skimpyclaw 0.1.9 → 0.3.0

package/dist/cli.js

@@ -43,6 +43,10 @@ Commands:
   tools list              List available tools (built-in + MCP)
   tools install <name>    Add MCP server (--command <cmd> [--args ...] or --url <url>)
   tools remove <name>     Remove MCP server
+  sandbox status          Show active sandbox containers
+  sandbox prune           Force-prune all sandbox containers
+  sandbox init            Auto-setup sandbox runtime/image/config (supports --profile)
+  sandbox doctor          Sandbox-specific diagnostics and hints
   help                    Show this help
 `);
 }
@@ -724,6 +728,211 @@ async function commandTools(args) {
     console.error('Usage: skimpyclaw tools <list|install|remove>');
     return 1;
 }
+const SANDBOX_CLI_BY_PROFILE = {
+    minimal: ['bash', 'curl', 'git', 'gh', 'jq', 'python3', 'rg', 'pnpm'],
+    dev: ['bash', 'curl', 'git', 'gh', 'jq', 'python3', 'rg', 'pnpm', 'gcc', 'g++', 'make'],
+    full: ['bash', 'curl', 'git', 'gh', 'jq', 'python3', 'rg', 'pnpm', 'gcc', 'g++', 'make', 'pip3', 'sqlite3'],
+};
+function defaultSandboxNetwork(runtime) {
+    return runtime === 'container' ? 'default' : 'bridge';
+}
+function detectSandboxRuntime(preferred) {
+    if (preferred === 'container' || preferred === 'docker') {
+        return spawnSync(preferred, ['--version'], { encoding: 'utf-8' }).status === 0 ? preferred : null;
+    }
+    if (spawnSync('container', ['--version'], { encoding: 'utf-8' }).status === 0) {
+        return 'container';
+    }
+    if (spawnSync('docker', ['--version'], { encoding: 'utf-8' }).status === 0) {
+        return 'docker';
+    }
+    return null;
+}
+function isSandboxRuntimeRunning(runtime) {
+    if (runtime === 'container') {
+        return spawnSync('container', ['system', 'status'], { encoding: 'utf-8' }).status === 0;
+    }
+    return spawnSync('docker', ['info'], { encoding: 'utf-8' }).status === 0;
+}
+function sandboxNetworkExists(runtime, network) {
+    if (runtime === 'container') {
+        const result = spawnSync('container', ['network', 'ls'], { encoding: 'utf-8' });
+        if (result.status !== 0)
+            return false;
+        return result.stdout.split('\n').some((line) => line.trim().split(/\s+/)[0] === network);
+    }
+    const result = spawnSync('docker', ['network', 'inspect', network], { encoding: 'utf-8' });
+    return result.status === 0;
+}
+function sandboxImageExists(runtime, image) {
+    return spawnSync(runtime, ['image', 'inspect', image], { encoding: 'utf-8' }).status === 0;
+}
+function resolveSandboxDir() {
+    const cwdSandbox = join(process.cwd(), 'sandbox');
+    if (existsSync(join(cwdSandbox, 'Dockerfile'))) {
+        return cwdSandbox;
+    }
+    return null;
+}
+function parseSandboxOption(args, flag) {
+    const idx = args.indexOf(flag);
+    if (idx === -1 || idx + 1 >= args.length)
+        return undefined;
+    return args[idx + 1];
+}
+function runSandboxImageCheck(runtime, image, network, cmd) {
+    const result = spawnSync(runtime, ['run', '--rm', '--network', network, image, 'sh', '-lc', cmd], { encoding: 'utf-8' });
+    if (result.status === 0) {
+        return { ok: true, detail: (result.stdout || '').trim() || 'ok' };
+    }
+    const detail = `${(result.stderr || '').trim()} ${(result.stdout || '').trim()}`.trim() || `exit ${result.status ?? 1}`;
+    return { ok: false, detail };
+}
+function printSandboxCheck(ok, name, detail, hint) {
+    const prefix = ok ? '✓' : '✗';
+    console.log(`${prefix} ${name}: ${detail}`);
+    if (!ok && hint) {
+        console.log(`  → ${hint}`);
+    }
+}
+async function commandSandbox(args) {
+    const sub = args[0];
+    if (sub === 'status') {
+        const rt = detectSandboxRuntime();
+        if (!rt) {
+            console.log('No container runtime found (install Docker or Apple Containers).');
+            return 1;
+        }
+        const result = spawnSync(rt, ['ps', '--format', '{{.Names}}'], { encoding: 'utf-8' });
