@clipboard-health/groundcrew 4.12.0 → 4.13.0

package/dist/commands/resumeWorkspace.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"resumeWorkspace.d.ts","sourceRoot":"","sources":["../../src/commands/resumeWorkspace.ts"],"names":[],"mappings":"AAEA,OAAO,EAAc,KAAK,cAAc,EAAE,MAAM,kBAAkB,CAAC;AAcnE,MAAM,WAAW,sBAAsB;IACrC,MAAM,EAAE,MAAM,CAAC;CAChB;AA6HD,wBAAsB,eAAe,CACnC,MAAM,EAAE,cAAc,EACtB,OAAO,EAAE,sBAAsB,GAC9B,OAAO,CAAC,IAAI,CAAC,CA6Df;AAED,wBAAsB,kBAAkB,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAGtE"}
+{"version":3,"file":"resumeWorkspace.d.ts","sourceRoot":"","sources":["../../src/commands/resumeWorkspace.ts"],"names":[],"mappings":"AAEA,OAAO,EAAc,KAAK,cAAc,EAAE,MAAM,kBAAkB,CAAC;AAenE,MAAM,WAAW,sBAAsB;IACrC,MAAM,EAAE,MAAM,CAAC;CAChB;AA6HD,wBAAsB,eAAe,CACnC,MAAM,EAAE,cAAc,EACtB,OAAO,EAAE,sBAAsB,GAC9B,OAAO,CAAC,IAAI,CAAC,CA0Ff;AAED,wBAAsB,kBAAkB,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAGtE"}

package/dist/commands/resumeWorkspace.js

@@ -4,6 +4,7 @@ import { loadConfig } from "../lib/config.js";
 import { openAgentWorkspace, prepareAgentLaunch } from "../lib/agentLaunch.js";
 import { buildLaunchCommand } from "../lib/launchCommand.js";
 import { readRunState, recordRunState } from "../lib/runState.js";
+import { buildAndStageSrtLaunch } from "../lib/srtLaunch.js";
 import { removeStagedPrompt, stageBuildSecrets, stagePromptText, stageWorkspaceLaunchCommand, } from "../lib/stagedLaunch.js";
 import { errorMessage, log } from "../lib/util.js";
 import { workspaces } from "../lib/workspaces.js";
@@ -119,6 +120,26 @@ export async function resumeWorkspace(config, options) {
         text: renderResumePrompt(context),
     });
     const secretsFile = stageBuildSecrets(stagedPrompt.directory);
+    // Resume must stage srt settings exactly like setup, or `buildLaunchCommand`
+    // throws under the srt runner — and a relocating agent (codex) needs its
+    // config home re-seeded so it authenticates on the resumed launch.
+    let srtPrepareSettingsFile;
+    let srtAgentSettingsFile;
+    let srtSettingsDir;
+    let srtAgentConfigDirEnv;
+    if (runner === "srt") {
+        const staged = buildAndStageSrtLaunch({
+            config,
+            repository: context.repository,
+            ticket,
+            worktreeDir: context.worktree.dir,
+            definition,
+        });
+        srtPrepareSettingsFile = staged.prepareFile;
+        srtAgentSettingsFile = staged.agentFile;
+        srtSettingsDir = staged.directory;
+        srtAgentConfigDirEnv = staged.agentConfigDirEnv;
+    }
     const launchCommand = buildLaunchCommand({
         definition,
         promptFile: stagedPrompt.file,
@@ -126,6 +147,10 @@ export async function resumeWorkspace(config, options) {
         secretsFile,
         runner,
         sandboxName,
+        srtPrepareSettingsFile,
+        srtAgentSettingsFile,
+        srtSettingsDir,
+        srtAgentConfigDirEnv,
     });
     const launchCmd = stageWorkspaceLaunchCommand(stagedPrompt.directory, launchCommand);
     try {
@@ -140,6 +165,11 @@ export async function resumeWorkspace(config, options) {
     }
     catch (error) {
         removeStagedPrompt(stagedPrompt.directory);
+        // The launch command tears down the settings dir after srt exits; on the
+        // pre-launch failure path it never ran, so clean it up here.
+        if (srtSettingsDir !== undefined) {
+            removeStagedPrompt(srtSettingsDir);
+        }
         throw error;
     }
     recordRunState({

package/dist/commands/setupWorkspace.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"setupWorkspace.d.ts","sourceRoot":"","sources":["../../src/commands/setupWorkspace.ts"],"names":[],"mappings":"AAEA,OAAO,EAAoC,KAAK,cAAc,EAAE,MAAM,kBAAkB,CAAC;AAsBzF,MAAM,WAAW,aAAa;IAC5B,KAAK,EAAE,MAAM,CAAC;IACd,WAAW,EAAE,MAAM,CAAC;IACpB,wEAAwE;IACxE,GAAG,CAAC,EAAE,MAAM,CAAC;CACd;AAED,MAAM,WAAW,qBAAqB;IACpC,MAAM,EAAE,MAAM,CAAC;IACf,UAAU,EAAE,MAAM,CAAC;IACnB,KAAK,EAAE,MAAM,CAAC;IACd,OAAO,EAAE,aAAa,CAAC;CACxB;AAED,MAAM,WAAW,wBAAwB;IACvC,MAAM,CAAC,EAAE,WAAW,CAAC;CACtB;AAyDD,wBAAsB,cAAc,CAClC,MAAM,EAAE,cAAc,EACtB,OAAO,EAAE,qBAAqB,EAC9B,UAAU,GAAE,wBAA6B,GACxC,OAAO,CAAC,IAAI,CAAC,CAuIf;AA8ID,wBAAsB,iBAAiB,CACrC,MAAM,EAAE,MAAM,EACd,OAAO,GAAE;IAAE,MAAM,CAAC,EAAE,OAAO,CAAA;CAAO,GACjC,OAAO,CAAC,IAAI,CAAC,CA4Cf"}
+{"version":3,"file":"setupWorkspace.d.ts","sourceRoot":"","sources":["../../src/commands/setupWorkspace.ts"],"names":[],"mappings":"AACA,OAAO,EAAc,KAAK,cAAc,EAAE,MAAM,kBAAkB,CAAC;AAmBnE,MAAM,WAAW,aAAa;IAC5B,KAAK,EAAE,MAAM,CAAC;IACd,WAAW,EAAE,MAAM,CAAC;IACpB,wEAAwE;IACxE,GAAG,CAAC,EAAE,MAAM,CAAC;CACd;AAED,MAAM,WAAW,qBAAqB;IACpC,MAAM,EAAE,MAAM,CAAC;IACf,UAAU,EAAE,MAAM,CAAC;IACnB,KAAK,EAAE,MAAM,CAAC;IACd,OAAO,EAAE,aAAa,CAAC;CACxB;AAED,MAAM,WAAW,wBAAwB;IACvC,MAAM,CAAC,EAAE,WAAW,CAAC;CACtB;AAuBD,wBAAsB,cAAc,CAClC,MAAM,EAAE,cAAc,EACtB,OAAO,EAAE,qBAAqB,EAC9B,UAAU,GAAE,wBAA6B,GACxC,OAAO,CAAC,IAAI,CAAC,CA0If;AA8ID,wBAAsB,iBAAiB,CACrC,MAAM,EAAE,MAAM,EACd,OAAO,GAAE;IAAE,MAAM,CAAC,EAAE,OAAO,CAAA;CAAO,GACjC,OAAO,CAAC,IAAI,CAAC,CA4Cf"}

