@sentry/junior 0.41.0 → 0.43.0

package/dist/app.js

@@ -3,7 +3,7 @@ import {
   findSkillByName,
   loadSkillsByName,
   parseSkillInvocation
-} from "./chunk-7QYONRLH.js";
+} from "./chunk-ZUUJTQ2H.js";
 import {
   GEN_AI_PROVIDER_NAME,
   MISSING_GATEWAY_CREDENTIALS_ERROR,
@@ -14,6 +14,7 @@ import {
   buildNonInteractiveShellScript,
   completeObject,
   completeText,
+  createSandboxInstance,
   getGatewayApiKey,
   getPiGatewayApiKeyOverride,
   getRuntimeDependencyProfileHash,
@@ -30,7 +31,7 @@ import {
   runNonInteractiveCommand,
   sandboxSkillDir,
   sandboxSkillFile
-} from "./chunk-Y3UO7NR6.js";
+} from "./chunk-YSXHRIWR.js";
 import {
   CredentialUnavailableError,
   buildOAuthTokenRequest,
@@ -58,6 +59,7 @@ import {
   mergeHeaderTransforms,
   parseOAuthTokenResponse,
   resolveAuthTokenPlaceholder,
+  resolvePluginCommandEnv,
   serializeGenAiAttribute,
   setSpanAttributes,
   setSpanStatus,
@@ -66,7 +68,7 @@ import {
   toOptionalString,
   withContext,
   withSpan
-} from "./chunk-SCE5C645.js";
+} from "./chunk-BCG3I2T2.js";
 import {
   sentry_exports
 } from "./chunk-Z3YD6NHK.js";
@@ -3219,140 +3221,6 @@ var ProviderCredentialRouter = class {
   }
 };
 
-// src/chat/capabilities/runtime.ts
-function toHeaderTransforms(lease) {
-  if (!Array.isArray(lease.headerTransforms) || lease.headerTransforms.length === 0) {
-    return [];
-  }
-  return lease.headerTransforms.filter(
-    (transform) => Boolean(transform?.domain?.trim()) && transform.headers && typeof transform.headers === "object" && Object.keys(transform.headers).length > 0
-  ).map((transform) => ({
-    domain: transform.domain.trim(),
-    headers: transform.headers
-  }));
-}
-var SkillCapabilityRuntime = class {
-  router;
-  requesterId;
-  enabledByProvider = /* @__PURE__ */ new Map();
-  constructor(params) {
-    if (params.router) {
-      this.router = params.router;
-    } else if (params.broker) {
-      this.router = {
-        issue: async (input) => await params.broker.issue(input)
-      };
-    } else {
-      throw new Error(
-        "SkillCapabilityRuntime requires either router or broker"
-      );
-    }
-    this.requesterId = params.requesterId;
-  }
-  async enableCredentialsForTurn(input) {
-    const provider = input.activeSkill?.pluginProvider;
-    if (!provider) {
-      return void 0;
-    }
-    if (!this.requesterId) {
-      throw new Error("Credential enablement requires requester context");
-    }
-    const plugin = getPluginDefinition(provider);
-    if (!plugin?.manifest.credentials && !plugin?.manifest.apiHeaders) {
-      return void 0;
-    }
-    const existing = this.enabledByProvider.get(provider);
-    const now = Date.now();
-    if (existing && existing.expiresAtMs - now > 1e4) {
-      return {
-        reused: true,
-        expiresAt: new Date(existing.expiresAtMs).toISOString()
-      };
-    }
-    logInfo(
-      "credential_issue_request",
-      {},
-      {
-        "app.skill.name": input.activeSkill?.name,
-        "app.credential.provider": provider
-      },
-      "Issuing provider credential for current turn"
-    );
-    try {
-      const lease = await this.router.issue({
-        provider,
-        reason: input.reason,
-        requesterId: this.requesterId
-      });
-      const transforms = toHeaderTransforms(lease);
-      if (transforms.length === 0) {
-        throw new Error(
-          `Credential lease for ${provider} did not include header transforms`
-        );
-      }
-      const expiresAtMs = Date.parse(lease.expiresAt);
-      if (!Number.isFinite(expiresAtMs)) {
-        throw new Error(
-          `Credential lease for ${provider} returned invalid expiresAt`
-        );
-      }
-      this.enabledByProvider.set(provider, {
-        expiresAtMs,
-        transforms,
-        env: lease.env
-      });
-      logInfo(
-        "credential_issue_success",
-        {},
-        {
-          "app.skill.name": input.activeSkill?.name,
-          "app.credential.provider": lease.provider,
-          "app.credential.expires_at": lease.expiresAt,
-          "app.credential.delivery": "header_transform"
-        },
-        "Issued provider credential lease"
-      );
-      return { reused: false, expiresAt: lease.expiresAt };
-    } catch (error) {
-      logWarn(
-        "credential_issue_failed",
-        {},
-        {
-          "app.skill.name": input.activeSkill?.name,
-          "app.credential.provider": provider,
-          "exception.message": error instanceof Error ? error.message : String(error)
-        },
-        "Provider credential resolution failed"
-      );
-      throw error;
-    }
-  }
-  getTurnHeaderTransforms() {
-    const now = Date.now();
-    const headerTransforms = [];
-    for (const [provider, entry] of this.enabledByProvider.entries()) {
-      if (!Number.isFinite(entry.expiresAtMs) || entry.expiresAtMs <= now) {
-        this.enabledByProvider.delete(provider);
-        continue;
-      }
-      headerTransforms.push(...entry.transforms);
-    }
-    return headerTransforms.length > 0 ? headerTransforms : void 0;
-  }
-  getTurnEnv() {
-    const now = Date.now();
-    const env = {};
-    for (const [provider, entry] of this.enabledByProvider.entries()) {
-      if (!Number.isFinite(entry.expiresAtMs) || entry.expiresAtMs <= now) {
-        this.enabledByProvider.delete(provider);
-        continue;
-      }
-      Object.assign(env, entry.env);
-    }
-    return Object.keys(env).length > 0 ? env : void 0;
-  }
-};
-
 // src/chat/credentials/state-adapter-token-store.ts
 var KEY_PREFIX = "oauth-token";
 var BUFFER_MS = 24 * 60 * 60 * 1e3;
@@ -3419,12 +3287,13 @@ var TestCredentialBroker = class {
 
 // src/chat/capabilities/factory.ts
 var ENV_PLACEHOLDER_RE = /\$\{([A-Z_][A-Z0-9_]*)\}/g;
+var sandboxEgressRouters = /* @__PURE__ */ new WeakMap();
 function createUserTokenStore() {
   return new StateAdapterTokenStore(getStateAdapter());
 }
 function resolveTestApiHeaderTransforms(manifest) {
-  const { apiDomains, apiHeaders } = manifest;
-  if (!apiDomains || !apiHeaders) {
+  const { domains, apiHeaders } = manifest;
+  if (!domains || !apiHeaders) {
     return [];
   }
   const headers = Object.fromEntries(
@@ -3435,44 +3304,51 @@ function resolveTestApiHeaderTransforms(manifest) {
       })
     ])
   );
-  return apiDomains.map((domain) => ({ domain, headers }));
+  return domains.map((domain) => ({ domain, headers }));
+}
+function createTestBroker(plugin) {
+  const { apiHeaders, credentials, name } = plugin.manifest;
+  const commandEnv = resolvePluginCommandEnv(plugin.manifest);
+  return new TestCredentialBroker({
+    provider: name,
+    ...credentials ? {
+      domains: credentials.domains,
+      ...credentials.apiHeaders ? { apiHeaders: credentials.apiHeaders } : {},
+      envKey: credentials.authTokenEnv,
+      placeholder: resolveAuthTokenPlaceholder(credentials)
+    } : {},
+    ...apiHeaders ? {
+      headerTransforms: () => resolveTestApiHeaderTransforms(plugin.manifest)
+    } : {},
+    ...Object.keys(commandEnv).length > 0 ? { env: commandEnv } : {}
+  });
 }
-function createSkillCapabilityRuntime(options = {}) {
+function createProviderCredentialRouter(userTokenStore) {
   logCapabilityCatalogLoadedOnce();
   const useTestBroker = process.env.EVAL_ENABLE_TEST_CREDENTIALS === "1";
-  const userTokenStore = createUserTokenStore();
   const brokersByProvider = {};
   for (const plugin of getPluginProviders()) {
-    const { apiHeaders, credentials, name } = plugin.manifest;
-    if (!credentials && !apiHeaders) {
+    const { name } = plugin.manifest;
+    if (!plugin.manifest.credentials && !plugin.manifest.apiHeaders) {
       continue;
     }
-    if (!credentials) {
-      brokersByProvider[name] = useTestBroker ? new TestCredentialBroker({
-        provider: name,
-        headerTransforms: () => resolveTestApiHeaderTransforms(plugin.manifest),
-        ...plugin.manifest.commandEnv ? { env: plugin.manifest.commandEnv } : {}
-      }) : createPluginBroker(name, { userTokenStore });
-      continue;
-    }
-    const placeholder = resolveAuthTokenPlaceholder(credentials);
-    brokersByProvider[name] = useTestBroker ? new TestCredentialBroker({
-      provider: name,
-      domains: credentials.apiDomains,
-      ...credentials.apiHeaders ? { apiHeaders: credentials.apiHeaders } : {},
-      ...apiHeaders ? {
-        headerTransforms: () => resolveTestApiHeaderTransforms(plugin.manifest)
-      } : {},
-      ...plugin.manifest.commandEnv ? { env: plugin.manifest.commandEnv } : {},
-      envKey: credentials.authTokenEnv,
-      placeholder
-    }) : createPluginBroker(name, { userTokenStore });
+    brokersByProvider[name] = useTestBroker ? createTestBroker(plugin) : createPluginBroker(name, { userTokenStore });
   }
-  const router = new ProviderCredentialRouter({ brokersByProvider });
-  return new SkillCapabilityRuntime({
-    router,
-    requesterId: options.requesterId
-  });
+  return new ProviderCredentialRouter({ brokersByProvider });
+}
+function getSandboxEgressRouter() {
+  const stateAdapter = getStateAdapter();
+  let router = sandboxEgressRouters.get(stateAdapter);
+  if (!router) {
+    router = createProviderCredentialRouter(
+      new StateAdapterTokenStore(stateAdapter)
+    );
+    sandboxEgressRouters.set(stateAdapter, router);
+  }
+  return router;
+}
+async function issueProviderCredentialLease(input) {
+  return await getSandboxEgressRouter().issue(input);
 }
 
