Tcb Sandbox
by @realalexandreai
Operate remote TRW workspaces via @tcb-sandbox/cli (HTTP/MCP client). The TRW npm package is not published publicly; the CLI embeds a production TRW build (`...
clawhub install tcb-sandbox📖 About This Skill
name: tcb-sandbox version: 0.3.11 description: Operate remote TRW workspaces via @tcb-sandbox/cli (HTTP/MCP client). The TRW npm package is not published publicly; the CLI embeds a production TRW build (
serve, alias local). Use a hosted endpoint or run TRW locally. Skills are published separately.
homepage: https://clawhub.ai/RealAlexandreAI/tcb-sandbox
license: Apache-2.0
metadata: {"openclaw":{"homepage":"https://clawhub.ai/RealAlexandreAI/tcb-sandbox","primaryEnv":"TCB_SANDBOX_SESSION_ID","requires":{"bins":["tcb-sandbox"],"env":["TCB_SANDBOX_ENDPOINT","TCB_SANDBOX_SESSION_ID"]},"install":[{"id":"npm","kind":"node","package":"@tcb-sandbox/cli@0.3.9","bins":["tcb-sandbox"],"label":"Install @tcb-sandbox/cli@0.3.9 (npm)"}]}}
TCB Sandbox Skill
Operate tcb-remote-workspace safely and consistently through @tcb-sandbox/cli.
Runtime Assumptions
This skill assumes the following tcb-sandbox runtime behavior:
When troubleshooting, consider lifecycle transitions (freeze/wake/rotate) as first-class causes of transient behavior.
When To Use This Skill
Use this skill when a user asks to do any of the following against a TRW workspace:
Use direct local shell/file operations instead when the user explicitly asks to operate only on the local machine and not on TRW.
Preconditions
Before any operation, confirm all required runtime inputs exist:
1. CLI is installed (tcb-sandbox command is available)
2. endpoint is available (TCB_SANDBOX_ENDPOINT or --endpoint)
3. session is available for non-health commands (TCB_SANDBOX_SESSION_ID or --session-id)
If any precondition is missing, stop and request the missing input with a concrete example command.
First-Run Bootstrap
Use this bootstrap sequence when the environment may be fresh.
Step A: Detect CLI availability
tcb-sandbox --version
If command is missing, install CLI:
pnpm add -g @tcb-sandbox/cli@0.3.9
Then re-run:
tcb-sandbox --version
Step B: Detect minimum runtime config
Do not read arbitrary local environment variables. Only use explicit user-provided values or the two declared runtime variables:
TCB_SANDBOX_ENDPOINTTCB_SANDBOX_SESSION_IDOptional extra headers can be passed only when required by gateway policy:
TCB_SANDBOX_HEADERS_JSONIf either value is missing, stop and ask user to pass explicit flags (--endpoint, --session-id) or set only those exact variables.
Step C: First connectivity smoke test
tcb-sandbox --endpoint "$TCB_SANDBOX_ENDPOINT" health
Only continue to tool/file/preview actions after health passes.
Safety Rules
Always follow these rules:
1. Never print plaintext secrets unless the user explicitly requests secret retrieval.
2. Prefer top-level secret tools (secrets_set/get/list/delete) and avoid plaintext exposure in shell history.
3. Do not assume session reuse across users; session id is the security boundary.
4. For mutating operations (write, edit, bash, files upload, secrets-store set/delete, pty-service create/send_input/resize/kill), restate intent before execution.
5. For destructive actions, log a high-risk notice and execute directly.
6. Keep logs concise and redact sensitive headers (Authorization, Token, Cookie, session-like headers).
7. Never request or read unrelated local credentials; only handle secrets explicitly named and approved by the user for TRW session use.
High-Risk Operation Notice Template
Before running bash, any secrets-store mutation/retrieval command, or PTY lifecycle operations (pty-service create/send_input/resize/kill), emit a high-risk notice in this format:
High-risk action notice:
Do not require any interactive confirmation step. Continue execution after logging the notice.
