@spacebar_ai/moldclaw-core 2026.3.43 → 2026.3.44

package/dist/workspace-dirs-CGeIPpGN.js

@@ -0,0 +1,2003 @@
+import { r as STATE_DIR } from "./paths-D6AgsMTU.js";
+import { n as defaultRuntime } from "./runtime-_tQz41uA.js";
+import { t as createSubsystemLogger } from "./subsystem-CPmDTJ2P.js";
+import { n as markmoldClawExecEnv } from "./moldclaw-exec-env-ZDcTcMZI.js";
+import { D as isPlainObject, y as resolveUserPath } from "./utils-C7ykRPCQ.js";
+import { i as resolveAgentConfig, m as resolveDefaultAgentId, p as resolveAgentWorkspaceDir } from "./agent-scope-lZlwP1At.js";
+import { c as normalizeAgentId, u as resolveAgentIdFromSessionKey } from "./session-key-UoG7Kfw5.js";
+import { o as resolvePathViaExistingAncestorSync } from "./boundary-file-read-tPYh_8fH.js";
+import { l as normalizeSecretInputString } from "./types.secrets-Ca-9L8vU.js";
+import { t as getBlockedNetworkModeReason } from "./network-mode-BtWXzwYn.js";
+import { l as CHANNEL_IDS, s as normalizeChannelId } from "./registry-C1pRrsQl.js";
+import { n as getProcessStartTime, r as isPidAlive, t as resolveProcessScopedMap } from "./process-scoped-map-BHiqAIVX.js";
+import { t as formatCliCommand } from "./command-format-C_z0Ru-7.js";
+import { t as sanitizeEnvVars } from "./sanitize-env-vars-LzjaOgVf.js";
+import { n as materializeWindowsSpawnProgram, r as resolveWindowsSpawnProgram } from "./windows-spawn-Du1a57S-.js";
+import { r as writeJsonAtomic } from "./json-files-B9YQFF4Z.js";
+import fs from "node:fs";
+import path, { posix } from "node:path";
+import { spawn } from "node:child_process";
+import fs$1 from "node:fs/promises";
+import crypto from "node:crypto";
+//#region src/agents/sandbox/constants.ts
+const DEFAULT_SANDBOX_WORKSPACE_ROOT = path.join(STATE_DIR, "sandboxes");
+const DEFAULT_SANDBOX_IMAGE = "moldclaw-sandbox:bookworm-slim";
+const DEFAULT_TOOL_ALLOW = [
+	"exec",
+	"process",
+	"read",
+	"write",
+	"edit",
+	"apply_patch",
+	"image",
+	"sessions_list",
+	"sessions_history",
+	"sessions_send",
+	"sessions_spawn",
+	"sessions_yield",
+	"subagents",
+	"session_status"
+];
+const DEFAULT_TOOL_DENY = [
+	"browser",
+	"canvas",
+	"nodes",
+	"cron",
+	"gateway",
+	...CHANNEL_IDS
+];
+const DEFAULT_SANDBOX_BROWSER_IMAGE = "moldclaw-sandbox-browser:bookworm-slim";
+const DEFAULT_SANDBOX_COMMON_IMAGE = "moldclaw-sandbox-common:bookworm-slim";
+const SANDBOX_BROWSER_SECURITY_HASH_EPOCH = "2026-02-28-no-sandbox-env";
+const SANDBOX_AGENT_WORKSPACE_MOUNT = "/agent";
+const SANDBOX_STATE_DIR = path.join(STATE_DIR, "sandbox");
+const SANDBOX_REGISTRY_PATH = path.join(SANDBOX_STATE_DIR, "containers.json");
+const SANDBOX_BROWSER_REGISTRY_PATH = path.join(SANDBOX_STATE_DIR, "browsers.json");
+//#endregion
+//#region src/agents/glob-pattern.ts
+function escapeRegex(value) {
+	return value.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+}
+function compileGlobPattern(params) {
+	const normalized = params.normalize(params.raw);
+	if (!normalized) return {
+		kind: "exact",
+		value: ""
+	};
+	if (normalized === "*") return { kind: "all" };
+	if (!normalized.includes("*")) return {
+		kind: "exact",
+		value: normalized
+	};
+	return {
+		kind: "regex",
+		value: new RegExp(`^${escapeRegex(normalized).replaceAll("\\*", ".*")}$`)
+	};
+}
+function compileGlobPatterns(params) {
+	if (!Array.isArray(params.raw)) return [];
+	return params.raw.map((raw) => compileGlobPattern({
+		raw,
+		normalize: params.normalize
+	})).filter((pattern) => pattern.kind !== "exact" || pattern.value);
+}
+function matchesAnyGlobPattern(value, patterns) {
+	for (const pattern of patterns) {
+		if (pattern.kind === "all") return true;
+		if (pattern.kind === "exact" && value === pattern.value) return true;
+		if (pattern.kind === "regex" && pattern.value.test(value)) return true;
+	}
+	return false;
+}
+//#endregion
+//#region src/agents/tool-catalog.ts
+const CORE_TOOL_SECTION_ORDER = [
+	{
+		id: "fs",
+		label: "Files"
+	},
+	{
+		id: "runtime",
+		label: "Runtime"
+	},
+	{
+		id: "web",
+		label: "Web"
+	},
+	{
+		id: "memory",
+		label: "Memory"
+	},
+	{
+		id: "sessions",
+		label: "Sessions"
+	},
+	{
+		id: "ui",
+		label: "UI"
+	},
+	{
+		id: "messaging",
+		label: "Messaging"
+	},
+	{
+		id: "automation",
+		label: "Automation"
+	},
+	{
+		id: "nodes",
+		label: "Nodes"
+	},
+	{
+		id: "agents",
+		label: "Agents"
+	},
+	{
+		id: "media",
+		label: "Media"
+	}
+];
+const CORE_TOOL_DEFINITIONS = [
+	{
+		id: "read",
+		label: "read",
+		description: "Read file contents",
+		sectionId: "fs",
+		profiles: ["coding"]
+	},
+	{
+		id: "write",
+		label: "write",
+		description: "Create or overwrite files",
+		sectionId: "fs",
+		profiles: ["coding"]
+	},
+	{
+		id: "edit",
+		label: "edit",
+		description: "Make precise edits",
+		sectionId: "fs",
+		profiles: ["coding"]
+	},
+	{
+		id: "apply_patch",
+		label: "apply_patch",
+		description: "Patch files (OpenAI)",
+		sectionId: "fs",
+		profiles: ["coding"]
+	},
+	{
+		id: "exec",
+		label: "exec",
+		description: "Run shell commands",
+		sectionId: "runtime",
+		profiles: ["coding"]
+	},
+	{
+		id: "process",
+		label: "process",
+		description: "Manage background processes",
+		sectionId: "runtime",
+		profiles: ["coding"]
+	},
+	{
+		id: "web_search",
+		label: "web_search",
+		description: "Search the web",
+		sectionId: "web",
+		profiles: ["coding"],
+		includeInmoldClawGroup: true
+	},
+	{
+		id: "web_fetch",
+		label: "web_fetch",
+		description: "Fetch web content",
+		sectionId: "web",
+		profiles: ["coding"],
+		includeInmoldClawGroup: true
+	},
+	{
+		id: "memory_search",
+		label: "memory_search",
+		description: "Semantic search",
+		sectionId: "memory",
+		profiles: ["coding"],
+		includeInmoldClawGroup: true
+	},
+	{
+		id: "memory_get",
+		label: "memory_get",
+		description: "Read memory files",
+		sectionId: "memory",
+		profiles: ["coding"],
+		includeInmoldClawGroup: true
+	},
+	{
+		id: "sessions_list",
+		label: "sessions_list",
+		description: "List sessions",
+		sectionId: "sessions",
+		profiles: ["coding", "messaging"],
+		includeInmoldClawGroup: true
+	},
+	{
+		id: "sessions_history",
+		label: "sessions_history",
+		description: "Session history",
+		sectionId: "sessions",
+		profiles: ["coding", "messaging"],
+		includeInmoldClawGroup: true
+	},
+	{
+		id: "sessions_send",
+		label: "sessions_send",
+		description: "Send to session",
+		sectionId: "sessions",
+		profiles: ["coding", "messaging"],
+		includeInmoldClawGroup: true
+	},
+	{
+		id: "sessions_spawn",
+		label: "sessions_spawn",
+		description: "Spawn sub-agent",
+		sectionId: "sessions",
+		profiles: ["coding"],
+		includeInmoldClawGroup: true
+	},
+	{
+		id: "sessions_yield",
+		label: "sessions_yield",
+		description: "End turn to receive sub-agent results",
+		sectionId: "sessions",
+		profiles: ["coding"],
+		includeInmoldClawGroup: true
+	},
+	{
+		id: "subagents",
+		label: "subagents",
+		description: "Manage sub-agents",
+		sectionId: "sessions",
+		profiles: ["coding"],
+		includeInmoldClawGroup: true
+	},
+	{
+		id: "session_status",
+		label: "session_status",
+		description: "Session status",
+		sectionId: "sessions",
+		profiles: [
+			"minimal",
+			"coding",
+			"messaging"
+		],
+		includeInmoldClawGroup: true
+	},
+	{
+		id: "browser",
+		label: "browser",
+		description: "Control web browser",
+		sectionId: "ui",
+		profiles: [],
+		includeInmoldClawGroup: true
+	},
+	{
+		id: "canvas",
+		label: "canvas",
+		description: "Control canvases",
+		sectionId: "ui",
+		profiles: [],
+		includeInmoldClawGroup: true
+	},
+	{
+		id: "message",
+		label: "message",
+		description: "Send messages",
+		sectionId: "messaging",
+		profiles: ["messaging"],
+		includeInmoldClawGroup: true
+	},
+	{
+		id: "cron",
+		label: "cron",
+		description: "Schedule tasks",
+		sectionId: "automation",
+		profiles: ["coding"],
+		includeInmoldClawGroup: true
+	},
+	{
+		id: "gateway",
+		label: "gateway",
+		description: "Gateway control",
+		sectionId: "automation",
+		profiles: [],
+		includeInmoldClawGroup: true
+	},
+	{
+		id: "nodes",
+		label: "nodes",
+		description: "Nodes + devices",
+		sectionId: "nodes",
+		profiles: [],
+		includeInmoldClawGroup: true
+	},
+	{
+		id: "agents_list",
+		label: "agents_list",
+		description: "List agents",
+		sectionId: "agents",
+		profiles: [],
+		includeInmoldClawGroup: true
+	},
+	{
+		id: "image",
+		label: "image",
+		description: "Image understanding",
+		sectionId: "media",
+		profiles: ["coding"],
+		includeInmoldClawGroup: true
+	},
+	{
+		id: "image_generate",
+		label: "image_generate",
+		description: "Image generation",
+		sectionId: "media",
+		profiles: ["coding"],
+		includeInmoldClawGroup: true
+	},
+	{
+		id: "tts",
+		label: "tts",
+		description: "Text-to-speech conversion",
+		sectionId: "media",
+		profiles: [],
+		includeInmoldClawGroup: true
+	}
+];
+const CORE_TOOL_BY_ID = new Map(CORE_TOOL_DEFINITIONS.map((tool) => [tool.id, tool]));