 // src/chat/capabilities/jr-rpc-command.ts
@@ -7103,9 +6979,86 @@ function parseSlackMessageReference(input) {
   };
 }
 
+// src/chat/slack/legacy-attachments.ts
+var MAX_ATTACHMENTS = 10;
+var MAX_FIELDS_PER_ATTACHMENT = 20;
+var MAX_FIELD_CHARS = 1e3;
+var MAX_ATTACHMENT_TEXT_CHARS = 4e3;
+function toStr(value) {
+  return typeof value === "string" && value.length > 0 ? value : void 0;
+}
+function getAttachmentPayload(input) {
+  if (Array.isArray(input)) return input;
+  if (!input || typeof input !== "object") return [];
+  const attachments = input.attachments;
+  return Array.isArray(attachments) ? attachments : [];
+}
+function renderField(raw) {
+  if (!raw || typeof raw !== "object") return void 0;
+  const obj = raw;
+  const title = toStr(obj.title);
+  const value = toStr(obj.value)?.slice(0, MAX_FIELD_CHARS);
+  if (title && value) return `${title}: ${value}`;
+  return title || value;
+}
+function renderAttachment(raw) {
+  if (!raw || typeof raw !== "object") return "";
+  const obj = raw;
+  const parts = [];
+  const seen = /* @__PURE__ */ new Set();
+  const fallback = toStr(obj.fallback);
+  const pretext = toStr(obj.pretext);
+  const authorName = toStr(obj.author_name);
+  const title = toStr(obj.title);
+  const titleLink = toStr(obj.title_link);
+  const text = toStr(obj.text);
+  const footer = toStr(obj.footer);
+  const fields = Array.isArray(obj.fields) ? obj.fields : [];
+  const add = (value) => {
+    if (!value) return;
+    const normalized = value.trim();
+    if (!normalized || seen.has(normalized)) return;
+    seen.add(normalized);
+    parts.push(normalized);
+  };
+  const hasRichContent = pretext || title || text;
+  if (!hasRichContent) {
+    add(fallback);
+  }
+  add(pretext);
+  add(authorName);
+  if (title && titleLink) {
+    add(`${title} (${titleLink})`);
+    seen.add(title.trim());
+  } else {
+    add(title);
+  }
+  add(text);
+  for (const field of fields.slice(0, MAX_FIELDS_PER_ATTACHMENT)) {
+    add(renderField(field));
+  }
+  add(footer);
+  return parts.join(" | ");
+}
+function renderSlackLegacyAttachmentText(input) {
+  const rendered = getAttachmentPayload(input).slice(0, MAX_ATTACHMENTS).map(renderAttachment).filter((line) => line.length > 0).map((line) => `[attachment] ${line}`).join("\n");
+  return rendered.slice(0, MAX_ATTACHMENT_TEXT_CHARS);
+}
+function appendSlackLegacyAttachmentText(baseText, rawMessageOrAttachments) {
+  const base = baseText?.trim() ?? "";
+  const attachmentText = renderSlackLegacyAttachmentText(
+    rawMessageOrAttachments
+  );
+  if (!attachmentText) return base;
+  if (!base) return attachmentText;
+  return `${base}
+${attachmentText}`;
+}
+
 // src/chat/tools/slack/thread-read.ts
 var MAX_THREAD_READ_CHARS = 4e4;
 function sanitizeMessage(msg) {
+  const attachmentText = renderSlackLegacyAttachmentText(msg.attachments);
   return {
     ts: msg.ts,
     user: msg.user,
@@ -7114,6 +7067,7 @@ function sanitizeMessage(msg) {
     subtype: msg.subtype,
     bot_id: msg.bot_id,
     type: msg.type,
+    ...attachmentText ? { attachment_text: attachmentText } : {},
     ...msg.files?.length ? {
       files: msg.files.map((f) => ({
         id: f.id,
@@ -7128,7 +7082,7 @@ function truncateMessages(messages, maxChars) {
   let chars = 0;
   const kept = [];
   for (const msg of messages) {
-    const textLen = msg.text?.length ?? 0;
+    const textLen = (msg.text?.length ?? 0) + (msg.attachment_text?.length ?? 0);
     if (kept.length > 0 && chars + textLen > maxChars) {
       break;
     }
@@ -7276,13 +7230,272 @@ function createSlackThreadReadTool(context) {
   });
 }
 
-// src/chat/tools/system-time.ts
+// src/chat/tools/slack/user-lookup.ts
 import { Type as Type19 } from "@sinclair/typebox";
+
+// src/chat/slack/users.ts
+function normalizeUser(raw) {
+  const rawFields = raw.profile?.fields;
+  const profileFields = [];
+  if (rawFields && typeof rawFields === "object") {
+    for (const [id, field] of Object.entries(rawFields)) {
+      if (!field) continue;
+      profileFields.push({
+        id,
+        label: field.label || void 0,
+        value: field.value || void 0,
+        alt: field.alt || void 0
+      });
+    }
+  }
+  return {
+    id: raw.id ?? "",
+    team_id: raw.team_id || void 0,
+    name: raw.name || void 0,
+    real_name: raw.real_name || raw.profile?.real_name || void 0,
+    display_name: raw.profile?.display_name || void 0,
+    title: raw.profile?.title || void 0,
+    email: raw.profile?.email || void 0,
+    status_text: raw.profile?.status_text || void 0,
+    status_emoji: raw.profile?.status_emoji || void 0,
+    is_bot: raw.is_bot ?? false,
+    is_deleted: raw.deleted ?? false,
+    timezone: raw.tz || void 0,
+    ...profileFields.length > 0 ? { profile_fields: profileFields } : {}
+  };
+}
+async function lookupSlackUserProfile(userId) {
+  const client2 = getSlackClient();
+  const result = await withSlackRetries(
+    () => client2.users.info({ user: userId }),
+    3,
+    { action: "users.info" }
+  );
+  const user = result.user;
+  if (!user) {
+    throw new Error(`Slack users.info returned no user for ${userId}`);
+  }
+  return normalizeUser(user);
+}
+async function lookupSlackUserByEmail(email) {
+  const client2 = getSlackClient();
+  let result;
+  try {
+    result = await withSlackRetries(
+      () => client2.users.lookupByEmail({ email }),
+      3,
+      { action: "users.lookupByEmail" }
+    );
+  } catch (error) {
+    const apiError = error.apiError;
+    if (apiError === "users_not_found") {
+      return null;
+    }
+    throw error;
+  }
+  const user = result.user;
+  if (!user) {
+    return null;
+  }
+  return normalizeUser(user);
+}
+function scoreMatch(user, queryLower) {
+  const name = (user.name ?? "").toLowerCase();
+  const realName = (user.real_name ?? user.profile?.real_name ?? "").toLowerCase();
+  const displayName = (user.profile?.display_name ?? "").toLowerCase();
+  if (name === queryLower || displayName === queryLower) return 100;
+  if (realName === queryLower) return 90;
+  if (name.startsWith(queryLower) || displayName.startsWith(queryLower))
+    return 70;
+  if (realName.startsWith(queryLower)) return 60;
+  const realNameWords = realName.split(/\s+/);
+  if (realNameWords.some((w) => w === queryLower)) return 55;
+  if (realNameWords.some((w) => w.startsWith(queryLower))) return 50;
+  if (name.includes(queryLower) || displayName.includes(queryLower)) return 30;
+  if (realName.includes(queryLower)) return 20;
+  return 0;
+}
+async function searchSlackUsers(options) {
+  const {
+    query,
+    limit = 10,
+    maxPages = 3,
+    includeDeleted = false,
+    includeBots = false
+  } = options;
+  const queryLower = query.toLowerCase().trim();
+  const client2 = getSlackClient();
+  const matches = [];
+  let cursor;
+  let pages = 0;
+  let totalScanned = 0;
+  let truncated = false;
+  while (pages < maxPages) {
+    pages++;
+    const result = await withSlackRetries(
+      () => client2.users.list({
+        limit: 200,
+        ...cursor ? { cursor } : {}
+      }),
+      3,
+      { action: "users.list" }
+    );
+    const members = result.members ?? [];
+    totalScanned += members.length;
+    for (const member of members) {
+      if (!includeDeleted && member.deleted) continue;
+      if (!includeBots && member.is_bot) continue;
+      if (member.id === "USLACKBOT") continue;
+      const score = scoreMatch(member, queryLower);
+      if (score > 0) {
+        matches.push({ user: member, score });
+      }
+    }
+    const nextCursor = result.response_metadata?.next_cursor;
+    if (!nextCursor) {
+      break;
+    }
+    cursor = nextCursor;
+  }
+  if (pages >= maxPages && cursor) {
+    truncated = true;
+  }
+  matches.sort((a, b) => {
+    if (b.score !== a.score) return b.score - a.score;
+    return (a.user.name ?? "").localeCompare(b.user.name ?? "");
+  });
+  return {
+    users: matches.slice(0, limit).map((m) => normalizeUser(m.user)),
+    searched_pages: pages,
+    searched_user_count: totalScanned,
+    truncated
+  };
+}
+
+// src/chat/tools/slack/user-lookup.ts
+function createSlackUserLookupTool() {
+  return tool({
+    description: "Look up Slack user profiles by user ID, email, or name search. Use when you need to identify a user, resolve cross-platform identity, or look up profile details like title or status. Returns profile fields including custom fields. For user ID lookup, pass a Slack user ID (e.g. U039RR91S). For search, pass a name query.",
+    annotations: { readOnlyHint: true, destructiveHint: false },
+    inputSchema: Type19.Object({
+      user_id: Type19.Optional(
+        Type19.String({
+          minLength: 1,
+          description: "Slack user ID to look up (e.g. U039RR91S). Mutually exclusive with email and query."
+        })
+      ),
+      email: Type19.Optional(
+        Type19.String({
+          minLength: 3,
+          description: "Email address to look up. Mutually exclusive with user_id and query."
+        })
+      ),
+      query: Type19.Optional(
+        Type19.String({
+          minLength: 2,
+          description: "Name to search for (matches against username, display name, real name). Mutually exclusive with user_id and email."
+        })
+      ),
+      limit: Type19.Optional(
+        Type19.Integer({
+          minimum: 1,
+          maximum: 20,
+          description: "Maximum number of results to return for name search. Defaults to 10."
+        })
+      ),
+      max_pages: Type19.Optional(
+        Type19.Integer({
+          minimum: 1,
+          maximum: 5,
+          description: "Maximum number of Slack API pages to scan for name search. Defaults to 3."
+        })
+      ),
+      include_bots: Type19.Optional(
+        Type19.Boolean({
+          description: "Include bot accounts in name search results. Defaults to false."
+        })
+      )
+    }),
+    execute: async ({
+      user_id,
+      email,
+      query,
+      limit,
+      max_pages,
+      include_bots
+    }) => {
+      const modes = [user_id, email, query].filter(Boolean);
+      if (modes.length === 0) {
+        return {
+          ok: false,
+          error: "Provide exactly one of user_id, email, or query to look up a Slack user."
+        };
+      }
+      if (modes.length > 1) {
+        return {
+          ok: false,
+          error: "Only one of user_id, email, or query can be provided."
+        };
+      }
+      try {
+        if (user_id) {
+          return {
+            ok: true,
+            mode: "user_id",
+            user: await lookupSlackUserProfile(user_id)
+          };
+        }
+        if (email) {
+          const profile = await lookupSlackUserByEmail(email);
+          if (!profile) {
+            return {
+              ok: false,
+              mode: "email",
+              email,
+              error: "No Slack user found with that email address."
+            };
+          }
+          return { ok: true, mode: "email", user: profile };
+        }
+        const result = await searchSlackUsers({
+          query,
+          limit: limit ?? 10,
+          maxPages: max_pages ?? 3,
+          includeBots: include_bots ?? false
+        });
+        return {
+          ok: true,
+          mode: "query",
+          query,
+          count: result.users.length,
+          searched_pages: result.searched_pages,
+          searched_user_count: result.searched_user_count,
+          truncated: result.truncated,
+          users: result.users
+        };
+      } catch (error) {
+        if (error instanceof SlackActionError) {
+          return {
+            ok: false,
+            error: error.message,
+            slack_error: error.apiError,
+            code: error.code,
+            ...error.needed ? { needed_scope: error.needed } : {}
+          };
+        }
+        throw error;
+      }
+    }
+  });
+}
+
+// src/chat/tools/system-time.ts
+import { Type as Type20 } from "@sinclair/typebox";
 function createSystemTimeTool() {
   return tool({
     description: "Return current system time in UTC and local ISO formats. Use when the user asks for current time/date context. Do not use as a substitute for historical or timezone-conversion research.",
     annotations: { readOnlyHint: true, destructiveHint: false },
-    inputSchema: Type19.Object({}),
+    inputSchema: Type20.Object({}),
     execute: async () => {
       const now = /* @__PURE__ */ new Date();
       return {
@@ -7300,7 +7513,7 @@ function createSystemTimeTool() {
 import {
   Agent
 } from "@mariozechner/pi-agent-core";
-import { Type as Type20 } from "@sinclair/typebox";
+import { Type as Type21 } from "@sinclair/typebox";
 
