@openparachute/agent 0.2.3-rc.2 → 0.2.3-rc.3

package/src/spawn-agent.test.ts

@@ -1,1218 +0,0 @@
-import { describe, test, expect, afterEach } from "bun:test";
-import { mkdtempSync, rmSync, readFileSync, statSync, writeFileSync, existsSync } from "node:fs";
-import { join } from "node:path";
-import { tmpdir } from "node:os";
-// SHARED spawn helpers (live tree).
-import {
-  buildAgentChildEnv,
-  mergeSandboxLaunchEnv,
-  SANDBOX_ENV_ALLOWLIST,
-  resolveAgentCwd,
-  seedAgentHome,
-  sessionWorkspace,
-  shellJoin,
-  persistSpec,
-  readPersistedSpec,
-  specFilePath,
-} from "./spawn-agent.ts";
-// PARKED interactive spawner (the interactive backend retired 2026-06-19; its
-// spawner + tmux launcher live in src/_parked/interactive-spawn.ts now — these tests
-// still exercise that parked code so it stays buildable for the future revival).
-import {
-  spawnAgent,
-  buildAgentClaudeArgs,
-  buildLaunchScript,
-  confirmDevChannelsPrompt,
-  DEV_CHANNELS_PROMPT_MARKER,
-  DEV_CHANNELS_READY_MARKER,
-  realTmuxLauncher,
-  sessionName,
-  type SpawnAgentDeps,
-  type TmuxLauncher,
-} from "./_parked/interactive-spawn.ts";
-import type { SandboxEngine } from "./sandbox/index.ts";
-import type { SandboxRuntimeConfig } from "@anthropic-ai/sandbox-runtime";
-import type { AgentSpec } from "./sandbox/types.ts";
-import { channelEntryKey, vaultEntryKey } from "./agent-mcp-config.ts";
-import {
-  setDefaultClaudeCredential,
-  setChannelClaudeCredential,
-} from "./credentials.ts";
-
-let sessionsDir: string;
-afterEach(() => {
-  if (sessionsDir) rmSync(sessionsDir, { recursive: true, force: true });
-});
-
-// ---- fakes -----------------------------------------------------------------
-
-/** A recording tmux launcher. */
-function recordingTmux(existing = new Set<string>()): TmuxLauncher & {
-  launched: Array<{
-    name: string;
-    argv: string[];
-    env: Record<string, string | undefined>;
-    cwd: string;
-    scriptDir?: string;
-  }>;
-  confirmed: string[];
-} {
-  const launched: Array<{
-    name: string;
-    argv: string[];
-    env: Record<string, string | undefined>;
-    cwd: string;
-    scriptDir?: string;
-  }> = [];
-  const confirmed: string[] = [];
-  return {
-    launched,
-    confirmed,
-    async hasSession(name) {
-      return existing.has(name);
-    },
-    async newSession(opts) {
-      launched.push(opts);
-    },
-    async confirmDevChannelsPrompt(session) {
-      confirmed.push(session);
-      return "confirmed";
-    },
-  };
-}
-
-/** A fake sandbox engine — records config, returns a deterministic wrap. */
-function fakeEngine(): SandboxEngine & { initializedWith: SandboxRuntimeConfig | null } {
-  const rec = {
-    initializedWith: null as SandboxRuntimeConfig | null,
-    isSupportedPlatform: () => true,
-    isSandboxingEnabled: () => true,
-    async initialize(cfg: SandboxRuntimeConfig) {
-      rec.initializedWith = cfg;
-    },
-    async wrapWithSandboxArgv(command: string) {
-      // Emulate the real shape: a bash -c wrapper carrying the command + proxy env.
-      return {
-        argv: ["/bin/bash", "-c", `SBX ${command}`],
-        // Include a TMPDIR the engine would set — spawnAgent must OVERRIDE it with
-        // a workspace-writable path (the override regression guard below).
-        env: { SANDBOX_RUNTIME: "1", HTTPS_PROXY: "http://localhost:5555", TMPDIR: "/tmp/claude" },
-      };
-    },
-    async reset() {},
-  };
-  return rec;
-}
-
-/** A fake mint hub: returns a distinct token per scope so we can tell them apart. */
-function fakeMintFetch(): typeof fetch {
-  let n = 0;
-  return (async (_url: string | URL | Request, init?: RequestInit) => {
-    const body = JSON.parse(String(init?.body ?? "{}")) as { scope: string };
-    n += 1;
-    const token = `TOK-${n}-${body.scope.replace(/[^a-z]/gi, "").slice(0, 6)}`;
-    return new Response(
-      JSON.stringify({ jti: `j${n}`, token, expires_at: "2026-09-01T00:00:00Z", scope: body.scope }),
-      { status: 200, headers: { "content-type": "application/json" } },
-    );
-  }) as unknown as typeof fetch;
-}
-
-function baseDeps(over: Partial<SpawnAgentDeps> = {}): SpawnAgentDeps {
-  return {
-    hubOrigin: "https://hub.example.com",
-    managerBearer: "MANAGER",
-    channelUrl: "http://127.0.0.1:1941",
-    vaultUrl: "http://127.0.0.1:1940",
-    sessionsDir,
-    runtimeReadOnly: ["/cfg/.claude"],
-    // Stub the credential resolver so the test never touches a real store; the
-    // assertion below checks this exact token lands in CLAUDE_CODE_OAUTH_TOKEN.
-    resolveClaudeToken: () => "OAUTH-CRED-PLACEHOLDER",
-    sandboxEngine: fakeEngine(),
-    tmux: recordingTmux(),
-    fetchFn: fakeMintFetch(),
-    parentEnv: {
-      PATH: "/usr/bin",
-      HOME: "/home/op",
-      ANTHROPIC_API_KEY: "sk-ant-SHOULD-NOT-LEAK",
-      CLAUDE_API_KEY: "also-should-not-leak",
-      SECRET_THING: "do-not-pass",
-    },
-    claudeBin: "claude",
-    ...over,
-  };
-}
-
-// ---- pure-helper tests -----------------------------------------------------
-
-describe("buildAgentChildEnv — scrub, inject OAuth, NEVER ANTHROPIC_API_KEY", () => {
-  test("injects CLAUDE_CODE_OAUTH_TOKEN as the session auth", () => {
-    const env = buildAgentChildEnv({ PATH: "/usr/bin", HOME: "/h" }, "THE-OAUTH-TOKEN");
-    expect(env.CLAUDE_CODE_OAUTH_TOKEN).toBe("THE-OAUTH-TOKEN");
-  });
-
-  test("SECURITY: ANTHROPIC_API_KEY is NOT passed through (would route to API billing)", () => {
-    const env = buildAgentChildEnv(
-      { PATH: "/usr/bin", HOME: "/h", ANTHROPIC_API_KEY: "sk-ant-x", CLAUDE_API_KEY: "y" },
-      "tok",
-    );
-    expect(env.ANTHROPIC_API_KEY).toBeUndefined();
-    expect(env.CLAUDE_API_KEY).toBeUndefined();
-  });
-
-  test("scrubs unrelated parent env (only the allowlist + locale pass)", () => {
-    const env = buildAgentChildEnv(
-      { PATH: "/usr/bin", HOME: "/h", SECRET_THING: "nope", LC_ALL: "en_US.UTF-8" },
-      "tok",
-    );
-    expect(env.SECRET_THING).toBeUndefined();
-    expect(env.PATH).toBe("/usr/bin");
-    expect(env.HOME).toBe("/h");
-    expect(env.LC_ALL).toBe("en_US.UTF-8");
-  });
-
-  test("provides a default PATH if the parent had none", () => {
-    const env = buildAgentChildEnv({}, "tok");
-    expect(env.PATH).toBe("/usr/local/bin:/usr/bin:/bin");
-  });
-
-  test("INJECTION: the per-channel env reaches the child (gh/git see the token)", () => {
-    const env = buildAgentChildEnv(
-      { PATH: "/usr/bin", HOME: "/h" },
-      "tok",
-      { GH_TOKEN: "ghp_X", CLOUDFLARE_API_TOKEN: "cf_Y" },
-    );
-    expect(env.GH_TOKEN).toBe("ghp_X");
-    expect(env.CLOUDFLARE_API_TOKEN).toBe("cf_Y");
-  });
-
-  test("INJECTION: a channel-set var can NOT clobber CLAUDE_CODE_OAUTH_TOKEN (auth wins)", () => {
-    // Even if the store somehow carried CLAUDE_CODE_OAUTH_TOKEN, the managed token
-    // set last must win — and the denylist drop means it never even lands.