+        const lines = (result.stdout || '').trim().split('\n').filter(Boolean);
+        const containers = lines.filter((line) => line.includes('skimpyclaw-sbx'));
+        if (containers.length === 0) {
+            console.log('No active sandbox containers.');
+        }
+        else {
+            console.log(`Active sandbox containers (${containers.length}):`);
+            containers.forEach((c) => console.log(`  ${c}`));
+        }
+        return 0;
+    }
+    if (sub === 'prune') {
+        const { cleanupOrphans } = await import('./sandbox/index.js');
+        const count = await cleanupOrphans();
+        console.log(`Pruned ${count} sandbox container(s).`);
+        return 0;
+    }
+    if (sub === 'init') {
+        const runtimeFlag = parseSandboxOption(args, '--runtime');
+        const profileFlag = parseSandboxOption(args, '--profile') || 'minimal';
+        const imageFlag = parseSandboxOption(args, '--image');
+        const networkFlag = parseSandboxOption(args, '--network');
+        const validProfiles = ['minimal', 'dev', 'full'];
+        if (!validProfiles.includes(profileFlag)) {
+            console.error(`Invalid profile "${profileFlag}". Use one of: minimal, dev, full`);
+            return 1;
+        }
+        const profile = profileFlag;
+        const runtime = detectSandboxRuntime(runtimeFlag);
+        if (!runtime) {
+            console.error('No supported runtime found. Install Apple Containers or Docker.');
+            return 1;
+        }
+        const network = networkFlag || defaultSandboxNetwork(runtime);
+        const image = imageFlag || 'skimpyclaw-sandbox:latest';
+        if (!isSandboxRuntimeRunning(runtime)) {
+            const hint = runtime === 'container' ? 'Run: container system start' : 'Start Docker Desktop (or run `docker info`).';
+            console.error(`Runtime "${runtime}" is not running.`);
+            console.error(hint);
+            return 1;
+        }
+        if (!sandboxNetworkExists(runtime, network)) {
+            const hint = runtime === 'container'
+                ? 'Create/list networks with `container network ls`.'
+                : 'Create/list networks with `docker network ls`.';
+            console.error(`Sandbox network "${network}" not found for runtime "${runtime}".`);
+            console.error(hint);
+            return 1;
+        }
+        const sandboxDir = resolveSandboxDir();
+        if (!sandboxDir) {
+            console.error('Could not find sandbox/Dockerfile from current directory.');
+            console.error('Run from repo root (contains ./sandbox) or build image manually.');
+            return 1;
+        }
+        console.log(`Building sandbox image "${image}" (runtime=${runtime}, profile=${profile})...`);
+        const build = spawnSync(runtime, ['build', '--build-arg', `SKIMPY_PROFILE=${profile}`, '-t', image, sandboxDir], { stdio: 'inherit' });
+        if (build.status !== 0) {
+            console.error('Sandbox image build failed.');
+            return 1;
+        }
+        const raw = loadRawConfig();
+        const sandbox = raw.sandbox ?? {};
+        sandbox.enabled = true;
+        sandbox.runtime = runtime;
+        sandbox.network = network;
+        sandbox.image = image;
+        raw.sandbox = sandbox;
+        saveConfig(raw);
+        console.log('Updated config: sandbox.enabled=true');
+        console.log(`Updated config: sandbox.runtime="${runtime}"`);
+        console.log(`Updated config: sandbox.network="${network}"`);
+        console.log(`Updated config: sandbox.image="${image}"`);
+        const required = SANDBOX_CLI_BY_PROFILE[profile];
+        const checkCmd = `for c in ${required.join(' ')}; do command -v "$c" >/dev/null || { echo "missing:$c"; exit 1; }; done; echo cli-ok`;
+        const cliCheck = runSandboxImageCheck(runtime, image, network, checkCmd);
+        const netCheck = runSandboxImageCheck(runtime, image, network, 'curl -fsS --max-time 8 https://example.com >/dev/null && echo net-ok');
