@poolzin/pool-bot 2026.2.10 → 2026.2.17

package/dist/agents/pi-tools.policy.js

@@ -1,63 +1,42 @@
 import { getChannelDock } from "../channels/dock.js";
 import { resolveChannelGroupToolsPolicy } from "../config/group-policy.js";
+import { resolveThreadParentSessionKey } from "../sessions/session-key-utils.js";
+import { normalizeMessageChannel } from "../utils/message-channel.js";
 import { resolveAgentConfig, resolveAgentIdFromSessionKey } from "./agent-scope.js";
+import { compileGlobPatterns, matchesAnyGlobPattern } from "./glob-pattern.js";
+import { pickSandboxToolPolicy } from "./sandbox-tool-policy.js";
 import { expandToolGroups, normalizeToolName } from "./tool-policy.js";
-import { normalizeMessageChannel } from "../utils/message-channel.js";
-import { resolveThreadParentSessionKey } from "../sessions/session-key-utils.js";
-function compilePattern(pattern) {
-    const normalized = normalizeToolName(pattern);
-    if (!normalized)
-        return { kind: "exact", value: "" };
-    if (normalized === "*")
-        return { kind: "all" };
-    if (!normalized.includes("*"))
-        return { kind: "exact", value: normalized };
-    const escaped = normalized.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
-    return {
-        kind: "regex",
-        value: new RegExp(`^${escaped.replaceAll("\\*", ".*")}$`),
-    };
-}
-function compilePatterns(patterns) {
-    if (!Array.isArray(patterns))
-        return [];
-    return expandToolGroups(patterns)
-        .map(compilePattern)
-        .filter((pattern) => pattern.kind !== "exact" || pattern.value);
-}
-function matchesAny(name, patterns) {
-    for (const pattern of patterns) {
-        if (pattern.kind === "all")
-            return true;
-        if (pattern.kind === "exact" && name === pattern.value)
-            return true;
-        if (pattern.kind === "regex" && pattern.value.test(name))
-            return true;
-    }
-    return false;
-}
 function makeToolPolicyMatcher(policy) {
-    const deny = compilePatterns(policy.deny);
-    const allow = compilePatterns(policy.allow);
+    const deny = compileGlobPatterns({
+        raw: expandToolGroups(policy.deny ?? []),
+        normalize: normalizeToolName,
+    });
+    const allow = compileGlobPatterns({
+        raw: expandToolGroups(policy.allow ?? []),
+        normalize: normalizeToolName,
+    });
     return (name) => {
         const normalized = normalizeToolName(name);
-        if (matchesAny(normalized, deny))
+        if (matchesAnyGlobPattern(normalized, deny)) {
             return false;
-        if (allow.length === 0)
+        }
+        if (allow.length === 0) {
             return true;
-        if (matchesAny(normalized, allow))
+        }
+        if (matchesAnyGlobPattern(normalized, allow)) {
             return true;
-        if (normalized === "apply_patch" && matchesAny("exec", allow))
+        }
+        if (normalized === "apply_patch" && matchesAnyGlobPattern("exec", allow)) {
             return true;
+        }
         return false;
     };
 }
-const DEFAULT_SUBAGENT_TOOL_DENY = [
-    // Session management - main agent orchestrates
-    "sessions_list",
-    "sessions_history",
-    "sessions_send",
-    "sessions_spawn",
+/**
+ * Tools always denied for sub-agents regardless of depth.
+ * These are system-level or interactive tools that sub-agents should never use.
+ */
+const SUBAGENT_TOOL_DENY_ALWAYS = [
     // System admin - dangerous from subagent
     "gateway",
     "agents_list",
@@ -69,85 +48,95 @@ const DEFAULT_SUBAGENT_TOOL_DENY = [
     // Memory - pass relevant info in spawn prompt instead
     "memory_search",
     "memory_get",
+    // Direct session sends - subagents communicate through announce chain
+    "sessions_send",
 ];
-export function resolveSubagentToolPolicy(cfg) {
+/**
+ * Additional tools denied for leaf sub-agents (depth >= maxSpawnDepth).