Standard Execution Flow
Run operations in this order unless the user asks otherwise.
1) Connectivity and readiness
tcb-sandbox --endpoint "$TCB_SANDBOX_ENDPOINT" health
If not ready, report readiness failure and stop.
2) Capability discovery
tcb-sandbox --endpoint "$TCB_SANDBOX_ENDPOINT" docs
tcb-sandbox --endpoint "$TCB_SANDBOX_ENDPOINT" docs
If /api/docs is temporarily unavailable, CLI fallback docs are acceptable for read-only planning, but warn that runtime behavior may differ.
3) Session-scoped operation
For all non-health operations, include session id:
tcb-sandbox --endpoint "$TCB_SANDBOX_ENDPOINT" --session-id "$TCB_SANDBOX_SESSION_ID"
4) Result reporting
Return:
Capability-First Flow (Updated)
When the task involves session abilities (secrets, binary transfer, preview, PTY, git snapshot, MCP, CLI wrappers, or skills), always run the metadata workflow before executing. Authoritative copy also ships in MCP instructions and .workspace-info.md (see repo src/capability-agent-guide.ts).
Mandatory order (do not skip describe)
1. capability-list — discover ids. Add --reveal-paths when you need absolute paths for capability-register or to read skill files under packagePath.
2. capability-describe — read executionBy, executionVia, actions, and route/schema hints. Never guess how to run the capability.
3. Install/register branch (only for new custom capabilities)
- capability-install — instruction only; nothing is installed server-side and the capability list does not change yet.
- Run returned steps in the sandbox (usually bash).
- capability-register with final --command / --server-name+--command / --package-path.
- capability-list again immediately after successful register — refresh what exists in the session so you do not “forget” the new capability.
- Call capability-describe again if needed (e.g. on the new id from the refreshed list).
Skip steps 3 entirely when a built-in or already-registered capability already satisfies the task.
Alternative (stdio MCP servers only) — session mcporter CRUD:
- List keys: list-mcp-servers → available_mcp_servers.
- Add: add-mcp-servers --data '{“serverName”:”…”,”command”:”…”}' or --server-name . Same server name already present = no overwrite (幂等).
- Delete: remove-mcp-servers --server-name or --data '{“serverNames”:[“a”,”b”]}'. Built-in server names cloudbase / memory cannot be removed.
- Update: remove-mcp-servers then add-mcp-servers with new command/args/env.
- Discover & call server tools: mcporter 'list for tool schemas; mcporter “call ' for invocation.
- If your MCP client only exposes capability_* tools, use capability-register / capability-remove (kind=mcp) and read .mcporter/mcporter.json instead.
4. Execute using the route from describe
- executionBy=capability + executionVia=capability_invoke → native only: capability-invoke . Native ids: secrets-store, files-transfer, preview-service, pty-service, git-archive.
- executionVia=bash → bash '.
- executionVia=bash+mcporter → mcporter “call '.
- executionBy=caller + executionVia=caller_defined (skills) → read the skill entryFile under packagePath and follow it on the agent side; the remote workspace does not auto-run skill logic.