package/dist/commands/setupWorkspace.js

@@ -1,17 +1,15 @@
 import { rmSync } from "node:fs";
-import path from "node:path";
 import { loadConfig } from "../lib/config.js";
 import { openAgentWorkspace, prepareAgentLaunch } from "../lib/agentLaunch.js";
 import { createBoard } from "../lib/board.js";
 import { buildSources, sourcesFromConfig } from "../lib/buildSources.js";
-import { collectAllowedDomains } from "../lib/clearanceHosts.js";
-import { buildLaunchCommand, inferAgentCommandName } from "../lib/launchCommand.js";
+import { buildLaunchCommand } from "../lib/launchCommand.js";
 import { resolvePrepareWorktreeCommand } from "../lib/repositoryHooks.js";
 import { recordRunState } from "../lib/runState.js";
-import { buildSrtSettings } from "../lib/srtPolicy.js";
-import { stageBuildSecrets, stagePromptFromTemplate, stageSrtSettings, stageWorkspaceLaunchCommand, } from "../lib/stagedLaunch.js";
+import { buildAndStageSrtLaunch } from "../lib/srtLaunch.js";
+import { stageBuildSecrets, stagePromptFromTemplate, stageWorkspaceLaunchCommand, } from "../lib/stagedLaunch.js";
 import { naturalIdFromCanonical } from "../lib/ticketSource.js";
-import { debug, errorMessage, log, okMark, readEnvironmentVariable } from "../lib/util.js";
+import { debug, errorMessage, log, okMark } from "../lib/util.js";
 import { workspaces } from "../lib/workspaces.js";
 import { isWorktreeAlreadyExistsError, worktrees } from "../lib/worktrees.js";
 function stagePrompt(input) {
@@ -28,33 +26,6 @@ function stagePrompt(input) {
         },
     });
 }
-/**
- * Generate the srt policies for this launch and stage them to temp settings
- * files. The agent identity comes from the model `cmd`; the git common dir is
- * the parent clone's `.git` (the worktree lives beside it); the egress
- * allowlist is translated from the existing clearance env so srt and safehouse
- * share one source of truth. Only called when `local.runner` resolves to `srt`.
- *
- * Two policies: the `prepare` policy is profile-neutral (empty agent → no
- * `~/.claude`/`~/.codex` grants) so the repo-controlled prepareWorktree hook
- * can't touch the agent's credentials; the `agent` policy carries the agent's
- * credential profile.
- */
-function buildAndStageSrtSettings(input) {
-    const repoDir = path.resolve(input.config.workspace.projectDir, input.repository);
-    const base = {
-        worktreeDir: input.worktreeDir,
-        gitCommonDir: path.join(repoDir, ".git"),
-        allowedDomains: collectAllowedDomains({
-            hosts: readEnvironmentVariable("CLEARANCE_ALLOW_HOSTS"),
-            files: readEnvironmentVariable("CLEARANCE_ALLOW_HOSTS_FILES"),
-        }),
-    };
-    return stageSrtSettings(input.ticket, {
-        prepare: buildSrtSettings({ ...base, agent: "" }),
-        agent: buildSrtSettings({ ...base, agent: inferAgentCommandName(input.definition.cmd) }),
-    });
-}
 export async function setupWorkspace(config, options, runOptions = {}) {
     const { ticket, repository, model } = options;
     const { signal } = runOptions;
@@ -112,8 +83,9 @@ export async function setupWorkspace(config, options, runOptions = {}) {
         const secretsFile = prepareWorktreeCommand === undefined ? undefined : stageBuildSecrets(promptDir);
         let srtPrepareSettingsFile;
         let srtAgentSettingsFile;
+        let srtAgentConfigDirEnv;
         if (runner === "srt") {
-            const staged = buildAndStageSrtSettings({
+            const staged = buildAndStageSrtLaunch({
                 config,
                 repository,
                 ticket,
@@ -123,6 +95,7 @@ export async function setupWorkspace(config, options, runOptions = {}) {
             srtPrepareSettingsFile = staged.prepareFile;
             srtAgentSettingsFile = staged.agentFile;
             srtSettingsDir = staged.directory;
+            srtAgentConfigDirEnv = staged.agentConfigDirEnv;
         }
         const launchCommand = buildLaunchCommand({
             definition,
@@ -135,6 +108,7 @@ export async function setupWorkspace(config, options, runOptions = {}) {
             srtPrepareSettingsFile,
             srtAgentSettingsFile,
             srtSettingsDir,
+            srtAgentConfigDirEnv,
         });
         const launchCmd = stageWorkspaceLaunchCommand(promptDir, launchCommand);
         debug("Opening workspace...");

package/dist/lib/launchCommand.d.ts

@@ -83,6 +83,18 @@ interface LaunchCommandArguments {
      * `runner === "srt"`; torn down by the launch command after srt exits.
      */
     srtSettingsDir?: string | undefined;
+    /**
+     * Env var that points the agent at its relocated, writable config home
+     * (e.g. `{ name: "CODEX_HOME", value: "<settingsDir>/codex-home" }`).
+     * Injected into the agent wrap's `env -i` (with an explicit value, not a
+     * host-env passthrough) so the agent writes state to the staged dir instead
+     * of its read-only real home. Only the agent wrap gets it — the prepare wrap
+     * runs the repo hook, not the agent. Undefined for read-only agents (claude).
+     */
+    srtAgentConfigDirEnv?: {
+        name: string;
+        value: string;
+    } | undefined;
 }
 /**
  * Build the shell command that runs inside the workspace. The prompt is

package/dist/lib/launchCommand.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"launchCommand.d.ts","sourceRoot":"","sources":["../../src/lib/launchCommand.ts"],"names":[],"mappings":"AAIA,OAAO,EAGL,KAAK,WAAW,EAChB,KAAK,eAAe,EACrB,MAAM,aAAa,CAAC;AAGrB,OAAO,EAAE,gBAAgB,EAAE,MAAM,YAAY,CAAC;AAE9C;;;;;;;;;GASG;AACH,wBAAgB,6BAA6B,CAAC,OAAO,GAAE,MAAwB,GAAG,MAAM,CAcvF;AAID;;;;;;;;;;GAUG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,GAAE,MAAwB,GAAG,MAAM,CAgB3E;AAED;;;GAGG;AACH,wBAAgB,WAAW,CAAC,QAAQ,EAAE;IAAE,GAAG,CAAC,EAAE,MAAM,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;CAAE,GAAG,MAAM,CAMvF;AAqMD;;;;GAIG;AACH,wBAAgB,qBAAqB,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,CA8B9D;AAED,UAAU,sBAAsB;IAC9B,UAAU,EAAE,eAAe,CAAC;IAC5B,UAAU,EAAE,MAAM,CAAC;IACnB,WAAW,EAAE,MAAM,CAAC;IACpB;;;;;;OAMG;IACH,WAAW,CAAC,EAAE,MAAM,GAAG,SAAS,CAAC;IACjC;;;;OAIG;IACH,sBAAsB,CAAC,EAAE,MAAM,GAAG,SAAS,CAAC;IAC5C;;;;OAIG;IACH,MAAM,EAAE,WAAW,CAAC;IACpB;;;;;OAKG;IACH,WAAW,CAAC,EAAE,MAAM,GAAG,SAAS,CAAC;IACjC;;;;OAIG;IACH,sBAAsB,CAAC,EAAE,MAAM,GAAG,SAAS,CAAC;IAC5C;;;OAGG;IACH,oBAAoB,CAAC,EAAE,MAAM,GAAG,SAAS,CAAC;IAC1C;;;OAGG;IACH,cAAc,CAAC,EAAE,MAAM,GAAG,SAAS,CAAC;CACrC;AAED;;;;;;;GAOG;AACH,wBAAgB,kBAAkB,CAAC,UAAU,EAAE,sBAAsB,GAAG,MAAM,CA6B7E"}
+{"version":3,"file":"launchCommand.d.ts","sourceRoot":"","sources":["../../src/lib/launchCommand.ts"],"names":[],"mappings":"AAIA,OAAO,EAGL,KAAK,WAAW,EAChB,KAAK,eAAe,EACrB,MAAM,aAAa,CAAC;AAGrB,OAAO,EAAE,gBAAgB,EAAE,MAAM,YAAY,CAAC;AAE9C;;;;;;;;;GASG;AACH,wBAAgB,6BAA6B,CAAC,OAAO,GAAE,MAAwB,GAAG,MAAM,CAcvF;AAID;;;;;;;;;;GAUG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,GAAE,MAAwB,GAAG,MAAM,CAgB3E;AAED;;;GAGG;AACH,wBAAgB,WAAW,CAAC,QAAQ,EAAE;IAAE,GAAG,CAAC,EAAE,MAAM,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;CAAE,GAAG,MAAM,CAMvF;AAqMD;;;;GAIG;AACH,wBAAgB,qBAAqB,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,CA8B9D;AAED,UAAU,sBAAsB;IAC9B,UAAU,EAAE,eAAe,CAAC;IAC5B,UAAU,EAAE,MAAM,CAAC;IACnB,WAAW,EAAE,MAAM,CAAC;IACpB;;;;;;OAMG;IACH,WAAW,CAAC,EAAE,MAAM,GAAG,SAAS,CAAC;IACjC;;;;OAIG;IACH,sBAAsB,CAAC,EAAE,MAAM,GAAG,SAAS,CAAC;IAC5C;;;;OAIG;IACH,MAAM,EAAE,WAAW,CAAC;IACpB;;;;;OAKG;IACH,WAAW,CAAC,EAAE,MAAM,GAAG,SAAS,CAAC;IACjC;;;;OAIG;IACH,sBAAsB,CAAC,EAAE,MAAM,GAAG,SAAS,CAAC;IAC5C;;;OAGG;IACH,oBAAoB,CAAC,EAAE,MAAM,GAAG,SAAS,CAAC;IAC1C;;;OAGG;IACH,cAAc,CAAC,EAAE,MAAM,GAAG,SAAS,CAAC;IACpC;;;;;;;OAOG;IACH,oBAAoB,CAAC,EAAE;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,GAAG,SAAS,CAAC;CACpE;AAED;;;;;;;GAOG;AACH,wBAAgB,kBAAkB,CAAC,UAAU,EAAE,sBAAsB,GAAG,MAAM,CA6B7E"}

