@poolzin/pool-bot 2026.2.24 → 2026.2.26

package/dist/agents/pi-extensions/compaction-safeguard.js

@@ -1,5 +1,11 @@
-import { BASE_CHUNK_RATIO, MIN_CHUNK_RATIO, SAFETY_MARGIN, computeAdaptiveChunkRatio, estimateMessagesTokens, isOversizedForSummary, pruneHistoryForContextShare, resolveContextWindowTokens, summarizeInStages, } from "../compaction.js";
+import fs from "node:fs";
+import path from "node:path";
+import { extractSections } from "../../auto-reply/reply/post-compaction-context.js";
+import { createSubsystemLogger } from "../../logging/subsystem.js";
+import { BASE_CHUNK_RATIO, MIN_CHUNK_RATIO, SAFETY_MARGIN, SUMMARIZATION_OVERHEAD_TOKENS, computeAdaptiveChunkRatio, estimateMessagesTokens, isOversizedForSummary, pruneHistoryForContextShare, resolveContextWindowTokens, summarizeInStages, } from "../compaction.js";
+import { collectTextContentBlocks } from "../content-blocks.js";
 import { getCompactionSafeguardRuntime } from "./compaction-safeguard-runtime.js";
+const log = createSubsystemLogger("compaction-safeguard");
 const FALLBACK_SUMMARY = "Summary unavailable due to context limits. Older messages were truncated.";
 const TURN_PREFIX_INSTRUCTIONS = "This summary covers the prefix of a split turn. Focus on the original request," +
     " early progress, and any details needed to understand the retained suffix.";
@@ -9,54 +15,51 @@ function normalizeFailureText(text) {
     return text.replace(/\s+/g, " ").trim();
 }
 function truncateFailureText(text, maxChars) {
-    if (text.length <= maxChars)
+    if (text.length <= maxChars) {
         return text;
+    }
     return `${text.slice(0, Math.max(0, maxChars - 3))}...`;
 }
 function formatToolFailureMeta(details) {
-    if (!details || typeof details !== "object")
+    if (!details || typeof details !== "object") {
         return undefined;
+    }
     const record = details;
     const status = typeof record.status === "string" ? record.status : undefined;
     const exitCode = typeof record.exitCode === "number" && Number.isFinite(record.exitCode)
         ? record.exitCode
         : undefined;
     const parts = [];
-    if (status)
+    if (status) {
         parts.push(`status=${status}`);
-    if (exitCode !== undefined)
+    }
+    if (exitCode !== undefined) {
         parts.push(`exitCode=${exitCode}`);
+    }
     return parts.length > 0 ? parts.join(" ") : undefined;
 }
 function extractToolResultText(content) {
-    if (!Array.isArray(content))
-        return "";
-    const parts = [];
-    for (const block of content) {
-        if (!block || typeof block !== "object")
-            continue;
-        const rec = block;
-        if (rec.type === "text" && typeof rec.text === "string") {
-            parts.push(rec.text);
-        }
-    }
-    return parts.join("\n");
+    return collectTextContentBlocks(content).join("\n");
 }
 function collectToolFailures(messages) {
     const failures = [];
     const seen = new Set();
     for (const message of messages) {
-        if (!message || typeof message !== "object")
+        if (!message || typeof message !== "object") {
             continue;
+        }
         const role = message.role;
-        if (role !== "toolResult")
+        if (role !== "toolResult") {
             continue;
+        }
         const toolResult = message;
-        if (toolResult.isError !== true)
+        if (toolResult.isError !== true) {
             continue;
+        }
         const toolCallId = typeof toolResult.toolCallId === "string" ? toolResult.toolCallId : "";
-        if (!toolCallId || seen.has(toolCallId))
+        if (!toolCallId || seen.has(toolCallId)) {
             continue;
+        }
         seen.add(toolCallId);
         const toolName = typeof toolResult.toolName === "string" && toolResult.toolName.trim()
             ? toolResult.toolName
@@ -70,8 +73,9 @@ function collectToolFailures(messages) {
     return failures;
 }
 function formatToolFailuresSection(failures) {
-    if (failures.length === 0)
+    if (failures.length === 0) {
         return "";
+    }
     const lines = failures.slice(0, MAX_TOOL_FAILURES).map((failure) => {
         const meta = failure.meta ? ` (${failure.meta})` : "";
         return `- ${failure.toolName}${meta}: ${failure.summary}`;
@@ -83,8 +87,8 @@ function formatToolFailuresSection(failures) {
 }
 function computeFileLists(fileOps) {
     const modified = new Set([...fileOps.edited, ...fileOps.written]);
-    const readFiles = [...fileOps.read].filter((f) => !modified.has(f)).sort();
-    const modifiedFiles = [...modified].sort();
+    const readFiles = [...fileOps.read].filter((f) => !modified.has(f)).toSorted();
+    const modifiedFiles = [...modified].toSorted();
     return { readFiles, modifiedFiles };
 }
 function formatFileOperations(readFiles, modifiedFiles) {
@@ -95,10 +99,39 @@ function formatFileOperations(readFiles, modifiedFiles) {
     if (modifiedFiles.length > 0) {
         sections.push(`<modified-files>\n${modifiedFiles.join("\n")}\n</modified-files>`);
     }
-    if (sections.length === 0)
+    if (sections.length === 0) {
         return "";
+    }
     return `\n\n${sections.join("\n\n")}`;
 }
+/**
+ * Read and format critical workspace context for compaction summary.
