npm - @sentry/junior - Versions diffs - 0.42.0 → 0.44.0 - Mend

@sentry/junior 0.42.0 → 0.44.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/app.js +1067 -442
package/dist/{chunk-SCE5C645.js → chunk-BCG3I2T2.js} +197 -101
package/dist/{chunk-Y3UO7NR6.js → chunk-QAMTCT2R.js} +50 -10
package/dist/{chunk-7QYONRLH.js → chunk-ZUUJTQ2H.js} +1 -1
package/dist/cli/check.js +30 -11
package/dist/cli/snapshot-warmup.js +2 -2
package/package.json +3 -2

package/dist/app.js CHANGED Viewed

@@ -3,7 +3,7 @@ import {
   findSkillByName,
   loadSkillsByName,
   parseSkillInvocation
-} from "./chunk-7QYONRLH.js";
+} from "./chunk-ZUUJTQ2H.js";
 import {
   GEN_AI_PROVIDER_NAME,
   MISSING_GATEWAY_CREDENTIALS_ERROR,
@@ -14,6 +14,7 @@ import {
   buildNonInteractiveShellScript,
   completeObject,
   completeText,
+  createSandboxInstance,
   getGatewayApiKey,
   getPiGatewayApiKeyOverride,
   getRuntimeDependencyProfileHash,
@@ -30,7 +31,7 @@ import {
   runNonInteractiveCommand,
   sandboxSkillDir,
   sandboxSkillFile
-} from "./chunk-Y3UO7NR6.js";
+} from "./chunk-QAMTCT2R.js";
 import {
   CredentialUnavailableError,
   buildOAuthTokenRequest,
@@ -58,6 +59,7 @@ import {
   mergeHeaderTransforms,
   parseOAuthTokenResponse,
   resolveAuthTokenPlaceholder,
+  resolvePluginCommandEnv,
   serializeGenAiAttribute,
   setSpanAttributes,
   setSpanStatus,
@@ -66,7 +68,7 @@ import {
   toOptionalString,
   withContext,
   withSpan
-} from "./chunk-SCE5C645.js";
+} from "./chunk-BCG3I2T2.js";
 import {
   sentry_exports
 } from "./chunk-Z3YD6NHK.js";
@@ -3219,140 +3221,6 @@ var ProviderCredentialRouter = class {
   }
 };
-// src/chat/capabilities/runtime.ts
-function toHeaderTransforms(lease) {
-  if (!Array.isArray(lease.headerTransforms) || lease.headerTransforms.length === 0) {
-    return [];
-  }
-  return lease.headerTransforms.filter(
-    (transform) => Boolean(transform?.domain?.trim()) && transform.headers && typeof transform.headers === "object" && Object.keys(transform.headers).length > 0
-  ).map((transform) => ({
-    domain: transform.domain.trim(),
-    headers: transform.headers
-  }));
-}
-var SkillCapabilityRuntime = class {
-  router;
-  requesterId;
-  enabledByProvider = /* @__PURE__ */ new Map();
-  constructor(params) {
-    if (params.router) {
-      this.router = params.router;
-    } else if (params.broker) {
-      this.router = {
-        issue: async (input) => await params.broker.issue(input)
-      };
-    } else {
-      throw new Error(
-        "SkillCapabilityRuntime requires either router or broker"
-      );
-    }
-    this.requesterId = params.requesterId;
-  }
-  async enableCredentialsForTurn(input) {
-    const provider = input.activeSkill?.pluginProvider;
-    if (!provider) {
-      return void 0;
-    }
-    if (!this.requesterId) {
-      throw new Error("Credential enablement requires requester context");
-    }
-    const plugin = getPluginDefinition(provider);
-    if (!plugin?.manifest.credentials && !plugin?.manifest.apiHeaders) {
-      return void 0;
-    }
-    const existing = this.enabledByProvider.get(provider);
-    const now = Date.now();
-    if (existing && existing.expiresAtMs - now > 1e4) {
-      return {
-        reused: true,
-        expiresAt: new Date(existing.expiresAtMs).toISOString()
-      };
-    }
-    logInfo(
-      "credential_issue_request",
-      {},
-      {
-        "app.skill.name": input.activeSkill?.name,
-        "app.credential.provider": provider
-      },
-      "Issuing provider credential for current turn"
-    );
-    try {
-      const lease = await this.router.issue({
-        provider,
-        reason: input.reason,
-        requesterId: this.requesterId
-      });
-      const transforms = toHeaderTransforms(lease);
-      if (transforms.length === 0) {
-        throw new Error(
-          `Credential lease for ${provider} did not include header transforms`
-        );
-      }
-      const expiresAtMs = Date.parse(lease.expiresAt);
-      if (!Number.isFinite(expiresAtMs)) {
-        throw new Error(
-          `Credential lease for ${provider} returned invalid expiresAt`
-        );
-      }
-      this.enabledByProvider.set(provider, {
-        expiresAtMs,
-        transforms,
-        env: lease.env
-      });
-      logInfo(
-        "credential_issue_success",
-        {},
-        {
-          "app.skill.name": input.activeSkill?.name,
-          "app.credential.provider": lease.provider,
-          "app.credential.expires_at": lease.expiresAt,
-          "app.credential.delivery": "header_transform"
-        },
-        "Issued provider credential lease"
-      );
-      return { reused: false, expiresAt: lease.expiresAt };
-    } catch (error) {
-      logWarn(
-        "credential_issue_failed",
-        {},
-        {
-          "app.skill.name": input.activeSkill?.name,
-          "app.credential.provider": provider,
-          "exception.message": error instanceof Error ? error.message : String(error)
-        },
-        "Provider credential resolution failed"
-      );
-      throw error;
-    }
-  }
-  getTurnHeaderTransforms() {
-    const now = Date.now();
-    const headerTransforms = [];
-    for (const [provider, entry] of this.enabledByProvider.entries()) {
-      if (!Number.isFinite(entry.expiresAtMs) || entry.expiresAtMs <= now) {
-        this.enabledByProvider.delete(provider);
-        continue;
-      }
-      headerTransforms.push(...entry.transforms);
-    }
-    return headerTransforms.length > 0 ? headerTransforms : void 0;
-  }
-  getTurnEnv() {
-    const now = Date.now();
-    const env = {};
-    for (const [provider, entry] of this.enabledByProvider.entries()) {
-      if (!Number.isFinite(entry.expiresAtMs) || entry.expiresAtMs <= now) {
-        this.enabledByProvider.delete(provider);
-        continue;
-      }
-      Object.assign(env, entry.env);
-    }
-    return Object.keys(env).length > 0 ? env : void 0;
-  }
-};
 // src/chat/credentials/state-adapter-token-store.ts
 var KEY_PREFIX = "oauth-token";
 var BUFFER_MS = 24 * 60 * 60 * 1e3;
@@ -3419,12 +3287,13 @@ var TestCredentialBroker = class {
 // src/chat/capabilities/factory.ts
 var ENV_PLACEHOLDER_RE = /\$\{([A-Z_][A-Z0-9_]*)\}/g;
+var sandboxEgressRouters = /* @__PURE__ */ new WeakMap();
 function createUserTokenStore() {
   return new StateAdapterTokenStore(getStateAdapter());
 }
 function resolveTestApiHeaderTransforms(manifest) {
-  const { apiDomains, apiHeaders } = manifest;
-  if (!apiDomains || !apiHeaders) {
+  const { domains, apiHeaders } = manifest;
+  if (!domains || !apiHeaders) {
     return [];
   }
   const headers = Object.fromEntries(
@@ -3435,44 +3304,51 @@ function resolveTestApiHeaderTransforms(manifest) {
       })
     ])
   );
-  return apiDomains.map((domain) => ({ domain, headers }));
+  return domains.map((domain) => ({ domain, headers }));
+}
+function createTestBroker(plugin) {
+  const { apiHeaders, credentials, name } = plugin.manifest;
+  const commandEnv = resolvePluginCommandEnv(plugin.manifest);
+  return new TestCredentialBroker({
+    provider: name,
+    ...credentials ? {
+      domains: credentials.domains,
+      ...credentials.apiHeaders ? { apiHeaders: credentials.apiHeaders } : {},
+      envKey: credentials.authTokenEnv,
+      placeholder: resolveAuthTokenPlaceholder(credentials)
+    } : {},
+    ...apiHeaders ? {
+      headerTransforms: () => resolveTestApiHeaderTransforms(plugin.manifest)
+    } : {},
+    ...Object.keys(commandEnv).length > 0 ? { env: commandEnv } : {}
+  });
 }
-function createSkillCapabilityRuntime(options = {}) {
+function createProviderCredentialRouter(userTokenStore) {
   logCapabilityCatalogLoadedOnce();
   const useTestBroker = process.env.EVAL_ENABLE_TEST_CREDENTIALS === "1";
-  const userTokenStore = createUserTokenStore();
   const brokersByProvider = {};
   for (const plugin of getPluginProviders()) {
-    const { apiHeaders, credentials, name } = plugin.manifest;
-    if (!credentials && !apiHeaders) {
+    const { name } = plugin.manifest;
+    if (!plugin.manifest.credentials && !plugin.manifest.apiHeaders) {
       continue;
     }
-    if (!credentials) {
-      brokersByProvider[name] = useTestBroker ? new TestCredentialBroker({
-        provider: name,
-        headerTransforms: () => resolveTestApiHeaderTransforms(plugin.manifest),
-        ...plugin.manifest.commandEnv ? { env: plugin.manifest.commandEnv } : {}
-      }) : createPluginBroker(name, { userTokenStore });
-      continue;
-    }
-    const placeholder = resolveAuthTokenPlaceholder(credentials);
-    brokersByProvider[name] = useTestBroker ? new TestCredentialBroker({
-      provider: name,
