@electric-ax/agents 0.4.11 → 0.4.13

package/dist/index.cjs

@@ -27,6 +27,7 @@ const node_path = __toESM(require("node:path"));
 const node_url = __toESM(require("node:url"));
 const __electric_ax_agents_runtime = __toESM(require("@electric-ax/agents-runtime"));
 const __electric_ax_agents_runtime_tools = __toESM(require("@electric-ax/agents-runtime/tools"));
+const __electric_ax_agents_runtime_sandbox = __toESM(require("@electric-ax/agents-runtime/sandbox"));
 const node_fs = __toESM(require("node:fs"));
 const pino = __toESM(require("pino"));
 const zod = __toESM(require("zod"));
@@ -38,6 +39,7 @@ const sqlite_vec = __toESM(require("sqlite-vec"));
 const nanoid = __toESM(require("nanoid"));
 const __mariozechner_pi_ai = __toESM(require("@mariozechner/pi-ai"));
 const __electric_ax_agents_mcp = __toESM(require("@electric-ax/agents-mcp"));
+const undici = __toESM(require("undici"));
 
 //#region src/log.ts
 const LOG_LEVEL = process.env.ELECTRIC_AGENTS_LOG_LEVEL ?? `info`;
@@ -788,7 +790,8 @@ function createSpawnWorkerTool(ctx, modelConfig) {
 					wake: {
 						on: `runFinished`,
 						includeResponse: true
-					}
+					},
+					sandbox: `inherit`
 				});
 				const workerUrl = handle.entityUrl;
 				return {
@@ -887,6 +890,15 @@ async function fetchAvailableModelIds(provider) {
 function knownModelsForProvider(provider) {
 	return provider === __electric_ax_agents_runtime.MOONSHOT_PROVIDER ? (0, __electric_ax_agents_runtime.getMoonshotModels)() : (0, __mariozechner_pi_ai.getModels)(provider);
 }
+function resolveBuiltinModelContextWindow(modelConfig) {
+	const modelId = String(modelConfig.model);
+	if (modelConfig.provider === __electric_ax_agents_runtime.MOONSHOT_PROVIDER) return (0, __electric_ax_agents_runtime.getMoonshotModel)(modelId)?.contextWindow ?? null;
+	if (!modelConfig.provider) return null;
+	return knownModelsForProvider(modelConfig.provider).find((model) => model.id === modelId)?.contextWindow ?? null;
+}
+function resolveBuiltinModelSourceBudget(modelConfig) {
+	return resolveBuiltinModelContextWindow(modelConfig) ?? 1e5;
+}
 function choiceForKnownModel(provider, model) {
 	return {
 		provider,
@@ -1176,19 +1188,19 @@ function getToolName(tool) {
 	const name = tool.name;
 	return typeof name === `string` ? name : null;
 }
-function createHortonTools(workingDirectory, ctx, readSet, opts = {}) {
+function createHortonTools(sandbox, ctx, readSet, opts = {}) {
 	return [
-		(0, __electric_ax_agents_runtime_tools.createBashTool)(workingDirectory),
-		(0, __electric_ax_agents_runtime_tools.createReadFileTool)(workingDirectory, readSet),
-		(0, __electric_ax_agents_runtime_tools.createWriteTool)(workingDirectory, readSet),
-		(0, __electric_ax_agents_runtime_tools.createEditTool)(workingDirectory, readSet),
+		(0, __electric_ax_agents_runtime_tools.createBashTool)(sandbox),
+		(0, __electric_ax_agents_runtime_tools.createReadFileTool)(sandbox, readSet),
+		(0, __electric_ax_agents_runtime_tools.createWriteTool)(sandbox, readSet),
+		(0, __electric_ax_agents_runtime_tools.createEditTool)(sandbox, readSet),
 		__electric_ax_agents_runtime_tools.braveSearchTool,
-		...opts.modelCatalog && opts.modelConfig ? [(0, __electric_ax_agents_runtime_tools.createFetchUrlTool)({
+		...opts.modelCatalog && opts.modelConfig ? [(0, __electric_ax_agents_runtime_tools.createFetchUrlTool)(sandbox, {
 			catalog: opts.modelCatalog,
 			modelConfig: opts.modelConfig,
 			log: (message) => serverLog.info(message),
 			logPrefix: opts.logPrefix ?? `[horton]`
-		})] : [__electric_ax_agents_runtime_tools.fetchUrlTool],
+		})] : [(0, __electric_ax_agents_runtime_tools.createFetchUrlTool)(sandbox)],
 		createSpawnWorkerTool(ctx, opts.modelConfig),
 		(0, __electric_ax_agents_runtime_tools.createSendTool)(ctx.send, { selfEntityUrl: ctx.entityUrl }),
 		...opts.docsSearchTool ? [opts.docsSearchTool] : []