+ * Extracts "Session Startup" and "Red Lines" from AGENTS.md.
+ * Limited to 2000 chars to avoid bloating the summary.
+ */
+async function readWorkspaceContextForSummary() {
+    const MAX_SUMMARY_CONTEXT_CHARS = 2000;
+    const workspaceDir = process.cwd();
+    const agentsPath = path.join(workspaceDir, "AGENTS.md");
+    try {
+        if (!fs.existsSync(agentsPath)) {
+            return "";
+        }
+        const content = await fs.promises.readFile(agentsPath, "utf-8");
+        const sections = extractSections(content, ["Session Startup", "Red Lines"]);
+        if (sections.length === 0) {
+            return "";
+        }
+        const combined = sections.join("\n\n");
+        const safeContent = combined.length > MAX_SUMMARY_CONTEXT_CHARS
+            ? combined.slice(0, MAX_SUMMARY_CONTEXT_CHARS) + "\n...[truncated]..."
+            : combined;
+        return `\n\n<workspace-critical-rules>\n${safeContent}\n</workspace-critical-rules>`;
+    }
+    catch {
+        return "";
+    }
+}
 export default function compactionSafeguardExtension(api) {
     api.on("session_before_compact", async (event, ctx) => {
         const { preparation, customInstructions, signal } = event;
@@ -133,10 +166,11 @@ export default function compactionSafeguardExtension(api) {
             };
         }
         try {
-            const contextWindowTokens = resolveContextWindowTokens(model);
+            const runtime = getCompactionSafeguardRuntime(ctx.sessionManager);
+            const modelContextWindow = resolveContextWindowTokens(model);
+            const contextWindowTokens = runtime?.contextWindowTokens ?? modelContextWindow;
             const turnPrefixMessages = preparation.turnPrefixMessages ?? [];
             let messagesToSummarize = preparation.messagesToSummarize;
-            const runtime = getCompactionSafeguardRuntime(ctx.sessionManager);
             const maxHistoryShare = runtime?.maxHistoryShare ?? 0.5;
             const tokensBefore = typeof preparation.tokensBefore === "number" && Number.isFinite(preparation.tokensBefore)
                 ? preparation.tokensBefore
@@ -156,14 +190,15 @@ export default function compactionSafeguardExtension(api) {
                     });
                     if (pruned.droppedChunks > 0) {
                         const newContentRatio = (newContentTokens / contextWindowTokens) * 100;
-                        console.warn(`Compaction safeguard: new content uses ${newContentRatio.toFixed(1)}% of context; dropped ${pruned.droppedChunks} older chunk(s) ` +
+                        log.warn(`Compaction safeguard: new content uses ${newContentRatio.toFixed(1)}% of context; dropped ${pruned.droppedChunks} older chunk(s) ` +
                             `(${pruned.droppedMessages} messages) to fit history budget.`);
                         messagesToSummarize = pruned.messages;
                         // Summarize dropped messages so context isn't lost
                         if (pruned.droppedMessagesList.length > 0) {
                             try {
                                 const droppedChunkRatio = computeAdaptiveChunkRatio(pruned.droppedMessagesList, contextWindowTokens);
-                                const droppedMaxChunkTokens = Math.max(1, Math.floor(contextWindowTokens * droppedChunkRatio));
+                                const droppedMaxChunkTokens = Math.max(1, Math.floor(contextWindowTokens * droppedChunkRatio) -
+                                    SUMMARIZATION_OVERHEAD_TOKENS);
                                 droppedSummary = await summarizeInStages({
                                     messages: pruned.droppedMessagesList,
                                     model,
@@ -177,16 +212,18 @@ export default function compactionSafeguardExtension(api) {
                                 });
                             }
                             catch (droppedError) {
-                                console.warn(`Compaction safeguard: failed to summarize dropped messages, continuing without: ${droppedError instanceof Error ? droppedError.message : String(droppedError)}`);
+                                log.warn(`Compaction safeguard: failed to summarize dropped messages, continuing without: ${droppedError instanceof Error ? droppedError.message : String(droppedError)}`);
                             }
                         }
                     }
                 }
             }
-            // Use adaptive chunk ratio based on message sizes
+            // Use adaptive chunk ratio based on message sizes, reserving headroom for
+            // the summarization prompt, system prompt, previous summary, and reasoning budget
+            // that generateSummary adds on top of the serialized conversation chunk.
