npm - @poolzin/pool-bot - Versions diffs - 2026.2.23 → 2026.2.25 - Mend

@poolzin/pool-bot 2026.2.23 → 2026.2.25

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (235) hide show

package/CHANGELOG.md +29 -0
package/dist/acp/client.js +207 -18
package/dist/acp/secret-file.js +22 -0
package/dist/agents/agent-scope.js +10 -0
package/dist/agents/bash-process-registry.test-helpers.js +29 -0
package/dist/agents/bash-tools.exec-approval-request.js +20 -0
package/dist/agents/bash-tools.exec-host-gateway.js +230 -0
package/dist/agents/bash-tools.exec-host-node.js +235 -0
package/dist/agents/bash-tools.exec-types.js +1 -0
package/dist/agents/bash-tools.process.js +224 -218
package/dist/agents/content-blocks.js +16 -0
package/dist/agents/model-fallback.js +96 -101
package/dist/agents/models-config.providers.js +299 -182
package/dist/agents/pi-embedded-payloads.js +1 -0
package/dist/agents/pi-embedded-runner/run.overflow-compaction.fixture.js +34 -0
package/dist/agents/skills.test-helpers.js +13 -0
package/dist/agents/stable-stringify.js +12 -0
package/dist/agents/subagent-registry.mocks.shared.js +12 -0
package/dist/agents/test-helpers/assistant-message-fixtures.js +29 -0
package/dist/agents/test-helpers/pi-tools-sandbox-context.js +27 -0
package/dist/agents/tool-policy-shared.js +108 -0
package/dist/agents/tools/browser-tool.js +160 -54
package/dist/agents/tools/cron-tool.test-helpers.js +12 -0
package/dist/agents/tools/discord-actions-moderation-shared.js +27 -0
package/dist/agents/tools/image-tool.js +214 -99
package/dist/agents/tools/sessions-history-tool.js +140 -108
package/dist/agents/workspace.js +222 -46
package/dist/auto-reply/commands-registry.js +15 -18
package/dist/auto-reply/fallback-state.js +114 -0
package/dist/auto-reply/model-runtime.js +68 -0
package/dist/auto-reply/reply/agent-runner-execution.js +36 -4
package/dist/auto-reply/reply/agent-runner.js +165 -39
package/dist/auto-reply/reply/commands-setunset-standard.js +13 -0
package/dist/browser/config.js +26 -0
package/dist/browser/navigation-guard.js +31 -0
package/dist/browser/routes/agent.act.js +431 -424
package/dist/browser/routes/agent.shared.js +47 -3
package/dist/browser/routes/agent.snapshot.js +122 -116
package/dist/browser/routes/agent.storage.js +303 -297
package/dist/browser/routes/tabs.js +154 -100
package/dist/browser/server-lifecycle.js +37 -0
package/dist/build-info.json +3 -3
package/dist/channels/allow-from.js +25 -0
package/dist/channels/plugins/account-action-gate.js +13 -0
package/dist/channels/plugins/message-actions.js +10 -0
package/dist/channels/telegram/api.js +18 -0
package/dist/cli/argv.js +84 -21
package/dist/cli/banner.js +2 -1
package/dist/cli/exec-approvals-cli.js +92 -124
package/dist/cli/memory-cli.js +158 -61
package/dist/cli/nodes-cli/register.push.js +63 -0
package/dist/cli/nodes-media-utils.js +21 -0
package/dist/cli/plugins-cli.js +245 -61
package/dist/cli/program/build-program.js +3 -1
package/dist/cli/program/command-registry.js +223 -136
package/dist/cli/program/help.js +43 -12
package/dist/cli/route.js +1 -1
package/dist/cli/test-runtime-capture.js +24 -0
package/dist/commands/agent.js +163 -87
package/dist/commands/channels.mock-harness.js +23 -0
package/dist/commands/daemon-install-runtime-warning.js +11 -0
package/dist/commands/onboard-helpers.js +4 -4
package/dist/commands/sessions.test-helpers.js +61 -0
package/dist/compat/legacy-names.js +2 -2
package/dist/config/commands.js +3 -0
package/dist/config/config.js +1 -1
package/dist/config/env-substitution.js +62 -34
package/dist/config/env-vars.js +9 -0
package/dist/config/io.js +571 -171
package/dist/config/merge-patch.js +50 -4
package/dist/config/redact-snapshot.js +404 -76
package/dist/config/schema.js +58 -570
package/dist/config/validation.js +140 -85
package/dist/config/zod-schema.hooks.js +40 -11
package/dist/config/zod-schema.installs.js +20 -0