 // src/chat/respond-helpers.ts
 var MAX_INLINE_ATTACHMENT_BASE64_CHARS = 12e4;
@@ -7588,12 +7801,12 @@ function createAdvisorTool(context) {
   const spanContext = context.logContext ?? {};
   return tool({
     description: ADVISOR_TOOL_DESCRIPTION,
-    inputSchema: Type20.Object({
-      question: Type20.String({
+    inputSchema: Type21.Object({
+      question: Type21.String({
         minLength: 1,
         description: "Focused advisor question or decision point."
       }),
-      context: Type20.String({
+      context: Type21.String({
         minLength: 1,
         description: "Curated evidence packet: relevant requirements, constraints, current plan, alternatives, code snippets, diffs, command output, and open questions."
       })
@@ -7705,7 +7918,7 @@ function createAdvisorTool(context) {
 }
 
 // src/chat/tools/web/fetch-tool.ts
-import { Type as Type21 } from "@sinclair/typebox";
+import { Type as Type22 } from "@sinclair/typebox";
 
 // src/chat/tools/web/constants.ts
 var USER_AGENT = "junior-bot/0.1";
@@ -8058,13 +8271,13 @@ function createWebFetchTool(hooks) {
       destructiveHint: false,
       openWorldHint: true
     },
-    inputSchema: Type21.Object({
-      url: Type21.String({
+    inputSchema: Type22.Object({
+      url: Type22.String({
         minLength: 1,
         description: "HTTP(S) URL to fetch."
       }),
-      max_chars: Type21.Optional(
-        Type21.Integer({
+      max_chars: Type22.Optional(
+        Type22.Integer({
           minimum: 500,
           maximum: MAX_FETCH_CHARS,
           description: "Optional maximum number of extracted characters to return."
@@ -8124,7 +8337,7 @@ function createWebFetchTool(hooks) {
 // src/chat/tools/web/search.ts
 import { generateText } from "ai";
 import { createGatewayProvider } from "@ai-sdk/gateway";
-import { Type as Type22 } from "@sinclair/typebox";
+import { Type as Type23 } from "@sinclair/typebox";
 var SEARCH_TIMEOUT_MS = 6e4;
 var MAX_RESULTS2 = 5;
 var DEFAULT_SEARCH_MODEL = "xai/grok-4-fast-reasoning";
@@ -8172,14 +8385,14 @@ function createWebSearchTool() {
       destructiveHint: false,
       openWorldHint: true
     },
-    inputSchema: Type22.Object({
-      query: Type22.String({
+    inputSchema: Type23.Object({
+      query: Type23.String({
         minLength: 1,
         maxLength: 500,
         description: "Search query."
       }),
-      max_results: Type22.Optional(
-        Type22.Integer({
+      max_results: Type23.Optional(
+        Type23.Integer({
           minimum: 1,
           maximum: MAX_RESULTS2,
           description: "Max results to return."
@@ -8248,20 +8461,20 @@ function createWebSearchTool() {
 }
 
 // src/chat/tools/sandbox/write-file.ts
-import { Type as Type23 } from "@sinclair/typebox";
+import { Type as Type24 } from "@sinclair/typebox";
 function createWriteFileTool() {
   return tool({
     description: "Write UTF-8 content to a file in the sandbox workspace. Use for intentional file creation or replacement after validation. Do not use for exploratory analysis-only turns.",
     promptSnippet: "new file or deliberate full-file replacement",
     promptGuidelines: ["targeted existing-file changes: editFile"],
     executionMode: "sequential",
-    inputSchema: Type23.Object(
+    inputSchema: Type24.Object(
       {
-        path: Type23.String({
+        path: Type24.String({
           minLength: 1,
           description: "Path to write in the sandbox workspace."
         }),
-        content: Type23.String({
+        content: Type24.String({
           description: "UTF-8 file content to write."
         })
       },
@@ -8335,6 +8548,7 @@ function createTools(availableSkills, hooks = {}, context) {
     slackCanvasRead: createSlackCanvasReadTool(),
     slackCanvasUpdate: createSlackCanvasUpdateTool(state, context),
     slackThreadRead: createSlackThreadReadTool(context),
+    slackUserLookup: createSlackUserLookupTool(),
     slackListCreate: createSlackListCreateTool(state),
     slackListAddItems: createSlackListAddItemsTool(state),
     slackListGetItems: createSlackListGetItemsTool(state),
@@ -8385,6 +8599,173 @@ function resolveChannelCapabilities(channelId) {
 // src/chat/sandbox/sandbox.ts
 import fs4 from "fs/promises";
 