package/dist/lib/launchCommand.js

@@ -473,7 +473,14 @@ function buildSrtLaunchCommand(arguments_) {
     const baseline = SRT_ENV_BASELINE.map((name) => `${name}="$${name}"`).join(" ");
     const prepareForward = arguments_.secretsFile === undefined ? "" : srtForwardedEnv(BUILD_SECRET_NAMES);
     const prepareWrap = `env -i ${baseline}${prepareForward} ${prepareTarget}`;
-    const agentWrap = `env -i ${baseline}${srtForwardedEnv(arguments_.definition.preLaunchEnv ?? [])} ${agentTarget}`;
+    // The relocated config-home env (e.g. CODEX_HOME) is an explicit value, not a
+    // `VAR="$VAR"` host passthrough — groundcrew computed the staged path, it is
+    // not in the launch shell's env. The name is a fixed identifier; the value is
+    // single-quoted. Only the agent wrap gets it.
+    const agentConfigDirAssignment = arguments_.srtAgentConfigDirEnv === undefined
+        ? ""
+        : ` ${arguments_.srtAgentConfigDirEnv.name}=${shellSingleQuote(arguments_.srtAgentConfigDirEnv.value)}`;
+    const agentWrap = `env -i ${baseline}${agentConfigDirAssignment}${srtForwardedEnv(arguments_.definition.preLaunchEnv ?? [])} ${agentTarget}`;
     // One EXIT trap wipes both the settings dir and the prompt dir, covering
     // every failure window between here and the post-wrap cleanup.
     const cleanup = `rm -rf ${shellSingleQuote(arguments_.srtSettingsDir)}; rm -rf ${shellSingleQuote(promptDir)}`;

package/dist/lib/srtLaunch.d.ts

@@ -0,0 +1,47 @@
+import type { ModelDefinition, ResolvedConfig } from "./config.ts";
+export interface StagedSrtLaunch {
+    /** Dedicated temp dir holding the settings files (and any relocated config home). */
+    directory: string;
+    /** Profile-neutral policy for the prepareWorktree wrap (no agent credentials). */
+    prepareFile: string;
+    /** Full agent policy for the agent wrap. */
+    agentFile: string;
+    /**
+     * Env var pointing the agent at its relocated, writable config home (codex's
+     * `CODEX_HOME`). Threaded into the agent wrap by `buildLaunchCommand`.
+     * Undefined for read-only agents (claude), which run with a read-only home.
+     */
+    agentConfigDirEnv?: {
+        name: string;
+        value: string;
+    };
+}
+/**
+ * Generate the srt policies for a launch and stage them, plus — for agents that
+ * cannot run with a read-only config home (codex) — a relocated, writable
+ * config dir seeded with the minimal files the agent needs to authenticate and
+ * keep its config. Shared by `setupWorkspace` (fresh runs) and `resumeWorkspace`
+ * (resumes) so both behave identically under the srt runner.
+ *
+ * Two policies, distinct surfaces:
+ * - the `prepare` policy is profile-neutral (empty agent → no `~/.claude` /
+ *   `~/.codex` grants, no relocated home) so the repo-controlled prepareWorktree
+ *   hook can't touch the agent's credentials;
+ * - the `agent` policy carries the agent's read-only config profile and, when
+ *   the agent relocates, the writable relocated home.
+ *
+ * The relocated home lives **inside** the settings dir but is the only thing
+ * under it granted to the sandbox — the settings JSON siblings are never
+ * read-granted, so the agent can't read or rewrite its own policy. The launch
+ * command tears the whole dir down after srt exits.
+ */
+export declare function buildAndStageSrtLaunch(input: {
+    config: ResolvedConfig;
+    repository: string;
+    ticket: string;
+    worktreeDir: string;
+    definition: ModelDefinition;
+    /** Defaults to `os.homedir()`. Injected in tests to seed from a fixture home. */
+    homeDir?: string;
+}): StagedSrtLaunch;
+//# sourceMappingURL=srtLaunch.d.ts.map

package/dist/lib/srtLaunch.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"srtLaunch.d.ts","sourceRoot":"","sources":["../../src/lib/srtLaunch.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAE,eAAe,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAKnE,MAAM,WAAW,eAAe;IAC9B,qFAAqF;IACrF,SAAS,EAAE,MAAM,CAAC;IAClB,kFAAkF;IAClF,WAAW,EAAE,MAAM,CAAC;IACpB,4CAA4C;IAC5C,SAAS,EAAE,MAAM,CAAC;IAClB;;;;OAIG;IACH,iBAAiB,CAAC,EAAE;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,CAAC;CACrD;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,wBAAgB,sBAAsB,CAAC,KAAK,EAAE;IAC5C,MAAM,EAAE,cAAc,CAAC;IACvB,UAAU,EAAE,MAAM,CAAC;IACnB,MAAM,EAAE,MAAM,CAAC;IACf,WAAW,EAAE,MAAM,CAAC;IACpB,UAAU,EAAE,eAAe,CAAC;IAC5B,iFAAiF;IACjF,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB,GAAG,eAAe,CA8ClB"}

