docs(portal): cover latest portal telemetry changes

CHANGELOG.md

@@ -8,7 +8,7 @@
 - Added `crabbox webvnc --daemon`/`--background` plus `--status`/`--stop` for background WebVNC bridges without tmux.
 - Added `crabbox media preview` for creating motion-trimmed GIF previews and optional trimmed MP4 clips from desktop recordings.
 - Added `crabbox code` and per-lease `/code/` portal URLs for authenticated code-server access on `--code` Linux leases.
-- Added per-lease portal detail pages with bridge status, pasteable commands, recent run links, and a stop action.
+- Added per-lease portal detail pages with bridge status, access-panel copy commands, recent run links, and a stop action.
 - Added portal run detail pages with command metadata, result summaries, dense viewport-fitted portal tables, provider/OS badges, active/ended/provider/target filters, sticky portal chrome, and copyable retained log previews.
 - Added admin portal visibility for non-owned runner leases, including `mine`/`system` filters and matching detail/code/VNC drilldowns for operator sessions.
 - Added latest lease telemetry snapshots for coordinator-backed Linux leases, including load, memory, disk, and uptime in `status --json` and the portal detail view.
@@ -33,6 +33,7 @@
 - Fixed portal command rows so their copy affordance copies the matching local command instead of only labelling the section.
 - Fixed portal Windows target badges to show compact `win` and `win (wsl2)` labels instead of `windows / normal`.
 - Fixed portal access and time columns to use compact capability icons, relative time labels, and sortable time metadata instead of wide action buttons and Zulu timestamps.
+- Fixed lease detail layout so local commands live inside the access panel instead of forcing a separate full-width commands section above recent runs.
 - Fixed Windows WebVNC credential handling so generated portal links preserve special characters and managed TightVNC sessions copy service passwords into the logged-in user's registry profile.
 - Fixed managed Linux browser setup so Chrome/Chromium launches skip first-run and default-browser prompts.
 - Fixed managed Linux browser cloud-init setup so Chrome/Chromium policy and wrapper generation cannot break YAML parsing.

README.md

@@ -80,6 +80,7 @@ For the full mental model, see [How Crabbox Works](docs/how-it-works.md). For th
 - **Cost guardrails.** Per-lease and monthly spend caps. Live pricing from EC2 Spot history or Hetzner server-type prices, with static fallbacks. `crabbox usage` summarizes spend by user, org, provider, and type.
 - **GitHub Actions hydration.** `crabbox actions hydrate` registers a leased box as an ephemeral Actions runner, so the repo's own workflow installs runtimes, services, and secrets. Crabbox does not parse Actions YAML.
 - **Interactive desktop and browser leases.** `--browser` provisions Chrome or Chromium for headless automation, `--desktop` provisions visible UI with tunnel-only VNC takeover on managed Linux, AWS native Windows, and AWS EC2 Mac targets, and QA systems such as Mantis own scenario logic, screenshots, and PR evidence. Hetzner Windows is not a managed target; use AWS for managed Windows or `provider: ssh` for an existing Windows host.
+- **Authenticated web portal.** Browser login opens owner-scoped lease and run views with searchable, paginated tables, compact provider/OS/access icons, relative sortable times, recent run logs/events, WebVNC, code-server, and Linux telemetry charts. Admin sessions can also see non-owned runner leases behind `mine`/`system` filters.
 - **Hardened coordinator auth.** GitHub browser login, owner-scoped leases, admin-only routes, optional GitHub team allowlists, Cloudflare Access JWT verification, and service-token support keep normal use and operator automation separate.
 - **OpenClaw plugin.** The repo root is a native OpenClaw plugin for box lifecycle operations: `crabbox_run`, `crabbox_warmup`, `crabbox_status`, `crabbox_list`, and `crabbox_stop`. Run inspection stays in the CLI and Crabbox skill.
 - **Operator surface.** `doctor`, `init`, `status`, `inspect`, `list`, `usage`, `history`, `logs`, `results`, `cache`, `admin`, `cleanup`, plus `--json` output where it matters.

docs/architecture.md

@@ -72,7 +72,7 @@ POST /v1/admin/leases/{id-or-slug}/delete
 
 Admin endpoints and `GET /v1/pool` require the separate admin token. GitHub browser-login tokens are user tokens for normal lease operations and are minted only after allowed GitHub org membership is verified. User-token list, exact-ID lookup, slug lookup, heartbeat, release, run history, logs, and usage are scoped to the token owner/org.
 
-Heartbeat bodies may include a `telemetry` object. The coordinator stores only the latest sanitized snapshot on the lease record. Current CLI snapshots include Linux load average, memory use, root-disk use, uptime, source, and capture timestamp.
+Heartbeat bodies may include a `telemetry` object. The coordinator stores the latest sanitized snapshot on the lease record and retains a bounded `telemetryHistory` ring of the latest 60 samples for portal trend charts. Current CLI snapshots include Linux load average, memory use, root-disk use, uptime, source, and capture timestamp. Completed run records may also store sanitized start/end telemetry snapshots so history can show resource deltas without keeping an unbounded time series.
 