+function listCoreToolIdsForProfile(profile) {
+	return CORE_TOOL_DEFINITIONS.filter((tool) => tool.profiles.includes(profile)).map((tool) => tool.id);
+}
+const CORE_TOOL_PROFILES = {
+	minimal: { allow: listCoreToolIdsForProfile("minimal") },
+	coding: { allow: listCoreToolIdsForProfile("coding") },
+	messaging: { allow: listCoreToolIdsForProfile("messaging") },
+	full: {}
+};
+function buildCoreToolGroupMap() {
+	const sectionToolMap = /* @__PURE__ */ new Map();
+	for (const tool of CORE_TOOL_DEFINITIONS) {
+		const groupId = `group:${tool.sectionId}`;
+		const list = sectionToolMap.get(groupId) ?? [];
+		list.push(tool.id);
+		sectionToolMap.set(groupId, list);
+	}
+	const moldclawTools = CORE_TOOL_DEFINITIONS.filter((tool) => tool.includeInmoldClawGroup).map((tool) => tool.id);
+	return {
+		"group:moldclaw": moldclawTools,
+		...Object.fromEntries(sectionToolMap.entries())
+	};
+}
+const CORE_TOOL_GROUPS = buildCoreToolGroupMap();
+const PROFILE_OPTIONS = [
+	{
+		id: "minimal",
+		label: "Minimal"
+	},
+	{
+		id: "coding",
+		label: "Coding"
+	},
+	{
+		id: "messaging",
+		label: "Messaging"
+	},
+	{
+		id: "full",
+		label: "Full"
+	}
+];
+function resolveCoreToolProfilePolicy(profile) {
+	if (!profile) return;
+	const resolved = CORE_TOOL_PROFILES[profile];
+	if (!resolved) return;
+	if (!resolved.allow && !resolved.deny) return;
+	return {
+		allow: resolved.allow ? [...resolved.allow] : void 0,
+		deny: resolved.deny ? [...resolved.deny] : void 0
+	};
+}
+function listCoreToolSections() {
+	return CORE_TOOL_SECTION_ORDER.map((section) => ({
+		id: section.id,
+		label: section.label,
+		tools: CORE_TOOL_DEFINITIONS.filter((tool) => tool.sectionId === section.id).map((tool) => ({
+			id: tool.id,
+			label: tool.label,
+			description: tool.description
+		}))
+	})).filter((section) => section.tools.length > 0);
+}
+function resolveCoreToolProfiles(toolId) {
+	const tool = CORE_TOOL_BY_ID.get(toolId);
+	if (!tool) return [];
+	return [...tool.profiles];
+}
+function isKnownCoreToolId(toolId) {
+	return CORE_TOOL_BY_ID.has(toolId);
+}
+//#endregion
+//#region src/agents/tool-policy-shared.ts
+const TOOL_NAME_ALIASES = {
+	bash: "exec",
+	"apply-patch": "apply_patch"
+};
+const TOOL_GROUPS = { ...CORE_TOOL_GROUPS };
+function normalizeToolName(name) {
+	const normalized = name.trim().toLowerCase();
+	return TOOL_NAME_ALIASES[normalized] ?? normalized;
+}
+function normalizeToolList(list) {
+	if (!list) return [];
+	return list.map(normalizeToolName).filter(Boolean);
+}
+function expandToolGroups(list) {
+	const normalized = normalizeToolList(list);
+	const expanded = [];
+	for (const value of normalized) {
+		const group = TOOL_GROUPS[value];
+		if (group) {
+			expanded.push(...group);
+			continue;
+		}
+		expanded.push(value);
+	}
+	return Array.from(new Set(expanded));
+}
+function resolveToolProfilePolicy(profile) {
+	return resolveCoreToolProfilePolicy(profile);
+}
+//#endregion
+//#region src/agents/tool-policy.ts
+function wrapOwnerOnlyToolExecution(tool, senderIsOwner) {
+	if (tool.ownerOnly !== true || senderIsOwner || !tool.execute) return tool;
+	return {
+		...tool,
+		execute: async () => {
+			throw new Error("Tool restricted to owner senders.");
+		}
+	};
+}
+const OWNER_ONLY_TOOL_NAME_FALLBACKS = new Set([
+	"whatsapp_login",
+	"cron",
+	"gateway",
+	"nodes"
+]);
+function isOwnerOnlyToolName(name) {
+	return OWNER_ONLY_TOOL_NAME_FALLBACKS.has(normalizeToolName(name));
+}
+function isOwnerOnlyTool(tool) {
+	return tool.ownerOnly === true || isOwnerOnlyToolName(tool.name);
+}
+function applyOwnerOnlyToolPolicy(tools, senderIsOwner) {
+	const withGuard = tools.map((tool) => {
+		if (!isOwnerOnlyTool(tool)) return tool;
+		return wrapOwnerOnlyToolExecution(tool, senderIsOwner);
+	});
+	if (senderIsOwner) return withGuard;
+	return withGuard.filter((tool) => !isOwnerOnlyTool(tool));
+}
+function collectExplicitAllowlist(policies) {
+	const entries = [];
+	for (const policy of policies) {
+		if (!policy?.allow) continue;
+		for (const value of policy.allow) {
+			if (typeof value !== "string") continue;
+			const trimmed = value.trim();
+			if (trimmed) entries.push(trimmed);
+		}
+	}
+	return entries;
+}
+function buildPluginToolGroups(params) {
+	const all = [];
+	const byPlugin = /* @__PURE__ */ new Map();
+	for (const tool of params.tools) {
+		const meta = params.toolMeta(tool);
+		if (!meta) continue;
+		const name = normalizeToolName(tool.name);
+		all.push(name);
+		const pluginId = meta.pluginId.toLowerCase();
+		const list = byPlugin.get(pluginId) ?? [];
+		list.push(name);
+		byPlugin.set(pluginId, list);
+	}
+	return {
+		all,
+		byPlugin
+	};
+}
+function expandPluginGroups(list, groups) {
+	if (!list || list.length === 0) return list;
+	const expanded = [];
+	for (const entry of list) {
+		const normalized = normalizeToolName(entry);
+		if (normalized === "group:plugins") {
+			if (groups.all.length > 0) expanded.push(...groups.all);
+			else expanded.push(normalized);
+			continue;
+		}
+		const tools = groups.byPlugin.get(normalized);
+		if (tools && tools.length > 0) {
+			expanded.push(...tools);
+			continue;
+		}
+		expanded.push(normalized);
+	}
+	return Array.from(new Set(expanded));
+}
+function expandPolicyWithPluginGroups(policy, groups) {
+	if (!policy) return;
+	return {
+		allow: expandPluginGroups(policy.allow, groups),
+		deny: expandPluginGroups(policy.deny, groups)
+	};
+}
+function stripPluginOnlyAllowlist(policy, groups, coreTools) {
+	if (!policy?.allow || policy.allow.length === 0) return {
+		policy,
+		unknownAllowlist: [],
+		strippedAllowlist: false
+	};
+	const normalized = normalizeToolList(policy.allow);
+	if (normalized.length === 0) return {
+		policy,
+		unknownAllowlist: [],
+		strippedAllowlist: false
+	};
+	const pluginIds = new Set(groups.byPlugin.keys());
+	const pluginTools = new Set(groups.all);
+	const unknownAllowlist = [];
+	let hasCoreEntry = false;
+	for (const entry of normalized) {
+		if (entry === "*") {
+			hasCoreEntry = true;
+			continue;
+		}
+		const isPluginEntry = entry === "group:plugins" || pluginIds.has(entry) || pluginTools.has(entry);
+		const isCoreEntry = expandToolGroups([entry]).some((tool) => coreTools.has(tool));
+		if (isCoreEntry) hasCoreEntry = true;
+		if (!isCoreEntry && !isPluginEntry) unknownAllowlist.push(entry);
+	}
+	const strippedAllowlist = !hasCoreEntry;
+	if (strippedAllowlist) {}
+	return {
+		policy: strippedAllowlist ? {
+			...policy,
+			allow: void 0
+		} : policy,
+		unknownAllowlist: Array.from(new Set(unknownAllowlist)),
+		strippedAllowlist
+	};
+}
+function mergeAlsoAllowPolicy(policy, alsoAllow) {
+	if (!policy?.allow || !Array.isArray(alsoAllow) || alsoAllow.length === 0) return policy;
+	return {
+		...policy,
+		allow: Array.from(new Set([...policy.allow, ...alsoAllow]))
+	};
+}
+//#endregion
+//#region src/agents/sandbox/tool-policy.ts
+function normalizeGlob(value) {
+	return value.trim().toLowerCase();
+}
+function isToolAllowed(policy, name) {
+	const normalized = normalizeGlob(name);
+	if (matchesAnyGlobPattern(normalized, compileGlobPatterns({
+		raw: expandToolGroups(policy.deny ?? []),
+		normalize: normalizeGlob
+	}))) return false;
+	const allow = compileGlobPatterns({
+		raw: expandToolGroups(policy.allow ?? []),
+		normalize: normalizeGlob
+	});
+	if (allow.length === 0) return true;
+	return matchesAnyGlobPattern(normalized, allow);
+}
+function resolveSandboxToolPolicyForAgent(cfg, agentId) {
+	const agentConfig = cfg && agentId ? resolveAgentConfig(cfg, agentId) : void 0;
+	const agentAllow = agentConfig?.tools?.sandbox?.tools?.allow;
+	const agentDeny = agentConfig?.tools?.sandbox?.tools?.deny;
+	const globalAllow = cfg?.tools?.sandbox?.tools?.allow;
+	const globalDeny = cfg?.tools?.sandbox?.tools?.deny;
+	const allowSource = Array.isArray(agentAllow) ? {
+		source: "agent",
+		key: "agents.list[].tools.sandbox.tools.allow"
+	} : Array.isArray(globalAllow) ? {
+		source: "global",
+		key: "tools.sandbox.tools.allow"
+	} : {
+		source: "default",
+		key: "tools.sandbox.tools.allow"
+	};
+	const denySource = Array.isArray(agentDeny) ? {
+		source: "agent",
+		key: "agents.list[].tools.sandbox.tools.deny"
+	} : Array.isArray(globalDeny) ? {
+		source: "global",
+		key: "tools.sandbox.tools.deny"
+	} : {
+		source: "default",
+		key: "tools.sandbox.tools.deny"
+	};
+	const deny = Array.isArray(agentDeny) ? agentDeny : Array.isArray(globalDeny) ? globalDeny : [...DEFAULT_TOOL_DENY];
+	const allow = Array.isArray(agentAllow) ? agentAllow : Array.isArray(globalAllow) ? globalAllow : [...DEFAULT_TOOL_ALLOW];
+	const expandedDeny = expandToolGroups(deny);
+	let expandedAllow = expandToolGroups(allow);
+	if (expandedAllow.length > 0 && !expandedDeny.map((v) => v.toLowerCase()).includes("image") && !expandedAllow.map((v) => v.toLowerCase()).includes("image")) expandedAllow = [...expandedAllow, "image"];
+	return {
