labgate 0.5.40 → 0.5.42

package/dist/mcp-bundles/explorer-mcp.bundle.mjs

@@ -7209,6 +7209,7 @@ __export(config_exports, {
   LABGATE_DIR: () => LABGATE_DIR,
   PRIVATE_DIR_MODE: () => PRIVATE_DIR_MODE,
   PRIVATE_FILE_MODE: () => PRIVATE_FILE_MODE,
+  buildConfigFromRaw: () => buildConfigFromRaw,
   ensurePrivateDir: () => ensurePrivateDir,
   ensurePrivateFile: () => ensurePrivateFile,
   findLockedFieldConflicts: () => findLockedFieldConflicts,
@@ -7236,11 +7237,15 @@ __export(config_exports, {
   isKnownPluginId: () => isKnownPluginId,
   loadConfig: () => loadConfig,
   loadEffectiveConfig: () => loadEffectiveConfig,
+  parseRawConfigText: () => parseRawConfigText,
+  readRawConfigFile: () => readRawConfigFile,
   shouldClaudeHeadlessRunWithAllowedPermissions: () => shouldClaudeHeadlessRunWithAllowedPermissions,
-  validateConfig: () => validateConfig
+  stripJsonComments: () => stripJsonComments,
+  validateConfig: () => validateConfig,
+  writeRawConfigFile: () => writeRawConfigFile
 });
-import { readFileSync as readFileSync3, existsSync as existsSync3, chmodSync, mkdirSync } from "fs";
-import { join as join3, resolve } from "path";
+import { readFileSync as readFileSync3, existsSync as existsSync3, chmodSync, mkdirSync, writeFileSync as writeFileSync2 } from "fs";
+import { dirname as dirname2, join as join3, resolve } from "path";
 import { homedir as homedir3 } from "os";
 function isKnownPluginId(pluginId) {
   return KNOWN_PLUGIN_ID_SET.has(pluginId);
@@ -7255,6 +7260,12 @@ function sanitizePluginMap(rawPlugins) {
   }
   return merged;
 }
+function resolveImagesDirOverride(raw) {
+  if (typeof raw !== "string") return null;
+  const trimmed = raw.trim();
+  if (!trimmed) return null;
+  return resolve(trimmed.replace(/^~/, homedir3()));
+}
 function ensurePrivateDir(path) {
   mkdirSync(path, { recursive: true, mode: PRIVATE_DIR_MODE });
   try {
@@ -7278,14 +7289,15 @@ function getSandboxHome() {
   return join3(LABGATE_DIR, "ai-home");
 }
 function getImagesDir() {
-  const override = String(process.env.LABGATE_IMAGES_DIR || "").trim();
-  if (override) {
-    return resolve(override.replace(/^~/, homedir3()));
-  }
+  const envOverride = resolveImagesDirOverride(process.env.LABGATE_IMAGES_DIR);
+  if (envOverride) return envOverride;
+  const configOverride = resolveImagesDirOverride(loadConfig().images_dir);
+  if (configOverride) return configOverride;
   return join3(LABGATE_DIR, "images");
 }
 function isImagesDirOverridden() {
-  return String(process.env.LABGATE_IMAGES_DIR || "").trim().length > 0;
+  if (resolveImagesDirOverride(process.env.LABGATE_IMAGES_DIR)) return true;
+  return resolveImagesDirOverride(loadConfig().images_dir) !== null;
 }
 function getEmptyDir() {
   return join3(LABGATE_DIR, "empty");
@@ -7335,12 +7347,104 @@ function getExplorerLockDir(experimentId) {
 function getExplorerWorktreesDir(experimentId) {
   return join3(getExplorerWorktreesRootDir(), experimentId);
 }
-function shouldClaudeHeadlessRunWithAllowedPermissions(config2) {
-  return config2.headless?.claude_run_with_allowed_permissions !== false;
+function shouldClaudeHeadlessRunWithAllowedPermissions(_config) {
+  return false;
 }
 function cloneConfig(config2) {
   return JSON.parse(JSON.stringify(config2));
 }
+function normalizeLegacyRuntime(rawRuntime, warnOnLegacyRuntime) {