+        const hostCheck = runSandboxImageCheck(runtime, image, network, 'hostname');
+        printSandboxCheck(hostCheck.ok, 'sandbox_hostname', hostCheck.detail);
+        printSandboxCheck(cliCheck.ok, 'sandbox_tools', cliCheck.detail, 'Rebuild image or choose a lighter profile.');
+        printSandboxCheck(netCheck.ok, 'sandbox_network_egress', netCheck.detail, 'Try a different sandbox.network or check runtime DNS/network settings.');
+        if (!hostCheck.ok || !cliCheck.ok || !netCheck.ok) {
+            return 1;
+        }
+        console.log('\nSandbox init complete. Restart Skimpy to apply runtime config.');
+        return 0;
+    }
+    if (sub === 'doctor') {
+        const config = loadConfig();
+        const runtime = detectSandboxRuntime(config.sandbox?.runtime);
+        const image = config.sandbox?.image || 'skimpyclaw-sandbox:latest';
+        const network = config.sandbox?.network || (runtime ? defaultSandboxNetwork(runtime) : 'unknown');
+        const profileFlag = parseSandboxOption(args, '--profile') || 'minimal';
+        const profile = (['minimal', 'dev', 'full'].includes(profileFlag) ? profileFlag : 'minimal');
+        let failed = false;
+        printSandboxCheck(config.sandbox?.enabled === true, 'sandbox_enabled', config.sandbox?.enabled ? 'enabled' : 'disabled', 'Run: skimpyclaw sandbox init');
+        if (!config.sandbox?.enabled)
+            failed = true;
+        printSandboxCheck(!!runtime, 'runtime_detected', runtime || 'none', 'Install Docker or Apple Containers.');
+        if (!runtime)
+            return 1;
+        printSandboxCheck(isSandboxRuntimeRunning(runtime), 'runtime_running', runtime, runtime === 'container' ? 'Run: container system start' : 'Start Docker Desktop.');
+        if (!isSandboxRuntimeRunning(runtime))
+            failed = true;
+        const networkOk = sandboxNetworkExists(runtime, network);
+        printSandboxCheck(networkOk, 'network_exists', network, `Use "${runtime === 'container' ? 'container' : 'docker'} network ls" and update sandbox.network.`);
+        if (!networkOk)
+            failed = true;
+        const imageOk = sandboxImageExists(runtime, image);
+        printSandboxCheck(imageOk, 'image_exists', image, `Build image: ${runtime} build -t ${image} sandbox/`);
+        if (!imageOk)
+            failed = true;
+        if (imageOk && networkOk) {
+            const required = SANDBOX_CLI_BY_PROFILE[profile];
+            const checkCmd = `for c in ${required.join(' ')}; do command -v "$c" >/dev/null || { echo "missing:$c"; exit 1; }; done; echo cli-ok`;
+            const cliCheck = runSandboxImageCheck(runtime, image, network, checkCmd);
+            printSandboxCheck(cliCheck.ok, 'image_toolchain', cliCheck.detail, 'Rebuild with: skimpyclaw sandbox init --profile dev');
+            if (!cliCheck.ok)
+                failed = true;
+            const netCheck = runSandboxImageCheck(runtime, image, network, 'curl -fsS --max-time 8 https://api.duckduckgo.com/?q=skimpyclaw&format=json >/dev/null && echo net-ok');
+            printSandboxCheck(netCheck.ok, 'network_egress', netCheck.detail, 'Some sources may timeout; verify DNS/network in runtime.');
+            if (!netCheck.ok)
+                failed = true;
+        }
+        return failed ? 1 : 0;
+    }
+    console.log('Usage: skimpyclaw sandbox <status|prune|init|doctor>');
+    return 1;
+}
 export async function runCli(argv = process.argv.slice(2)) {
     const [command, ...args] = argv;
     if (!command || command === 'help' || command === '--help' || command === '-h') {
@@ -787,6 +996,9 @@ export async function runCli(argv = process.argv.slice(2)) {
         if (command === 'tools') {
             return await commandTools(args);
         }
+        if (command === 'sandbox') {
+            return await commandSandbox(args);
+        }
         console.error(`Unknown command: ${command}`);
         printHelp();
         return 1;

