20aea356cc
## Thinking Path > - Paperclip orchestrates AI agents for zero-human companies > - Test infrastructure across server, ui, packages/* runs on Vitest > - Dependabot opened a narrow bump (3.2.4 → 3.2.6), but the wider workspace is on 3.2.4 and the major-version bridge to v4 needs a coordinated change set across configs and tests > - Staying on 3.x indefinitely leaves us behind on Vitest 4 (perf, pool, and config improvements) and forces repeated patch-only dependabot churn > - This pull request upgrades Vitest to 4.1.8 across the workspace, updates `server/vitest.config.ts` and `scripts/run-vitest-stable.mjs` for the new API, and adjusts two UI tests for the new assertion semantics > - The benefit is a single, coherent Vitest 4 upgrade that supersedes #7570 and gets us on the supported major line ## What Changed - Bump `vitest` from `3.2.4` to `4.1.8` across root, `server`, `ui`, and all `packages/*` (including plugin examples and sandbox providers) - Update `server/vitest.config.ts` for Vitest 4 config surface - Update `scripts/run-vitest-stable.mjs` to match the new runner behavior - Adjust `ui/src/components/CommentThread.test.tsx` and `ui/src/components/MarkdownEditor.test.tsx` for Vitest 4 matcher/timing semantics - Refresh `pnpm-lock.yaml` ## Verification - `pnpm install` resolves cleanly with the new lockfile - `pnpm -w -r test` (server, ui, packages) runs under Vitest 4.1.8 ## Risks - Major-version Vitest bump: behavioral changes in pools, fake timers, and matcher strictness can surface flake. Test config and the two UI tests were updated to match v4 semantics; broader test runs should be watched on CI before merge. - Supersedes dependabot PR #7570 (3.2.4 → 3.2.6); that PR should be closed. ## Model Used - Claude (Anthropic) — `claude-opus-4-7`, extended thinking, tool use enabled ## Checklist - [x] I have included a thinking path that traces from project context to this change - [x] I have specified the model used (with version and capability details) - [x] I have checked ROADMAP.md and confirmed this PR does not duplicate planned core work - [ ] I have run tests locally and they pass - [ ] I have added or updated tests where applicable - [ ] If this change affects the UI, I have included before/after screenshots - [ ] I have updated relevant documentation to reflect my changes - [x] I have considered and documented any risks above - [x] I will address all Greptile and reviewer comments before requesting merge Closes #7570
@paperclipai/plugin-exe-dev
Published exe.dev sandbox provider plugin for Paperclip.
This package lives in the Paperclip monorepo, but it is intentionally excluded from the root pnpm workspace and shaped to publish and install like a standalone npm package. That lets operators install it from the Plugins page by package name without introducing root lockfile churn.
Install
From a Paperclip instance, install:
@paperclipai/plugin-exe-dev
Configuration
Configure exe.dev from Company Settings -> Environments, not from the plugin's instance settings page.
- Put the exe.dev API token on the sandbox environment itself.
- When you save an environment, Paperclip stores pasted API keys and pasted SSH private keys as company secrets.
EXE_API_KEYremains an optional host-level fallback when an environment omits the API token.- The current implementation provisions VMs through exe.dev's HTTPS API and runs commands through direct SSH to the created VM.
To use the provider successfully, the environment/host needs all of the following:
- An exe.dev API token that allows the lifecycle commands the provider uses:
new,ls, andrm.whoamiandhelpare recommended for manual debugging.restartis only needed if you extend the provider to restart retained VMs. - SSH access from the Paperclip host to the resulting
*.exe.xyzVMs. - An SSH private key that exe.dev already recognizes. You can either:
- paste the private key into the environment config via
sshPrivateKey - point
sshIdentityFileat an absolute host path - or leave both blank and rely on the host's default SSH agent/keychain
- paste the private key into the environment config via
- The matching public key must already be registered with exe.dev before the provider can execute commands inside the VM.
Operational notes:
- If exe.dev replies
Please complete registration by running: ssh exe.dev, the host key has not finished exe.dev onboarding yet. - Reusable leases keep the VM alive between runs. exe.dev does not expose a documented "stop and later resume" command in the public CLI docs, so
reuseLease: truemeans "retain the VM" rather than "suspend it." - The provisioning path uses
https://exe.dev/exec, which exe.dev documents as a command-style HTTPS API with a 30-second request timeout. Typicalnewcalls are expected to fit inside that limit; command execution itself does not use/exec. - Probes still create and delete a real exe.dev VM through
/exec, and so do thenew/rmcalls inside the normal acquire/release lifecycle. Treat all of those as real provisioning cost, not just probes. - exe.dev runs
--setup-scriptas the unprivilegedexedevuser, not as root. That user has passwordlesssudo, so any system-level steps in a customsetupScriptmust invokesudoexplicitly (for examplesudo apt-get install -y …). When you omitsetupScript, the plugin supplies a default that installs Node 20 via the official nodesource script — Paperclip's sandbox callback bridge is a Node program, so the VM needsnodeonPATHbefore the bridge can launch.
Local development
cd packages/plugins/sandbox-providers/exe-dev
pnpm install --ignore-workspace --no-lockfile
pnpm build
pnpm test
pnpm typecheck
These commands assume the repo root has already been installed once so the local @paperclipai/plugin-sdk workspace package is available to the compiler during development.
Package layout
src/manifest.tsdeclares the sandbox-provider driver metadatasrc/plugin.tsimplements the environment lifecycle hookspaperclipPlugin.manifestandpaperclipPlugin.workerpoint the host at the built plugin entrypoints indist/