+  if (rawRuntime === "docker") {
+    if (warnOnLegacyRuntime) {
+      console.error('Warning: runtime "docker" is deprecated. Using "podman".');
+    }
+    return "podman";
+  }
+  if (rawRuntime === "singularity") {
+    if (warnOnLegacyRuntime) {
+      console.error('Warning: runtime "singularity" is deprecated. Using "apptainer".');
+    }
+    return "apptainer";
+  }
+  return rawRuntime;
+}
+function stripJsonComments(rawText) {
+  return rawText.split("\n").filter((line) => !line.trimStart().startsWith("//")).join("\n");
+}
+function parseRawConfigText(rawText) {
+  const stripped = stripJsonComments(rawText).trim();
+  if (!stripped) return {};
+  const parsed = JSON.parse(stripped);
+  if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
+    throw new Error("Config root must be a JSON object");
+  }
+  return parsed;
+}
+function buildConfigFromRaw(rawInput, options = {}) {
+  const raw = rawInput;
+  const runtime = normalizeLegacyRuntime(
+    raw.runtime,
+    options.warnOnLegacyRuntime ?? false
+  );
+  return {
+    runtime: runtime ?? DEFAULT_CONFIG.runtime,
+    images_dir: raw.images_dir ?? DEFAULT_CONFIG.images_dir,
+    image: raw.image ?? DEFAULT_CONFIG.image,
+    session_timeout_hours: raw.session_timeout_hours ?? DEFAULT_CONFIG.session_timeout_hours,
+    filesystem: {
+      extra_paths: raw.filesystem?.extra_paths ?? [...DEFAULT_CONFIG.filesystem.extra_paths],
+      blocked_patterns: raw.filesystem?.blocked_patterns ?? [...DEFAULT_CONFIG.filesystem.blocked_patterns]
+    },
+    datasets: Array.isArray(raw.datasets) ? raw.datasets : [],
+    commands: {
+      blacklist: raw.commands?.blacklist ?? [...DEFAULT_CONFIG.commands.blacklist],
+      ensure_commands: raw.commands?.ensure_commands ?? [...DEFAULT_CONFIG.commands.ensure_commands ?? []]
+    },
+    network: {
+      mode: raw.network?.mode ?? DEFAULT_CONFIG.network.mode,
+      allowed_domains: raw.network?.allowed_domains ?? [...DEFAULT_CONFIG.network.allowed_domains]
+    },
+    slurm: {
+      enabled: raw.slurm?.enabled ?? DEFAULT_CONFIG.slurm.enabled,
+      poll_interval_seconds: raw.slurm?.poll_interval_seconds ?? DEFAULT_CONFIG.slurm.poll_interval_seconds,
+      sacct_lookback_hours: raw.slurm?.sacct_lookback_hours ?? DEFAULT_CONFIG.slurm.sacct_lookback_hours,
+      mcp_server: raw.slurm?.mcp_server ?? DEFAULT_CONFIG.slurm.mcp_server
+    },
+    audit: {
+      enabled: raw.audit?.enabled ?? DEFAULT_CONFIG.audit.enabled,
+      log_dir: raw.audit?.log_dir ?? DEFAULT_CONFIG.audit.log_dir
+    },
+    automation: {
+      api_key: raw.automation?.api_key ?? DEFAULT_CONFIG.automation?.api_key,
+      model: raw.automation?.model ?? DEFAULT_CONFIG.automation.model,
+      system_prompt: raw.automation?.system_prompt ?? DEFAULT_CONFIG.automation.system_prompt,
+      trigger_patterns: raw.automation?.trigger_patterns ?? [...DEFAULT_CONFIG.automation.trigger_patterns],
+      context_lines: raw.automation?.context_lines ?? DEFAULT_CONFIG.automation.context_lines,
+      delay_ms: raw.automation?.delay_ms ?? DEFAULT_CONFIG.automation.delay_ms,
+      max_turns: raw.automation?.max_turns ?? DEFAULT_CONFIG.automation.max_turns,
+      max_tokens: raw.automation?.max_tokens ?? DEFAULT_CONFIG.automation.max_tokens
+    },
+    headless: {
+      claude_run_with_allowed_permissions: raw.headless?.claude_run_with_allowed_permissions ?? DEFAULT_CONFIG.headless?.claude_run_with_allowed_permissions ?? false,