+// src/chat/sandbox/egress-policy.ts
+var SANDBOX_EGRESS_PROXY_PATH = "/api/internal/sandbox-egress";
+function matchesSandboxEgressDomain(host, domain) {
+  return host.toLowerCase() === domain.toLowerCase();
+}
+function manifestDomains(manifest) {
+  const domains = /* @__PURE__ */ new Set([
+    ...manifest.credentials?.domains ?? [],
+    ...manifest.domains ?? []
+  ]);
+  return [...domains].sort((left, right) => left.localeCompare(right));
+}
+function providerEntries() {
+  return getPluginProviders().map((plugin) => ({
+    provider: plugin.manifest.name,
+    domains: manifestDomains(plugin.manifest)
+  })).filter((entry) => entry.domains.length > 0).sort((left, right) => left.provider.localeCompare(right.provider));
+}
+function resolveSandboxEgressProviderForHost(host) {
+  return providerEntries().find(
+    (entry) => entry.domains.some((domain) => matchesSandboxEgressDomain(host, domain))
+  )?.provider;
+}
+function proxyUrl(sandboxId) {
+  const baseUrl = resolveBaseUrl();
+  if (!baseUrl) {
+    return void 0;
+  }
+  const url = new URL(
+    `${SANDBOX_EGRESS_PROXY_PATH}/${encodeURIComponent(sandboxId)}`,
+    baseUrl
+  );
+  return url.toString();
+}
+function buildSandboxEgressNetworkPolicy(sandboxId) {
+  const forwardURL = proxyUrl(sandboxId);
+  if (!forwardURL) {
+    return void 0;
+  }
+  const entries = providerEntries();
+  if (entries.length === 0) {
+    return void 0;
+  }
+  const allow = {
+    "*": []
+  };
+  for (const entry of entries) {
+    for (const domain of entry.domains) {
+      allow[domain] = [{ forwardURL }];
+    }
+  }
+  return { allow };
+}
+async function resolveSandboxCommandEnvironment() {
+  const env = {};
+  for (const plugin of getPluginProviders().sort(
+    (left, right) => left.manifest.name.localeCompare(right.manifest.name)
+  )) {
+    Object.assign(env, resolvePluginCommandEnv(plugin.manifest));
+    const credentials = plugin.manifest.credentials;
+    if (credentials) {
+      env[credentials.authTokenEnv] = resolveAuthTokenPlaceholder(credentials);
+    }
+  }
+  return env;
+}
+
+// src/chat/sandbox/egress-session.ts
+import { randomUUID as randomUUID3 } from "crypto";
+var SANDBOX_EGRESS_SESSION_PREFIX = "sandbox-egress-session";
+var SANDBOX_EGRESS_LEASE_PREFIX = "sandbox-egress-lease";
+var DEFAULT_SESSION_TTL_MS = 30 * 60 * 1e3;
+function sessionKey2(sandboxId) {
+  return `${SANDBOX_EGRESS_SESSION_PREFIX}:${sandboxId}`;
+}
+function leaseKey(sandboxId, provider, session) {
+  return `${SANDBOX_EGRESS_LEASE_PREFIX}:${sandboxId}:${provider}:${session.requesterId}:${session.activationId}`;
+}
+function parseSession(value) {
+  if (!value || typeof value !== "object") {
+    return void 0;
+  }
+  const record = value;
+  if (typeof record.requesterId !== "string" || typeof record.expiresAtMs !== "number" || !Number.isFinite(record.expiresAtMs) || typeof record.activationId !== "string" || !record.activationId) {
+    return void 0;
+  }
+  if (record.expiresAtMs <= Date.now()) {
+    return void 0;
+  }
+  return {
+    requesterId: record.requesterId,
+    expiresAtMs: record.expiresAtMs,
+    activationId: record.activationId
+  };
+}
+function parseLease(value) {
+  if (!value || typeof value !== "object") {
+    return void 0;
+  }
+  const record = value;
+  if (typeof record.provider !== "string" || typeof record.expiresAt !== "string" || !Array.isArray(record.headerTransforms)) {
+    return void 0;
+  }
+  const expiresAtMs = Date.parse(record.expiresAt);
+  if (!Number.isFinite(expiresAtMs) || expiresAtMs <= Date.now()) {
+    return void 0;
+  }
+  const headerTransforms = record.headerTransforms.filter(
+    (transform) => Boolean(
+      transform && typeof transform.domain === "string" && transform.headers && typeof transform.headers === "object"
+    )
+  );
+  if (headerTransforms.length === 0) {
+    return void 0;
+  }
+  return {
+    provider: record.provider,
+    expiresAt: record.expiresAt,
+    headerTransforms
+  };
+}
+async function upsertSandboxEgressSession(input) {
+  const state = getStateAdapter();
+  await state.connect();
+  const ttlMs = Math.max(1, input.ttlMs ?? DEFAULT_SESSION_TTL_MS);
+  const now = Date.now();
+  const session = {
+    requesterId: input.requesterId,
+    expiresAtMs: now + ttlMs,
+    activationId: randomUUID3()
+  };
+  await state.set(sessionKey2(input.sandboxId), session, ttlMs);
+}
+async function clearSandboxEgressSession(sandboxId) {
+  const state = getStateAdapter();
+  await state.connect();
+  await state.delete(sessionKey2(sandboxId));
+}
+async function getSandboxEgressSession(sandboxId) {
+  const state = getStateAdapter();
+  await state.connect();
+  return parseSession(await state.get(sessionKey2(sandboxId)));
+}
+async function setSandboxEgressCredentialLease(sandboxId, session, lease) {
+  const leaseExpiresAtMs = Date.parse(lease.expiresAt);
+  if (!Number.isFinite(leaseExpiresAtMs) || leaseExpiresAtMs <= Date.now()) {
+    return;
+  }
+  const ttlMs = Math.max(
+    1,
+    Math.min(leaseExpiresAtMs, session.expiresAtMs) - Date.now()
+  );
+  const state = getStateAdapter();
+  await state.connect();
+  await state.set(leaseKey(sandboxId, lease.provider, session), lease, ttlMs);
+}
+async function getSandboxEgressCredentialLease(sandboxId, provider, session) {
+  const state = getStateAdapter();
+  await state.connect();
+  return parseLease(await state.get(leaseKey(sandboxId, provider, session)));
+}
+async function clearSandboxEgressCredentialLease(sandboxId, provider, session) {
+  const state = getStateAdapter();
+  await state.connect();
+  await state.delete(leaseKey(sandboxId, provider, session));
+}
+
 // src/chat/sandbox/http-error-details.ts
 var DEFAULT_PREVIEW_LIMIT = 512;
 function toTrimmedString(value, maxChars) {
@@ -8587,6 +8968,7 @@ function throwSandboxOperationError(action, error, includeMissingPath = false) {
 }
 
 // src/chat/sandbox/session.ts
+import { randomUUID as randomUUID4 } from "crypto";
 import { Sandbox } from "@vercel/sandbox";
 import { createBashTool as createBashTool2 } from "bash-tool";
 