@@ -1242,11 +1254,10 @@ async function extractFirstUserMessage(ctx) {
 function messageSeq(message) {
 	return typeof message._seq === `number` ? message._seq : -1;
 }
-function readAgentsMd(workingDirectory) {
-	const agentsMdPath = node_path.default.join(workingDirectory, `AGENTS.md`);
+async function readAgentsMd(sandbox) {
+	const agentsMdPath = node_path.default.posix.join(sandbox.workingDirectory, `AGENTS.md`);
 	try {
-		if (!node_fs.default.existsSync(agentsMdPath) || !node_fs.default.statSync(agentsMdPath).isFile()) return null;
-		const content = node_fs.default.readFileSync(agentsMdPath, `utf8`);
+		const content = (await sandbox.readFile(agentsMdPath)).toString(`utf8`);
 		return [
 			`<context_file kind="instructions" path="${agentsMdPath}">`,
 			content,
@@ -1257,16 +1268,17 @@ function readAgentsMd(workingDirectory) {
 	}
 }
 function createAssistantHandler(options) {
-	const { workingDirectory, streamFn, docsSupport, docsSearchTool, skillsRegistry, modelCatalog, docsUrl } = options;
+	const { streamFn, docsSupport, docsSearchTool, skillsRegistry, modelCatalog, docsUrl } = options;
 	const hasSkills = Boolean(skillsRegistry && skillsRegistry.catalog.size > 0);
 	return async function assistantHandler(ctx, wake) {
 		const readSet = new Set();
-		const effectiveCwd = typeof ctx.args.workingDirectory === `string` && ctx.args.workingDirectory.trim().length > 0 ? ctx.args.workingDirectory : workingDirectory;
 		const modelConfig = resolveBuiltinModelConfig(modelCatalog, ctx.args);
-		const agentsMd = readAgentsMd(effectiveCwd);
+		const sourceBudget = resolveBuiltinModelSourceBudget(modelConfig);
+		const sandboxCwd = ctx.sandbox.workingDirectory;
+		const agentsMd = await readAgentsMd(ctx.sandbox);
 		const tools = [
 			...ctx.electricTools,
-			...createHortonTools(effectiveCwd, ctx, readSet, {
+			...createHortonTools(ctx.sandbox, ctx, readSet, {
 				docsSearchTool,
 				modelConfig,
 				modelCatalog,
@@ -1295,7 +1307,7 @@ function createAssistantHandler(options) {
 			}
 		})() : Promise.resolve();
 		if (docsSupport) ctx.useContext({
-			sourceBudget: 1e5,
+			sourceBudget,
 			sources: {
 				docs_toc: {
 					content: () => docsSupport.renderCompressedToc(),
@@ -1324,7 +1336,7 @@ function createAssistantHandler(options) {
 			}
 		});
 		else if (skillsRegistry && skillsRegistry.catalog.size > 0) ctx.useContext({
-			sourceBudget: 1e5,
+			sourceBudget,
 			sources: {
 				skills_catalog: {
 					content: () => skillsRegistry.renderCatalog(2e3),
@@ -1343,7 +1355,7 @@ function createAssistantHandler(options) {
 			}
 		});
 		else if (agentsMd) ctx.useContext({
-			sourceBudget: 1e5,
+			sourceBudget,
 			sources: {
 				conversation: {
 					content: () => ctx.timelineMessages(),
@@ -1357,7 +1369,7 @@ function createAssistantHandler(options) {
 			}
 		});
 		ctx.useAgent({
-			systemPrompt: buildHortonSystemPrompt(effectiveCwd, {
+			systemPrompt: buildHortonSystemPrompt(sandboxCwd, {
 				hasDocsSupport: Boolean(docsSupport),
 				hasSkills,
 				docsUrl,
@@ -1385,7 +1397,6 @@ function registerHorton(registry, options) {
 		serverLog.warn(`[horton-docs] warmup failed: ${error instanceof Error ? error.message : String(error)}`);
 	});
 	const assistantHandler = createAssistantHandler({
-		workingDirectory,
 		streamFn,
 		docsSupport,
 		docsSearchTool,
@@ -1401,6 +1412,15 @@ function registerHorton(registry, options) {
 	registry.define(`horton`, {
 		description: `Friendly capable assistant — chat, code, research, dispatch`,
 		creationSchema: hortonCreationSchema,
+		permissionGrants: [{
+			subject_kind: `principal_kind`,
+			subject_value: `user`,
+			permission: `spawn`
+		}, {
+			subject_kind: `principal_kind`,
+			subject_value: `user`,
+			permission: `manage`
+		}],
 		handler: assistantHandler
 	});
 	return [`horton`];
@@ -1442,26 +1462,29 @@ function parseWorkerArgs(value) {