-    const env = buildAgentChildEnv(
-      { PATH: "/usr/bin" },
-      "THE-REAL-OAUTH",
-      { CLAUDE_CODE_OAUTH_TOKEN: "ATTACKER-SWAP", GH_TOKEN: "ghp_X" },
-    );
-    expect(env.CLAUDE_CODE_OAUTH_TOKEN).toBe("THE-REAL-OAUTH");
-    expect(env.GH_TOKEN).toBe("ghp_X");
-  });
-
-  test("INJECTION: a channel-set var can NOT clobber a structural passthrough (PATH/HOME)", () => {
-    const env = buildAgentChildEnv(
-      { PATH: "/real/path", HOME: "/real/home" },
-      "tok",
-      { PATH: "/evil", HOME: "/evil" },
-    );
-    expect(env.PATH).toBe("/real/path");
-    expect(env.HOME).toBe("/real/home");
-  });
-
-  test("INJECTION: denylisted keys (API keys) are dropped defensively with a warning", () => {
-    const warnings: string[] = [];
-    const orig = console.warn;
-    console.warn = (...a: unknown[]) => warnings.push(a.map(String).join(" "));
-    try {
-      const env = buildAgentChildEnv(
-        { PATH: "/usr/bin" },
-        "tok",
-        { ANTHROPIC_API_KEY: "sk-ant-SMUGGLED", CLAUDE_API_KEY: "y", GH_TOKEN: "ghp_X" },
-      );
-      expect(env.ANTHROPIC_API_KEY).toBeUndefined();
-      expect(env.CLAUDE_API_KEY).toBeUndefined();
-      expect(env.GH_TOKEN).toBe("ghp_X"); // the legit var still passes
-      expect(warnings.some((w) => w.includes("ANTHROPIC_API_KEY") && w.includes("denylisted"))).toBe(true);
-    } finally {
-      console.warn = orig;
-    }
-  });
-
-  test("INJECTION: an empty channel env is a no-op (back-compat default arg)", () => {
-    const env = buildAgentChildEnv({ PATH: "/usr/bin" }, "tok");
-    expect(env.CLAUDE_CODE_OAUTH_TOKEN).toBe("tok");
-    expect(env.PATH).toBe("/usr/bin");
-  });
-});
-
-describe("mergeSandboxLaunchEnv — the scrub WINS over the engine's returned env", () => {
-  // The REAL `wrapWithSandboxArgv` returns `env: process.env` (the FULL daemon env) on
-  // macOS/Linux; on Windows it returns `{...process.env, ...proxy}`. So `wrapped.env` is
-  // essentially the whole daemon env. The old `{ ...childEnv, ...wrapped.env, ...homeEnv }`
-  // spread let that OVERRIDE the scrubbed childEnv — re-admitting the daemon's ambient
-  // ANTHROPIC_API_KEY/secrets into the sandboxed turn (isolation/billing leak).
-
-  const childEnv = buildAgentChildEnv({ PATH: "/usr/bin", HOME: "/h" }, "THE-OAUTH-TOKEN");
-  // A representative `wrapped.env` = the daemon's process.env + the sandbox/proxy vars.
-  const wrappedEnv = {
-    ANTHROPIC_API_KEY: "sk-ant-DAEMON-AMBIENT",
-    CLAUDE_API_KEY: "daemon-ambient",
-    CLAUDE_CODE_OAUTH_TOKEN: "WRONG-DAEMON-TOKEN",
-    SECRET_THING: "daemon-secret",
-    PATH: "/daemon/bin",
-    SANDBOX_RUNTIME: "1",
-    HTTP_PROXY: "http://localhost:5555",
-    HTTPS_PROXY: "http://localhost:5555",
-    NO_PROXY: "localhost,127.0.0.1",
-    NODE_EXTRA_CA_CERTS: "/tmp/claude/ca.pem",
-    TMPDIR: "/tmp/claude",
-  };
-  const homeEnv: Record<string, string> = { CLAUDE_CONFIG_DIR: "/sess/.claude" };
-
-  test("LEAK CLOSED: the daemon's ambient secrets in wrapped.env never reach the launch env", () => {
-    const env = mergeSandboxLaunchEnv(childEnv, wrappedEnv, homeEnv);
-    expect(env.ANTHROPIC_API_KEY).toBeUndefined();
-    expect(env.CLAUDE_API_KEY).toBeUndefined();
-    expect(env.SECRET_THING).toBeUndefined();
-  });
-
-  test("MANAGED AUTH WINS: CLAUDE_CODE_OAUTH_TOKEN is the scrubbed value, not the engine env's wrong one", () => {
-    const env = mergeSandboxLaunchEnv(childEnv, wrappedEnv, homeEnv);
-    expect(env.CLAUDE_CODE_OAUTH_TOKEN).toBe("THE-OAUTH-TOKEN");
-  });
-
-  test("EGRESS PRESERVED: the allowlisted sandbox/proxy vars survive (the proxy keeps working)", () => {
-    const env = mergeSandboxLaunchEnv(childEnv, wrappedEnv, homeEnv);
-    expect(env.SANDBOX_RUNTIME).toBe("1");
-    expect(env.HTTP_PROXY).toBe("http://localhost:5555");
-    expect(env.HTTPS_PROXY).toBe("http://localhost:5555");
-    expect(env.NO_PROXY).toBe("localhost,127.0.0.1");
-    expect(env.NODE_EXTRA_CA_CERTS).toBe("/tmp/claude/ca.pem");
-  });
-
-  test("the scrubbed PATH wins (PATH is not in the sandbox allowlist)", () => {
-    const env = mergeSandboxLaunchEnv(childEnv, wrappedEnv, homeEnv);
-    expect(env.PATH).toBe("/usr/bin"); // childEnv's, not the engine env's /daemon/bin
-  });
-
-  test("homeEnv wins last (CLAUDE_CONFIG_DIR/XDG/TMP overrides)", () => {
-    const env = mergeSandboxLaunchEnv(childEnv, wrappedEnv, homeEnv);
-    expect(env.CLAUDE_CONFIG_DIR).toBe("/sess/.claude");
-  });
-
-  test("the allowlist never contains the Claude-auth trio (defense-in-depth)", () => {
-    expect(SANDBOX_ENV_ALLOWLIST.has("ANTHROPIC_API_KEY")).toBe(false);
-    expect(SANDBOX_ENV_ALLOWLIST.has("CLAUDE_API_KEY")).toBe(false);
-    expect(SANDBOX_ENV_ALLOWLIST.has("CLAUDE_CODE_OAUTH_TOKEN")).toBe(false);
-  });
-});
-
-describe("buildAgentClaudeArgs", () => {
-  test("interactive claude (no -p) with strict MCP config + dev-channels for the first channel", () => {
-    const argv = buildAgentClaudeArgs({
-      mcpConfigPath: "/ws/.mcp.json",
-      firstChannelEntryKey: "agent-aaron-dev",
-    });
-    expect(argv).toContain("--strict-mcp-config");
-    expect(argv).toContain("--mcp-config");
-    expect(argv).toContain("/ws/.mcp.json");
-    expect(argv).toContain("--dangerously-load-development-channels=server:agent-aaron-dev");
-    // Autonomous: no human answers tool prompts; the sandbox is the containment.
-    expect(argv).toContain("--dangerously-skip-permissions");
-    // NOT headless: no `-p`.