@@ -9160,27 +9542,39 @@ var SANDBOX_RUNTIME = "node22";
 var SANDBOX_RUNTIME_BIN_DIR = `${SANDBOX_WORKSPACE_ROOT}/.junior/bin`;
 var SNAPSHOT_BOOT_RETRY_COUNT = 3;
 var SNAPSHOT_BOOT_RETRY_DELAY_MS = 1e3;
-function mergeNetworkPolicyWithHeaderTransforms(networkPolicy, headerTransforms) {
-  const basePolicy = networkPolicy && typeof networkPolicy === "object" && !Array.isArray(networkPolicy) ? { ...networkPolicy } : {};
-  const existingAllowRaw = basePolicy.allow;
-  const existingAllow = existingAllowRaw && typeof existingAllowRaw === "object" && !Array.isArray(existingAllowRaw) ? Object.fromEntries(
-    Object.entries(existingAllowRaw).map(
-      ([domain, rules]) => [
-        domain,
-        Array.isArray(rules) ? [...rules] : []
-      ]
-    )
-  ) : { "*": [] };
-  for (const transform of headerTransforms) {
-    const currentRules = existingAllow[transform.domain] ?? [];
-    existingAllow[transform.domain] = [
-      ...currentRules,
-      { transform: [{ headers: transform.headers }] }
-    ];
-  }
+var SANDBOX_NAME_PREFIX = "junior-";
+function createBashToolSandboxAdapter(sandbox) {
   return {
-    ...basePolicy,
-    allow: existingAllow
+    async executeCommand(command) {
+      const result = await sandbox.runCommand({
+        cmd: "bash",
+        args: ["-c", command]
+      });
+      const [stdout, stderr] = await Promise.all([
+        result.stdout(),
+        result.stderr()
+      ]);
+      return {
+        stdout,
+        stderr,
+        exitCode: result.exitCode
+      };
+    },
+    async readFile(filePath) {
+      const content = await sandbox.readFileToBuffer({ path: filePath });
+      if (content == null) {
+        throw new Error(`File not found: ${filePath}`);
+      }
+      return content.toString("utf8");
+    },
+    async writeFiles(files) {
+      await sandbox.writeFiles(
+        files.map((file) => ({
+          path: file.path,
+          content: file.content
+        }))
+      );
+    }
   };
 }
 function truncateOutput(output, maxLength) {
@@ -9213,23 +9607,36 @@ function createSandboxSessionManager(options) {
   let availableSkills = [];
   let availableReferenceFiles = [];
   let toolExecutors;
+  let appliedNetworkPolicyKey;
   const timeoutMs = options?.timeoutMs ?? 1e3 * 60 * 30;
   const traceContext = options?.traceContext ?? {};
   const dependencyProfileHash = getRuntimeDependencyProfileHash(SANDBOX_RUNTIME);
+  const resolveCommandEnv = options?.commandEnv ?? (async () => ({}));
   const withSandboxSpan = (name, op, attributes, callback) => withSpan(name, op, traceContext, callback, attributes);
   const clearSession = () => {
     sandbox = null;
     sandboxIdHint = void 0;
     toolExecutors = void 0;
+    appliedNetworkPolicyKey = void 0;
+  };
+  const createSandboxName = () => `${SANDBOX_NAME_PREFIX}${randomUUID4()}`;
+  const rememberNetworkPolicy = (networkPolicy) => {
+    appliedNetworkPolicyKey = networkPolicy ? JSON.stringify(networkPolicy) : void 0;
   };
-  const rememberSandbox = async (nextSandbox) => {
+  const rememberSandbox = async (nextSandbox, rememberOptions) => {
     sandbox = nextSandbox;
     sandboxIdHint = nextSandbox.sandboxId;
     toolExecutors = void 0;
-    await options?.onSandboxAcquired?.({
-      sandboxId: nextSandbox.sandboxId,
+    const acquired = {
+      sandboxId: sandboxIdHint,
       ...dependencyProfileHash ? { sandboxDependencyProfileHash: dependencyProfileHash } : {}
-    });
+    };
+    await options?.onSandboxAcquired?.(acquired);
+    if (rememberOptions?.recordNetworkPolicy) {
+      rememberNetworkPolicy(
+        options?.createNetworkPolicy?.(nextSandbox.sandboxId)
+      );
+    }
     return nextSandbox;
   };
   const failSetup = (error) => {
@@ -9244,6 +9651,30 @@ function createSandboxSessionManager(options) {
       runtimeBinDir: SANDBOX_RUNTIME_BIN_DIR
     });
   };
+  const refreshNetworkPolicy = async (targetSandbox) => {
+    const networkPolicy = options?.createNetworkPolicy?.(
+      targetSandbox.sandboxId
+    );
+    if (!networkPolicy) {
+      return;
+    }
+    const networkPolicyKey = JSON.stringify(networkPolicy);
+    if (appliedNetworkPolicyKey === networkPolicyKey) {
+      return;
+    }
+    await withSandboxSpan(
+      "sandbox.network_policy.update",
+      "sandbox.update",
+      {
+        "app.sandbox.reused": true,
+        "app.sandbox.source": "id_hint"
+      },
+      async () => {
+        await targetSandbox.update({ networkPolicy });
+      }
+    );
+    appliedNetworkPolicyKey = networkPolicyKey;
+  };
   const ensureSandboxReachable = async (targetSandbox, source) => {
     await withSandboxSpan(
       "sandbox.reuse_probe",
@@ -9263,23 +9694,6 @@ function createSandboxSessionManager(options) {
       }
     );
   };
-  const invalidateSandboxInstance = async (targetSandbox, reason) => {
-    if (sandbox === targetSandbox) {
-      clearSession();
-    }
-    logWarn(
-      "sandbox_network_policy_restore_failed",
-      traceContext,
-      {
-        "exception.message": reason instanceof Error ? reason.message : String(reason)
-      },
-      "Sandbox network policy restore failed; discarding sandbox instance"
-    );
-    try {
-      await targetSandbox.stop({ blocking: true });
-    } catch {
-    }
-  };
   const recreateUnavailableSandbox = async (source) => {
     setSpanAttributes({
       "app.sandbox.recovery.attempted": true,
@@ -9292,17 +9706,22 @@ function createSandboxSessionManager(options) {
     });
     return replacement;
   };
-  const createSandboxFromSnapshot = async (snapshotId, sandboxCredentials) => {
+  const createSandboxFromSnapshot = async (snapshotId, sandboxCredentials, initialSandboxName) => {
     for (let attempt = 0; attempt < SNAPSHOT_BOOT_RETRY_COUNT; attempt += 1) {
+      const sandboxName = attempt === 0 ? initialSandboxName : createSandboxName();
+      const networkPolicy = options?.createNetworkPolicy?.(sandboxName);
       try {
-        return await Sandbox.create({
-          timeout: timeoutMs,
-          source: {
-            type: "snapshot",
-            snapshotId
-          },
-          ...sandboxCredentials ?? {}
-        });
+        return createSandboxInstance(
+          await Sandbox.create({
+            timeout: timeoutMs,
+            ...networkPolicy ? { name: sandboxName, persistent: false, networkPolicy } : {},
+            source: {
+              type: "snapshot",
+              snapshotId
+            },
+            ...sandboxCredentials ?? {}
+          })
+        );
       } catch (error) {
         if (!isSnapshottingError(error) || attempt === SNAPSHOT_BOOT_RETRY_COUNT - 1) {
           throw error;
@@ -9327,18 +9746,23 @@ function createSandboxSessionManager(options) {
     });
   };
   const createSandboxFromResolvedSnapshot = async (params) => {
-    const { runtime, snapshot, sandboxCredentials } = params;
+    const { runtime, snapshot, sandboxCredentials, sandboxName } = params;
     if (!snapshot.snapshotId) {
-      return await Sandbox.create({
-        timeout: timeoutMs,
-        runtime,
-        ...sandboxCredentials ?? {}
-      });
+      const networkPolicy = options?.createNetworkPolicy?.(sandboxName);
+      return createSandboxInstance(
+        await Sandbox.create({
+          timeout: timeoutMs,
+          runtime,
+          ...networkPolicy ? { name: sandboxName, persistent: false, networkPolicy } : {},
+          ...sandboxCredentials ?? {}
+        })
+      );
     }
     try {
       return await createSandboxFromSnapshot(
         snapshot.snapshotId,
-        sandboxCredentials
+        sandboxCredentials,
+        sandboxName
       );
     } catch (error) {
       if (!isSnapshotMissingError(error)) {
@@ -9358,13 +9782,15 @@ function createSandboxSessionManager(options) {
       }
       return await createSandboxFromSnapshot(
         rebuiltSnapshot.snapshotId,
-        sandboxCredentials
+        sandboxCredentials,
+        sandboxName
       );
     }
   };
   const createFreshSandbox = async () => {
     const runtime = SANDBOX_RUNTIME;
     const sandboxCredentials = getVercelSandboxCredentials();
+    const sandboxName = createSandboxName();
     let createdSandbox;
     try {
       createdSandbox = await withSandboxSpan(
@@ -9384,7 +9810,8 @@ function createSandboxSessionManager(options) {
           return await createSandboxFromResolvedSnapshot({
             runtime,
             snapshot,
-            sandboxCredentials
+            sandboxCredentials,
+            sandboxName
           });
         }
       );
@@ -9396,7 +9823,7 @@ function createSandboxSessionManager(options) {
     } catch (error) {
       return failSetup(error);
     }
-    return await rememberSandbox(createdSandbox);
+    return await rememberSandbox(createdSandbox, { recordNetworkPolicy: true });
   };
   const discardHintIfProfileChanged = () => {
     if (sandbox || !sandboxIdHint || dependencyProfileHash === options?.sandboxDependencyProfileHash) {
@@ -9419,6 +9846,7 @@ function createSandboxSessionManager(options) {
     }
     try {
       await ensureSandboxReachable(cachedSandbox, "memory");
+      await refreshNetworkPolicy(cachedSandbox);
       return cachedSandbox;
     } catch (error) {
       if (isSandboxUnavailableError(error)) {
@@ -9441,15 +9869,19 @@ function createSandboxSessionManager(options) {
           "app.sandbox.reused": true,
           "app.sandbox.source": "id_hint"
         },
-        async () => await Sandbox.get({
-          sandboxId: sandboxIdHint,
-          ...sandboxCredentials ?? {}
-        })
+        async () => createSandboxInstance(
+          await Sandbox.get({
+            name: sandboxIdHint,
+            resume: true,
+            ...sandboxCredentials ?? {}
+          })
+        )
       );
     } catch {
       return null;
     }
     try {
+      await refreshNetworkPolicy(hintedSandbox);
       await syncSkills(hintedSandbox);
       return await rememberSandbox(hintedSandbox);
     } catch (error) {
@@ -9504,37 +9936,6 @@ function createSandboxSessionManager(options) {
       stderrTruncated: stderr.truncated
     };
   };
-  const withTemporaryHeaderTransforms = async (sandboxInstance, headerTransforms, callback) => {
-    if (!headerTransforms || headerTransforms.length === 0) {
-      return await callback();
-    }
-    const restoreNetworkPolicy = sandboxInstance.networkPolicy ?? "allow-all";
-    const policy = mergeNetworkPolicyWithHeaderTransforms(
-      restoreNetworkPolicy,
-      headerTransforms
-    );
-    await sandboxInstance.updateNetworkPolicy(policy);
-    let callbackError;
-    let restoreError;
-    let result;
-    try {
-      result = await callback();
-    } catch (error) {
-      callbackError = error;
-      throw error;
-    } finally {
-      try {
-        await sandboxInstance.updateNetworkPolicy(restoreNetworkPolicy);
-      } catch (error) {
-        restoreError = error;
-        await invalidateSandboxInstance(sandboxInstance, error);
-      }
-    }
-    if (restoreError && !callbackError) {
-      throw restoreError;
-    }
-    return result;
-  };
   const extendKeepAlive = async (activeSandbox) => {
     const keepAliveMs = parseKeepAliveMs();
     if (keepAliveMs === 0) {
@@ -9555,6 +9956,7 @@ function createSandboxSessionManager(options) {
     }
   };
   const buildToolExecutors = async (sandboxInstance) => {
+    const activeSandboxId = sandboxInstance.sandboxId;
     const toolkit = await withSandboxSpan(
       "sandbox.bash_tool.init",
       "sandbox.tool.init",
@@ -9563,7 +9965,7 @@ function createSandboxSessionManager(options) {
         "app.sandbox.destination": SANDBOX_WORKSPACE_ROOT
       },
       async () => await createBashTool2({
-        sandbox: sandboxInstance,
+        sandbox: createBashToolSandboxAdapter(sandboxInstance),
         destination: SANDBOX_WORKSPACE_ROOT
       })
     );
@@ -9574,47 +9976,69 @@ function createSandboxSessionManager(options) {
     }
     return {
       bash: async (input) => {
-        const script = buildNonInteractiveShellScript(input.command, {
-          env: input.env,
-          pathPrefix: `${SANDBOX_RUNTIME_BIN_DIR}:$PATH`
-        });
-        const controller = input.timeoutMs && input.timeoutMs > 0 ? new AbortController() : void 0;
+        await options?.beforeCommand?.(activeSandboxId);
         let timedOut = false;
-        const timeoutId = controller ? setTimeout(() => {
-          timedOut = true;
-          controller.abort();
-        }, input.timeoutMs) : void 0;
-        return await withTemporaryHeaderTransforms(
-          sandboxInstance,
-          input.headerTransforms,
-          async () => {
-            try {
-              const commandResult2 = await sandboxInstance.runCommand({
-                cmd: "bash",
-                args: ["-c", script],
-                cwd: SANDBOX_WORKSPACE_ROOT,
-                ...controller ? { signal: controller.signal } : {}
-              });
-              return await readCommandOutput(commandResult2);
-            } catch (error) {
-              if (timedOut) {
-                return {
-                  stdout: "",
-                  stderr: `Command timed out after ${input.timeoutMs}ms`,
-                  exitCode: 124,
-                  stdoutTruncated: false,
-                  stderrTruncated: false,
-                  timedOut: true
-                };
-              }
-              throw error;
-            } finally {
-              if (timeoutId) {
-                clearTimeout(timeoutId);
-              }
-            }
+        let timeoutId;
+        let commandFinished = false;
+        const finishCommand = async () => {
+          if (commandFinished) {
+            return;
           }
-        );
+          commandFinished = true;
+          await options?.afterCommand?.(activeSandboxId);
+        };
+        const finishCommandBestEffort = async () => {
+          try {
+            await finishCommand();
+          } catch (error) {
+            logWarn(
+              "sandbox_command_cleanup_failed",
+              traceContext,
+              {
+                "app.sandbox.id": activeSandboxId,
+                "error.type": error instanceof Error ? error.name : "sandbox_command_cleanup_error"
+              },
+              "Sandbox command cleanup failed"
+            );
+          }
+        };
+        try {
+          const sandboxCommandEnv = await resolveCommandEnv();
+          const script = buildNonInteractiveShellScript(input.command, {
+            env: { ...sandboxCommandEnv, ...input.env ?? {} },
+            pathPrefix: `${SANDBOX_RUNTIME_BIN_DIR}:$PATH`
+          });
+          const controller = input.timeoutMs && input.timeoutMs > 0 ? new AbortController() : void 0;
+          timeoutId = controller ? setTimeout(() => {
+            timedOut = true;
+            controller.abort();
+          }, input.timeoutMs) : void 0;
+          const commandResult2 = await sandboxInstance.runCommand({
+            cmd: "bash",
+            args: ["-c", script],
+            cwd: SANDBOX_WORKSPACE_ROOT,
+            ...controller ? { signal: controller.signal } : {}
+          });
+          await finishCommandBestEffort();
+          return await readCommandOutput(commandResult2);
+        } catch (error) {
+          if (timedOut) {
+            return {
+              stdout: "",
+              stderr: `Command timed out after ${input.timeoutMs}ms`,
+              exitCode: 124,
+              stdoutTruncated: false,
+              stderrTruncated: false,
+              timedOut: true
+            };
+          }
+          throw error;
+        } finally {
+          if (timeoutId) {
+            clearTimeout(timeoutId);
+          }
+          await finishCommandBestEffort();
+        }
       },
       readFile: async (input) => await executeReadFile(input, {
         toolCallId: "sandbox-read-file",
@@ -9647,7 +10071,7 @@ function createSandboxSessionManager(options) {
       availableReferenceFiles = [...files];
     },
     getSandboxId() {
-      return sandbox?.sandboxId ?? sandboxIdHint;
+      return sandbox ? sandbox.sandboxId : sandboxIdHint;
     },
     getDependencyProfileHash() {
       return dependencyProfileHash;
@@ -9670,7 +10094,7 @@ function createSandboxSessionManager(options) {
           "app.sandbox.stop.blocking": true
         },
         async () => {
-          await activeSandbox.stop({ blocking: true });
+          await activeSandbox.stop();
         }
       );
       sandbox = null;
@@ -9689,21 +10113,6 @@ var SANDBOX_TOOL_NAMES = /* @__PURE__ */ new Set([
   "listDir",
   "writeFile"
 ]);
-function parseHeaderTransforms(raw) {
-  if (!Array.isArray(raw)) {
-    return void 0;
-  }
-  return raw.filter(
-    (value) => Boolean(value && typeof value === "object")
-  ).map((transform) => ({
-    domain: String(transform.domain ?? "").trim(),
-    headers: transform.headers && typeof transform.headers === "object" && !Array.isArray(transform.headers) ? Object.fromEntries(
-      Object.entries(transform.headers).filter(([, value]) => typeof value === "string").map(([key, value]) => [key, value])
-    ) : {}
-  })).filter(
-    (transform) => transform.domain.length > 0 && Object.keys(transform.headers).length > 0
-  );
-}
 function parseEnv(raw) {
   if (!raw || typeof raw !== "object" || Array.isArray(raw)) {
     return void 0;
@@ -9712,27 +10121,33 @@ function parseEnv(raw) {
     Object.entries(raw).filter(([, value]) => typeof value === "string").map(([key, value]) => [key, value])
   );
 }
-function createSandboxWorkspace(sandbox) {
-  return {
-    sandboxId: sandbox.sandboxId,
-    readFileToBuffer(input) {
-      return sandbox.readFileToBuffer(input);
-    },
-    runCommand(input) {
-      return sandbox.runCommand(input);
-    }
-  };
-}
 function createSandboxExecutor(options) {
   let availableSkills = [];
   let referenceFiles = [];
   const traceContext = options?.traceContext ?? {};
+  const credentialEgress = options?.credentialEgress;
+  const syncSandboxEgressSession = credentialEgress ? async (sandboxId) => {
+    await upsertSandboxEgressSession({
+      sandboxId,
+      requesterId: credentialEgress.requesterId,
+      ttlMs: options?.timeoutMs
+    });
+  } : void 0;
+  const clearSandboxEgressSessionForCommand = credentialEgress ? async (sandboxId) => {
+    await clearSandboxEgressSession(sandboxId);
+  } : void 0;
   const sessionManager = createSandboxSessionManager({
     sandboxId: options?.sandboxId,
     sandboxDependencyProfileHash: options?.sandboxDependencyProfileHash,
     timeoutMs: options?.timeoutMs,
     traceContext,
-    onSandboxAcquired: options?.onSandboxAcquired
+    commandEnv: credentialEgress ? async () => await resolveSandboxCommandEnvironment() : void 0,
+    createNetworkPolicy: credentialEgress ? buildSandboxEgressNetworkPolicy : void 0,
+    beforeCommand: syncSandboxEgressSession,
+    afterCommand: clearSandboxEgressSessionForCommand,
+    onSandboxAcquired: async (sandbox) => {
+      await options?.onSandboxAcquired?.(sandbox);
+    }
   });
   const withSandboxSpan = (name, op, attributes, callback) => withSpan(name, op, traceContext, callback, attributes);
   const logSandboxBootRequest = (trigger, details = {}) => {
@@ -9750,7 +10165,6 @@ function createSandboxExecutor(options) {
     );
   };
   const executeBashTool = async (rawInput, command) => {
-    const headerTransforms = parseHeaderTransforms(rawInput.headerTransforms);
     const env = parseEnv(rawInput.env);
     const timeoutMs = positiveInteger(rawInput.timeoutMs);
     logSandboxBootRequest("tool.bash", {
@@ -9767,7 +10181,6 @@ function createSandboxExecutor(options) {
         try {
           const response = await executeBash({
             command,
-            ...headerTransforms ? { headerTransforms } : {},
             ...env ? { env } : {},
             ...timeoutMs ? { timeoutMs } : {}
           });
@@ -10071,7 +10484,7 @@ function createSandboxExecutor(options) {
       return SANDBOX_TOOL_NAMES.has(toolName);
     },
     async createSandbox() {
-      return createSandboxWorkspace(await sessionManager.createSandbox());
+      return await sessionManager.createSandbox();
     },
     execute,
     async dispose() {
@@ -10172,34 +10585,6 @@ function buildSandboxInput(toolName, params) {
   return params;
 }
 
