@exulu/backend 1.61.1 → 1.61.3

package/dist/{chunk-MPV7HBV6.js → chunk-PFKAWGB6.js}

@@ -744,7 +744,7 @@ var ExuluTool = class {
       });
       providerapikey = resolved.apiKey;
     }
-    const { convertExuluToolsToAiSdkTools: convertExuluToolsToAiSdkTools2 } = await import("./convert-exulu-tools-to-ai-sdk-tools-CULC37U6.js");
+    const { convertExuluToolsToAiSdkTools: convertExuluToolsToAiSdkTools2 } = await import("./convert-exulu-tools-to-ai-sdk-tools-VRZ45OGI.js");
     const tools = await convertExuluToolsToAiSdkTools2(
       [this],
       [],
@@ -1767,22 +1767,45 @@ var createUppyRoutes = async (app, config) => {
     } else {
       prefix += "global";
     }
+    console.log("[EXULU] bucket", config.fileUploads.s3Bucket);
     console.log("[EXULU] prefix", prefix);
-    const command = new ListObjectsV2Command({
-      Bucket: config.fileUploads.s3Bucket,
-      Prefix: prefix,
-      MaxKeys: 9,
-      ...req.query.continuationToken && {
-        ContinuationToken: req.query.continuationToken
-      }
-    });
-    const response = await client.send(command);
+    let response;
     if (req.query.search) {
-      const search = req.query.search;
+      const search = req.query.search.toLowerCase();
       console.log("[EXULU] Filtering files by search query", req.query.search);
-      response.Contents = response.Contents?.filter(
-        (content) => content?.Key?.toLowerCase().includes(search.toLowerCase())
-      );
+      const matched = [];
+      let token;
+      do {
+        const page = await client.send(
+          new ListObjectsV2Command({
+            Bucket: config.fileUploads.s3Bucket,
+            Prefix: prefix,
+            ...token && { ContinuationToken: token }
+          })
+        );
+        for (const obj of page.Contents ?? []) {
+          if (obj.Key?.toLowerCase().includes(search)) {
+            matched.push(obj);
+          }
+        }
+        token = page.IsTruncated ? page.NextContinuationToken : void 0;
+      } while (token);
+      response = {
+        $metadata: {},
+        Contents: matched,
+        KeyCount: matched.length,
+        IsTruncated: false
+      };
+    } else {
+      const command = new ListObjectsV2Command({
+        Bucket: config.fileUploads.s3Bucket,
+        Prefix: prefix,
+        MaxKeys: 9,
+        ...req.query.continuationToken && {
+          ContinuationToken: req.query.continuationToken
+        }
+      });
+      response = await client.send(command);
     }
     res.json({
       ...response,
@@ -6442,6 +6465,42 @@ var getAllExuluVariables = async () => {
 };
 var execAsync2 = promisify2(exec2);
 var EXEC_MAX_BUFFER = 32 * 1024 * 1024;
+var sandboxProbePromise;
+function probeSandboxSupport() {
+  if (sandboxProbePromise) return sandboxProbePromise;
+  sandboxProbePromise = (async () => {
+    if (process.platform === "darwin") return { canSandbox: true };
+    if (process.platform !== "linux") {
+      return { canSandbox: false, reason: `Unsupported platform: ${process.platform}` };
+    }
+    return await new Promise((resolve3) => {
+      const child = spawn2("bwrap", ["--dev-bind", "/", "/", "--", "/bin/true"]);
+      let stderr = "";
+      child.stderr.on("data", (chunk) => {
+        stderr += chunk.toString();
+      });
+      child.on("error", (err) => {
+        resolve3({ canSandbox: false, reason: `bwrap not executable: ${err.message}` });
+      });
+      child.on("exit", (code) => {
+        if (code === 0) resolve3({ canSandbox: true });
+        else resolve3({ canSandbox: false, reason: stderr.trim() || `bwrap exited ${code}` });
+      });
+    });
+  })();
+  return sandboxProbePromise;
+}