+ * These are tools that only make sense for orchestrator sub-agents that can spawn children.
+ */
+const SUBAGENT_TOOL_DENY_LEAF = ["sessions_list", "sessions_history", "sessions_spawn"];
+/**
+ * Build the deny list for a sub-agent at a given depth.
+ *
+ * - Depth 1 with maxSpawnDepth >= 2 (orchestrator): allowed to use sessions_spawn,
+ *   subagents, sessions_list, sessions_history so it can manage its children.
+ * - Depth >= maxSpawnDepth (leaf): denied sessions_spawn and
+ *   session management tools. Still allowed subagents (for list/status visibility).
+ */
+function resolveSubagentDenyList(depth, maxSpawnDepth) {
+    const isLeaf = depth >= Math.max(1, Math.floor(maxSpawnDepth));
+    if (isLeaf) {
+        return [...SUBAGENT_TOOL_DENY_ALWAYS, ...SUBAGENT_TOOL_DENY_LEAF];
+    }
+    // Orchestrator sub-agent: only deny the always-denied tools.
+    // sessions_spawn, subagents, sessions_list, sessions_history are allowed.
+    return [...SUBAGENT_TOOL_DENY_ALWAYS];
+}
+export function resolveSubagentToolPolicy(cfg, depth) {
     const configured = cfg?.tools?.subagents?.tools;
-    const deny = [
-        ...DEFAULT_SUBAGENT_TOOL_DENY,
-        ...(Array.isArray(configured?.deny) ? configured.deny : []),
-    ];
+    const maxSpawnDepth = cfg?.agents?.defaults?.subagents?.maxSpawnDepth ?? 1;
+    const effectiveDepth = typeof depth === "number" && depth >= 0 ? depth : 1;
+    const baseDeny = resolveSubagentDenyList(effectiveDepth, maxSpawnDepth);
+    const deny = [...baseDeny, ...(Array.isArray(configured?.deny) ? configured.deny : [])];
     const allow = Array.isArray(configured?.allow) ? configured.allow : undefined;
     return { allow, deny };
 }
 export function isToolAllowedByPolicyName(name, policy) {
-    if (!policy)
+    if (!policy) {
         return true;
+    }
     return makeToolPolicyMatcher(policy)(name);
 }
 export function filterToolsByPolicy(tools, policy) {
-    if (!policy)
+    if (!policy) {
         return tools;
+    }
     const matcher = makeToolPolicyMatcher(policy);
     return tools.filter((tool) => matcher(tool.name));
 }
-function unionAllow(base, extra) {
-    if (!Array.isArray(extra) || extra.length === 0)
-        return base;
-    // If the user is using alsoAllow without an allowlist, treat it as additive on top of
-    // an implicit allow-all policy.