+      continuation_in_other_terminals: raw.headless?.continuation_in_other_terminals ?? DEFAULT_CONFIG.headless?.continuation_in_other_terminals ?? true,
+      git_integration: raw.headless?.git_integration ?? DEFAULT_CONFIG.headless?.git_integration ?? false
+    },
+    plugins: sanitizePluginMap(raw.plugins)
+  };
+}
+function readRawConfigFile(configPath = getConfigPath()) {
+  if (!existsSync3(configPath)) return {};
+  ensurePrivateFile(configPath);
+  return parseRawConfigText(readFileSync3(configPath, "utf-8"));
+}
+function writeRawConfigFile(rawConfig, configPath = getConfigPath()) {
+  ensurePrivateDir(dirname2(configPath));
+  writeFileSync2(configPath, JSON.stringify(rawConfig, null, 2) + "\n", {
+    encoding: "utf-8",
+    mode: PRIVATE_FILE_MODE
+  });
+  ensurePrivateFile(configPath);
+}
 function validateConfig(config2) {
   const errors = [];
   const networkMode = config2.network?.mode;
@@ -7348,11 +7452,15 @@ function validateConfig(config2) {
   const blockedPatterns = config2.filesystem?.blocked_patterns;
   const extraPaths = config2.filesystem?.extra_paths;
   const blacklist = config2.commands?.blacklist;
+  const ensureCommands = config2.commands?.ensure_commands;
   const plugins = config2.plugins;
   const headless = config2.headless;
   if (!VALID_RUNTIMES2.includes(config2.runtime)) {
     errors.push(`Invalid runtime: "${config2.runtime}". Must be one of: ${VALID_RUNTIMES2.join(", ")}`);
   }
+  if (config2.images_dir !== void 0 && typeof config2.images_dir !== "string") {
+    errors.push("images_dir must be a string");
+  }
   if (!config2.image || typeof config2.image !== "string") {
     errors.push("image must be a non-empty string");
   }
@@ -7374,6 +7482,22 @@ function validateConfig(config2) {
   if (!Array.isArray(blacklist)) {
     errors.push("commands.blacklist must be an array");
   }
+  if (ensureCommands !== void 0) {
+    if (!Array.isArray(ensureCommands)) {
+      errors.push("commands.ensure_commands must be an array");
+    } else {
+      for (let i = 0; i < ensureCommands.length; i++) {
+        const command = ensureCommands[i];
+        if (typeof command !== "string" || !command.trim()) {
+          errors.push(`commands.ensure_commands[${i}] must be a non-empty string`);
+        } else if (!/^[a-zA-Z0-9._+-]+$/.test(command)) {
+          errors.push(
+            `commands.ensure_commands[${i}] contains invalid characters; use letters, digits, ., _, +, - only`
+          );
+        }
+      }
+    }
+  }
   if (plugins !== void 0) {
     if (!plugins || typeof plugins !== "object" || Array.isArray(plugins)) {
       errors.push("plugins must be an object");
@@ -7500,61 +7624,8 @@ function loadConfig() {
   }
   ensurePrivateFile(configPath);
   try {
-    const rawText = readFileSync3(configPath, "utf-8");
-    const stripped = rawText.split("\n").filter((line) => !line.trimStart().startsWith("//")).join("\n");
-    const raw = JSON.parse(stripped);
-    const rawRuntime = raw.runtime;
-    let runtime = rawRuntime;
-    if (rawRuntime === "docker") {
-      runtime = "podman";
-      console.error('Warning: runtime "docker" is deprecated. Using "podman".');
-    } else if (rawRuntime === "singularity") {
-      runtime = "apptainer";