+var SANDBOX_FALLBACK_INSTRUCTIONS = 'Skill sandboxing is running in DEGRADED mode: bwrap cannot create user namespaces on this host, so commands\nexecute directly. The container remains the isolation boundary and resolveSessionPath still scopes\nreadFile/writeFile to the session directory at the JS layer, but bash commands are NOT kernel-sandboxed.\n\nTo restore full sandboxing on Ubuntu 23.10+ / 24.04+ hosts (kernel 6.5+):\n  sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0\n  echo "kernel.apparmor_restrict_unprivileged_userns=0" | sudo tee /etc/sysctl.d/60-userns.conf\n  sudo sysctl --system\n\nOn Debian hosts where the same symptom appears:\n  sudo sysctl -w kernel.unprivileged_userns_clone=1\n\nSet EXULU_REQUIRE_SANDBOX=1 to fail startup instead of degrading.';
+var degradedModeLogged = false;
+function logDegradedModeOnce(reason) {
+  if (degradedModeLogged) return;
+  degradedModeLogged = true;
+  console.warn(
+    `[SKILLS] ${SANDBOX_FALLBACK_INSTRUCTIONS}
+
+Probe error: ${reason ?? "(no detail)"}`
+  );
+}
 var sandboxCache = /* @__PURE__ */ new Map();
 async function downloadSkill(skill, skillsDirectory, config) {
   const version = skill.current_version ?? 1;
@@ -6581,6 +6640,20 @@ async function createSessionSandbox(sessionId, skills, config, userId) {
   if (userId && config.fileUploads && !dirExisted) {
     await restoreArtifactsFromS3(sessionDir, sessionId, userId, config);
   }
+  const probe = await probeSandboxSupport();
+  const useDirectExec = !probe.canSandbox;
+  if (useDirectExec) {
+    if (process.env.EXULU_REQUIRE_SANDBOX === "1") {
+      throw new Error(
+        `[SKILLS] Sandbox required (EXULU_REQUIRE_SANDBOX=1) but unavailable.
+
+${SANDBOX_FALLBACK_INSTRUCTIONS}
+
+Probe error: ${probe.reason ?? "(no detail)"}`
+      );
+    }
+    logDegradedModeOnce(probe.reason);
+  }
   const baselineSandboxConfig = {
     network: {
       allowedDomains: [],
@@ -6596,7 +6669,9 @@ async function createSessionSandbox(sessionId, skills, config, userId) {
       denyWrite: []
     }
   };
-  await SandboxManager.initialize(baselineSandboxConfig);
+  if (!useDirectExec) {
+    await SandboxManager.initialize(baselineSandboxConfig);
+  }
   const npmGlobalRoot = await getNpmGlobalRoot();
   const sessionSandboxConfig = {
     network: {
@@ -6632,8 +6707,12 @@ async function createSessionSandbox(sessionId, skills, config, userId) {
     ...process.env,
     ...npmGlobalRoot ? { NODE_PATH: npmGlobalRoot } : {}
   };
+  const wrapIfNeeded = async (command) => {
+    if (useDirectExec) return command;
+    return SandboxManager.wrapWithSandbox(command, void 0, sessionSandboxConfig);
+  };
   const runWrapped = async (command) => {
-    const wrapped = await SandboxManager.wrapWithSandbox(command, void 0, sessionSandboxConfig);
+    const wrapped = await wrapIfNeeded(command);
     try {
       const { stdout, stderr } = await execAsync2(wrapped, {
         maxBuffer: EXEC_MAX_BUFFER,
@@ -6710,10 +6789,8 @@ async function createSessionSandbox(sessionId, skills, config, userId) {
   async function writeFilesInternal(files) {
     const results = [];
     for (const file of files) {
-      const wrapped = await SandboxManager.wrapWithSandbox(
-        `mkdir -p ${shellQuote(dirname(file.path))} && cat > ${shellQuote(file.path)}`,
-        void 0,
-        sessionSandboxConfig
+      const wrapped = await wrapIfNeeded(
+        `mkdir -p ${shellQuote(dirname(file.path))} && cat > ${shellQuote(file.path)}`
       );
       await new Promise((resolveSpawn, rejectSpawn) => {
         const child = spawn2("/bin/bash", ["-c", wrapped]);
@@ -6868,10 +6945,12 @@ ${lines.join("\n")}`;
   const handle = {
     sessionDir,
     tools: wrappedTools,
-    wrapCommand: (command) => SandboxManager.wrapWithSandbox(command, void 0, sessionSandboxConfig),
+    wrapCommand: (command) => wrapIfNeeded(command),
     cleanup: async () => {
       sandboxCache.delete(sessionId);
-      await SandboxManager.reset();
+      if (!useDirectExec) {
+        await SandboxManager.reset();
+      }
       await rm(sessionDir, { recursive: true, force: true });
     }
   };