-    if (!Array.isArray(base) || base.length === 0) {
-        return Array.from(new Set(["*", ...extra]));
-    }
-    return Array.from(new Set([...base, ...extra]));
-}
-function pickToolPolicy(config) {
-    if (!config)
-        return undefined;
-    const allow = Array.isArray(config.allow)
-        ? unionAllow(config.allow, config.alsoAllow)
-        : Array.isArray(config.alsoAllow) && config.alsoAllow.length > 0
-            ? unionAllow(undefined, config.alsoAllow)
-            : undefined;
-    const deny = Array.isArray(config.deny) ? config.deny : undefined;
-    if (!allow && !deny)
-        return undefined;
-    return { allow, deny };
-}
 function normalizeProviderKey(value) {
     return value.trim().toLowerCase();
 }
 function resolveGroupContextFromSessionKey(sessionKey) {
     const raw = (sessionKey ?? "").trim();
-    if (!raw)
+    if (!raw) {
         return {};
+    }
     const base = resolveThreadParentSessionKey(raw) ?? raw;
     const parts = base.split(":").filter(Boolean);
     let body = parts[0] === "agent" ? parts.slice(2) : parts;
     if (body[0] === "subagent") {
         body = body.slice(1);
     }
-    if (body.length < 3)
+    if (body.length < 3) {
         return {};
+    }
     const [channel, kind, ...rest] = body;
-    if (kind !== "group" && kind !== "channel")
+    if (kind !== "group" && kind !== "channel") {
         return {};
+    }
     const groupId = rest.join(":").trim();
-    if (!groupId)
+    if (!groupId) {
         return {};
+    }
     return { channel: channel.trim().toLowerCase(), groupId };
 }
 function resolveProviderToolPolicy(params) {
     const provider = params.modelProvider?.trim();
-    if (!provider || !params.byProvider)
+    if (!provider || !params.byProvider) {
         return undefined;
+    }
     const entries = Object.entries(params.byProvider);
-    if (entries.length === 0)
+    if (entries.length === 0) {
         return undefined;
+    }
     const lookup = new Map();
     for (const [key, value] of entries) {
         const normalized = normalizeProviderKey(key);
-        if (!normalized)
+        if (!normalized) {
             continue;
+        }
         lookup.set(normalized, value);
     }
     const normalizedProvider = normalizeProviderKey(provider);
@@ -156,8 +145,9 @@ function resolveProviderToolPolicy(params) {
     const candidates = [...(fullModelId ? [fullModelId] : []), normalizedProvider];
     for (const key of candidates) {
         const match = lookup.get(key);
-        if (match)
+        if (match) {
             return match;
+        }
     }
     return undefined;
 }
@@ -179,10 +169,10 @@ export function resolveEffectiveToolPolicy(params) {
     });
     return {
         agentId,
-        globalPolicy: pickToolPolicy(globalTools),
-        globalProviderPolicy: pickToolPolicy(providerPolicy),
-        agentPolicy: pickToolPolicy(agentTools),
-        agentProviderPolicy: pickToolPolicy(agentProviderPolicy),
+        globalPolicy: pickSandboxToolPolicy(globalTools),
+        globalProviderPolicy: pickSandboxToolPolicy(providerPolicy),
+        agentPolicy: pickSandboxToolPolicy(agentTools),
+        agentProviderPolicy: pickSandboxToolPolicy(agentProviderPolicy),
         profile,
         providerProfile: agentProviderPolicy?.profile ?? providerPolicy?.profile,
         // alsoAllow is applied at the profile stage (to avoid being filtered out early).
@@ -199,17 +189,20 @@ export function resolveEffectiveToolPolicy(params) {
     };
 }
 export function resolveGroupToolPolicy(params) {
-    if (!params.config)
+    if (!params.config) {
         return undefined;
+    }
     const sessionContext = resolveGroupContextFromSessionKey(params.sessionKey);
     const spawnedContext = resolveGroupContextFromSessionKey(params.spawnedBy);
     const groupId = params.groupId ?? sessionContext.groupId ?? spawnedContext.groupId;
-    if (!groupId)
+    if (!groupId) {
         return undefined;
+    }
     const channelRaw = params.messageProvider ?? sessionContext.channel ?? spawnedContext.channel;
     const channel = normalizeMessageChannel(channelRaw);
-    if (!channel)
+    if (!channel) {
         return undefined;
+    }
     let dock;
     try {
         dock = getChannelDock(channel);
@@ -238,7 +231,7 @@ export function resolveGroupToolPolicy(params) {
             senderUsername: params.senderUsername,
