cowork-harness 0.1.0

package/dist/decide/external-channel.js

@@ -0,0 +1,262 @@
+import { mkdirSync, readdirSync, existsSync, readFileSync, writeFileSync, renameSync, rmSync } from "node:fs";
+import { join } from "node:path";
+import readline from "node:readline";
+import { spawn } from "node:child_process";
+/** A sequential line reader over a stream that buffers across chunk boundaries (readline does this). */
+function lineReader(input) {
+    const rl = readline.createInterface({ input, crlfDelay: Infinity });
+    const queue = [];
+    const waiters = [];
+    let done = false;
+    rl.on("line", (l) => (waiters.length ? waiters.shift()(l) : queue.push(l)));
+    rl.on("close", () => {
+        done = true;
+        while (waiters.length)
+            waiters.shift()(null);
+    });
+    return {
+        next: () => new Promise((resolve) => {
+            if (queue.length)
+                return resolve(queue.shift());
+            if (done)
+                return resolve(null);
+            waiters.push(resolve);
+        }),
+        close: () => rl.close(),
+    };
+}
+const REQ = /^req-\d+\.json$/;
+const RESP = /^resp-\d+\.json$/;
+const seqOf = (f) => Number(f.match(/-(\d+)\.json/)?.[1] ?? 0);
+/** Write the run-complete marker so a `gates --follow` watcher emits an explicit `{done:true}` and exits
+ *  (resolves "silence is ambiguous"). Idempotent + sync (safe from a process exit handler). */
+export function writeDoneMarker(dir) {
+    try {
+        if (!existsSync(join(dir, "done.json")))
+            writeFileSync(join(dir, "done.json"), JSON.stringify({ done: true }) + "\n");
+    }
+    catch {
+        /* dir may be gone */
+    }
+}
+/**
+ * The gate stream behind `cowork-harness gates <dir> --follow` — the harness OWNS the watcher so the
+ * driving agent points ONE Monitor at this instead of hand-writing a zsh-safe find/seen-set/poll loop.
+ * Emits one clean single-line JSON per NEW pending gate (`{seq, ...decision_request}`) and a terminal
+ * `{"done":true}` when the run finishes. Resolves when done (or after one pass if `once`).
+ */
+export function streamGates(dir, write, opts = {}) {
+    const pollMs = opts.pollMs ?? (Number(process.env.COWORK_HARNESS_DECIDER_DIR_POLL_MS) || 500);
+    const seen = new Set();
+    const tries = new Map(); // per-file parse attempts — bound retries so a corrupt file drops loud
+    return new Promise((resolve) => {
+        const tick = () => {
+            let files = [];
+            try {
+                files = readdirSync(dir);
+            }
+            catch {
+                /* not created yet */
+            }
+            for (const f of files.filter((x) => REQ.test(x)).sort((a, b) => seqOf(a) - seqOf(b))) {
+                if (seen.has(f))
+                    continue;
+                try {
+                    const body = readFileSync(join(dir, f), "utf8").trim();
+                    const parsed = JSON.parse(body);
+                    seen.add(f); // only mark consumed AFTER a clean parse — a mid-write is retried next tick
+                    write(JSON.stringify({ seq: seqOf(f), ...parsed }));
+                }
+                catch {
+                    // A transient mid-write is retried next tick; a PERSISTENTLY corrupt file would otherwise be
+                    // retried forever — bound it, then drop loud so the gap is visible (not a silent false-negative).