package/dist/{convert-exulu-tools-to-ai-sdk-tools-CULC37U6.js → convert-exulu-tools-to-ai-sdk-tools-VRZ45OGI.js}

@@ -1,6 +1,6 @@
 import {
   convertExuluToolsToAiSdkTools
-} from "./chunk-MPV7HBV6.js";
+} from "./chunk-PFKAWGB6.js";
 export {
   convertExuluToolsToAiSdkTools
 };

package/dist/index.cjs

@@ -1847,22 +1847,45 @@ var init_uppy = __esm({
         } else {
           prefix += "global";
         }
+        console.log("[EXULU] bucket", config.fileUploads.s3Bucket);
         console.log("[EXULU] prefix", prefix);
-        const command = new import_client_s3.ListObjectsV2Command({
-          Bucket: config.fileUploads.s3Bucket,
-          Prefix: prefix,
-          MaxKeys: 9,
-          ...req.query.continuationToken && {
-            ContinuationToken: req.query.continuationToken
-          }
-        });
-        const response = await client2.send(command);
+        let response;
         if (req.query.search) {
-          const search = req.query.search;
+          const search = req.query.search.toLowerCase();
           console.log("[EXULU] Filtering files by search query", req.query.search);
-          response.Contents = response.Contents?.filter(
-            (content) => content?.Key?.toLowerCase().includes(search.toLowerCase())
-          );
+          const matched = [];
+          let token;
+          do {
+            const page = await client2.send(
+              new import_client_s3.ListObjectsV2Command({
+                Bucket: config.fileUploads.s3Bucket,
+                Prefix: prefix,
+                ...token && { ContinuationToken: token }
+              })
+            );
+            for (const obj of page.Contents ?? []) {
+              if (obj.Key?.toLowerCase().includes(search)) {
+                matched.push(obj);
+              }
+            }
+            token = page.IsTruncated ? page.NextContinuationToken : void 0;
+          } while (token);
+          response = {
+            $metadata: {},
+            Contents: matched,
+            KeyCount: matched.length,
+            IsTruncated: false
+          };
+        } else {
+          const command = new import_client_s3.ListObjectsV2Command({
+            Bucket: config.fileUploads.s3Bucket,
+            Prefix: prefix,
+            MaxKeys: 9,
+            ...req.query.continuationToken && {
+              ContinuationToken: req.query.continuationToken
+            }
+          });
+          response = await client2.send(command);
         }
         res.json({
           ...response,
@@ -2294,6 +2317,39 @@ var init_variable = __esm({
 });
 