package/dist/code-agents/executor.js

@@ -10,6 +10,7 @@ import { buildCodeAgentArgs, notifyCodeAgentResult } from './utils.js';
 import { parseStreamJsonForLive, parseClaudeOutput, parseCodexOutput } from './parser.js';
 import { startTrace, addEvent, endTrace } from '../audit.js';
 import { buildUsageRecord, recordUsage } from '../usage.js';
+import { ensureContainer, SANDBOX_DEFAULTS, getRuntime } from '../sandbox/index.js';
 const CANCELLED_MESSAGE = 'Cancelled by user';
 /** Run build/test validation. Shared by solo agents and team orchestrator. */
 export function runValidation(workdir) {
@@ -87,6 +88,13 @@ export async function runCodeAgentBackground(id, agent, task, workdir, validate,
     logStream.write(`Task: ${task.slice(0, 500)}\n`);
     logStream.write(`Workdir: ${workdir}\n\n`);
     try {
+        // Resolve sandbox container name if enabled (used for spawn wrapping)
+        let sandboxContainer;
+        if (options?.sandboxConfig?.enabled) {
+            const merged = { ...SANDBOX_DEFAULTS, ...options.sandboxConfig };
+            sandboxContainer = await ensureContainer(`code-${id}`, merged, options.allowedPaths || [workdir]);
+            console.log(`[code-agent] Running in sandbox container: ${sandboxContainer}`);
+        }
         ensureNotCancelled();
         const exitCode = await new Promise((resolvePromise, reject) => {
             const spawnEnv = { ...process.env };
@@ -94,8 +102,11 @@ export async function runCodeAgentBackground(id, agent, task, workdir, validate,
             // Apply extra env vars (e.g. team mode feature flag)
             if (options?.env)
                 Object.assign(spawnEnv, options.env);
-            const proc = spawn(cmd, args, {
-                cwd: workdir,
+            // When sandbox is enabled, wrap the spawn: container exec <name> <cmd> <args>
+            const spawnCmd = sandboxContainer ? getRuntime() : cmd;
+            const spawnArgs = sandboxContainer ? ['exec', sandboxContainer, cmd, ...args] : args;
+            const proc = spawn(spawnCmd, spawnArgs, {
+                cwd: sandboxContainer ? undefined : workdir, // container has its own cwd
                 stdio: ['ignore', 'pipe', 'pipe'],
                 env: spawnEnv,
             });
@@ -277,8 +288,10 @@ export async function runCodeAgentBackground(id, agent, task, workdir, validate,
                 const retryExitCode = await new Promise((resolveRetry, rejectRetry) => {
                     const spawnEnv = { ...process.env };
                     delete spawnEnv.CLAUDECODE;
-                    const retryProc = spawn(retryCmd, retryArgs, {
-                        cwd: workdir,
+                    const retrySpawnCmd = sandboxContainer ? getRuntime() : retryCmd;
+                    const retrySpawnArgs = sandboxContainer ? ['exec', sandboxContainer, retryCmd, ...retryArgs] : retryArgs;
+                    const retryProc = spawn(retrySpawnCmd, retrySpawnArgs, {
+                        cwd: sandboxContainer ? undefined : workdir,
                         stdio: ['ignore', 'pipe', 'pipe'],
                         env: spawnEnv,
                     });

package/dist/code-agents/types.d.ts

@@ -1,3 +1,4 @@
+import type { SandboxConfig } from '../types.js';
 export interface CodeAgentTask {
     id: string;
     agent: string;
@@ -44,6 +45,10 @@ export interface CodeAgentBackgroundOptions {
     maxTimeoutMinutes?: number;
     /** Skip sending notification on completion (parent handles it) */
     skipNotification?: boolean;
+    /** Sandbox configuration — when enabled, run CLI inside container */
+    sandboxConfig?: SandboxConfig;
+    /** Paths to mount into the sandbox container */
+    allowedPaths?: string[];
 }
 export interface BuildCodeAgentArgsInput {
     task: string;