-      console.error('Warning: runtime "singularity" is deprecated. Using "apptainer".');
-    }
-    const config2 = {
-      runtime: runtime ?? DEFAULT_CONFIG.runtime,
-      image: raw.image ?? DEFAULT_CONFIG.image,
-      session_timeout_hours: raw.session_timeout_hours ?? DEFAULT_CONFIG.session_timeout_hours,
-      filesystem: {
-        extra_paths: raw.filesystem?.extra_paths ?? [...DEFAULT_CONFIG.filesystem.extra_paths],
-        blocked_patterns: raw.filesystem?.blocked_patterns ?? [...DEFAULT_CONFIG.filesystem.blocked_patterns]
-      },
-      datasets: Array.isArray(raw.datasets) ? raw.datasets : [],
-      commands: {
-        blacklist: raw.commands?.blacklist ?? [...DEFAULT_CONFIG.commands.blacklist]
-      },
-      network: {
-        mode: raw.network?.mode ?? DEFAULT_CONFIG.network.mode,
-        allowed_domains: raw.network?.allowed_domains ?? [...DEFAULT_CONFIG.network.allowed_domains]
-      },
-      slurm: {
-        enabled: raw.slurm?.enabled ?? DEFAULT_CONFIG.slurm.enabled,
-        poll_interval_seconds: raw.slurm?.poll_interval_seconds ?? DEFAULT_CONFIG.slurm.poll_interval_seconds,
-        sacct_lookback_hours: raw.slurm?.sacct_lookback_hours ?? DEFAULT_CONFIG.slurm.sacct_lookback_hours,
-        mcp_server: raw.slurm?.mcp_server ?? DEFAULT_CONFIG.slurm.mcp_server
-      },
-      audit: {
-        enabled: raw.audit?.enabled ?? DEFAULT_CONFIG.audit.enabled,
-        log_dir: raw.audit?.log_dir ?? DEFAULT_CONFIG.audit.log_dir
-      },
-      automation: {
-        api_key: raw.automation?.api_key ?? DEFAULT_CONFIG.automation?.api_key,
-        model: raw.automation?.model ?? DEFAULT_CONFIG.automation.model,
-        system_prompt: raw.automation?.system_prompt ?? DEFAULT_CONFIG.automation.system_prompt,
-        trigger_patterns: raw.automation?.trigger_patterns ?? [...DEFAULT_CONFIG.automation.trigger_patterns],
-        context_lines: raw.automation?.context_lines ?? DEFAULT_CONFIG.automation.context_lines,
-        delay_ms: raw.automation?.delay_ms ?? DEFAULT_CONFIG.automation.delay_ms,
-        max_turns: raw.automation?.max_turns ?? DEFAULT_CONFIG.automation.max_turns,
-        max_tokens: raw.automation?.max_tokens ?? DEFAULT_CONFIG.automation.max_tokens
-      },
-      headless: {
-        claude_run_with_allowed_permissions: raw.headless?.claude_run_with_allowed_permissions ?? DEFAULT_CONFIG.headless?.claude_run_with_allowed_permissions ?? true,
-        continuation_in_other_terminals: raw.headless?.continuation_in_other_terminals ?? DEFAULT_CONFIG.headless?.continuation_in_other_terminals ?? true,
-        git_integration: raw.headless?.git_integration ?? DEFAULT_CONFIG.headless?.git_integration ?? false
-      },
-      plugins: sanitizePluginMap(raw.plugins)
-    };
+    const raw = readRawConfigFile(configPath);
+    const config2 = buildConfigFromRaw(raw, { warnOnLegacyRuntime: true });
     const errors = validateConfig(config2);
     if (errors.length > 0) {
       console.error(`Warning: invalid config in ${configPath}:`);
@@ -7631,6 +7702,7 @@ var init_config = __esm({
     "use strict";
     DEFAULT_CONFIG = {
       runtime: "auto",
+      images_dir: "",
       // Default sandbox image: includes python3 + basic build tools (git/make/g++).
       // Note: pip/venv are not included by default in Debian; users may still need a
       // custom image for richer Python workflows.
