Skip to main content

Provider API keys forwarded to sandboxes

Agent CLI tools running inside Daytona sandboxes can now authenticate with LLM providers automatically. Fabro collects the relevant API key environment variables (e.g. ANTHROPIC_API_KEY, OPENAI_API_KEY) and forwards them into the sandbox environment, so CLI agents like Claude and Codex can make API calls without manual credential setup. Previously, sandbox-based agents would fail to authenticate because API keys were only available on the Fabro server, not inside the sandbox.

Checkpoint pushing for Daytona runs

When a workflow runs on a Daytona sandbox, Fabro now pushes the run branch to origin after each checkpoint. Previously, commits on the run branch were lost when the sandbox was deleted, making it impossible to review intermediate work. This required upgrading the GitHub App token permission from contents:read to contents:write. Tokens are automatically refreshed before they expire.

GitHub App tokens for Daytona

Daytona sandboxes now authenticate git clones using GitHub App Installation Access Tokens (IATs) instead of the user’s gh CLI token. Each token is scoped to contents: read on the specific repository being cloned. Fabro automatically detects whether a repository is public or private. Public repositories are cloned without credentials. Private repositories get a short-lived, minimally-scoped IAT generated from the GitHub App configured during fabro install. When credentials are missing or misconfigured, Fabro provides specific error messages for each failure mode:
  • App not installed for the organization
  • Installation suspended
  • Repository not accessible to the app
  • Authentication failure (bad key or app ID)
API response shapes have changed. Flat fields are now nested into typed sub-objects (e.g. model_id becomes model.id), and relative time strings are replaced with ISO 8601 timestamps. Several endpoints were renamed: retrieveRunSvg is now retrieveRunGraph, listRunCompare is now retrieveRunDiff, and RunListItemStatus is now BoardColumn.To migrate:
  1. Regenerate your TypeScript client: cd lib/packages/fabro-api-client && bun run generate
  2. Update any code that reads flat fields to use the new nested paths
  3. Update any code that displays timestamps — the API now returns ISO 8601 strings instead of pre-formatted relative times

More

  • API responses now nest related fields into typed sub-objects (e.g. model_id becomes model.id) and return ISO 8601 timestamps instead of pre-formatted relative strings
  • /runs/{id}/retro now returns a structured RetroDetail schema instead of an untyped JSON blob; /retros supports new workflow and smoothness filter parameters
  • Adds pagination parameters to listRunQuestions, listRunStages, and listRunVerifications endpoints
  • Removes redundant API response types (StartRunResponse, CancelRunResponse, SteerRunResponse, SubmitAnswerResponse)
  • Filters preamble noise by excluding meta nodes, blank context values, and empty sections
  • Fixes 27 OpenAPI spec review items across verifications, insights, HITL, run outputs, workflows, and configuration
  • Fixed dry-run mode issues with stub scripts, runner working directory, and transition weights
  • Fixed GitHub App repo visibility check incorrectly treating 401/403 responses as public
  • Fixed duplicate .env variables when re-running fabro install