-    expect(argv).not.toContain("-p");
-  });
-  test("no systemPromptFile → neither system-prompt flag (today's behavior)", () => {
-    const argv = buildAgentClaudeArgs({ mcpConfigPath: "/ws/.mcp.json", firstChannelEntryKey: "agent-c" });
-    expect(argv).not.toContain("--append-system-prompt-file");
-    expect(argv).not.toContain("--system-prompt-file");
-  });
-  test("systemPromptFile (append, default) → --append-system-prompt-file <path>", () => {
-    const argv = buildAgentClaudeArgs({
-      mcpConfigPath: "/ws/.mcp.json",
-      firstChannelEntryKey: "agent-c",
-      systemPromptFile: "/ws/system-prompt.txt",
-      systemPromptMode: "append",
-    });
-    expect(argv).toContain("--append-system-prompt-file");
-    expect(argv[argv.indexOf("--append-system-prompt-file") + 1]).toBe("/ws/system-prompt.txt");
-    expect(argv).not.toContain("--system-prompt-file");
-  });
-  test("systemPromptFile (replace) → --system-prompt-file <path>", () => {
-    const argv = buildAgentClaudeArgs({
-      mcpConfigPath: "/ws/.mcp.json",
-      firstChannelEntryKey: "agent-c",
-      systemPromptFile: "/ws/system-prompt.txt",
-      systemPromptMode: "replace",
-    });
-    expect(argv).toContain("--system-prompt-file");
-    expect(argv).not.toContain("--append-system-prompt-file");
-  });
-});
-
-describe("shellJoin", () => {
-  test("leaves safe args bare, quotes args with spaces", () => {
-    expect(shellJoin(["claude", "--mcp-config", "/a/b.json"])).toBe("claude --mcp-config /a/b.json");
-    expect(shellJoin(["echo", "a b"])).toBe("echo 'a b'");
-  });
-});
-
-describe("seedAgentHome — the per-session writable HOME (stability keystone)", () => {
-  test("seeds from the operator config (inherits first-run state), strips projects+oauthAccount, trusts the workspace", () => {
-    const ws = mkdtempSync(join(tmpdir(), "seed-home-"));
-    const opDir = mkdtempSync(join(tmpdir(), "seed-op-"));
-    const opPath = join(opDir, ".claude.json");
-    // A realistic operator config: completed first-run flags + history + account.
-    writeFileSync(opPath, JSON.stringify({
-      hasCompletedOnboarding: true,
-      theme: "dark",
-      numStartups: 536,
-      sonnet45MigrationComplete: true,
-      oauthAccount: { email: "op@example.com", secret: "DO-NOT-COPY" },
-      projects: { "/some/other/proj": { hasTrustDialogAccepted: true } },
-    }));
-    try {
-      const env = seedAgentHome(ws, { mcpServers: ["agent-uni-dev", "vault-default"], operatorConfigPath: opPath });
-      // Config + temp are redirected to per-session dirs INSIDE the workspace.
-      // (HOME is deliberately NOT overridden — claude finds its real install there.)
-      expect(env.HOME).toBeUndefined();
-      expect(env.CLAUDE_CONFIG_DIR).toBe(join(ws, "home", ".claude"));
-      expect(env.TMPDIR).toBe(join(ws, "tmp"));
-      expect(env.CLAUDE_CODE_TMPDIR).toBe(join(ws, "tmp"));
-      const seed = JSON.parse(readFileSync(join(ws, "home", ".claude", ".claude.json"), "utf8")) as Record<string, unknown>;
-      // Inherits the operator's completed first-run state (onboarding, theme, migrations).
-      expect(seed.hasCompletedOnboarding).toBe(true);
-      expect(seed.theme).toBe("dark");
-      expect(seed.sonnet45MigrationComplete).toBe(true);
-      // Strips the account; replaces project history with ONLY this workspace, trusted.
-      expect(seed.oauthAccount).toBeUndefined();
-      const projects = seed.projects as Record<string, { hasTrustDialogAccepted: boolean; hasCompletedProjectOnboarding: boolean }>;
-      expect(Object.keys(projects)).toEqual([ws]);
-      expect(projects[ws]!.hasTrustDialogAccepted).toBe(true);
-      expect(projects[ws]!.hasCompletedProjectOnboarding).toBe(true);
-      // Our configured MCP servers are pre-approved (no "trust this MCP server" prompt).
-      expect((projects[ws] as { enabledMcpjsonServers?: string[] }).enabledMcpjsonServers).toEqual([
-        "agent-uni-dev",
-        "vault-default",
-      ]);
-    } finally {
-      rmSync(ws, { recursive: true, force: true });
-      rmSync(opDir, { recursive: true, force: true });
-    }
-  });
-
-  test("falls back to the minimal seed when the operator has no config", () => {
-    const ws = mkdtempSync(join(tmpdir(), "seed-home-noop-"));
-    try {
-      seedAgentHome(ws, { operatorConfigPath: join(ws, "does-not-exist.json") });
-      const seed = JSON.parse(readFileSync(join(ws, "home", ".claude", ".claude.json"), "utf8")) as {
-        hasCompletedOnboarding: boolean;
-        projects: Record<string, { hasTrustDialogAccepted: boolean }>;
-      };
-      expect(seed.hasCompletedOnboarding).toBe(true);
-      expect(seed.projects[ws]!.hasTrustDialogAccepted).toBe(true);
-    } finally {
-      rmSync(ws, { recursive: true, force: true });
-    }
-  });
-
-  test("projectRoot override → the SHARED working dir is the pre-trusted project, not the private home", () => {
-    const ws = mkdtempSync(join(tmpdir(), "seed-home-projroot-"));
-    const noop = join(ws, "no-operator.json");
-    try {
-      // The cwd (a shared working dir) is pre-trusted; the seed still lives UNDER ws.
-      seedAgentHome(ws, { operatorConfigPath: noop, projectRoot: "/Users/op/Code/repo", mcpServers: ["vault-default"] });
-      const seed = JSON.parse(readFileSync(join(ws, "home", ".claude", ".claude.json"), "utf8")) as {
-        projects: Record<string, { hasTrustDialogAccepted: boolean }>;
-      };
-      // The PROJECT (pre-trusted) is the shared working dir, NOT the private ws.
-      expect(Object.keys(seed.projects)).toEqual(["/Users/op/Code/repo"]);
-      expect(seed.projects["/Users/op/Code/repo"]!.hasTrustDialogAccepted).toBe(true);
-    } finally {
-      rmSync(ws, { recursive: true, force: true });
-    }
-  });
-
-  test("idempotent — an existing seed is left as-is (claude owns it after first boot)", () => {
-    const ws = mkdtempSync(join(tmpdir(), "seed-home-idem-"));
-    const noop = join(ws, "no-operator.json");
-    try {
-      seedAgentHome(ws, { operatorConfigPath: noop });
-      const path = join(ws, "home", ".claude", ".claude.json");
-      writeFileSync(path, JSON.stringify({ hasCompletedOnboarding: true, mine: true }));
-      seedAgentHome(ws, { operatorConfigPath: noop }); // second call must not clobber
-      expect(JSON.parse(readFileSync(path, "utf8")).mine).toBe(true);
-    } finally {
-      rmSync(ws, { recursive: true, force: true });
-    }
-  });
-});
-
-// ---- full wiring tests -----------------------------------------------------
-
-describe("spawnAgent — full wiring with stubs (no real token)", () => {
-  test("creates the tmux session, writes a strict MCP config, injects OAuth, omits ANTHROPIC_API_KEY", async () => {
-    sessionsDir = mkdtempSync(join(tmpdir(), "spawn-agent-"));
-    const tmux = recordingTmux();
-    const engine = fakeEngine();
-    const spec: AgentSpec = {
-      name: "aaron-dev",
-      channels: ["aaron-dev"],
-      vault: { name: "default", access: "read", tags: ["agent/message"] },
-      network: "restricted", // exercise the egress floor; scoped reads are the default (step 6)
-    };
-    const res = await spawnAgent(spec, baseDeps({ tmux, sandboxEngine: engine }));
-
-    // 1. tmux session created with the spec's name.
-    expect(res.alreadyRunning).toBe(false);
-    expect(res.session).toBe(sessionName("aaron-dev"));
-    expect(tmux.launched).toHaveLength(1);
-    const launch = tmux.launched[0]!;
-    expect(launch.name).toBe("aaron-dev-agent");
-
-    // 1b. The dev-channels consent gate is auto-answered for THIS session after the
-    // launch (channel#70) — otherwise the headless spawn hangs at the prompt forever.
-    expect(tmux.confirmed).toEqual(["aaron-dev-agent"]);
-    expect(res.devChannelsPrompt).toBe("confirmed");
-
-    // 2. The launched argv is the sandbox wrapper carrying the claude command.
-    expect(launch.argv[0]).toBe("/bin/bash");
-    expect(launch.argv[2]).toContain("SBX claude");
-    expect(launch.argv[2]).toContain("--strict-mcp-config");
-
-    // 3. The injected env has CLAUDE_CODE_OAUTH_TOKEN and NO ANTHROPIC_API_KEY.
-    expect(launch.env.CLAUDE_CODE_OAUTH_TOKEN).toBe("OAUTH-CRED-PLACEHOLDER");
-    expect(launch.env.ANTHROPIC_API_KEY).toBeUndefined();
-    expect(launch.env.CLAUDE_API_KEY).toBeUndefined();
-    // ...and the sandbox proxy env layered on top.