+		allow: expandedAllow,
+		deny: expandedDeny,
+		sources: {
+			allow: allowSource,
+			deny: denySource
+		}
+	};
+}
+//#endregion
+//#region src/agents/sandbox/config.ts
+const DANGEROUS_SANDBOX_DOCKER_BOOLEAN_KEYS = [
+	"dangerouslyAllowReservedContainerTargets",
+	"dangerouslyAllowExternalBindSources",
+	"dangerouslyAllowContainerNamespaceJoin"
+];
+const DEFAULT_SANDBOX_SSH_COMMAND = "ssh";
+const DEFAULT_SANDBOX_SSH_WORKSPACE_ROOT = "/tmp/moldclaw-sandboxes";
+function resolveDangerousSandboxDockerBooleans(agentDocker, globalDocker) {
+	const resolved = {};
+	for (const key of DANGEROUS_SANDBOX_DOCKER_BOOLEAN_KEYS) resolved[key] = agentDocker?.[key] ?? globalDocker?.[key];
+	return resolved;
+}
+function resolveSandboxBrowserDockerCreateConfig(params) {
+	const browserNetwork = params.browser.network.trim();
+	const base = {
+		...params.docker,
+		network: browserNetwork || "moldclaw-sandbox-browser",
+		image: params.browser.image
+	};
+	return params.browser.binds !== void 0 ? {
+		...base,
+		binds: params.browser.binds
+	} : base;
+}
+function resolveSandboxScope(params) {
+	if (params.scope) return params.scope;
+	if (typeof params.perSession === "boolean") return params.perSession ? "session" : "shared";
+	return "agent";
+}
+function resolveSandboxDockerConfig(params) {
+	const agentDocker = params.scope === "shared" ? void 0 : params.agentDocker;
+	const globalDocker = params.globalDocker;
+	const env = agentDocker?.env ? {
+		...globalDocker?.env ?? { LANG: "C.UTF-8" },
+		...agentDocker.env
+	} : globalDocker?.env ?? { LANG: "C.UTF-8" };
+	const ulimits = agentDocker?.ulimits ? {
+		...globalDocker?.ulimits,
+		...agentDocker.ulimits
+	} : globalDocker?.ulimits;
+	const binds = [...globalDocker?.binds ?? [], ...agentDocker?.binds ?? []];
+	return {
+		image: agentDocker?.image ?? globalDocker?.image ?? "moldclaw-sandbox:bookworm-slim",
+		containerPrefix: agentDocker?.containerPrefix ?? globalDocker?.containerPrefix ?? "moldclaw-sbx-",
+		workdir: agentDocker?.workdir ?? globalDocker?.workdir ?? "/workspace",
+		readOnlyRoot: agentDocker?.readOnlyRoot ?? globalDocker?.readOnlyRoot ?? true,
+		tmpfs: agentDocker?.tmpfs ?? globalDocker?.tmpfs ?? [
+			"/tmp",
+			"/var/tmp",
+			"/run"
+		],
+		network: agentDocker?.network ?? globalDocker?.network ?? "none",
+		user: agentDocker?.user ?? globalDocker?.user,
+		capDrop: agentDocker?.capDrop ?? globalDocker?.capDrop ?? ["ALL"],
+		env,
+		setupCommand: agentDocker?.setupCommand ?? globalDocker?.setupCommand,
+		pidsLimit: agentDocker?.pidsLimit ?? globalDocker?.pidsLimit,
+		memory: agentDocker?.memory ?? globalDocker?.memory,
+		memorySwap: agentDocker?.memorySwap ?? globalDocker?.memorySwap,
+		cpus: agentDocker?.cpus ?? globalDocker?.cpus,
+		ulimits,
+		seccompProfile: agentDocker?.seccompProfile ?? globalDocker?.seccompProfile,
+		apparmorProfile: agentDocker?.apparmorProfile ?? globalDocker?.apparmorProfile,
+		dns: agentDocker?.dns ?? globalDocker?.dns,
+		extraHosts: agentDocker?.extraHosts ?? globalDocker?.extraHosts,
+		binds: binds.length ? binds : void 0,
+		...resolveDangerousSandboxDockerBooleans(agentDocker, globalDocker)
+	};
+}
+function resolveSandboxBrowserConfig(params) {
+	const agentBrowser = params.scope === "shared" ? void 0 : params.agentBrowser;
+	const globalBrowser = params.globalBrowser;
+	const binds = [...globalBrowser?.binds ?? [], ...agentBrowser?.binds ?? []];
+	const bindsConfigured = globalBrowser?.binds !== void 0 || agentBrowser?.binds !== void 0;
+	return {
+		enabled: agentBrowser?.enabled ?? globalBrowser?.enabled ?? false,
+		image: agentBrowser?.image ?? globalBrowser?.image ?? "moldclaw-sandbox-browser:bookworm-slim",
+		containerPrefix: agentBrowser?.containerPrefix ?? globalBrowser?.containerPrefix ?? "moldclaw-sbx-browser-",
+		network: agentBrowser?.network ?? globalBrowser?.network ?? "moldclaw-sandbox-browser",
+		cdpPort: agentBrowser?.cdpPort ?? globalBrowser?.cdpPort ?? 9222,
+		cdpSourceRange: agentBrowser?.cdpSourceRange ?? globalBrowser?.cdpSourceRange,
+		vncPort: agentBrowser?.vncPort ?? globalBrowser?.vncPort ?? 5900,
+		noVncPort: agentBrowser?.noVncPort ?? globalBrowser?.noVncPort ?? 6080,
+		headless: agentBrowser?.headless ?? globalBrowser?.headless ?? false,
+		enableNoVnc: agentBrowser?.enableNoVnc ?? globalBrowser?.enableNoVnc ?? true,
+		allowHostControl: agentBrowser?.allowHostControl ?? globalBrowser?.allowHostControl ?? false,
+		autoStart: agentBrowser?.autoStart ?? globalBrowser?.autoStart ?? true,
+		autoStartTimeoutMs: agentBrowser?.autoStartTimeoutMs ?? globalBrowser?.autoStartTimeoutMs ?? 12e3,
+		binds: bindsConfigured ? binds : void 0
+	};
+}
+function resolveSandboxPruneConfig(params) {
+	const agentPrune = params.scope === "shared" ? void 0 : params.agentPrune;
+	const globalPrune = params.globalPrune;
+	return {
+		idleHours: agentPrune?.idleHours ?? globalPrune?.idleHours ?? 24,
+		maxAgeDays: agentPrune?.maxAgeDays ?? globalPrune?.maxAgeDays ?? 7
+	};
+}
+function normalizeOptionalString(value) {
+	const trimmed = value?.trim();
+	return trimmed ? trimmed : void 0;
+}
+function normalizeRemoteRoot(value, fallback) {
+	const normalized = normalizeOptionalString(value) ?? fallback;
+	const posix = normalized.replaceAll("\\", "/");
+	if (!posix.startsWith("/")) throw new Error(`Sandbox SSH workspaceRoot must be an absolute POSIX path: ${normalized}`);
+	return posix.replace(/\/+$/g, "") || "/";
+}
+function resolveSandboxSshConfig(params) {
+	const agentSsh = params.scope === "shared" ? void 0 : params.agentSsh;
+	const globalSsh = params.globalSsh;
+	return {
+		target: normalizeOptionalString(agentSsh?.target ?? globalSsh?.target),
+		command: normalizeOptionalString(agentSsh?.command ?? globalSsh?.command) ?? DEFAULT_SANDBOX_SSH_COMMAND,
+		workspaceRoot: normalizeRemoteRoot(agentSsh?.workspaceRoot ?? globalSsh?.workspaceRoot, DEFAULT_SANDBOX_SSH_WORKSPACE_ROOT),
+		strictHostKeyChecking: agentSsh?.strictHostKeyChecking ?? globalSsh?.strictHostKeyChecking ?? true,
+		updateHostKeys: agentSsh?.updateHostKeys ?? globalSsh?.updateHostKeys ?? true,
+		identityFile: normalizeOptionalString(agentSsh?.identityFile ?? globalSsh?.identityFile),
+		certificateFile: normalizeOptionalString(agentSsh?.certificateFile ?? globalSsh?.certificateFile),
+		knownHostsFile: normalizeOptionalString(agentSsh?.knownHostsFile ?? globalSsh?.knownHostsFile),
+		identityData: normalizeSecretInputString(agentSsh?.identityData ?? globalSsh?.identityData),
+		certificateData: normalizeSecretInputString(agentSsh?.certificateData ?? globalSsh?.certificateData),
+		knownHostsData: normalizeSecretInputString(agentSsh?.knownHostsData ?? globalSsh?.knownHostsData)
+	};
+}
+function resolveSandboxConfigForAgent(cfg, agentId) {
+	const agent = cfg?.agents?.defaults?.sandbox;
+	let agentSandbox;
+	const agentConfig = cfg && agentId ? resolveAgentConfig(cfg, agentId) : void 0;
+	if (agentConfig?.sandbox) agentSandbox = agentConfig.sandbox;
+	const scope = resolveSandboxScope({
+		scope: agentSandbox?.scope ?? agent?.scope,
+		perSession: agentSandbox?.perSession ?? agent?.perSession
+	});
+	const toolPolicy = resolveSandboxToolPolicyForAgent(cfg, agentId);
+	return {
+		mode: agentSandbox?.mode ?? agent?.mode ?? "off",
+		backend: agentSandbox?.backend?.trim() || agent?.backend?.trim() || "docker",
+		scope,
+		workspaceAccess: agentSandbox?.workspaceAccess ?? agent?.workspaceAccess ?? "none",
+		workspaceRoot: agentSandbox?.workspaceRoot ?? agent?.workspaceRoot ?? DEFAULT_SANDBOX_WORKSPACE_ROOT,
+		docker: resolveSandboxDockerConfig({
+			scope,
+			globalDocker: agent?.docker,
+			agentDocker: agentSandbox?.docker
+		}),
+		ssh: resolveSandboxSshConfig({
+			scope,
+			globalSsh: agent?.ssh,
+			agentSsh: agentSandbox?.ssh
+		}),
+		browser: resolveSandboxBrowserConfig({
+			scope,
+			globalBrowser: agent?.browser,
+			agentBrowser: agentSandbox?.browser
+		}),
+		tools: {
+			allow: toolPolicy.allow,
+			deny: toolPolicy.deny
+		},
+		prune: resolveSandboxPruneConfig({
+			scope,
+			globalPrune: agent?.prune,
+			agentPrune: agentSandbox?.prune
+		})
+	};
+}
+//#endregion
+//#region src/agents/sandbox/hash.ts
+function hashTextSha256(value) {
+	return crypto.createHash("sha256").update(value).digest("hex");
+}
+//#endregion
+//#region src/agents/sandbox/config-hash.ts
+function normalizeForHash(value) {
+	if (value === void 0) return;
+	if (Array.isArray(value)) return value.map(normalizeForHash).filter((item) => item !== void 0);
+	if (value && typeof value === "object") {
+		const entries = Object.entries(value).toSorted(([a], [b]) => a.localeCompare(b));
+		const normalized = {};
+		for (const [key, entryValue] of entries) {
+			const next = normalizeForHash(entryValue);
+			if (next !== void 0) normalized[key] = next;
+		}
+		return normalized;
+	}
+	return value;
+}
+function computeSandboxConfigHash(input) {
+	return computeHash(input);
+}