package/dist/lib/srtLaunch.js

@@ -0,0 +1,84 @@
+import { copyFileSync, existsSync, mkdirSync, mkdtempSync, writeFileSync } from "node:fs";
+import os from "node:os";
+import path from "node:path";
+import { collectAllowedDomains } from "./clearanceHosts.js";
+import { inferAgentCommandName } from "./launchCommand.js";
+import { agentConfigRelocation, buildSrtSettings } from "./srtPolicy.js";
+import { readEnvironmentVariable } from "./util.js";
+/**
+ * Generate the srt policies for a launch and stage them, plus — for agents that
+ * cannot run with a read-only config home (codex) — a relocated, writable
+ * config dir seeded with the minimal files the agent needs to authenticate and
+ * keep its config. Shared by `setupWorkspace` (fresh runs) and `resumeWorkspace`
+ * (resumes) so both behave identically under the srt runner.
+ *
+ * Two policies, distinct surfaces:
+ * - the `prepare` policy is profile-neutral (empty agent → no `~/.claude` /
+ *   `~/.codex` grants, no relocated home) so the repo-controlled prepareWorktree
+ *   hook can't touch the agent's credentials;
+ * - the `agent` policy carries the agent's read-only config profile and, when
+ *   the agent relocates, the writable relocated home.
+ *
+ * The relocated home lives **inside** the settings dir but is the only thing
+ * under it granted to the sandbox — the settings JSON siblings are never
+ * read-granted, so the agent can't read or rewrite its own policy. The launch
+ * command tears the whole dir down after srt exits.
+ */
+export function buildAndStageSrtLaunch(input) {
+    const agent = inferAgentCommandName(input.definition.cmd);
+    const homeDir = input.homeDir ?? os.homedir();
+    const repoDir = path.resolve(input.config.workspace.projectDir, input.repository);
+    const base = {
+        worktreeDir: input.worktreeDir,
+        gitCommonDir: path.join(repoDir, ".git"),
+        allowedDomains: collectAllowedDomains({
+            hosts: readEnvironmentVariable("CLEARANCE_ALLOW_HOSTS"),
+            files: readEnvironmentVariable("CLEARANCE_ALLOW_HOSTS_FILES"),
+        }),
+    };
+    const directory = mkdtempSync(path.join(os.tmpdir(), `groundcrew-srt-${input.ticket}-`));
+    const relocation = agentConfigRelocation(agent);
+    let relocatedConfigDir;
+    let agentConfigDirEnv;
+    if (relocation !== undefined) {
+        relocatedConfigDir = path.join(directory, `${agent}-home`);
+        mkdirSync(relocatedConfigDir, { recursive: true });
+        seedRelocatedConfigDir({
+            sourceDir: path.join(homeDir, relocation.sourceHomeRelativeDir),
+            seedFiles: relocation.seedFiles,
+            relocatedConfigDir,
+        });
+        agentConfigDirEnv = { name: relocation.configDirEnv, value: relocatedConfigDir };
+    }
+    const prepare = buildSrtSettings({ ...base, agent: "" });
+    const agentSettings = buildSrtSettings({
+        ...base,
+        agent,
+        ...(relocatedConfigDir === undefined ? {} : { relocatedConfigDir }),
+    });
+    const prepareFile = path.join(directory, "prepare-settings.json");
+    const agentFile = path.join(directory, "agent-settings.json");
+    writeFileSync(prepareFile, `${JSON.stringify(prepare, undefined, 2)}\n`);
+    writeFileSync(agentFile, `${JSON.stringify(agentSettings, undefined, 2)}\n`);
+    return {
+        directory,
+        prepareFile,
+        agentFile,
+        ...(agentConfigDirEnv === undefined ? {} : { agentConfigDirEnv }),
+    };
+}
+/**
+ * Copy the agent's minimal credential/config files into the relocated home.
+ * Best-effort per file: a missing source (e.g. the user isn't logged into the
+ * agent, or has no config) is skipped rather than aborting the launch — the
+ * agent then reports its own "not logged in" state, which is the correct signal.
+ */
+function seedRelocatedConfigDir(input) {
+    for (const file of input.seedFiles) {
+        const source = path.join(input.sourceDir, file);
+        if (!existsSync(source)) {
+            continue;
+        }
+        copyFileSync(source, path.join(input.relocatedConfigDir, file));
+    }
+}

package/dist/lib/srtPolicy.d.ts

@@ -10,14 +10,30 @@
  *   region (`/Users` on macOS, `/home` + `/root` on Linux) so the agent cannot
  *   read `~/.ssh`, `~/.aws`, shell history, or unrelated repos; `allowRead`
  *   then re-opens exactly the worktree, the repo's git metadata, the language
- *   toolchains needed to *run* the agent, and the agent's own credential dirs.
- *   srt skips non-existent allow/deny paths, so listing a toolchain that isn't
- *   installed is harmless.
- * - **Writes** are allow-only in srt, so a narrow `allowWrite` (worktree, git
- *   metadata, npm cache, the agent's own state) is the primary defense against
- *   the toolchain-persistence vector (agent-safehouse#102). `denyWrite` is
- *   belt-and-suspenders over global toolchain bins; it uses **literal paths
- *   only** because bubblewrap silently ignores globs on Linux.
+ *   toolchains needed to *run* the agent, the agent's own config/credential
+ *   dirs, and — on macOS, for keychain-authenticated agents (claude) — the user
+ *   keychain dir (`~/Library/Keychains`) so the agent can authenticate under
+ *   the home mask. srt skips non-existent allow/deny paths, so listing a path
+ *   that isn't present (a Linux keychain dir, an uninstalled toolchain) is
+ *   harmless.
+ * - **Writes** are allow-only in srt. Two STAFF-1305 structural fixes shape it:
+ *   1. **Agent state (work item 1).** The host-CLI persistence vector (planting
+ *      hooks, `mcpServers`, commands, plugins, … that execute on the user's
+ *      next host run) is closed per agent. **claude** runs with a writable
+ *      `~/.claude` (its Bash tool creates `session-env`/scratch state there) but
+ *      every fixed-path executable/instruction surface — including
+ *      `~/.claude.json` (`mcpServers`) and the bundled `chrome` binary — is
+ *      denied; claude tolerates those write denials. **codex** hard-fails with a
+ *      read-only home, so it is pointed at a relocated, per-launch writable
+ *      config dir (`CODEX_HOME`, see {@link agentConfigRelocation}) and its real
+ *      `~/.codex` is never write-granted at all.
+ *   2. **Git (work item 2).** The git common dir is granted write as a **narrow
+ *      allowlist** of exactly the paths `status/diff/add/commit/push/gc` write —
+ *      never wholesale — so the per-worktree gitdir redirection files, sibling
+ *      worktree gitdirs, and the repo `config`/`hooks` stay unwritable.
+ *   `denyWrite` is belt-and-suspenders over global toolchain bins and the agent
+ *   homes; it uses **literal paths only** because bubblewrap silently ignores
+ *   globs on Linux.
  * - **Network** is allow-only and sourced from the existing clearance
  *   allowlist (see {@link ./clearanceHosts.ts}); local binding and unix sockets
  *   stay off (the docker socket and the DNS-exfil vector in srt#88).
@@ -32,14 +48,22 @@ export interface BuildSrtSettingsInput {
     worktreeDir: string;
     /**
      * Absolute path to the repo's git common dir (the parent clone's `.git`).
-     * The worktree's per-worktree git dir lives under it, so granting it
-     * read + write covers `git status/diff/add/commit/branch`.
+     * Granted read wholesale, but write only as a narrow allowlist of the paths
+     * the git workflow actually touches (see `GIT_COMMON_WRITE_PATHS`).
      */
     gitCommonDir: string;
     /** Agent identity (e.g. "claude", "codex") used to pick the credential profile. */
     agent: string;
     /** srt `network.allowedDomains`, already translated from the clearance allowlist. */
     allowedDomains: readonly string[];
+    /**
+     * Absolute path to the agent's relocated, writable config/state home for this
+     * launch (codex's `CODEX_HOME`). When set it is granted read + write so the
+     * agent persists session state there instead of its real home, which stays
+     * read-only. claude does not relocate (its macOS keychain credential is bound
+     * to the default config dir), so this is omitted for it.
+     */
+    relocatedConfigDir?: string;
     /** Defaults to `process.platform`. Injected in tests to exercise both deny-read roots. */
     platform?: NodeJS.Platform;
     /** Defaults to `os.homedir()`. Injected in tests. */
@@ -47,5 +71,35 @@ export interface BuildSrtSettingsInput {
     /** Defaults to `process.execPath`; used to locate the global node_modules to deny writes to. */
     nodeExecPath?: string;
 }
+/**
+ * How an agent that cannot run with a read-only config home is pointed at a
+ * relocated, per-launch writable home instead. The launch stages a temp dir,
+ * seeds it with the minimal files the agent needs to authenticate + keep its
+ * config, exports `configDirEnv` to that dir, and grants it write — so the real
+ * home (which holds the persistence surfaces) is never written.
+ *
+ * Empirically (STAFF-1305 live validation, macOS): codex hard-fails to launch
+ * with a read-only `~/.codex` ("failed to initialize in-process app-server
+ * client") and authenticates from a file (`auth.json`), so relocating
+ * `CODEX_HOME` + seeding `auth.json`/`config.toml` both unblocks it and closes
+ * persistence. claude is deliberately absent: its macOS keychain credential is
+ * bound to the default config dir, so relocating `CLAUDE_CONFIG_DIR` breaks
+ * auth — claude instead runs with a writable home whose executable surfaces are
+ * denied (see `AGENT_SRT_PROFILES`).
+ */
+export interface AgentConfigRelocation {
+    /** Env var that points the agent at a relocated config home. */
+    configDirEnv: string;
+    /** Home-relative dir the seed files are copied from (the agent's real home). */
+    sourceHomeRelativeDir: string;
+    /** Files (relative to `sourceHomeRelativeDir`) seeded into the relocated home. */
+    seedFiles: readonly string[];
+}
+/**
+ * Return the config-relocation spec for an agent, or `undefined` when the agent
+ * runs with a writable real home + deny-list and does not relocate (claude,
+ * unknown agents).
+ */
+export declare function agentConfigRelocation(agent: string): AgentConfigRelocation | undefined;
 export declare function buildSrtSettings(input: BuildSrtSettingsInput): SandboxRuntimeConfig;
 //# sourceMappingURL=srtPolicy.d.ts.map