-    expect(launch.env.SANDBOX_RUNTIME).toBe("1");
-    expect(launch.env.HTTPS_PROXY).toBe("http://localhost:5555");
-
-    // 3b. TMPDIR (+ claude-specific + generic) point at a WRITABLE dir inside the
-    // workspace, OVERRIDING the sandbox engine's own TMPDIR — without this claude
-    // can't create its scratch dir and dies "Claude Code could not start: EPERM".
-    const wsTmp = join(res.workspace, "tmp");
-    expect(launch.env.TMPDIR).toBe(wsTmp);
-    expect(launch.env.CLAUDE_CODE_TMPDIR).toBe(wsTmp);
-    expect(launch.env.TMP).toBe(wsTmp);
-    expect(launch.env.TEMP).toBe(wsTmp);
-    // ...and the dir is actually created on disk (writable, where the child looks).
-    expect(statSync(wsTmp).isDirectory()).toBe(true);
-
-    // 4. The MCP config has the right entries with DISTINCT tokens (one per aud).
-    const parsed = JSON.parse(res.mcpConfigJson) as {
-      mcpServers: Record<string, { url: string; headers?: { Authorization: string } }>;
-    };
-    const chKey = channelEntryKey("aaron-dev");
-    const vKey = vaultEntryKey("default");
-    expect(parsed.mcpServers[chKey]!.url).toBe("http://127.0.0.1:1941/mcp/aaron-dev");
-    expect(parsed.mcpServers[vKey]!.url).toBe("http://127.0.0.1:1940/vault/default/mcp");
-    const chAuth = parsed.mcpServers[chKey]!.headers!.Authorization;
-    const vAuth = parsed.mcpServers[vKey]!.headers!.Authorization;
-    expect(chAuth).toMatch(/^Bearer TOK-/);
-    expect(vAuth).toMatch(/^Bearer TOK-/);
-    expect(chAuth).not.toBe(vAuth); // distinct tokens, distinct auds
-
-    // 5. The on-disk config is 0600 (it inlines tokens).
-    const mcpPath = join(res.workspace, ".mcp.json");
-    expect(statSync(mcpPath).mode & 0o777).toBe(0o600);
-    expect(readFileSync(mcpPath, "utf8")).toBe(res.mcpConfigJson);
-
-    // 6. The sandbox config carried the egress floor + scoped reads.
-    expect(engine.initializedWith!.network.allowedDomains).toContain("api.anthropic.com");
-    expect(engine.initializedWith!.network.allowedDomains).toContain("hub.example.com");
-    expect(engine.initializedWith!.filesystem.allowWrite).toContain(res.workspace);
-  });
-
-  test("a spec with systemPrompt writes system-prompt.txt 0600 + passes the -file flag in the launch argv", async () => {
-    sessionsDir = mkdtempSync(join(tmpdir(), "spawn-agent-sysprompt-"));
-    const tmux = recordingTmux();
-    const spec: AgentSpec = {
-      name: "eng",
-      channels: ["eng"],
-      systemPrompt: "You are the eng channel's assistant.",
-      systemPromptMode: "append",
-    };
-    const res = await spawnAgent(spec, baseDeps({ tmux }));
-
-    // The prompt file is written 0600 with the exact text.
-    const promptPath = join(res.workspace, "system-prompt.txt");
-    expect(statSync(promptPath).mode & 0o777).toBe(0o600);
-    expect(readFileSync(promptPath, "utf8")).toBe("You are the eng channel's assistant.");
-    // The launched claude command carries --append-system-prompt-file <path>.
-    const cmd = tmux.launched[0]!.argv[2]!;
-    expect(cmd).toContain("--append-system-prompt-file");
-    expect(cmd).toContain(promptPath);
-  });
-
-  test("a spec with NO systemPrompt writes no prompt file + no system-prompt flag", async () => {
-    sessionsDir = mkdtempSync(join(tmpdir(), "spawn-agent-nosysprompt-"));
-    const tmux = recordingTmux();
-    const res = await spawnAgent({ name: "bare", channels: ["bare"] }, baseDeps({ tmux }));
-    expect(existsSync(join(res.workspace, "system-prompt.txt"))).toBe(false);
-    expect(tmux.launched[0]!.argv[2]!).not.toContain("system-prompt-file");
-  });
-
-  test("mints ONE token per channel for a multi-channel spec", async () => {
-    sessionsDir = mkdtempSync(join(tmpdir(), "spawn-agent-multi-"));
-    const spec: AgentSpec = { name: "multi", channels: ["a", "b"] };
-    const res = await spawnAgent(spec, baseDeps());
-    expect(Object.keys(res.tokens)).toContain("a");
-    expect(Object.keys(res.tokens)).toContain("b");
-    expect(res.tokens.a!.token).not.toBe(res.tokens.b!.token);
-    const parsed = JSON.parse(res.mcpConfigJson) as { mcpServers: Record<string, unknown> };
-    expect(parsed.mcpServers[channelEntryKey("a")]).toBeDefined();
-    expect(parsed.mcpServers[channelEntryKey("b")]).toBeDefined();
-  });
-
-  test("tag-scoped vault: the scoped_tags permission rides the vault mint request", async () => {
-    sessionsDir = mkdtempSync(join(tmpdir(), "spawn-agent-vault-"));
-    const calls: Array<Record<string, unknown>> = [];
-    const fetchFn = (async (_u: string | URL | Request, init?: RequestInit) => {
-      const body = JSON.parse(String(init?.body ?? "{}")) as Record<string, unknown>;
-      calls.push(body);
-      return new Response(
-        JSON.stringify({ jti: "j", token: `T-${calls.length}`, expires_at: "", scope: body.scope }),
-        { status: 200, headers: { "content-type": "application/json" } },
-      );
-    }) as unknown as typeof fetch;
-
-    const spec: AgentSpec = {
-      name: "weaver",
-      channels: ["c"],
-      vault: { name: "default", access: "read", tags: ["agent/message"] },
-    };
-    await spawnAgent(spec, baseDeps({ fetchFn }));
-    const vaultCall = calls.find((c) => String(c.scope).startsWith("vault:"));
-    expect(vaultCall).toBeDefined();
-    expect(vaultCall!.scope).toBe("vault:default:read");
-    expect(vaultCall!.permissions).toEqual({ scoped_tags: ["agent/message"] });
-  });
-
-  test("idempotent: an already-running session is a no-op", async () => {
-    sessionsDir = mkdtempSync(join(tmpdir(), "spawn-agent-idem-"));
-    const tmux = recordingTmux(new Set(["arm-agent"]));
-    const res = await spawnAgent({ name: "arm", channels: ["c"] }, baseDeps({ tmux }));
-    expect(res.alreadyRunning).toBe(true);
-    expect(tmux.launched).toHaveLength(0);
-    // No launch → the dev-channels gate is NOT touched (guards against someone
-    // moving the confirm call above the early-return — channel#70).
-    expect(tmux.confirmed).toHaveLength(0);
-    expect(res.devChannelsPrompt).toBeUndefined();
-  });
-
-  test("a spec with no channels is rejected", async () => {
-    sessionsDir = mkdtempSync(join(tmpdir(), "spawn-agent-noch-"));
-    await expect(spawnAgent({ name: "x", channels: [] }, baseDeps())).rejects.toThrow(/no channels/);
-  });
-
-  test("SECURITY: an over-broad mint (hub 400) aborts the launch — no tmux session created", async () => {
-    sessionsDir = mkdtempSync(join(tmpdir(), "spawn-agent-deny-"));
-    const tmux = recordingTmux();
-    const fetchFn = (async () =>
-      new Response(
-        JSON.stringify({ error: "invalid_scope", error_description: "not grantable by this bearer" }),
-        { status: 400, headers: { "content-type": "application/json" } },
-      )) as unknown as typeof fetch;
-    await expect(
-      spawnAgent({ name: "x", channels: ["c"] }, baseDeps({ tmux, fetchFn })),
-    ).rejects.toThrow(/mint refused/);
-    // The attenuation failure happened BEFORE any tmux launch.