package/dist/config/zod-schema.js +8 -7
package/dist/control-ui/assets/{index-HRr1grwl.js → index-Dvkl4Xlx.js} +2 -1
package/dist/control-ui/assets/{index-HRr1grwl.js.map → index-Dvkl4Xlx.js.map} +1 -1
package/dist/control-ui/index.html +1 -1
package/dist/daemon/cmd-argv.js +21 -0
package/dist/daemon/cmd-set.js +58 -0
package/dist/daemon/service-types.js +1 -0
package/dist/discord/monitor/exec-approvals.js +357 -162
package/dist/gateway/auth.js +38 -3
package/dist/gateway/call.js +149 -68
package/dist/gateway/canvas-capability.js +75 -0
package/dist/gateway/control-plane-audit.js +28 -0
package/dist/gateway/control-plane-rate-limit.js +53 -0
package/dist/gateway/events.js +1 -0
package/dist/gateway/hooks.js +109 -54
package/dist/gateway/http-common.js +22 -0
package/dist/gateway/method-scopes.js +169 -0
package/dist/gateway/net.js +23 -0
package/dist/gateway/openresponses-http.js +120 -110
package/dist/gateway/probe-auth.js +2 -0
package/dist/gateway/protocol/index.js +3 -2
package/dist/gateway/protocol/schema/protocol-schemas.js +2 -0
package/dist/gateway/protocol/schema/push.js +18 -0
package/dist/gateway/protocol/schema.js +1 -0
package/dist/gateway/server-http.js +236 -52
package/dist/gateway/server-methods/agent.js +162 -24
package/dist/gateway/server-methods/chat.js +461 -130
package/dist/gateway/server-methods/config.js +193 -150
package/dist/gateway/server-methods/nodes.helpers.js +12 -0
package/dist/gateway/server-methods/nodes.js +251 -69
package/dist/gateway/server-methods/push.js +53 -0
package/dist/gateway/server-reload-handlers.js +2 -3
package/dist/gateway/server-runtime-config.js +5 -0
package/dist/gateway/server-runtime-state.js +2 -0
package/dist/gateway/server-ws-runtime.js +1 -0
package/dist/gateway/server.impl.js +296 -139
package/dist/gateway/session-preview.test-helpers.js +11 -0
package/dist/gateway/startup-auth.js +126 -0
package/dist/gateway/test-helpers.agent-results.js +15 -0
package/dist/gateway/test-helpers.mocks.js +37 -14
package/dist/gateway/test-helpers.server.js +161 -77
package/dist/hooks/bundled/session-memory/handler.js +165 -34
package/dist/hooks/gmail-watcher-lifecycle.js +23 -0
package/dist/infra/archive-path.js +49 -0
package/dist/infra/device-pairing.js +148 -167
package/dist/infra/exec-approvals-allowlist.js +19 -70
package/dist/infra/exec-approvals-analysis.js +44 -17
package/dist/infra/exec-safe-bin-policy.js +269 -0
package/dist/infra/fixed-window-rate-limit.js +33 -0
package/dist/infra/git-root.js +61 -0
package/dist/infra/heartbeat-active-hours.js +2 -2
package/dist/infra/heartbeat-reason.js +40 -0
package/dist/infra/heartbeat-runner.js +72 -32
package/dist/infra/install-source-utils.js +91 -7
package/dist/infra/node-pairing.js +50 -105
package/dist/infra/npm-integrity.js +45 -0
package/dist/infra/npm-pack-install.js +40 -0
package/dist/infra/outbound/channel-adapters.js +20 -7
package/dist/infra/outbound/message-action-runner.js +107 -327
package/dist/infra/outbound/message.js +59 -36
package/dist/infra/outbound/outbound-policy.js +52 -25
package/dist/infra/outbound/outbound-send-service.js +58 -71
package/dist/infra/pairing-files.js +10 -0
package/dist/infra/plain-object.js +9 -0
package/dist/infra/push-apns.js +365 -0
package/dist/infra/restart-sentinel.js +16 -1
package/dist/infra/restart.js +229 -26
package/dist/infra/scp-host.js +54 -0
package/dist/infra/update-startup.js +86 -9
package/dist/media/inbound-path-policy.js +114 -0
package/dist/media/input-files.js +16 -0
package/dist/memory/test-manager.js +8 -0
package/dist/plugin-sdk/temp-path.js +47 -0
package/dist/plugins/discovery.js +217 -23
package/dist/plugins/hook-runner-global.js +16 -0
package/dist/plugins/loader.js +192 -26
package/dist/plugins/logger.js +8 -0
package/dist/plugins/manifest-registry.js +3 -0
package/dist/plugins/path-safety.js +34 -0
package/dist/plugins/registry.js +5 -2
package/dist/plugins/runtime/index.js +271 -206