 	if (typeof value.reasoningEffort === `string` && REASONING_EFFORT_VALUES.includes(value.reasoningEffort)) args.reasoningEffort = value.reasoningEffort;
 	return args;
 }
-function buildToolsForWorker(tools, workingDirectory, ctx, readSet) {
+function buildToolsForWorker(tools, sandbox, ctx, readSet, opts) {
 	const out = [];
 	for (const name of tools) switch (name) {
 		case `bash`:
-			out.push((0, __electric_ax_agents_runtime_tools.createBashTool)(workingDirectory));
+			out.push((0, __electric_ax_agents_runtime_tools.createBashTool)(sandbox));
 			break;
 		case `read`:
-			out.push((0, __electric_ax_agents_runtime_tools.createReadFileTool)(workingDirectory, readSet));
+			out.push((0, __electric_ax_agents_runtime_tools.createReadFileTool)(sandbox, readSet));
 			break;
 		case `write`:
-			out.push((0, __electric_ax_agents_runtime_tools.createWriteTool)(workingDirectory, readSet));
+			out.push((0, __electric_ax_agents_runtime_tools.createWriteTool)(sandbox, readSet));
 			break;
 		case `edit`:
-			out.push((0, __electric_ax_agents_runtime_tools.createEditTool)(workingDirectory, readSet));
+			out.push((0, __electric_ax_agents_runtime_tools.createEditTool)(sandbox, readSet));
 			break;
 		case `web_search`:
 			out.push(__electric_ax_agents_runtime_tools.braveSearchTool);
 			break;
 		case `fetch_url`:
-			out.push(__electric_ax_agents_runtime_tools.fetchUrlTool);
+			out.push((0, __electric_ax_agents_runtime_tools.createFetchUrlTool)(sandbox, {
+				catalog: opts.modelCatalog,
+				modelConfig: opts.modelConfig
+			}));
 			break;
 		case `spawn_worker`:
 			out.push(createSpawnWorkerTool(ctx));
@@ -1569,14 +1592,26 @@ function buildSharedStateTools(shared, schema, mode) {
 	return tools;
 }
 function registerWorker(registry, options) {
-	const { workingDirectory, streamFn, modelCatalog } = options;
+	const { streamFn, modelCatalog } = options;
 	registry.define(`worker`, {
 		description: `Internal — generic worker spawned by other agents. Configure via spawn args (systemPrompt + tools + optional sharedDb).`,
+		permissionGrants: [{
+			subject_kind: `principal_kind`,
+			subject_value: `user`,
+			permission: `spawn`
+		}, {
+			subject_kind: `principal_kind`,
+			subject_value: `user`,
+			permission: `manage`
+		}],
 		async handler(ctx) {
 			const args = parseWorkerArgs(ctx.args);
 			const readSet = new Set();
-			const builtinTools = buildToolsForWorker(args.tools, workingDirectory, ctx, readSet);
 			const modelConfig = resolveBuiltinModelConfig(modelCatalog, args);
+			const builtinTools = buildToolsForWorker(args.tools, ctx.sandbox, ctx, readSet, {
+				modelCatalog,
+				modelConfig
+			});
 			const sharedStateTools = [];
 			if (args.sharedDb) {
 				const shared = await ctx.observe((0, __electric_ax_agents_runtime.db)(args.sharedDb.id, args.sharedDb.schema));
@@ -1654,6 +1689,7 @@ async function createBuiltinAgentHandler(options) {
 		modelCatalog
 	});
 	typeNames.push(`worker`);
+	const sandboxProfiles = await buildBuiltinSandboxProfiles(cwd);
 	const runtime = (0, __electric_ax_agents_runtime.createRuntimeHandler)({
 		baseUrl: agentServerUrl,
 		serveEndpoint,
@@ -1664,7 +1700,8 @@ async function createBuiltinAgentHandler(options) {
 		idleTimeout: 5 * 6e4,
 		createElectricTools: createBuiltinElectricTools(createElectricTools),
 		publicUrl,
-		name: runtimeName ?? `builtin-agents`
+		name: runtimeName ?? `builtin-agents`,
+		sandboxProfiles
 	});
 	return {
 		handler: runtime.onEnter,
@@ -1688,6 +1725,97 @@ async function registerBuiltinAgentTypes(bootstrap) {
 	serverLog.info(`[builtin-agents] ${bootstrap.typeNames.length} built-in agent types ready: ${bootstrap.typeNames.join(`, `)}`);
 }
 const registerAgentTypes = registerBuiltinAgentTypes;
+/**
+* Guard so repeated `buildBuiltinSandboxProfiles` calls in one process don't
+* re-run the boot sweep.