package/dist/lib/srtPolicy.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"srtPolicy.d.ts","sourceRoot":"","sources":["../../src/lib/srtPolicy.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AAMH,OAAO,EAEL,KAAK,oBAAoB,EAC1B,MAAM,+BAA+B,CAAC;AAEvC,MAAM,WAAW,qBAAqB;IACpC,oEAAoE;IACpE,WAAW,EAAE,MAAM,CAAC;IACpB;;;;OAIG;IACH,YAAY,EAAE,MAAM,CAAC;IACrB,mFAAmF;IACnF,KAAK,EAAE,MAAM,CAAC;IACd,qFAAqF;IACrF,cAAc,EAAE,SAAS,MAAM,EAAE,CAAC;IAClC,0FAA0F;IAC1F,QAAQ,CAAC,EAAE,MAAM,CAAC,QAAQ,CAAC;IAC3B,qDAAqD;IACrD,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,gGAAgG;IAChG,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AA2ID,wBAAgB,gBAAgB,CAAC,KAAK,EAAE,qBAAqB,GAAG,oBAAoB,CA6GnF"}
+{"version":3,"file":"srtPolicy.d.ts","sourceRoot":"","sources":["../../src/lib/srtPolicy.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2CG;AAMH,OAAO,EAEL,KAAK,oBAAoB,EAC1B,MAAM,+BAA+B,CAAC;AAEvC,MAAM,WAAW,qBAAqB;IACpC,oEAAoE;IACpE,WAAW,EAAE,MAAM,CAAC;IACpB;;;;OAIG;IACH,YAAY,EAAE,MAAM,CAAC;IACrB,mFAAmF;IACnF,KAAK,EAAE,MAAM,CAAC;IACd,qFAAqF;IACrF,cAAc,EAAE,SAAS,MAAM,EAAE,CAAC;IAClC;;;;;;OAMG;IACH,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,0FAA0F;IAC1F,QAAQ,CAAC,EAAE,MAAM,CAAC,QAAQ,CAAC;IAC3B,qDAAqD;IACrD,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,gGAAgG;IAChG,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AAED;;;;;;;;;;;;;;;GAeG;AACH,MAAM,WAAW,qBAAqB;IACpC,gEAAgE;IAChE,YAAY,EAAE,MAAM,CAAC;IACrB,gFAAgF;IAChF,qBAAqB,EAAE,MAAM,CAAC;IAC9B,kFAAkF;IAClF,SAAS,EAAE,SAAS,MAAM,EAAE,CAAC;CAC9B;AAED;;;;GAIG;AACH,wBAAgB,qBAAqB,CAAC,KAAK,EAAE,MAAM,GAAG,qBAAqB,GAAG,SAAS,CAEtF;AAsMD,wBAAgB,gBAAgB,CAAC,KAAK,EAAE,qBAAqB,GAAG,oBAAoB,CAuHnF"}