 ## Durable Object State
 
@@ -81,8 +81,8 @@ Use one fleet Durable Object for MVP. It owns all atomic scheduling decisions.
 Core stored records:
 
 ```sql
-leases(id, slug, provider, cloud_id, region, owner, org, profile, class, server_type, server_id, server_name, provider_key, host, ssh_user, ssh_port, work_root, keep, ttl_seconds, idle_timeout_seconds, estimated_hourly_usd, max_estimated_usd, state, created_at, updated_at, last_touched_at, expires_at, released_at, ended_at)
-runs(id, lease_id, slug, owner, org, provider, class, server_type, command_json, state, exit_code, sync_ms, command_ms, duration_ms, log_bytes, log_truncated, results_json, started_at, ended_at)
+leases(id, slug, provider, cloud_id, region, owner, org, profile, class, server_type, server_id, server_name, provider_key, host, ssh_user, ssh_port, work_root, keep, ttl_seconds, idle_timeout_seconds, estimated_hourly_usd, max_estimated_usd, state, telemetry_json, telemetry_history_json, created_at, updated_at, last_touched_at, expires_at, released_at, ended_at)
+runs(id, lease_id, slug, owner, org, provider, class, server_type, command_json, state, exit_code, sync_ms, command_ms, duration_ms, log_bytes, log_truncated, results_json, telemetry_json, started_at, ended_at)
 runlog(run_id, bounded_stdout_stderr_capture)
 ```
 

docs/commands/code.md

@@ -48,6 +48,11 @@ Keep the local `crabbox code` process running while using the editor. The
 coordinator authenticates the browser through portal auth and authenticates the
 local bridge with a one-use, short-lived ticket.
 
+If the browser opens before the local bridge connects, the Code portal renders a
+waiting state with the exact `crabbox code --id <lease> --open` command, copy
+and reload controls, and bridge status. Once the bridge is connected, the page
+automatically opens the mapped workspace.
+
 Managed code-server starts with `Default Dark Modern` as the default theme. The
 bridge also chunks large HTTP responses and websocket frames so VS Code assets
 and extension-host traffic stay below coordinator websocket frame limits.
@@ -84,8 +89,9 @@ crabbox warmup --code
 
 The portal shows a bridge command
 
-The browser can reach the coordinator, but no local bridge is registered. Start
-`crabbox code --id <lease>` locally and keep it running.
+The browser can reach the coordinator, but no local bridge is registered. Use
+the command shown by the portal, or start `crabbox code --id <lease> --open`
+locally and keep it running.
 
 Check bridge health with:
 

docs/commands/status.md

@@ -34,4 +34,5 @@ status also prints the tailnet host/state. For coordinator-backed Linux leases
 that have received a recent heartbeat, status also includes the latest
 best-effort telemetry snapshot: load, memory, disk, uptime, and capture age.
 JSON status includes `telemetryHistory` when the coordinator has retained recent
-samples for portal trend charts.
+samples for portal trend charts. The retained history is bounded to the latest
+60 samples per lease.

docs/commands/webvnc.md

@@ -53,7 +53,8 @@ This keeps the security boundary the same as `crabbox vnc`:
 Use `--daemon` (or `--background`) to keep the bridge running without a tmux or
 foreground shell. Crabbox writes the bridge log and pid file under its local
 state directory and prints both paths. Use `--status` to print those paths
-again, and `--stop` to kill the background bridge for that lease.
+again, and `--stop` to kill the background bridge for that lease. Shutdown
+terminates both the daemon supervisor and the active child bridge process.
 
 `--network tailscale` changes only the SSH endpoint used for the local tunnel.
 The runner VNC service stays bound to loopback.

docs/features/coordinator.md

@@ -64,9 +64,11 @@ normal users. It defaults to active leases when any are active, and falls back t
 all visible leases when the active list is empty.
 
 `/portal/leases/{id-or-slug}` is the authenticated lease detail page. It shows
-the lease state, bridge status, compact provider/target badges, pasteable
-`ssh`, `run`, WebVNC, and code commands, a viewport-fitted recent runs grid with
-state filters, and a stop action for the visible lease.
+the lease state, bridge status, compact provider/target badges, latest Linux
+telemetry, access-panel copy commands for `ssh`, `run`, WebVNC, and code, a
+viewport-fitted recent runs grid with state filters, and a stop action for the
+visible lease. When multiple telemetry samples are present, the detail page
+adds load, memory, and disk sparklines plus stale/high-resource status pills.
 Portal run links mirror the `/v1/runs/...` resources but use the browser
 session cookie, so users can inspect logs and events without copying a bearer
 token into the browser. The run detail page at `/portal/runs/{run-id}` renders