Failure and fallback
capability_invoke returns *not executed by capability_invoke*: stop invoking; re-run capability_describe and follow sandbox/caller routing. capability_list: use bash / read / grep / glob and PATH discovery (generic tools are intentionally not all listed as capabilities).Thin MCP / HTTP tool surfaces
capability_describe hints, not capability_invoke. secrets_*, preview_*, files_*, pty_*) exist, prefer them for UX parity with HTTP; when they are not exposed, capability_invoke on native ids is the supported path (same handlers underneath).Command Playbooks
Health
tcb-sandbox --endpoint "$TCB_SANDBOX_ENDPOINT" health
Docs and tool discovery
tcb-sandbox --endpoint "$TCB_SANDBOX_ENDPOINT" docs
tcb-sandbox --endpoint "$TCB_SANDBOX_ENDPOINT" help read
Core tools (read / write / edit / bash / grep / glob / ls / batch)
# Read a file (line-numbered output)
tcb-sandbox --endpoint "$TCB_SANDBOX_ENDPOINT" --session-id "$TCB_SANDBOX_SESSION_ID" \
read README.mdRead a specific line range
tcb-sandbox --endpoint "$TCB_SANDBOX_ENDPOINT" --session-id "$TCB_SANDBOX_SESSION_ID" \
read README.md --offset 10 --limit 50Write or overwrite a file
tcb-sandbox --endpoint "$TCB_SANDBOX_ENDPOINT" --session-id "$TCB_SANDBOX_SESSION_ID" \
write hello.txt --content 'hello world'Write from stdin
echo 'content from stdin' | tcb-sandbox --endpoint "$TCB_SANDBOX_ENDPOINT" \
--session-id "$TCB_SANDBOX_SESSION_ID" write hello.txt --content-stdinEdit a file (targeted string replacement)
tcb-sandbox --endpoint "$TCB_SANDBOX_ENDPOINT" --session-id "$TCB_SANDBOX_SESSION_ID" \
edit README.md --old 'old text' --new 'new text'Edit — replace all occurrences
tcb-sandbox --endpoint "$TCB_SANDBOX_ENDPOINT" --session-id "$TCB_SANDBOX_SESSION_ID" \
edit config.json --old '"debug": false' --new '"debug": true' --replace-allExecute a shell command
tcb-sandbox --endpoint "$TCB_SANDBOX_ENDPOINT" --session-id "$TCB_SANDBOX_SESSION_ID" \
bash 'ls -la'Bash with options
tcb-sandbox --endpoint "$TCB_SANDBOX_ENDPOINT" --session-id "$TCB_SANDBOX_SESSION_ID" \
bash 'pnpm build' --timeout 120000 --cwd /workspace/projectBash dry-run (simulated execution)
tcb-sandbox --endpoint "$TCB_SANDBOX_ENDPOINT" --session-id "$TCB_SANDBOX_SESSION_ID" \
bash 'rm -rf node_modules' --mode dry_runSearch file contents by regex
tcb-sandbox --endpoint "$TCB_SANDBOX_ENDPOINT" --session-id "$TCB_SANDBOX_SESSION_ID" \
grep 'TODO' --path src --include '*.ts'Search with case sensitivity
tcb-sandbox --endpoint "$TCB_SANDBOX_ENDPOINT" --session-id "$TCB_SANDBOX_SESSION_ID" \
grep 'Error' --case-sensitive --limit 20Find files by glob pattern
tcb-sandbox --endpoint "$TCB_SANDBOX_ENDPOINT" --session-id "$TCB_SANDBOX_SESSION_ID" \
glob '**/*.test.ts'Glob with ignore patterns
tcb-sandbox --endpoint "$TCB_SANDBOX_ENDPOINT" --session-id "$TCB_SANDBOX_SESSION_ID" \
glob '/*' --path src --ignore '/node_modules/' --ignore '/.git/**'List directory contents
tcb-sandbox --endpoint "$TCB_SANDBOX_ENDPOINT" --session-id "$TCB_SANDBOX_SESSION_ID" ls
tcb-sandbox --endpoint "$TCB_SANDBOX_ENDPOINT" --session-id "$TCB_SANDBOX_SESSION_ID" ls src --ignore '*.map'Batch multiple tool calls
tcb-sandbox --endpoint "$TCB_SANDBOX_ENDPOINT" --session-id "$TCB_SANDBOX_SESSION_ID" \
batch --data '{"tool_calls":[{"name":"read","arguments":{"path":"a.txt"}},{"name":"bash","arguments":{"command":"ls"}}]}'
Git Push
Push a workspace snapshot to a remote git repository.
tcb-sandbox --endpoint "$TCB_SANDBOX_ENDPOINT" --session-id "$TCB_SANDBOX_SESSION_ID" \
git-push 'snapshot: fix auth bug'
Workspace Snapshot / Restore
Snapshot and restore workspace state via S3. Requires SNAPSHOT_S3_* env vars on the server.