+function computeSandboxBrowserConfigHash(input) {
+	return computeHash(input);
+}
+function computeHash(input) {
+	const payload = normalizeForHash(input);
+	return hashTextSha256(JSON.stringify(payload));
+}
+//#endregion
+//#region src/agents/session-write-lock.ts
+function isValidLockNumber(value) {
+	return typeof value === "number" && Number.isInteger(value) && value >= 0;
+}
+const CLEANUP_SIGNALS = [
+	"SIGINT",
+	"SIGTERM",
+	"SIGQUIT",
+	"SIGABRT"
+];
+const CLEANUP_STATE_KEY = Symbol.for("moldclaw.sessionWriteLockCleanupState");
+const HELD_LOCKS_KEY = Symbol.for("moldclaw.sessionWriteLockHeldLocks");
+const WATCHDOG_STATE_KEY = Symbol.for("moldclaw.sessionWriteLockWatchdogState");
+const DEFAULT_STALE_MS = 1800 * 1e3;
+const DEFAULT_MAX_HOLD_MS = 300 * 1e3;
+const DEFAULT_WATCHDOG_INTERVAL_MS = 6e4;
+const DEFAULT_TIMEOUT_GRACE_MS = 120 * 1e3;
+const MAX_LOCK_HOLD_MS = 2147e6;
+const HELD_LOCKS = resolveProcessScopedMap(HELD_LOCKS_KEY);
+function resolveCleanupState() {
+	const proc = process;
+	if (!proc[CLEANUP_STATE_KEY]) proc[CLEANUP_STATE_KEY] = {
+		registered: false,
+		cleanupHandlers: /* @__PURE__ */ new Map()
+	};
+	return proc[CLEANUP_STATE_KEY];
+}
+function resolveWatchdogState() {
+	const proc = process;
+	if (!proc[WATCHDOG_STATE_KEY]) proc[WATCHDOG_STATE_KEY] = {
+		started: false,
+		intervalMs: DEFAULT_WATCHDOG_INTERVAL_MS
+	};
+	return proc[WATCHDOG_STATE_KEY];
+}
+function resolvePositiveMs(value, fallback, opts = {}) {
+	if (typeof value !== "number" || Number.isNaN(value) || value <= 0) return fallback;
+	if (value === Number.POSITIVE_INFINITY) return opts.allowInfinity ? value : fallback;
+	if (!Number.isFinite(value)) return fallback;
+	return value;
+}
+function resolveSessionLockMaxHoldFromTimeout(params) {
+	const minMs = resolvePositiveMs(params.minMs, DEFAULT_MAX_HOLD_MS);
+	const timeoutMs = resolvePositiveMs(params.timeoutMs, minMs, { allowInfinity: true });
+	if (timeoutMs === Number.POSITIVE_INFINITY) return MAX_LOCK_HOLD_MS;
+	const graceMs = resolvePositiveMs(params.graceMs, DEFAULT_TIMEOUT_GRACE_MS);
+	return Math.min(MAX_LOCK_HOLD_MS, Math.max(minMs, timeoutMs + graceMs));
+}
+async function releaseHeldLock(normalizedSessionFile, held, opts = {}) {
+	if (HELD_LOCKS.get(normalizedSessionFile) !== held) return false;
+	if (opts.force) held.count = 0;
+	else {
+		held.count -= 1;
+		if (held.count > 0) return false;
+	}
+	if (held.releasePromise) {
+		await held.releasePromise.catch(() => void 0);
+		return true;
+	}
+	HELD_LOCKS.delete(normalizedSessionFile);
+	held.releasePromise = (async () => {
+		try {
+			await held.handle.close();
+		} catch {}
+		try {
+			await fs$1.rm(held.lockPath, { force: true });
+		} catch {}
+	})();
+	try {
+		await held.releasePromise;
+		return true;
+	} finally {
+		held.releasePromise = void 0;
+	}
+}
+/**
+* Synchronously release all held locks.
+* Used during process exit when async operations aren't reliable.
+*/
+function releaseAllLocksSync() {
+	for (const [sessionFile, held] of HELD_LOCKS) {
+		try {
+			if (typeof held.handle.close === "function") held.handle.close().catch(() => {});
+		} catch {}
+		try {
+			fs.rmSync(held.lockPath, { force: true });
+		} catch {}
+		HELD_LOCKS.delete(sessionFile);
+	}
+}
+async function runLockWatchdogCheck(nowMs = Date.now()) {
+	let released = 0;
+	for (const [sessionFile, held] of HELD_LOCKS.entries()) {
+		const heldForMs = nowMs - held.acquiredAt;
+		if (heldForMs <= held.maxHoldMs) continue;
+		console.warn(`[session-write-lock] releasing lock held for ${heldForMs}ms (max=${held.maxHoldMs}ms): ${held.lockPath}`);
+		if (await releaseHeldLock(sessionFile, held, { force: true })) released += 1;
+	}
+	return released;
+}
+function ensureWatchdogStarted(intervalMs) {
+	const watchdogState = resolveWatchdogState();
+	if (watchdogState.started) return;
+	watchdogState.started = true;
+	watchdogState.intervalMs = intervalMs;
+	watchdogState.timer = setInterval(() => {
+		runLockWatchdogCheck().catch(() => {});
+	}, intervalMs);
+	watchdogState.timer.unref?.();
+}
+function handleTerminationSignal(signal) {
+	releaseAllLocksSync();
+	const cleanupState = resolveCleanupState();
+	if (process.listenerCount(signal) === 1) {
+		const handler = cleanupState.cleanupHandlers.get(signal);
+		if (handler) {
+			process.off(signal, handler);
+			cleanupState.cleanupHandlers.delete(signal);
+		}
+		try {
+			process.kill(process.pid, signal);
+		} catch {}
+	}
+}
+function registerCleanupHandlers() {
+	const cleanupState = resolveCleanupState();
+	if (!cleanupState.registered) {
+		cleanupState.registered = true;
+		process.on("exit", () => {
+			releaseAllLocksSync();
+		});
+	}
+	ensureWatchdogStarted(DEFAULT_WATCHDOG_INTERVAL_MS);
+	for (const signal of CLEANUP_SIGNALS) {
+		if (cleanupState.cleanupHandlers.has(signal)) continue;
+		try {
+			const handler = () => handleTerminationSignal(signal);
+			cleanupState.cleanupHandlers.set(signal, handler);
+			process.on(signal, handler);
+		} catch {}
+	}
+}
+async function readLockPayload(lockPath) {
+	try {
+		const raw = await fs$1.readFile(lockPath, "utf8");
+		const parsed = JSON.parse(raw);
+		const payload = {};
+		if (isValidLockNumber(parsed.pid) && parsed.pid > 0) payload.pid = parsed.pid;
+		if (typeof parsed.createdAt === "string") payload.createdAt = parsed.createdAt;
+		if (isValidLockNumber(parsed.starttime)) payload.starttime = parsed.starttime;
+		return payload;
+	} catch {
+		return null;
+	}
+}
+function inspectLockPayload(payload, staleMs, nowMs) {
+	const pid = isValidLockNumber(payload?.pid) && payload.pid > 0 ? payload.pid : null;
+	const pidAlive = pid !== null ? isPidAlive(pid) : false;
+	const createdAt = typeof payload?.createdAt === "string" ? payload.createdAt : null;
+	const createdAtMs = createdAt ? Date.parse(createdAt) : NaN;
+	const ageMs = Number.isFinite(createdAtMs) ? Math.max(0, nowMs - createdAtMs) : null;
+	const storedStarttime = isValidLockNumber(payload?.starttime) ? payload.starttime : null;
+	const pidRecycled = pidAlive && pid !== null && storedStarttime !== null ? (() => {
+		const currentStarttime = getProcessStartTime(pid);
+		return currentStarttime !== null && currentStarttime !== storedStarttime;
+	})() : false;
+	const staleReasons = [];
+	if (pid === null) staleReasons.push("missing-pid");
+	else if (!pidAlive) staleReasons.push("dead-pid");
+	else if (pidRecycled) staleReasons.push("recycled-pid");
+	if (ageMs === null) staleReasons.push("invalid-createdAt");
+	else if (ageMs > staleMs) staleReasons.push("too-old");
+	return {
+		pid,
+		pidAlive,
+		createdAt,
+		ageMs,
+		stale: staleReasons.length > 0,
+		staleReasons
+	};
+}
+function lockInspectionNeedsMtimeStaleFallback(details) {
+	return details.stale && details.staleReasons.every((reason) => reason === "missing-pid" || reason === "invalid-createdAt");
+}
+async function shouldReclaimContendedLockFile(lockPath, details, staleMs, nowMs) {
+	if (!details.stale) return false;
+	if (!lockInspectionNeedsMtimeStaleFallback(details)) return true;
+	try {
+		const stat = await fs$1.stat(lockPath);
+		return Math.max(0, nowMs - stat.mtimeMs) > staleMs;
+	} catch (error) {
+		return error?.code !== "ENOENT";
+	}
+}
+function shouldTreatAsOrphanSelfLock(params) {
+	if ((isValidLockNumber(params.payload?.pid) ? params.payload.pid : null) !== process.pid) return false;
+	if (isValidLockNumber(params.payload?.starttime)) return false;
+	return !HELD_LOCKS.has(params.normalizedSessionFile);
+}
+async function cleanStaleLockFiles(params) {
+	const sessionsDir = path.resolve(params.sessionsDir);
+	const staleMs = resolvePositiveMs(params.staleMs, DEFAULT_STALE_MS);
+	const removeStale = params.removeStale !== false;
+	const nowMs = params.nowMs ?? Date.now();
+	let entries = [];
+	try {
+		entries = await fs$1.readdir(sessionsDir, { withFileTypes: true });
+	} catch (err) {
+		if (err.code === "ENOENT") return {
+			locks: [],
+			cleaned: []
+		};
+		throw err;
+	}
+	const locks = [];
+	const cleaned = [];
+	const lockEntries = entries.filter((entry) => entry.name.endsWith(".jsonl.lock")).toSorted((a, b) => a.name.localeCompare(b.name));
+	for (const entry of lockEntries) {
+		const lockPath = path.join(sessionsDir, entry.name);
+		const lockInfo = {
+			lockPath,
+			...inspectLockPayload(await readLockPayload(lockPath), staleMs, nowMs),
+			removed: false
+		};
+		if (lockInfo.stale && removeStale) {
+			await fs$1.rm(lockPath, { force: true });
+			lockInfo.removed = true;
+			cleaned.push(lockInfo);
+			params.log?.warn?.(`removed stale session lock: ${lockPath} (${lockInfo.staleReasons.join(", ") || "unknown"})`);
+		}
+		locks.push(lockInfo);
+	}
+	return {
+		locks,
+		cleaned
+	};
+}
+async function acquireSessionWriteLock(params) {
+	registerCleanupHandlers();
+	const timeoutMs = resolvePositiveMs(params.timeoutMs, 1e4, { allowInfinity: true });
+	const staleMs = resolvePositiveMs(params.staleMs, DEFAULT_STALE_MS);