package/dist/cron.d.ts

@@ -23,6 +23,12 @@ export declare function parseDualOutput(response: string): {
     voice: string | null;
     text: string;
 };
+/**
+ * Post-run guard for the pr-review cron job.
+ * Validates that the agent actually used code_with_agent when PRs were found.
+ * Non-throwing — logs a warning and returns an alert message (or null if OK).
+ */
+export declare function validatePrReviewOutput(output: string): string | null;
 export declare function getCronJobs(): {
     id: string;
     name: string;

package/dist/cron.js

@@ -9,6 +9,7 @@ import { startTrace, addEvent, endTrace } from './audit.js';
 import { sendActiveChannelProactiveMessage, sendActiveChannelProactiveVoice, getActiveChannelId } from './channels.js';
 import { parseAndSaveDigest } from './digests.js';
 import { synthesizeSpeech } from './voice.js';
+import { ensureContainer, SANDBOX_DEFAULTS, sandboxBash } from './sandbox/index.js';
 const scheduledJobs = new Map();
 let configWatcher = null;
 function getCronLogDir() {
@@ -138,7 +139,7 @@ async function executeJobPayload(jobDef, config) {
                 channel: getActiveChannelId() || 'telegram',
                 trigger: 'cron',
                 sessionId: jobDef.id,
-                metadata: { jobName: jobDef.name },
+                metadata: { jobName: jobDef.name, isCronJob: true },
             });
             appendCronLogLine(jobDef.id, `Agent turn completed (${response.length} chars)`);
             // Parse dual output (voice + text) if delimiters present
@@ -148,6 +149,19 @@ async function executeJobPayload(jobDef, config) {
             }
             // Use text portion for log output and notifications
             logEntry.output = textPortion.slice(0, 5000);
+            // Post-run guard for pr-review job
+            if (jobDef.id === 'pr-review') {
+                const guardAlert = validatePrReviewOutput(textPortion);
+                if (guardAlert) {
+                    appendCronLogLine(jobDef.id, guardAlert);
+                    try {
+                        await sendActiveChannelProactiveMessage(config, guardAlert);
+                    }
+                    catch {
+                        // Non-critical
+                    }
+                }
+            }
             // Parse and save digest from the text portion
             try {
                 parseAndSaveDigest(jobDef.id, jobDef.name, textPortion);
@@ -189,7 +203,7 @@ async function executeJobPayload(jobDef, config) {
             });
             appendCronLogLine(jobDef.id, `Script started: ${(jobDef.payload.script || '').slice(0, 100)}`);
             try {
-                const output = await executeScript(jobDef);
+                const output = await executeScript(jobDef, config);
                 logEntry.output = output.slice(0, 50000);
                 appendCronLogLine(jobDef.id, `Script completed (${output.length} chars)`);
                 addEvent(scriptTraceId, {
@@ -248,7 +262,7 @@ async function executeJobPayload(jobDef, config) {
         }
     }
 }
-async function executeScript(jobDef) {
+async function executeScript(jobDef, config) {