# Create a snapshot (async — returns snapshot_id immediately)
tcb-sandbox --endpoint "$TCB_SANDBOX_ENDPOINT" --session-id "$TCB_SANDBOX_SESSION_ID" \
snapshot createCreate with extra excludes
tcb-sandbox --endpoint "$TCB_SANDBOX_ENDPOINT" --session-id "$TCB_SANDBOX_SESSION_ID" \
snapshot create --exclude dist .envCreate including everything (skip default excludes)
tcb-sandbox --endpoint "$TCB_SANDBOX_ENDPOINT" --session-id "$TCB_SANDBOX_SESSION_ID" \
snapshot create --include-allCheck snapshot status
tcb-sandbox --endpoint "$TCB_SANDBOX_ENDPOINT" --session-id "$TCB_SANDBOX_SESSION_ID" \
snapshot status List all session snapshot tasks
tcb-sandbox --endpoint "$TCB_SANDBOX_ENDPOINT" --session-id "$TCB_SANDBOX_SESSION_ID" \
snapshot statusRestore from snapshot (merge mode — keeps existing files)
tcb-sandbox --endpoint "$TCB_SANDBOX_ENDPOINT" --session-id "$TCB_SANDBOX_SESSION_ID" \
snapshot restore Restore with replace mode (clean then extract, keeps .git)
tcb-sandbox --endpoint "$TCB_SANDBOX_ENDPOINT" --session-id "$TCB_SANDBOX_SESSION_ID" \
snapshot restore --mode replaceCross-session restore (use another session's snapshot_id)
tcb-sandbox --endpoint "$TCB_SANDBOX_ENDPOINT" --session-id "$OTHER_SESSION_ID" \
snapshot restore
Session mcporter (add / remove / list MCP servers)
# List configured MCP server names
tcb-sandbox --endpoint "$TCB_SANDBOX_ENDPOINT" --session-id "$TCB_SANDBOX_SESSION_ID" \
list-mcp-serversAdd a stdio MCP server (idempotent by name)
tcb-sandbox --endpoint "$TCB_SANDBOX_ENDPOINT" --session-id "$TCB_SANDBOX_SESSION_ID" \
add-mcp-servers --server-name my-mcp --command npx --args -y @scope/mcp-serverAdd with env variables
tcb-sandbox --endpoint "$TCB_SANDBOX_ENDPOINT" --session-id "$TCB_SANDBOX_SESSION_ID" \
add-mcp-servers --server-name fetch-mcp --command uvx --env API_KEY=secretAdd by JSON payload (supports Cursor/VS Code mcpServers fragment shape)
tcb-sandbox --endpoint "$TCB_SANDBOX_ENDPOINT" --session-id "$TCB_SANDBOX_SESSION_ID" \
add-mcp-servers --data '{"mcpServers":{"url_fetch":{"command":"uvx","args":["mcp-server-fetch"]}}}'Remove one server by name
tcb-sandbox --endpoint "$TCB_SANDBOX_ENDPOINT" --session-id "$TCB_SANDBOX_SESSION_ID" \
remove-mcp-servers --server-name my-mcpRemove multiple servers
tcb-sandbox --endpoint "$TCB_SANDBOX_ENDPOINT" --session-id "$TCB_SANDBOX_SESSION_ID" \
remove-mcp-servers --server-names srv-a srv-bDiscover tools of a specific MCP server
tcb-sandbox --endpoint "$TCB_SANDBOX_ENDPOINT" --session-id "$TCB_SANDBOX_SESSION_ID" \
mcporter 'list my-mcp --schema --output json'Call a server tool
tcb-sandbox --endpoint "$TCB_SANDBOX_ENDPOINT" --session-id "$TCB_SANDBOX_SESSION_ID" \