package/dist/providers/github-copilot-models.js +4 -1
package/dist/security/audit-channel.js +8 -19
package/dist/security/audit-extra.async.js +354 -182
package/dist/security/audit-extra.js +11 -1
package/dist/security/audit-extra.sync.js +340 -33
package/dist/security/audit-fs.js +31 -13
package/dist/security/audit.js +145 -371
package/dist/security/dm-policy-shared.js +24 -0
package/dist/security/external-content.js +20 -8
package/dist/security/fix.js +49 -85
package/dist/security/scan-paths.js +20 -0
package/dist/security/secret-equal.js +3 -7
package/dist/security/windows-acl.js +30 -15
package/dist/shared/node-list-parse.js +13 -0
package/dist/shared/operator-scope-compat.js +37 -0
package/dist/shared/text-chunking.js +29 -0
package/dist/slack/blocks.test-helpers.js +31 -0
package/dist/slack/monitor/mrkdwn.js +8 -0
package/dist/telegram/bot-message-dispatch.js +366 -164
package/dist/telegram/draft-stream.js +30 -7
package/dist/telegram/reasoning-lane-coordinator.js +128 -0
package/dist/terminal/prompt-select-styled.js +9 -0
package/dist/test-utils/command-runner.js +6 -0
package/dist/test-utils/internal-hook-event-payload.js +10 -0
package/dist/test-utils/model-auth-mock.js +12 -0
package/dist/test-utils/provider-usage-fetch.js +14 -0
package/dist/test-utils/temp-home.js +33 -0
package/dist/tui/components/chat-log.js +9 -0
package/dist/tui/tui-command-handlers.js +36 -27
package/dist/tui/tui-event-handlers.js +122 -32
package/dist/tui/tui.js +181 -45
package/dist/utils/mask-api-key.js +10 -0
package/dist/utils/run-with-concurrency.js +39 -0
package/dist/web/media.js +4 -0
package/docs/tools/slash-commands.md +5 -1
package/extensions/bluebubbles/package.json +1 -1
package/extensions/copilot-proxy/package.json +1 -1
package/extensions/diagnostics-otel/package.json +1 -1
package/extensions/discord/package.json +1 -1
package/extensions/feishu/package.json +1 -1
package/extensions/feishu/src/external-keys.ts +19 -0
package/extensions/google-antigravity-auth/package.json +1 -1
package/extensions/google-gemini-cli-auth/package.json +1 -1
package/extensions/googlechat/package.json +1 -1
package/extensions/imessage/package.json +1 -1
package/extensions/irc/package.json +1 -1
package/extensions/line/package.json +1 -1
package/extensions/llm-task/package.json +1 -1
package/extensions/lobster/package.json +1 -1
package/extensions/lobster/src/windows-spawn.ts +193 -0
package/extensions/matrix/CHANGELOG.md +5 -0
package/extensions/matrix/package.json +1 -1
package/extensions/matrix/src/matrix/actions/limits.ts +6 -0
package/extensions/mattermost/package.json +1 -1
package/extensions/mattermost/src/mattermost/reactions.test-helpers.ts +83 -0
package/extensions/memory-core/package.json +1 -1
package/extensions/memory-lancedb/package.json +1 -1
package/extensions/minimax-portal-auth/package.json +1 -1
package/extensions/msteams/CHANGELOG.md +5 -0
package/extensions/msteams/package.json +1 -1
package/extensions/nextcloud-talk/package.json +1 -1
package/extensions/nostr/CHANGELOG.md +5 -0
package/extensions/nostr/package.json +1 -1
package/extensions/open-prose/package.json +1 -1
package/extensions/openai-codex-auth/package.json +1 -1
package/extensions/signal/package.json +1 -1
package/extensions/slack/package.json +1 -1
package/extensions/telegram/package.json +1 -1
package/extensions/tlon/package.json +1 -1
package/extensions/twitch/CHANGELOG.md +5 -0
package/extensions/twitch/package.json +1 -1
package/extensions/voice-call/CHANGELOG.md +5 -0
package/extensions/voice-call/package.json +1 -1
package/extensions/whatsapp/package.json +1 -1
package/extensions/zalo/CHANGELOG.md +5 -0
package/extensions/zalo/package.json +1 -1
package/extensions/zalouser/CHANGELOG.md +5 -0
package/extensions/zalouser/package.json +1 -1
package/package.json +1 -1

package/dist/agents/tools/image-tool.js CHANGED Viewed

@@ -1,10 +1,8 @@