             const allMessages = [...messagesToSummarize, ...turnPrefixMessages];
             const adaptiveRatio = computeAdaptiveChunkRatio(allMessages, contextWindowTokens);
-            const maxChunkTokens = Math.max(1, Math.floor(contextWindowTokens * adaptiveRatio));
+            const maxChunkTokens = Math.max(1, Math.floor(contextWindowTokens * adaptiveRatio) - SUMMARIZATION_OVERHEAD_TOKENS);
             const reserveTokens = Math.max(1, Math.floor(preparation.settings.reserveTokens));
             // Feed dropped-messages summary as previousSummary so the main summarization
             // incorporates context from pruned messages instead of losing it entirely.
@@ -219,6 +256,11 @@ export default function compactionSafeguardExtension(api) {
             }
             summary += toolFailureSection;
             summary += fileOpsSummary;
+            // Append workspace critical context (Session Startup + Red Lines from AGENTS.md)
+            const workspaceContext = await readWorkspaceContextForSummary();
+            if (workspaceContext) {
+                summary += workspaceContext;
+            }
             return {
                 compaction: {
                     summary,
@@ -229,7 +271,7 @@ export default function compactionSafeguardExtension(api) {
             };
         }
         catch (error) {
-            console.warn(`Compaction summarization failed; truncating history: ${error instanceof Error ? error.message : String(error)}`);
+            log.warn(`Compaction summarization failed; truncating history: ${error instanceof Error ? error.message : String(error)}`);
             return {
                 compaction: {
                     summary: fallbackSummary,

package/dist/agents/pi-settings.js

@@ -17,3 +17,43 @@ export function resolveCompactionReserveTokensFloor(cfg) {
     }
     return DEFAULT_PI_COMPACTION_RESERVE_TOKENS_FLOOR;
 }
+function toNonNegativeInt(value) {
+    if (typeof value !== "number" || !Number.isFinite(value) || value < 0) {
+        return undefined;
+    }
+    return Math.floor(value);
+}
+function toPositiveInt(value) {
+    if (typeof value !== "number" || !Number.isFinite(value) || value <= 0) {
+        return undefined;
+    }
+    return Math.floor(value);
+}
+export function applyPiCompactionSettingsFromConfig(params) {
+    const currentReserveTokens = params.settingsManager.getCompactionReserveTokens();
+    const currentKeepRecentTokens = params.settingsManager.getCompactionKeepRecentTokens();
+    const compactionCfg = params.cfg?.agents?.defaults?.compaction;
+    const configuredReserveTokens = toNonNegativeInt(compactionCfg?.reserveTokens);
+    const configuredKeepRecentTokens = toPositiveInt(compactionCfg?.keepRecentTokens);
+    const reserveTokensFloor = resolveCompactionReserveTokensFloor(params.cfg);
+    const targetReserveTokens = Math.max(configuredReserveTokens ?? currentReserveTokens, reserveTokensFloor);
+    const targetKeepRecentTokens = configuredKeepRecentTokens ?? currentKeepRecentTokens;
+    const overrides = {};
+    if (targetReserveTokens !== currentReserveTokens) {
+        overrides.reserveTokens = targetReserveTokens;
+    }
+    if (targetKeepRecentTokens !== currentKeepRecentTokens) {
+        overrides.keepRecentTokens = targetKeepRecentTokens;
+    }
+    const didOverride = Object.keys(overrides).length > 0;
+    if (didOverride) {
+        params.settingsManager.applyOverrides({ compaction: overrides });