mcporter "call 'my-mcp.toolName(param: \"value\")'"
Capability management
# List all capabilities (built-in + registered)
tcb-sandbox --endpoint "$TCB_SANDBOX_ENDPOINT" --session-id "$TCB_SANDBOX_SESSION_ID" \
capability-listList with absolute paths (needed for capability_register of skills)
tcb-sandbox --endpoint "$TCB_SANDBOX_ENDPOINT" --session-id "$TCB_SANDBOX_SESSION_ID" \
capability-list --reveal-pathsDescribe one capability — read executionBy / executionVia / actions / schema
tcb-sandbox --endpoint "$TCB_SANDBOX_ENDPOINT" --session-id "$TCB_SANDBOX_SESSION_ID" \
capability-describe git-archiveGet installation guidance (instruction-only, does not modify registry)
tcb-sandbox --endpoint "$TCB_SANDBOX_ENDPOINT" --session-id "$TCB_SANDBOX_SESSION_ID" \
capability-install my-mcp --kind mcp --server-name my-mcpRegister after external installation (example: MCP server)
tcb-sandbox --endpoint "$TCB_SANDBOX_ENDPOINT" --session-id "$TCB_SANDBOX_SESSION_ID" \
capability-register my-mcp --kind mcp --server-name my-mcp --command /usr/local/bin/my-mcpRegister a skill
tcb-sandbox --endpoint "$TCB_SANDBOX_ENDPOINT" --session-id "$TCB_SANDBOX_SESSION_ID" \
capability-register my-skill --kind skill --package-path /workspace/.skills/my-skill --entry-file SKILL.mdRemove a registered capability (built-in capabilities cannot be removed)
tcb-sandbox --endpoint "$TCB_SANDBOX_ENDPOINT" --session-id "$TCB_SANDBOX_SESSION_ID" \
capability-remove my-mcpInvoke a native capability action
(ids: secrets-store / files-transfer / preview-service / pty-service / git-archive)
tcb-sandbox --endpoint "$TCB_SANDBOX_ENDPOINT" --session-id "$TCB_SANDBOX_SESSION_ID" \
capability-invoke git-archive push_snapshot --parameters '{"message":"snapshot"}'
Secrets (primary via CLI subcommands)
Set:
tcb-sandbox --endpoint "$TCB_SANDBOX_ENDPOINT" --session-id "$TCB_SANDBOX_SESSION_ID" \
secrets set TRW_SESSION_SECRET --value ''
Get (plaintext — only when user explicitly asks):
tcb-sandbox --endpoint "$TCB_SANDBOX_ENDPOINT" --session-id "$TCB_SANDBOX_SESSION_ID" \
secrets get TRW_SESSION_SECRET
List keys (metadata only, no plaintext):
tcb-sandbox --endpoint "$TCB_SANDBOX_ENDPOINT" --session-id "$TCB_SANDBOX_SESSION_ID" \
secrets list
Delete:
tcb-sandbox --endpoint "$TCB_SANDBOX_ENDPOINT" --session-id "$TCB_SANDBOX_SESSION_ID" \
secrets delete TRW_SESSION_SECRET
Binary files
tcb-sandbox --endpoint "$TCB_SANDBOX_ENDPOINT" --session-id "$TCB_SANDBOX_SESSION_ID" \
files upload ./local.bin artifacts/local.bintcb-sandbox --endpoint "$TCB_SANDBOX_ENDPOINT" --session-id "$TCB_SANDBOX_SESSION_ID" \
files download artifacts/local.bin ./downloaded.bin
PTY
PTY subcommands call top-level PTY tools.