-    expect(tmux.launched).toHaveLength(0);
-  });
-
-  test("SECURITY: an adversarial spec.name is rejected BEFORE any fs/tmux/mint side effect", async () => {
-    sessionsDir = mkdtempSync(join(tmpdir(), "spawn-agent-name-"));
-    for (const bad of ["..", "a/b", "a b", "../escape", ".", "a..b", "x;rm", ""]) {
-      const tmux = recordingTmux();
-      let minted = false;
-      const fetchFn = (async () => {
-        minted = true;
-        return new Response("{}", { status: 200 });
-      }) as unknown as typeof fetch;
-      await expect(
-        spawnAgent({ name: bad, channels: ["c"] }, baseDeps({ tmux, fetchFn })),
-      ).rejects.toThrow(/slug/);
-      // No side effects: no tmux launch, no mint attempt.
-      expect(tmux.launched).toHaveLength(0);
-      expect(minted).toBe(false);
-    }
-  });
-
-  test("a valid slug name is accepted (dashes + underscores ok)", async () => {
-    sessionsDir = mkdtempSync(join(tmpdir(), "spawn-agent-okname-"));
-    const res = await spawnAgent({ name: "aaron_dev-2", channels: ["c"] }, baseDeps());
-    expect(res.alreadyRunning).toBe(false);
-    expect(res.session).toBe("aaron_dev-2-agent");
-  });
-
-  test("ENV INJECTION: the resolved per-channel env reaches the tmux launch env (Claude auth intact)", async () => {
-    sessionsDir = mkdtempSync(join(tmpdir(), "spawn-agent-env-"));
-    const tmux = recordingTmux();
-    const deps = baseDeps({
-      tmux,
-      // The wake channel is the first channel ("aaron-dev") — env resolves on it.
-      resolveChannelEnv: (ch): Record<string, string> =>
-        ch === "aaron-dev" ? { GH_TOKEN: "ghp_INJECTED", CLOUDFLARE_API_TOKEN: "cf_INJECTED" } : {},
-    });
-    await spawnAgent({ name: "aaron-dev", channels: ["aaron-dev"] }, deps);
-    expect(tmux.launched).toHaveLength(1);
-    const env = tmux.launched[0]!.env;
-    // The injected vars reach the child…
-    expect(env.GH_TOKEN).toBe("ghp_INJECTED");
-    expect(env.CLOUDFLARE_API_TOKEN).toBe("cf_INJECTED");
-    // …Claude auth is the stub placeholder (not clobbered), and no API key leaked.
-    expect(env.CLAUDE_CODE_OAUTH_TOKEN).toBe("OAUTH-CRED-PLACEHOLDER");
-    expect(env.ANTHROPIC_API_KEY).toBeUndefined();
-  });
-
-  test("ENV INJECTION: a denylisted key planted in the resolver is dropped at launch", async () => {
-    sessionsDir = mkdtempSync(join(tmpdir(), "spawn-agent-env-deny-"));
-    const tmux = recordingTmux();
-    const deps = baseDeps({
-      tmux,
-      resolveChannelEnv: () => ({ ANTHROPIC_API_KEY: "sk-ant-SMUGGLED", GH_TOKEN: "ghp_OK" }),
-    });
-    await spawnAgent({ name: "x", channels: ["c"] }, deps);
-    const env = tmux.launched[0]!.env;
-    expect(env.GH_TOKEN).toBe("ghp_OK");
-    expect(env.ANTHROPIC_API_KEY).toBeUndefined(); // dropped defensively in buildAgentChildEnv
-  });
-
-  test("SPEC PERSISTENCE: spawn writes spec.json so a restart can reproduce the launch", async () => {
-    sessionsDir = mkdtempSync(join(tmpdir(), "spawn-agent-spec-"));
-    const spec: AgentSpec = {
-      name: "weaver",
-      channels: [{ name: "weave", access: "read" }],
-      vault: { name: "default", access: "read", tags: ["agent/message"] },
-      network: "restricted",
-      egress: ["registry.npmjs.org"],
-    };
-    const res = await spawnAgent(spec, baseDeps());
-    // The persisted spec round-trips to the exact spec the launch used.
-    const recovered = readPersistedSpec(res.workspace);
-    expect(recovered).toEqual(spec);
-    // And it's at the conventional path.
-    expect(specFilePath(res.workspace)).toBe(join(res.workspace, "spec.json"));
-  });
-
-  test("read-only channel mints agent:read ONLY (not read+write)", async () => {
-    sessionsDir = mkdtempSync(join(tmpdir(), "spawn-agent-roch-"));
-    const scopes: string[] = [];
-    const fetchFn = (async (_u: string | URL | Request, init?: RequestInit) => {
-      const body = JSON.parse(String(init?.body ?? "{}")) as { scope: string };
-      scopes.push(body.scope);
-      return new Response(
-        JSON.stringify({ jti: "j", token: `T-${scopes.length}`, expires_at: "", scope: body.scope }),
-        { status: 200, headers: { "content-type": "application/json" } },
-      );
-    }) as unknown as typeof fetch;
-
-    const spec: AgentSpec = {
-      name: "watcher",
-      channels: [
-        { name: "readonly-ch", access: "read" },
-        { name: "rw-ch", access: "write" },
-        "bare-ch", // bare string = write (back-compat)
-      ],
-    };
-    await spawnAgent(spec, baseDeps({ fetchFn }));
-    expect(scopes).toContain("agent:read"); // the read-only channel
-    expect(scopes.filter((s) => s === "agent:read")).toHaveLength(1);
-    expect(scopes.filter((s) => s === "agent:read agent:write")).toHaveLength(2); // rw + bare
-  });
-
-  test("CONCURRENCY: two concurrent spawnAgent calls produce correct, independent MCP configs + wrapping", async () => {
-    sessionsDir = mkdtempSync(join(tmpdir(), "spawn-agent-conc-"));
-    // Independent engines/tmux per call so we can assert no cross-clobber. Each
-    // mint hub returns a token namespaced to the spec so configs are tellable apart.
-    function depsForArm(arm: string) {
-      let n = 0;
-      const fetchFn = (async (_u: string | URL | Request, init?: RequestInit) => {
-        const body = JSON.parse(String(init?.body ?? "{}")) as { scope: string };
-        n += 1;
-        return new Response(
-          JSON.stringify({ jti: `${arm}-${n}`, token: `${arm}-TOK-${n}`, expires_at: "", scope: body.scope }),
-          { status: 200, headers: { "content-type": "application/json" } },
-        );
-      }) as unknown as typeof fetch;
-      return baseDeps({ tmux: recordingTmux(), sandboxEngine: fakeEngine(), fetchFn });
-    }
-
-    const [a, b] = await Promise.all([
-      spawnAgent({ name: "arm-a", channels: ["ca"] }, depsForArm("A")),
-      spawnAgent({ name: "arm-b", channels: ["cb"] }, depsForArm("B")),
-    ]);
-
-    // Each got its OWN channel entry + token — no clobber across the race.
-    const pa = JSON.parse(a.mcpConfigJson) as { mcpServers: Record<string, { url: string; headers?: { Authorization: string } }> };
-    const pb = JSON.parse(b.mcpConfigJson) as { mcpServers: Record<string, { url: string; headers?: { Authorization: string } }> };
-    expect(pa.mcpServers[channelEntryKey("ca")]!.url).toBe("http://127.0.0.1:1941/mcp/ca");
-    expect(pb.mcpServers[channelEntryKey("cb")]!.url).toBe("http://127.0.0.1:1941/mcp/cb");
-    expect(pa.mcpServers[channelEntryKey("ca")]!.headers!.Authorization).toBe("Bearer A-TOK-1");
-    expect(pb.mcpServers[channelEntryKey("cb")]!.headers!.Authorization).toBe("Bearer B-TOK-1");
-    // Independent sandbox configs (each carries its own workspace allowWrite).
-    expect(a.wrapped.config.filesystem.allowWrite).toContain(a.workspace);
-    expect(b.wrapped.config.filesystem.allowWrite).toContain(b.workspace);
-    expect(a.workspace).not.toBe(b.workspace);
-  });
-
-  test("CONCURRENCY: the init→wrap window is serialized (never two engines in it at once)", async () => {
-    sessionsDir = mkdtempSync(join(tmpdir(), "spawn-agent-serial-"));
-    // An engine whose initialize overlaps wrap by an await; if the lock didn't
-    // hold, two would be "in the window" simultaneously and maxActive would be >1.