+    }
+    return {
+        didOverride,
+        compaction: {
+            reserveTokens: targetReserveTokens,
+            keepRecentTokens: targetKeepRecentTokens,
+        },
+    };
+}

package/dist/agents/pi-tools.policy.js

@@ -5,6 +5,7 @@ import { normalizeMessageChannel } from "../utils/message-channel.js";
 import { resolveAgentConfig, resolveAgentIdFromSessionKey } from "./agent-scope.js";
 import { compileGlobPatterns, matchesAnyGlobPattern } from "./glob-pattern.js";
 import { pickSandboxToolPolicy } from "./sandbox-tool-policy.js";
+import { DEFAULT_SUBAGENT_MAX_SPAWN_DEPTH } from "../config/agent-limits.js";
 import { expandToolGroups, normalizeToolName } from "./tool-policy.js";
 function makeToolPolicyMatcher(policy) {
     const deny = compileGlobPatterns({
@@ -75,7 +76,7 @@ function resolveSubagentDenyList(depth, maxSpawnDepth) {
 }
 export function resolveSubagentToolPolicy(cfg, depth) {
     const configured = cfg?.tools?.subagents?.tools;
-    const maxSpawnDepth = cfg?.agents?.defaults?.subagents?.maxSpawnDepth ?? 1;
+    const maxSpawnDepth = cfg?.agents?.defaults?.subagents?.maxSpawnDepth ?? DEFAULT_SUBAGENT_MAX_SPAWN_DEPTH;
     const effectiveDepth = typeof depth === "number" && depth >= 0 ? depth : 1;
     const baseDeny = resolveSubagentDenyList(effectiveDepth, maxSpawnDepth);
     const deny = [...baseDeny, ...(Array.isArray(configured?.deny) ? configured.deny : [])];

package/dist/agents/provider/config-loader.js

@@ -46,7 +46,7 @@ export function loadPoolConfig(cfg) {
             }
             try {
                 TokenPool.addToken(providerID, tokenCfg.id, tokenCfg.key, {
-                    tier: tokenCfg.tier ?? "paid",
+                    tier: (tokenCfg.tier ?? "paid"),
                     label: tokenCfg.label,
                     enabled: tokenCfg.enabled ?? true,
                 });

package/dist/agents/sandbox/browser.js

@@ -1,23 +1,31 @@
+import crypto from "node:crypto";
 import { startBrowserBridgeServer, stopBrowserBridgeServer } from "../../browser/bridge-server.js";
 import { resolveProfile } from "../../browser/config.js";
-import { DEFAULT_BROWSER_EVALUATE_ENABLED, DEFAULT_CLAWD_BROWSER_COLOR, } from "../../browser/constants.js";
+import { DEFAULT_BROWSER_EVALUATE_ENABLED, DEFAULT_CLAWD_BROWSER_COLOR, DEFAULT_CLAWD_BROWSER_PROFILE_NAME, } from "../../browser/constants.js";
+import { defaultRuntime } from "../../runtime.js";
 import { BROWSER_BRIDGES } from "./browser-bridges.js";
-import { DEFAULT_SANDBOX_BROWSER_IMAGE, SANDBOX_AGENT_WORKSPACE_MOUNT } from "./constants.js";
-import { buildSandboxCreateArgs, dockerContainerState, execDocker, readDockerPort, } from "./docker.js";
-import { updateBrowserRegistry } from "./registry.js";
-import { slugifySessionKey } from "./shared.js";
+import { computeSandboxBrowserConfigHash } from "./config-hash.js";
+import { resolveSandboxBrowserDockerCreateConfig } from "./config.js";
+import { DEFAULT_SANDBOX_BROWSER_IMAGE, SANDBOX_AGENT_WORKSPACE_MOUNT, SANDBOX_BROWSER_SECURITY_HASH_EPOCH, } from "./constants.js";
+import { buildSandboxCreateArgs, dockerContainerState, execDocker, readDockerContainerEnvVar, readDockerContainerLabel, readDockerPort, } from "./docker.js";
+import { buildNoVncDirectUrl, buildNoVncObserverTokenUrl, consumeNoVncObserverToken, generateNoVncPassword, isNoVncEnabled, NOVNC_PASSWORD_ENV_KEY, issueNoVncObserverToken, } from "./novnc-auth.js";