 // ee/invoke-skills/create-sandbox.ts
+function probeSandboxSupport() {
+  if (sandboxProbePromise) return sandboxProbePromise;
+  sandboxProbePromise = (async () => {
+    if (process.platform === "darwin") return { canSandbox: true };
+    if (process.platform !== "linux") {
+      return { canSandbox: false, reason: `Unsupported platform: ${process.platform}` };
+    }
+    return await new Promise((resolve7) => {
+      const child = (0, import_node_child_process3.spawn)("bwrap", ["--dev-bind", "/", "/", "--", "/bin/true"]);
+      let stderr = "";
+      child.stderr.on("data", (chunk) => {
+        stderr += chunk.toString();
+      });
+      child.on("error", (err) => {
+        resolve7({ canSandbox: false, reason: `bwrap not executable: ${err.message}` });
+      });
+      child.on("exit", (code) => {
+        if (code === 0) resolve7({ canSandbox: true });
+        else resolve7({ canSandbox: false, reason: stderr.trim() || `bwrap exited ${code}` });
+      });
+    });
+  })();
+  return sandboxProbePromise;
+}
+function logDegradedModeOnce(reason) {
+  if (degradedModeLogged) return;
+  degradedModeLogged = true;
+  console.warn(
+    `[SKILLS] ${SANDBOX_FALLBACK_INSTRUCTIONS}
+
+Probe error: ${reason ?? "(no detail)"}`
+  );
+}
 async function downloadSkill(skill, skillsDirectory, config) {
   const version = skill.current_version ?? 1;
   if (!skill.current_version) {
@@ -2432,6 +2488,20 @@ async function createSessionSandbox(sessionId, skills, config, userId) {
   if (userId && config.fileUploads && !dirExisted) {
     await restoreArtifactsFromS3(sessionDir, sessionId, userId, config);
   }
+  const probe = await probeSandboxSupport();
+  const useDirectExec = !probe.canSandbox;
+  if (useDirectExec) {
+    if (process.env.EXULU_REQUIRE_SANDBOX === "1") {
+      throw new Error(
+        `[SKILLS] Sandbox required (EXULU_REQUIRE_SANDBOX=1) but unavailable.
+
+${SANDBOX_FALLBACK_INSTRUCTIONS}
+
+Probe error: ${probe.reason ?? "(no detail)"}`
+      );
+    }
+    logDegradedModeOnce(probe.reason);
+  }
   const baselineSandboxConfig = {
     network: {
       allowedDomains: [],
@@ -2447,7 +2517,9 @@ async function createSessionSandbox(sessionId, skills, config, userId) {
       denyWrite: []
     }
   };
-  await import_sandbox_runtime.SandboxManager.initialize(baselineSandboxConfig);
+  if (!useDirectExec) {
+    await import_sandbox_runtime.SandboxManager.initialize(baselineSandboxConfig);
+  }
   const npmGlobalRoot = await getNpmGlobalRoot();
   const sessionSandboxConfig = {
     network: {
@@ -2483,8 +2555,12 @@ async function createSessionSandbox(sessionId, skills, config, userId) {
     ...process.env,
     ...npmGlobalRoot ? { NODE_PATH: npmGlobalRoot } : {}
   };
+  const wrapIfNeeded = async (command) => {
+    if (useDirectExec) return command;
+    return import_sandbox_runtime.SandboxManager.wrapWithSandbox(command, void 0, sessionSandboxConfig);
+  };
   const runWrapped = async (command) => {
-    const wrapped = await import_sandbox_runtime.SandboxManager.wrapWithSandbox(command, void 0, sessionSandboxConfig);
+    const wrapped = await wrapIfNeeded(command);
     try {
       const { stdout, stderr } = await execAsync2(wrapped, {
         maxBuffer: EXEC_MAX_BUFFER,
@@ -2561,10 +2637,8 @@ async function createSessionSandbox(sessionId, skills, config, userId) {
   async function writeFilesInternal(files) {
     const results = [];
     for (const file of files) {
-      const wrapped = await import_sandbox_runtime.SandboxManager.wrapWithSandbox(
-        `mkdir -p ${shellQuote((0, import_node_path3.dirname)(file.path))} && cat > ${shellQuote(file.path)}`,
-        void 0,
-        sessionSandboxConfig
+      const wrapped = await wrapIfNeeded(
+        `mkdir -p ${shellQuote((0, import_node_path3.dirname)(file.path))} && cat > ${shellQuote(file.path)}`
       );
       await new Promise((resolveSpawn, rejectSpawn) => {
         const child = (0, import_node_child_process3.spawn)("/bin/bash", ["-c", wrapped]);
@@ -2719,17 +2793,19 @@ ${lines.join("\n")}`;
   const handle = {
     sessionDir,
     tools: wrappedTools,
-    wrapCommand: (command) => import_sandbox_runtime.SandboxManager.wrapWithSandbox(command, void 0, sessionSandboxConfig),
+    wrapCommand: (command) => wrapIfNeeded(command),
     cleanup: async () => {
       sandboxCache.delete(sessionId);
-      await import_sandbox_runtime.SandboxManager.reset();
+      if (!useDirectExec) {
+        await import_sandbox_runtime.SandboxManager.reset();
+      }
       await (0, import_promises.rm)(sessionDir, { recursive: true, force: true });
     }
   };
   sandboxCache.set(sessionId, { handle, installedSkills });
   return handle;
 }
-var import_sandbox_runtime, import_promises, import_node_fs3, import_node_path3, import_node_child_process3, import_node_util2, import_bash_tool, import_ai, import_zod4, import_crypto_js2, getAllExuluVariables, execAsync2, EXEC_MAX_BUFFER, sandboxCache;
+var import_sandbox_runtime, import_promises, import_node_fs3, import_node_path3, import_node_child_process3, import_node_util2, import_bash_tool, import_ai, import_zod4, import_crypto_js2, getAllExuluVariables, execAsync2, EXEC_MAX_BUFFER, sandboxProbePromise, SANDBOX_FALLBACK_INSTRUCTIONS, degradedModeLogged, sandboxCache;
 var init_create_sandbox = __esm({
   "ee/invoke-skills/create-sandbox.ts"() {
     "use strict";
@@ -2776,6 +2852,8 @@ var init_create_sandbox = __esm({
     };
     execAsync2 = (0, import_node_util2.promisify)(import_node_child_process3.exec);
     EXEC_MAX_BUFFER = 32 * 1024 * 1024;
+    SANDBOX_FALLBACK_INSTRUCTIONS = 'Skill sandboxing is running in DEGRADED mode: bwrap cannot create user namespaces on this host, so commands\nexecute directly. The container remains the isolation boundary and resolveSessionPath still scopes\nreadFile/writeFile to the session directory at the JS layer, but bash commands are NOT kernel-sandboxed.\n\nTo restore full sandboxing on Ubuntu 23.10+ / 24.04+ hosts (kernel 6.5+):\n  sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0\n  echo "kernel.apparmor_restrict_unprivileged_userns=0" | sudo tee /etc/sysctl.d/60-userns.conf\n  sudo sysctl --system\n\nOn Debian hosts where the same symptom appears:\n  sudo sysctl -w kernel.unprivileged_userns_clone=1\n\nSet EXULU_REQUIRE_SANDBOX=1 to fail startup instead of degrading.';
+    degradedModeLogged = false;
     sandboxCache = /* @__PURE__ */ new Map();
   }
 });
@@ -14290,7 +14368,6 @@ ${skillsList}
 