+*/
+let dockerSweptOnBoot = false;
+function sweepOrphanedDockerSandboxesOnce(sweep) {
+	if (dockerSweptOnBoot) return;
+	dockerSweptOnBoot = true;
+	sweep().then((removed) => {
+		if (removed.length > 0) serverLog.info(`[builtin-agents] docker sandbox boot sweep removed ${removed.length} leftover container(s)`);
+	}).catch((err) => serverLog.warn(`[builtin-agents] docker sandbox boot sweep error: ${err instanceof Error ? err.message : String(err)}`));
+}
+/**
+* Built-in sandbox profiles. `local` is always available. `docker` is
+* gated on Docker being reachable so a user without Docker installed
+* sees only what works — the UI never offers a non-functional choice.
+*/
+async function buildBuiltinSandboxProfiles(workingDirectory) {
+	const profiles = [{
+		name: `local`,
+		label: `Local`,
+		description: `Runs on the host without isolation. Full filesystem access.`,
+		factory: ({ args }) => (0, __electric_ax_agents_runtime_sandbox.chooseDefaultSandbox)(resolveCwd(args, workingDirectory))
+	}];
+	try {
+		const { isDockerAvailable } = await import(`@electric-ax/agents-runtime/sandbox/docker`);
+		if (await isDockerAvailable()) {
+			const { dockerSandbox, sweepOrphanedDockerSandboxes } = await import(`@electric-ax/agents-runtime/sandbox/docker`);
+			sweepOrphanedDockerSandboxesOnce(sweepOrphanedDockerSandboxes);
+			profiles.push({
+				name: `docker`,
+				label: `Docker`,
+				description: `Runs in a hardened Docker container: dropped capabilities, no privilege escalation, and CPU/memory/process limits. The chosen working directory is mounted read-write and, by default, network egress is unrestricted (allow-all).`,
+				factory: ({ args, sandboxKey, persistent, owner, entityType, entityUrl }) => {
+					const cwd = readWorkingDirectoryArg(args);
+					return dockerSandbox({
+						initialNetworkPolicy: { mode: `allow-all` },
+						extraMounts: cwd ? [{
+							hostPath: cwd,
+							containerPath: `/work`,
+							readOnly: false
+						}] : void 0,
+						sandboxKey,
+						persistent,
+						owner,
+						entityType,
+						entityUrl
+					});
+				}
+			});
+		} else serverLog.info(`[builtin-agents] docker daemon not reachable — docker sandbox profile not registered`);
+	} catch (err) {
+		serverLog.warn(`[builtin-agents] failed to probe docker availability: ${err instanceof Error ? err.message : String(err)}`);
+	}
+	if (process.env.E2B_API_KEY) if (await (0, __electric_ax_agents_runtime_sandbox.isE2BAvailable)()) profiles.push({
+		name: `e2b`,
+		label: `E2B`,
+		description: `Runs in a remote E2B microVM. Persistent sandboxes survive across wakes and are reachable from any runner.`,
+		remote: true,
+		factory: ({ sandboxKey, persistent, owner }) => (0, __electric_ax_agents_runtime_sandbox.remoteSandbox)({
+			provider: `e2b`,
+			apiKey: process.env.E2B_API_KEY,
+			sandboxKey,
+			persistent,
+			owner,
+			initialNetworkPolicy: { mode: `allow-all` }
+		})
+	});
+	else serverLog.info(`[builtin-agents] E2B_API_KEY set but the "e2b" package is not installed — e2b sandbox profile not registered`);
+	console.log(`[builtin-agents] sandbox profiles advertised: ${profiles.map((p) => p.name).join(`, `)}`);
+	return profiles;
+}
+function readWorkingDirectoryArg(args) {
+	const v = args.workingDirectory;
+	return typeof v === `string` && v.trim().length > 0 ? v : null;
