Sync OpenSWE Documentation Files (#190)

This PR syncs documentation files from the OpenSWE repository.
  
  **Changes:**
  - Updated MDX files from `apps/docs/`
  - Target directory: `src/labs/swe/`
  - Updated images from `apps/docs/images/`
  - Target directory: `src/images/`
  - Source commit: f316685de3a4ad48a4d113662405b5868fae3aa1
  - Synced at 2025-08-19 23:54:13 UTC
  
  **Auto-generated by:** OpenSWE Documentation Sync Workflow

Co-authored-by: OpenSWE Bot <[email protected]>

Author: bracesproul

src/labs/swe/faq.mdx

@@ -16,6 +16,15 @@ description: Frequently Asked Questions
   Yes. When using Anthropic models, all input tokens are cached on Anthropic's servers.
 </Accordion>
 
+<Accordion title="Can I disable Open SWE from creating an issue when I submit a request?">
+  Yes. There's two ways to disable Open SWE from creating an issue when you submit a request:
+
+  1. Toggle the 'eye' icon in the main chat area when submitting a request.
+  2. In the configuration tab in settings, toggle the 'Should Create Issue' switch.
+
+  By default, it's set to `true`. By modifying this setting in the configuration tab, all runs will default to that setting. You may override this setting on a per-run basis by toggling the 'eye' icon in the main chat area.
+</Accordion>
+
 <Accordion title="My run failed midway through. What now?">
   We're sorry you're experiencing this! Open SWE will automatically commit any changes it makes to a draft pull request. Please check the draft pull request and make any necessary changes.
 

src/labs/swe/index.mdx

@@ -21,10 +21,7 @@ The agent can be used through a web interface or triggered automatically via Git
   <Card title="Setup" icon="robot" href="/labs/swe/setup/intro">
     How to set up Open SWE for development
   </Card>
-  <Card title="FAQ" icon="question" href="/labs/swe/faq">
-    Frequently asked questions
- </Card>
-  <Card title="Examples" icon="database" href="/labs/swe/usage/examples">
+  <Card title="Examples" icon="database" href="/labs/swe/examples">
     Examples of tasks you can try out
   </Card>
   <Card title="Usage" icon="database" href="/labs/swe/usage/intro">

src/labs/swe/secrets.mdx

@@ -3,73 +3,111 @@ title: "Secrets"
 description: "Environment variables & secrets access in dev environments"
 ---
 
-Open-SWE securely manages your API keys and environment variables with AES-256-GCM encryption.
+Open-SWE implements a secure, encrypted way to share user environment variables with the agent and pass them to the development server.
 
-## How Your API Keys Are Protected
+## Environment Variables & API Keys
 
-Your API keys are encrypted both in transit and at rest:
+### How API Keys Are Protected
 
-1. **Frontend**: Temporarily stored in browser localStorage
-2. **Transit**: Encrypted before sending to backend
-3. **Backend**: Stored encrypted in database
-4. **Runtime**: Decrypted only when needed
+Your API keys are protected with industry-standard AES-256-GCM encryption both in transit and at rest.
+
+**Storage Process:**
+1. **Frontend**: Temporarily stored in browser localStorage (plain text)
+2. **Transit**: Encrypted with AES-256-GCM before sending to backend
+3. **Backend**: Stored encrypted in LangGraph's database
+4. **Runtime**: Decrypted when necessary using server-side encryption keys
 
 <Accordion title="Technical Encryption Details">
+  **Encryption Details:**
   - **Algorithm**: [AES-256-GCM](https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38d.pdf) (authenticated encryption)
   - **Key Derivation**: SHA-256 hash of system `SECRETS_ENCRYPTION_KEY`
   - **IV Generation**: Random 12-byte initialization vector per encryption
   - **Authentication**: 16-byte authentication tag prevents tampering
 </Accordion>
 
-## Types of Environment Variables
+### System vs User Environment Variables
 
-**System Variables** (for self-hosting):
-- Examples: `DAYTONA_API_KEY`, `SECRETS_ENCRYPTION_KEY`, `GITHUB_APP_PRIVATE_KEY`
-- Access: Server-side only, never exposed to users or sandboxes
+Open-SWE handles two types of environment variables:
 
-**User Variables** (your personal keys):
-- Examples: `ANTHROPIC_API_KEY`, `MY_DATABASE_URL`, `STRIPE_TEST_KEY`
-- Access: Controlled via settings page, encrypted storage
+**System Environment Variables:**
+- **Purpose**: Environment variables required to run Open-SWE. If you're self-hosting, you can set LLM, infrastructure, and authentication keys
+- **Examples**: `DAYTONA_API_KEY`, `SECRETS_ENCRYPTION_KEY`, `GITHUB_APP_PRIVATE_KEY`
+- **Access**: Server-side only via `process.env`
+- **Security**: Never exposed to users or sandboxes
 
-## Sandbox Access Control
+**User-Defined Environment Variables:**
+- **Purpose**: Personal API keys and custom development variables
+- **Examples**: `ANTHROPIC_API_KEY`, `MY_DATABASE_URL`, `STRIPE_TEST_KEY`
+- **Access**: User-controlled via settings page in UI
+- **Security**: AES-256-GCM encrypted + explicit user consent required to pass them to the development server
 
-**By default, your API keys are never exposed to sandbox environments.** They're only used for LLM initialization and system setup.
+### When API Keys Are Exposed to Sandbox Environments
 
-To enable keys in development servers (for testing LangGraph agents, Next.js apps, etc.):
+Your API keys are **never automatically exposed** to sandbox environments. Exposure requires explicit user consent.
 