+                    const n = (tries.get(f) ?? 0) + 1;
+                    tries.set(f, n);
+                    if (n >= 3) {
+                        seen.add(f);
+                        process.stderr.write(`::warning:: [gates] ${f} is unreadable/malformed after ${n} tries — dropping\n`);
+                    }
+                }
+            }
+            if (existsSync(join(dir, "done.json"))) {
+                write(JSON.stringify({ done: true }));
+                return resolve();
+            }
+            if (opts.once)
+                return resolve();
+            setTimeout(tick, pollMs);
+        };
+        tick();
+    });
+}
+/** Write a gate answer atomically (temp+rename) with the right wire shape — behind `cowork-harness
+ *  answer`. Hides the atomic write + the `{id, answers}` shape the driver had to hand-build. */
+export function answerGate(dir, seq, answers) {
+    let id;
+    try {
+        id = JSON.parse(readFileSync(join(dir, `req-${seq}.json`), "utf8")).id;
+    }
+    catch {
+        /* req may already be consumed; id is optional */
+    }
+    const tmp = join(dir, `.resp-${seq}.json.tmp`);
+    writeFileSync(tmp, JSON.stringify({ ...(id ? { id } : {}), answers }), { mode: 0o600 });
+    renameSync(tmp, join(dir, `resp-${seq}.json`));
+}
+/** Read a gate's request (for `answer` to map a `--choose` to the question text). */
+export function readGate(dir, seq) {
+    return JSON.parse(readFileSync(join(dir, `req-${seq}.json`), "utf8"));
+}
+/**
+ * Channel C: file rendezvous (`--decider-dir <dir>`). The decision_request is written to `<dir>/req-N.json`
+ * and the harness blocks polling for `<dir>/resp-N.json`. The DRIVING Claude agent arms a Monitor on the
+ * dir (each new req file → a task-notification that wakes it) and writes the answer file — answering the
+ * LIVE AskUserQuestion in-band (no resume, no re-worded question). Strictly serial: write req-N, block for
+ * resp-N, then req-(N+1) — one outstanding gate at a time. The wire protocol is identical to the other
+ * channels (the same ExternalDecider drives it); only the transport differs.
+ */
+export function fileChannel(dir) {
+    mkdirSync(dir, { recursive: true });
+    // H3: do NOT silently clear — fail loud if the dir already holds gate files (forces a fresh dir per run).
+    const stale = readdirSync(dir).filter((f) => REQ.test(f) || RESP.test(f));
+    if (stale.length)
+        throw new Error(`--decider-dir ${dir} already has gate files (${stale.slice(0, 3).join(", ")}…) — use a fresh, empty directory per run`);
+    const pollMs = Number(process.env.COWORK_HARNESS_DECIDER_DIR_POLL_MS) || 300;
+    const timeoutMs = Number(process.env.COWORK_HARNESS_DECIDER_DIR_TIMEOUT_MS) || 600_000; // 10-min backstop → loud UnansweredError
+    let seq = 0;
+    let lastSnapshotSeq = 0; // watermark so a per-scenario snapshot() copies ONLY that scenario's new gates
+    // #49: store the handler so it can be removed on close() — otherwise repeated fileChannel() calls in
+    // one process accumulate "exit" listeners (MaxListenersExceededWarning after >10 channels).
+    // Guarantee a completion marker on EVERY exit path (success, fail()/process.exit, throw) so a
+    // `gates --follow` watcher always gets its terminal {done:true} and never hangs.
+    const exitHandler = () => writeDoneMarker(dir);
+    process.on("exit", exitHandler);
+    return {
+        write: (line) => {
+            seq++;
+            // H1: `line` is single-line JSON (ExternalDecider) — one `cat` = one Monitor event. M2: 0600 (it's on disk).
+            const tmp = join(dir, `.req-${seq}.json.tmp`);
+            writeFileSync(tmp, line.replace(/\n/g, " ") + "\n", { mode: 0o600 });
+            renameSync(tmp, join(dir, `req-${seq}.json`)); // atomic — the watcher never sees a partial file
+            process.stderr.write(`[gate] req-${seq} emitted → waiting for resp-${seq}.json\n`); // O2: lifecycle on stderr (even under --output-format json)
+        },
+        readLine: async () => {
+            const resp = join(dir, `resp-${seq}.json`);
+            const deadline = Date.now() + timeoutMs;
+            while (Date.now() < deadline) {
+                // M3: the agent writes resp via temp+rename (atomic) → if it exists, it's complete. Read+parse ONCE
+                // (a bad parse fails loud in ExternalDecider — no retry-then-hang).
+                if (existsSync(resp)) {
+                    const body = readFileSync(resp, "utf8");
+                    // O4: mark the gate consumed — rename `req-N.json` out of the `req-*.json` glob so the watcher
+                    // can't re-emit it, and the consumed signal is visible mid-run (distinguishes a re-emit from a
+                    // genuine agent re-ask, O3).
+                    try {
+                        renameSync(join(dir, `req-${seq}.json`), join(dir, `req-${seq}.json.done`));
+                    }
+                    catch {
+                        /* best-effort */
+                    }
+                    process.stderr.write(`[gate] resp-${seq} consumed (gate answered)\n`);
+                    return body;
+                }
+                await new Promise((r) => setTimeout(r, pollMs));
+            }
+            return null; // timeout → ExternalDecider throws UnansweredError (loud, never silent)
+        },
+        snapshot: (destDir) => {
+            // Copy THIS scenario's gate wire shapes into the run dir so they survive close()'s cleanup (Part 4).