 When a tool execution is not approved by the user, do not retry it unless explicitly asked by the user. ' +
     'Inform the user that the action was not performed.`;
-    import_fs2.default.writeFileSync("system-prompt.txt", system);
     console.log("[EXULU] Tools", currentTools?.map((x) => x.name));
     console.log("[EXULU] Skills", currentSkills?.map((x) => x.name));
     const tools = await convertExuluToolsToAiSdkTools(

package/dist/index.js

@@ -53,7 +53,7 @@ import {
   vectorSearch,
   waitForLiteLLMReady,
   withRetry
-} from "./chunk-MPV7HBV6.js";
+} from "./chunk-PFKAWGB6.js";
 import {
   findLiteLLMModel
 } from "./chunk-ILAHW4UT.js";
@@ -6497,7 +6497,6 @@ ${skillsList}
 
 When a tool execution is not approved by the user, do not retry it unless explicitly asked by the user. ' +
     'Inform the user that the action was not performed.`;
-    fs2.writeFileSync("system-prompt.txt", system);
     console.log("[EXULU] Tools", currentTools?.map((x) => x.name));
     console.log("[EXULU] Skills", currentSkills?.map((x) => x.name));
     const tools = await convertExuluToolsToAiSdkTools(

package/ee/invoke-skills/create-sandbox.ts

@@ -60,6 +60,69 @@ const execAsync = promisify(exec);
 // Sandbox commands can be very long (long deny lists) — bump default buffer.
 const EXEC_MAX_BUFFER = 32 * 1024 * 1024;
 