             senderE164: params.senderE164,
         });
-    return pickToolPolicy(toolsConfig);
+    return pickSandboxToolPolicy(toolsConfig);
 }
 export function isToolAllowedByPolicies(name, policies) {
     return policies.every((policy) => isToolAllowedByPolicyName(name, policy));

package/dist/agents/pi-tools.schema.js

@@ -1,12 +1,15 @@
 import { cleanSchemaForGemini } from "./schema/clean-for-gemini.js";
 function extractEnumValues(schema) {
-    if (!schema || typeof schema !== "object")
+    if (!schema || typeof schema !== "object") {
         return undefined;
+    }
     const record = schema;
-    if (Array.isArray(record.enum))
+    if (Array.isArray(record.enum)) {
         return record.enum;
-    if ("const" in record)
+    }
+    if ("const" in record) {
         return [record.const];
+    }
     const variants = Array.isArray(record.anyOf)
         ? record.anyOf
         : Array.isArray(record.oneOf)
@@ -22,50 +25,61 @@ function extractEnumValues(schema) {
     return undefined;
 }
 function mergePropertySchemas(existing, incoming) {
-    if (!existing)
+    if (!existing) {
         return incoming;
-    if (!incoming)
+    }
+    if (!incoming) {
         return existing;
+    }
     const existingEnum = extractEnumValues(existing);
     const incomingEnum = extractEnumValues(incoming);
     if (existingEnum || incomingEnum) {
         const values = Array.from(new Set([...(existingEnum ?? []), ...(incomingEnum ?? [])]));
         const merged = {};
         for (const source of [existing, incoming]) {
-            if (!source || typeof source !== "object")
+            if (!source || typeof source !== "object") {
                 continue;
+            }
             const record = source;
             for (const key of ["title", "description", "default"]) {
-                if (!(key in merged) && key in record)
+                if (!(key in merged) && key in record) {
                     merged[key] = record[key];
+                }
             }
         }
         const types = new Set(values.map((value) => typeof value));
-        if (types.size === 1)
+        if (types.size === 1) {
             merged.type = Array.from(types)[0];
+        }
         merged.enum = values;
         return merged;
     }
     return existing;
 }
-export function normalizeToolParameters(tool) {
+export function normalizeToolParameters(tool, options) {
     const schema = tool.parameters && typeof tool.parameters === "object"
         ? tool.parameters
         : undefined;
-    if (!schema)
+    if (!schema) {
         return tool;
+    }
     // Provider quirks:
     // - Gemini rejects several JSON Schema keywords, so we scrub those.
     // - OpenAI rejects function tool schemas unless the *top-level* is `type: "object"`.
     //   (TypeBox root unions compile to `{ anyOf: [...] }` without `type`).
+    // - Anthropic (google-antigravity) expects full JSON Schema draft 2020-12 compliance.
     //
     // Normalize once here so callers can always pass `tools` through unchanged.
+    const isGeminiProvider = options?.modelProvider?.toLowerCase().includes("google") ||
+        options?.modelProvider?.toLowerCase().includes("gemini");
+    const isAnthropicProvider = options?.modelProvider?.toLowerCase().includes("anthropic") ||
+        options?.modelProvider?.toLowerCase().includes("google-antigravity");
     // If schema already has type + properties (no top-level anyOf to merge),
-    // still clean it for Gemini compatibility
+    // clean it for Gemini compatibility (but only if using Gemini, not Anthropic)
     if ("type" in schema && "properties" in schema && !Array.isArray(schema.anyOf)) {
         return {
             ...tool,
-            parameters: cleanSchemaForGemini(schema),
+            parameters: isGeminiProvider && !isAnthropicProvider ? cleanSchemaForGemini(schema) : schema,
         };
     }
     // Some tool schemas (esp. unions) may omit `type` at the top-level. If we see
@@ -74,9 +88,12 @@ export function normalizeToolParameters(tool) {
         (typeof schema.properties === "object" || Array.isArray(schema.required)) &&
         !Array.isArray(schema.anyOf) &&
         !Array.isArray(schema.oneOf)) {
+        const schemaWithType = { ...schema, type: "object" };
         return {
             ...tool,
-            parameters: cleanSchemaForGemini({ ...schema, type: "object" }),