-      domains: credentials.apiDomains,
-      ...credentials.apiHeaders ? { apiHeaders: credentials.apiHeaders } : {},
-      ...apiHeaders ? {
-        headerTransforms: () => resolveTestApiHeaderTransforms(plugin.manifest)
-      } : {},
-      ...plugin.manifest.commandEnv ? { env: plugin.manifest.commandEnv } : {},
-      envKey: credentials.authTokenEnv,
-      placeholder
-    }) : createPluginBroker(name, { userTokenStore });
+    brokersByProvider[name] = useTestBroker ? createTestBroker(plugin) : createPluginBroker(name, { userTokenStore });
   }
-  const router = new ProviderCredentialRouter({ brokersByProvider });
-  return new SkillCapabilityRuntime({
-    router,
-    requesterId: options.requesterId
-  });
+  return new ProviderCredentialRouter({ brokersByProvider });
+}
+function getSandboxEgressRouter() {
+  const stateAdapter = getStateAdapter();
+  let router = sandboxEgressRouters.get(stateAdapter);
+  if (!router) {
+    router = createProviderCredentialRouter(
+      new StateAdapterTokenStore(stateAdapter)
+    );
+    sandboxEgressRouters.set(stateAdapter, router);
+  }
+  return router;
+}
+async function issueProviderCredentialLease(input) {
+  return await getSandboxEgressRouter().issue(input);
 }
 // src/chat/capabilities/jr-rpc-command.ts
@@ -7354,13 +7230,272 @@ function createSlackThreadReadTool(context) {
   });
 }
-// src/chat/tools/system-time.ts
+// src/chat/tools/slack/user-lookup.ts
 import { Type as Type19 } from "@sinclair/typebox";
+// src/chat/slack/users.ts
+function normalizeUser(raw) {
+  const rawFields = raw.profile?.fields;
+  const profileFields = [];
+  if (rawFields && typeof rawFields === "object") {
+    for (const [id, field] of Object.entries(rawFields)) {
+      if (!field) continue;
+      profileFields.push({
+        id,
+        label: field.label || void 0,
+        value: field.value || void 0,
+        alt: field.alt || void 0
+      });
+    }
+  }
+  return {
+    id: raw.id ?? "",
+    team_id: raw.team_id || void 0,
+    name: raw.name || void 0,
+    real_name: raw.real_name || raw.profile?.real_name || void 0,
+    display_name: raw.profile?.display_name || void 0,
+    title: raw.profile?.title || void 0,
+    email: raw.profile?.email || void 0,
+    status_text: raw.profile?.status_text || void 0,
+    status_emoji: raw.profile?.status_emoji || void 0,
+    is_bot: raw.is_bot ?? false,
+    is_deleted: raw.deleted ?? false,
+    timezone: raw.tz || void 0,
+    ...profileFields.length > 0 ? { profile_fields: profileFields } : {}
+  };
+}
+async function lookupSlackUserProfile(userId) {
+  const client2 = getSlackClient();
+  const result = await withSlackRetries(
+    () => client2.users.info({ user: userId }),
+    3,
+    { action: "users.info" }
+  );
+  const user = result.user;
+  if (!user) {
+    throw new Error(`Slack users.info returned no user for ${userId}`);
+  }
+  return normalizeUser(user);
+}
+async function lookupSlackUserByEmail(email) {
+  const client2 = getSlackClient();
+  let result;
+  try {
+    result = await withSlackRetries(
+      () => client2.users.lookupByEmail({ email }),
+      3,
+      { action: "users.lookupByEmail" }
+    );
+  } catch (error) {
+    const apiError = error.apiError;
+    if (apiError === "users_not_found") {
+      return null;
+    }
+    throw error;
+  }
+  const user = result.user;
+  if (!user) {
+    return null;
+  }
+  return normalizeUser(user);
+}
+function scoreMatch(user, queryLower) {
+  const name = (user.name ?? "").toLowerCase();
+  const realName = (user.real_name ?? user.profile?.real_name ?? "").toLowerCase();
+  const displayName = (user.profile?.display_name ?? "").toLowerCase();
+  if (name === queryLower || displayName === queryLower) return 100;
+  if (realName === queryLower) return 90;
+  if (name.startsWith(queryLower) || displayName.startsWith(queryLower))
+    return 70;
+  if (realName.startsWith(queryLower)) return 60;
+  const realNameWords = realName.split(/\s+/);
+  if (realNameWords.some((w) => w === queryLower)) return 55;
+  if (realNameWords.some((w) => w.startsWith(queryLower))) return 50;
+  if (name.includes(queryLower) || displayName.includes(queryLower)) return 30;
+  if (realName.includes(queryLower)) return 20;
+  return 0;
+}
+async function searchSlackUsers(options) {
+  const {
+    query,
+    limit = 10,
+    maxPages = 3,
+    includeDeleted = false,
+    includeBots = false
+  } = options;
+  const queryLower = query.toLowerCase().trim();
+  const client2 = getSlackClient();
+  const matches = [];
+  let cursor;
+  let pages = 0;
+  let totalScanned = 0;
+  let truncated = false;
+  while (pages < maxPages) {
+    pages++;
+    const result = await withSlackRetries(
+      () => client2.users.list({
+        limit: 200,
+        ...cursor ? { cursor } : {}
+      }),
+      3,
+      { action: "users.list" }
+    );
+    const members = result.members ?? [];
+    totalScanned += members.length;
+    for (const member of members) {
+      if (!includeDeleted && member.deleted) continue;
+      if (!includeBots && member.is_bot) continue;
+      if (member.id === "USLACKBOT") continue;
+      const score = scoreMatch(member, queryLower);
+      if (score > 0) {
+        matches.push({ user: member, score });
+      }
+    }
+    const nextCursor = result.response_metadata?.next_cursor;
+    if (!nextCursor) {
+      break;
+    }
+    cursor = nextCursor;
+  }
+  if (pages >= maxPages && cursor) {
+    truncated = true;
+  }
+  matches.sort((a, b) => {
+    if (b.score !== a.score) return b.score - a.score;
+    return (a.user.name ?? "").localeCompare(b.user.name ?? "");
+  });
+  return {
+    users: matches.slice(0, limit).map((m) => normalizeUser(m.user)),
+    searched_pages: pages,
+    searched_user_count: totalScanned,
+    truncated
+  };
+}
+// src/chat/tools/slack/user-lookup.ts
+function createSlackUserLookupTool() {
+  return tool({
+    description: "Look up Slack user profiles by user ID, email, or name search. Use when you need to identify a user, resolve cross-platform identity, or look up profile details like title or status. Returns profile fields including custom fields. For user ID lookup, pass a Slack user ID (e.g. U039RR91S). For search, pass a name query.",
+    annotations: { readOnlyHint: true, destructiveHint: false },
+    inputSchema: Type19.Object({
+      user_id: Type19.Optional(
+        Type19.String({
+          minLength: 1,
+          description: "Slack user ID to look up (e.g. U039RR91S). Mutually exclusive with email and query."
+        })
+      ),
+      email: Type19.Optional(
+        Type19.String({
+          minLength: 3,
+          description: "Email address to look up. Mutually exclusive with user_id and query."
+        })
+      ),
+      query: Type19.Optional(
+        Type19.String({
+          minLength: 2,
+          description: "Name to search for (matches against username, display name, real name). Mutually exclusive with user_id and email."
+        })
+      ),
+      limit: Type19.Optional(
+        Type19.Integer({
+          minimum: 1,
+          maximum: 20,
+          description: "Maximum number of results to return for name search. Defaults to 10."
+        })
+      ),
+      max_pages: Type19.Optional(
+        Type19.Integer({
+          minimum: 1,
+          maximum: 5,
+          description: "Maximum number of Slack API pages to scan for name search. Defaults to 3."
+        })
+      ),
+      include_bots: Type19.Optional(
+        Type19.Boolean({
+          description: "Include bot accounts in name search results. Defaults to false."
+        })
+      )
+    }),
+    execute: async ({
+      user_id,
+      email,
+      query,
+      limit,
+      max_pages,
+      include_bots
+    }) => {
+      const modes = [user_id, email, query].filter(Boolean);
+      if (modes.length === 0) {
+        return {
+          ok: false,
+          error: "Provide exactly one of user_id, email, or query to look up a Slack user."
+        };
+      }
+      if (modes.length > 1) {
+        return {
+          ok: false,
+          error: "Only one of user_id, email, or query can be provided."
+        };
+      }
+      try {
+        if (user_id) {
+          return {
+            ok: true,
+            mode: "user_id",
+            user: await lookupSlackUserProfile(user_id)
+          };
+        }
+        if (email) {
+          const profile = await lookupSlackUserByEmail(email);
+          if (!profile) {
+            return {
+              ok: false,
+              mode: "email",
+              email,
+              error: "No Slack user found with that email address."