+}
+function resolveCwd(args, fallback) {
+	return readWorkingDirectoryArg(args) ?? fallback;
+}
+
+//#endregion
+//#region src/durable-streams-cache.ts
+const MEMORY_CACHE_SIZE_BYTES = 100 * 1024 * 1024;
+function installDurableStreamsFetchCache(options = {}) {
+	if (options === false) return;
+	const store = options.store === `sqlite` || options.sqliteLocation ? new undici.cacheStores.SqliteCacheStore({
+		location: options.sqliteLocation,
+		maxCount: options.maxCount
+	}) : new undici.cacheStores.MemoryCacheStore({ maxSize: MEMORY_CACHE_SIZE_BYTES });
+	(0, undici.setGlobalDispatcher)(new undici.Agent().compose(undici.interceptors.cache({ store })));
+}
 
 //#endregion
 //#region src/server.ts
@@ -1698,6 +1826,8 @@ var BuiltinAgentsServer = class {
 	mcpToolProviderName = null;
 	mcpApplyInFlight = new Set();
 	mcpStopping = false;
+	mcpExtras = [];
+	mcpLastJsonConfig = null;
 	pullWakeRunner = null;
 	options;
 	constructor(options) {
@@ -1707,8 +1837,70 @@ var BuiltinAgentsServer = class {
 	get mcpRegistry() {
 		return this._mcpRegistry;
 	}
+	/**
+	* Replace the in-memory `extras` list and re-apply the merged config
+	* against the last-known workspace `mcp.json` state. Workspace
+	* `mcp.json` still wins on name collision. No-op once `stop()` has
+	* latched `mcpStopping`.
+	*/
+	async setExtraMcpServers(extras) {
+		if (!this._mcpRegistry || this.mcpStopping) return;
+		this.mcpExtras = extras;
+		await this.applyMerged(this.mcpLastJsonConfig);
+	}
+	async wirePersistence(cfg) {
+		const servers = [];
+		for (const s of cfg.servers) if (s.transport === `http` && s.auth?.mode === `authorizationCode`) {
+			const persist = await (0, __electric_ax_agents_mcp.keychainPersistence)({ server: s.name });
+			servers.push({
+				...s,
+				auth: {
+					...s.auth,
+					...persist
+				}
+			});
+		} else servers.push(s);
+		return {
+			...cfg,
+			servers
+		};
+	}
+	mergeMcp(jsonCfg) {
+		const jsonServers = jsonCfg?.servers ?? [];
+		const jsonNames = new Set(jsonServers.map((s) => s.name));
+		const filteredExtras = this.mcpExtras.filter((s) => !jsonNames.has(s.name));
+		return {
+			servers: [...filteredExtras, ...jsonServers],
+			raw: jsonCfg?.raw
+		};
+	}
+	async runApply(jsonCfg) {
+		if (this.mcpStopping) return;
+		const registry = this._mcpRegistry;
+		if (!registry) return;
+		try {
+			const wired = await this.wirePersistence(this.mergeMcp(jsonCfg));
+			if (this.mcpStopping) return;
+			await registry.applyConfig(wired);
+		} catch (e) {
+			serverLog.error(`[mcp] applyConfig:`, e);
+			try {
+				this.options.onConfigError?.(e);
+			} catch (cbErr) {
+				serverLog.error(`[mcp] onConfigError callback failed:`, cbErr);
+			}
+		}
+	}
+	applyMerged(jsonCfg) {
+		this.mcpLastJsonConfig = jsonCfg;
+		const p = this.runApply(jsonCfg);
+		this.mcpApplyInFlight.add(p);
+		p.finally(() => this.mcpApplyInFlight.delete(p));
+		return p;
+	}
 	async start() {
 		if (this.bootstrap || this.pullWakeRunner) throw new Error(`Builtin agents runtime already started`);
+		installDurableStreamsFetchCache(this.options.durableStreamsFetchCache);
 		const pullWake = this.options.pullWake;
 		if (!pullWake?.runnerId) throw new Error(`Builtin agents require a pull-wake runner id`);
 		try {
@@ -1719,76 +1911,28 @@ var BuiltinAgentsServer = class {