+            parameters: isGeminiProvider && !isAnthropicProvider
+                ? cleanSchemaForGemini(schemaWithType)
+                : schemaWithType,
         };
     }
     const variantKey = Array.isArray(schema.anyOf)
@@ -84,18 +101,21 @@ export function normalizeToolParameters(tool) {
         : Array.isArray(schema.oneOf)
             ? "oneOf"
             : null;
-    if (!variantKey)
+    if (!variantKey) {
         return tool;
+    }
     const variants = schema[variantKey];
     const mergedProperties = {};
     const requiredCounts = new Map();
     let objectVariants = 0;
     for (const entry of variants) {
-        if (!entry || typeof entry !== "object")
+        if (!entry || typeof entry !== "object") {
             continue;
+        }
         const props = entry.properties;
-        if (!props || typeof props !== "object")
+        if (!props || typeof props !== "object") {
             continue;
+        }
         objectVariants += 1;
         for (const [key, value] of Object.entries(props)) {
             if (!(key in mergedProperties)) {
@@ -108,8 +128,9 @@ export function normalizeToolParameters(tool) {
             ? entry.required
             : [];
         for (const key of required) {
-            if (typeof key !== "string")
+            if (typeof key !== "string") {
                 continue;
+            }
             requiredCounts.set(key, (requiredCounts.get(key) ?? 0) + 1);
         }
     }
@@ -124,24 +145,30 @@ export function normalizeToolParameters(tool) {
                 .map(([key]) => key)
             : undefined;
     const nextSchema = { ...schema };
+    const flattenedSchema = {
+        type: "object",
+        ...(typeof nextSchema.title === "string" ? { title: nextSchema.title } : {}),
+        ...(typeof nextSchema.description === "string" ? { description: nextSchema.description } : {}),
+        properties: Object.keys(mergedProperties).length > 0 ? mergedProperties : (schema.properties ?? {}),
+        ...(mergedRequired && mergedRequired.length > 0 ? { required: mergedRequired } : {}),
+        additionalProperties: "additionalProperties" in schema ? schema.additionalProperties : true,
+    };
     return {
         ...tool,
         // Flatten union schemas into a single object schema:
         // - Gemini doesn't allow top-level `type` together with `anyOf`.
         // - OpenAI rejects schemas without top-level `type: "object"`.
+        // - Anthropic accepts proper JSON Schema with constraints.
         // Merging properties preserves useful enums like `action` while keeping schemas portable.
-        parameters: cleanSchemaForGemini({
-            type: "object",
-            ...(typeof nextSchema.title === "string" ? { title: nextSchema.title } : {}),
-            ...(typeof nextSchema.description === "string"
-                ? { description: nextSchema.description }
-                : {}),
-            properties: Object.keys(mergedProperties).length > 0 ? mergedProperties : (schema.properties ?? {}),
-            ...(mergedRequired && mergedRequired.length > 0 ? { required: mergedRequired } : {}),
-            additionalProperties: "additionalProperties" in schema ? schema.additionalProperties : true,
-        }),
+        parameters: isGeminiProvider && !isAnthropicProvider
+            ? cleanSchemaForGemini(flattenedSchema)
+            : flattenedSchema,
     };
 }
+/**
+ * @deprecated Use normalizeToolParameters with modelProvider instead.
+ * This function should only be used for Gemini providers.
+ */
 export function cleanToolSchemaForGemini(schema) {
     return cleanSchemaForGemini(schema);
 }

package/dist/agents/sandbox/validate-sandbox-security.js

@@ -0,0 +1,157 @@
+/**
+ * Sandbox security validation — blocks dangerous Docker configurations.
+ *
+ * Threat model: local-trusted config, but protect against foot-guns and config injection.
+ * Enforced at runtime when creating sandbox containers.
+ */
+import { existsSync, realpathSync } from "node:fs";
+import { posix } from "node:path";
+// Targeted denylist: host paths that should never be exposed inside sandbox containers.
+// Exported for reuse in security audit collectors.
+export const BLOCKED_HOST_PATHS = [
+    "/etc",
+    "/private/etc",
+    "/proc",
+    "/sys",
+    "/dev",
+    "/root",
+    "/boot",
+    // Directories that commonly contain (or alias) the Docker socket.