+import { readBrowserRegistry, updateBrowserRegistry } from "./registry.js";
+import { resolveSandboxAgentId, slugifySessionKey } from "./shared.js";
 import { isToolAllowed } from "./tool-policy.js";
+const HOT_BROWSER_WINDOW_MS = 5 * 60 * 1000;
+const CDP_SOURCE_RANGE_ENV_KEY = "POOLBOT_BROWSER_CDP_SOURCE_RANGE";
 async function waitForSandboxCdp(params) {
     const deadline = Date.now() + Math.max(0, params.timeoutMs);
     const url = `http://127.0.0.1:${params.cdpPort}/json/version`;
     while (Date.now() < deadline) {
         try {
             const ctrl = new AbortController();
-            const t = setTimeout(() => ctrl.abort(), 1000);
+            const t = setTimeout(ctrl.abort.bind(ctrl), 1000);
             try {
                 const res = await fetch(url, { signal: ctrl.signal });
-                if (res.ok)
+                if (res.ok) {
                     return true;
+                }
             }
             finally {
                 clearTimeout(t);
@@ -46,9 +54,13 @@ function buildSandboxBrowserResolvedConfig(params) {
         headless: params.headless,
         noSandbox: false,
         attachOnly: true,
-        defaultProfile: "clawd",
+        defaultProfile: DEFAULT_CLAWD_BROWSER_PROFILE_NAME,
+        extraArgs: [],
         profiles: {
-            clawd: { cdpPort: params.cdpPort, color: DEFAULT_CLAWD_BROWSER_COLOR },
+            [DEFAULT_CLAWD_BROWSER_PROFILE_NAME]: {
+                cdpPort: params.cdpPort,
+                color: DEFAULT_CLAWD_BROWSER_COLOR,
+            },
         },
     };
 }
@@ -56,26 +68,115 @@ async function ensureSandboxBrowserImage(image) {
     const result = await execDocker(["image", "inspect", image], {
         allowFailure: true,
     });
-    if (result.code === 0)
+    if (result.code === 0) {
         return;
+    }
     throw new Error(`Sandbox browser image not found: ${image}. Build it with scripts/sandbox-browser-setup.sh.`);
 }
+async function ensureDockerNetwork(network) {
+    const normalized = network.trim().toLowerCase();
+    if (!normalized ||
+        normalized === "bridge" ||
+        normalized === "none" ||
+        normalized.startsWith("container:")) {
+        return;
+    }
+    const inspect = await execDocker(["network", "inspect", network], { allowFailure: true });
+    if (inspect.code === 0) {
+        return;
+    }
+    await execDocker(["network", "create", "--driver", "bridge", network]);
+}
 export async function ensureSandboxBrowser(params) {
-    if (!params.cfg.browser.enabled)
+    if (!params.cfg.browser.enabled) {
         return null;
-    if (!isToolAllowed(params.cfg.tools, "browser"))
+    }
+    if (!isToolAllowed(params.cfg.tools, "browser")) {
         return null;
+    }
     const slug = params.cfg.scope === "shared" ? "shared" : slugifySessionKey(params.scopeKey);
     const name = `${params.cfg.browser.containerPrefix}${slug}`;
     const containerName = name.slice(0, 63);
     const state = await dockerContainerState(containerName);
-    if (!state.exists) {
-        await ensureSandboxBrowserImage(params.cfg.browser.image ?? DEFAULT_SANDBOX_BROWSER_IMAGE);
+    const browserImage = params.cfg.browser.image ?? DEFAULT_SANDBOX_BROWSER_IMAGE;
+    const cdpSourceRange = params.cfg.browser.cdpSourceRange?.trim() || undefined;
+    const browserDockerCfg = resolveSandboxBrowserDockerCreateConfig({
+        docker: params.cfg.docker,
+        browser: { ...params.cfg.browser, image: browserImage },