-import fs from "node:fs/promises";
 import path from "node:path";
-import { complete, } from "@mariozechner/pi-ai";
-import { discoverAuthStorage, discoverModels } from "../pi-model-discovery.js";
+import { complete } from "@mariozechner/pi-ai";
 import { Type } from "@sinclair/typebox";
 import { resolveUserPath } from "../../utils.js";
-import { loadWebMedia } from "../../web/media.js";
+import { getDefaultLocalRoots, loadWebMedia } from "../../web/media.js";
 import { ensureAuthProfileStore, listProfilesForProvider } from "../auth-profiles.js";
 import { DEFAULT_MODEL, DEFAULT_PROVIDER } from "../defaults.js";
 import { minimaxUnderstandImage } from "../minimax-vlm.js";
@@ -12,13 +10,26 @@ import { getApiKeyForModel, requireApiKey, resolveEnvApiKey } from "../model-aut
 import { runWithImageModelFallback } from "../model-fallback.js";
 import { resolveConfiguredModelRef } from "../model-selection.js";
 import { ensurePoolbotModelsJson } from "../models-config.js";
-import { assertSandboxPath } from "../sandbox-paths.js";
+import { discoverAuthStorage, discoverModels } from "../pi-model-discovery.js";
+import { normalizeWorkspaceDir } from "../workspace-dir.js";
 import { coerceImageAssistantText, coerceImageModelConfig, decodeDataUrl, resolveProviderVisionModelFromConfig, } from "./image-tool.helpers.js";
 const DEFAULT_PROMPT = "Describe the image.";
+const ANTHROPIC_IMAGE_PRIMARY = "anthropic/claude-opus-4-6";
+const ANTHROPIC_IMAGE_FALLBACK = "anthropic/claude-opus-4-5";
+const DEFAULT_MAX_IMAGES = 20;
 export const __testing = {
     decodeDataUrl,
     coerceImageAssistantText,
+    resolveImageToolMaxTokens,
 };
+function resolveImageToolMaxTokens(modelMaxTokens, requestedMaxTokens = 4096) {
+    if (typeof modelMaxTokens !== "number" ||
+        !Number.isFinite(modelMaxTokens) ||
+        modelMaxTokens <= 0) {
+        return requestedMaxTokens;
+    }
+    return Math.min(requestedMaxTokens, modelMaxTokens);
+}
 function resolveDefaultModelRef(cfg) {
     if (cfg) {
         const resolved = resolveConfiguredModelRef({
@@ -31,8 +42,9 @@ function resolveDefaultModelRef(cfg) {
     return { provider: DEFAULT_PROVIDER, model: DEFAULT_MODEL };
 }
 function hasAuthForProvider(params) {
-    if (resolveEnvApiKey(params.provider)?.apiKey)
+    if (resolveEnvApiKey(params.provider)?.apiKey) {
         return true;
+    }
     const store = ensureAuthProfileStore(params.agentDir, {
         allowKeychainPrompt: false,
     });
@@ -67,10 +79,12 @@ export function resolveImageModelConfigForTool(params) {
     const fallbacks = [];
     const addFallback = (modelRef) => {
         const ref = (modelRef ?? "").trim();
-        if (!ref)
+        if (!ref) {
             return;
-        if (fallbacks.includes(ref))
+        }
+        if (fallbacks.includes(ref)) {
             return;
+        }
         fallbacks.push(ref);
     };
     const providerVisionFromConfig = resolveProviderVisionModelFromConfig({
@@ -89,17 +103,22 @@ export function resolveImageModelConfigForTool(params) {
     else if (providerOk && providerVisionFromConfig) {
         preferred = providerVisionFromConfig;
     }
+    else if (primary.provider === "zai" && providerOk) {
+        preferred = "zai/glm-4.6v";
+    }
     else if (primary.provider === "openai" && openaiOk) {
         preferred = "openai/gpt-5-mini";
     }
     else if (primary.provider === "anthropic" && anthropicOk) {
-        preferred = "anthropic/claude-opus-4-5";
+        preferred = ANTHROPIC_IMAGE_PRIMARY;
     }
     if (preferred?.trim()) {
-        if (openaiOk)
+        if (openaiOk) {
             addFallback("openai/gpt-5-mini");
-        if (anthropicOk)
-            addFallback("anthropic/claude-opus-4-5");
+        }
+        if (anthropicOk) {
+            addFallback(ANTHROPIC_IMAGE_FALLBACK);
+        }
         // Don't duplicate primary in fallbacks.