+            };
+          }
+          return { ok: true, mode: "email", user: profile };
+        }
+        const result = await searchSlackUsers({
+          query,
+          limit: limit ?? 10,
+          maxPages: max_pages ?? 3,
+          includeBots: include_bots ?? false
+        });
+        return {
+          ok: true,
+          mode: "query",
+          query,
+          count: result.users.length,
+          searched_pages: result.searched_pages,
+          searched_user_count: result.searched_user_count,
+          truncated: result.truncated,
+          users: result.users
+        };
+      } catch (error) {
+        if (error instanceof SlackActionError) {
+          return {
+            ok: false,
+            error: error.message,
+            slack_error: error.apiError,
+            code: error.code,
+            ...error.needed ? { needed_scope: error.needed } : {}
+          };
+        }
+        throw error;
+      }
+    }
+  });
+}
+// src/chat/tools/system-time.ts
+import { Type as Type20 } from "@sinclair/typebox";
 function createSystemTimeTool() {
   return tool({
     description: "Return current system time in UTC and local ISO formats. Use when the user asks for current time/date context. Do not use as a substitute for historical or timezone-conversion research.",
     annotations: { readOnlyHint: true, destructiveHint: false },
-    inputSchema: Type19.Object({}),
+    inputSchema: Type20.Object({}),
     execute: async () => {
       const now = /* @__PURE__ */ new Date();
       return {
@@ -7378,7 +7513,7 @@ function createSystemTimeTool() {
 import {
   Agent
 } from "@mariozechner/pi-agent-core";
-import { Type as Type20 } from "@sinclair/typebox";
+import { Type as Type21 } from "@sinclair/typebox";
 // src/chat/respond-helpers.ts
 var MAX_INLINE_ATTACHMENT_BASE64_CHARS = 12e4;
@@ -7666,12 +7801,12 @@ function createAdvisorTool(context) {
   const spanContext = context.logContext ?? {};
   return tool({
     description: ADVISOR_TOOL_DESCRIPTION,
-    inputSchema: Type20.Object({
-      question: Type20.String({
+    inputSchema: Type21.Object({
+      question: Type21.String({
         minLength: 1,
         description: "Focused advisor question or decision point."
       }),
-      context: Type20.String({
+      context: Type21.String({
         minLength: 1,
         description: "Curated evidence packet: relevant requirements, constraints, current plan, alternatives, code snippets, diffs, command output, and open questions."
       })
@@ -7783,7 +7918,7 @@ function createAdvisorTool(context) {
 }
 // src/chat/tools/web/fetch-tool.ts
-import { Type as Type21 } from "@sinclair/typebox";
+import { Type as Type22 } from "@sinclair/typebox";
 // src/chat/tools/web/constants.ts
 var USER_AGENT = "junior-bot/0.1";
@@ -8136,13 +8271,13 @@ function createWebFetchTool(hooks) {
       destructiveHint: false,
       openWorldHint: true
     },
-    inputSchema: Type21.Object({
-      url: Type21.String({
+    inputSchema: Type22.Object({
+      url: Type22.String({
         minLength: 1,
         description: "HTTP(S) URL to fetch."
       }),
-      max_chars: Type21.Optional(
-        Type21.Integer({
+      max_chars: Type22.Optional(
+        Type22.Integer({
           minimum: 500,
           maximum: MAX_FETCH_CHARS,
           description: "Optional maximum number of extracted characters to return."
@@ -8202,7 +8337,7 @@ function createWebFetchTool(hooks) {
 // src/chat/tools/web/search.ts
 import { generateText } from "ai";
 import { createGatewayProvider } from "@ai-sdk/gateway";
-import { Type as Type22 } from "@sinclair/typebox";
+import { Type as Type23 } from "@sinclair/typebox";
 var SEARCH_TIMEOUT_MS = 6e4;
 var MAX_RESULTS2 = 5;
 var DEFAULT_SEARCH_MODEL = "xai/grok-4-fast-reasoning";
@@ -8250,14 +8385,14 @@ function createWebSearchTool() {
       destructiveHint: false,
       openWorldHint: true
     },
-    inputSchema: Type22.Object({
-      query: Type22.String({
+    inputSchema: Type23.Object({
+      query: Type23.String({
         minLength: 1,
         maxLength: 500,
         description: "Search query."
       }),
-      max_results: Type22.Optional(
-        Type22.Integer({
+      max_results: Type23.Optional(
+        Type23.Integer({
           minimum: 1,
           maximum: MAX_RESULTS2,
           description: "Max results to return."
@@ -8326,20 +8461,20 @@ function createWebSearchTool() {
 }
 // src/chat/tools/sandbox/write-file.ts
-import { Type as Type23 } from "@sinclair/typebox";
+import { Type as Type24 } from "@sinclair/typebox";
 function createWriteFileTool() {
   return tool({
     description: "Write UTF-8 content to a file in the sandbox workspace. Use for intentional file creation or replacement after validation. Do not use for exploratory analysis-only turns.",
     promptSnippet: "new file or deliberate full-file replacement",
     promptGuidelines: ["targeted existing-file changes: editFile"],
     executionMode: "sequential",
-    inputSchema: Type23.Object(
+    inputSchema: Type24.Object(
       {
-        path: Type23.String({
+        path: Type24.String({
           minLength: 1,
           description: "Path to write in the sandbox workspace."
         }),
-        content: Type23.String({
+        content: Type24.String({
           description: "UTF-8 file content to write."
         })
       },
@@ -8413,6 +8548,7 @@ function createTools(availableSkills, hooks = {}, context) {
     slackCanvasRead: createSlackCanvasReadTool(),
     slackCanvasUpdate: createSlackCanvasUpdateTool(state, context),
     slackThreadRead: createSlackThreadReadTool(context),
+    slackUserLookup: createSlackUserLookupTool(),
     slackListCreate: createSlackListCreateTool(state),
     slackListAddItems: createSlackListAddItemsTool(state),
     slackListGetItems: createSlackListGetItemsTool(state),
@@ -8463,6 +8599,175 @@ function resolveChannelCapabilities(channelId) {
 // src/chat/sandbox/sandbox.ts
 import fs4 from "fs/promises";
+// src/chat/sandbox/egress-policy.ts
+var SANDBOX_EGRESS_PROXY_PATH = "/api/internal/sandbox-egress";
+function matchesSandboxEgressDomain(host, domain) {
+  return host.toLowerCase() === domain.toLowerCase();
+}
+function manifestDomains(manifest) {
+  const domains = /* @__PURE__ */ new Set([
+    ...manifest.credentials?.domains ?? [],
+    ...manifest.domains ?? []
+  ]);
+  return [...domains].sort((left, right) => left.localeCompare(right));
+}
+function providerEntries() {
+  return getPluginProviders().map((plugin) => ({
+    provider: plugin.manifest.name,
+    domains: manifestDomains(plugin.manifest)
+  })).filter((entry) => entry.domains.length > 0).sort((left, right) => left.provider.localeCompare(right.provider));
+}
+function resolveSandboxEgressProviderForHost(host) {
+  return providerEntries().find(
+    (entry) => entry.domains.some((domain) => matchesSandboxEgressDomain(host, domain))
+  )?.provider;
+}
+function proxyUrl(egressId) {
+  const baseUrl = resolveBaseUrl();
+  if (!baseUrl) {
+    return void 0;
+  }
+  const url = new URL(
+    `${SANDBOX_EGRESS_PROXY_PATH}/${encodeURIComponent(egressId)}`,
+    baseUrl
+  );
+  return url.toString();
+}
+function buildSandboxEgressNetworkPolicy(egressId) {
+  const entries = providerEntries();
+  if (entries.length === 0) {
+    return void 0;
+  }
+  const forwardURL = proxyUrl(egressId);
+  if (!forwardURL) {
+    throw new Error(
+      "Cannot determine base URL for sandbox credential egress (set JUNIOR_BASE_URL or deploy to Vercel)"
+    );
+  }
+  const allow = {
+    "*": []
+  };
+  for (const entry of entries) {
+    for (const domain of entry.domains) {
+      allow[domain] = [{ forwardURL }];
+    }
+  }
+  return { allow };
+}
+async function resolveSandboxCommandEnvironment() {
+  const env = {};
+  for (const plugin of getPluginProviders().sort(
+    (left, right) => left.manifest.name.localeCompare(right.manifest.name)
+  )) {
+    Object.assign(env, resolvePluginCommandEnv(plugin.manifest));
+    const credentials = plugin.manifest.credentials;
+    if (credentials) {
+      env[credentials.authTokenEnv] = resolveAuthTokenPlaceholder(credentials);
+    }
+  }
+  return env;
+}
+// src/chat/sandbox/egress-session.ts
+import { randomUUID as randomUUID3 } from "crypto";
+var SANDBOX_EGRESS_SESSION_PREFIX = "sandbox-egress-session";
+var SANDBOX_EGRESS_LEASE_PREFIX = "sandbox-egress-lease";
+var DEFAULT_SESSION_TTL_MS = 30 * 60 * 1e3;
+function sessionKey2(egressId) {
+  return `${SANDBOX_EGRESS_SESSION_PREFIX}:${egressId}`;
+}
+function leaseKey(egressId, provider, session) {
+  return `${SANDBOX_EGRESS_LEASE_PREFIX}:${egressId}:${provider}:${session.requesterId}:${session.activationId}`;
+}
+function parseSession(value) {
+  if (!value || typeof value !== "object") {
+    return void 0;