+    });
+    const expectedHash = computeSandboxBrowserConfigHash({
+        docker: browserDockerCfg,
+        browser: {
+            cdpPort: params.cfg.browser.cdpPort,
+            vncPort: params.cfg.browser.vncPort,
+            noVncPort: params.cfg.browser.noVncPort,
+            headless: params.cfg.browser.headless,
+            enableNoVnc: params.cfg.browser.enableNoVnc,
+            cdpSourceRange,
+        },
+        securityEpoch: SANDBOX_BROWSER_SECURITY_HASH_EPOCH,
+        workspaceAccess: params.cfg.workspaceAccess,
+        workspaceDir: params.workspaceDir,
+        agentWorkspaceDir: params.agentWorkspaceDir,
+    });
+    const now = Date.now();
+    let hasContainer = state.exists;
+    let running = state.running;
+    let currentHash = null;
+    let hashMismatch = false;
+    const noVncEnabled = isNoVncEnabled(params.cfg.browser);
+    let noVncPassword;
+    if (hasContainer) {
+        if (noVncEnabled) {
+            noVncPassword =
+                (await readDockerContainerEnvVar(containerName, NOVNC_PASSWORD_ENV_KEY)) ?? undefined;
+        }
+        const registry = await readBrowserRegistry();
+        const registryEntry = registry.entries.find((entry) => entry.containerName === containerName);
+        currentHash = await readDockerContainerLabel(containerName, "poolbot.configHash");
+        hashMismatch = !currentHash || currentHash !== expectedHash;
+        if (!currentHash) {
+            currentHash = registryEntry?.configHash ?? null;
+            hashMismatch = !currentHash || currentHash !== expectedHash;
+        }
+        if (hashMismatch) {
+            const lastUsedAtMs = registryEntry?.lastUsedAtMs;
+            const isHot = running && (typeof lastUsedAtMs !== "number" || now - lastUsedAtMs < HOT_BROWSER_WINDOW_MS);
+            if (isHot) {
+                const hint = (() => {
+                    if (params.cfg.scope === "session") {
+                        return `poolbot sandbox recreate --browser --session ${params.scopeKey}`;
+                    }
+                    if (params.cfg.scope === "agent") {
+                        const agentId = resolveSandboxAgentId(params.scopeKey) ?? "main";
+                        return `poolbot sandbox recreate --browser --agent ${agentId}`;
+                    }
+                    return "poolbot sandbox recreate --browser --all";
+                })();
+                defaultRuntime.log(`Sandbox browser config changed for ${containerName} (recently used). Recreate to apply: ${hint}`);
+            }
+            else {
+                await execDocker(["rm", "-f", containerName], { allowFailure: true });
+                hasContainer = false;
+                running = false;
+            }
+        }
+    }
+    if (!hasContainer) {
+        if (noVncEnabled) {
+            noVncPassword = generateNoVncPassword();
+        }
+        await ensureDockerNetwork(browserDockerCfg.network);
+        await ensureSandboxBrowserImage(browserImage);
         const args = buildSandboxCreateArgs({
             name: containerName,
-            cfg: params.cfg.docker,
+            cfg: browserDockerCfg,
             scopeKey: params.scopeKey,
-            labels: { "poolbot.sandboxBrowser": "1" },
+            labels: {
+                "poolbot.sandboxBrowser": "1",
+                "poolbot.browserConfigEpoch": SANDBOX_BROWSER_SECURITY_HASH_EPOCH,
+            },