-    let active = 0;
-    let maxActive = 0;
-    function slowEngine(): SandboxEngine {
-      return {
-        isSupportedPlatform: () => true,
-        isSandboxingEnabled: () => true,
-        async initialize() {
-          active += 1;
-          maxActive = Math.max(maxActive, active);
-          await Bun.sleep(15);
-        },
-        async wrapWithSandboxArgv(command: string) {
-          await Bun.sleep(15);
-          active -= 1;
-          return { argv: ["/bin/bash", "-c", command], env: {} };
-        },
-        async reset() {},
-      };
-    }
-    await Promise.all([
-      spawnAgent({ name: "s-a", channels: ["c"] }, baseDeps({ sandboxEngine: slowEngine(), tmux: recordingTmux() })),
-      spawnAgent({ name: "s-b", channels: ["c"] }, baseDeps({ sandboxEngine: slowEngine(), tmux: recordingTmux() })),
-      spawnAgent({ name: "s-c", channels: ["c"] }, baseDeps({ sandboxEngine: slowEngine(), tmux: recordingTmux() })),
-    ]);
-    expect(maxActive).toBe(1);
-  });
-});
-
-// ---- the workspace seam (working-directory axis) ---------------------------
-// design 2026-06-16-agent-filesystem-and-sharing.md — a `workspace` host path is
-// the agent's cwd + an rw working-root; the credential-bearing private home
-// (.mcp.json / system-prompt.txt / spec.json / seeded CLAUDE_CONFIG_DIR) STAYS in
-// the per-agent sessions/<name> dir, never written into the shared workspace.
-
-describe("resolveAgentCwd — cwd is the workspace when set, else the private dir", () => {
-  test("workspace set → that path; the private dir is untouched as the cwd", () => {
-    expect(resolveAgentCwd({ name: "a", channels: ["c"], workspace: "/ws/repo" }, "/private/a")).toBe("/ws/repo");
-  });
-  test("workspace unset → the private dir (today's behavior)", () => {
-    expect(resolveAgentCwd({ name: "a", channels: ["c"] }, "/private/a")).toBe("/private/a");
-  });
-  test("a blank workspace falls back to the private dir", () => {
-    expect(resolveAgentCwd({ name: "a", channels: ["c"], workspace: "" }, "/private/a")).toBe("/private/a");
-  });
-});
-
-describe("spawnAgent — workspace seam (interactive): cwd = workspace, secrets stay private", () => {
-  test("workspace SET → tmux cwd is the workspace; .mcp.json/system-prompt/spec/home stay in the PRIVATE dir; workspace is in the sandbox rw set", async () => {
-    sessionsDir = mkdtempSync(join(tmpdir(), "spawn-ws-set-"));
-    const workspaceDir = mkdtempSync(join(tmpdir(), "shared-workdir-"));
-    const tmux = recordingTmux();
-    const engine = fakeEngine();
-    try {
-      const spec: AgentSpec = {
-        name: "worker",
-        channels: ["worker"],
-        workspace: workspaceDir,
-        systemPrompt: "You work in the repo.",
-      };
-      const res = await spawnAgent(spec, baseDeps({ tmux, sandboxEngine: engine }));
-      const privateDir = sessionWorkspace(sessionsDir, "worker");
-      // res.workspace is still the PRIVATE session dir (the home of secrets).
-      expect(res.workspace).toBe(privateDir);
-
-      // 1. The tmux session's cwd is the SHARED workspace, NOT the private dir.
-      const launch = tmux.launched[0]!;
-      expect(launch.cwd).toBe(workspaceDir);
-      // …and the launch script (private) is written to the PRIVATE dir, never the shared one.
-      expect(launch.scriptDir).toBe(privateDir);
-
-      // 2. SECRETS-STAY-PRIVATE invariant: .mcp.json / system-prompt.txt / spec.json /
-      // the seeded home all live UNDER the private dir, and NONE under the workspace.
-      expect(existsSync(join(privateDir, ".mcp.json"))).toBe(true);
-      expect(existsSync(join(privateDir, "system-prompt.txt"))).toBe(true);
-      expect(existsSync(join(privateDir, "spec.json"))).toBe(true);
-      expect(existsSync(join(privateDir, "home", ".claude", ".claude.json"))).toBe(true);
-      // The workspace dir is NOT littered with any private artifact.
-      expect(existsSync(join(workspaceDir, ".mcp.json"))).toBe(false);
-      expect(existsSync(join(workspaceDir, "system-prompt.txt"))).toBe(false);
-      expect(existsSync(join(workspaceDir, "spec.json"))).toBe(false);
-      expect(existsSync(join(workspaceDir, ".launch.sh"))).toBe(false);
-      expect(existsSync(join(workspaceDir, "home"))).toBe(false);
-
-      // 3. --mcp-config / --append-system-prompt-file point at the PRIVATE absolute
-      // paths (unaffected by the cwd change).
-      const cmd = launch.argv[2]!;
-      expect(cmd).toContain(join(privateDir, ".mcp.json"));
-      expect(cmd).toContain(join(privateDir, "system-prompt.txt"));
-
-      // 4. The workspace IS an rw working-root in the sandbox (read + write).
-      expect(engine.initializedWith!.filesystem.allowWrite).toContain(workspaceDir);
-      expect(engine.initializedWith!.filesystem.allowWrite).toContain(privateDir);
-      expect(engine.initializedWith!.filesystem.allowRead).toContain(workspaceDir);
-
-      // 5. CLAUDE_CONFIG_DIR / TMPDIR still point at the PRIVATE home (not the workspace).
-      expect(launch.env.CLAUDE_CONFIG_DIR).toBe(join(privateDir, "home", ".claude"));
-      expect(launch.env.TMPDIR).toBe(join(privateDir, "tmp"));
-
-      // 6. The seeded project (pre-trusted) is the agent's CWD (the shared workspace).
-      const seed = JSON.parse(
-        readFileSync(join(privateDir, "home", ".claude", ".claude.json"), "utf8"),
-      ) as { projects: Record<string, unknown> };
-      expect(Object.keys(seed.projects)).toEqual([workspaceDir]);
-    } finally {
-      rmSync(workspaceDir, { recursive: true, force: true });
-    }
-  });
-
-  test("workspace UNSET → cwd is the private dir (unchanged); workspace not in the rw set beyond the private dir", async () => {
-    sessionsDir = mkdtempSync(join(tmpdir(), "spawn-ws-unset-"));
-    const tmux = recordingTmux();
-    const engine = fakeEngine();
-    const res = await spawnAgent({ name: "plain", channels: ["plain"] }, baseDeps({ tmux, sandboxEngine: engine }));
-    const launch = tmux.launched[0]!;
-    // The cwd is the private session dir (today's behavior, exactly).
-    expect(launch.cwd).toBe(res.workspace);
-    expect(launch.scriptDir).toBe(res.workspace);
-    // The only writable dir is the private session dir.
-    expect(engine.initializedWith!.filesystem.allowWrite).toEqual([res.workspace]);
-    // The pre-trusted project is the private dir (no shared working dir).
-    const seed = JSON.parse(
-      readFileSync(join(res.workspace, "home", ".claude", ".claude.json"), "utf8"),
-    ) as { projects: Record<string, unknown> };
-    expect(Object.keys(seed.projects)).toEqual([res.workspace]);
-  });
-
-  test("SECRETS-STAY-PRIVATE: .mcp.json (scoped tokens) is NEVER written into a shared workspace dir", async () => {
-    sessionsDir = mkdtempSync(join(tmpdir(), "spawn-ws-secrets-"));
-    const workspaceDir = mkdtempSync(join(tmpdir(), "shared-secrets-"));
-    try {
-      const spec: AgentSpec = {
-        name: "secretkeeper",
-        channels: ["secretkeeper"],
-        vault: { name: "default", access: "read" },
-        workspace: workspaceDir,
-      };
-      await spawnAgent(spec, baseDeps({ tmux: recordingTmux() }));
-      // The shared workspace holds NO .mcp.json (the file that inlines the minted
-      // vault/channel tokens). It only ever lives in the per-agent private dir.
-      expect(existsSync(join(workspaceDir, ".mcp.json"))).toBe(false);
-      // Belt-and-suspenders: no file under the shared workspace contains the minted
-      // token marker the fake hub stamps (TOK-).
-      const privateMcp = readFileSync(join(sessionWorkspace(sessionsDir, "secretkeeper"), ".mcp.json"), "utf8");
-      expect(privateMcp).toContain("Bearer TOK-"); // the secret IS in the private file…
-      // …and the shared dir has no such file at all (asserted above) — so the token
-      // never crosses into the shareable dir.