package/dist/lib/srtPolicy.js

@@ -10,14 +10,30 @@
  *   region (`/Users` on macOS, `/home` + `/root` on Linux) so the agent cannot
  *   read `~/.ssh`, `~/.aws`, shell history, or unrelated repos; `allowRead`
  *   then re-opens exactly the worktree, the repo's git metadata, the language
- *   toolchains needed to *run* the agent, and the agent's own credential dirs.
- *   srt skips non-existent allow/deny paths, so listing a toolchain that isn't
- *   installed is harmless.
- * - **Writes** are allow-only in srt, so a narrow `allowWrite` (worktree, git
- *   metadata, npm cache, the agent's own state) is the primary defense against
- *   the toolchain-persistence vector (agent-safehouse#102). `denyWrite` is
- *   belt-and-suspenders over global toolchain bins; it uses **literal paths
- *   only** because bubblewrap silently ignores globs on Linux.
+ *   toolchains needed to *run* the agent, the agent's own config/credential
+ *   dirs, and — on macOS, for keychain-authenticated agents (claude) — the user
+ *   keychain dir (`~/Library/Keychains`) so the agent can authenticate under
+ *   the home mask. srt skips non-existent allow/deny paths, so listing a path
+ *   that isn't present (a Linux keychain dir, an uninstalled toolchain) is
+ *   harmless.
+ * - **Writes** are allow-only in srt. Two STAFF-1305 structural fixes shape it:
+ *   1. **Agent state (work item 1).** The host-CLI persistence vector (planting
+ *      hooks, `mcpServers`, commands, plugins, … that execute on the user's
+ *      next host run) is closed per agent. **claude** runs with a writable
+ *      `~/.claude` (its Bash tool creates `session-env`/scratch state there) but
+ *      every fixed-path executable/instruction surface — including
+ *      `~/.claude.json` (`mcpServers`) and the bundled `chrome` binary — is
+ *      denied; claude tolerates those write denials. **codex** hard-fails with a
+ *      read-only home, so it is pointed at a relocated, per-launch writable
+ *      config dir (`CODEX_HOME`, see {@link agentConfigRelocation}) and its real
+ *      `~/.codex` is never write-granted at all.
+ *   2. **Git (work item 2).** The git common dir is granted write as a **narrow
+ *      allowlist** of exactly the paths `status/diff/add/commit/push/gc` write —
+ *      never wholesale — so the per-worktree gitdir redirection files, sibling
+ *      worktree gitdirs, and the repo `config`/`hooks` stay unwritable.
+ *   `denyWrite` is belt-and-suspenders over global toolchain bins and the agent
+ *   homes; it uses **literal paths only** because bubblewrap silently ignores
+ *   globs on Linux.
  * - **Network** is allow-only and sourced from the existing clearance
  *   allowlist (see {@link ./clearanceHosts.ts}); local binding and unix sockets
  *   stay off (the docker socket and the DNS-exfil vector in srt#88).
@@ -31,25 +47,33 @@ import path from "node:path";
 import process from "node:process";
 import { SandboxRuntimeConfigSchema, } from "@anthropic-ai/sandbox-runtime";
 /**
- * Per-agent credential/config paths re-opened under the home deny-read mask.
- * Deliberately narrow — no blanket `~/.config`, which would re-expose
- * unrelated apps' secrets. Extend via config in a later phase; an unknown
- * agent gets no extra home access and must be granted paths explicitly.
+ * Return the config-relocation spec for an agent, or `undefined` when the agent
+ * runs with a writable real home + deny-list and does not relocate (claude,
+ * unknown agents).
+ */
+export function agentConfigRelocation(agent) {
+    return AGENT_CONFIG_RELOCATIONS[agent.toLowerCase()];
+}
+/**
+ * Per-agent credential/config profiles. Deliberately narrow — no blanket
+ * `~/.config`, which would re-expose unrelated apps' secrets. An unknown agent
+ * gets no extra home access and must be granted paths explicitly.
  *
- * `writePaths` keep the agent's mutable state writable (sessions, history,
- * todos, projects, caches, sqlite — a large, version-volatile set that an
- * allowlist would break on the next agent release); `denyPaths` re-close the
- * small, enumerable executable/instruction surfaces within them. The agent
- * does not write those during a task, so denying them degrades gracefully. The
- * lists below were validated against the real `~/.claude` / `~/.codex` layout;
- * srt's own mandatory deny additionally covers `.claude/commands`/`agents`.
- * Drift across agent versions is tracked for the live-validation pass.
+ * claude keeps a writable home (`writePaths`) with the executable surfaces
+ * re-closed (`denyPaths`) because its macOS keychain credential is bound to the
+ * default config dir, so it cannot be relocated. codex has no `writePaths`: it
+ * relocates (see `AGENT_CONFIG_RELOCATIONS`), so its real `~/.codex` is
+ * read-only and no per-surface deny-list is needed there.
  */
 const AGENT_SRT_PROFILES = {
     claude: {
         readPaths: [".claude", ".claude.json"],
-        writePaths: [".claude", ".claude.json"],
+        writePaths: [".claude"],
         denyPaths: [
+            // The mcpServers config — claude spawns these commands on every startup,
+            // the sharpest host-RCE persistence vector. claude tolerates this being
+            // read-only (validated live; it does not write it during a task).
+            ".claude.json",
             ".claude/settings.json",
             ".claude/settings.local.json",
             ".claude/commands",
@@ -59,27 +83,35 @@ const AGENT_SRT_PROFILES = {
             ".claude/hooks",
             ".claude/statusline.sh",
             ".claude/CLAUDE.md",
+            // Bundled browser binary — replaceable with a malicious one that runs when
+            // claude next drives a browser on the host.
+            ".claude/chrome",
             // ~/.claude is itself a git repo; deny the executable surfaces within its
             // gitdir (commits, if any, still write objects/refs).
             ".claude/.git/hooks",
             ".claude/.git/config",
         ],
+        usesMacosKeychain: true,
     },
     codex: {
+        // Read-only: codex relocates its writable home (CODEX_HOME), so the real
+        // ~/.codex never needs write and no per-surface deny-list is required.
         readPaths: [".codex"],
-        writePaths: [".codex"],
-        denyPaths: [
-            ".codex/config.toml",
-            ".codex/hooks.json",
-            ".codex/AGENTS.md",
-            ".codex/plugins",
-            ".codex/skills",
-            ".codex/rules",
-            ".codex/.git/hooks",
-            ".codex/.git/config",
-        ],
+        writePaths: [],
+        denyPaths: [],
+    },
+};
+const AGENT_CONFIG_RELOCATIONS = {
+    codex: {
+        configDirEnv: "CODEX_HOME",
+        sourceHomeRelativeDir: ".codex",
+        // auth.json carries the ChatGPT OAuth tokens (codex reads creds from a file,
+        // not the keychain); config.toml preserves the user's codex configuration.
+        seedFiles: ["auth.json", "config.toml"],
     },
 };
+/** macOS user keychain dir, re-opened read-only for keychain-authenticated agents. */
+const MACOS_KEYCHAIN_READ_PATH = "Library/Keychains";
 /**
  * Language toolchains and version managers re-opened read-only so the agent's
  * runtime (and any installed CLIs) can execute even though they live under the
@@ -113,14 +145,49 @@ const TOOLCHAIN_READ_ROOTS = [
     "go/bin",
     "go/pkg",
 ];
+/**
+ * The git common dir is granted write only at these relative subpaths — never
+ * wholesale — so the agent's `status/diff/add/commit/push` + `gc`/`pack-refs`
+ * work while the persistence/tamper surfaces stay unwritable by *omission*
+ * (macOS Seatbelt is deny-beats-allow, so a denied parent cannot be re-allowed
+ * for a child — the allowlist is the only correct shape). Closed by not being
+ * listed: `config`, `hooks`, `modules`, and **sibling** worktree gitdirs under
+ * `worktrees/<other>` (cross-ticket tamper). This worktree's own gitdir is
+ * granted separately and its redirection files carved back out (see
+ * `gitCommonWriteDenies`).
+ *
+ * Enumerated against a live run under srt (STAFF-1305): `objects` (loose +
+ * packs + commit-graph), `refs` + `logs` (branch + remote-tracking refs and
+ * their reflogs — granted whole because `gc` packs/deletes refs across *all*
+ * branches, so scoping to the current branch would break `gc`), `packed-refs`
+ * (+ `.lock`/`.new` temps), `info` (`update-server-info`), and the root-level
+ * `gc.pid`/`HEAD`/`ORIG_HEAD`/`FETCH_HEAD` (+ `.lock` temps) that `gc`'s
+ * repo-global reflog expiry touches. None are code-execution surfaces.
+ */
+const GIT_COMMON_WRITE_PATHS = [
+    "objects",
+    "refs",
+    "logs",
+    "info",
+    "packed-refs",
+    "packed-refs.lock",
+    "packed-refs.new",
+    "gc.pid",
+    "gc.pid.lock",
+    "HEAD",
+    "HEAD.lock",
+    "ORIG_HEAD",
+    "FETCH_HEAD",
+];
 /**
  * Every agent credential/state home dir. A profile that does NOT own one of
- * these must deny writes to it — both as cross-agent defense (the codex profile
- * shouldn't write `~/.claude`) and to override srt's hardcoded default write
- * path `~/.claude/debug`, which `getDefaultWritePaths()` adds to every policy.
- * Without this, that default re-opens `~/.claude/debug` (and, on Linux, makes
- * it readable via the write bind) even under the profile-neutral prepare
- * policy. `denyWrite` wins over `allowWrite`, so denying the home dir overrides
+ * these (it isn't in the profile's `writePaths`) must deny writes to it — both
+ * as cross-agent defense (the codex profile shouldn't write `~/.claude`) and to
+ * override srt's hardcoded default write path `~/.claude/debug`, which
+ * `getDefaultWritePaths()` adds to every policy. Without this, that default
+ * re-opens `~/.claude/debug` (and, on Linux, makes it readable via the write
+ * bind) even under the profile-neutral prepare policy and the relocating codex
+ * profile. `denyWrite` wins over `allowWrite`, so denying the home dir overrides
  * the default.
  */
 const ALL_AGENT_HOME_DIRS = [".claude", ".codex"];
@@ -156,6 +223,8 @@ export function buildSrtSettings(input) {
         denyPaths: [],
     };
     const underHome = (relativePath) => path.join(homeDir, relativePath);
+    const underGit = (relativePath) => path.join(input.gitCommonDir, relativePath);
+    const worktreeBasename = path.basename(input.worktreeDir);
     // `<nodeBin>/../` is the node prefix; nvm/Volta-managed nodes keep their
     // global modules at `<prefix>/lib/node_modules` and shims at `<prefix>/bin`.
     const nodePrefix = path.dirname(path.dirname(nodeExecPath));
@@ -167,6 +236,12 @@ export function buildSrtSettings(input) {
     // Linux (the worktree, if it lives under /mnt, is re-allowed below since
     // allowRead wins over denyRead).
     const denyRead = platform === "darwin" ? ["/Users"] : ["/home", "/root", "/mnt"];
+    // macOS keychain re-open for keychain-authenticated agents. Home-relative so
+    // it is a no-op on Linux (the path does not exist there; srt skips it), where
+    // these agents read credentials from a file under their (readable) home.
+    const keychainRead = platform === "darwin" && profile.usesMacosKeychain === true
+        ? [underHome(MACOS_KEYCHAIN_READ_PATH)]
+        : [];
     const allowRead = unique([
         input.worktreeDir,
         input.gitCommonDir,
@@ -174,43 +249,43 @@ export function buildSrtSettings(input) {
         ...TOOLCHAIN_READ_ROOTS.map(underHome),
         ...GIT_READ_PATHS.map(underHome),
         ...profile.readPaths.map(underHome),
+        ...keychainRead,
+        ...(input.relocatedConfigDir === undefined ? [] : [input.relocatedConfigDir]),
     ]);
     const allowWrite = unique([
         input.worktreeDir,
-        input.gitCommonDir,
         underHome(".npm"),
+        // Narrow git allowlist — never the whole common dir (see GIT_COMMON_WRITE_PATHS).
+        ...GIT_COMMON_WRITE_PATHS.map(underGit),
+        underGit(path.join("worktrees", worktreeBasename)),
         ...profile.writePaths.map(underHome),
+        // The agent's relocated, writable config home (codex). Absent for agents
+        // that write their real home behind a deny-list (claude).
+        ...(input.relocatedConfigDir === undefined ? [] : [input.relocatedConfigDir]),
     ]);
     const denyWrite = unique([
         nodeGlobalModules,
         nodeBinDir,
         ...TOOLCHAIN_WRITE_DENY.map(underHome),
         // Carve the agent's executable/config surfaces back out of its writable
-        // state dir so a prompted agent can't plant a hook/command/plugin that runs
-        // on the user's next host invocation (denyWrite wins over allowWrite).
+        // state dir so a prompted agent can't plant a hook/command/plugin/mcpServer
+        // that runs on the user's next host invocation (denyWrite wins over
+        // allowWrite).
         ...profile.denyPaths.map(underHome),
         // Deny agent home dirs this profile does not own — counters srt's default
-        // `~/.claude/debug` write path for the neutral prepare policy and the codex
-        // profile, and keeps profiles from writing each other's credentials.
+        // `~/.claude/debug` write path for the neutral prepare policy and the
+        // relocating codex profile, and keeps profiles from writing each other's
+        // credentials.
         ...ALL_AGENT_HOME_DIRS.filter((dir) => !profile.writePaths.includes(dir)).map(underHome),
-        // Narrow the broad gitCommonDir write grant: the agent commits objects and
-        // refs but must never rewrite the repo's config or install hooks (a
-        // persistence vector). srt's mandatory deny is anchored at the cwd `.git`,
-        // which for a worktree is a file pointing elsewhere — so guard the common
-        // dir's config/hooks explicitly.
-        path.join(input.gitCommonDir, "config"),
-        path.join(input.gitCommonDir, "hooks"),
-        // Nested git persistence surfaces the top-level config/hooks deny misses:
-        // submodule gitdirs (`.git/modules/**/{config,hooks}`) and this worktree's
-        // per-worktree `config.worktree`. Commits never write these. (Cross-worktree
-        // isolation + full git-write scoping are tracked for live validation —
-        // STAFF-1305.)
-        path.join(input.gitCommonDir, "modules"),
-        path.join(input.gitCommonDir, "worktrees", path.basename(input.worktreeDir), "config.worktree"),
-        // The worktree's `.git` is a pointer *file* (`gitdir: …`). Deny writing it
-        // so the agent can't redirect the gitdir to a writable fake with its own
-        // config/hooks (e.g. `core.fsmonitor`) that runs when git next operates in
-        // this worktree on the host. git sets this pointer once at creation.
+        // Carve the per-worktree git redirection + config files back out of the
+        // granted worktree gitdir: `commondir`/`gitdir` redirect git to a fake
+        // common dir with its own hooks/config, and `config.worktree` can set
+        // `core.*` hooks that run when git next operates here on the host. git
+        // writes these once at worktree creation, never during a task.
+        ...gitCommonWriteDenies(input.gitCommonDir, worktreeBasename),
+        // The worktree's `.git` is a pointer *file* (`gitdir: …`). Deny writing it so
+        // the agent can't redirect the gitdir to a writable fake with its own
+        // config/hooks. git sets this pointer once at creation.
         path.join(input.worktreeDir, ".git"),
     ]);
     const settings = {
@@ -246,6 +321,20 @@ export function buildSrtSettings(input) {
     }
     return settings;
 }
+/**
+ * Files inside this worktree's granted gitdir that must stay unwritable: the
+ * `commondir`/`gitdir` redirection pointers and the per-worktree
+ * `config.worktree`. Returned as denies so they override the gitdir's
+ * `allowWrite` grant.
+ */
+function gitCommonWriteDenies(gitCommonDir, worktreeBasename) {
+    const worktreeGitDir = path.join(gitCommonDir, "worktrees", worktreeBasename);
+    return [
+        path.join(worktreeGitDir, "commondir"),
+        path.join(worktreeGitDir, "gitdir"),
+        path.join(worktreeGitDir, "config.worktree"),
+    ];
+}
 function unique(values) {
     return [...new Set(values)];
 }