     const script = expandVariables(jobDef.payload.script || '');
     if (!script) {
         throw new Error(`Script payload is empty for job: ${jobDef.id}`);
@@ -258,6 +272,19 @@ async function executeScript(jobDef) {
         throw new Error(`Working directory does not exist: ${cwd}`);
     }
     const timeoutMs = jobDef.payload.timeoutMs || 600000; // 10 min default
+    // Sandbox routing for script payloads
+    const sandboxCfg = config.sandbox;
+    if (sandboxCfg?.enabled) {
+        const merged = { ...SANDBOX_DEFAULTS, ...sandboxCfg };
+        const containerName = await ensureContainer(`cron-${jobDef.id}`, merged, jobDef.payload.tools?.allowedPaths || []);
+        console.log(`[cron:script] Running in sandbox container: ${containerName}`);
+        console.log(`[cron:script] Running: ${script.slice(0, 100)}${script.length > 100 ? '...' : ''}`);
+        if (cwd)
+            console.log(`[cron:script] cwd: ${cwd}`);
+        const output = await sandboxBash(containerName, script, cwd, timeoutMs);
+        console.log(`[cron:script] Sandbox completed (${output.length} chars)`);
+        return output;
+    }
     return new Promise((resolve, reject) => {
         const startTime = Date.now();
         console.log(`[cron:script] Running: ${script.slice(0, 100)}${script.length > 100 ? '...' : ''}`);
@@ -342,6 +369,35 @@ export function parseDualOutput(response) {
         text: text || response,
     };
 }
+/**
+ * Post-run guard for the pr-review cron job.
+ * Validates that the agent actually used code_with_agent when PRs were found.
+ * Non-throwing — logs a warning and returns an alert message (or null if OK).
+ */
+export function validatePrReviewOutput(output) {
+    // Check for the machine-readable result line
+    const resultMatch = output.match(/\[PR_REVIEW_RESULT:\s*(.+?)\]/);
+    if (!resultMatch) {
+        return '⚠️ PR Pre-Review: Missing [PR_REVIEW_RESULT] line in output. The agent may not have followed the prompt correctly.';
+    }
+    const resultLine = resultMatch[1].trim();
+    // NO_CANDIDATES is fine — nothing to review
+    if (resultLine === 'NO_CANDIDATES') {
+        return null;
+    }
+    // Parse CANDIDATES=N CODE_AGENT_CALLS=M BLOCKED=B
+    const candidatesMatch = resultLine.match(/CANDIDATES=(\d+)/);
+    const callsMatch = resultLine.match(/CODE_AGENT_CALLS=(\d+)/);
+    const blockedMatch = resultLine.match(/BLOCKED=(\d+)/);
+    const candidates = candidatesMatch ? parseInt(candidatesMatch[1], 10) : 0;
+    const calls = callsMatch ? parseInt(callsMatch[1], 10) : 0;
+    const blocked = blockedMatch ? parseInt(blockedMatch[1], 10) : 0;
+    // If there were candidates but zero code_with_agent calls (and not all blocked), alert
+    if (candidates > 0 && calls === 0 && blocked < candidates) {
+        return `⚠️ PR Pre-Review: Found ${candidates} PR candidate(s) but code_with_agent was never called (blocked: ${blocked}). The agent likely wrote inline commentary instead of delegating.`;
+    }
+    return null;
+}
 function expandVariables(message) {
     const now = new Date();
     const date = now.toLocaleDateString('en-US', {