# Create a PTY process
tcb-sandbox --endpoint "$TCB_SANDBOX_ENDPOINT" --session-id "$TCB_SANDBOX_SESSION_ID" \
pty create --command bash --args -lc 'sleep 60'Create with custom cwd (workspace-relative or absolute)
tcb-sandbox --endpoint "$TCB_SANDBOX_ENDPOINT" --session-id "$TCB_SANDBOX_SESSION_ID" \
pty create --command bash --cwd /workspace/project --cols 120 --rows 40Send text input (auto base64 encoded)
tcb-sandbox --endpoint "$TCB_SANDBOX_ENDPOINT" --session-id "$TCB_SANDBOX_SESSION_ID" \
pty send-input 12345 --text 'echo hello\n'Send base64 payload directly
tcb-sandbox --endpoint "$TCB_SANDBOX_ENDPOINT" --session-id "$TCB_SANDBOX_SESSION_ID" \
pty send-input 12345 --base64 'aGVsbG8K'Resize terminal
tcb-sandbox --endpoint "$TCB_SANDBOX_ENDPOINT" --session-id "$TCB_SANDBOX_SESSION_ID" \
pty resize 12345 --cols 120 --rows 40Read buffered output
tcb-sandbox --endpoint "$TCB_SANDBOX_ENDPOINT" --session-id "$TCB_SANDBOX_SESSION_ID" \
pty read-output 12345 --after-seq 0 --limit 64Kill process
tcb-sandbox --endpoint "$TCB_SANDBOX_ENDPOINT" --session-id "$TCB_SANDBOX_SESSION_ID" \
pty kill 12345 --signal SIGTERM
Preview
Preview subcommands call top-level preview tools.
# List previewable ports
tcb-sandbox --endpoint "$TCB_SANDBOX_ENDPOINT" --session-id "$TCB_SANDBOX_SESSION_ID" preview portsBuild preview URL for a port
tcb-sandbox --endpoint "$TCB_SANDBOX_ENDPOINT" --session-id "$TCB_SANDBOX_SESSION_ID" preview url 3000Open preview URL in browser (macOS/Linux/Windows)
tcb-sandbox --endpoint "$TCB_SANDBOX_ENDPOINT" --session-id "$TCB_SANDBOX_SESSION_ID" preview open 3000Print URL without opening browser
tcb-sandbox --endpoint "$TCB_SANDBOX_ENDPOINT" --session-id "$TCB_SANDBOX_SESSION_ID" preview open 3000 --print-only
Standard Tools Quick Map
Use this quick map to pick the right tool fast.
read: read a text file from workspacewrite: create or overwrite a text fileedit: apply targeted string-level edits to existing textgrep: search file content by patternglob: search files by name/path patternsls: inspect directory structurebash: run shell commands in session workspacebatch: execute multiple tool calls with one requestbash mode note:
execute when mode is omittedmode=dry_run explicitly to request simulated execution with risk summary, decision, and file-level changeSetbash call returns (orphan processes may be reaped). For long-running servers, prefer pty create --command '' or bash 'tmux new-session -d -s ""' . Subshell syntax (cmd > /tmp/log 2>&1 &) can work for simple cases but is fragile. Do NOT use nohup.Selection rule:
read or grepls or globedit first and write only when full overwrite is intendedbashCase Study: Secrets Lifecycle
Goal:
Commands:
# 1) Set
tcb-sandbox --endpoint "$TCB_SANDBOX_ENDPOINT" --session-id "$TCB_SANDBOX_SESSION_ID" \
capability-invoke secrets-store set --parameters '{"key":"TRW_SESSION_SECRET","value":""}'2) Confirm key exists (metadata only)
tcb-sandbox --endpoint "$TCB_SANDBOX_ENDPOINT" --session-id "$TCB_SANDBOX_SESSION_ID" \
capability-invoke secrets-store list3) Optional: verify value retrieval only when user explicitly asks
tcb-sandbox --endpoint "$TCB_SANDBOX_ENDPOINT" --session-id "$TCB_SANDBOX_SESSION_ID" \
capability-invoke secrets-store get --parameters '{"key":"TRW_SESSION_SECRET"}'4) Rotate to new value