package/dist/lib/stagedLaunch.d.ts

@@ -1,4 +1,3 @@
-import type { SandboxRuntimeConfig } from "@anthropic-ai/sandbox-runtime";
 import { type ResolvedConfig } from "./config.ts";
 export interface StagedPrompt {
     directory: string;
@@ -28,27 +27,6 @@ export declare function stagePromptFromTemplate(input: {
  * has nothing to forward, leaving the launch command unchanged.
  */
 export declare function stageBuildSecrets(promptDir: string): string | undefined;
-export interface StagedSrtSettings {
-    directory: string;
-    /** Profile-neutral policy for the prepareWorktree wrap (no agent credentials). */
-    prepareFile: string;
-    /** Full agent policy for the agent wrap. */
-    agentFile: string;
-}
-/**
- * Stage the generated srt settings JSON in its own temp dir, separate from the
- * prompt dir (which the launch command wipes before the agent execs). The
- * launch command tears this dir down after srt exits.
- *
- * Two files: the repo-controlled prepareWorktree hook runs under the
- * profile-neutral `prepare` policy (no `~/.claude`/`~/.codex` grants), while
- * the agent runs under the full `agent` policy — so a malicious repo hook
- * cannot read or mutate the agent's credentials before the agent starts.
- */
-export declare function stageSrtSettings(ticket: string, settings: {
-    prepare: SandboxRuntimeConfig;
-    agent: SandboxRuntimeConfig;
-}): StagedSrtSettings;
 export declare function stageWorkspaceLaunchCommand(promptDir: string, command: string): string;
 export declare function removeStagedPrompt(directory: string): void;
 export {};