+            // The channel is reused across scenarios in a `run <dir/>` loop (one monotonic seq), so copy only
+            // files newer than the last snapshot — otherwise scenario N's snapshot would also contain 1..N-1's.
+            try {
+                const files = readdirSync(dir).filter((f) => (REQ.test(f) || RESP.test(f) || f.endsWith(".json.done")) && seqOf(f) > lastSnapshotSeq);
+                if (files.length) {
+                    mkdirSync(destDir, { recursive: true });
+                    for (const f of files)
+                        writeFileSync(join(destDir, f), readFileSync(join(dir, f)));
+                }
+                lastSnapshotSeq = seq; // advance past this scenario's gates
+            }
+            catch {
+                /* dir may be gone / nothing to snapshot */
+            }
+        },
+        close: () => {
+            // #49: remove the exit listener registered for this channel so repeated fileChannel() calls
+            // in one process don't accumulate listeners past the MaxListenersExceededWarning threshold.
+            process.removeListener("exit", exitHandler);
+            // That exit listener was the only writer of done.json — a long-lived embedder that close()s but
+            // keeps running must still release a `gates --follow` watcher. Write the marker here too (idempotent,
+            // and not matched by the cleanup globs below, so it survives).
+            writeDoneMarker(dir);
+            // Best-effort remove processed files on close (req/resp + .done markers + tmp).
+            try {
+                for (const f of readdirSync(dir))
+                    if (REQ.test(f) || RESP.test(f) || f.startsWith(".req-") || f.endsWith(".json.done"))
+                        rmSync(join(dir, f), { force: true });
+            }
+            catch {
+                /* dir may be gone */
+            }
+        },
+    };
+}
+/** A helper spawned once (`shell:true` so `'python answerer.py'` works). Request→its stdin, answer←its stdout. */
+export function spawnChannel(cmd) {
+    // #8: `shell: true` is INTENTIONAL, not an injection surface. `--decider-cmd` is OPERATOR-supplied —
+    // the same trust class as the harness process itself (whoever runs the harness wrote this string). Shell
+    // interpretation is the documented ergonomic so `'python answerer.py'`, pipelines, and env-var prefixes
+    // all work as written. There is no untrusted input here to escape, so we deliberately do NOT parse to argv.
+    const child = spawn(cmd, { shell: true, stdio: ["pipe", "pipe", "inherit"] });
+    const reader = lineReader(child.stdout);
+    // #53: bound the wait on the helper's stdout — a hung-but-alive helper would otherwise block the harness
+    // forever (only fileChannel had a deadline; this mirrors its 10-min backstop). On expiry kill the child
+    // (so a wedged process can't linger) and reject LOUD, never a silent hang.
+    const timeoutMs = Number(process.env.COWORK_HARNESS_DECIDER_CMD_TIMEOUT_MS) || 600_000;
+    let dead = false;
+    child.on("exit", () => (dead = true));
+    child.on("error", () => (dead = true));
+    // A broken-pipe write does NOT throw synchronously — when the helper closes its read end, the EPIPE is
+    // delivered ASYNCHRONOUSLY as an `error` event on stdin. Without a listener Node escalates it to an
+    // uncaughtException (the cross-test "write EPIPE" flake). Handle it: mark dead so the next write()/
+    // readLine() throws the clean "helper exited" error, and swallow the async event itself.