-1. Manually toggle "Include in Dev Server" for each key
-2. Key becomes available as environment variable in sandbox
-3. You control which keys are exposed
+You may wonder, why does the sandbox environment even need API keys? We've designed Open-SWE to be your junior dev. Part of development is testing code in real-time. **Open-SWE has the ability to spin up development servers that can run your LangGraph agents, Next.js apps, Flask servers, and more, all within the sandbox its running in.** If you think this option can be useful, please review what it means to pass your keys to the sandbox.
 
 <Note>
-  Use separate development API keys with limited permissions instead of production keys when enabling sandbox access.
+  Consider using separate development API keys with limited permissions instead of your production keys when enabling sandbox access. This reduces the impact of potential exposure while maintaining functionality.
 </Note>
 
-## Security & Isolation
+**Default Behavior (Secure):**
+- API keys are only used for LLM model initialization & setting up Daytona using your own key, if you passed it
+- Keys are NOT available as environment variables in sandboxes or accessible to LLMs
+- Each key has `allowedInDev: false` by default
+
+**When You Enable "Include in Dev Server":**
+- You manually toggle the switch for each API key
+- Key becomes available as an environment variable in sandbox
+- You maintain control over which keys are exposed
+
+## Sandbox Security & Isolation
+
+### Container Isolation
+
+Each user session runs in a completely isolated Daytona container with multiple security boundaries. These containers can modify the code in your repo on a new branch and don't exchange information across sessions.
+
+<Accordion title="Isolation Details">
+  **Container Isolation:**
+  - Separate container per user session
+  - No shared file systems between containers
+  - Container-level resource limits and quotas
+
+  **Process Isolation:**
+  - User environment variables vs system environment variables
+  - Sandboxed processes cannot access host system or code
 
-Each session runs in an isolated Daytona container that:
-- Cannot access other user sessions
-- Automatically deletes after 15 minutes of inactivity
-- Has no persistent storage across sessions
+  **Temporal Isolation:**
+  - Automatic deletion after 15 minutes of inactivity
+  - No persistent storage across sessions
+  - Fresh environment for each new session
 
-<Accordion title="Detailed Isolation Features">
-  - **Container**: Separate container per user session
-  - **File System**: No shared file systems between containers
-  - **Process**: Sandboxed processes cannot access host system
-  - **Network**: Containers cannot communicate with each other
-  - **Temporal**: Fresh environment for each session
+  **Network Isolation:**
+  - Containers cannot communicate with each other
 </Accordion>
 
+## Data Handling & Access Control
+
 <Warning>
-  When enabling "Include in Dev Server", the AI agent may inadvertently expose environment variables in generated code or logs. Only enable when necessary.
+  When enabling "Include in Dev Server" for API keys, you're expanding the attack surface of your credentials. AI agent may inadvertently expose environment variables in generated code or logs. Only use this feature when necessary for development server monitoring.
 </Warning>
 
-## Best Practices
+### Development Environment Exposure Risks
+
+You should only use this feature if you find it useful to monitor development servers. We recommend not using your main keys and having access control for keys that you pass to sandbox environments.
+
+While the Open-SWE UI and agent exchange these using encryption, **LLM may leave environment variables exposed in the code.**
 
-- Use minimum required permissions for each API key
+## Security Best Practices
+
+Our team loves using Open-SWE internally and we recommend the following best practices:
+
+- Use the minimum required permissions for each API key
 - Regularly rotate your API keys
-- Use separate development keys instead of production keys for sandbox access
-- Only enable "Include in Dev Server" when necessary
-- Never enable sandbox access for production database credentials
-- Review generated code for exposed environment variables before deploying
-- Monitor "Last Used" timestamps in settings
+- Only enable "Include in Dev Server" when necessary for specific tools
+- Monitor the "Last Used" timestamps in settings
+- Consider using separate development keys instead of production keys for sandbox environments
+- Never enable sandbox access for production database credentials or high-privilege API keys
+- Review generated code for accidentally exposed environment variables before deploying
+
+---

src/labs/swe/usage/intro.mdx

@@ -14,7 +14,7 @@ Open SWE provides two primary ways to interact with the coding agent, each desig
     Interactive chat interface with manual and auto modes for direct agent
     communication
   </Card>
-  <Card title="GitHub Webhooks" icon="webhook" href="/labs/swe/usage/github#github-webhook-integration">
+  <Card title="GitHub Webhooks" icon="webhook" href="/labs/swe/usage/webhook">
     Automated triggers through GitHub issue labels for seamless repository
     integration
   </Card>
@@ -42,7 +42,7 @@ You can explore Open SWE's capabilities using our hosted demo at [swe.langchain.
 <Tip>
   Start with the [Web Interface guide](/labs/swe/usage/ui) to understand Open
   SWE's core capabilities, then explore [GitHub
-  Webhooks](/labs/swe/usage/github#github-webhook-integration) for automated integration into your
+  Webhooks](/labs/swe/usage/webhook) for automated integration into your
   development workflow.
 </Tip>