+/**
+ * Probe whether bwrap can actually create a user namespace on this host.
+ * SRT's own dependency check only verifies bwrap is installed, not that the
+ * kernel will let it run — and the latter is what Ubuntu 24.04 (kernel 6.8+
+ * with `kernel.apparmor_restrict_unprivileged_userns=1`) and Debian hosts with
+ * `kernel.unprivileged_userns_clone=0` deny.
+ *
+ * Memoized for the process lifetime: the answer is host-level state that
+ * doesn't change without a sysctl flip + restart.
+ */
+type SandboxProbeResult = { canSandbox: boolean; reason?: string };
+let sandboxProbePromise: Promise<SandboxProbeResult> | undefined;
+
+function probeSandboxSupport(): Promise<SandboxProbeResult> {
+    if (sandboxProbePromise) return sandboxProbePromise;
+    sandboxProbePromise = (async () => {
+        if (process.platform === 'darwin') return { canSandbox: true };
+        if (process.platform !== 'linux') {
+            return { canSandbox: false, reason: `Unsupported platform: ${process.platform}` };
+        }
+        return await new Promise<SandboxProbeResult>((resolve) => {
+            // Minimal bwrap invocation: bind / read-only and exit. If the host
+            // refuses unprivileged user namespaces, this returns
+            // "Operation not permitted" — same path SRT would hit on every command.
+            const child = spawn('bwrap', ['--dev-bind', '/', '/', '--', '/bin/true']);
+            let stderr = '';
+            child.stderr.on('data', (chunk) => { stderr += chunk.toString(); });
+            child.on('error', (err) => {
+                resolve({ canSandbox: false, reason: `bwrap not executable: ${err.message}` });
+            });
+            child.on('exit', (code) => {
+                if (code === 0) resolve({ canSandbox: true });
+                else resolve({ canSandbox: false, reason: stderr.trim() || `bwrap exited ${code}` });
+            });
+        });
+    })();
+    return sandboxProbePromise;
+}
+
+const SANDBOX_FALLBACK_INSTRUCTIONS =
+    'Skill sandboxing is running in DEGRADED mode: bwrap cannot create user namespaces on this host, so commands\n' +
+    'execute directly. The container remains the isolation boundary and resolveSessionPath still scopes\n' +
+    'readFile/writeFile to the session directory at the JS layer, but bash commands are NOT kernel-sandboxed.\n' +
+    '\n' +
+    'To restore full sandboxing on Ubuntu 23.10+ / 24.04+ hosts (kernel 6.5+):\n' +
+    '  sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0\n' +
+    '  echo "kernel.apparmor_restrict_unprivileged_userns=0" | sudo tee /etc/sysctl.d/60-userns.conf\n' +
+    '  sudo sysctl --system\n' +
+    '\n' +
+    'On Debian hosts where the same symptom appears:\n' +
+    '  sudo sysctl -w kernel.unprivileged_userns_clone=1\n' +
+    '\n' +
+    'Set EXULU_REQUIRE_SANDBOX=1 to fail startup instead of degrading.';
+
+let degradedModeLogged = false;
+function logDegradedModeOnce(reason: string | undefined): void {
+    if (degradedModeLogged) return;
+    degradedModeLogged = true;
+    console.warn(
+        `[SKILLS] ${SANDBOX_FALLBACK_INSTRUCTIONS}\n\nProbe error: ${reason ?? '(no detail)'}`,
+    );
+}
+
 // This is called on every session where a skill is enabled
 // each sandbox setup includes the skill files from the enabled
 // skills, and uses the Anthropic Sandbox Runtime (SRT) to
@@ -380,6 +443,19 @@ export async function createSessionSandbox(
         await restoreArtifactsFromS3(sessionDir, sessionId, userId, config)
     }
 