+	const maxHoldMs = resolvePositiveMs(params.maxHoldMs, DEFAULT_MAX_HOLD_MS);
+	const sessionFile = path.resolve(params.sessionFile);
+	const sessionDir = path.dirname(sessionFile);
+	await fs$1.mkdir(sessionDir, { recursive: true });
+	let normalizedDir = sessionDir;
+	try {
+		normalizedDir = await fs$1.realpath(sessionDir);
+	} catch {}
+	const normalizedSessionFile = path.join(normalizedDir, path.basename(sessionFile));
+	const lockPath = `${normalizedSessionFile}.lock`;
+	const allowReentrant = params.allowReentrant ?? true;
+	const held = HELD_LOCKS.get(normalizedSessionFile);
+	if (allowReentrant && held) {
+		held.count += 1;
+		return { release: async () => {
+			await releaseHeldLock(normalizedSessionFile, held);
+		} };
+	}
+	const startedAt = Date.now();
+	let attempt = 0;
+	while (Date.now() - startedAt < timeoutMs) {
+		attempt += 1;
+		let handle = null;
+		try {
+			handle = await fs$1.open(lockPath, "wx");
+			const createdAt = (/* @__PURE__ */ new Date()).toISOString();
+			const starttime = getProcessStartTime(process.pid);
+			const lockPayload = {
+				pid: process.pid,
+				createdAt
+			};
+			if (starttime !== null) lockPayload.starttime = starttime;
+			await handle.writeFile(JSON.stringify(lockPayload, null, 2), "utf8");
+			const createdHeld = {
+				count: 1,
+				handle,
+				lockPath,
+				acquiredAt: Date.now(),
+				maxHoldMs
+			};
+			HELD_LOCKS.set(normalizedSessionFile, createdHeld);
+			return { release: async () => {
+				await releaseHeldLock(normalizedSessionFile, createdHeld);
+			} };
+		} catch (err) {
+			if (handle) {
+				try {
+					await handle.close();
+				} catch {}
+				try {
+					await fs$1.rm(lockPath, { force: true });
+				} catch {}
+			}
+			if (err.code !== "EEXIST") throw err;
+			const payload = await readLockPayload(lockPath);
+			const nowMs = Date.now();
+			const inspected = inspectLockPayload(payload, staleMs, nowMs);
+			if (await shouldReclaimContendedLockFile(lockPath, shouldTreatAsOrphanSelfLock({
+				payload,
+				normalizedSessionFile
+			}) ? {
+				...inspected,
+				stale: true,
+				staleReasons: inspected.staleReasons.includes("orphan-self-pid") ? inspected.staleReasons : [...inspected.staleReasons, "orphan-self-pid"]
+			} : inspected, staleMs, nowMs)) {
+				await fs$1.rm(lockPath, { force: true });
+				continue;
+			}
+			const delay = Math.min(1e3, 50 * attempt);
+			await new Promise((r) => setTimeout(r, delay));
+		}
+	}
+	const payload = await readLockPayload(lockPath);
+	const owner = typeof payload?.pid === "number" ? `pid=${payload.pid}` : "unknown";
+	throw new Error(`session file locked (timeout ${timeoutMs}ms): ${owner} ${lockPath}`);
+}
+[...CLEANUP_SIGNALS];
+//#endregion
+//#region src/agents/sandbox/registry.ts
+function isRecord(value) {
+	return Boolean(value) && typeof value === "object";
+}
+function isRegistryEntry(value) {
+	return isRecord(value) && typeof value.containerName === "string";
+}
+function normalizeSandboxRegistryEntry(entry) {
+	return {
+		...entry,
+		backendId: entry.backendId?.trim() || "docker",
+		runtimeLabel: entry.runtimeLabel?.trim() || entry.containerName,
+		configLabelKind: entry.configLabelKind?.trim() || "Image"
+	};
+}
+function isRegistryFile(value) {
+	if (!isRecord(value)) return false;
+	const maybeEntries = value.entries;
+	return Array.isArray(maybeEntries) && maybeEntries.every(isRegistryEntry);
+}
+async function withRegistryLock(registryPath, fn) {
+	const lock = await acquireSessionWriteLock({
+		sessionFile: registryPath,
+		allowReentrant: false
+	});
+	try {
+		return await fn();
+	} finally {
+		await lock.release();
+	}
+}
+async function readRegistryFromFile(registryPath, mode) {
+	try {
+		const raw = await fs$1.readFile(registryPath, "utf-8");
+		const parsed = JSON.parse(raw);
+		if (isRegistryFile(parsed)) return parsed;
+		if (mode === "fallback") return { entries: [] };
+		throw new Error(`Invalid sandbox registry format: ${registryPath}`);
+	} catch (error) {
+		if (error?.code === "ENOENT") return { entries: [] };
+		if (mode === "fallback") return { entries: [] };
+		if (error instanceof Error) throw error;
+		throw new Error(`Failed to read sandbox registry file: ${registryPath}`, { cause: error });
+	}
+}
+async function writeRegistryFile(registryPath, registry) {
+	await writeJsonAtomic(registryPath, registry, { trailingNewline: true });
+}
+async function readRegistry() {
+	return { entries: (await readRegistryFromFile(SANDBOX_REGISTRY_PATH, "fallback")).entries.map((entry) => normalizeSandboxRegistryEntry(entry)) };
+}
+function upsertEntry(entries, entry) {
+	const existing = entries.find((item) => item.containerName === entry.containerName);
+	const next = entries.filter((item) => item.containerName !== entry.containerName);
+	next.push({
+		...entry,
+		backendId: entry.backendId ?? existing?.backendId,
+		runtimeLabel: entry.runtimeLabel ?? existing?.runtimeLabel,
+		createdAtMs: existing?.createdAtMs ?? entry.createdAtMs,
+		image: existing?.image ?? entry.image,
+		configLabelKind: entry.configLabelKind ?? existing?.configLabelKind,
+		configHash: entry.configHash ?? existing?.configHash
+	});
+	return next;
+}
+function removeEntry(entries, containerName) {
+	return entries.filter((entry) => entry.containerName !== containerName);
+}
+async function withRegistryMutation(registryPath, mutate) {
+	await withRegistryLock(registryPath, async () => {
+		const next = mutate((await readRegistryFromFile(registryPath, "strict")).entries);
+		if (next === null) return;
+		await writeRegistryFile(registryPath, { entries: next });
+	});
+}
+async function updateRegistry(entry) {
+	await withRegistryMutation(SANDBOX_REGISTRY_PATH, (entries) => upsertEntry(entries, entry));
+}
+async function removeRegistryEntry(containerName) {
+	await withRegistryMutation(SANDBOX_REGISTRY_PATH, (entries) => {
+		const next = removeEntry(entries, containerName);
+		if (next.length === entries.length) return null;
+		return next;
+	});
+}
+async function readBrowserRegistry() {
+	return await readRegistryFromFile(SANDBOX_BROWSER_REGISTRY_PATH, "fallback");
+}
+async function updateBrowserRegistry(entry) {
+	await withRegistryMutation(SANDBOX_BROWSER_REGISTRY_PATH, (entries) => upsertEntry(entries, entry));
+}
+async function removeBrowserRegistryEntry(containerName) {
+	await withRegistryMutation(SANDBOX_BROWSER_REGISTRY_PATH, (entries) => {
+		const next = removeEntry(entries, containerName);
+		if (next.length === entries.length) return null;
+		return next;
+	});
+}
+//#endregion
+//#region src/agents/sandbox/shared.ts
+function slugifySessionKey(value) {
+	const trimmed = value.trim() || "session";
+	const hash = hashTextSha256(trimmed).slice(0, 8);
+	return `${trimmed.toLowerCase().replace(/[^a-z0-9._-]+/g, "-").replace(/^-+|-+$/g, "").slice(0, 32) || "session"}-${hash}`;
+}
+function resolveSandboxWorkspaceDir(root, sessionKey) {
+	const resolvedRoot = resolveUserPath(root);
+	const slug = slugifySessionKey(sessionKey);
+	return path.join(resolvedRoot, slug);
+}
+function resolveSandboxScopeKey(scope, sessionKey) {
+	const trimmed = sessionKey.trim() || "main";
+	if (scope === "shared") return "shared";
+	if (scope === "session") return trimmed;
+	return `agent:${resolveAgentIdFromSessionKey(trimmed)}`;
+}
+function resolveSandboxAgentId(scopeKey) {
+	const trimmed = scopeKey.trim();
+	if (!trimmed || trimmed === "shared") return;
+	const parts = trimmed.split(":").filter(Boolean);
+	if (parts[0] === "agent" && parts[1]) return normalizeAgentId(parts[1]);
+	return resolveAgentIdFromSessionKey(trimmed);
+}
+//#endregion
+//#region src/agents/sandbox/bind-spec.ts
+function splitSandboxBindSpec(spec) {
+	const separator = getHostContainerSeparatorIndex(spec);
+	if (separator === -1) return null;
+	const host = spec.slice(0, separator);
+	const rest = spec.slice(separator + 1);
+	const optionsStart = rest.indexOf(":");
+	if (optionsStart === -1) return {
+		host,
+		container: rest,
+		options: ""
+	};
+	return {
+		host,
+		container: rest.slice(0, optionsStart),
+		options: rest.slice(optionsStart + 1)
+	};
+}
+function getHostContainerSeparatorIndex(spec) {
+	const hasDriveLetterPrefix = /^[A-Za-z]:[\\/]/.test(spec);
+	for (let i = hasDriveLetterPrefix ? 2 : 0; i < spec.length; i += 1) if (spec[i] === ":") return i;
+	return -1;
+}
+//#endregion
+//#region src/agents/sandbox/host-paths.ts
+function stripWindowsNamespacePrefix(input) {
+	if (input.startsWith("\\\\?\\")) {
+		const withoutPrefix = input.slice(4);
+		if (withoutPrefix.toUpperCase().startsWith("UNC\\")) return `\\\\${withoutPrefix.slice(4)}`;
+		return withoutPrefix;
+	}
+	if (input.startsWith("//?/")) {
+		const withoutPrefix = input.slice(4);
+		if (withoutPrefix.toUpperCase().startsWith("UNC/")) return `//${withoutPrefix.slice(4)}`;
+		return withoutPrefix;
+	}
+	return input;
+}
+/**
+* Normalize a POSIX host path: resolve `.`, `..`, collapse `//`, strip trailing `/`.