@@ -7663,7 +7735,8 @@ var init_config = __esm({
           "mkfs",
           "reboot",
           "shutdown"
-        ]
+        ],
+        ensure_commands: ["git"]
       },
       network: {
         mode: "host",
@@ -7689,13 +7762,9 @@ var init_config = __esm({
       },
       plugins: {
         files: true,
+        activity: true,
         datasets: false,
         results: false,
-        charting: true,
-        molecular: true,
-        genomics: true,
-        phylogenetics: true,
-        network: true,
         slurm: true,
         explorer: true,
         automation: false
@@ -7716,7 +7785,7 @@ var init_config = __esm({
         max_tokens: 1024
       },
       headless: {
-        claude_run_with_allowed_permissions: true,
+        claude_run_with_allowed_permissions: false,
         continuation_in_other_terminals: true,
         git_integration: false
       }
@@ -36397,14 +36466,14 @@ var StdioServerTransport = class {
 
 // src/lib/explorer-mcp.ts
 init_config();
-import { mkdirSync as mkdirSync10, writeFileSync as writeFileSync8 } from "fs";
+import { mkdirSync as mkdirSync10, writeFileSync as writeFileSync9 } from "fs";
 import { join as join11 } from "path";
 
 // src/lib/explorer-store.ts
 init_config();
 import { randomUUID } from "crypto";
-import { chmodSync as chmodSync2, existsSync as existsSync4, mkdirSync as mkdirSync2, readFileSync as readFileSync4, writeFileSync as writeFileSync2 } from "fs";
-import { dirname as dirname2 } from "path";
+import { chmodSync as chmodSync2, existsSync as existsSync4, mkdirSync as mkdirSync2, readFileSync as readFileSync4, writeFileSync as writeFileSync3 } from "fs";
+import { dirname as dirname3 } from "path";
 
 // src/lib/explorer-retention.ts
 var DEFAULT_RETENTION_POLICY = {
@@ -36642,7 +36711,7 @@ function mapEventRow(row) {
 var ExplorerStore = class {
   constructor(dbPath = getExplorerDbPath()) {
     this.dbPath = dbPath;
-    const dir = dirname2(dbPath);
+    const dir = dirname3(dbPath);
     if (!existsSync4(dir)) {
       mkdirSync2(dir, { recursive: true, mode: 448 });
     }
@@ -37293,7 +37362,7 @@ var ExplorerStore = class {
   flushJson() {
     if (!this.jsonPath) return;
     try {
-      writeFileSync2(this.jsonPath, JSON.stringify(this.jsonStore, null, 2) + "\n", {
+      writeFileSync3(this.jsonPath, JSON.stringify(this.jsonStore, null, 2) + "\n", {
         encoding: "utf-8",
         mode: 384
       });
@@ -37308,7 +37377,7 @@ var ExplorerStore = class {
 
 // src/lib/explorer-git.ts
 import { existsSync as existsSync5, mkdirSync as mkdirSync3 } from "fs";
-import { dirname as dirname3, resolve as resolve2 } from "path";
+import { dirname as dirname4, resolve as resolve2 } from "path";
 import { execFileSync, spawnSync } from "child_process";
 function runGit(args, cwd) {
   return execFileSync("git", args, {
@@ -37353,7 +37422,7 @@ function resolveGitSha(repoPath, ref = "HEAD") {
 function cloneRepository(sourceRepoPath, targetRepoPath) {
   const source = resolve2(sourceRepoPath);
   const target = resolve2(targetRepoPath);
-  const targetParent = dirname3(target);
+  const targetParent = dirname4(target);
   if (!existsSync5(targetParent)) {
     mkdirSync3(targetParent, { recursive: true, mode: 448 });
   }
@@ -37369,7 +37438,7 @@ function createRunWorkspace(repoPath, worktreePath, parentSha, experimentId, run
   const expPart = sanitizeBranchPart(experimentId) || "exp";
   const runPart = sanitizeBranchPart(runId) || "run";
   const branchName = `explorer/${expPart}/${runPart}`;
-  const parentDir = dirname3(fullWorktree);
+  const parentDir = dirname4(fullWorktree);
   if (!existsSync5(parentDir)) {
     mkdirSync3(parentDir, { recursive: true, mode: 448 });
   }
@@ -37438,7 +37507,7 @@ function cleanupWorkspace(repoPath, worktreePath, branchName) {
 }
 
 // src/lib/explorer-eval.ts