+    // Probe whether bwrap can actually create namespaces on this host. On a
+    // failure, either throw (strict mode) or degrade to direct exec.
+    const probe = await probeSandboxSupport();
+    const useDirectExec = !probe.canSandbox;
+    if (useDirectExec) {
+        if (process.env.EXULU_REQUIRE_SANDBOX === '1') {
+            throw new Error(
+                `[SKILLS] Sandbox required (EXULU_REQUIRE_SANDBOX=1) but unavailable.\n\n${SANDBOX_FALLBACK_INSTRUCTIONS}\n\nProbe error: ${probe.reason ?? '(no detail)'}`,
+            );
+        }
+        logDegradedModeOnce(probe.reason);
+    }
+
     // SRT's `SandboxManager.initialize()` is a one-shot singleton (see
     // node_modules/@anthropic-ai/sandbox-runtime/.../sandbox-manager.js:187-191);
     // the first config wins and later calls are no-ops. That's incompatible
@@ -402,7 +478,9 @@ export async function createSessionSandbox(
         },
     }
 
-    await SandboxManager.initialize(baselineSandboxConfig)
+    if (!useDirectExec) {
+        await SandboxManager.initialize(baselineSandboxConfig)
+    }
 
     // Resolve the global node_modules directory so skill-generated scripts
     // can `require()` packages installed via `npm install -g <pkg>` (e.g. the
@@ -487,13 +565,21 @@ export async function createSessionSandbox(
         ...(npmGlobalRoot ? { NODE_PATH: npmGlobalRoot } : {}),
     }
 
+    // Either wrap a command with bwrap/sandbox-exec or return it unchanged when
+    // the host can't sandbox. In degraded mode the container itself is the
+    // isolation boundary; resolveSessionPath still scopes readFile/writeFile.
+    const wrapIfNeeded = async (command: string): Promise<string> => {
+        if (useDirectExec) return command;
+        return SandboxManager.wrapWithSandbox(command, undefined, sessionSandboxConfig);
+    };
+
     // wrapWithSandbox only constructs the sandbox-exec invocation string —
     // it does NOT run it. We have to shell out ourselves and capture the
     // real stdout/stderr/exitCode. The third arg passes the per-session
     // policy so the kernel only allows this session's dir, not whatever
     // baseline the singleton was initialized with.
     const runWrapped = async (command: string): Promise<{ stdout: string; stderr: string; exitCode: number }> => {
-        const wrapped = await SandboxManager.wrapWithSandbox(command, undefined, sessionSandboxConfig);
+        const wrapped = await wrapIfNeeded(command);
         try {
             const { stdout, stderr } = await execAsync(wrapped, {
                 maxBuffer: EXEC_MAX_BUFFER,
@@ -618,10 +704,8 @@ export async function createSessionSandbox(
         for (const file of files) {
             // Pipe content via stdin so arbitrary file content (quotes, $, etc.)
             // doesn't need to be escaped into the shell command.
-            const wrapped = await SandboxManager.wrapWithSandbox(
+            const wrapped = await wrapIfNeeded(
                 `mkdir -p ${shellQuote(dirname(file.path))} && cat > ${shellQuote(file.path)}`,
-                undefined,
-                sessionSandboxConfig,
             )
             await new Promise<void>((resolveSpawn, rejectSpawn) => {
                 const child = spawn('/bin/bash', ['-c', wrapped])
@@ -855,11 +939,12 @@ export async function createSessionSandbox(
     const handle: SessionSandboxHandle = {
         sessionDir,
         tools: wrappedTools,
-        wrapCommand: (command: string) =>
-            SandboxManager.wrapWithSandbox(command, undefined, sessionSandboxConfig),
+        wrapCommand: (command: string) => wrapIfNeeded(command),
         cleanup: async () => {
             sandboxCache.delete(sessionId)
-            await SandboxManager.reset()
+            if (!useDirectExec) {
+                await SandboxManager.reset()
+            }
             await rm(sessionDir, { recursive: true, force: true })
         },
     }

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@exulu/backend",
   "author": "Qventu Bv.",
-  "version": "1.61.1",
+  "version": "1.61.3",
   "main": "./dist/index.js",
   "private": false,
   "publishConfig": {