 			});
 			this._mcpRegistry = mcpRegistry;
 			const mcpConfigPath = this.options.loadProjectMcpConfig ? node_path.default.resolve(this.options.workingDirectory ?? process.cwd(), `mcp.json`) : null;
-			const extras = this.options.extraMcpServers ?? [];
-			const wirePersistence = async (cfg) => {
-				const servers = [];
-				for (const s of cfg.servers) if (s.transport === `http` && s.auth?.mode === `authorizationCode`) {
-					const persist = await (0, __electric_ax_agents_mcp.keychainPersistence)({ server: s.name });
-					servers.push({
-						...s,
-						auth: {
-							...s.auth,
-							...persist
-						}
-					});
-				} else servers.push(s);
-				return {
-					...cfg,
-					servers
-				};
-			};
-			const merge = (jsonCfg) => {
-				const jsonServers = jsonCfg?.servers ?? [];
-				const jsonNames = new Set(jsonServers.map((s) => s.name));
-				const filteredExtras = extras.filter((s) => !jsonNames.has(s.name));
-				return {
-					servers: [...filteredExtras, ...jsonServers],
-					raw: jsonCfg?.raw
-				};
-			};
-			const onConfigError = this.options.onConfigError;
-			const runApply = async (jsonCfg) => {
-				if (this.mcpStopping) return;
-				try {
-					const wired = await wirePersistence(merge(jsonCfg));
-					if (this.mcpStopping) return;
-					await mcpRegistry.applyConfig(wired);
-				} catch (e) {
-					serverLog.error(`[mcp] applyConfig:`, e);
-					try {
-						onConfigError?.(e);
-					} catch (cbErr) {
-						serverLog.error(`[mcp] onConfigError callback failed:`, cbErr);
-					}
-				}
-			};
-			const applyMerged = (jsonCfg) => {
-				const p = runApply(jsonCfg);
-				this.mcpApplyInFlight.add(p);
-				p.finally(() => this.mcpApplyInFlight.delete(p));
-				return p;
-			};
+			this.mcpExtras = this.options.extraMcpServers ?? [];
 			if (mcpConfigPath) {
 				try {
 					const cfg = await (0, __electric_ax_agents_mcp.loadConfig)(mcpConfigPath, process.env);
-					applyMerged(cfg);
+					this.applyMerged(cfg);
 				} catch (err) {
 					if (err.code !== `ENOENT`) throw err;
-					if (extras.length === 0) serverLog.info(`[mcp] no ${mcpConfigPath} — starting with no servers`);
-					else serverLog.info(`[mcp] no ${mcpConfigPath} — starting with ${extras.length} server(s) from extras`);
-					applyMerged(null);
+					if (this.mcpExtras.length === 0) serverLog.info(`[mcp] no ${mcpConfigPath} — starting with no servers`);
+					else serverLog.info(`[mcp] no ${mcpConfigPath} — starting with ${this.mcpExtras.length} server(s) from extras`);
+					this.applyMerged(null);
 				}
 				try {
 					this.mcpWatcherCloser = await (0, __electric_ax_agents_mcp.watchConfig)(mcpConfigPath, {
-						onChange: (cfg) => void applyMerged(cfg),
+						onChange: (cfg) => void this.applyMerged(cfg),
 						onError: (e) => serverLog.error(`[mcp] config error:`, e)
 					});
 				} catch (e) {
 					serverLog.error(`[mcp] config watcher failed to start:`, e);
 				}
 			} else {
-				if (extras.length > 0) serverLog.info(`[mcp] starting with ${extras.length} server(s) from extras`);
-				applyMerged(null);
+				if (this.mcpExtras.length > 0) serverLog.info(`[mcp] starting with ${this.mcpExtras.length} server(s) from extras`);
+				this.applyMerged(null);
 			}
 			this.mcpToolProviderName = `mcp`;
