — they are core functionality.
+- Do NOT add features unrelated to containers or code execution.
+- Do NOT optimize for a single use case — both container management and AI sandbox matter.
+
+### Navigation structure (4 pages)
+
+```
+Chat       — AI chat with sandbox code execution
+Containers — Container lifecycle management
+Images     — Image management (pull, remove, inspect)
+Settings   — LLM providers, MCP servers, Runtime, Appearance, About
+```
 
 ### Execution plan
 
-See `docs/ROADMAP.md` for the v2.1-Alpha release plan (Phase 1-5).
+See `docs/ROADMAP.md` for the release plan.
 See `docs/progress.md` Quick Resume section for what to do next.
 
 ---
@@ -348,9 +373,9 @@ When a feature is completed, the responsible agent MUST check:
 
 ## Current Development Stage
 
-**Current**: v0.9.0 — MCP Sandbox core complete. Next: ChatPage polish + UI optimization → v1.0.0.
+**Current**: v0.9.0 — ChatPage v1.0 complete (sandbox tools + provider config + UI upgrade). Next: merge to master → v1.0.0.
 
-**Completed**: Phase 1 (docs) + Phase 2 (skeleton + core + frontend + runtime + MCP + tests + GUI polish).
+**Completed**: Phase 1 (docs) + Phase 2 (core + frontend + runtime + MCP + tests) + ChatPage v1.0 (sandbox Agent Tools, provider config, UI components, MCP→Settings merge, system image protection).
 
 See [docs/progress.md](docs/progress.md) for detailed progress and [docs/ROADMAP.md](docs/ROADMAP.md) for the release plan.
 

README.md

@@ -1,18 +1,17 @@
 # CrateBay
 
-Open-source local AI sandbox. Run code safely on your machine — no cloud, no cost.
+Open-source, cross-platform container management with built-in AI sandbox.
 
-CrateBay gives any AI agent (Claude, Cursor, Windsurf, your own) a secure sandbox to execute code, install packages, and manage files — all running locally inside a lightweight VM. No Docker installation required.
+CrateBay is an alternative to Docker Desktop and OrbStack — fully open-source, works on macOS/Windows/Linux, and has built-in AI code execution capabilities. Manage containers and images through a desktop GUI, or let AI agents run code safely in local sandboxes via MCP protocol.
 
 ## Why CrateBay?
 
-AI agents need a safe place to run code. Cloud sandboxes (E2B, Modal) charge per minute and send your code off-machine. CrateBay runs everything locally:
-
-- **Zero cost** — no cloud bills, no usage limits
-- **Private** — code never leaves your machine
-- **Fast** — local VM, no network round-trip
-- **Works with any AI** — MCP protocol, works with Claude Desktop, Cursor, Windsurf, and any MCP-compatible client
+- **Open source** — MIT licensed, free forever. Docker Desktop is proprietary; OrbStack is macOS-only
+- **Cross-platform** — macOS, Windows, Linux. No platform lock-in
+- **Built-in AI** — Chat with AI that can execute code in sandboxes. No other container tool does this
 - **No Docker required** — built-in VM runtime (macOS: Virtualization.framework, Linux: KVM, Windows: WSL2)
+- **MCP compatible** — connect Claude Desktop, Cursor, Windsurf to run code via MCP protocol
+- **Zero cost** — no cloud bills, no usage limits, code never leaves your machine
 
 ## How It Works
 
@@ -139,18 +138,19 @@ cratebay sandbox stop <id>
 
 ## Compared To
 
-| | CrateBay | E2B | Docker Desktop |
-|---|---|---|---|
-| Runs locally | Yes | No (cloud) | Yes |
-| AI-native (MCP) | Yes | API only | No |
-| Cost | Free | $0.01/min | Free / $5+/mo |
-| Privacy | Code stays local | Code on cloud | Code stays local |
-| No Docker required | Yes (built-in VM) | N/A | Requires Docker |
-| Open source | MIT | Partial | No |
+| | CrateBay | Docker Desktop | OrbStack | E2B |
+|---|---|---|---|---|
+| Open source | MIT | No | No | Partial |
+| Cross-platform | macOS/Win/Linux | macOS/Win/Linux | macOS only | Cloud |
+| Container mgmt | Yes | Yes | Yes | No |
+| AI chat + sandbox | Yes | No | No | API only |
+| MCP support | Yes | No | No | No |
+| Cost | Free | Free / $5+/mo | Free / $8/mo | $0.01/min |
+| No Docker needed | Yes (built-in VM) | Is Docker | Requires Docker | N/A |
 
 ## Status
 
-v0.9.0 — Core sandbox infrastructure complete, working toward v1.0 release.
+v0.9.0 → v1.0.0 — Container management + AI ChatPage with sandbox execution.
 
 See [docs/progress.md](docs/progress.md) for detailed development status and [docs/ROADMAP.md](docs/ROADMAP.md) for the release plan.