package/dist/discord.js

@@ -47,8 +47,8 @@ const chatHistory = new Map();
 const loadedFromDisk = new Set();
 const DEFAULT_DISCORD_TOOLS = {
     enabled: true,
-    allowedPaths: [join(homedir(), '.skimpyclaw'), process.cwd()],
-    maxIterations: 100,
+    allowedPaths: [join(homedir(), '.skimpyclaw')],
+    maxIterations: 30,
     bashTimeout: 15000,
 };
 let client = null;

package/dist/doctor/checks.d.ts

@@ -15,4 +15,5 @@ export declare function checkVoiceDependencies(config: Config): Promise<DoctorCh
 export declare function checkMcpConfig(config: Config): Promise<DoctorCheckResult>;
 export declare function checkGatewayHostBindable(host: string): Promise<DoctorCheckResult>;
 export declare function checkSkimpyclawDirWritable(): Promise<DoctorCheckResult>;
+export declare function checkSandboxAvailable(config: Config): Promise<DoctorCheckResult>;
 export declare function checkPortAvailability(port: number): Promise<DoctorCheckResult>;

package/dist/doctor/checks.js

@@ -341,6 +341,53 @@ export async function checkSkimpyclawDirWritable() {
         return fail(name, category, `Directory not writable: ${base}`, 'Fix permissions for ~/.skimpyclaw.');
     }
 }
+export async function checkSandboxAvailable(config) {
+    const name = 'sandbox_available';
+    const category = 'runtime';
+    if (!config.sandbox?.enabled) {
+        return ok(name, category, 'Sandbox disabled');
+    }
+    // Determine which runtime to check
+    const explicit = config.sandbox.runtime;
+    let rt = null;
+    if (explicit) {
+        const check = spawnSync(explicit, ['--version'], { encoding: 'utf-8' });
+        if (check.status !== 0) {
+            return fail(name, category, `${explicit} CLI not found`, `Install ${explicit} or change sandbox.runtime in config.`);
+        }
+        rt = explicit;
+    }
+    else {
+        // Auto-detect: prefer container, fall back to docker
+        const containerCheck = spawnSync('container', ['--version'], { encoding: 'utf-8' });
+        if (containerCheck.status === 0) {
+            rt = 'container';
+        }
+        else {
+            const dockerCheck = spawnSync('docker', ['--version'], { encoding: 'utf-8' });
+            if (dockerCheck.status === 0) {
+                rt = 'docker';
+            }
+        }
+        if (!rt) {
+            return fail(name, category, 'No container runtime found', 'Install Apple Containers or Docker, or disable sandbox in config.');
+        }
+    }
+    // For Apple Containers, check system is running
+    if (rt === 'container') {
+        const systemCheck = spawnSync('container', ['system', 'status'], { encoding: 'utf-8' });
+        if (systemCheck.status !== 0) {
+            return fail(name, category, 'Container system not running', 'Run "container system start" to start the container runtime.');
+        }
+    }
+    // Check if sandbox image exists
+    const image = config.sandbox.image || 'skimpyclaw-sandbox';
+    const imageCheck = spawnSync(rt, ['image', 'inspect', image], { encoding: 'utf-8' });
+    if (imageCheck.status !== 0) {
+        return fail(name, category, `Sandbox image "${image}" not found`, `Build it: ${rt} build -t ${image} sandbox/`);
+    }
+    return ok(name, category, `Runtime: ${rt}, image "${image}" available`);
+}
 export async function checkPortAvailability(port) {
     const name = 'gateway_port_available';
     const category = 'runtime';

package/dist/doctor/runner.js

@@ -1,5 +1,5 @@
 import { loadConfig } from '../config.js';
-import { checkNodeVersion, checkPackageManagerAvailable, checkTypeScriptCompile, checkConfigExistsAndValidJson, checkRequiredEnvVars, checkEnvVarPatterns, checkAllowedPathsWritable, checkProviderAuth, checkTelegramToken, checkDiscordToken, checkBrowserBinaryIfEnabled, checkVoiceDependencies, checkMcpConfig, checkGatewayHostBindable, checkSkimpyclawDirWritable, checkPortAvailability, } from './checks.js';
+import { checkNodeVersion, checkPackageManagerAvailable, checkTypeScriptCompile, checkConfigExistsAndValidJson, checkRequiredEnvVars, checkEnvVarPatterns, checkAllowedPathsWritable, checkProviderAuth, checkTelegramToken, checkDiscordToken, checkBrowserBinaryIfEnabled, checkVoiceDependencies, checkMcpConfig, checkGatewayHostBindable, checkSkimpyclawDirWritable, checkPortAvailability, checkSandboxAvailable, } from './checks.js';
 export function computeExitCode(report) {
     if (report.checks.some((check) => !check.ok && check.fatal)) {
         return 2;
@@ -104,6 +104,7 @@ export async function runDoctor() {
     checks.push(await runSafe('gateway_host_bindable', 'runtime', () => checkGatewayHostBindable(config.gateway.host ?? '127.0.0.1')));
     checks.push(await runSafe('skimpyclaw_dirs_writable', 'runtime', () => checkSkimpyclawDirWritable()));
     checks.push(await runSafe('gateway_port_available', 'runtime', () => checkPortAvailability(config.gateway.port)));
+    checks.push(await runSafe('sandbox_available', 'runtime', () => checkSandboxAvailable(config)));
     const report = buildReport(startedAt, checks);
     return { report, exitCode: report.exitCode };
 }

package/dist/exec-approval.d.ts

@@ -3,6 +3,10 @@ export interface RiskClassification {
     tier: RiskTier;
     reason: string;
 }
+export declare function tokenizeShellCommand(command: string): string[];
+export declare function getCommandSegments(command: string): string[][];
+export declare function getSegmentCommandIndex(segment: string[]): number;
+export declare function getExecutableName(token: string): string;
 /**
  * Classify the risk tier of a shell command.
  * Returns the highest-tier match found.