-    } finally {
-      rmSync(workspaceDir, { recursive: true, force: true });
-    }
-  });
-
-  test("two agents can SHARE one workspace dir (allowed, not solved) — each keeps its OWN private home", async () => {
-    sessionsDir = mkdtempSync(join(tmpdir(), "spawn-ws-shared-"));
-    const shared = mkdtempSync(join(tmpdir(), "shared-by-two-"));
-    try {
-      const tmuxA = recordingTmux();
-      const tmuxB = recordingTmux();
-      await spawnAgent({ name: "agent-a", channels: ["a"], workspace: shared }, baseDeps({ tmux: tmuxA }));
-      await spawnAgent({ name: "agent-b", channels: ["b"], workspace: shared }, baseDeps({ tmux: tmuxB }));
-      // Both cwd into the SAME shared dir…
-      expect(tmuxA.launched[0]!.cwd).toBe(shared);
-      expect(tmuxB.launched[0]!.cwd).toBe(shared);
-      // …but each has its OWN private home (distinct .mcp.json under distinct dirs).
-      const aPriv = sessionWorkspace(sessionsDir, "agent-a");
-      const bPriv = sessionWorkspace(sessionsDir, "agent-b");
-      expect(aPriv).not.toBe(bPriv);
-      expect(existsSync(join(aPriv, ".mcp.json"))).toBe(true);
-      expect(existsSync(join(bPriv, ".mcp.json"))).toBe(true);
-      // The shared dir holds NEITHER agent's secrets.
-      expect(existsSync(join(shared, ".mcp.json"))).toBe(false);
-    } finally {
-      rmSync(shared, { recursive: true, force: true });
-    }
-  });
-});
-
-// ---- credential wiring (Stream 3 — resolve from the per-channel store) -------
-
-describe("spawnAgent — resolves the Claude credential from the per-channel store", () => {
-  let storeDir: string;
-  afterEach(() => {
-    if (storeDir) rmSync(storeDir, { recursive: true, force: true });
-  });
-
-  // The wiring under test reads `credentials.ts` keyed on the WAKE channel (the
-  // first channel). These tests use the REAL resolver (no `resolveClaudeToken`
-  // stub) against a throwaway store, proving the end-to-end resolve→inject path.
-  function depsWithRealResolver(): SpawnAgentDeps {
-    const d = baseDeps();
-    delete (d as { resolveClaudeToken?: unknown }).resolveClaudeToken;
-    return d;
-  }
-
-  test("injects the PER-CHANNEL override when the wake channel has one", async () => {
-    sessionsDir = mkdtempSync(join(tmpdir(), "spawn-agent-cred-ovr-"));
-    storeDir = mkdtempSync(join(tmpdir(), "channel-creds-ovr-"));
-    setDefaultClaudeCredential("oat_DEFAULT", storeDir);
-    setChannelClaudeCredential("aaron-dev", "oat_AARON-OVERRIDE", storeDir);
-
-    const tmux = recordingTmux();
-    const deps = { ...depsWithRealResolver(), tmux, resolveClaudeToken: (ch: string) => resolveAgainst(storeDir, ch) };
-    const res = await spawnAgent({ name: "aaron-dev", channels: ["aaron-dev"] }, deps);
-    expect(res.alreadyRunning).toBe(false);
-    // The override (not the default) lands in CLAUDE_CODE_OAUTH_TOKEN.
-    expect(tmux.launched[0]!.env.CLAUDE_CODE_OAUTH_TOKEN).toBe("oat_AARON-OVERRIDE");
-    expect(tmux.launched[0]!.env.ANTHROPIC_API_KEY).toBeUndefined();
-  });
-
-  test("falls back to the DEFAULT/operator token when the wake channel has no override", async () => {
-    sessionsDir = mkdtempSync(join(tmpdir(), "spawn-agent-cred-def-"));
-    storeDir = mkdtempSync(join(tmpdir(), "channel-creds-def-"));
-    setDefaultClaudeCredential("oat_DEFAULT", storeDir);
-
-    const tmux = recordingTmux();
-    const deps = { ...baseDeps(), tmux, resolveClaudeToken: (ch: string) => resolveAgainst(storeDir, ch) };
-    const res = await spawnAgent({ name: "other", channels: ["unconfigured-ch"] }, deps);
-    expect(res.alreadyRunning).toBe(false);
-    expect(tmux.launched[0]!.env.CLAUDE_CODE_OAUTH_TOKEN).toBe("oat_DEFAULT");
-  });
-
-  test("resolves on the WAKE channel (first), not a later one", async () => {
-    sessionsDir = mkdtempSync(join(tmpdir(), "spawn-agent-cred-wake-"));
-    storeDir = mkdtempSync(join(tmpdir(), "channel-creds-wake-"));
-    setDefaultClaudeCredential("oat_DEFAULT", storeDir);
-    setChannelClaudeCredential("first", "oat_FIRST", storeDir);
-    setChannelClaudeCredential("second", "oat_SECOND", storeDir);
-
-    const tmux = recordingTmux();
-    const deps = { ...baseDeps(), tmux, resolveClaudeToken: (ch: string) => resolveAgainst(storeDir, ch) };
-    await spawnAgent({ name: "multi", channels: ["first", "second"] }, deps);
-    // The wake channel is the first → its override is the session's auth.
-    expect(tmux.launched[0]!.env.CLAUDE_CODE_OAUTH_TOKEN).toBe("oat_FIRST");
-  });
-
-  test("SECURITY: an unconfigured store ABORTS the launch BEFORE any mint/tmux side effect", async () => {
-    sessionsDir = mkdtempSync(join(tmpdir(), "spawn-agent-cred-none-"));
-    storeDir = mkdtempSync(join(tmpdir(), "channel-creds-none-")); // empty store
-    const tmux = recordingTmux();
-    let minted = false;
-    const fetchFn = (async () => {
-      minted = true;
-      return new Response("{}", { status: 200 });
-    }) as unknown as typeof fetch;
-    const deps = { ...baseDeps(), tmux, fetchFn, resolveClaudeToken: (ch: string) => resolveAgainst(storeDir, ch) };
-    await expect(
-      spawnAgent({ name: "x", channels: ["ghost"] }, deps),
-    ).rejects.toThrow(/no Claude credential/);
-    // No session launched, no token minted.
-    expect(tmux.launched).toHaveLength(0);
-    expect(minted).toBe(false);
-  });
-});
-
-// Resolve against a specific store dir (the real resolver hard-wires the default
-// state dir; this test helper threads the throwaway dir through, exercising the
-// SAME `resolveClaudeCredential` the production resolver calls).
-function resolveAgainst(storeDir: string, channel: string): string {
-  const { resolveClaudeCredential } = require("./credentials.ts") as typeof import("./credentials.ts");
-  return resolveClaudeCredential(channel, storeDir);
-}
-
-// ---- buildLaunchScript (the tmux-buffer fix) -------------------------------
-
-describe("buildLaunchScript — script body per argv shape, token-free", () => {
-  test("macOS `/bin/bash -c <cmd>` shape: the body IS the command", () => {
-    const script = buildLaunchScript(["/bin/bash", "-c", "sandbox-exec -p '...' claude --foo"]);
-    expect(script.startsWith("#!/bin/bash\nset -euo pipefail\n")).toBe(true);
-    expect(script).toContain("sandbox-exec -p '...' claude --foo");
-    // No `exec <bash> -c` re-wrapping for this canonical shape.
-    expect(script).not.toContain("exec /bin/bash");
-  });
-
-  test("general argv (Linux bubblewrap shape): exec's the quoted argv", () => {
-    const script = buildLaunchScript(["bwrap", "--ro-bind", "/usr", "/usr", "claude", "--mcp-config", "/ws/.mcp.json"]);
-    expect(script.startsWith("#!/bin/bash\nset -euo pipefail\n")).toBe(true);
-    expect(script).toContain("exec bwrap --ro-bind /usr /usr claude --mcp-config /ws/.mcp.json");
-  });
-});
-
-describe("realTmuxLauncher — launch-script indirection (tmux can't take the ~84KB profile inline)", () => {
-  /** A recording spawnFn matching the `Bun.spawn` shape the launcher awaits. */
-  function recordingSpawn(): {
-    fn: typeof Bun.spawn;
-    calls: string[][];
-  } {
-    const calls: string[][] = [];
-    const fn = ((argv: string[]) => {
-      calls.push(argv);
-      return {
-        exited: Promise.resolve(0),
-        stderr: new Response("").body,
-      };
-    }) as unknown as typeof Bun.spawn;
-    return { fn, calls };
-  }
-
-  test("a >100KB wrapped command is NOT passed inline — tmux gets a short script-path argv; the script is written 0600 with the command; token rides env via -e", async () => {
-    const workspace = mkdtempSync(join(tmpdir(), "launch-script-"));
-    try {
-      // A wrapped argv whose command embeds a giant (>100KB) profile inline — the
-      // exact shape that overran tmux's buffer in the integration smoke.