-// src/chat/tools/execution/inject-credentials.ts
-function resolveCredentialInjection(toolName, command, capabilityRuntime, sandbox) {
-  if (toolName !== "bash" || !capabilityRuntime) {
-    return {};
-  }
-  const headerTransforms = capabilityRuntime.getTurnHeaderTransforms();
-  const env = capabilityRuntime.getTurnEnv();
-  const isCustomCommand = /^jr-rpc(?:\s|$)/.test(command.trim());
-  const shouldLog = !isCustomCommand && Boolean(headerTransforms && headerTransforms.length > 0);
-  if (shouldLog) {
-    const headerDomains = (headerTransforms ?? []).map(
-      (transform) => transform.domain
-    );
-    const skillName = sandbox.getActiveSkill()?.name;
-    logInfo(
-      "credential_inject_start",
-      {},
-      {
-        "app.skill.name": skillName,
-        "app.credential.delivery": "header_transform",
-        "app.credential.header_domains": headerDomains
-      },
-      `Injecting scoped credential headers for sandbox command (${skillName ?? "unknown skill"} \u2192 ${headerDomains.join(", ")})`
-    );
-  }
-  return { headerTransforms, env };
-}
-
 // src/chat/tools/execution/normalize-result.ts
 function isStructuredToolExecutionResult(value) {
   const content = value?.content;
@@ -10289,7 +10674,7 @@ function handleToolExecutionError(error, toolName, toolCallId, shouldTrace, trac
 }
 