-import { mkdirSync as mkdirSync4, writeFileSync as writeFileSync3 } from "fs";
+import { mkdirSync as mkdirSync4, writeFileSync as writeFileSync4 } from "fs";
 import { join as join4, resolve as resolve3 } from "path";
 import { spawnSync as spawnSync2 } from "child_process";
 function parseLastNonEmptyLine(text) {
@@ -37453,13 +37522,13 @@ function shellForCurrentPlatform() {
   if (process.platform === "win32") {
     return process.env.COMSPEC || "cmd.exe";
   }
-  return process.env.SHELL || "/bin/sh";
+  return "/bin/sh";
 }
 function shellArgsForCommand(command) {
   if (process.platform === "win32") {
     return ["/d", "/s", "/c", command];
   }
-  return ["-lc", command];
+  return ["-c", command];
 }
 function runEvaluation(opts) {
   const worktreePath = resolve3(opts.worktree_path);
@@ -37482,8 +37551,8 @@ function runEvaluation(opts) {
   const finishedAt = new Date(started + runtimeMs).toISOString();
   const stdout = String(result.stdout || "");
   const stderr = String(result.stderr || "");
-  writeFileSync3(stdoutPath, stdout, "utf-8");
-  writeFileSync3(stderrPath, stderr, "utf-8");
+  writeFileSync4(stdoutPath, stdout, "utf-8");
+  writeFileSync4(stderrPath, stderr, "utf-8");
   if (result.error && (result.error.code === "ETIMEDOUT" || result.signal === "SIGTERM")) {
     return {
       status: "timeout",
@@ -37597,13 +37666,13 @@ import { join as join10, resolve as resolve7 } from "path";
 
 // src/lib/explorer-autopilot.ts
 init_config();
-import { existsSync as existsSync7, mkdirSync as mkdirSync7, writeFileSync as writeFileSync6 } from "fs";
+import { existsSync as existsSync7, mkdirSync as mkdirSync7, writeFileSync as writeFileSync7 } from "fs";
 import { join as join7, resolve as resolve5 } from "path";
 import { spawnSync as spawnSync4 } from "child_process";
 
 // src/lib/explorer-lock.ts
 init_config();
-import { closeSync, mkdirSync as mkdirSync5, openSync, readFileSync as readFileSync5, unlinkSync, writeFileSync as writeFileSync4 } from "fs";
+import { closeSync, mkdirSync as mkdirSync5, openSync, readFileSync as readFileSync5, unlinkSync, writeFileSync as writeFileSync5 } from "fs";
 import { join as join5 } from "path";
 function parseLockPid(raw) {
   const firstLine = raw.split(/\r?\n/, 1)[0] || "";
@@ -37654,7 +37723,7 @@ function acquireExperimentLock(experimentId, lockName = "autopilot.lock") {
     return null;
   }
   try {
-    writeFileSync4(fd, `${process.pid}
+    writeFileSync5(fd, `${process.pid}
 `, { encoding: "utf-8" });
   } catch (err) {
     try {
@@ -37684,12 +37753,13 @@ function acquireExperimentLock(experimentId, lockName = "autopilot.lock") {
 
 // src/lib/explorer-claude.ts
 init_config();
-import { existsSync as existsSync6, mkdirSync as mkdirSync6, writeFileSync as writeFileSync5 } from "fs";
-import { basename, dirname as dirname4, join as join6, resolve as resolve4 } from "path";
+import { existsSync as existsSync6, mkdirSync as mkdirSync6, writeFileSync as writeFileSync6 } from "fs";
+import { basename, dirname as dirname5, join as join6, resolve as resolve4 } from "path";
 import { homedir as homedir4 } from "os";
 import { spawnSync as spawnSync3 } from "child_process";
 
 // src/lib/container.ts
+import { randomBytes as randomBytes2, createHash } from "crypto";
 var import_fast_glob = __toESM(require_out4());
 init_config();
 
@@ -37918,9 +37988,16 @@ init_config();
 // src/lib/slurm-cli-passthrough.ts
 init_config();
 
+// src/lib/startup-stage-lock.ts
+var DEFAULT_STAGE_LOCK_WAIT_TIMEOUT_MS = 5 * 60 * 1e3;
+var DEFAULT_STAGE_LOCK_STALE_AFTER_MS = 15 * 60 * 1e3;
+
 // src/lib/container.ts
 function imageToSifName(image) {
-  return image.replace(/[/:]/g, "_") + ".sif";
+  const normalized = String(image || "").trim();
+  const readable = normalized.replace(/[^a-zA-Z0-9._-]+/g, "_").replace(/^_+|_+$/g, "").slice(0, 160) || "image";
+  const hash2 = createHash("sha256").update(normalized).digest("hex").slice(0, 12);