         const pruned = fallbacks.filter((ref) => ref !== preferred);
         return {
@@ -109,15 +128,19 @@ export function resolveImageModelConfigForTool(params) {
     }
     // Cross-provider fallback when we can't pair with the primary provider.
     if (openaiOk) {
-        if (anthropicOk)
-            addFallback("anthropic/claude-opus-4-5");
+        if (anthropicOk) {
+            addFallback(ANTHROPIC_IMAGE_FALLBACK);
+        }
         return {
             primary: "openai/gpt-5-mini",
             ...(fallbacks.length ? { fallbacks } : {}),
         };
     }
     if (anthropicOk) {
-        return { primary: "anthropic/claude-opus-4-5" };
+        return {
+            primary: ANTHROPIC_IMAGE_PRIMARY,
+            fallbacks: [ANTHROPIC_IMAGE_FALLBACK],
+        };
     }
     return null;
 }
@@ -131,15 +154,16 @@ function pickMaxBytes(cfg, maxBytesMb) {
     }
     return undefined;
 }
-function buildImageContext(prompt, base64, mimeType) {
+function buildImageContext(prompt, images) {
+    const content = [{ type: "text", text: prompt }];
+    for (const img of images) {
+        content.push({ type: "image", data: img.base64, mimeType: img.mimeType });
+    }
     return {
         messages: [
             {
                 role: "user",
-                content: [
-                    { type: "text", text: prompt },
-                    { type: "image", data: base64, mimeType },
-                ],
+                content,
                 timestamp: Date.now(),
             },
         ],
@@ -149,29 +173,32 @@ async function resolveSandboxedImagePath(params) {
     const normalize = (p) => (p.startsWith("file://") ? p.slice("file://".length) : p);
     const filePath = normalize(params.imagePath);
     try {
-        const out = await assertSandboxPath({
+        const resolved = params.sandbox.bridge.resolvePath({
             filePath,
-            cwd: params.sandboxRoot,
-            root: params.sandboxRoot,
+            cwd: params.sandbox.root,
         });
-        return { resolved: out.resolved };
+        return { resolved: resolved.hostPath };
     }
     catch (err) {
         const name = path.basename(filePath);
         const candidateRel = path.join("media", "inbound", name);
-        const candidateAbs = path.join(params.sandboxRoot, candidateRel);
         try {
-            await fs.stat(candidateAbs);
+            const stat = await params.sandbox.bridge.stat({
+                filePath: candidateRel,
+                cwd: params.sandbox.root,
+            });
+            if (!stat) {
+                throw err;
+            }
         }
         catch {
             throw err;
         }
-        const out = await assertSandboxPath({
+        const out = params.sandbox.bridge.resolvePath({
             filePath: candidateRel,
-            cwd: params.sandboxRoot,
-            root: params.sandboxRoot,
+            cwd: params.sandbox.root,
         });
-        return { resolved: out.resolved, rewrittenFrom: filePath };
+        return { resolved: out.hostPath, rewrittenFrom: filePath };
     }
 }
 async function runImagePrompt(params) {
@@ -208,8 +235,10 @@ async function runImagePrompt(params) {
             });
             const apiKey = requireApiKey(apiKeyInfo, model.provider);
             authStorage.setRuntimeApiKey(model.provider, apiKey);
-            const imageDataUrl = `data:${params.mimeType};base64,${params.base64}`;
+            // MiniMax VLM only supports a single image; use the first one.