 // src/chat/tools/agent-tools.ts
-function createAgentTools(tools, sandbox, spanContext, onStatus, sandboxExecutor, capabilityRuntime, pluginAuthOrchestration, onToolCall) {
+function createAgentTools(tools, sandbox, spanContext, onStatus, sandboxExecutor, pluginAuthOrchestration, onToolCall) {
   const shouldTrace = shouldEmitDevAgentTrace();
   return Object.entries(tools).map(([toolName, toolDef]) => ({
     name: toolName,
@@ -10329,21 +10714,11 @@ function createAgentTools(tools, sandbox, spanContext, onStatus, sandboxExecutor
               };
             }
             const bashCommand = toolName === "bash" && typeof parsed.command === "string" ? parsed.command.trim() : "";
-            const injection = resolveCredentialInjection(
-              toolName,
-              bashCommand,
-              capabilityRuntime,
-              sandbox
-            );
             const sandboxInput = buildSandboxInput(toolName, parsed);
             const isSandbox = Boolean(sandboxExecutor?.canExecute(toolName));
             const result = isSandbox ? await sandboxExecutor.execute({
               toolName,
-              input: toolName === "bash" && (injection.headerTransforms || injection.env) ? {
-                ...sandboxInput,
-                ...injection.headerTransforms ? { headerTransforms: injection.headerTransforms } : {},
-                ...injection.env ? { env: injection.env } : {}
-              } : sandboxInput
+              input: sandboxInput
             }) : await toolDef.execute(parsed, {
               experimental_context: sandbox
             });
@@ -11206,6 +11581,7 @@ ${typeof result.stderr === "string" ? result.stderr : ""}`.toLowerCase();
     return false;
   }
   return [
+    /\bjunior-auth-required\b/,
     /\b401\b/,
     /\bunauthorized\b/,
     /\bbad credentials\b/,
@@ -11218,6 +11594,33 @@ ${typeof result.stderr === "string" ? result.stderr : ""}`.toLowerCase();
     /\breauthoriz/
   ].some((pattern) => pattern.test(text));
 }
+function commandText(details) {
+  if (!details || typeof details !== "object") {
+    return "";
+  }
+  const result = details;
+  return `${typeof result.stdout === "string" ? result.stdout : ""}
+${typeof result.stderr === "string" ? result.stderr : ""}`;
+}
+function explicitAuthRequiredProvider(details) {
+  const match = /\bjunior-auth-required\s+provider=([a-z0-9-]+)\b/.exec(
+    commandText(details).toLowerCase()
+  );
+  return match?.[1];
+}
+function registeredProviderNames() {
+  const providers = /* @__PURE__ */ new Set();
+  for (const plugin of getPluginProviders()) {
+    const domains = [
+      ...plugin.manifest.credentials?.domains ?? [],
+      ...plugin.manifest.domains ?? []
+    ];
+    if (domains.length > 0) {
+      providers.add(plugin.manifest.name);
+    }
+  }
+  return [...providers].sort((left, right) => left.localeCompare(right));
+}
 function commandTargetsProvider(provider, command, details) {
   const normalizedCommand = command.trim().toLowerCase();
   if (!normalizedCommand) {
@@ -11232,16 +11635,15 @@ function commandTargetsProvider(provider, command, details) {
   const credentials = manifest?.credentials;
   if (credentials) {
     candidates.add(credentials.authTokenEnv.toLowerCase());
-    for (const domain of credentials.apiDomains) {
+    for (const domain of credentials.domains) {
       candidates.add(domain.toLowerCase());
     }
   }
-  for (const domain of manifest?.apiDomains ?? []) {
+  for (const domain of manifest?.domains ?? []) {
     candidates.add(domain.toLowerCase());
   }
   const combinedText = `${normalizedCommand}
-${details.stdout?.toLowerCase() ?? ""}
-${details.stderr?.toLowerCase() ?? ""}`;
+${commandText(details).toLowerCase()}`;
   return [...candidates].some((candidate) => combinedText.includes(candidate));
 }
 function createPluginAuthOrchestration(deps, abortAgent) {
@@ -11299,23 +11701,22 @@ function createPluginAuthOrchestration(deps, abortAgent) {
     abortAgent();
     throw pendingPause;
   };
-  const handleCredentialUnavailable = async (input) => {
-    if (pendingPause) {
-      throw pendingPause;
-    }
-    if (!deps.requesterId || !getPluginOAuthConfig(input.error.provider)) {
-      throw input.error;
-    }
-    return await startAuthorizationPause(
-      input.error.provider,
-      input.activeSkill
-    );
-  };
   return {
-    handleCredentialUnavailable,
     handleCommandFailure: async (input) => {
-      const provider = input.activeSkill?.pluginProvider;
-      if (!provider || !deps.requesterId || !deps.userTokenStore || !getPluginOAuthConfig(provider) || !isCommandAuthFailure(input.details) || !commandTargetsProvider(provider, input.command, input.details)) {
+      const providers = registeredProviderNames();
+      const authFailure = isCommandAuthFailure(input.details);
+      if (!authFailure) {
+        return;
+      }
+      const explicitProvider = explicitAuthRequiredProvider(input.details);
+      const provider = explicitProvider && providers.includes(explicitProvider) ? explicitProvider : providers.find(
+        (availableProvider) => commandTargetsProvider(
+          availableProvider,
+          input.command,
+          input.details
+        )
+      );
+      if (!provider || !deps.requesterId || !deps.userTokenStore || !getPluginOAuthConfig(provider)) {
         return;
       }
       await startAuthorizationPause(provider, input.activeSkill, {
@@ -11581,14 +11982,15 @@ async function generateAssistantReply(messageText, context = {}) {
       ...context.configuration ?? {},
       ...persistedConfigurationValues
     };
-    const capabilityRuntime = createSkillCapabilityRuntime({
-      requesterId: context.requester?.userId
-    });
+    const requesterId = context.requester?.userId;
     const userTokenStore = createUserTokenStore();
     sandboxExecutor = createSandboxExecutor({
       sandboxId: context.sandbox?.sandboxId,
       sandboxDependencyProfileHash: context.sandbox?.sandboxDependencyProfileHash,
       traceContext: spanContext,
+      credentialEgress: requesterId ? {
+        requesterId
+      } : void 0,
       onSandboxAcquired: async (sandbox2) => {
         lastKnownSandboxId = sandbox2.sandboxId;
         lastKnownSandboxDependencyProfileHash = sandbox2.sandboxDependencyProfileHash;
@@ -11752,25 +12154,6 @@ async function generateAssistantReply(messageText, context = {}) {
     const syncResumeState = () => {
       loadedSkillNamesForResume = activeSkills.map((skill) => skill.name);
     };
-    const enableSkillCredentials = async (skill, reason) => {
-      if (!skill?.pluginProvider) {
-        return;
-      }
-      try {
-        await capabilityRuntime.enableCredentialsForTurn({
-          activeSkill: skill,
-          reason
-        });
-      } catch (error) {
-        if (error instanceof CredentialUnavailableError && context.requester?.userId) {
-          await pluginAuth.handleCredentialUnavailable({
-            activeSkill: skill,
-            error
-          });
-        }
-        throw error;
-      }
-    };
     setTags({
       conversationId: spanContext.conversationId,
       slackThreadId: context.correlation?.threadId,
@@ -11812,10 +12195,6 @@ async function generateAssistantReply(messageText, context = {}) {
           if (mcpAuth.getPendingPause()) {
             return void 0;
           }
-          await enableSkillCredentials(
-            effective,
-            `skill:${effective.name}:turn:load`
-          );
           if (!effective.pluginProvider) {
             return void 0;
           }
@@ -11868,7 +12247,6 @@ async function generateAssistantReply(messageText, context = {}) {
         timeoutResumeMessages = existingCheckpoint?.piMessages ?? [];
         throw mcpAuth.getPendingPause();
       }
-      await enableSkillCredentials(skill, `skill:${skill.name}:turn:resume`);
     }
     syncResumeState();
     const activeMcpCatalogs = toActiveMcpCatalogSummaries(
@@ -11929,7 +12307,6 @@ async function generateAssistantReply(messageText, context = {}) {
       spanContext,
       context.onStatus,
       sandboxExecutor,
-      capabilityRuntime,
       pluginAuth,
       onToolCall
     );
@@ -11939,7 +12316,6 @@ async function generateAssistantReply(messageText, context = {}) {
       spanContext,
       context.onStatus,
       sandboxExecutor,
-      capabilityRuntime,
       pluginAuth,
       onToolCall
     );
@@ -14290,6 +14666,337 @@ async function GET5(request, provider, waitUntil) {
   });
 }
 