 			(0, __electric_ax_agents_runtime.registerToolProvider)({
@@ -1896,6 +2040,7 @@ var BuiltinAgentsServer = class {
 	async registerPullWakeRunner(pullWake) {
 		const headers = new Headers(typeof pullWake.headers === `function` ? await pullWake.headers() : pullWake.headers);
 		headers.set(`content-type`, `application/json`);
+		const profiles = this.bootstrap?.runtime.sandboxProfileDescriptors ?? [];
 		const response = await fetch((0, __electric_ax_agents_runtime.appendPathToUrl)(this.options.agentServerUrl, `/_electric/runners`), {
 			method: `POST`,
 			headers,
@@ -1904,7 +2049,8 @@ var BuiltinAgentsServer = class {
 				owner_principal: pullWake.ownerPrincipal,
 				label: pullWake.label ?? `Built-in agents`,
 				kind: `local`,
-				admin_status: `enabled`
+				admin_status: `enabled`,
+				sandbox_profiles: profiles
 			})
 		});
 		if (!response.ok) throw new Error(`Failed to register pull-wake runner ${pullWake.runnerId}: ${response.status} ${await response.text()}`);

package/dist/index.d.cts

@@ -2,6 +2,7 @@ import { AgentConfig, AgentTool, AvailableProvider, DispatchPolicy, EntityRegist
 import { AgentTool as AgentTool$1, StreamFn } from "@mariozechner/pi-agent-core";
 import { IncomingMessage, ServerResponse } from "node:http";
 import { ListedEntry as McpListedEntry, McpConfig, McpServerConfig, McpServerConfig as McpServerConfig$1, Registry, Registry as McpRegistry, RegistrySnapshot, RegistrySubscriber } from "@electric-ax/agents-mcp";
+import { Sandbox } from "@electric-ax/agents-runtime/sandbox";
 import { ChangeEvent } from "@durable-streams/state";
 import { braveSearchTool } from "@electric-ax/agents-runtime/tools";
 
@@ -35,12 +36,26 @@ declare function createAgentHandler(agentServerUrl: string, workingDirectory?: s
 declare function registerBuiltinAgentTypes(bootstrap: AgentHandlerResult): Promise<void>;
 declare const registerAgentTypes: typeof registerBuiltinAgentTypes;
 
+//#endregion
+//#region src/durable-streams-cache.d.ts
+type DurableStreamsFetchCacheOptions = false | {
+  store?: `memory` | `sqlite`;
+  sqliteLocation?: string;
+  maxCount?: number;
+};
+
 //#endregion
 //#region src/server.d.ts
 interface BuiltinAgentsServerOptions {
   agentServerUrl: string;
   workingDirectory?: string;
   mockStreamFn?: StreamFn;
+  /**
+   * Configure the process-wide HTTP cache used by Undici-backed fetch calls.
+   * Defaults to a 100 MiB in-memory cache. Pass `false` to leave the global
+   * dispatcher unchanged.
+   */
+  durableStreamsFetchCache?: DurableStreamsFetchCacheOptions;
   /** Pull-wake runner configuration for built-in agents. */
   pullWake: {
     runnerId: string;
@@ -91,11 +106,24 @@ declare class BuiltinAgentsServer {
   private mcpToolProviderName;
   private mcpApplyInFlight;
   private mcpStopping;
+  private mcpExtras;
+  private mcpLastJsonConfig;
   private pullWakeRunner;
   readonly options: BuiltinAgentsServerOptions;
   constructor(options: BuiltinAgentsServerOptions);
   /** Embedded MCP registry. `null` until `start()` has run. */
   get mcpRegistry(): Registry | null;
+  /**
+   * Replace the in-memory `extras` list and re-apply the merged config
+   * against the last-known workspace `mcp.json` state. Workspace
+   * `mcp.json` still wins on name collision. No-op once `stop()` has
+   * latched `mcpStopping`.