+*/
+function normalizeSandboxHostPath(raw) {
+	const trimmed = stripWindowsNamespacePrefix(raw.trim());
+	if (!trimmed) return "/";
+	return posix.normalize(trimmed.replaceAll("\\", "/")).replace(/\/+$/, "") || "/";
+}
+/**
+* Resolve a path through the deepest existing ancestor so parent symlinks are honored
+* even when the final source leaf does not exist yet.
+*/
+function resolveSandboxHostPathViaExistingAncestor(sourcePath) {
+	if (!sourcePath.startsWith("/")) return sourcePath;
+	return normalizeSandboxHostPath(resolvePathViaExistingAncestorSync(sourcePath));
+}
+//#endregion
+//#region src/agents/sandbox/validate-sandbox-security.ts
+/**
+* Sandbox security validation — blocks dangerous Docker configurations.
+*
+* Threat model: local-trusted config, but protect against foot-guns and config injection.
+* Enforced at runtime when creating sandbox containers.
+*/
+const BLOCKED_HOST_PATHS = [
+	"/etc",
+	"/private/etc",
+	"/proc",
+	"/sys",
+	"/dev",
+	"/root",
+	"/boot",
+	"/run",
+	"/var/run",
+	"/private/var/run",
+	"/var/run/docker.sock",
+	"/private/var/run/docker.sock",
+	"/run/docker.sock"
+];
+const BLOCKED_SECCOMP_PROFILES = new Set(["unconfined"]);
+const BLOCKED_APPARMOR_PROFILES = new Set(["unconfined"]);
+const RESERVED_CONTAINER_TARGET_PATHS = ["/workspace", SANDBOX_AGENT_WORKSPACE_MOUNT];
+function parseBindSpec(bind) {
+	const trimmed = bind.trim();
+	const parsed = splitSandboxBindSpec(trimmed);
+	if (!parsed) return {
+		source: trimmed,
+		target: ""
+	};
+	return {
+		source: parsed.host,
+		target: parsed.container
+	};
+}
+/**
+* Parse the host/source path from a Docker bind mount string.
+* Format: `source:target[:mode]`
+*/
+function parseBindSourcePath(bind) {
+	return parseBindSpec(bind).source.trim();
+}
+function parseBindTargetPath(bind) {
+	return parseBindSpec(bind).target.trim();
+}
+/**
+* Normalize a POSIX path: resolve `.`, `..`, collapse `//`, strip trailing `/`.
+*/
+function normalizeHostPath(raw) {
+	return normalizeSandboxHostPath(raw);
+}
+/**
+* String-only blocked-path check (no filesystem I/O).
+* Blocks:
+* - binds that target blocked paths (equal or under)
+* - binds that cover the system root (mounting "/" is never safe)
+* - non-absolute source paths (relative / volume names) because they are hard to validate safely
+*/
+function getBlockedBindReason(bind) {
+	const sourceRaw = parseBindSourcePath(bind);
+	if (!sourceRaw.startsWith("/")) return {
+		kind: "non_absolute",
+		sourcePath: sourceRaw
+	};
+	return getBlockedReasonForSourcePath(normalizeHostPath(sourceRaw));
+}
+function getBlockedReasonForSourcePath(sourceNormalized) {
+	if (sourceNormalized === "/") return {
+		kind: "covers",
+		blockedPath: "/"
+	};
+	for (const blocked of BLOCKED_HOST_PATHS) if (sourceNormalized === blocked || sourceNormalized.startsWith(blocked + "/")) return {
+		kind: "targets",
+		blockedPath: blocked
+	};
+	return null;
+}
+function normalizeAllowedRoots(roots) {
+	if (!roots?.length) return [];
+	const normalized = roots.map((entry) => entry.trim()).filter((entry) => entry.startsWith("/")).map(normalizeHostPath);
+	const expanded = /* @__PURE__ */ new Set();
+	for (const root of normalized) {
+		expanded.add(root);
+		const real = resolveSandboxHostPathViaExistingAncestor(root);
+		if (real !== root) expanded.add(real);
+	}
+	return [...expanded];
+}
+function isPathInsidePosix(root, target) {
+	if (root === "/") return true;
+	return target === root || target.startsWith(`${root}/`);
+}
+function getOutsideAllowedRootsReason(sourceNormalized, allowedRoots) {
+	if (allowedRoots.length === 0) return null;
+	for (const root of allowedRoots) if (isPathInsidePosix(root, sourceNormalized)) return null;
+	return {
+		kind: "outside_allowed_roots",
+		sourcePath: sourceNormalized,
+		allowedRoots
+	};
+}
+function getReservedTargetReason(bind) {
+	const targetRaw = parseBindTargetPath(bind);
+	if (!targetRaw || !targetRaw.startsWith("/")) return null;
+	const target = normalizeHostPath(targetRaw);
+	for (const reserved of RESERVED_CONTAINER_TARGET_PATHS) if (isPathInsidePosix(reserved, target)) return {
+		kind: "reserved_target",
+		targetPath: target,
+		reservedPath: reserved
+	};
+	return null;
+}
+function enforceSourcePathPolicy(params) {
+	const blockedReason = getBlockedReasonForSourcePath(params.sourcePath);
+	if (blockedReason) throw formatBindBlockedError({
+		bind: params.bind,
+		reason: blockedReason
+	});
+	if (params.allowSourcesOutsideAllowedRoots) return;
+	const allowedReason = getOutsideAllowedRootsReason(params.sourcePath, params.allowedRoots);
+	if (allowedReason) throw formatBindBlockedError({
+		bind: params.bind,
+		reason: allowedReason
+	});
+}
+function formatBindBlockedError(params) {
+	if (params.reason.kind === "non_absolute") return /* @__PURE__ */ new Error(`Sandbox security: bind mount "${params.bind}" uses a non-absolute source path "${params.reason.sourcePath}". Only absolute POSIX paths are supported for sandbox binds.`);
+	if (params.reason.kind === "outside_allowed_roots") return /* @__PURE__ */ new Error(`Sandbox security: bind mount "${params.bind}" source "${params.reason.sourcePath}" is outside allowed roots (${params.reason.allowedRoots.join(", ")}). Use a dangerous override only when you fully trust this runtime.`);
+	if (params.reason.kind === "reserved_target") return /* @__PURE__ */ new Error(`Sandbox security: bind mount "${params.bind}" targets reserved container path "${params.reason.reservedPath}" (resolved target: "${params.reason.targetPath}"). This can shadow moldClaw sandbox mounts. Use a dangerous override only when you fully trust this runtime.`);
+	const verb = params.reason.kind === "covers" ? "covers" : "targets";
+	return /* @__PURE__ */ new Error(`Sandbox security: bind mount "${params.bind}" ${verb} blocked path "${params.reason.blockedPath}". Mounting system directories (or Docker socket paths) into sandbox containers is not allowed. Use project-specific paths instead (e.g. /home/user/myproject).`);
+}
+/**
+* Validate bind mounts — throws if any source path is dangerous.
+* Includes a symlink/realpath pass via existing ancestors so non-existent leaf
+* paths cannot bypass source-root and blocked-path checks.
+*/
+function validateBindMounts(binds, options) {
+	if (!binds?.length) return;
+	const allowedRoots = normalizeAllowedRoots(options?.allowedSourceRoots);
+	for (const rawBind of binds) {
+		const bind = rawBind.trim();
+		if (!bind) continue;
+		const blocked = getBlockedBindReason(bind);
+		if (blocked) throw formatBindBlockedError({
+			bind,
+			reason: blocked
+		});
+		if (!options?.allowReservedContainerTargets) {
+			const reservedTarget = getReservedTargetReason(bind);
+			if (reservedTarget) throw formatBindBlockedError({
+				bind,
+				reason: reservedTarget
+			});
+		}
+		const sourceNormalized = normalizeHostPath(parseBindSourcePath(bind));
+		enforceSourcePathPolicy({
+			bind,
+			sourcePath: sourceNormalized,
+			allowedRoots,
+			allowSourcesOutsideAllowedRoots: options?.allowSourcesOutsideAllowedRoots === true
+		});
+		enforceSourcePathPolicy({
+			bind,
+			sourcePath: resolveSandboxHostPathViaExistingAncestor(sourceNormalized),
+			allowedRoots,
+			allowSourcesOutsideAllowedRoots: options?.allowSourcesOutsideAllowedRoots === true
+		});
+	}
+}
+function validateNetworkMode(network, options) {
+	const blockedReason = getBlockedNetworkModeReason({
+		network,
+		allowContainerNamespaceJoin: options?.allowContainerNamespaceJoin
+	});
+	if (blockedReason === "host") throw new Error(`Sandbox security: network mode "${network}" is blocked. Network "host" mode bypasses container network isolation. Use "bridge" or "none" instead.`);
+	if (blockedReason === "container_namespace_join") throw new Error(`Sandbox security: network mode "${network}" is blocked by default. Network "container:*" joins another container namespace and bypasses sandbox network isolation. Use a custom bridge network, or set dangerouslyAllowContainerNamespaceJoin=true only when you fully trust this runtime.`);
+}
+function validateSeccompProfile(profile) {
+	if (profile && BLOCKED_SECCOMP_PROFILES.has(profile.trim().toLowerCase())) throw new Error(`Sandbox security: seccomp profile "${profile}" is blocked. Disabling seccomp removes syscall filtering and weakens sandbox isolation. Use a custom seccomp profile file or omit this setting.`);
+}
+function validateApparmorProfile(profile) {
+	if (profile && BLOCKED_APPARMOR_PROFILES.has(profile.trim().toLowerCase())) throw new Error(`Sandbox security: apparmor profile "${profile}" is blocked. Disabling AppArmor removes mandatory access controls and weakens sandbox isolation. Use a named AppArmor profile or omit this setting.`);
+}
+function validateSandboxSecurity(cfg) {
+	validateBindMounts(cfg.binds, cfg);
+	validateNetworkMode(cfg.network, { allowContainerNamespaceJoin: cfg.dangerouslyAllowContainerNamespaceJoin === true });
+	validateSeccompProfile(cfg.seccompProfile);
+	validateApparmorProfile(cfg.apparmorProfile);
+}
+//#endregion
+//#region src/agents/sandbox/workspace-mounts.ts
+function mainWorkspaceMountSuffix(access) {
+	return access === "rw" ? "" : ":ro";
+}
+function agentWorkspaceMountSuffix(access) {
+	return access === "ro" ? ":ro" : "";
+}
+function appendWorkspaceMountArgs(params) {
+	const { args, workspaceDir, agentWorkspaceDir, workdir, workspaceAccess } = params;
+	args.push("-v", `${workspaceDir}:${workdir}${mainWorkspaceMountSuffix(workspaceAccess)}`);