             if (model.provider === "minimax") {
+                const first = params.images[0];
+                const imageDataUrl = `data:${first.mimeType};base64,${first.base64}`;
                 const text = await minimaxUnderstandImage({
                     apiKey,
                     prompt: params.prompt,
@@ -218,11 +247,11 @@ async function runImagePrompt(params) {
                 });
                 return { text, provider: model.provider, model: model.id };
             }
-            const context = buildImageContext(params.prompt, params.base64, params.mimeType);
-            const message = (await complete(model, context, {
+            const context = buildImageContext(params.prompt, params.images);
+            const message = await complete(model, context, {
                 apiKey,
-                maxTokens: 512,
-            }));
+                maxTokens: resolveImageToolMaxTokens(model.maxTokens),
+            });
             const text = coerceImageAssistantText({
                 message,
                 provider: model.provider,
@@ -255,53 +284,76 @@ export function createImageTool(options) {
         cfg: options?.config,
         agentDir,
     });
-    if (!imageModelConfig)
+    if (!imageModelConfig) {
         return null;
+    }
     // If model has native vision, images in the prompt are auto-injected
     // so this tool is only needed when image wasn't provided in the prompt
     const description = options?.modelHasVision
-        ? "Analyze an image with a vision model. Only use this tool when the image was NOT already provided in the user's message. Images mentioned in the prompt are automatically visible to you."
-        : "Analyze an image with the configured image model (agents.defaults.imageModel). Provide a prompt and image path or URL.";
+        ? "Analyze one or more images with a vision model. Use image for a single path/URL, or images for multiple (up to 20). Only use this tool when images were NOT already provided in the user's message. Images mentioned in the prompt are automatically visible to you."
+        : "Analyze one or more images with the configured image model (agents.defaults.imageModel). Use image for a single path/URL, or images for multiple (up to 20). Provide a prompt describing what to analyze.";
+    const localRoots = (() => {
+        const roots = getDefaultLocalRoots();
+        const workspaceDir = normalizeWorkspaceDir(options?.workspaceDir);
+        if (!workspaceDir) {
+            return roots;
+        }
+        return Array.from(new Set([...roots, workspaceDir]));
+    })();
     return {
         label: "Image",
         name: "image",
         description,
         parameters: Type.Object({
             prompt: Type.Optional(Type.String()),
-            image: Type.String(),
+            image: Type.Optional(Type.String({ description: "Single image path or URL." })),
+            images: Type.Optional(Type.Array(Type.String(), {
+                description: "Multiple image paths or URLs (up to maxImages, default 20).",
+            })),
             model: Type.Optional(Type.String()),
             maxBytesMb: Type.Optional(Type.Number()),
+            maxImages: Type.Optional(Type.Number()),
         }),
         execute: async (_toolCallId, args) => {
             const record = args && typeof args === "object" ? args : {};
-            const imageRawInput = typeof record.image === "string" ? record.image.trim() : "";
-            const imageRaw = imageRawInput.startsWith("@")
-                ? imageRawInput.slice(1).trim()
-                : imageRawInput;
-            if (!imageRaw)
+            // MARK: - Normalize image + images input and dedupe while preserving order
+            const imageCandidates = [];
+            if (typeof record.image === "string") {
+                imageCandidates.push(record.image);
+            }
+            if (Array.isArray(record.images)) {
+                imageCandidates.push(...record.images.filter((v) => typeof v === "string"));
+            }
+            const seenImages = new Set();
+            const imageInputs = [];
+            for (const candidate of imageCandidates) {
+                const trimmedCandidate = candidate.trim();
+                const normalizedForDedupe = trimmedCandidate.startsWith("@")
+                    ? trimmedCandidate.slice(1).trim()
+                    : trimmedCandidate;
+                if (!normalizedForDedupe || seenImages.has(normalizedForDedupe)) {
+                    continue;
+                }
+                seenImages.add(normalizedForDedupe);
+                imageInputs.push(trimmedCandidate);
+            }
+            if (imageInputs.length === 0) {
                 throw new Error("image required");
-            // The tool accepts file paths, file/data URLs, or http(s) URLs. In some
-            // agent/model contexts, images can be referenced as pseudo-URIs like
-            // `image:0` (e.g. "first image in the prompt"). We don't have access to a
-            // shared image registry here, so fail gracefully instead of attempting to
-            // `fs.readFile("image:0")` and producing a noisy ENOENT.