+            configHash: expectedHash,
         });
         const mainMountSuffix = params.cfg.workspaceAccess === "ro" && params.workspaceDir === params.agentWorkspaceDir
             ? ":ro"
@@ -86,48 +187,75 @@ export async function ensureSandboxBrowser(params) {
             args.push("-v", `${params.agentWorkspaceDir}:${SANDBOX_AGENT_WORKSPACE_MOUNT}${agentMountSuffix}`);
         }
         args.push("-p", `127.0.0.1::${params.cfg.browser.cdpPort}`);
-        if (params.cfg.browser.enableNoVnc && !params.cfg.browser.headless) {
+        if (noVncEnabled) {
             args.push("-p", `127.0.0.1::${params.cfg.browser.noVncPort}`);
         }
         args.push("-e", `POOLBOT_BROWSER_HEADLESS=${params.cfg.browser.headless ? "1" : "0"}`);
-        args.push("-e", `CLAWDBOT_BROWSER_HEADLESS=${params.cfg.browser.headless ? "1" : "0"}`);
         args.push("-e", `POOLBOT_BROWSER_ENABLE_NOVNC=${params.cfg.browser.enableNoVnc ? "1" : "0"}`);
-        args.push("-e", `CLAWDBOT_BROWSER_ENABLE_NOVNC=${params.cfg.browser.enableNoVnc ? "1" : "0"}`);
         args.push("-e", `POOLBOT_BROWSER_CDP_PORT=${params.cfg.browser.cdpPort}`);
-        args.push("-e", `CLAWDBOT_BROWSER_CDP_PORT=${params.cfg.browser.cdpPort}`);
+        if (cdpSourceRange) {
+            args.push("-e", `${CDP_SOURCE_RANGE_ENV_KEY}=${cdpSourceRange}`);
+        }
         args.push("-e", `POOLBOT_BROWSER_VNC_PORT=${params.cfg.browser.vncPort}`);
-        args.push("-e", `CLAWDBOT_BROWSER_VNC_PORT=${params.cfg.browser.vncPort}`);
         args.push("-e", `POOLBOT_BROWSER_NOVNC_PORT=${params.cfg.browser.noVncPort}`);
-        args.push("-e", `CLAWDBOT_BROWSER_NOVNC_PORT=${params.cfg.browser.noVncPort}`);
-        args.push(params.cfg.browser.image);
+        if (noVncEnabled && noVncPassword) {
+            args.push("-e", `${NOVNC_PASSWORD_ENV_KEY}=${noVncPassword}`);
+        }
+        args.push(browserImage);
         await execDocker(args);
         await execDocker(["start", containerName]);
     }
-    else if (!state.running) {
+    else if (!running) {
         await execDocker(["start", containerName]);
     }
     const mappedCdp = await readDockerPort(containerName, params.cfg.browser.cdpPort);
     if (!mappedCdp) {
         throw new Error(`Failed to resolve CDP port mapping for ${containerName}.`);
     }
-    const mappedNoVnc = params.cfg.browser.enableNoVnc && !params.cfg.browser.headless
+    const mappedNoVnc = noVncEnabled
         ? await readDockerPort(containerName, params.cfg.browser.noVncPort)
         : null;
+    if (noVncEnabled && !noVncPassword) {
+        noVncPassword =
+            (await readDockerContainerEnvVar(containerName, NOVNC_PASSWORD_ENV_KEY)) ?? undefined;
+    }
     const existing = BROWSER_BRIDGES.get(params.scopeKey);
-    const existingProfile = existing ? resolveProfile(existing.bridge.state.resolved, "clawd") : null;
+    const existingProfile = existing
+        ? resolveProfile(existing.bridge.state.resolved, DEFAULT_CLAWD_BROWSER_PROFILE_NAME)
+        : null;
+    let desiredAuthToken = params.bridgeAuth?.token?.trim() || undefined;
+    let desiredAuthPassword = params.bridgeAuth?.password?.trim() || undefined;
+    if (!desiredAuthToken && !desiredAuthPassword) {
+        // Always require auth for the sandbox bridge server, even if gateway auth
+        // mode doesn't produce a shared secret (e.g. trusted-proxy).
+        // Keep it stable across calls by reusing the existing bridge auth.