+  }
+  const record = value;
+  if (typeof record.requesterId !== "string" || typeof record.expiresAtMs !== "number" || !Number.isFinite(record.expiresAtMs) || typeof record.activationId !== "string" || !record.activationId) {
+    return void 0;
+  }
+  if (record.expiresAtMs <= Date.now()) {
+    return void 0;
+  }
+  return {
+    requesterId: record.requesterId,
+    expiresAtMs: record.expiresAtMs,
+    activationId: record.activationId
+  };
+}
+function parseLease(value) {
+  if (!value || typeof value !== "object") {
+    return void 0;
+  }
+  const record = value;
+  if (typeof record.provider !== "string" || typeof record.expiresAt !== "string" || !Array.isArray(record.headerTransforms)) {
+    return void 0;
+  }
+  const expiresAtMs = Date.parse(record.expiresAt);
+  if (!Number.isFinite(expiresAtMs) || expiresAtMs <= Date.now()) {
+    return void 0;
+  }
+  const headerTransforms = record.headerTransforms.filter(
+    (transform) => Boolean(
+      transform && typeof transform.domain === "string" && transform.headers && typeof transform.headers === "object"
+    )
+  );
+  if (headerTransforms.length === 0) {
+    return void 0;
+  }
+  return {
+    provider: record.provider,
+    expiresAt: record.expiresAt,
+    headerTransforms
+  };
+}
+async function upsertSandboxEgressSession(input) {
+  const state = getStateAdapter();
+  await state.connect();
+  const ttlMs = Math.max(1, input.ttlMs ?? DEFAULT_SESSION_TTL_MS);
+  const now = Date.now();
+  const session = {
+    requesterId: input.requesterId,
+    expiresAtMs: now + ttlMs,
+    activationId: randomUUID3()
+  };
+  await state.set(sessionKey2(input.egressId), session, ttlMs);
+}
+async function clearSandboxEgressSession(egressId) {
+  const state = getStateAdapter();
+  await state.connect();
+  await state.delete(sessionKey2(egressId));
+}
+async function getSandboxEgressSession(egressId) {
+  const state = getStateAdapter();
+  await state.connect();
+  return parseSession(await state.get(sessionKey2(egressId)));
+}
+async function setSandboxEgressCredentialLease(egressId, session, lease) {
+  const leaseExpiresAtMs = Date.parse(lease.expiresAt);
+  if (!Number.isFinite(leaseExpiresAtMs) || leaseExpiresAtMs <= Date.now()) {
+    return;
+  }
+  const ttlMs = Math.max(
+    1,
+    Math.min(leaseExpiresAtMs, session.expiresAtMs) - Date.now()
+  );
+  const state = getStateAdapter();
+  await state.connect();
+  await state.set(leaseKey(egressId, lease.provider, session), lease, ttlMs);
+}
+async function getSandboxEgressCredentialLease(egressId, provider, session) {
+  const state = getStateAdapter();
+  await state.connect();
+  return parseLease(await state.get(leaseKey(egressId, provider, session)));
+}
+async function clearSandboxEgressCredentialLease(egressId, provider, session) {
+  const state = getStateAdapter();
+  await state.connect();
+  await state.delete(leaseKey(egressId, provider, session));
+}
 // src/chat/sandbox/http-error-details.ts
 var DEFAULT_PREVIEW_LIMIT = 512;
 function toTrimmedString(value, maxChars) {
@@ -8665,6 +8970,7 @@ function throwSandboxOperationError(action, error, includeMissingPath = false) {
 }
 // src/chat/sandbox/session.ts
+import { randomUUID as randomUUID4 } from "crypto";
 import { Sandbox } from "@vercel/sandbox";
 import { createBashTool as createBashTool2 } from "bash-tool";
@@ -9238,27 +9544,39 @@ var SANDBOX_RUNTIME = "node22";
 var SANDBOX_RUNTIME_BIN_DIR = `${SANDBOX_WORKSPACE_ROOT}/.junior/bin`;
 var SNAPSHOT_BOOT_RETRY_COUNT = 3;
 var SNAPSHOT_BOOT_RETRY_DELAY_MS = 1e3;
-function mergeNetworkPolicyWithHeaderTransforms(networkPolicy, headerTransforms) {
-  const basePolicy = networkPolicy && typeof networkPolicy === "object" && !Array.isArray(networkPolicy) ? { ...networkPolicy } : {};
-  const existingAllowRaw = basePolicy.allow;
-  const existingAllow = existingAllowRaw && typeof existingAllowRaw === "object" && !Array.isArray(existingAllowRaw) ? Object.fromEntries(
-    Object.entries(existingAllowRaw).map(
-      ([domain, rules]) => [
-        domain,
-        Array.isArray(rules) ? [...rules] : []
-      ]
-    )
-  ) : { "*": [] };
-  for (const transform of headerTransforms) {
-    const currentRules = existingAllow[transform.domain] ?? [];
-    existingAllow[transform.domain] = [
-      ...currentRules,
-      { transform: [{ headers: transform.headers }] }
-    ];
-  }
+var SANDBOX_NAME_PREFIX = "junior-";
+function createBashToolSandboxAdapter(sandbox) {
   return {
-    ...basePolicy,
-    allow: existingAllow
+    async executeCommand(command) {
+      const result = await sandbox.runCommand({
+        cmd: "bash",
+        args: ["-c", command]
+      });
+      const [stdout, stderr] = await Promise.all([
+        result.stdout(),
+        result.stderr()
+      ]);
+      return {
+        stdout,
+        stderr,
+        exitCode: result.exitCode
+      };
+    },
+    async readFile(filePath) {
+      const content = await sandbox.readFileToBuffer({ path: filePath });
+      if (content == null) {
+        throw new Error(`File not found: ${filePath}`);
+      }
+      return content.toString("utf8");
+    },
+    async writeFiles(files) {
+      await sandbox.writeFiles(
+        files.map((file) => ({
+          path: file.path,
+          content: file.content
+        }))
+      );
+    }
   };
 }
 function truncateOutput(output, maxLength) {
@@ -9291,23 +9609,31 @@ function createSandboxSessionManager(options) {
   let availableSkills = [];
   let availableReferenceFiles = [];
   let toolExecutors;
+  let appliedNetworkPolicyKey;
   const timeoutMs = options?.timeoutMs ?? 1e3 * 60 * 30;
   const traceContext = options?.traceContext ?? {};
   const dependencyProfileHash = getRuntimeDependencyProfileHash(SANDBOX_RUNTIME);
+  const resolveCommandEnv = options?.commandEnv ?? (async () => ({}));
   const withSandboxSpan = (name, op, attributes, callback) => withSpan(name, op, traceContext, callback, attributes);
   const clearSession = () => {
     sandbox = null;
     sandboxIdHint = void 0;
     toolExecutors = void 0;
+    appliedNetworkPolicyKey = void 0;
+  };
+  const createSandboxName = () => `${SANDBOX_NAME_PREFIX}${randomUUID4()}`;
+  const preflightNetworkPolicy = (sandboxName) => {
+    return options?.createNetworkPolicy?.(sandboxName);
   };
   const rememberSandbox = async (nextSandbox) => {
     sandbox = nextSandbox;
     sandboxIdHint = nextSandbox.sandboxId;
     toolExecutors = void 0;
-    await options?.onSandboxAcquired?.({
-      sandboxId: nextSandbox.sandboxId,
+    const acquired = {
+      sandboxId: sandboxIdHint,
       ...dependencyProfileHash ? { sandboxDependencyProfileHash: dependencyProfileHash } : {}
-    });
+    };
+    await options?.onSandboxAcquired?.(acquired);
     return nextSandbox;
   };
   const failSetup = (error) => {
@@ -9322,6 +9648,30 @@ function createSandboxSessionManager(options) {
       runtimeBinDir: SANDBOX_RUNTIME_BIN_DIR
     });
   };
+  const refreshNetworkPolicy = async (targetSandbox) => {
+    const networkPolicy = options?.createNetworkPolicy?.(
+      targetSandbox.sandboxEgressId
+    );
+    if (!networkPolicy) {
+      return;
+    }
+    const networkPolicyKey = JSON.stringify(networkPolicy);
+    if (appliedNetworkPolicyKey === networkPolicyKey) {
+      return;
+    }
+    await withSandboxSpan(
+      "sandbox.network_policy.update",
+      "sandbox.update",
+      {
+        "app.sandbox.reused": true,
+        "app.sandbox.source": "id_hint"
+      },
+      async () => {
+        await targetSandbox.update({ networkPolicy });
+      }
+    );
+    appliedNetworkPolicyKey = networkPolicyKey;
+  };
   const ensureSandboxReachable = async (targetSandbox, source) => {
     await withSandboxSpan(
       "sandbox.reuse_probe",
@@ -9341,23 +9691,6 @@ function createSandboxSessionManager(options) {
       }
     );
   };
-  const invalidateSandboxInstance = async (targetSandbox, reason) => {
-    if (sandbox === targetSandbox) {
-      clearSession();
-    }
-    logWarn(
-      "sandbox_network_policy_restore_failed",
-      traceContext,
-      {
-        "exception.message": reason instanceof Error ? reason.message : String(reason)
-      },
-      "Sandbox network policy restore failed; discarding sandbox instance"
-    );
-    try {
-      await targetSandbox.stop({ blocking: true });
-    } catch {
-    }
-  };
   const recreateUnavailableSandbox = async (source) => {
     setSpanAttributes({
       "app.sandbox.recovery.attempted": true,
@@ -9370,17 +9703,22 @@ function createSandboxSessionManager(options) {
     });
     return replacement;
   };
-  const createSandboxFromSnapshot = async (snapshotId, sandboxCredentials) => {
+  const createSandboxFromSnapshot = async (snapshotId, sandboxCredentials, initialSandboxName) => {