+  return `${readable}-${hash2}.sif`;
 }
 
 // src/lib/explorer-claude.ts
@@ -38080,12 +38157,37 @@ function runApptainer(args, cwd, timeoutSec) {
 function ensureDisplayDbFile() {
   const displayDbPath = getDisplayDbPath();
   if (existsSync6(displayDbPath)) return;
-  ensurePrivateDir(dirname4(displayDbPath));
-  writeFileSync5(displayDbPath, JSON.stringify({ version: 1, events: [] }, null, 2) + "\n", {
+  ensurePrivateDir(dirname5(displayDbPath));
+  writeFileSync6(displayDbPath, JSON.stringify({ version: 1, events: [] }, null, 2) + "\n", {
     encoding: "utf-8",
     mode: PRIVATE_FILE_MODE
   });
 }
+function buildClaudeHeadlessAddDirArgs(config2) {
+  const dirs = /* @__PURE__ */ new Set();
+  let hasExtraMounts = false;
+  let hasDatasets = false;
+  for (const mount of config2.filesystem.extra_paths || []) {
+    if (!mount || typeof mount.path !== "string") continue;
+    const resolved = mount.path.replace(/^~/, homedir4());
+    const target = `/mnt/${basename(resolved)}`;
+    hasExtraMounts = true;
+    dirs.add(target);
+  }
+  for (const ds of config2.datasets || []) {
+    if (!ds || typeof ds.name !== "string") continue;
+    const name = ds.name.trim();
+    if (!name) continue;
+    hasDatasets = true;
+    dirs.add(`/datasets/${name}`);
+  }
+  if (hasExtraMounts) dirs.add("/mnt");
+  if (hasDatasets) dirs.add("/datasets");
+  return Array.from(dirs).flatMap((dir) => ["--add-dir", dir]);
+}
+function buildClaudeHeadlessAllowedToolsArgs() {
+  return ["--allowed-tools", "Glob,Read,Grep,WebFetch"];
+}
 function buildContainerPrefixArgs(config2, worktreePath, sifPath) {
   const sandboxHome = getSandboxHome();
   const args = [
@@ -38181,7 +38283,8 @@ function normalizeTimeout(raw) {
   return Math.max(30, Math.min(4 * 60 * 60, Math.floor(parsed)));
 }
 function runClaudeHeadlessInWorktree(input) {
-  const worktreePath = resolve4(String(input.worktree_path || "").trim());
+  const worktreePathRaw = String(input.worktree_path || "").trim();
+  const worktreePath = worktreePathRaw ? resolve4(worktreePathRaw) : "";
   const prompt = String(input.prompt || "").trim();
   const resumeSessionId = String(input.resume_session_id || "").trim();
   const timeoutSec = normalizeTimeout(input.timeout_sec);
@@ -38210,6 +38313,8 @@ function runClaudeHeadlessInWorktree(input) {
     "--output-format",
     "stream-json",
     "--include-partial-messages",
+    ...buildClaudeHeadlessAddDirArgs(config2),
+    ...buildClaudeHeadlessAllowedToolsArgs(),
     ...shouldClaudeHeadlessRunWithAllowedPermissions(config2) ? ["--dangerously-skip-permissions"] : [],
     ...resumeSessionId ? ["--resume", resumeSessionId] : [],
     prompt
@@ -38517,13 +38622,13 @@ function writeAgentDebugArtifacts(artifactDir, debug) {
   if (!debug) return;
   try {
     if (debug.activity_log) {
-      writeFileSync6(join7(artifactDir, "agent.log"), debug.activity_log, "utf-8");
+      writeFileSync7(join7(artifactDir, "agent.log"), debug.activity_log, "utf-8");
     }
     if (debug.stdout) {
-      writeFileSync6(join7(artifactDir, "claude.stdout.log"), debug.stdout, "utf-8");
+      writeFileSync7(join7(artifactDir, "claude.stdout.log"), debug.stdout, "utf-8");
     }
     if (debug.stderr) {
-      writeFileSync6(join7(artifactDir, "claude.stderr.log"), debug.stderr, "utf-8");
+      writeFileSync7(join7(artifactDir, "claude.stderr.log"), debug.stderr, "utf-8");
     }
   } catch {
   }
@@ -38570,7 +38675,7 @@ function recoverStaleActiveRuns(experimentId, store, staleAfterSec) {
     ].join("\n");
     try {
       mkdirSync7(run.artifact_dir, { recursive: true, mode: 448 });
-      writeFileSync6(join7(run.artifact_dir, "summary.md"), summary, "utf-8");
+      writeFileSync7(join7(run.artifact_dir, "summary.md"), summary, "utf-8");
     } catch {
     }
     const updated = store.recordRunResult(run.id, {