+    "/run",
+    "/var/run",
+    "/private/var/run",
+    "/var/run/docker.sock",
+    "/private/var/run/docker.sock",
+    "/run/docker.sock",
+];
+const BLOCKED_NETWORK_MODES = new Set(["host"]);
+const BLOCKED_SECCOMP_PROFILES = new Set(["unconfined"]);
+const BLOCKED_APPARMOR_PROFILES = new Set(["unconfined"]);
+/**
+ * Parse the host/source path from a Docker bind mount string.
+ * Format: `source:target[:mode]`
+ */
+export function parseBindSourcePath(bind) {
+    const trimmed = bind.trim();
+    const firstColon = trimmed.indexOf(":");
+    if (firstColon <= 0) {
+        // No colon or starts with colon — treat as source.
+        return trimmed;
+    }
+    return trimmed.slice(0, firstColon);
+}
+/**
+ * Normalize a POSIX path: resolve `.`, `..`, collapse `//`, strip trailing `/`.
+ */
+export function normalizeHostPath(raw) {
+    const trimmed = raw.trim();
+    return posix.normalize(trimmed).replace(/\/+$/, "") || "/";
+}
+/**
+ * String-only blocked-path check (no filesystem I/O).
+ * Blocks:
+ * - binds that target blocked paths (equal or under)
+ * - binds that cover the system root (mounting "/" is never safe)
+ * - non-absolute source paths (relative / volume names) because they are hard to validate safely
+ */
+export function getBlockedBindReason(bind) {
+    const sourceRaw = parseBindSourcePath(bind);
+    if (!sourceRaw.startsWith("/")) {
+        return { kind: "non_absolute", sourcePath: sourceRaw };
+    }
+    const normalized = normalizeHostPath(sourceRaw);
+    return getBlockedReasonForSourcePath(normalized);
+}
+export function getBlockedReasonForSourcePath(sourceNormalized) {
+    if (sourceNormalized === "/") {
+        return { kind: "covers", blockedPath: "/" };
+    }
+    for (const blocked of BLOCKED_HOST_PATHS) {
+        if (sourceNormalized === blocked || sourceNormalized.startsWith(blocked + "/")) {
+            return { kind: "targets", blockedPath: blocked };
+        }
+    }
+    return null;
+}
+function tryRealpathAbsolute(path) {
+    if (!path.startsWith("/")) {
+        return path;
+    }
+    if (!existsSync(path)) {
+        return path;
+    }
+    try {
+        // Use native when available (keeps platform semantics); normalize for prefix checks.
+        return normalizeHostPath(realpathSync.native(path));
+    }
+    catch {
+        return path;
+    }
+}
+function formatBindBlockedError(params) {
+    if (params.reason.kind === "non_absolute") {
+        return new Error(`Sandbox security: bind mount "${params.bind}" uses a non-absolute source path ` +
+            `"${params.reason.sourcePath}". Only absolute POSIX paths are supported for sandbox binds.`);
+    }
+    const verb = params.reason.kind === "covers" ? "covers" : "targets";
+    return new Error(`Sandbox security: bind mount "${params.bind}" ${verb} blocked path "${params.reason.blockedPath}". ` +
+        "Mounting system directories (or Docker socket paths) into sandbox containers is not allowed. " +
+        "Use project-specific paths instead (e.g. /home/user/myproject).");
+}
+/**
+ * Validate bind mounts — throws if any source path is dangerous.
+ * Includes a symlink/realpath pass when the source path exists.
+ */
+export function validateBindMounts(binds) {
+    if (!binds?.length) {
+        return;
+    }
+    for (const rawBind of binds) {
+        const bind = rawBind.trim();
+        if (!bind) {
+            continue;
+        }
+        // Fast string-only check (covers .., //, ancestor/descendant logic).
+        const blocked = getBlockedBindReason(bind);
+        if (blocked) {
+            throw formatBindBlockedError({ bind, reason: blocked });
+        }
+        // Symlink escape hardening: resolve existing absolute paths and re-check.