     for (let attempt = 0; attempt < SNAPSHOT_BOOT_RETRY_COUNT; attempt += 1) {
+      const sandboxName = attempt === 0 ? initialSandboxName : createSandboxName();
+      const networkPolicy = preflightNetworkPolicy(sandboxName);
       try {
-        return await Sandbox.create({
-          timeout: timeoutMs,
-          source: {
-            type: "snapshot",
-            snapshotId
-          },
-          ...sandboxCredentials ?? {}
-        });
+        return createSandboxInstance(
+          await Sandbox.create({
+            timeout: timeoutMs,
+            ...networkPolicy ? { name: sandboxName, persistent: false, networkPolicy } : {},
+            source: {
+              type: "snapshot",
+              snapshotId
+            },
+            ...sandboxCredentials ?? {}
+          })
+        );
       } catch (error) {
         if (!isSnapshottingError(error) || attempt === SNAPSHOT_BOOT_RETRY_COUNT - 1) {
           throw error;
@@ -9405,18 +9743,23 @@ function createSandboxSessionManager(options) {
     });
   };
   const createSandboxFromResolvedSnapshot = async (params) => {
-    const { runtime, snapshot, sandboxCredentials } = params;
+    const { runtime, snapshot, sandboxCredentials, sandboxName } = params;
     if (!snapshot.snapshotId) {
-      return await Sandbox.create({
-        timeout: timeoutMs,
-        runtime,
-        ...sandboxCredentials ?? {}
-      });
+      const networkPolicy = preflightNetworkPolicy(sandboxName);
+      return createSandboxInstance(
+        await Sandbox.create({
+          timeout: timeoutMs,
+          runtime,
+          ...networkPolicy ? { name: sandboxName, persistent: false, networkPolicy } : {},
+          ...sandboxCredentials ?? {}
+        })
+      );
     }
     try {
       return await createSandboxFromSnapshot(
         snapshot.snapshotId,
-        sandboxCredentials
+        sandboxCredentials,
+        sandboxName
       );
     } catch (error) {
       if (!isSnapshotMissingError(error)) {
@@ -9436,13 +9779,15 @@ function createSandboxSessionManager(options) {
       }
       return await createSandboxFromSnapshot(
         rebuiltSnapshot.snapshotId,
-        sandboxCredentials
+        sandboxCredentials,
+        sandboxName
       );
     }
   };
   const createFreshSandbox = async () => {
     const runtime = SANDBOX_RUNTIME;
     const sandboxCredentials = getVercelSandboxCredentials();
+    const sandboxName = createSandboxName();
     let createdSandbox;
     try {
       createdSandbox = await withSandboxSpan(
@@ -9462,7 +9807,8 @@ function createSandboxSessionManager(options) {
           return await createSandboxFromResolvedSnapshot({
             runtime,
             snapshot,
-            sandboxCredentials
+            sandboxCredentials,
+            sandboxName
           });
         }
       );
@@ -9470,6 +9816,7 @@ function createSandboxSessionManager(options) {
       return failSetup(error);
     }
     try {
+      await refreshNetworkPolicy(createdSandbox);
       await syncSkills(createdSandbox);
     } catch (error) {
       return failSetup(error);
@@ -9497,6 +9844,7 @@ function createSandboxSessionManager(options) {
     }
     try {
       await ensureSandboxReachable(cachedSandbox, "memory");
+      await refreshNetworkPolicy(cachedSandbox);
       return cachedSandbox;
     } catch (error) {
       if (isSandboxUnavailableError(error)) {
@@ -9519,15 +9867,19 @@ function createSandboxSessionManager(options) {
           "app.sandbox.reused": true,
           "app.sandbox.source": "id_hint"
         },
-        async () => await Sandbox.get({
-          sandboxId: sandboxIdHint,
-          ...sandboxCredentials ?? {}
-        })
+        async () => createSandboxInstance(
+          await Sandbox.get({
+            name: sandboxIdHint,
+            resume: true,
+            ...sandboxCredentials ?? {}
+          })
+        )
       );
     } catch {
       return null;
     }
     try {
+      await refreshNetworkPolicy(hintedSandbox);
       await syncSkills(hintedSandbox);
       return await rememberSandbox(hintedSandbox);
     } catch (error) {
@@ -9582,37 +9934,6 @@ function createSandboxSessionManager(options) {
       stderrTruncated: stderr.truncated
     };
   };
-  const withTemporaryHeaderTransforms = async (sandboxInstance, headerTransforms, callback) => {
-    if (!headerTransforms || headerTransforms.length === 0) {
-      return await callback();
-    }
-    const restoreNetworkPolicy = sandboxInstance.networkPolicy ?? "allow-all";
-    const policy = mergeNetworkPolicyWithHeaderTransforms(
-      restoreNetworkPolicy,
-      headerTransforms
-    );
-    await sandboxInstance.updateNetworkPolicy(policy);
-    let callbackError;
-    let restoreError;
-    let result;
-    try {
-      result = await callback();
-    } catch (error) {
-      callbackError = error;
-      throw error;
-    } finally {
-      try {
-        await sandboxInstance.updateNetworkPolicy(restoreNetworkPolicy);
-      } catch (error) {
-        restoreError = error;
-        await invalidateSandboxInstance(sandboxInstance, error);
-      }
-    }
-    if (restoreError && !callbackError) {
-      throw restoreError;
-    }
-    return result;
-  };
   const extendKeepAlive = async (activeSandbox) => {
     const keepAliveMs = parseKeepAliveMs();
     if (keepAliveMs === 0) {
@@ -9633,6 +9954,7 @@ function createSandboxSessionManager(options) {
     }
   };
   const buildToolExecutors = async (sandboxInstance) => {
+    const activeSandboxId = sandboxInstance.sandboxId;
     const toolkit = await withSandboxSpan(
       "sandbox.bash_tool.init",
       "sandbox.tool.init",
@@ -9641,7 +9963,7 @@ function createSandboxSessionManager(options) {
         "app.sandbox.destination": SANDBOX_WORKSPACE_ROOT
       },
       async () => await createBashTool2({
-        sandbox: sandboxInstance,
+        sandbox: createBashToolSandboxAdapter(sandboxInstance),
         destination: SANDBOX_WORKSPACE_ROOT
       })
     );
@@ -9652,47 +9974,70 @@ function createSandboxSessionManager(options) {
     }
     return {
       bash: async (input) => {
-        const script = buildNonInteractiveShellScript(input.command, {
-          env: input.env,
-          pathPrefix: `${SANDBOX_RUNTIME_BIN_DIR}:$PATH`
-        });
-        const controller = input.timeoutMs && input.timeoutMs > 0 ? new AbortController() : void 0;
+        const commandEgressId = sandboxInstance.sandboxEgressId;
+        await options?.beforeCommand?.(commandEgressId);
         let timedOut = false;
-        const timeoutId = controller ? setTimeout(() => {
-          timedOut = true;
-          controller.abort();
-        }, input.timeoutMs) : void 0;
-        return await withTemporaryHeaderTransforms(
-          sandboxInstance,
-          input.headerTransforms,
-          async () => {
-            try {
-              const commandResult2 = await sandboxInstance.runCommand({
-                cmd: "bash",
-                args: ["-c", script],
-                cwd: SANDBOX_WORKSPACE_ROOT,
-                ...controller ? { signal: controller.signal } : {}
-              });
-              return await readCommandOutput(commandResult2);
-            } catch (error) {
-              if (timedOut) {
-                return {
-                  stdout: "",
-                  stderr: `Command timed out after ${input.timeoutMs}ms`,
-                  exitCode: 124,
-                  stdoutTruncated: false,
-                  stderrTruncated: false,
-                  timedOut: true
-                };
-              }
-              throw error;
-            } finally {
-              if (timeoutId) {
-                clearTimeout(timeoutId);
-              }
-            }
+        let timeoutId;
+        let commandFinished = false;
+        const finishCommand = async () => {
+          if (commandFinished) {
+            return;
           }
-        );
+          commandFinished = true;
+          await options?.afterCommand?.(commandEgressId);
+        };
+        const finishCommandBestEffort = async () => {
+          try {
+            await finishCommand();
+          } catch (error) {
+            logWarn(
+              "sandbox_command_cleanup_failed",
+              traceContext,
+              {
+                "app.sandbox.id": activeSandboxId,
+                "error.type": error instanceof Error ? error.name : "sandbox_command_cleanup_error"
+              },
+              "Sandbox command cleanup failed"
+            );
+          }
+        };
+        try {
+          const sandboxCommandEnv = await resolveCommandEnv();
+          const script = buildNonInteractiveShellScript(input.command, {
+            env: { ...sandboxCommandEnv, ...input.env ?? {} },
+            pathPrefix: `${SANDBOX_RUNTIME_BIN_DIR}:$PATH`