-            const looksLikeWindowsDrivePath = /^[a-zA-Z]:[\\/]/.test(imageRaw);
-            const hasScheme = /^[a-z][a-z0-9+.-]*:/i.test(imageRaw);
-            const isFileUrl = /^file:/i.test(imageRaw);
-            const isHttpUrl = /^https?:\/\//i.test(imageRaw);
-            const isDataUrl = /^data:/i.test(imageRaw);
-            if (hasScheme && !looksLikeWindowsDrivePath && !isFileUrl && !isHttpUrl && !isDataUrl) {
+            }
+            // MARK: - Enforce max images cap
+            const maxImagesRaw = typeof record.maxImages === "number" ? record.maxImages : undefined;
+            const maxImages = typeof maxImagesRaw === "number" && Number.isFinite(maxImagesRaw) && maxImagesRaw > 0
+                ? Math.floor(maxImagesRaw)
+                : DEFAULT_MAX_IMAGES;
+            if (imageInputs.length > maxImages) {
                 return {
                     content: [
                         {
                             type: "text",
-                            text: `Unsupported image reference: ${imageRawInput}. Use a file path, a file:// URL, a data: URL, or an http(s) URL.`,
+                            text: `Too many images: ${imageInputs.length} provided, maximum is ${maxImages}. Please reduce the number of images.`,
                         },
                     ],
-                    details: {
-                        error: "unsupported_image_reference",
-                        image: imageRawInput,
-                    },
+                    details: { error: "too_many_images", count: imageInputs.length, max: maxImages },
                 };
             }
             const promptRaw = typeof record.prompt === "string" && record.prompt.trim()
@@ -310,58 +362,121 @@ export function createImageTool(options) {
             const modelOverride = typeof record.model === "string" && record.model.trim() ? record.model.trim() : undefined;
             const maxBytesMb = typeof record.maxBytesMb === "number" ? record.maxBytesMb : undefined;
             const maxBytes = pickMaxBytes(options?.config, maxBytesMb);
-            const sandboxRoot = options?.sandbox?.root?.trim() ?? options?.sandboxRoot?.trim();
-            const isUrl = isHttpUrl;
-            if (sandboxRoot && isUrl) {
-                throw new Error("Sandboxed image tool does not allow remote URLs.");
-            }
-            const resolvedImage = (() => {
-                if (sandboxRoot)
-                    return imageRaw;
-                if (imageRaw.startsWith("~"))
-                    return resolveUserPath(imageRaw);
-                return imageRaw;
-            })();
-            const resolvedPathInfo = isDataUrl
-                ? { resolved: "" }
-                : sandboxRoot
-                    ? await resolveSandboxedImagePath({
-                        sandboxRoot,
-                        imagePath: resolvedImage,
-                    })
-                    : {
-                        resolved: resolvedImage.startsWith("file://")
-                            ? resolvedImage.slice("file://".length)
-                            : resolvedImage,
+            const sandboxConfig = options?.sandbox && options?.sandbox.root.trim()
+                ? { root: options.sandbox.root.trim(), bridge: options.sandbox.bridge }
+                : null;
+            // MARK: - Load and resolve each image
+            const loadedImages = [];
+            for (const imageRawInput of imageInputs) {
+                const trimmed = imageRawInput.trim();
+                const imageRaw = trimmed.startsWith("@") ? trimmed.slice(1).trim() : trimmed;
+                if (!imageRaw) {
+                    throw new Error("image required (empty string in array)");
+                }
+                // The tool accepts file paths, file/data URLs, or http(s) URLs. In some
+                // agent/model contexts, images can be referenced as pseudo-URIs like
+                // `image:0` (e.g. "first image in the prompt"). We don't have access to a
+                // shared image registry here, so fail gracefully instead of attempting to
+                // `fs.readFile("image:0")` and producing a noisy ENOENT.