+        const sourceRaw = parseBindSourcePath(bind);
+        const sourceNormalized = normalizeHostPath(sourceRaw);
+        const sourceReal = tryRealpathAbsolute(sourceNormalized);
+        if (sourceReal !== sourceNormalized) {
+            const reason = getBlockedReasonForSourcePath(sourceReal);
+            if (reason) {
+                throw formatBindBlockedError({ bind, reason });
+            }
+        }
+    }
+}
+export function validateNetworkMode(network) {
+    if (network && BLOCKED_NETWORK_MODES.has(network.trim().toLowerCase())) {
+        throw new Error(`Sandbox security: network mode "${network}" is blocked. ` +
+            'Network "host" mode bypasses container network isolation. ' +
+            'Use "bridge" or "none" instead.');
+    }
+}
+export function validateSeccompProfile(profile) {
+    if (profile && BLOCKED_SECCOMP_PROFILES.has(profile.trim().toLowerCase())) {
+        throw new Error(`Sandbox security: seccomp profile "${profile}" is blocked. ` +
+            "Disabling seccomp removes syscall filtering and weakens sandbox isolation. " +
+            "Use a custom seccomp profile file or omit this setting.");
+    }
+}
+export function validateApparmorProfile(profile) {
+    if (profile && BLOCKED_APPARMOR_PROFILES.has(profile.trim().toLowerCase())) {
+        throw new Error(`Sandbox security: apparmor profile "${profile}" is blocked. ` +
+            "Disabling AppArmor removes mandatory access controls and weakens sandbox isolation. " +
+            "Use a named AppArmor profile or omit this setting.");
+    }
+}
+export function validateSandboxSecurity(cfg) {
+    validateBindMounts(cfg.binds);
+    validateNetworkMode(cfg.network);
+    validateSeccompProfile(cfg.seccompProfile);
+    validateApparmorProfile(cfg.apparmorProfile);
+}

package/dist/agents/sandbox-tool-policy.js

@@ -0,0 +1,26 @@
+function unionAllow(base, extra) {
+    if (!Array.isArray(extra) || extra.length === 0) {
+        return base;
+    }
+    // If the user is using alsoAllow without an allowlist, treat it as additive on top of
+    // an implicit allow-all policy.
+    if (!Array.isArray(base) || base.length === 0) {
+        return Array.from(new Set(["*", ...extra]));
+    }
+    return Array.from(new Set([...base, ...extra]));
+}
+export function pickSandboxToolPolicy(config) {
+    if (!config) {
+        return undefined;
+    }
+    const allow = Array.isArray(config.allow)
+        ? unionAllow(config.allow, config.alsoAllow)
+        : Array.isArray(config.alsoAllow) && config.alsoAllow.length > 0
+            ? unionAllow(undefined, config.alsoAllow)
+            : undefined;
+    const deny = Array.isArray(config.deny) ? config.deny : undefined;
+    if (!allow && !deny) {
+        return undefined;
+    }
+    return { allow, deny };
+}

package/dist/agents/sanitize-for-prompt.js

@@ -0,0 +1,18 @@
+/**
+ * Sanitize untrusted strings before embedding them into an LLM prompt.
+ *
+ * Threat model (OC-19): attacker-controlled directory names (or other runtime strings)
+ * that contain newline/control characters can break prompt structure and inject
+ * arbitrary instructions.
+ *
+ * Strategy (Option 3 hardening):
+ * - Strip Unicode "control" (Cc) + "format" (Cf) characters (includes CR/LF/NUL, bidi marks, zero-width chars).
+ * - Strip explicit line/paragraph separators (Zl/Zp): U+2028/U+2029.
+ *
+ * Notes:
+ * - This is intentionally lossy; it trades edge-case path fidelity for prompt integrity.
+ * - If you need lossless representation, escape instead of stripping.
+ */
+export function sanitizeForPromptLiteral(value) {
+    return value.replace(/[\p{Cc}\p{Cf}\u2028\u2029]/gu, "");
+}