+    child.stdin?.on("error", () => (dead = true));
+    return {
+        write: (line) => {
+            if (dead)
+                throw new Error(`--decider-cmd helper exited before answering`);
+            try {
+                child.stdin.write(line + "\n"); // EPIPE if the helper died mid-run → surface as an error
+            }
+            catch {
+                throw new Error(`--decider-cmd helper closed its input (EPIPE) before answering`);
+            }
+        },
+        readLine: () => {
+            let timer;
+            const timeout = new Promise((_, reject) => {
+                timer = setTimeout(() => {
+                    if (!dead)
+                        try {
+                            child.kill("SIGKILL");
+                        }
+                        catch {
+                            /* already gone */
+                        }
+                    reject(new Error(`--decider-cmd helper timed out before answering after ${timeoutMs}ms`));
+                }, timeoutMs);
+            });
+            return Promise.race([reader.next(), timeout]).finally(() => clearTimeout(timer));
+        },
+        close: () => {
+            reader.close();
+            if (!dead)
+                try {
+                    child.kill();
+                }
+                catch {
+                    /* already gone */
+                }
+        },
+    };
+}

package/dist/decide/llm-transport.js

@@ -0,0 +1,52 @@
+import { spawn } from "node:child_process";
+/**
+ * The default `LlmDecider` transport: shell out to the host `claude -p` (one-shot, headless). Chosen
+ * over a direct `POST /v1/messages` (Opus H1): the harness PROCESS is not behind the egress proxy
+ * (only the spawned agent child is), so a direct API call would bypass the very allowlist the harness
+ * enforces. `claude -p` reuses the run's own auth path and is dogfood-consistent. One short, tool-less
+ * call per gate on a small model — bounded cost/latency, no recursion into the harness.
+ */
+export const claudeCliComplete = (prompt, model) => new Promise((resolve, reject) => {
+    const bin = process.env.COWORK_HARNESS_CLAUDE_BIN || "claude";
+    // #53: bound the `claude -p` spawn — a hung-but-alive child would otherwise block the harness forever.
+    // On expiry SIGKILL the child and reject LOUD; clear the timer on close/error so a fast call never leaks it.
+    const timeoutMs = Number(process.env.COWORK_HARNESS_LLM_TIMEOUT_MS) || 600_000;
+    const child = spawn(bin, ["-p", prompt, "--model", model], { stdio: ["ignore", "pipe", "ignore"] });
+    const timer = setTimeout(() => {
+        try {
+            child.kill("SIGKILL");
+        }
+        catch {
+            /* already gone */
+        }
+        reject(new Error(`LLM decider transport (${bin} -p) timed out after ${timeoutMs}ms`));
+    }, timeoutMs);
+    // Bound stdout too — the wall-clock timeout above caps a fully-hung child, but not one that is
+    // actively spewing. Past the cap, SIGKILL and reject loud rather than growing the buffer unbounded.
+    const maxBytes = Number(process.env.COWORK_HARNESS_LLM_MAX_BYTES) || 8 * 1024 * 1024;
+    let out = "";
+    let bytes = 0;
+    child.stdout.on("data", (d) => {
+        bytes += d.length;
+        if (bytes > maxBytes) {
+            try {
+                child.kill("SIGKILL");
+            }
+            catch {
+                /* already gone */
+            }
+            clearTimeout(timer);
+            reject(new Error(`LLM decider transport (${bin} -p) exceeded ${maxBytes} bytes — aborting`));
+            return;
+        }
+        out += d;
+    });
+    child.on("error", (e) => {
+        clearTimeout(timer);
+        reject(new Error(`LLM decider transport (${bin} -p) failed to spawn: ${e.message}`));
+    });
+    child.on("close", (code) => {
+        clearTimeout(timer);
+        code === 0 ? resolve(out) : reject(new Error(`LLM decider transport (${bin} -p) exited ${code}`));
+    });
+});

package/dist/dotenv.js

@@ -0,0 +1,52 @@
+import { existsSync, readFileSync } from "node:fs";
+import { resolve } from "node:path";
+/**
+ * Minimal `.env` loader (no dependency). Loads `KEY=VALUE` lines from `./.env` into `process.env`
+ * at CLI startup so credentials (e.g. `CLAUDE_CODE_OAUTH_TOKEN`) don't have to be `export`ed each
+ * run. Standard dotenv semantics: comments (`#`), surrounding quotes, an optional `export ` prefix,
+ * and — importantly — **existing `process.env` values win** (an exported var is never overwritten).
+ *
+ * SECURITY: `.env` is a HOST-side credential store. It is read into this process's env and is NEVER
+ * mounted into the sandbox. Keep it at the repo/working-dir root — do NOT place a `.env` inside a
+ * mounted skill/project folder, or its contents would be copied into the agent's filesystem. The
+ * token value is also scrubbed from all persisted run logs regardless of source.