+        desiredAuthToken = existing?.authToken;
+        desiredAuthPassword = existing?.authPassword;
+        if (!desiredAuthToken && !desiredAuthPassword) {
+            desiredAuthToken = crypto.randomBytes(24).toString("hex");
+        }
+    }
     const shouldReuse = existing && existing.containerName === containerName && existingProfile?.cdpPort === mappedCdp;
+    const authMatches = !existing ||
+        (existing.authToken === desiredAuthToken && existing.authPassword === desiredAuthPassword);
     if (existing && !shouldReuse) {
         await stopBrowserBridgeServer(existing.bridge.server).catch(() => undefined);
         BROWSER_BRIDGES.delete(params.scopeKey);
     }
+    if (existing && shouldReuse && !authMatches) {
+        await stopBrowserBridgeServer(existing.bridge.server).catch(() => undefined);
+        BROWSER_BRIDGES.delete(params.scopeKey);
+    }
     const bridge = (() => {
-        if (shouldReuse && existing)
+        if (shouldReuse && authMatches && existing) {
             return existing.bridge;
+        }
         return null;
     })();
     const ensureBridge = async () => {
-        if (bridge)
+        if (bridge) {
             return bridge;
+        }
         const onEnsureAttachTarget = params.cfg.browser.autoStart
             ? async () => {
                 const state = await dockerContainerState(containerName);
@@ -150,28 +278,37 @@ export async function ensureSandboxBrowser(params) {
                 headless: params.cfg.browser.headless,
                 evaluateEnabled: params.evaluateEnabled ?? DEFAULT_BROWSER_EVALUATE_ENABLED,
             }),
+            authToken: desiredAuthToken,
+            authPassword: desiredAuthPassword,
             onEnsureAttachTarget,
+            resolveSandboxNoVncToken: consumeNoVncObserverToken,
         });
     };
     const resolvedBridge = await ensureBridge();
-    if (!shouldReuse) {
+    if (!shouldReuse || !authMatches) {
         BROWSER_BRIDGES.set(params.scopeKey, {
             bridge: resolvedBridge,
             containerName,
+            authToken: desiredAuthToken,
+            authPassword: desiredAuthPassword,
         });
     }
-    const now = Date.now();
     await updateBrowserRegistry({
         containerName,
         sessionKey: params.scopeKey,
         createdAtMs: now,
         lastUsedAtMs: now,
-        image: params.cfg.browser.image,
+        image: browserImage,
+        configHash: hashMismatch && running ? (currentHash ?? undefined) : expectedHash,
         cdpPort: mappedCdp,
         noVncPort: mappedNoVnc ?? undefined,
     });
-    const noVncUrl = mappedNoVnc && params.cfg.browser.enableNoVnc && !params.cfg.browser.headless
-        ? `http://127.0.0.1:${mappedNoVnc}/vnc.html?autoconnect=1&resize=remote`
+    const noVncUrl = mappedNoVnc && noVncEnabled
+        ? (() => {
+            const directUrl = buildNoVncDirectUrl(mappedNoVnc, noVncPassword);
+            const token = issueNoVncObserverToken({ url: directUrl });
+            return buildNoVncObserverTokenUrl(resolvedBridge.baseUrl, token);
+        })()
         : undefined;
     return {
         bridgeUrl: resolvedBridge.baseUrl,

package/dist/agents/sandbox/config-hash.js

@@ -1,45 +1,32 @@
-import crypto from "node:crypto";
-function isPrimitive(value) {
-    return value === null || (typeof value !== "object" && typeof value !== "function");
-}
+import { hashTextSha256 } from "./hash.js";
 function normalizeForHash(value) {
-    if (value === undefined)
+    if (value === undefined) {
         return undefined;
+    }
     if (Array.isArray(value)) {
-        const normalized = value
-            .map(normalizeForHash)
-            .filter((item) => item !== undefined);
-        const primitives = normalized.filter(isPrimitive);
-        if (primitives.length === normalized.length) {
-            return [...primitives].sort((a, b) => primitiveToString(a).localeCompare(primitiveToString(b)));
-        }
-        return normalized;
+        return value.map(normalizeForHash).filter((item) => item !== undefined);
     }
     if (value && typeof value === "object") {
-        const entries = Object.entries(value).sort(([a], [b]) => a.localeCompare(b));
+        const entries = Object.entries(value).toSorted(([a], [b]) => a.localeCompare(b));
         const normalized = {};
         for (const [key, entryValue] of entries) {
             const next = normalizeForHash(entryValue);
-            if (next !== undefined)
+            if (next !== undefined) {
                 normalized[key] = next;
+            }
         }
         return normalized;
     }
     return value;
 }
-function primitiveToString(value) {
-    if (value === null)
-        return "null";
-    if (typeof value === "string")
-        return value;
-    if (typeof value === "number")
-        return String(value);
-    if (typeof value === "boolean")
-        return value ? "true" : "false";
-    return JSON.stringify(value);
-}
 export function computeSandboxConfigHash(input) {
+    return computeHash(input);
+}
+export function computeSandboxBrowserConfigHash(input) {
+    return computeHash(input);
+}
+function computeHash(input) {
     const payload = normalizeForHash(input);
     const raw = JSON.stringify(payload);
-    return crypto.createHash("sha1").update(raw).digest("hex");
+    return hashTextSha256(raw);
 }