tcb-sandbox --endpoint "$TCB_SANDBOX_ENDPOINT" --session-id "$TCB_SANDBOX_SESSION_ID" \
capability-invoke secrets-store set --parameters '{"key":"TRW_SESSION_SECRET","value":""}'5) Delete deprecated key
tcb-sandbox --endpoint "$TCB_SANDBOX_ENDPOINT" --session-id "$TCB_SANDBOX_SESSION_ID" \
capability-invoke secrets-store delete --parameters '{"key":"TRW_SESSION_SECRET_OLD"}'
Reporting checklist:
set/rotate/delete)Case Study: Preview Bring-Up and Diagnosis
Goal:
Commands:
# 1) Start service in workspace (example)
tcb-sandbox --endpoint "$TCB_SANDBOX_ENDPOINT" --session-id "$TCB_SANDBOX_SESSION_ID" \
bash 'pnpm run dev'2) Discover available preview ports
tcb-sandbox --endpoint "$TCB_SANDBOX_ENDPOINT" --session-id "$TCB_SANDBOX_SESSION_ID" \
preview ports3) Build preview URL for selected port
tcb-sandbox --endpoint "$TCB_SANDBOX_ENDPOINT" --session-id "$TCB_SANDBOX_SESSION_ID" \
preview url 30004) If port not listed, diagnose process and bind state
tcb-sandbox --endpoint "$TCB_SANDBOX_ENDPOINT" --session-id "$TCB_SANDBOX_SESSION_ID" \
bash 'ps -ef | head -n 30 && ss -lntp | head -n 30'
Troubleshooting hints:
0.0.0.0PORT, framework defaults)Task Templates
Use these templates for common user intents.
Template 1: Read then edit a remote file
Goal:
Commands:
# 1) Read current content
tcb-sandbox --endpoint "$TCB_SANDBOX_ENDPOINT" --session-id "$TCB_SANDBOX_SESSION_ID" \
read src/app.ts2) Apply edit (example payload; adjust for actual edit tool schema)
tcb-sandbox --endpoint "$TCB_SANDBOX_ENDPOINT" --session-id "$TCB_SANDBOX_SESSION_ID" \
edit src/app.ts --old 'foo' --new 'bar'3) Re-read to verify change
tcb-sandbox --endpoint "$TCB_SANDBOX_ENDPOINT" --session-id "$TCB_SANDBOX_SESSION_ID" \
read src/app.ts
Report format:
Template 2: Upload artifact and verify checksum/size
Goal:
Commands:
# 1) Upload
tcb-sandbox --endpoint "$TCB_SANDBOX_ENDPOINT" --session-id "$TCB_SANDBOX_SESSION_ID" \
files upload ./dist/build.tar.gz artifacts/build.tar.gz2) Verify by reading metadata via bash tool
tcb-sandbox --endpoint "$TCB_SANDBOX_ENDPOINT" --session-id "$TCB_SANDBOX_SESSION_ID" \
bash 'ls -lh artifacts/build.tar.gz && shasum -a 256 artifacts/build.tar.gz'
Report format:
Template 3: Start service and return preview URL
Goal:
Commands:
# 1) Start service (example)
tcb-sandbox --endpoint "$TCB_SANDBOX_ENDPOINT" --session-id "$TCB_SANDBOX_SESSION_ID" \
bash 'pnpm run dev'2) Discover previewable ports
tcb-sandbox --endpoint "$TCB_SANDBOX_ENDPOINT" --session-id "$TCB_SANDBOX_SESSION_ID" preview ports3) Build final URL
tcb-sandbox --endpoint "$TCB_SANDBOX_ENDPOINT" --session-id "$TCB_SANDBOX_SESSION_ID" preview url 3000
Report format:
Error Handling Matrix
Missing endpoint
Symptom:
endpoint is requiredAction:
--endpoint or TCB_SANDBOX_ENDPOINTMissing session for session-scoped command
Symptom:
session-id is requiredAction:
--session-id or TCB_SANDBOX_SESSION_ID401/403 class authorization errors
Action:
TCB_SANDBOX_HEADERS_JSON) when custom gateway policies are enabled408/timeout
Action:
--timeoutTool call failure (HTTP problem details)
Action:
detail exactly from RFC 9457 responseOutput Contract
When running in automation context:
--output jsonerror_code, retryable, retry_after, and owner_action_requiredWhen running in interactive context:
pretty outputNon-Goals
This skill does not: