clawmini 0.0.7 → 0.0.9

package/src/daemon/observation.test.ts

@@ -1,6 +1,6 @@
 import { describe, it, expect, vi, beforeEach } from 'vitest';
 import { userRouter as appRouter } from './api/index.js';
-import { daemonEvents, DAEMON_EVENT_MESSAGE_APPENDED } from './events.js';
+import { daemonEvents, emitMessageAppended } from './events.js';
 import * as daemonChats from './chats.js';
 
 vi.mock('./chats.js', async (importOriginal) => {
@@ -49,8 +49,8 @@ describe('Daemon Message Observation', () => {
     const result = (await iterator.next()).value;
 
     expect(result).toHaveLength(2);
-    expect(result![0]!.id).toBe('2');
-    expect(result![1]!.id).toBe('3');
+    expect(result![0]).toMatchObject({ kind: 'message', message: { id: '2' } });
+    expect(result![1]).toMatchObject({ kind: 'message', message: { id: '3' } });
   });
 
   it('waitForMessages should wait for a new message if none are available after lastMessageId', async () => {
@@ -67,16 +67,20 @@ describe('Daemon Message Observation', () => {
 
     const waitPromise = iterator.next();
 
-    const newMessage = { id: '2', role: 'log', content: 'hi', timestamp: '...' };
+    const newMessage = {
+      id: '2',
+      role: 'log' as const,
+      content: 'hi',
+      timestamp: '...',
+    } as unknown as import('./chats.js').ChatMessage;
 
-    // Simulate message arrival
-    setTimeout(() => {
-      daemonEvents.emit(DAEMON_EVENT_MESSAGE_APPENDED, { chatId: 'chat-1', message: newMessage });
-    }, 10);
+    // Simulate message arrival via the shared emit helper so the merged
+    // chat-stream channel receives it alongside the legacy one.
+    setTimeout(() => emitMessageAppended('chat-1', newMessage), 10);
 
     const result = await waitPromise;
     expect(result.value).toHaveLength(1);
-    expect(result.value![0]!.id).toBe('2');
+    expect(result.value![0]).toMatchObject({ kind: 'message', message: { id: '2' } });
   });
 
   it('waitForMessages should ignore messages for other chats while waiting', async () => {
@@ -95,10 +99,12 @@ describe('Daemon Message Observation', () => {
     iterator.next().then((res: any) => (yieldedValue = res.value));
 
     // Simulate message for another chat
-    daemonEvents.emit(DAEMON_EVENT_MESSAGE_APPENDED, {
-      chatId: 'other-chat',
-      message: { id: 'x', role: 'user', content: 'wrong', timestamp: '...' },
-    });
+    emitMessageAppended('other-chat', {
+      id: 'x',
+      role: 'user',
+      content: 'wrong',
+      timestamp: '...',
+    } as unknown as import('./chats.js').ChatMessage);
 
     // Wait a tick
     await new Promise((resolve) => setTimeout(resolve, 10));
@@ -106,13 +112,15 @@ describe('Daemon Message Observation', () => {
     expect(yieldedValue).toBeNull(); // Should still be waiting
 
     // Now simulate the correct chat
-    daemonEvents.emit(DAEMON_EVENT_MESSAGE_APPENDED, {
-      chatId: 'chat-1',
-      message: { id: 'y', role: 'user', content: 'right', timestamp: '...' },
-    });
+    emitMessageAppended('chat-1', {
+      id: 'y',
+      role: 'user',
+      content: 'right',
+      timestamp: '...',
+    } as unknown as import('./chats.js').ChatMessage);
 
     await new Promise((resolve) => setTimeout(resolve, 10));
     expect(yieldedValue).toHaveLength(1);
-    expect(yieldedValue![0]!.id).toBe('y');
+    expect(yieldedValue![0]).toMatchObject({ kind: 'message', message: { id: 'y' } });
   });
 });

package/src/daemon/pending-replies.test.ts

@@ -0,0 +1,112 @@
+import { describe, it, expect, beforeEach, afterEach, vi } from 'vitest';
+import fs from 'node:fs';
+import os from 'node:os';
+import path from 'node:path';
+
+import {
+  enqueuePendingReply,
+  dequeuePendingReply,
+  readPendingReplies,
+  getPendingRepliesPath,
+  drainPendingReplies,
+} from './pending-replies.js';
+
+describe('pending-replies queue', () => {
+  let tmp: string;
+
+  beforeEach(() => {
+    tmp = fs.mkdtempSync(path.join(os.tmpdir(), 'clawmini-pending-'));
+    fs.mkdirSync(path.join(tmp, '.clawmini'), { recursive: true });
+  });
+
+  afterEach(() => {
+    fs.rmSync(tmp, { recursive: true, force: true });
+  });
+
+  it('returns empty list when file does not exist', () => {
+    expect(readPendingReplies(tmp)).toEqual([]);
+  });
+
+  it('round-trips entries via enqueue + readPendingReplies', () => {
+    enqueuePendingReply({ chatId: 'chat-1', kind: 'restart-complete' }, tmp);
+    enqueuePendingReply({ chatId: 'chat-2', kind: 'upgrade-complete', messageId: 'msg-x' }, tmp);
+
+    expect(fs.existsSync(getPendingRepliesPath(tmp))).toBe(true);
+    expect(readPendingReplies(tmp)).toEqual([
+      { chatId: 'chat-1', kind: 'restart-complete' },
+      { chatId: 'chat-2', kind: 'upgrade-complete', messageId: 'msg-x' },
+    ]);
+  });
+
+  it('dequeuePendingReply removes the matching entry and deletes the file when empty', () => {
+    enqueuePendingReply({ chatId: 'chat-1', kind: 'upgrade-complete', messageId: 'm-1' }, tmp);
+    expect(dequeuePendingReply((e) => e.messageId === 'm-1', tmp)).toBe(true);
+    expect(fs.existsSync(getPendingRepliesPath(tmp))).toBe(false);
+  });
+
+  it('dequeuePendingReply returns false when no entry matches', () => {
+    enqueuePendingReply({ chatId: 'chat-1', kind: 'restart-complete' }, tmp);
+    expect(dequeuePendingReply((e) => e.messageId === 'nope', tmp)).toBe(false);
+    expect(readPendingReplies(tmp)).toHaveLength(1);
+  });
+
+  it('treats a corrupt file as empty and removes it on drain', async () => {
+    fs.writeFileSync(getPendingRepliesPath(tmp), 'not json');
+    await drainPendingReplies('1.2.3', tmp);
+    expect(fs.existsSync(getPendingRepliesPath(tmp))).toBe(false);
+  });
+
+  it('drainPendingReplies appends a SystemMessage for each entry', async () => {
+    enqueuePendingReply({ chatId: 'default', kind: 'restart-complete' }, tmp);
+    enqueuePendingReply({ chatId: 'default', kind: 'upgrade-complete' }, tmp);
+    enqueuePendingReply(
+      {
+        chatId: 'default',
+        kind: 'upgrade-failed',
+        requestedVersion: '9.9.9',
+        reason: 'npm install -g exited with code 1',
+      },
+      tmp
+    );
+
+    await drainPendingReplies('1.2.3', tmp);
+
+    const chatLog = path.join(tmp, '.clawmini', 'chats', 'default', 'chat.jsonl');
+    expect(fs.existsSync(chatLog)).toBe(true);
+    const lines = fs
+      .readFileSync(chatLog, 'utf-8')
+      .split('\n')
+      .filter((l) => l.trim());
+    expect(lines).toHaveLength(3);
+    const parsed = lines.map((l) => JSON.parse(l) as { role: string; content: string });
+    expect(parsed[0]?.role).toBe('system');
+    expect(parsed[0]?.content).toBe('Clawmini restarted (v1.2.3).');
+    expect(parsed[1]?.content).toBe('Clawmini upgraded to v1.2.3.');
+    expect(parsed[2]?.content).toBe(
+      'Clawmini upgrade to v9.9.9 failed: npm install -g exited with code 1'
+    );
+    expect(fs.existsSync(getPendingRepliesPath(tmp))).toBe(false);
+  });
+
+  it('drain consumes entries one at a time, leaving the rest on disk if a delivery throws', async () => {
+    // Make the second delivery throw by giving it an invalid chatId. The
+    // shared chats helper rejects ids containing path separators.
+    enqueuePendingReply({ chatId: 'a', kind: 'restart-complete' }, tmp);
+    enqueuePendingReply({ chatId: '../escape', kind: 'restart-complete' }, tmp);
+    enqueuePendingReply({ chatId: 'c', kind: 'restart-complete' }, tmp);
+
+    // Silence the expected error log from the failing entry.
+    const err = vi.spyOn(console, 'error').mockImplementation(() => {});
+    try {
+      await drainPendingReplies('1.0.0', tmp);
+    } finally {
+      err.mockRestore();
+    }
+
+    // All three are consumed (the failing one is dropped after logging) and
+    // the file is removed. The two valid chats got their messages.
+    expect(fs.existsSync(getPendingRepliesPath(tmp))).toBe(false);
+    expect(fs.existsSync(path.join(tmp, '.clawmini', 'chats', 'a', 'chat.jsonl'))).toBe(true);
+    expect(fs.existsSync(path.join(tmp, '.clawmini', 'chats', 'c', 'chat.jsonl'))).toBe(true);
+  });
+});

package/src/daemon/pending-replies.ts

@@ -0,0 +1,162 @@
+import fs from 'node:fs';
+import { randomUUID } from 'node:crypto';
+import path from 'node:path';
+
+import { getClawminiDir } from '../shared/workspace.js';
+import type { SystemMessage } from '../shared/chats.js';
+import { appendMessage } from './chats.js';
+
+export type PendingReplyKind = 'restart-complete' | 'upgrade-complete' | 'upgrade-failed';
+
+export interface PendingReply {
+  chatId: string;
+  kind: PendingReplyKind;
+  /** Original user messageId, recorded so the SystemMessage can reference it. */
+  messageId?: string;
+  /** Requested target version (set for upgrade-* kinds). */
+  requestedVersion?: string;
+  /** Failure reason; set for upgrade-failed. */
+  reason?: string;
+}
+
+interface PendingRepliesFile {
+  version: 1;
+  entries: PendingReply[];
+}
+
+export function getPendingRepliesPath(startDir = process.cwd()): string {
+  return path.join(getClawminiDir(startDir), 'pending-replies.json');
+}
+
+function readFileSafe(filePath: string): PendingRepliesFile | null {
+  if (!fs.existsSync(filePath)) return null;
+  try {
+    const raw = fs.readFileSync(filePath, 'utf-8');
+    const parsed = JSON.parse(raw) as PendingRepliesFile;
+    if (!parsed || parsed.version !== 1 || !Array.isArray(parsed.entries)) return null;
+    return parsed;
+  } catch {
+    return null;
+  }
+}
+
+function writeAtomic(filePath: string, data: PendingRepliesFile): void {
+  // tmp + rename so a crash never leaves a half-written file. The target file
+  // is on the same filesystem as the workspace, so rename is atomic.
+  fs.mkdirSync(path.dirname(filePath), { recursive: true });
+  const tmpPath = `${filePath}.${process.pid}.tmp`;
+  fs.writeFileSync(tmpPath, JSON.stringify(data, null, 2));
+  fs.renameSync(tmpPath, filePath);
+}
+
+function tryUnlink(filePath: string): void {
+  if (!fs.existsSync(filePath)) return;
+  try {
+    fs.unlinkSync(filePath);
+  } catch {
+    // best-effort
+  }
+}
+
+export function enqueuePendingReply(entry: PendingReply, startDir = process.cwd()): void {
+  const filePath = getPendingRepliesPath(startDir);
+  const existing = readFileSafe(filePath);
+  const entries = existing?.entries ?? [];
+  entries.push(entry);
+  writeAtomic(filePath, { version: 1, entries });
+}
+
+/**
+ * Remove the first entry that matches the predicate. Used to roll back an
+ * enqueued entry when the supervisor reports the action could not be started.
+ */
+export function dequeuePendingReply(
+  predicate: (entry: PendingReply) => boolean,
+  startDir = process.cwd()
+): boolean {
+  const filePath = getPendingRepliesPath(startDir);
+  const existing = readFileSafe(filePath);
+  if (!existing) return false;
+  const idx = existing.entries.findIndex(predicate);
+  if (idx === -1) return false;
+  existing.entries.splice(idx, 1);
+  if (existing.entries.length === 0) {
+    tryUnlink(filePath);
+  } else {
+    writeAtomic(filePath, existing);
+  }
+  return true;
+}
+
+export function readPendingReplies(startDir = process.cwd()): PendingReply[] {
+  return readFileSafe(getPendingRepliesPath(startDir))?.entries ?? [];
+}
+
+function renderMessage(entry: PendingReply, runtimeVersion: string): string {
+  switch (entry.kind) {
+    case 'restart-complete':
+      return `Clawmini restarted (v${runtimeVersion}).`;
+    case 'upgrade-complete':
+      return `Clawmini upgraded to v${runtimeVersion}.`;
+    case 'upgrade-failed': {
+      const target = entry.requestedVersion ? ` to v${entry.requestedVersion}` : '';
+      const reason = entry.reason ? `: ${entry.reason}` : '.';
+      return `Clawmini upgrade${target} failed${reason}`;
+    }
+  }
+}
+
+/**
+ * Append a SystemMessage for each pending reply. Called from the daemon
+ * startup path so adapters (which reconnect via tRPC subscription with
+ * lastMessageId) replay the message after the daemon comes back online.
+ *
+ * Crash-safe: each entry is consumed only after its SystemMessage is
+ * appended. A crash mid-loop leaves the un-delivered entries on disk for the
+ * next daemon start to drain.
+ */
+export async function drainPendingReplies(
+  runtimeVersion: string,
+  startDir = process.cwd()
+): Promise<void> {
+  const filePath = getPendingRepliesPath(startDir);
+  const data = readFileSafe(filePath);
+  if (!data) {
+    // A corrupt file is treated as empty — remove it so it doesn't trip the
+    // next read, but otherwise no-op.
+    tryUnlink(filePath);
+    return;
+  }
+
+  const remaining: PendingReply[] = [...data.entries];
+  while (remaining.length > 0) {
+    const entry = remaining[0]!;
+    const sysMsg: SystemMessage = {
+      id: randomUUID(),
+      role: 'system',
+      content: renderMessage(entry, runtimeVersion),
+      timestamp: new Date().toISOString(),
+      sessionId: undefined,
+      event: 'router',
+      displayRole: 'agent',
+      ...(entry.messageId ? { messageId: entry.messageId } : {}),
+    };
+    try {
+      await appendMessage(entry.chatId, sysMsg, startDir);
+    } catch (err) {
+      // A delivery failure (e.g. chatId no longer exists) shouldn't block the
+      // rest of the queue from draining. Drop the entry after logging — the
+      // alternative is an infinite redelivery loop on the next start.
+      console.error(
+        `Failed to deliver pending reply to chat ${entry.chatId}:`,
+        err instanceof Error ? err.message : err
+      );
+    }
+    remaining.shift();
+    if (remaining.length === 0) {
+      tryUnlink(filePath);
+    } else {
+      writeAtomic(filePath, { version: 1, entries: remaining });
+    }
+  }
+}

package/src/daemon/policy-request-service.ts

@@ -22,7 +22,8 @@ export class PolicyRequestService {
     chatId: string,
     agentId: string,
     skipSave: boolean = false,
-    subagentId?: string
+    subagentId?: string,
+    cwd?: string
   ): Promise<PolicyRequest> {
     const allRequests = await this.store.list();
     const pendingCount = allRequests.filter((r) => r.state === 'Pending').length;
@@ -47,6 +48,7 @@ export class PolicyRequestService {
       commandName,
       args,
       fileMappings: snapshotMappings,
+      ...(cwd ? { cwd } : {}),
       state: skipSave ? 'Approved' : 'Pending',
       createdAt: Date.now(),
       chatId,

package/src/daemon/policy-utils.test.ts

@@ -2,7 +2,14 @@ import { describe, it, expect, beforeEach, afterEach } from 'vitest';
 import fs from 'node:fs/promises';
 import path from 'node:path';
 import os from 'node:os';
-import { createSnapshot, interpolateArgs, executeSafe, MAX_SNAPSHOT_SIZE } from './policy-utils.js';
+import {
+  createSnapshot,
+  interpolateArgs,
+  executeSafe,
+  MAX_SNAPSHOT_SIZE,
+  translateSandboxPath,
+  assertPathInsideDir,
+} from './policy-utils.js';
 
 describe('policy-utils', () => {
   let tempDir: string;
@@ -135,4 +142,62 @@ describe('policy-utils', () => {
       expect(result.stdout.trim()).toBe('hello && echo injected');
     });
   });
+
+  describe('translateSandboxPath', () => {
+    it('strips baseDir from sandboxCwd and resolves against hostTargetDir', () => {
+      const result = translateSandboxPath('/app/src/components', '/app', '/Users/host/env');
+      expect(result).toBe(path.resolve('/Users/host/env', 'src/components'));
+    });
+
+    it('handles sandboxCwd exactly matching baseDir', () => {
+      const result = translateSandboxPath('/app', '/app', '/Users/host/env');
+      expect(result).toBe(path.resolve('/Users/host/env'));
+    });
+
+    it('treats sandboxCwd as relative to hostTargetDir when it does not start with baseDir', () => {
+      // Does not throw — translation is pure. Validation is the caller's job.
+      const result = translateSandboxPath('/other/path', '/app', '/Users/host/env');
+      expect(result).toBe(path.resolve('/Users/host/env', 'other/path'));
+    });
+
+    it('does not validate path traversal (caller validates)', () => {
+      // `..` segments collapse via path.resolve but no security error is thrown.
+      const result = translateSandboxPath('/app/../../etc/passwd', '/app', '/Users/host/env');
+      expect(result).toBe(path.resolve('/Users/host/env', '../../etc/passwd'));
+    });
+  });
+
+  describe('assertPathInsideDir', () => {
+    it('does not throw when cwd is inside boundaryDir', () => {
+      const inside = path.join(agentDir, 'sub');
+      expect(() => assertPathInsideDir(inside, agentDir)).not.toThrow();
+    });
+
+    it('allows cwd equal to boundaryDir', () => {
+      expect(() => assertPathInsideDir(agentDir, agentDir)).not.toThrow();
+    });
+
+    it('throws when cwd escapes boundaryDir', () => {
+      const outside = path.join(agentDir, '..', 'outside');
+      expect(() => assertPathInsideDir(outside, agentDir)).toThrow(
+        /Security Error: Path resolves outside the allowed directory/
+      );
+    });
+
+    it('follows symlinks before comparing (prevents symlink escape)', async () => {
+      const outsideTarget = path.join(tempDir, 'outside-target');
+      await fs.mkdir(outsideTarget);
+      const linkInsideAgent = path.join(agentDir, 'escape-link');
+      await fs.symlink(outsideTarget, linkInsideAgent);
+
+      expect(() => assertPathInsideDir(linkInsideAgent, agentDir)).toThrow(
+        /Security Error: Path resolves outside the allowed directory/
+      );
+    });
+
+    it('tolerates non-existent paths (uses the path as-is)', () => {
+      const nonExistentInside = path.join(agentDir, 'does-not-exist', 'nested');
+      expect(() => assertPathInsideDir(nonExistentInside, agentDir)).not.toThrow();
+    });
+  });
 });

package/src/daemon/policy-utils.ts

@@ -1,12 +1,105 @@
 import fs from 'node:fs/promises';
-import { constants } from 'node:fs';
+import fsSync, { constants } from 'node:fs';
 import path from 'node:path';
 import { randomBytes } from 'node:crypto';
 import { spawn } from 'node:child_process';
 import { pathIsInsideDir } from '../shared/utils/fs.js';
 import type { PolicyRequest, PolicyDefinition } from '../shared/policies.js';
+import { resolveAgentDir } from './api/router-utils.js';
+import {
+  getWorkspaceRoot,
+  getActiveEnvironmentInfo,
+  readEnvironment,
+} from '../shared/workspace.js';
 
 export const MAX_SNAPSHOT_SIZE = 5 * 1024 * 1024;
+export const MAX_INLINE_OUTPUT_LENGTH = 500;
+
+/**
+ * Strips the sandbox `baseDir` from `sandboxCwd` and resolves the remainder
+ * against `hostTargetDir` (the host dir that mirrors baseDir inside the
+ * sandbox). Pure translation — no security validation; callers must validate
+ * the result with `assertPathInsideDir`.
+ */
+export function translateSandboxPath(
+  sandboxCwd: string,
+  baseDir: string,
+  hostTargetDir: string
+): string {
+  let relativePath = sandboxCwd;
+  if (sandboxCwd.startsWith(baseDir)) {
+    relativePath = sandboxCwd.slice(baseDir.length);
+  }
+  if (relativePath.startsWith('/') || relativePath.startsWith('\\')) {
+    relativePath = relativePath.slice(1);
+  }
+  return path.resolve(hostTargetDir, relativePath);
+}
+
+/**
+ * Throws if `cwd` (after symlink resolution) is not inside `boundaryDir`.
+ *
+ * Security note (TOCTOU): There is an inherent race between validating the
+ * resolved path here and the moment `spawn` uses it as cwd. A symlink created
+ * on the host filesystem in that window could redirect execution outside
+ * boundaryDir. We accept this because the sandboxed agent cannot modify the
+ * host filesystem — only a local user or process with host-level access could
+ * exploit the gap, and that is outside our threat model.
+ */
+export function assertPathInsideDir(cwd: string, boundaryDir: string): void {
+  const realCwd = tryRealpath(cwd);
+  const realBoundary = tryRealpath(boundaryDir);
+  if (!pathIsInsideDir(realCwd, realBoundary, { allowSameDir: true })) {
+    throw new Error(`Security Error: Path resolves outside the allowed directory: ${cwd}`);
+  }
+}
+
+// Realpath that tolerates missing leaves. Walks up to the nearest existing
+// ancestor, realpaths that, and re-appends the missing tail. Needed so that
+// symlinks in the existing prefix still resolve (e.g. macOS /var → /private/var)
+// when the full path is not yet on disk.
+function tryRealpath(p: string): string {
+  const resolved = path.resolve(p);
+  try {
+    return fsSync.realpathSync(resolved);
+  } catch (err: unknown) {
+    if (
+      !(err instanceof Error && 'code' in err && (err as NodeJS.ErrnoException).code === 'ENOENT')
+    ) {
+      throw err;
+    }
+  }
+  const parent = path.dirname(resolved);
+  if (parent === resolved) return resolved;
+  return path.join(tryRealpath(parent), path.basename(resolved));
+}
+
+export async function resolveRequestCwd(
+  requestCwd: string | undefined,
+  agentId: string | undefined,
+  workspaceRoot: string
+): Promise<string> {
+  if (!requestCwd) {
+    // TODO throw error instead?
+    return workspaceRoot;
+  }
+
+  const agentDir = await resolveAgentDir(agentId, workspaceRoot);
+  const envInfo = await getActiveEnvironmentInfo(agentDir, workspaceRoot);
+  const envConfig = envInfo ? await readEnvironment(envInfo.name, workspaceRoot) : null;
+
+  // Translate sandbox → host only when the env declares a baseDir (VM-style
+  // sandbox). Otherwise requestCwd is already a host path; resolve relative
+  // paths against agentDir and keep absolute paths as-is.
+  const hostCwd =
+    envInfo && envConfig?.baseDir
+      ? translateSandboxPath(requestCwd, envConfig.baseDir, envInfo.targetPath)
+      : path.resolve(agentDir, requestCwd);
+
+  // Boundary: the agent dir
+  assertPathInsideDir(hostCwd, agentDir);
+  return hostCwd;
+}
 
 export async function createSnapshot(
   requestedPath: string,
@@ -145,6 +238,38 @@ export async function executeRequest(
   return { stdout, stderr, exitCode, commandStr };
 }
 
+/**
+ * Saves large stdout/stderr to files in the agent's tmp/ directory and returns
+ * placeholder strings pointing to those files. Small outputs are returned as-is.
+ */
+export async function truncateLargeOutput(
+  stdout: string,
+  stderr: string,
+  requestId: string,
+  agentId: string | undefined
+): Promise<{ stdout: string; stderr: string }> {
+  const agentDir = await resolveAgentDir(agentId, getWorkspaceRoot());
+  const tmpDir = path.join(agentDir, 'tmp');
+  const needsTmpDir =
+    stdout.length >= MAX_INLINE_OUTPUT_LENGTH || stderr.length >= MAX_INLINE_OUTPUT_LENGTH;
+
+  if (needsTmpDir) {
+    await fs.mkdir(tmpDir, { recursive: true });
+  }
+
+  if (stdout.length >= MAX_INLINE_OUTPUT_LENGTH) {
+    await fs.writeFile(path.join(tmpDir, `stdout-${requestId}.txt`), stdout, 'utf-8');
+    stdout = `stdout is ${stdout.length} characters, saved to ./tmp/stdout-${requestId}.txt\n`;
+  }
+
+  if (stderr.length >= MAX_INLINE_OUTPUT_LENGTH) {
+    await fs.writeFile(path.join(tmpDir, `stderr-${requestId}.txt`), stderr, 'utf-8');
+    stderr = `stderr is ${stderr.length} characters, saved to ./tmp/stderr-${requestId}.txt\n`;
+  }
+
+  return { stdout, stderr };
+}
+
 export async function generateRequestPreview(request: PolicyRequest): Promise<string> {
   let previewContent = `Sandbox Policy Request: ${request.commandName}\n`;
   previewContent += `ID: ${request.id}\n`;

package/src/daemon/request-store.ts

@@ -15,6 +15,8 @@ const PolicyRequestSchema = z.object({
   rejectionReason: z.string().optional(),
   chatId: z.string(),
   agentId: z.string(),
+  subagentId: z.string().optional(),
+  cwd: z.string().optional(),
 });
 
 function isENOENT(err: unknown): boolean {
@@ -46,6 +48,35 @@ export class RequestStore {
     await fs.writeFile(filePath, JSON.stringify(request, null, 2), 'utf8');
   }
 
+  async delete(id: string): Promise<void> {
+    const normalizedId = normalizePolicyId(id);
+    const filePath = this.getFilePath(normalizedId);
+    try {
+      await fs.unlink(filePath);
+    } catch (err: unknown) {
+      if (!isENOENT(err)) throw err;
+    }
+  }
+
+  async cleanupCompleted(): Promise<number> {
+    let removed = 0;
+    try {
+      const files = await fs.readdir(this.baseDir);
+      for (const file of files) {
+        if (!file.endsWith('.json')) continue;
+        const id = path.basename(file, '.json');
+        const req = await this.load(id);
+        if (req && req.state !== 'Pending') {
+          await this.delete(id);
+          removed++;
+        }
+      }
+    } catch (err: unknown) {
+      if (!isENOENT(err)) throw err;
+    }
+    return removed;
+  }
+
   async load(id: string): Promise<PolicyRequest | null> {
     const normalizedId = normalizePolicyId(id);
     const filePath = this.getFilePath(normalizedId);

package/src/daemon/routers/session-timeout.ts

@@ -35,6 +35,10 @@ export function createSessionTimeoutRouter(config: SessionTimeoutConfig = {}) {
       return state;
     }
 
+    if (state.subagentId) {
+      return state;
+    }
+
     const sessionId = state.sessionId || crypto.randomUUID();
     const jobId = `__session_timeout__${sessionId}`;