@@ -38694,7 +38799,7 @@ function autopilotTick(input) {
     writeAgentDebugArtifacts(artifactDir, agentResult.debug);
     if (!agentResult.ok) {
       const summary2 = buildSummary(run.id, parentScore, "failed_build", null, "", agentResult.error, agentResult.error);
-      writeFileSync6(join7(artifactDir, "summary.md"), summary2, "utf-8");
+      writeFileSync7(join7(artifactDir, "summary.md"), summary2, "utf-8");
       store.recordRunResult(run.id, {
         status: "failed_build",
         metrics_json: JSON.stringify(agentResult.metrics || {}),
@@ -38710,7 +38815,7 @@ function autopilotTick(input) {
     }
     store.recordRunCommit(run.id, agentResult.commit_sha);
     const diffText = getDiff(experiment.repo_path, parent.parent_commit_sha, agentResult.commit_sha);
-    writeFileSync6(join7(artifactDir, "diff.patch"), diffText, "utf-8");
+    writeFileSync7(join7(artifactDir, "diff.patch"), diffText, "utf-8");
     const evalResult = runEvaluation({
       worktree_path: workspace.worktree_path,
       eval_command: experiment.eval_command,
@@ -38731,7 +38836,7 @@ function autopilotTick(input) {
       stderr_path: evalResult.stderr_path,
       error: evalResult.error || null
     };
-    writeFileSync6(join7(artifactDir, "eval.json"), JSON.stringify(evalPayload, null, 2) + "\n", "utf-8");
+    writeFileSync7(join7(artifactDir, "eval.json"), JSON.stringify(evalPayload, null, 2) + "\n", "utf-8");
     const runStatus = evalResult.status;
     const runScore = Number.isFinite(evalResult.score) ? Number(evalResult.score) : null;
     const mergedMetrics = {
@@ -38747,7 +38852,7 @@ function autopilotTick(input) {
       evalResult.error,
       agentResult.note
     );
-    writeFileSync6(join7(artifactDir, "summary.md"), summary, "utf-8");
+    writeFileSync7(join7(artifactDir, "summary.md"), summary, "utf-8");
     store.recordRunResult(run.id, {
       status: runStatus,
       score: runScore,
@@ -38789,7 +38894,7 @@ function autopilotTick(input) {
           if (inFlightArtifactDir) {
             try {
               mkdirSync7(inFlightArtifactDir, { recursive: true, mode: 448 });
-              writeFileSync6(join7(inFlightArtifactDir, "summary.md"), summary, "utf-8");
+              writeFileSync7(join7(inFlightArtifactDir, "summary.md"), summary, "utf-8");
             } catch {
             }
           }
@@ -39090,7 +39195,7 @@ function experimentGc(experimentId, store, options) {
 // src/lib/explorer-compare.ts
 init_config();
 import { execFileSync as execFileSync3 } from "child_process";
-import { mkdirSync as mkdirSync8, writeFileSync as writeFileSync7 } from "fs";
+import { mkdirSync as mkdirSync8, writeFileSync as writeFileSync8 } from "fs";
 import { join as join9 } from "path";
 function runGit2(repoPath, args) {
   return String(execFileSync3("git", ["-C", repoPath, ...args], {
@@ -39215,7 +39320,7 @@ function runCompare(input, store) {
     const safeB = (bRunId || "base").replace(/[^a-zA-Z0-9._-]+/g, "_");
     const target = join9(compareDir, `${aRun.id}_vs_${safeB}.patch`);
     const patchText = runGit2(experiment.repo_path, ["diff", "--binary", `${bCommitSha}..${aRun.commit_sha}`]);
-    writeFileSync7(target, patchText, "utf-8");
+    writeFileSync8(target, patchText, "utf-8");
     patchPath = target;
   }
   const aMetrics = parseMetrics(aRun.metrics_json);
@@ -39551,7 +39656,7 @@ function runExperimentBaselineInit(experimentId, store) {
     error: baseline.error || null
   };
   mkdirSync10(artifactDir, { recursive: true, mode: 448 });
-  writeFileSync8(join11(artifactDir, "eval.json"), JSON.stringify(evalPayload, null, 2) + "\n", "utf-8");
+  writeFileSync9(join11(artifactDir, "eval.json"), JSON.stringify(evalPayload, null, 2) + "\n", "utf-8");
   store.createEvent(experiment.id, "note", {
     message: "experiment initialized with baseline evaluation",
     status: baseline.status,