+          });
+          const controller = input.timeoutMs && input.timeoutMs > 0 ? new AbortController() : void 0;
+          timeoutId = controller ? setTimeout(() => {
+            timedOut = true;
+            controller.abort();
+          }, input.timeoutMs) : void 0;
+          const commandResult2 = await sandboxInstance.runCommand({
+            cmd: "bash",
+            args: ["-c", script],
+            cwd: SANDBOX_WORKSPACE_ROOT,
+            ...controller ? { signal: controller.signal } : {}
+          });
+          await finishCommandBestEffort();
+          return await readCommandOutput(commandResult2);
+        } catch (error) {
+          if (timedOut) {
+            return {
+              stdout: "",
+              stderr: `Command timed out after ${input.timeoutMs}ms`,
+              exitCode: 124,
+              stdoutTruncated: false,
+              stderrTruncated: false,
+              timedOut: true
+            };
+          }
+          throw error;
+        } finally {
+          if (timeoutId) {
+            clearTimeout(timeoutId);
+          }
+          await finishCommandBestEffort();
+        }
       },
       readFile: async (input) => await executeReadFile(input, {
         toolCallId: "sandbox-read-file",
@@ -9725,7 +10070,7 @@ function createSandboxSessionManager(options) {
       availableReferenceFiles = [...files];
     },
     getSandboxId() {
-      return sandbox?.sandboxId ?? sandboxIdHint;
+      return sandbox ? sandbox.sandboxId : sandboxIdHint;
     },
     getDependencyProfileHash() {
       return dependencyProfileHash;
@@ -9748,7 +10093,7 @@ function createSandboxSessionManager(options) {
           "app.sandbox.stop.blocking": true
         },
         async () => {
-          await activeSandbox.stop({ blocking: true });
+          await activeSandbox.stop();
         }
       );
       sandbox = null;
@@ -9767,21 +10112,6 @@ var SANDBOX_TOOL_NAMES = /* @__PURE__ */ new Set([
   "listDir",
   "writeFile"
 ]);
-function parseHeaderTransforms(raw) {
-  if (!Array.isArray(raw)) {
-    return void 0;
-  }
-  return raw.filter(
-    (value) => Boolean(value && typeof value === "object")
-  ).map((transform) => ({
-    domain: String(transform.domain ?? "").trim(),
-    headers: transform.headers && typeof transform.headers === "object" && !Array.isArray(transform.headers) ? Object.fromEntries(
-      Object.entries(transform.headers).filter(([, value]) => typeof value === "string").map(([key, value]) => [key, value])
-    ) : {}
-  })).filter(
-    (transform) => transform.domain.length > 0 && Object.keys(transform.headers).length > 0
-  );
-}
 function parseEnv(raw) {
   if (!raw || typeof raw !== "object" || Array.isArray(raw)) {
     return void 0;
@@ -9790,27 +10120,33 @@ function parseEnv(raw) {
     Object.entries(raw).filter(([, value]) => typeof value === "string").map(([key, value]) => [key, value])
   );
 }
-function createSandboxWorkspace(sandbox) {
-  return {
-    sandboxId: sandbox.sandboxId,
-    readFileToBuffer(input) {
-      return sandbox.readFileToBuffer(input);
-    },
-    runCommand(input) {
-      return sandbox.runCommand(input);
-    }
-  };
-}
 function createSandboxExecutor(options) {
   let availableSkills = [];
   let referenceFiles = [];
   const traceContext = options?.traceContext ?? {};
+  const credentialEgress = options?.credentialEgress;
+  const syncSandboxEgressSession = credentialEgress ? async (egressId) => {
+    await upsertSandboxEgressSession({
+      egressId,
+      requesterId: credentialEgress.requesterId,
+      ttlMs: options?.timeoutMs
+    });
+  } : void 0;
+  const clearSandboxEgressSessionForCommand = credentialEgress ? async (egressId) => {
+    await clearSandboxEgressSession(egressId);
+  } : void 0;
   const sessionManager = createSandboxSessionManager({
     sandboxId: options?.sandboxId,
     sandboxDependencyProfileHash: options?.sandboxDependencyProfileHash,
     timeoutMs: options?.timeoutMs,
     traceContext,
-    onSandboxAcquired: options?.onSandboxAcquired
+    commandEnv: credentialEgress ? async () => await resolveSandboxCommandEnvironment() : void 0,
+    createNetworkPolicy: credentialEgress ? buildSandboxEgressNetworkPolicy : void 0,
+    beforeCommand: syncSandboxEgressSession,
+    afterCommand: clearSandboxEgressSessionForCommand,
+    onSandboxAcquired: async (sandbox) => {
+      await options?.onSandboxAcquired?.(sandbox);
+    }
   });
   const withSandboxSpan = (name, op, attributes, callback) => withSpan(name, op, traceContext, callback, attributes);
   const logSandboxBootRequest = (trigger, details = {}) => {
@@ -9828,7 +10164,6 @@ function createSandboxExecutor(options) {
     );
   };
   const executeBashTool = async (rawInput, command) => {
-    const headerTransforms = parseHeaderTransforms(rawInput.headerTransforms);
     const env = parseEnv(rawInput.env);
     const timeoutMs = positiveInteger(rawInput.timeoutMs);
     logSandboxBootRequest("tool.bash", {
@@ -9845,7 +10180,6 @@ function createSandboxExecutor(options) {
         try {
           const response = await executeBash({
             command,
-            ...headerTransforms ? { headerTransforms } : {},
             ...env ? { env } : {},
             ...timeoutMs ? { timeoutMs } : {}
           });
@@ -10149,7 +10483,7 @@ function createSandboxExecutor(options) {
       return SANDBOX_TOOL_NAMES.has(toolName);
     },
     async createSandbox() {
-      return createSandboxWorkspace(await sessionManager.createSandbox());
+      return await sessionManager.createSandbox();
     },
     execute,
     async dispose() {
@@ -10250,34 +10584,6 @@ function buildSandboxInput(toolName, params) {
   return params;
 }
-// src/chat/tools/execution/inject-credentials.ts
-function resolveCredentialInjection(toolName, command, capabilityRuntime, sandbox) {
-  if (toolName !== "bash" || !capabilityRuntime) {
-    return {};
-  }
-  const headerTransforms = capabilityRuntime.getTurnHeaderTransforms();
-  const env = capabilityRuntime.getTurnEnv();
-  const isCustomCommand = /^jr-rpc(?:\s|$)/.test(command.trim());
-  const shouldLog = !isCustomCommand && Boolean(headerTransforms && headerTransforms.length > 0);
-  if (shouldLog) {
-    const headerDomains = (headerTransforms ?? []).map(
-      (transform) => transform.domain
-    );
-    const skillName = sandbox.getActiveSkill()?.name;
-    logInfo(
-      "credential_inject_start",
-      {},
-      {
-        "app.skill.name": skillName,
-        "app.credential.delivery": "header_transform",
-        "app.credential.header_domains": headerDomains
-      },
-      `Injecting scoped credential headers for sandbox command (${skillName ?? "unknown skill"} \u2192 ${headerDomains.join(", ")})`
-    );
-  }
-  return { headerTransforms, env };
-}
 // src/chat/tools/execution/normalize-result.ts
 function isStructuredToolExecutionResult(value) {
   const content = value?.content;
@@ -10367,7 +10673,7 @@ function handleToolExecutionError(error, toolName, toolCallId, shouldTrace, trac
 }
 // src/chat/tools/agent-tools.ts
-function createAgentTools(tools, sandbox, spanContext, onStatus, sandboxExecutor, capabilityRuntime, pluginAuthOrchestration, onToolCall) {
+function createAgentTools(tools, sandbox, spanContext, onStatus, sandboxExecutor, pluginAuthOrchestration, onToolCall) {
   const shouldTrace = shouldEmitDevAgentTrace();
   return Object.entries(tools).map(([toolName, toolDef]) => ({
     name: toolName,
@@ -10407,21 +10713,11 @@ function createAgentTools(tools, sandbox, spanContext, onStatus, sandboxExecutor
               };
             }
             const bashCommand = toolName === "bash" && typeof parsed.command === "string" ? parsed.command.trim() : "";
-            const injection = resolveCredentialInjection(
-              toolName,
-              bashCommand,
-              capabilityRuntime,
-              sandbox
-            );
             const sandboxInput = buildSandboxInput(toolName, parsed);
             const isSandbox = Boolean(sandboxExecutor?.canExecute(toolName));
             const result = isSandbox ? await sandboxExecutor.execute({
               toolName,
-              input: toolName === "bash" && (injection.headerTransforms || injection.env) ? {
-                ...sandboxInput,
-                ...injection.headerTransforms ? { headerTransforms: injection.headerTransforms } : {},
-                ...injection.env ? { env: injection.env } : {}
-              } : sandboxInput
+              input: sandboxInput
             }) : await toolDef.execute(parsed, {
               experimental_context: sandbox
             });
@@ -11284,6 +11580,7 @@ ${typeof result.stderr === "string" ? result.stderr : ""}`.toLowerCase();
     return false;
   }
   return [
+    /\bjunior-auth-required\b/,
     /\b401\b/,