+ */
+export function loadDotenv(file = resolve(process.cwd(), ".env")) {
+    if (!existsSync(file))
+        return [];
+    const loaded = [];
+    let text;
+    try {
+        text = readFileSync(file, "utf8");
+    }
+    catch {
+        return [];
+    }
+    for (const raw of text.split("\n")) {
+        const line = raw.trim();
+        if (!line || line.startsWith("#"))
+            continue;
+        const m = line.match(/^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$/);
+        if (!m)
+            continue;
+        const key = m[1];
+        let val = m[2];
+        const quoted = /^["']/.test(val);
+        if (quoted && val.length >= 2 && val[0] === val[val.length - 1]) {
+            val = val.slice(1, -1);
+        }
+        else {
+            // strip a trailing inline comment from an unquoted value
+            val = val.replace(/\s+#.*$/, "").trim();
+        }
+        // An empty value (`KEY=`) means "not provided" — skip it, so a blank template placeholder is
+        // harmless and a later non-empty line (or an exported var) still wins.
+        if (val === "")
+            continue;
+        if (process.env[key] === undefined) {
+            process.env[key] = val;
+            loaded.push(key);
+        }
+    }
+    return loaded;
+}

package/dist/egress/proxy.js

@@ -0,0 +1,138 @@
+import http from "node:http";
+import net from "node:net";
+import { appendFileSync } from "node:fs";
+export function startEgressProxy(opts) {
+    const allow = compile(opts.allow);
+    const log = (host, decision) => {
+        opts.onDecision?.(host, decision);
+        if (opts.logPath)
+            appendFileSync(opts.logPath, JSON.stringify({ ts: Date.now(), host, decision }) + "\n");
+    };
+    const server = http.createServer((req, res) => {
+        const host = hostOf(req.url ?? "", req.headers.host).toLowerCase();
+        if (!allow(host)) {
+            log(host, "deny");
+            res.writeHead(403, { "content-type": "text/plain" });
+            res.end(`egress denied: ${host} not on allowlist`);
+            return;
+        }
+        // Minimal HTTP forward (CONNECT covers HTTPS below; this handles plain HTTP).
+        // #33: `hostOf` falls back to the Host header for a relative/malformed req.url, so the
+        // allow check can pass while `new URL(req.url)` still throws. Fail loud with a clean 400
+        // instead of letting the uncaught throw take the callback (and the proxy) down.
+        let target;
+        try {
+            target = new URL(req.url);
+        }
+        catch {
+            res.writeHead(400, { "content-type": "text/plain" });
+            res.end("bad request: malformed proxy URL");
+            return;
+        }
+        // Log `allow` only once the request is valid and we're about to forward. Logging before
+        // the parse would record an `allow` for a malformed URL that never reached an upstream,
+        // false-passing `egress_allowed` assertions.
+        log(host, "allow");
+        const proxyReq = http.request({ host: target.hostname, port: target.port || 80, path: target.pathname + target.search, method: req.method, headers: req.headers }, (proxyRes) => {
+            res.writeHead(proxyRes.statusCode ?? 502, proxyRes.headers);
+            proxyRes.pipe(res);
+        });
+        proxyReq.on("error", () => {
+            res.writeHead(502);
+            res.end("upstream error");
+        });
+        req.pipe(proxyReq);
+    });
+    // HTTPS via CONNECT tunneling — allow/deny by SNI host, then blind-pipe.
+    server.on("connect", (req, clientSocket, head) => {
+        // A reset on either side must never crash the proxy (ECONNRESET is normal at
+        // connection teardown). Attach error handlers before any I/O.
+        clientSocket.on("error", () => clientSocket.destroy());
+        // Parse the CONNECT authority bracket-aware so `[2001:db8::1]:443` yields the right
+        // host/port — a bare `split(":")` reads `[` as the host and `2001` as the port. The
+        // matcher lowercases, so DNS-case variants of the SNI host match the allowlist too.
+        const { host, port } = parseAuthority(req.url ?? "");
+        if (!allow(host)) {
+            log(host, "deny");
+            clientSocket.write("HTTP/1.1 403 Forbidden\r\n\r\n");
+            clientSocket.end();
+            return;
+        }
+        log(host, "allow");
+        const upstream = net.connect(port, host, () => {
+            clientSocket.write("HTTP/1.1 200 Connection Established\r\n\r\n");
+            upstream.write(head);
+            upstream.pipe(clientSocket);
+            clientSocket.pipe(upstream);
+        });
+        upstream.on("error", () => clientSocket.destroy());
+    });
+    // Last-resort guards so a single bad socket can never take the proxy down.