+	if (workspaceAccess !== "none" && workspaceDir !== agentWorkspaceDir) args.push("-v", `${agentWorkspaceDir}:${SANDBOX_AGENT_WORKSPACE_MOUNT}${agentWorkspaceMountSuffix(workspaceAccess)}`);
+}
+//#endregion
+//#region src/agents/sandbox/docker.ts
+function createAbortError() {
+	const err = /* @__PURE__ */ new Error("Aborted");
+	err.name = "AbortError";
+	return err;
+}
+const DEFAULT_DOCKER_SPAWN_RUNTIME = {
+	platform: process.platform,
+	env: process.env,
+	execPath: process.execPath
+};
+function resolveDockerSpawnInvocation(args, runtime = DEFAULT_DOCKER_SPAWN_RUNTIME) {
+	const resolved = materializeWindowsSpawnProgram(resolveWindowsSpawnProgram({
+		command: "docker",
+		platform: runtime.platform,
+		env: runtime.env,
+		execPath: runtime.execPath,
+		packageName: "docker",
+		allowShellFallback: false
+	}), args);
+	return {
+		command: resolved.command,
+		args: resolved.argv,
+		shell: resolved.shell,
+		windowsHide: resolved.windowsHide
+	};
+}
+function execDockerRaw(args, opts) {
+	return new Promise((resolve, reject) => {
+		const spawnInvocation = resolveDockerSpawnInvocation(args);
+		const child = spawn(spawnInvocation.command, spawnInvocation.args, {
+			stdio: [
+				"pipe",
+				"pipe",
+				"pipe"
+			],
+			shell: spawnInvocation.shell,
+			windowsHide: spawnInvocation.windowsHide
+		});
+		const stdoutChunks = [];
+		const stderrChunks = [];
+		let aborted = false;
+		const signal = opts?.signal;
+		const handleAbort = () => {
+			if (aborted) return;
+			aborted = true;
+			child.kill("SIGTERM");
+		};
+		if (signal) if (signal.aborted) handleAbort();
+		else signal.addEventListener("abort", handleAbort);
+		child.stdout?.on("data", (chunk) => {
+			stdoutChunks.push(Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk));
+		});
+		child.stderr?.on("data", (chunk) => {
+			stderrChunks.push(Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk));
+		});
+		child.on("error", (error) => {
+			if (signal) signal.removeEventListener("abort", handleAbort);
+			if (error && typeof error === "object" && "code" in error && error.code === "ENOENT") {
+				reject(Object.assign(/* @__PURE__ */ new Error("Sandbox mode requires Docker, but the \"docker\" command was not found in PATH. Install Docker (and ensure \"docker\" is available), or set `agents.defaults.sandbox.mode=off` to disable sandboxing."), {
+					code: "INVALID_CONFIG",
+					cause: error
+				}));
+				return;
+			}
+			reject(error);
+		});
+		child.on("close", (code) => {
+			if (signal) signal.removeEventListener("abort", handleAbort);
+			const stdout = Buffer.concat(stdoutChunks);
+			const stderr = Buffer.concat(stderrChunks);
+			if (aborted || signal?.aborted) {
+				reject(createAbortError());
+				return;
+			}
+			const exitCode = code ?? 0;
+			if (exitCode !== 0 && !opts?.allowFailure) {
+				const message = stderr.length > 0 ? stderr.toString("utf8").trim() : "";
+				reject(Object.assign(new Error(message || `docker ${args.join(" ")} failed`), {
+					code: exitCode,
+					stdout,
+					stderr
+				}));
+				return;
+			}
+			resolve({
+				stdout,
+				stderr,
+				code: exitCode
+			});
+		});
+		const stdin = child.stdin;
+		if (stdin) if (opts?.input !== void 0) stdin.end(opts.input);
+		else stdin.end();
+	});
+}
+const log = createSubsystemLogger("docker");
+const HOT_CONTAINER_WINDOW_MS = 300 * 1e3;
+async function execDocker(args, opts) {
+	const result = await execDockerRaw(args, opts);
+	return {
+		stdout: result.stdout.toString("utf8"),
+		stderr: result.stderr.toString("utf8"),
+		code: result.code
+	};
+}
+async function readDockerContainerLabel(containerName, label) {
+	const result = await execDocker([
+		"inspect",
+		"-f",
+		`{{ index .Config.Labels "${label}" }}`,
+		containerName
+	], { allowFailure: true });
+	if (result.code !== 0) return null;
+	const raw = result.stdout.trim();
+	if (!raw || raw === "<no value>") return null;
+	return raw;
+}
+async function readDockerContainerEnvVar(containerName, envVar) {
+	const result = await execDocker([
+		"inspect",
+		"-f",
+		"{{range .Config.Env}}{{println .}}{{end}}",
+		containerName
+	], { allowFailure: true });
+	if (result.code !== 0) return null;
+	for (const line of result.stdout.split(/\r?\n/)) if (line.startsWith(`${envVar}=`)) return line.slice(envVar.length + 1);
+	return null;
+}
+async function readDockerPort(containerName, port) {
+	const result = await execDocker([
+		"port",
+		containerName,
+		`${port}/tcp`
+	], { allowFailure: true });
+	if (result.code !== 0) return null;
+	const match = (result.stdout.trim().split(/\r?\n/)[0] ?? "").match(/:(\d+)\s*$/);
+	if (!match) return null;
+	const mapped = Number.parseInt(match[1] ?? "", 10);
+	return Number.isFinite(mapped) ? mapped : null;
+}
+async function dockerImageExists(image) {
+	const result = await execDocker([
+		"image",
+		"inspect",
+		image
+	], { allowFailure: true });
+	if (result.code === 0) return true;
+	const stderr = result.stderr.trim();
+	if (stderr.includes("No such image")) return false;
+	throw new Error(`Failed to inspect sandbox image: ${stderr}`);
+}
+async function ensureDockerImage(image) {
+	if (await dockerImageExists(image)) return;
+	if (image === "moldclaw-sandbox:bookworm-slim") {
+		await execDocker(["pull", "debian:bookworm-slim"]);
+		await execDocker([
+			"tag",
+			"debian:bookworm-slim",
+			DEFAULT_SANDBOX_IMAGE
+		]);
+		return;
+	}
+	throw new Error(`Sandbox image not found: ${image}. Build or pull it first.`);
+}
+async function dockerContainerState(name) {
+	const result = await execDocker([
+		"inspect",
+		"-f",
+		"{{.State.Running}}",
+		name
+	], { allowFailure: true });
+	if (result.code !== 0) return {
+		exists: false,
+		running: false
+	};
+	return {
+		exists: true,
+		running: result.stdout.trim() === "true"
+	};
+}
+function normalizeDockerLimit(value) {
+	if (value === void 0 || value === null) return;
+	if (typeof value === "number") return Number.isFinite(value) ? String(value) : void 0;
+	const trimmed = value.trim();
+	return trimmed ? trimmed : void 0;
+}
+function formatUlimitValue(name, value) {
+	if (!name.trim()) return null;
+	if (typeof value === "number" || typeof value === "string") {
+		const raw = String(value).trim();
+		return raw ? `${name}=${raw}` : null;
+	}
+	const soft = typeof value.soft === "number" ? Math.max(0, value.soft) : void 0;
+	const hard = typeof value.hard === "number" ? Math.max(0, value.hard) : void 0;
+	if (soft === void 0 && hard === void 0) return null;
+	if (soft === void 0) return `${name}=${hard}`;
+	if (hard === void 0) return `${name}=${soft}`;
+	return `${name}=${soft}:${hard}`;
+}
+function buildSandboxCreateArgs(params) {
+	validateSandboxSecurity({
+		...params.cfg,
+		allowedSourceRoots: params.bindSourceRoots,
+		allowSourcesOutsideAllowedRoots: params.allowSourcesOutsideAllowedRoots ?? params.cfg.dangerouslyAllowExternalBindSources === true,
+		allowReservedContainerTargets: params.allowReservedContainerTargets ?? params.cfg.dangerouslyAllowReservedContainerTargets === true,
+		dangerouslyAllowContainerNamespaceJoin: params.allowContainerNamespaceJoin ?? params.cfg.dangerouslyAllowContainerNamespaceJoin === true
+	});
+	const createdAtMs = params.createdAtMs ?? Date.now();
+	const args = [
+		"create",
+		"--name",
+		params.name
+	];
+	args.push("--label", "moldclaw.sandbox=1");
+	args.push("--label", `moldclaw.sessionKey=${params.scopeKey}`);
+	args.push("--label", `moldclaw.createdAtMs=${createdAtMs}`);
+	if (params.configHash) args.push("--label", `moldclaw.configHash=${params.configHash}`);
+	for (const [key, value] of Object.entries(params.labels ?? {})) if (key && value) args.push("--label", `${key}=${value}`);
+	if (params.cfg.readOnlyRoot) args.push("--read-only");
+	for (const entry of params.cfg.tmpfs) args.push("--tmpfs", entry);
+	if (params.cfg.network) args.push("--network", params.cfg.network);
+	if (params.cfg.user) args.push("--user", params.cfg.user);
+	const envSanitization = sanitizeEnvVars(params.cfg.env ?? {}, params.envSanitizationOptions);
+	if (envSanitization.blocked.length > 0) log.warn(`Blocked sensitive environment variables: ${envSanitization.blocked.join(", ")}`);
+	if (envSanitization.warnings.length > 0) log.warn(`Suspicious environment variables: ${envSanitization.warnings.join(", ")}`);
+	for (const [key, value] of Object.entries(markmoldClawExecEnv(envSanitization.allowed))) args.push("--env", `${key}=${value}`);
+	for (const cap of params.cfg.capDrop) args.push("--cap-drop", cap);
+	args.push("--security-opt", "no-new-privileges");
+	if (params.cfg.seccompProfile) args.push("--security-opt", `seccomp=${params.cfg.seccompProfile}`);
+	if (params.cfg.apparmorProfile) args.push("--security-opt", `apparmor=${params.cfg.apparmorProfile}`);
+	for (const entry of params.cfg.dns ?? []) if (entry.trim()) args.push("--dns", entry);
+	for (const entry of params.cfg.extraHosts ?? []) if (entry.trim()) args.push("--add-host", entry);
+	if (typeof params.cfg.pidsLimit === "number" && params.cfg.pidsLimit > 0) args.push("--pids-limit", String(params.cfg.pidsLimit));
+	const memory = normalizeDockerLimit(params.cfg.memory);
+	if (memory) args.push("--memory", memory);
+	const memorySwap = normalizeDockerLimit(params.cfg.memorySwap);
+	if (memorySwap) args.push("--memory-swap", memorySwap);
+	if (typeof params.cfg.cpus === "number" && params.cfg.cpus > 0) args.push("--cpus", String(params.cfg.cpus));