package/dist/lib/stagedLaunch.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"stagedLaunch.d.ts","sourceRoot":"","sources":["../../src/lib/stagedLaunch.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,+BAA+B,CAAC;AAK1E,OAAO,EAAsB,KAAK,cAAc,EAAE,MAAM,aAAa,CAAC;AAItE,MAAM,WAAW,YAAY;IAC3B,SAAS,EAAE,MAAM,CAAC;IAClB,IAAI,EAAE,MAAM,CAAC;CACd;AAED,UAAU,uBAAuB;IAC/B,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC;IACjB,KAAK,EAAE,MAAM,CAAC;IACd,WAAW,EAAE,MAAM,CAAC;IACpB,gCAAgC,EAAE,MAAM,CAAC;CAC1C;AAWD,wBAAgB,eAAe,CAAC,KAAK,EAAE;IACrC,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;IACf,IAAI,EAAE,MAAM,CAAC;CACd,GAAG,YAAY,CAKf;AAED,wBAAgB,uBAAuB,CAAC,KAAK,EAAE;IAC7C,MAAM,EAAE,cAAc,CAAC;IACvB,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;IACf,SAAS,EAAE,uBAAuB,CAAC;CACpC,GAAG,YAAY,CAMf;AAED;;;;GAIG;AACH,wBAAgB,iBAAiB,CAAC,SAAS,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,CAevE;AAED,MAAM,WAAW,iBAAiB;IAChC,SAAS,EAAE,MAAM,CAAC;IAClB,kFAAkF;IAClF,WAAW,EAAE,MAAM,CAAC;IACpB,4CAA4C;IAC5C,SAAS,EAAE,MAAM,CAAC;CACnB;AAED;;;;;;;;;GASG;AACH,wBAAgB,gBAAgB,CAC9B,MAAM,EAAE,MAAM,EACd,QAAQ,EAAE;IAAE,OAAO,EAAE,oBAAoB,CAAC;IAAC,KAAK,EAAE,oBAAoB,CAAA;CAAE,GACvE,iBAAiB,CAOnB;AAQD,wBAAgB,2BAA2B,CAAC,SAAS,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,MAAM,CAEtF;AAED,wBAAgB,kBAAkB,CAAC,SAAS,EAAE,MAAM,GAAG,IAAI,CAE1D"}
+{"version":3,"file":"stagedLaunch.d.ts","sourceRoot":"","sources":["../../src/lib/stagedLaunch.ts"],"names":[],"mappings":"AAIA,OAAO,EAAsB,KAAK,cAAc,EAAE,MAAM,aAAa,CAAC;AAItE,MAAM,WAAW,YAAY;IAC3B,SAAS,EAAE,MAAM,CAAC;IAClB,IAAI,EAAE,MAAM,CAAC;CACd;AAED,UAAU,uBAAuB;IAC/B,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC;IACjB,KAAK,EAAE,MAAM,CAAC;IACd,WAAW,EAAE,MAAM,CAAC;IACpB,gCAAgC,EAAE,MAAM,CAAC;CAC1C;AAWD,wBAAgB,eAAe,CAAC,KAAK,EAAE;IACrC,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;IACf,IAAI,EAAE,MAAM,CAAC;CACd,GAAG,YAAY,CAKf;AAED,wBAAgB,uBAAuB,CAAC,KAAK,EAAE;IAC7C,MAAM,EAAE,cAAc,CAAC;IACvB,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;IACf,SAAS,EAAE,uBAAuB,CAAC;CACpC,GAAG,YAAY,CAMf;AAED;;;;GAIG;AACH,wBAAgB,iBAAiB,CAAC,SAAS,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,CAevE;AAQD,wBAAgB,2BAA2B,CAAC,SAAS,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,MAAM,CAEtF;AAED,wBAAgB,kBAAkB,CAAC,SAAS,EAAE,MAAM,GAAG,IAAI,CAE1D"}

package/dist/lib/stagedLaunch.js

@@ -46,24 +46,6 @@ export function stageBuildSecrets(promptDir) {
     writeFileSync(secretsFile, `${lines.join("\n")}\n`, { mode: 0o600 });
     return secretsFile;
 }
-/**
- * Stage the generated srt settings JSON in its own temp dir, separate from the
- * prompt dir (which the launch command wipes before the agent execs). The
- * launch command tears this dir down after srt exits.
- *
- * Two files: the repo-controlled prepareWorktree hook runs under the
- * profile-neutral `prepare` policy (no `~/.claude`/`~/.codex` grants), while
- * the agent runs under the full `agent` policy — so a malicious repo hook
- * cannot read or mutate the agent's credentials before the agent starts.
- */
-export function stageSrtSettings(ticket, settings) {
-    const directory = mkdtempSync(path.join(tmpdir(), `groundcrew-srt-${ticket}-`));
-    const prepareFile = path.join(directory, "prepare-settings.json");
-    const agentFile = path.join(directory, "agent-settings.json");
-    writeFileSync(prepareFile, `${JSON.stringify(settings.prepare, undefined, 2)}\n`);
-    writeFileSync(agentFile, `${JSON.stringify(settings.agent, undefined, 2)}\n`);
-    return { directory, prepareFile, agentFile };
-}
 function stageLaunchScript(promptDir, command) {
     const launcherFile = path.join(promptDir, "launch.sh");
     writeFileSync(launcherFile, `#!/usr/bin/env bash\n${command}\n`, { mode: 0o700 });

package/docs/runners.md

@@ -45,8 +45,8 @@ crew run --watch  # with local.runner: "srt" in crew.config.ts
 
 Groundcrew generates a per-launch policy itself (Safehouse's `.sb` profiles have no equivalent here):
 
-- **Reads**: the home region (`/Users` on macOS, `/home`+`/root`+`/mnt` on Linux — `/mnt` covers WSL's Windows drive mounts) is denied, then the worktree, the repo's git metadata, the language toolchains needed to run the agent, and the agent's own credential dirs (`~/.claude`, `~/.codex`, …) are re-opened. The agent cannot read `~/.ssh`, `~/.aws`, shell history, or unrelated repos.
-- **Writes**: allow-only — the worktree, git metadata, the npm cache, and the agent's state dir. Global toolchain bins (`~/.cargo/bin`, global `node_modules`, the npx cache, …) are never writable, and the agent's own executable/config surfaces (`~/.claude/settings.json` and its hooks, `commands/`, `agents/`, `plugins/`, `skills/`; `~/.codex/config.toml`) are denied even though the surrounding state dir is writable — both close the host-CLI persistence vector.
+- **Reads**: the home region (`/Users` on macOS, `/home`+`/root`+`/mnt` on Linux — `/mnt` covers WSL's Windows drive mounts) is denied, then the worktree, the repo's git metadata, the language toolchains needed to run the agent, and the agent's own config dirs (`~/.claude`, `~/.codex`, …) are re-opened. On macOS the user keychain dir (`~/Library/Keychains`) is also re-opened read-only so keychain-authenticated agents (claude) can sign in under the home mask. The agent cannot read `~/.ssh`, `~/.aws`, shell history, or unrelated repos.
+- **Writes**: allow-only, and the host-CLI persistence vector (planting hooks, `mcpServers`, `commands/`, `plugins/`, … that run on the user's next host invocation) is closed per agent. **claude** keeps a writable `~/.claude` (its Bash tool needs scratch/session state there) but every fixed-path executable/instruction surface — `~/.claude.json` (`mcpServers`), `settings.json` and its hooks, `commands/`, `agents/`, `plugins/`, `skills/`, `statusline.sh`, `CLAUDE.md`, the bundled `chrome` binary, `.git/{hooks,config}` — is denied; claude tolerates those write denials. **codex** hard-fails with a read-only home, so it is pointed at a per-launch relocated config dir (`CODEX_HOME`) seeded with its credentials, leaving the real `~/.codex` entirely unwritten. The git common dir is granted as a **narrow allowlist** of only what `status/diff/add/commit/push/gc` write (`objects`, `refs`, `logs`, `packed-refs`, this worktree's gitdir, …) — never wholesale, so the repo `config`/`hooks`, the per-worktree gitdir redirection files, and **sibling worktree gitdirs** stay unwritable. Global toolchain bins (`~/.cargo/bin`, global `node_modules`, the npx cache, …) are never writable either.
 - **Environment**: each `srt` invocation runs under a sanitized env (`env -i` + a benign baseline). Unlike safehouse and sdx, the `srt` CLI inherits the host env, so without this an ambient `AWS_*`, `GITHUB_TOKEN`, etc. would reach the agent and bypass the read mask. Credentials the agent legitimately needs from the environment must be forwarded explicitly via the model's `preLaunchEnv` (the same opt-in pass-list safehouse uses).
 - **Network**: allow-only, **reused from the same Clearance allowlist** (`CLEARANCE_ALLOW_HOSTS` / `CLEARANCE_ALLOW_HOSTS_FILES`, including the shipped `clearance-allow-hosts`) so there is one source of truth. Local binding and unix sockets stay off (never the Docker socket).
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@clipboard-health/groundcrew",
-  "version": "4.12.0",
+  "version": "4.13.0",
   "description": "Linear-driven orchestrator that launches AI coding agents in git worktrees, with workspace lifecycle and usage tracking.",
   "keywords": [
     "agent",
@@ -84,7 +84,7 @@
     "@types/node": "25.9.1",
     "@typescript/native-preview": "7.0.0-dev.20260527.2",
     "@vitest/coverage-v8": "4.1.7",
-    "cspell": "10.0.0",
+    "cspell": "10.0.1",
     "dependency-cruiser": "17.4.3",
     "husky": "9.1.7",
     "jscpd": "4.2.4",