+    server.on("clientError", (_e, sock) => {
+        try {
+            sock.destroy();
+        }
+        catch {
+            /* already gone */
+        }
+    });
+    // #50: store the handler so it can be removed when the server is closed — otherwise each
+    // startEgressProxy() call in one process stacks another uncaughtException handler, causing
+    // benign ECONNRESET/EPIPE to be swallowed N times by stale handlers after their server is gone.
+    const uncaughtHandler = (e) => {
+        if (e?.code === "ECONNRESET" || e?.code === "EPIPE")
+            return; // benign socket teardown
+        throw e;
+    };
+    process.on("uncaughtException", uncaughtHandler);
+    server.listen(opts.port ?? 8080);
+    // Wrap close() so the uncaughtException handler is cleaned up when the server stops.
+    const origClose = server.close.bind(server);
+    server.close = (cb) => {
+        process.removeListener("uncaughtException", uncaughtHandler);
+        return origClose(cb);
+    };
+    return server;
+}
+export function compile(patterns) {
+    const exact = new Set();
+    const suffixes = [];
+    // DNS hostnames are case-insensitive: store patterns lowercased and lowercase the candidate
+    // host in the matcher, so `HTTPS://API.ANTHROPIC.COM` matches an `api.anthropic.com` allow.
+    for (const p0 of patterns) {
+        const p = p0.toLowerCase();
+        if (p === "*")
+            return () => true; // unrestricted
+        if (p.startsWith("*."))
+            suffixes.push(p.slice(1)); // ".claude.ai"
+        else
+            exact.add(p);
+    }
+    return (host) => {
+        const h = host.toLowerCase();
+        return exact.has(h) || suffixes.some((s) => h.endsWith(s));
+    };
+}
+function hostOf(url, hostHeader) {
+    try {
+        return new URL(url).hostname || (hostHeader ?? "").split(":")[0];
+    }
+    catch {
+        return (hostHeader ?? "").split(":")[0];
+    }
+}
+/**
+ * Parse a CONNECT authority (`host:port`, or `[ipv6]:port`) into a bare host (IPv6 brackets
+ * stripped, lowercased) and a numeric port (default 443). Uses the WHATWG URL parser so
+ * bracketed IPv6 literals are handled correctly; falls back to a best-effort split.
+ */
+function parseAuthority(authority) {
+    try {
+        const u = new URL("http://" + authority);
+        const host = u.hostname.replace(/^\[|\]$/g, "").toLowerCase();
+        return { host, port: u.port ? Number(u.port) : 443 };
+    }
+    catch {
+        return { host: authority.split(":")[0].toLowerCase(), port: 443 };
+    }
+}

package/dist/egress/sidecar.js

@@ -0,0 +1,125 @@
+import { spawnSync } from "node:child_process";
+import { mkdirSync, readFileSync, existsSync } from "node:fs";
+import { join, resolve } from "node:path";
+import { fileURLToPath } from "node:url";
+const PROXY_IMAGE = process.env.COWORK_PROXY_IMAGE ?? "cowork-egress-proxy:1";
+export function startEgressSidecar(allow, outDir, runId) {
+    const runner = process.env.COWORK_CONTAINER_RUNTIME ?? "docker";
+    const intNet = `cowork-int-${runId}`;
+    const outNet = `cowork-out-${runId}`;
+    const proxyName = `cowork-proxy-${runId}`;
+    const logDir = join(resolve(outDir), "proxy");
+    mkdirSync(logDir, { recursive: true });
+    const logFileHost = join(logDir, "egress.log");
+    ensureProxyImage(runner);
+    // #37: create the two networks and the proxy container in sequence, tracking each created
+    // resource so a mid-sequence failure (image start, network connect) rolls back the rest
+    // instead of orphaning networks/containers. Undo runs in reverse (container before networks).
+    const rollback = [];
+    try {
+        d(runner, ["network", "create", "--internal", intNet]);
+        rollback.push(() => d(runner, ["network", "rm", intNet], true));
+        d(runner, ["network", "create", outNet]);
+        rollback.push(() => d(runner, ["network", "rm", outNet], true));
+        // Proxy on the internal net first (so the agent can resolve it), then also wire
+        // it to the external net so it alone can reach allowlisted hosts.