+	for (const [name, value] of Object.entries(params.cfg.ulimits ?? {})) {
+		const formatted = formatUlimitValue(name, value);
+		if (formatted) args.push("--ulimit", formatted);
+	}
+	if (params.includeBinds !== false && params.cfg.binds?.length) for (const bind of params.cfg.binds) args.push("-v", bind);
+	return args;
+}
+function appendCustomBinds(args, cfg) {
+	if (!cfg.binds?.length) return;
+	for (const bind of cfg.binds) args.push("-v", bind);
+}
+async function createSandboxContainer(params) {
+	const { name, cfg, workspaceDir, scopeKey } = params;
+	await ensureDockerImage(cfg.image);
+	const args = buildSandboxCreateArgs({
+		name,
+		cfg,
+		scopeKey,
+		configHash: params.configHash,
+		includeBinds: false,
+		bindSourceRoots: [workspaceDir, params.agentWorkspaceDir]
+	});
+	args.push("--workdir", cfg.workdir);
+	appendWorkspaceMountArgs({
+		args,
+		workspaceDir,
+		agentWorkspaceDir: params.agentWorkspaceDir,
+		workdir: cfg.workdir,
+		workspaceAccess: params.workspaceAccess
+	});
+	appendCustomBinds(args, cfg);
+	args.push(cfg.image, "sleep", "infinity");
+	await execDocker(args);
+	await execDocker(["start", name]);
+	if (cfg.setupCommand?.trim()) await execDocker([
+		"exec",
+		"-i",
+		name,
+		"/bin/sh",
+		"-lc",
+		cfg.setupCommand
+	]);
+}
+async function readContainerConfigHash(containerName) {
+	return await readDockerContainerLabel(containerName, "moldclaw.configHash");
+}
+function formatSandboxRecreateHint(params) {
+	if (params.scope === "session") return formatCliCommand(`moldclaw sandbox recreate --session ${params.sessionKey}`);
+	if (params.scope === "agent") return formatCliCommand(`moldclaw sandbox recreate --agent ${resolveSandboxAgentId(params.sessionKey) ?? "main"}`);
+	return formatCliCommand("moldclaw sandbox recreate --all");
+}
+async function ensureSandboxContainer(params) {
+	const scopeKey = resolveSandboxScopeKey(params.cfg.scope, params.sessionKey);
+	const slug = params.cfg.scope === "shared" ? "shared" : slugifySessionKey(scopeKey);
+	const containerName = `${params.cfg.docker.containerPrefix}${slug}`.slice(0, 63);
+	const expectedHash = computeSandboxConfigHash({
+		docker: params.cfg.docker,
+		workspaceAccess: params.cfg.workspaceAccess,
+		workspaceDir: params.workspaceDir,
+		agentWorkspaceDir: params.agentWorkspaceDir
+	});
+	const now = Date.now();
+	const state = await dockerContainerState(containerName);
+	let hasContainer = state.exists;
+	let running = state.running;
+	let currentHash = null;
+	let hashMismatch = false;
+	let registryEntry;
+	if (hasContainer) {
+		registryEntry = (await readRegistry()).entries.find((entry) => entry.containerName === containerName);
+		currentHash = await readContainerConfigHash(containerName);
+		if (!currentHash) currentHash = registryEntry?.configHash ?? null;
+		hashMismatch = !currentHash || currentHash !== expectedHash;
+		if (hashMismatch) {
+			const lastUsedAtMs = registryEntry?.lastUsedAtMs;
+			if (running && (typeof lastUsedAtMs !== "number" || now - lastUsedAtMs < HOT_CONTAINER_WINDOW_MS)) {
+				const hint = formatSandboxRecreateHint({
+					scope: params.cfg.scope,
+					sessionKey: scopeKey
+				});
+				defaultRuntime.log(`Sandbox config changed for ${containerName} (recently used). Recreate to apply: ${hint}`);
+			} else {
+				await execDocker([
+					"rm",
+					"-f",
+					containerName
+				], { allowFailure: true });
+				hasContainer = false;
+				running = false;
+			}
+		}
+	}
+	if (!hasContainer) await createSandboxContainer({
+		name: containerName,
+		cfg: params.cfg.docker,
+		workspaceDir: params.workspaceDir,
+		workspaceAccess: params.cfg.workspaceAccess,
+		agentWorkspaceDir: params.agentWorkspaceDir,
+		scopeKey,
+		configHash: expectedHash
+	});
+	else if (!running) await execDocker(["start", containerName]);
+	await updateRegistry({
+		containerName,
+		backendId: "docker",
+		runtimeLabel: containerName,
+		sessionKey: scopeKey,
+		createdAtMs: now,
+		lastUsedAtMs: now,
+		image: params.cfg.docker.image,
+		configLabelKind: "Image",
+		configHash: hashMismatch && running ? currentHash ?? void 0 : expectedHash
+	});
+	return containerName;
+}
+//#endregion
+//#region src/config/commands.ts
+function resolveAutoDefault(providerId) {
+	const id = normalizeChannelId(providerId);
+	if (!id) return false;
+	if (id === "discord" || id === "telegram") return true;
+	if (id === "slack") return false;
+	return false;
+}
+function resolveNativeSkillsEnabled(params) {
+	return resolveNativeCommandSetting(params);
+}
+function resolveNativeCommandsEnabled(params) {
+	return resolveNativeCommandSetting(params);
+}
+function resolveNativeCommandSetting(params) {
+	const { providerId, providerSetting, globalSetting } = params;
+	const setting = providerSetting === void 0 ? globalSetting : providerSetting;
+	if (setting === true) return true;
+	if (setting === false) return false;
+	return resolveAutoDefault(providerId);
+}
+function isNativeCommandsExplicitlyDisabled(params) {
+	const { providerSetting, globalSetting } = params;
+	if (providerSetting === false) return true;
+	if (providerSetting === void 0) return globalSetting === false;
+	return false;
+}
+function getOwnCommandFlagValue(config, key) {
+	const { commands } = config ?? {};
+	if (!isPlainObject(commands) || !Object.hasOwn(commands, key)) return;
+	return commands[key];
+}
+function isCommandFlagEnabled(config, key) {
+	return getOwnCommandFlagValue(config, key) === true;
+}
+function isRestartEnabled(config) {
+	return getOwnCommandFlagValue(config, "restart") !== false;
+}
+//#endregion
+//#region src/agents/sandbox-tool-policy.ts
+function unionAllow(base, extra) {
+	if (!Array.isArray(extra) || extra.length === 0) return base;
+	if (!Array.isArray(base) || base.length === 0) return Array.from(new Set(["*", ...extra]));
+	return Array.from(new Set([...base, ...extra]));
+}
+function pickSandboxToolPolicy(config) {
+	if (!config) return;
+	const allow = Array.isArray(config.allow) ? unionAllow(config.allow, config.alsoAllow) : Array.isArray(config.alsoAllow) && config.alsoAllow.length > 0 ? unionAllow(void 0, config.alsoAllow) : void 0;
+	const deny = Array.isArray(config.deny) ? config.deny : void 0;
+	if (!allow && !deny) return;
+	return {
+		allow,
+		deny
+	};
+}
+//#endregion
+//#region src/agents/tool-policy-match.ts
+function makeToolPolicyMatcher(policy) {
+	const deny = compileGlobPatterns({
+		raw: expandToolGroups(policy.deny ?? []),
+		normalize: normalizeToolName
+	});
+	const allow = compileGlobPatterns({
+		raw: expandToolGroups(policy.allow ?? []),
+		normalize: normalizeToolName
+	});
+	return (name) => {
+		const normalized = normalizeToolName(name);
+		if (matchesAnyGlobPattern(normalized, deny)) return false;
+		if (allow.length === 0) return true;
+		if (matchesAnyGlobPattern(normalized, allow)) return true;
+		if (normalized === "apply_patch" && matchesAnyGlobPattern("exec", allow)) return true;
+		return false;
+	};
+}
+function isToolAllowedByPolicyName(name, policy) {
+	if (!policy) return true;
+	return makeToolPolicyMatcher(policy)(name);
+}
+function isToolAllowedByPolicies(name, policies) {
+	return policies.every((policy) => isToolAllowedByPolicyName(name, policy));
+}
+//#endregion
+//#region src/agents/workspace-dirs.ts
+function listAgentWorkspaceDirs(cfg) {
+	const dirs = /* @__PURE__ */ new Set();
+	const list = cfg.agents?.list;
+	if (Array.isArray(list)) {
+		for (const entry of list) if (entry && typeof entry === "object" && typeof entry.id === "string") dirs.add(resolveAgentWorkspaceDir(cfg, entry.id));
+	}
+	dirs.add(resolveAgentWorkspaceDir(cfg, resolveDefaultAgentId(cfg)));
+	return [...dirs];
+}
+//#endregion
+export { listCoreToolSections as $, removeRegistryEntry as A, isToolAllowed as B, resolveSandboxAgentId as C, readBrowserRegistry as D, slugifySessionKey as E, resolveSessionLockMaxHoldFromTimeout as F, expandPolicyWithPluginGroups as G, applyOwnerOnlyToolPolicy as H, computeSandboxBrowserConfigHash as I, expandToolGroups as J, mergeAlsoAllowPolicy as K, resolveSandboxBrowserDockerCreateConfig as L, updateRegistry as M, acquireSessionWriteLock as N, readRegistry as O, cleanStaleLockFiles as P, isKnownCoreToolId as Q, resolveSandboxConfigForAgent as R, splitSandboxBindSpec as S, resolveSandboxWorkspaceDir as T, buildPluginToolGroups as U, resolveSandboxToolPolicyForAgent as V, collectExplicitAllowlist as W, resolveToolProfilePolicy as X, normalizeToolName as Y, PROFILE_OPTIONS as Z, readDockerPort as _, isCommandFlagEnabled as a, DEFAULT_SANDBOX_IMAGE as at, validateNetworkMode as b, resolveNativeCommandsEnabled as c, dockerContainerState as d, resolveCoreToolProfiles as et, ensureSandboxContainer as f, readDockerContainerLabel as g, readDockerContainerEnvVar as h, pickSandboxToolPolicy as i, DEFAULT_SANDBOX_COMMON_IMAGE as it, updateBrowserRegistry as j, removeBrowserRegistryEntry as k, resolveNativeSkillsEnabled as l, execDockerRaw as m, isToolAllowedByPolicies as n, matchesAnyGlobPattern as nt, isNativeCommandsExplicitlyDisabled as o, SANDBOX_AGENT_WORKSPACE_MOUNT as ot, execDocker as p, stripPluginOnlyAllowlist as q, isToolAllowedByPolicyName as r, DEFAULT_SANDBOX_BROWSER_IMAGE as rt, isRestartEnabled as s, SANDBOX_BROWSER_SECURITY_HASH_EPOCH as st, listAgentWorkspaceDirs as t, compileGlobPatterns as tt, buildSandboxCreateArgs as u, appendWorkspaceMountArgs as v, resolveSandboxScopeKey as w, resolveSandboxHostPathViaExistingAncestor as x, getBlockedBindReason as y, resolveSandboxScope as z };