     /\bunauthorized\b/,
     /\bbad credentials\b/,
@@ -11296,6 +11593,33 @@ ${typeof result.stderr === "string" ? result.stderr : ""}`.toLowerCase();
     /\breauthoriz/
   ].some((pattern) => pattern.test(text));
 }
+function commandText(details) {
+  if (!details || typeof details !== "object") {
+    return "";
+  }
+  const result = details;
+  return `${typeof result.stdout === "string" ? result.stdout : ""}
+${typeof result.stderr === "string" ? result.stderr : ""}`;
+}
+function explicitAuthRequiredProvider(details) {
+  const match = /\bjunior-auth-required\s+provider=([a-z0-9-]+)\b/.exec(
+    commandText(details).toLowerCase()
+  );
+  return match?.[1];
+}
+function registeredProviderNames() {
+  const providers = /* @__PURE__ */ new Set();
+  for (const plugin of getPluginProviders()) {
+    const domains = [
+      ...plugin.manifest.credentials?.domains ?? [],
+      ...plugin.manifest.domains ?? []
+    ];
+    if (domains.length > 0) {
+      providers.add(plugin.manifest.name);
+    }
+  }
+  return [...providers].sort((left, right) => left.localeCompare(right));
+}
 function commandTargetsProvider(provider, command, details) {
   const normalizedCommand = command.trim().toLowerCase();
   if (!normalizedCommand) {
@@ -11310,16 +11634,15 @@ function commandTargetsProvider(provider, command, details) {
   const credentials = manifest?.credentials;
   if (credentials) {
     candidates.add(credentials.authTokenEnv.toLowerCase());
-    for (const domain of credentials.apiDomains) {
+    for (const domain of credentials.domains) {
       candidates.add(domain.toLowerCase());
     }
   }
-  for (const domain of manifest?.apiDomains ?? []) {
+  for (const domain of manifest?.domains ?? []) {
     candidates.add(domain.toLowerCase());
   }
   const combinedText = `${normalizedCommand}
-${details.stdout?.toLowerCase() ?? ""}
-${details.stderr?.toLowerCase() ?? ""}`;
+${commandText(details).toLowerCase()}`;
   return [...candidates].some((candidate) => combinedText.includes(candidate));
 }
 function createPluginAuthOrchestration(deps, abortAgent) {
@@ -11377,23 +11700,22 @@ function createPluginAuthOrchestration(deps, abortAgent) {
     abortAgent();
     throw pendingPause;
   };
-  const handleCredentialUnavailable = async (input) => {
-    if (pendingPause) {
-      throw pendingPause;
-    }
-    if (!deps.requesterId || !getPluginOAuthConfig(input.error.provider)) {
-      throw input.error;
-    }
-    return await startAuthorizationPause(
-      input.error.provider,
-      input.activeSkill
-    );
-  };
   return {
-    handleCredentialUnavailable,
     handleCommandFailure: async (input) => {
-      const provider = input.activeSkill?.pluginProvider;
-      if (!provider || !deps.requesterId || !deps.userTokenStore || !getPluginOAuthConfig(provider) || !isCommandAuthFailure(input.details) || !commandTargetsProvider(provider, input.command, input.details)) {
+      const providers = registeredProviderNames();
+      const authFailure = isCommandAuthFailure(input.details);
+      if (!authFailure) {
+        return;
+      }
+      const explicitProvider = explicitAuthRequiredProvider(input.details);
+      const provider = explicitProvider && providers.includes(explicitProvider) ? explicitProvider : providers.find(
+        (availableProvider) => commandTargetsProvider(
+          availableProvider,
+          input.command,
+          input.details
+        )
+      );
+      if (!provider || !deps.requesterId || !deps.userTokenStore || !getPluginOAuthConfig(provider)) {
         return;
       }
       await startAuthorizationPause(provider, input.activeSkill, {
@@ -11659,14 +11981,15 @@ async function generateAssistantReply(messageText, context = {}) {
       ...context.configuration ?? {},
       ...persistedConfigurationValues
     };
-    const capabilityRuntime = createSkillCapabilityRuntime({
-      requesterId: context.requester?.userId
-    });
+    const requesterId = context.requester?.userId;
     const userTokenStore = createUserTokenStore();
     sandboxExecutor = createSandboxExecutor({
       sandboxId: context.sandbox?.sandboxId,
       sandboxDependencyProfileHash: context.sandbox?.sandboxDependencyProfileHash,
       traceContext: spanContext,
+      credentialEgress: requesterId ? {
+        requesterId
+      } : void 0,
       onSandboxAcquired: async (sandbox2) => {
         lastKnownSandboxId = sandbox2.sandboxId;
         lastKnownSandboxDependencyProfileHash = sandbox2.sandboxDependencyProfileHash;
@@ -11830,25 +12153,6 @@ async function generateAssistantReply(messageText, context = {}) {
     const syncResumeState = () => {
       loadedSkillNamesForResume = activeSkills.map((skill) => skill.name);
     };
-    const enableSkillCredentials = async (skill, reason) => {
-      if (!skill?.pluginProvider) {
-        return;
-      }
-      try {
-        await capabilityRuntime.enableCredentialsForTurn({
-          activeSkill: skill,
-          reason
-        });
-      } catch (error) {
-        if (error instanceof CredentialUnavailableError && context.requester?.userId) {
-          await pluginAuth.handleCredentialUnavailable({
-            activeSkill: skill,
-            error
-          });
-        }
-        throw error;
-      }
-    };
     setTags({
       conversationId: spanContext.conversationId,
       slackThreadId: context.correlation?.threadId,
@@ -11890,10 +12194,6 @@ async function generateAssistantReply(messageText, context = {}) {
           if (mcpAuth.getPendingPause()) {
             return void 0;
           }
-          await enableSkillCredentials(
-            effective,
-            `skill:${effective.name}:turn:load`
-          );
           if (!effective.pluginProvider) {
             return void 0;
           }
@@ -11946,7 +12246,6 @@ async function generateAssistantReply(messageText, context = {}) {
         timeoutResumeMessages = existingCheckpoint?.piMessages ?? [];
         throw mcpAuth.getPendingPause();
       }
-      await enableSkillCredentials(skill, `skill:${skill.name}:turn:resume`);
     }
     syncResumeState();
     const activeMcpCatalogs = toActiveMcpCatalogSummaries(
@@ -12007,7 +12306,6 @@ async function generateAssistantReply(messageText, context = {}) {
       spanContext,
       context.onStatus,
       sandboxExecutor,
-      capabilityRuntime,
       pluginAuth,
       onToolCall
     );
@@ -12017,7 +12315,6 @@ async function generateAssistantReply(messageText, context = {}) {
       spanContext,
       context.onStatus,
       sandboxExecutor,
-      capabilityRuntime,
       pluginAuth,
       onToolCall
     );
@@ -14368,6 +14665,328 @@ async function GET5(request, provider, waitUntil) {
   });
 }
+// src/chat/sandbox/egress-oidc.ts
+import {
+  createRemoteJWKSet,
+  decodeJwt,
+  jwtVerify
+} from "jose";
+var OIDC_DISCOVERY_CACHE_TTL_MS = 60 * 60 * 1e3;
+var OIDC_DISCOVERY_CACHE_MAX_ENTRIES = 8;
+var jwksByIssuer = /* @__PURE__ */ new Map();
+function buildDiscoveryUrl(issuer) {
+  const url = new URL(issuer);
+  if (url.protocol !== "https:" || url.hostname !== "oidc.vercel.com") {
+    throw new Error("Unexpected Vercel OIDC issuer");
+  }
+  url.pathname = `${url.pathname.replace(/\/$/, "")}/.well-known/openid-configuration`;
+  url.search = "";
+  url.hash = "";
+  return url;
+}
+function buildJwksUrl(value) {
+  const url = new URL(value);
+  if (url.protocol !== "https:") {
+    throw new Error("Vercel OIDC discovery jwks_uri must use HTTPS");
+  }
+  return url;
+}
+async function getJwks(issuer) {
+  const now = Date.now();
+  const cached = jwksByIssuer.get(issuer);
+  if (cached && cached.expiresAtMs > now) {
+    return cached.jwks;
+  }
+  if (cached) {
+    jwksByIssuer.delete(issuer);
+  }
+  const response = await fetch(buildDiscoveryUrl(issuer), {
+    redirect: "error"
+  });
+  if (!response.ok) {
+    throw new Error("Unable to load Vercel OIDC discovery metadata");
+  }
+  const config = await response.json();
+  if (!config.jwks_uri) {
+    throw new Error("Vercel OIDC discovery metadata did not include jwks_uri");
+  }
+  const jwks = createRemoteJWKSet(buildJwksUrl(config.jwks_uri));
+  if (!jwksByIssuer.has(issuer) && jwksByIssuer.size >= OIDC_DISCOVERY_CACHE_MAX_ENTRIES) {
+    const oldestIssuer = jwksByIssuer.keys().next().value;
+    if (oldestIssuer) {
+      jwksByIssuer.delete(oldestIssuer);
+    }
+  }
+  jwksByIssuer.set(issuer, {
+    jwks,
+    expiresAtMs: now + OIDC_DISCOVERY_CACHE_TTL_MS
+  });
+  return jwks;
+}
+function validateSandboxClaim(payload, egressId) {
+  if (payload.sandbox_id !== egressId) {
+    throw new Error("Vercel OIDC token belongs to a different sandbox");
+  }
+}
+async function verifyVercelSandboxOidcToken(token, egressId) {
+  const unverified = decodeJwt(token);
+  if (typeof unverified.iss !== "string") {