+// src/chat/sandbox/egress-oidc.ts
+import {
+  createRemoteJWKSet,
+  decodeJwt,
+  jwtVerify
+} from "jose";
+var OIDC_DISCOVERY_CACHE_TTL_MS = 60 * 60 * 1e3;
+var OIDC_DISCOVERY_CACHE_MAX_ENTRIES = 8;
+var jwksByIssuer = /* @__PURE__ */ new Map();
+function buildDiscoveryUrl(issuer) {
+  const url = new URL(issuer);
+  if (url.protocol !== "https:" || url.hostname !== "oidc.vercel.com") {
+    throw new Error("Unexpected Vercel OIDC issuer");
+  }
+  url.pathname = `${url.pathname.replace(/\/$/, "")}/.well-known/openid-configuration`;
+  url.search = "";
+  url.hash = "";
+  return url;
+}
+function buildJwksUrl(value) {
+  const url = new URL(value);
+  if (url.protocol !== "https:") {
+    throw new Error("Vercel OIDC discovery jwks_uri must use HTTPS");
+  }
+  return url;
+}
+async function getJwks(issuer) {
+  const now = Date.now();
+  const cached = jwksByIssuer.get(issuer);
+  if (cached && cached.expiresAtMs > now) {
+    return cached.jwks;
+  }
+  if (cached) {
+    jwksByIssuer.delete(issuer);
+  }
+  const response = await fetch(buildDiscoveryUrl(issuer), {
+    redirect: "error"
+  });
+  if (!response.ok) {
+    throw new Error("Unable to load Vercel OIDC discovery metadata");
+  }
+  const config = await response.json();
+  if (!config.jwks_uri) {
+    throw new Error("Vercel OIDC discovery metadata did not include jwks_uri");
+  }
+  const jwks = createRemoteJWKSet(buildJwksUrl(config.jwks_uri));
+  if (!jwksByIssuer.has(issuer) && jwksByIssuer.size >= OIDC_DISCOVERY_CACHE_MAX_ENTRIES) {
+    const oldestIssuer = jwksByIssuer.keys().next().value;
+    if (oldestIssuer) {
+      jwksByIssuer.delete(oldestIssuer);
+    }
+  }
+  jwksByIssuer.set(issuer, {
+    jwks,
+    expiresAtMs: now + OIDC_DISCOVERY_CACHE_TTL_MS
+  });
+  return jwks;
+}
+function expectedVercelOidcAudience() {
+  const audience = process.env.VERCEL_OIDC_AUDIENCE?.trim();
+  if (!audience) {
+    throw new Error("VERCEL_OIDC_AUDIENCE is required for sandbox egress OIDC");
+  }
+  return audience;
+}
+function validateVercelSandboxOidcClaims(payload, sandboxId) {
+  const expectedTeamId = process.env.VERCEL_TEAM_ID?.trim();
+  const expectedProjectId = process.env.VERCEL_PROJECT_ID?.trim();
+  if (!expectedProjectId) {
+    throw new Error("VERCEL_PROJECT_ID is required for sandbox egress OIDC");
+  }
+  if (expectedTeamId && (typeof payload.owner_id !== "string" || payload.owner_id !== expectedTeamId)) {
+    throw new Error("Vercel OIDC token belongs to a different team");
+  }
+  if (typeof payload.project_id !== "string" || payload.project_id !== expectedProjectId) {
+    throw new Error("Vercel OIDC token belongs to a different project");
+  }
+  if (payload.sandbox_id !== sandboxId) {
+    throw new Error("Vercel OIDC token belongs to a different sandbox");
+  }
+}
+async function verifyVercelSandboxOidcToken(token, sandboxId) {
+  const unverified = decodeJwt(token);
+  if (typeof unverified.iss !== "string") {
+    throw new Error("Vercel OIDC token did not include an issuer");
+  }
+  const audience = expectedVercelOidcAudience();
+  const jwks = await getJwks(unverified.iss);
+  const verified = await jwtVerify(token, jwks, {
+    issuer: unverified.iss,
+    audience
+  });
+  validateVercelSandboxOidcClaims(verified.payload, sandboxId);
+  return verified.payload;
+}
+
+// src/chat/sandbox/egress-proxy.ts
+var OIDC_TOKEN_HEADER = "vercel-sandbox-oidc-token";
+var FORWARDED_HOST_HEADER = "vercel-forwarded-host";
+var FORWARDED_SCHEME_HEADER = "vercel-forwarded-scheme";
+var FORWARDED_PORT_HEADER = "vercel-forwarded-port";
+var ROUTE_PREFIX = "/api/internal/sandbox-egress";
+var HOP_BY_HOP_HEADERS = /* @__PURE__ */ new Set([
+  "connection",
+  "host",
+  "keep-alive",
+  "proxy-authenticate",
+  "proxy-authorization",
+  "te",
+  "trailer",
+  "transfer-encoding",
+  "upgrade"
+]);
+var PROXY_ONLY_HEADERS = /* @__PURE__ */ new Set([
+  OIDC_TOKEN_HEADER,
+  FORWARDED_HOST_HEADER,
+  FORWARDED_SCHEME_HEADER,
+  FORWARDED_PORT_HEADER
+]);
+var AUTH_REJECTION_STATUS = /* @__PURE__ */ new Set([401, 403]);
+function jsonError(message, status) {
+  return Response.json({ error: message }, { status });
+}
+function normalizeHost(value) {
+  const trimmed = value.trim().toLowerCase();
+  if (!trimmed || trimmed.includes("/") || trimmed.includes("\\") || trimmed.includes(":")) {
+    return void 0;
+  }
+  return trimmed.replace(/\.$/, "");
+}
+function normalizeScheme(value) {
+  return value.trim().toLowerCase() === "https" ? "https" : void 0;
+}
+function normalizePort(value) {
+  if (!value) {
+    return void 0;
+  }
+  const trimmed = value.trim();
+  if (!/^\d{1,5}$/.test(trimmed)) {
+    return void 0;
+  }
+  const port = Number.parseInt(trimmed, 10);
+  return port >= 1 && port <= 65535 ? trimmed : void 0;
+}
+function upstreamPath(request, sandboxId) {
+  const url = new URL(request.url);
+  const prefix = `${ROUTE_PREFIX}/${encodeURIComponent(sandboxId)}`;
+  if (url.pathname === prefix) {
+    return `/${url.search}`;
+  }
+  if (url.pathname.startsWith(`${prefix}/`)) {
+    return `${url.pathname.slice(prefix.length)}${url.search}`;
+  }
+  return void 0;
+}
+function buildUpstreamUrl(request, sandboxId) {
+  const forwardedHost = request.headers.get(FORWARDED_HOST_HEADER);
+  if (!forwardedHost?.trim()) {
+    return { ok: false, error: "Missing forwarded host" };
+  }
+  const host = normalizeHost(forwardedHost);
+  if (!host) {
+    return { ok: false, error: "Invalid forwarded host" };
+  }
+  const forwardedScheme = request.headers.get(FORWARDED_SCHEME_HEADER);
+  if (!forwardedScheme?.trim()) {
+    return { ok: false, error: "Missing forwarded scheme" };
+  }
+  const scheme = normalizeScheme(forwardedScheme);
+  if (!scheme) {
+    return { ok: false, error: "Forwarded scheme must be https" };
+  }
+  const forwardedPort = request.headers.get(FORWARDED_PORT_HEADER);
+  const port = normalizePort(forwardedPort);
+  if (forwardedPort && !port) {
+    return { ok: false, error: "Invalid forwarded port" };
+  }
+  const path11 = upstreamPath(request, sandboxId);
+  if (!path11) {
+    return { ok: false, error: "Invalid egress route" };
+  }
+  try {
+    const url = new URL(`${scheme}://${host}${port ? `:${port}` : ""}${path11}`);
+    return { ok: true, url };
+  } catch {
+    return { ok: false, error: "Invalid forwarded URL" };
+  }
+}
+async function requestBodyBytes(request) {
+  if (request.method === "GET" || request.method === "HEAD" || request.body === null) {
+    return void 0;
+  }
+  return await request.arrayBuffer();
+}
+function requestHeaders(request, lease, upstreamHost) {
+  const headers = new Headers();
+  request.headers.forEach((value, key) => {
+    const normalized = key.toLowerCase();
+    if (HOP_BY_HOP_HEADERS.has(normalized) || PROXY_ONLY_HEADERS.has(normalized)) {
+      return;
+    }
+    headers.append(key, value);
+  });
+  for (const transform of lease.headerTransforms) {
+    if (!matchesSandboxEgressDomain(upstreamHost, transform.domain)) {
+      continue;
+    }
+    for (const [key, value] of Object.entries(transform.headers)) {
+      headers.set(key, value);
+    }
+  }
+  return headers;
+}
+function responseHeaders(upstream) {
+  const headers = new Headers();
+  upstream.headers.forEach((value, key) => {
+    const normalized = key.toLowerCase();
+    if (!HOP_BY_HOP_HEADERS.has(normalized)) {
+      headers.append(key, value);
+    }
+  });
+  return headers;
+}
+async function credentialLease(sandboxId, provider, session) {
+  const cached = await getSandboxEgressCredentialLease(
+    sandboxId,
+    provider,
+    session
+  );
+  if (cached) {
+    return cached;
+  }
+  const lease = await issueProviderCredentialLease({
+    provider,
+    requesterId: session.requesterId,
+    reason: `sandbox-egress:${provider}`
+  });
+  const headerTransforms = lease.headerTransforms ?? [];
+  if (headerTransforms.length === 0) {
+    throw new Error(
+      `Credential lease for ${provider} did not include header transforms`
+    );
+  }
+  const cachedLease = {
+    provider,
+    expiresAt: lease.expiresAt,
+    headerTransforms
+  };
+  await setSandboxEgressCredentialLease(sandboxId, session, cachedLease);
+  return cachedLease;
+}
+function hasTransformForHost(lease, host) {
+  return lease.headerTransforms.some(
+    (transform) => matchesSandboxEgressDomain(host, transform.domain)
+  );
+}
+async function proxySandboxEgressRequest(request, sandboxId, deps = {}) {
+  const oidcToken = request.headers.get(OIDC_TOKEN_HEADER)?.trim();
+  if (!oidcToken) {
+    return jsonError("Missing Vercel Sandbox OIDC token", 401);
+  }
+  try {
+    await (deps.verifyOidc ?? verifyVercelSandboxOidcToken)(
+      oidcToken,
+      sandboxId
+    );
+  } catch (error) {
+    logWarn(
+      "sandbox_egress_oidc_verification_failed",
+      {},
+      {
+        "app.sandbox.oidc_error": error instanceof Error ? error.message : String(error)
+      },
+      "Sandbox egress OIDC verification failed"
+    );
+    return jsonError("Invalid Vercel Sandbox OIDC token", 401);
+  }
+  const upstreamResult = buildUpstreamUrl(request, sandboxId);
+  if (!upstreamResult.ok) {
+    return jsonError(upstreamResult.error, 400);
+  }
+  const upstreamUrl = upstreamResult.url;
+  const provider = resolveSandboxEgressProviderForHost(upstreamUrl.hostname);
+  if (!provider) {
+    return jsonError("No provider owns forwarded host", 403);
+  }
+  const session = await getSandboxEgressSession(sandboxId);
+  if (!session) {
+    return jsonError("Sandbox egress session is not authorized", 403);
+  }
+  let lease;
+  try {
+    lease = await credentialLease(sandboxId, provider, session);
+  } catch (error) {
+    if (error instanceof CredentialUnavailableError) {
+      return new Response(
+        `junior-auth-required provider=${error.provider} 401 unauthorized
+${error.message}`,
+        {
+          status: 401,
+          headers: { "content-type": "text/plain; charset=utf-8" }
+        }
+      );
+    }
+    throw error;
+  }
+  if (!hasTransformForHost(lease, upstreamUrl.hostname)) {
+    return jsonError("Credential lease does not cover forwarded host", 403);
+  }
+  const body = await requestBodyBytes(request);
+  const upstream = await (deps.fetch ?? fetch)(upstreamUrl, {
+    method: request.method,
+    headers: requestHeaders(request, lease, upstreamUrl.hostname),
+    ...body ? { body } : {},
+    redirect: "manual"
+  });
+  if (AUTH_REJECTION_STATUS.has(upstream.status)) {
+    await clearSandboxEgressCredentialLease(sandboxId, provider, session);
+  }
+  return new Response(upstream.body, {
+    status: upstream.status,
+    statusText: upstream.statusText,
+    headers: responseHeaders(upstream)
+  });
+}
+
+// src/handlers/sandbox-egress-proxy.ts
+async function ALL(request, sandboxId) {
+  return await proxySandboxEgressRequest(request, sandboxId);
+}
+
 // src/chat/slack/context.ts
 function toTrimmedSlackString(value) {
   const normalized = toOptionalString(value);
@@ -15087,10 +15794,20 @@ function createSlackTurnRuntime(deps) {
             runId
           }),
           async () => {
-            const rawUserText = message.text;
-            const userText = deps.stripLeadingBotMention(rawUserText, {
+            const legacyAttachmentText = renderSlackLegacyAttachmentText(
+              message.raw
+            );
+            const rawUserText = appendSlackLegacyAttachmentText(
+              message.text,
+              message.raw
+            );
+            const strippedUserText = deps.stripLeadingBotMention(message.text, {
               stripLeadingSlackMentionToken: Boolean(message.isMention)
             });
+            const userText = appendSlackLegacyAttachmentText(
+              strippedUserText,
+              message.raw
+            );
             const context = {
               threadId,
               requesterId: message.author.userId,
@@ -15129,7 +15846,7 @@ function createSlackTurnRuntime(deps) {
               rawText: rawUserText,
               text: userText,
               conversationContext: deps.getPreparedConversationContext(preparedState),
-              hasAttachments: message.attachments.length > 0,
+              hasAttachments: message.attachments.length > 0 || legacyAttachmentText !== "",
               isExplicitMention: Boolean(message.isMention),
               context
             });
@@ -16084,9 +16801,13 @@ function createReplyToThread(deps) {
         modelId: botConfig.modelId
       },
       async () => {
-        const userText = stripLeadingBotMention(message.text, {
+        const strippedUserText = stripLeadingBotMention(message.text, {
           stripLeadingSlackMentionToken: options.explicitMention || Boolean(message.isMention)
         });
+        const userText = appendSlackLegacyAttachmentText(
+          strippedUserText,
+          message.raw
+        );
         const preparedState = options.preparedState ?? await deps.prepareTurnState({
           thread,
           message,
@@ -16525,7 +17246,8 @@ function hasPendingImageHydration(conversation) {
   );
 }
 function createConversationMessageFromSdkMessage(entry) {
-  const rawText = normalizeConversationText(entry.text);
+  const enrichedText = appendSlackLegacyAttachmentText(entry.text, entry.raw);
+  const rawText = normalizeConversationText(enrichedText);
   if (!rawText) {
     return null;
   }
@@ -17651,6 +18373,12 @@ async function createApp(options) {
   app.post("/api/internal/turn-resume", (c) => {
     return POST(c.req.raw, waitUntil);
   });
+  app.all("/api/internal/sandbox-egress/:sandboxId", (c) => {
+    return ALL(c.req.raw, c.req.param("sandboxId"));
+  });
+  app.all("/api/internal/sandbox-egress/:sandboxId/*", (c) => {
+    return ALL(c.req.raw, c.req.param("sandboxId"));
+  });
   app.post("/api/webhooks/:platform", (c) => {
     return POST2(c.req.raw, c.req.param("platform"), waitUntil);
   });