-      const bigProfile = "X".repeat(100_000);
-      const bigCommand = `sandbox-exec -p '${bigProfile}' claude --strict-mcp-config --mcp-config ${join(workspace, ".mcp.json")}`;
-      const wrappedArgv = ["/bin/bash", "-c", bigCommand];
-      expect(bigCommand.length).toBeGreaterThan(100_000);
-
-      const { fn, calls } = recordingSpawn();
-      const launcher = realTmuxLauncher(fn);
-      await launcher.newSession({
-        name: "big-agent",
-        argv: wrappedArgv,
-        env: { CLAUDE_CODE_OAUTH_TOKEN: "OAUTH-SECRET", SANDBOX_RUNTIME: "1" },
-        cwd: workspace,
-      });
-
-      // (a) the argv handed to tmux is SHORT — a script path, not the 100KB inline.
-      expect(calls).toHaveLength(1);
-      const tmuxArgv = calls[0]!;
-      const scriptPath = join(workspace, ".launch.sh");
-      expect(tmuxArgv[tmuxArgv.length - 2]).toBe("/bin/bash");
-      expect(tmuxArgv[tmuxArgv.length - 1]).toBe(scriptPath);
-      // The 100KB profile is NOWHERE on the tmux command line.
-      expect(tmuxArgv.some((a) => a.length > 50_000)).toBe(false);
-      expect(tmuxArgv.join(" ")).not.toContain(bigProfile);
-
-      // (b) the launch script is written, mode 0600, and contains the wrapped command.
-      expect(statSync(scriptPath).mode & 0o777).toBe(0o600);
-      const body = readFileSync(scriptPath, "utf8");
-      expect(body.startsWith("#!/bin/bash\nset -euo pipefail\n")).toBe(true);
-      expect(body).toContain(bigCommand);
-
-      // (c) env still passed via `-e KEY=VAL`.
-      expect(tmuxArgv).toContain("-e");
-      expect(tmuxArgv).toContain("CLAUDE_CODE_OAUTH_TOKEN=OAUTH-SECRET");
-      expect(tmuxArgv).toContain("SANDBOX_RUNTIME=1");
-
-      // SECURITY: the secret rides the ENV, never the script body.
-      expect(body).not.toContain("OAUTH-SECRET");
-    } finally {
-      rmSync(workspace, { recursive: true, force: true });
-    }
-  });
-});
-
-describe("confirmDevChannelsPrompt — auto-answer the dev-channels consent gate (channel#70)", () => {
-  /**
-   * A recording spawnFn whose `tmux capture-pane` returns configurable pane text and
-   * whose `tmux send-keys` is recorded. Mirrors the `recordingSpawn` shape above but
-   * with a per-argv stdout (capture must return the pane content).
-   */
-  function recordingSpawn(paneText: string): {
-    fn: typeof Bun.spawn;
-    calls: string[][];
-  } {
-    const calls: string[][] = [];
-    const fn = ((argv: string[]) => {
-      calls.push(argv);
-      const isCapture = argv.includes("capture-pane");
-      return {
-        exited: Promise.resolve(0),
-        stdout: new Response(isCapture ? paneText : "").body,
-        stderr: new Response("").body,
-      };
-    }) as unknown as typeof Bun.spawn;
-    return { fn, calls };
-  }
-
-  const noSleep = async () => {};
-
-  test("prompt marker present → returns 'confirmed' AND sends Enter to the pane", async () => {
-    const pane = `WARNING: Loading development channels\n❯ 1. ${DEV_CHANNELS_PROMPT_MARKER}\n  2. Exit`;
-    const { fn, calls } = recordingSpawn(pane);
-    const result = await confirmDevChannelsPrompt("aaron-agent", {
-      spawnFn: fn,
-      timeoutMs: 5_000,
-      intervalMs: 10,
-      sleepFn: noSleep,
-    });
-    expect(result).toBe("confirmed");
-    // A `tmux send-keys -t aaron-agent Enter` call was recorded.
-    const sendKeys = calls.find((c) => c.includes("send-keys"));
-    expect(sendKeys).toBeDefined();
-    expect(sendKeys).toEqual(["tmux", "send-keys", "-t", "aaron-agent", "Enter"]);
-  });
-
-  test("ready marker present (no prompt) → returns 'already-running', NO send-keys", async () => {
-    const pane = `Welcome to Claude Code\n  ${DEV_CHANNELS_READY_MARKER} · /help for help`;
-    const { fn, calls } = recordingSpawn(pane);
-    const result = await confirmDevChannelsPrompt("aaron-agent", {
-      spawnFn: fn,
-      timeoutMs: 5_000,
-      intervalMs: 10,
-      sleepFn: noSleep,
-    });
-    expect(result).toBe("already-running");
-    expect(calls.some((c) => c.includes("send-keys"))).toBe(false);
-  });
-
-  test("neither marker, tiny timeout + no-op sleep → returns 'timeout', NO throw, NO send-keys", async () => {
-    const { fn, calls } = recordingSpawn("just some unrelated pane output\n$ ");
-    const result = await confirmDevChannelsPrompt("aaron-agent", {
-      spawnFn: fn,
-      timeoutMs: 1,
-      intervalMs: 1,
-      sleepFn: noSleep,
-    });
-    expect(result).toBe("timeout");
-    expect(calls.some((c) => c.includes("send-keys"))).toBe(false);
-    // It DID poll at least once (the do-while guarantees a capture even at timeoutMs<=interval).
-    expect(calls.some((c) => c.includes("capture-pane"))).toBe(true);
-  });
-
-  test("a capture subprocess that throws degrades to timeout, never throws", async () => {
-    const fn = (() => {
-      throw new Error("tmux not found");
-    }) as unknown as typeof Bun.spawn;
-    const result = await confirmDevChannelsPrompt("aaron-agent", {
-      spawnFn: fn,
-      timeoutMs: 1,
-      intervalMs: 1,
-      sleepFn: noSleep,
-    });
-    expect(result).toBe("timeout");
-  });
-
-  test("prompt seen but send-keys throws → degrades to timeout (does NOT lie 'confirmed'), never throws", async () => {
-    const pane = `❯ 1. ${DEV_CHANNELS_PROMPT_MARKER}\n  2. Exit`;
-    // capture-pane succeeds (returns the prompt); send-keys throws.
-    const fn = ((argv: string[]) => {
-      if (argv.includes("send-keys")) throw new Error("send-keys failed");
-      return {
-        exited: Promise.resolve(0),
-        stdout: new Response(pane).body,
-        stderr: new Response("").body,
-      };
-    }) as unknown as typeof Bun.spawn;
-    const result = await confirmDevChannelsPrompt("aaron-agent", {
-      spawnFn: fn,
-      timeoutMs: 1,
-      intervalMs: 1,
-      sleepFn: noSleep,
-    });
-    expect(result).toBe("timeout");
-  });
-});
-
-describe("persistSpec / readPersistedSpec — spawn-spec recovery for restart", () => {
-  test("round-trips a spec; readPersistedSpec returns null for a missing/garbage file", () => {
-    const ws = mkdtempSync(join(tmpdir(), "spec-rt-"));
-    try {
-      expect(readPersistedSpec(ws)).toBeNull(); // nothing written yet
-      const spec: AgentSpec = { name: "a", channels: ["c"], filesystem: "full" };
-      persistSpec(ws, spec);
-      expect(readPersistedSpec(ws)).toEqual(spec);
-      // Written 0600 (matches the secret-bearing .mcp.json discipline; the workspace
-      // dir is only umask-tight, so the file perm is the real guard).
-      expect(statSync(specFilePath(ws)).mode & 0o777).toBe(0o600);
-      // Corrupt it -> null (the restart path treats this as "no spec").
-      writeFileSync(specFilePath(ws), "{not json");
-      expect(readPersistedSpec(ws)).toBeNull();
-    } finally {
-      rmSync(ws, { recursive: true, force: true });
-    }
-  });
-});