+    throw new Error("Vercel OIDC token did not include an issuer");
+  }
+  const jwks = await getJwks(unverified.iss);
+  const verified = await jwtVerify(token, jwks, {
+    issuer: unverified.iss
+  });
+  validateSandboxClaim(verified.payload, egressId);
+  return verified.payload;
+}
+// src/chat/sandbox/egress-proxy.ts
+var OIDC_TOKEN_HEADER = "vercel-sandbox-oidc-token";
+var FORWARDED_HOST_HEADER = "vercel-forwarded-host";
+var FORWARDED_SCHEME_HEADER = "vercel-forwarded-scheme";
+var FORWARDED_PORT_HEADER = "vercel-forwarded-port";
+var ROUTE_PREFIX = "/api/internal/sandbox-egress";
+var HOP_BY_HOP_HEADERS = /* @__PURE__ */ new Set([
+  "connection",
+  "host",
+  "keep-alive",
+  "proxy-authenticate",
+  "proxy-authorization",
+  "te",
+  "trailer",
+  "transfer-encoding",
+  "upgrade"
+]);
+var PROXY_ONLY_HEADERS = /* @__PURE__ */ new Set([
+  OIDC_TOKEN_HEADER,
+  FORWARDED_HOST_HEADER,
+  FORWARDED_SCHEME_HEADER,
+  FORWARDED_PORT_HEADER
+]);
+var AUTH_REJECTION_STATUS = /* @__PURE__ */ new Set([401, 403]);
+function jsonError(message, status) {
+  return Response.json({ error: message }, { status });
+}
+function normalizeHost(value) {
+  const trimmed = value.trim().toLowerCase();
+  if (!trimmed || trimmed.includes("/") || trimmed.includes("\\") || trimmed.includes(":")) {
+    return void 0;
+  }
+  return trimmed.replace(/\.$/, "");
+}
+function normalizeScheme(value) {
+  return value.trim().toLowerCase() === "https" ? "https" : void 0;
+}
+function normalizePort(value) {
+  if (!value) {
+    return void 0;
+  }
+  const trimmed = value.trim();
+  if (!/^\d{1,5}$/.test(trimmed)) {
+    return void 0;
+  }
+  const port = Number.parseInt(trimmed, 10);
+  return port >= 1 && port <= 65535 ? trimmed : void 0;
+}
+function upstreamPath(request, egressId) {
+  const url = new URL(request.url);
+  const prefix = `${ROUTE_PREFIX}/${encodeURIComponent(egressId)}`;
+  if (url.pathname === prefix) {
+    return `/${url.search}`;
+  }
+  if (url.pathname.startsWith(`${prefix}/`)) {
+    return `${url.pathname.slice(prefix.length)}${url.search}`;
+  }
+  return void 0;
+}
+function buildUpstreamUrl(request, egressId) {
+  const forwardedHost = request.headers.get(FORWARDED_HOST_HEADER);
+  if (!forwardedHost?.trim()) {
+    return { ok: false, error: "Missing forwarded host" };
+  }
+  const host = normalizeHost(forwardedHost);
+  if (!host) {
+    return { ok: false, error: "Invalid forwarded host" };
+  }
+  const forwardedScheme = request.headers.get(FORWARDED_SCHEME_HEADER);
+  if (!forwardedScheme?.trim()) {
+    return { ok: false, error: "Missing forwarded scheme" };
+  }
+  const scheme = normalizeScheme(forwardedScheme);
+  if (!scheme) {
+    return { ok: false, error: "Forwarded scheme must be https" };
+  }
+  const forwardedPort = request.headers.get(FORWARDED_PORT_HEADER);
+  const port = normalizePort(forwardedPort);
+  if (forwardedPort && !port) {
+    return { ok: false, error: "Invalid forwarded port" };
+  }
+  const path11 = upstreamPath(request, egressId);
+  if (!path11) {
+    return { ok: false, error: "Invalid egress route" };
+  }
+  try {
+    const url = new URL(`${scheme}://${host}${port ? `:${port}` : ""}${path11}`);
+    return { ok: true, url };
+  } catch {
+    return { ok: false, error: "Invalid forwarded URL" };
+  }
+}
+async function requestBodyBytes(request) {
+  if (request.method === "GET" || request.method === "HEAD" || request.body === null) {
+    return void 0;
+  }
+  return await request.arrayBuffer();
+}
+function requestHeaders(request, lease, upstreamHost) {
+  const headers = new Headers();
+  request.headers.forEach((value, key) => {
+    const normalized = key.toLowerCase();
+    if (HOP_BY_HOP_HEADERS.has(normalized) || PROXY_ONLY_HEADERS.has(normalized)) {
+      return;
+    }
+    headers.append(key, value);
+  });
+  for (const transform of lease.headerTransforms) {
+    if (!matchesSandboxEgressDomain(upstreamHost, transform.domain)) {
+      continue;
+    }
+    for (const [key, value] of Object.entries(transform.headers)) {
+      headers.set(key, value);
+    }
+  }
+  return headers;
+}
+function responseHeaders(upstream) {
+  const headers = new Headers();
+  upstream.headers.forEach((value, key) => {
+    const normalized = key.toLowerCase();
+    if (!HOP_BY_HOP_HEADERS.has(normalized)) {
+      headers.append(key, value);
+    }
+  });
+  return headers;
+}
+async function credentialLease(egressId, provider, session) {
+  const cached = await getSandboxEgressCredentialLease(
+    egressId,
+    provider,
+    session
+  );
+  if (cached) {
+    return cached;
+  }
+  const lease = await issueProviderCredentialLease({
+    provider,
+    requesterId: session.requesterId,
+    reason: `sandbox-egress:${provider}`
+  });
+  const headerTransforms = lease.headerTransforms ?? [];
+  if (headerTransforms.length === 0) {
+    throw new Error(
+      `Credential lease for ${provider} did not include header transforms`
+    );
+  }
+  const cachedLease = {
+    provider,
+    expiresAt: lease.expiresAt,
+    headerTransforms
+  };
+  await setSandboxEgressCredentialLease(egressId, session, cachedLease);
+  return cachedLease;
+}
+function hasTransformForHost(lease, host) {
+  return lease.headerTransforms.some(
+    (transform) => matchesSandboxEgressDomain(host, transform.domain)
+  );
+}
+async function proxySandboxEgressRequest(request, egressId, deps = {}) {
+  const oidcToken = request.headers.get(OIDC_TOKEN_HEADER)?.trim();
+  if (!oidcToken) {
+    return jsonError("Missing Vercel Sandbox OIDC token", 401);
+  }
+  try {
+    await (deps.verifyOidc ?? verifyVercelSandboxOidcToken)(
+      oidcToken,
+      egressId
+    );
+  } catch (error) {
+    logWarn(
+      "sandbox_egress_oidc_verification_failed",
+      {},
+      {
+        "app.sandbox.oidc_error": error instanceof Error ? error.message : String(error)
+      },
+      "Sandbox egress OIDC verification failed"
+    );
+    return jsonError("Invalid Vercel Sandbox OIDC token", 401);
+  }
+  const upstreamResult = buildUpstreamUrl(request, egressId);
+  if (!upstreamResult.ok) {
+    return jsonError(upstreamResult.error, 400);
+  }
+  const upstreamUrl = upstreamResult.url;
+  const provider = resolveSandboxEgressProviderForHost(upstreamUrl.hostname);
+  if (!provider) {
+    return jsonError("No provider owns forwarded host", 403);
+  }
+  const session = await getSandboxEgressSession(egressId);
+  if (!session) {
+    return jsonError("Sandbox egress session is not authorized", 403);
+  }
+  let lease;
+  try {
+    lease = await credentialLease(egressId, provider, session);
+  } catch (error) {
+    if (error instanceof CredentialUnavailableError) {
+      return new Response(
+        `junior-auth-required provider=${error.provider} 401 unauthorized
+${error.message}`,
+        {
+          status: 401,
+          headers: { "content-type": "text/plain; charset=utf-8" }
+        }
+      );
+    }
+    throw error;
+  }
+  if (!hasTransformForHost(lease, upstreamUrl.hostname)) {
+    return jsonError("Credential lease does not cover forwarded host", 403);
+  }
+  const body = await requestBodyBytes(request);
+  const upstream = await (deps.fetch ?? fetch)(upstreamUrl, {
+    method: request.method,
+    headers: requestHeaders(request, lease, upstreamUrl.hostname),
+    ...body ? { body } : {},
+    redirect: "manual"
+  });
+  if (AUTH_REJECTION_STATUS.has(upstream.status)) {
+    logWarn(
+      "sandbox_egress_upstream_auth_rejected",
+      {},
+      {
+        "app.credential.provider": provider,
+        "http.request.method": request.method,
+        "http.response.status_code": upstream.status,
+        "server.address": upstreamUrl.hostname
+      },
+      "Sandbox egress upstream auth rejected"
+    );
+    await clearSandboxEgressCredentialLease(egressId, provider, session);
+  }
+  return new Response(upstream.body, {
+    status: upstream.status,
+    statusText: upstream.statusText,
+    headers: responseHeaders(upstream)
+  });
+}
+// src/handlers/sandbox-egress-proxy.ts
+async function ALL(request, egressId) {
+  return await proxySandboxEgressRequest(request, egressId);
+}
 // src/chat/slack/context.ts
 function toTrimmedSlackString(value) {
   const normalized = toOptionalString(value);
@@ -17744,6 +18363,12 @@ async function createApp(options) {
   app.post("/api/internal/turn-resume", (c) => {
     return POST(c.req.raw, waitUntil);
   });
+  app.all("/api/internal/sandbox-egress/:egressId", (c) => {
+    return ALL(c.req.raw, c.req.param("egressId"));
+  });
+  app.all("/api/internal/sandbox-egress/:egressId/*", (c) => {
+    return ALL(c.req.raw, c.req.param("egressId"));
+  });
   app.post("/api/webhooks/:platform", (c) => {
     return POST2(c.req.raw, c.req.param("platform"), waitUntil);
   });