+                const looksLikeWindowsDrivePath = /^[a-zA-Z]:[\\/]/.test(imageRaw);
+                const hasScheme = /^[a-z][a-z0-9+.-]*:/i.test(imageRaw);
+                const isFileUrl = /^file:/i.test(imageRaw);
+                const isHttpUrl = /^https?:\/\//i.test(imageRaw);
+                const isDataUrl = /^data:/i.test(imageRaw);
+                if (hasScheme && !looksLikeWindowsDrivePath && !isFileUrl && !isHttpUrl && !isDataUrl) {
+                    return {
+                        content: [
+                            {
+                                type: "text",
+                                text: `Unsupported image reference: ${imageRawInput}. Use a file path, a file:// URL, a data: URL, or an http(s) URL.`,
+                            },
+                        ],
+                        details: {
+                            error: "unsupported_image_reference",
+                            image: imageRawInput,
+                        },
                     };
-            const resolvedPath = isDataUrl ? null : resolvedPathInfo.resolved;
-            const media = isDataUrl
-                ? decodeDataUrl(resolvedImage)
-                : await loadWebMedia(resolvedPath ?? resolvedImage, maxBytes);
-            if (media.kind !== "image") {
-                throw new Error(`Unsupported media type: ${media.kind}`);
+                }
+                if (sandboxConfig && isHttpUrl) {
+                    throw new Error("Sandboxed image tool does not allow remote URLs.");
+                }
+                const resolvedImage = (() => {
+                    if (sandboxConfig) {
+                        return imageRaw;
+                    }
+                    if (imageRaw.startsWith("~")) {
+                        return resolveUserPath(imageRaw);
+                    }
+                    return imageRaw;
+                })();
+                const resolvedPathInfo = isDataUrl
+                    ? { resolved: "" }
+                    : sandboxConfig
+                        ? await resolveSandboxedImagePath({
+                            sandbox: sandboxConfig,
+                            imagePath: resolvedImage,
+                        })
+                        : {
+                            resolved: resolvedImage.startsWith("file://")
+                                ? resolvedImage.slice("file://".length)
+                                : resolvedImage,
+                        };
+                const resolvedPath = isDataUrl ? null : resolvedPathInfo.resolved;
+                const media = isDataUrl
+                    ? decodeDataUrl(resolvedImage)
+                    : sandboxConfig
+                        ? await loadWebMedia(resolvedPath ?? resolvedImage, {
+                            maxBytes,
+                            sandboxValidated: true,
+                            readFile: (filePath) => sandboxConfig.bridge.readFile({ filePath, cwd: sandboxConfig.root }),
+                        })
+                        : await loadWebMedia(resolvedPath ?? resolvedImage, {
+                            maxBytes,
+                            localRoots,
+                        });
+                if (media.kind !== "image") {
+                    throw new Error(`Unsupported media type: ${media.kind}`);
+                }
+                const mimeType = ("contentType" in media && media.contentType) ||
+                    ("mimeType" in media && media.mimeType) ||
+                    "image/png";
+                const base64 = media.buffer.toString("base64");
+                loadedImages.push({
+                    base64,
+                    mimeType,
+                    resolvedImage,
+                    ...(resolvedPathInfo.rewrittenFrom
+                        ? { rewrittenFrom: resolvedPathInfo.rewrittenFrom }
+                        : {}),
+                });
             }
-            const mimeType = ("contentType" in media && media.contentType) ||
-                ("mimeType" in media && media.mimeType) ||
-                "image/png";
-            const base64 = media.buffer.toString("base64");
+            // MARK: - Run image prompt with all loaded images
             const result = await runImagePrompt({
                 cfg: options?.config,
                 agentDir,
                 imageModelConfig,
                 modelOverride,
                 prompt: promptRaw,
-                base64,
-                mimeType,
+                images: loadedImages.map((img) => ({ base64: img.base64, mimeType: img.mimeType })),
             });
+            const imageDetails = loadedImages.length === 1
+                ? {
+                    image: loadedImages[0].resolvedImage,
+                    ...(loadedImages[0].rewrittenFrom
+                        ? { rewrittenFrom: loadedImages[0].rewrittenFrom }
+                        : {}),
+                }
+                : {
+                    images: loadedImages.map((img) => ({
+                        image: img.resolvedImage,
+                        ...(img.rewrittenFrom ? { rewrittenFrom: img.rewrittenFrom } : {}),
+                    })),
+                };
             return {
                 content: [{ type: "text", text: result.text }],
                 details: {
                     model: `${result.provider}/${result.model}`,
-                    image: resolvedImage,
-                    ...(resolvedPathInfo.rewrittenFrom
-                        ? { rewrittenFrom: resolvedPathInfo.rewrittenFrom }
-                        : {}),
+                    ...imageDetails,
                     attempts: result.attempts,
                 },
             };