+        d(runner, [
+            "run",
+            "-d",
+            "--name",
+            proxyName,
+            "--network",
+            intNet,
+            "-e",
+            `COWORK_ALLOW=${allow.join(",")}`,
+            "-e",
+            "COWORK_PROXY_LOG=/log/egress.log",
+            "-v",
+            `${logDir}:/log`,
+            PROXY_IMAGE,
+        ]);
+        rollback.push(() => d(runner, ["rm", "-f", proxyName], true));
+        d(runner, ["network", "connect", outNet, proxyName]);
+    }
+    catch (e) {
+        for (const undo of rollback.reverse())
+            undo();
+        throw e;
+    }
+    return {
+        proxyUrl: `http://${proxyName}:8080`,
+        network: intNet,
+        collect() {
+            if (!existsSync(logFileHost))
+                return [];
+            return readFileSync(logFileHost, "utf8")
+                .trim()
+                .split("\n")
+                .filter(Boolean)
+                .map(parseEgressLine)
+                .filter((x) => x !== null);
+        },
+        teardown() {
+            d(runner, ["rm", "-f", proxyName], true);
+            d(runner, ["network", "rm", intNet], true);
+            d(runner, ["network", "rm", outNet], true);
+        },
+    };
+}
+/**
+ * Parse one egress log line into a typed decision, or `null` if it must be dropped.
+ *
+ * #43: previously this (a) silently swallowed an unparseable line and (b) coerced any
+ * unknown/missing `decision` to "allow" via `o.decision === "deny" ? "deny" : "allow"` —
+ * a silent false-green that could mask a real deny. Now both failure modes emit a
+ * `::warning::` and DROP the line; we never invent an "allow" from corrupt input.
+ */
+export function parseEgressLine(line) {
+    let o;
+    try {
+        o = JSON.parse(line);
+    }
+    catch {
+        process.stderr.write(`::warning:: [egress] proxy log line is not valid JSON — dropping: ${line.slice(0, 200)}\n`);
+        return null;
+    }
+    // Valid JSON that isn't a non-null object (e.g. `null`, a number, an array) would throw on the
+    // field reads below, OUTSIDE the parse catch — crashing collect() at teardown. Drop it loudly.
+    if (o === null || typeof o !== "object" || Array.isArray(o)) {
+        process.stderr.write(`::warning:: [egress] proxy log line is not a JSON object — dropping: ${line.slice(0, 200)}\n`);
+        return null;
+    }
+    const host = String(o.host);
+    if (o.decision !== "allow" && o.decision !== "deny") {
+        process.stderr.write(`::warning:: [egress] unknown decision "${o.decision}" for host ${host} — dropping (not coercing to allow)\n`);
+        return null;
+    }
+    return { host, decision: o.decision };
+}
+function ensureProxyImage(runner) {
+    const have = spawnSync(runner, ["image", "inspect", PROXY_IMAGE], { stdio: "ignore" });
+    if (have.status === 0)
+        return;
+    // Build from the repo (Dockerfile.proxy). Context is the repo root. #39: use fileURLToPath, not
+    // `.pathname`, so an install path with spaces / URL-escaped chars yields a valid build context.
+    const repoRoot = resolve(fileURLToPath(new URL("../..", import.meta.url)));
+    // #38: Dockerfile.proxy COPYs the SHIPPED dist/egress; running from source (tsx) before
+    // `npm run build` leaves it absent, so the image build would fail confusingly. Build dist/ first.
+    if (!existsSync(join(repoRoot, "dist", "egress", "proxy.js"))) {
+        process.stderr.write(`::warning:: [egress] dist/egress missing — running \`npm run build\` before the proxy image build\n`);
+        const built = spawnSync("npm", ["run", "build"], { cwd: repoRoot, stdio: "inherit" });
+        if (built.status !== 0)
+            throw new Error("failed to build dist/ for the egress proxy image (npm run build)");
+    }
+    const build = spawnSync(runner, ["build", "-t", PROXY_IMAGE, "-f", join(repoRoot, "docker", "Dockerfile.proxy"), repoRoot], {
+        stdio: "inherit",
+    });
+    if (build.status !== 0)
+        throw new Error(`failed to build ${PROXY_IMAGE}`);
+}
+function d(runner, args, ignoreError = false) {
+    const r = spawnSync(runner, args, { encoding: "utf8" });
+    if (r.status !== 0 && !ignoreError) {
+        throw new Error(`${runner} ${args.slice(0, 2).join(" ")} failed: ${(r.stderr || r.stdout || "").trim().slice(0, 200)}`);
+    }
+}