+   */
+  setExtraMcpServers(extras: ReadonlyArray<McpServerConfig$1>): Promise<void>;
+  private wirePersistence;
+  private mergeMcp;
+  private runApply;
+  private applyMerged;
   start(): Promise<string>;
   stop(): Promise<void>;
   private registerPullWakeRunner;
@@ -167,7 +195,7 @@ declare function buildHortonSystemPrompt(workingDirectory: string, opts?: {
   modelProvider?: string;
   modelId?: string;
 }): string;
-declare function createHortonTools(workingDirectory: string, ctx: HandlerContext, readSet: Set<string>, opts?: {
+declare function createHortonTools(sandbox: Sandbox, ctx: HandlerContext, readSet: Set<string>, opts?: {
   docsSearchTool?: AgentTool$1;
   modelConfig?: ReturnType<typeof resolveBuiltinModelConfig>;
   modelCatalog?: BuiltinModelCatalog;

package/dist/index.d.ts

@@ -1,5 +1,6 @@
 import { AgentConfig, AgentTool, AvailableProvider, DispatchPolicy, EntityRegistry, HandlerContext, HeadersProvider, ProcessWakeConfig, PullWakeRunnerConfig, RuntimeHandler, SkillsRegistry, WakeEvent } from "@electric-ax/agents-runtime";
 import { braveSearchTool } from "@electric-ax/agents-runtime/tools";
+import { Sandbox } from "@electric-ax/agents-runtime/sandbox";
 import { ListedEntry as McpListedEntry, McpConfig, McpServerConfig, McpServerConfig as McpServerConfig$1, Registry, Registry as McpRegistry, RegistrySnapshot, RegistrySubscriber } from "@electric-ax/agents-mcp";
 import { AgentTool as AgentTool$1, StreamFn } from "@mariozechner/pi-agent-core";
 import { IncomingMessage, ServerResponse } from "node:http";
@@ -35,12 +36,26 @@ declare function createAgentHandler(agentServerUrl: string, workingDirectory?: s
 declare function registerBuiltinAgentTypes(bootstrap: AgentHandlerResult): Promise<void>;
 declare const registerAgentTypes: typeof registerBuiltinAgentTypes;
 
+//#endregion
+//#region src/durable-streams-cache.d.ts
+type DurableStreamsFetchCacheOptions = false | {
+  store?: `memory` | `sqlite`;
+  sqliteLocation?: string;
+  maxCount?: number;
+};
+
 //#endregion
 //#region src/server.d.ts
 interface BuiltinAgentsServerOptions {
   agentServerUrl: string;
   workingDirectory?: string;
   mockStreamFn?: StreamFn;
+  /**
+   * Configure the process-wide HTTP cache used by Undici-backed fetch calls.
+   * Defaults to a 100 MiB in-memory cache. Pass `false` to leave the global
+   * dispatcher unchanged.
+   */
+  durableStreamsFetchCache?: DurableStreamsFetchCacheOptions;
   /** Pull-wake runner configuration for built-in agents. */
   pullWake: {
     runnerId: string;
@@ -91,11 +106,24 @@ declare class BuiltinAgentsServer {
   private mcpToolProviderName;
   private mcpApplyInFlight;
   private mcpStopping;
+  private mcpExtras;
+  private mcpLastJsonConfig;
   private pullWakeRunner;
   readonly options: BuiltinAgentsServerOptions;
   constructor(options: BuiltinAgentsServerOptions);
   /** Embedded MCP registry. `null` until `start()` has run. */
   get mcpRegistry(): Registry | null;
+  /**
+   * Replace the in-memory `extras` list and re-apply the merged config
+   * against the last-known workspace `mcp.json` state. Workspace
+   * `mcp.json` still wins on name collision. No-op once `stop()` has
+   * latched `mcpStopping`.
+   */
+  setExtraMcpServers(extras: ReadonlyArray<McpServerConfig$1>): Promise<void>;
+  private wirePersistence;
+  private mergeMcp;
+  private runApply;
+  private applyMerged;
   start(): Promise<string>;
   stop(): Promise<void>;
   private registerPullWakeRunner;
@@ -167,7 +195,7 @@ declare function buildHortonSystemPrompt(workingDirectory: string, opts?: {
   modelProvider?: string;
   modelId?: string;
 }): string;
-declare function createHortonTools(workingDirectory: string, ctx: HandlerContext, readSet: Set<string>, opts?: {
+declare function createHortonTools(sandbox: Sandbox, ctx: HandlerContext, readSet: Set<string>, opts?: {
   docsSearchTool?: AgentTool$1;
   modelConfig?: ReturnType<typeof resolveBuiltinModelConfig>;
   modelCatalog?: BuiltinModelCatalog;