package/dist/exec-approval.js

@@ -1,7 +1,7 @@
 // Exec Approval Gate — risk classification and pending approval registry for Bash commands
 import { randomUUID } from 'crypto';
 import { EventEmitter } from 'events';
-function tokenizeShellCommand(command) {
+export function tokenizeShellCommand(command) {
     const tokens = [];
     let current = '';
     let quote = null;
@@ -71,7 +71,7 @@ function tokenizeShellCommand(command) {
 function isCommandSeparator(token) {
     return token === '&&' || token === '||' || token === '|' || token === ';';
 }
-function getCommandSegments(command) {
+export function getCommandSegments(command) {
     const tokens = tokenizeShellCommand(command);
     const segments = [];
     let start = 0;
@@ -135,14 +135,14 @@ function isGitForcePushSegment(segment) {
     }
     return false;
 }
-function getSegmentCommandIndex(segment) {
+export function getSegmentCommandIndex(segment) {
     let idx = 0;
     while (idx < segment.length && segment[idx].includes('=') && !segment[idx].startsWith('-')) {
         idx++;
     }
     return idx;
 }
-function getExecutableName(token) {
+export function getExecutableName(token) {
     const normalized = token.toLowerCase();
     const slash = normalized.lastIndexOf('/');
     return slash >= 0 ? normalized.slice(slash + 1) : normalized;

package/dist/gateway.js

@@ -3,6 +3,7 @@ import Fastify from 'fastify';
 import { existsSync } from 'fs';
 import { fileURLToPath } from 'url';
 import { join } from 'path';
+import { timingSafeEqual } from 'crypto';
 import { runAgentTurn } from './agent.js';
 import { getCronJobs, runCronJob } from './cron.js';
 import { registerDashboardAPI } from './api.js';
@@ -32,6 +33,15 @@ export async function createGateway(cfg) {
             level: 'info',
         },
     });
+    // Block cross-origin requests — deny all CORS preflight and tag responses
+    fastify.addHook('onRequest', async (request, reply) => {
+        if (request.method === 'OPTIONS') {
+            return reply.code(403).send({ error: 'CORS not allowed' });
+        }
+    });
+    fastify.addHook('onSend', async (_request, reply) => {
+        reply.header('Access-Control-Allow-Origin', 'null'); // deny all origins
+    });
     // Health check
     fastify.get('/health', async () => {
         return { status: 'ok', uptime: Date.now() - startTime.getTime() };
@@ -96,10 +106,31 @@ export async function createGateway(cfg) {
     fastify.post('/reload', async () => {
         return { status: 'ok', note: 'Restart required for config changes' };
     });
-    // Ensure dashboard token exists and print it
+    // Ensure dashboard token exists
     const dashboardToken = ensureDashboardToken(config);
-    console.log(`[dashboard] Access token: ${dashboardToken}`);
     console.log(`[dashboard] URL: http://localhost:${config.gateway.port}/dashboard`);
+    // Auth guard for gateway write endpoints (same token as dashboard)
+    const PROTECTED_ROUTES = new Set(['/message', '/model', '/reload']);
+    fastify.addHook('onRequest', async (request, reply) => {
+        const url = request.url;
+        // Protect write endpoints + cron trigger
+        if (!PROTECTED_ROUTES.has(url) && !url.startsWith('/cron/'))
+            return;
+        if (request.method === 'GET')
+            return; // GET /health, GET /status are fine
+        if (!dashboardToken)
+            return; // No token configured, allow access
+        const authHeader = request.headers.authorization;
+        if (!authHeader || !authHeader.startsWith('Bearer ')) {
+            return reply.code(401).send({ error: 'Unauthorized: Bearer token required' });
+        }
+        const provided = authHeader.slice(7);
+        const tokenBuf = Buffer.from(dashboardToken, 'utf8');
+        const providedBuf = Buffer.from(provided, 'utf8');
+        if (tokenBuf.length !== providedBuf.length || !timingSafeEqual(tokenBuf, providedBuf)) {
+            return reply.code(401).send({ error: 'Unauthorized: Invalid token' });
+        }
+    });
     // Register dashboard API routes (includes auth hook)
     registerDashboardAPI(fastify, config);
     // Register dashboard frontend (framework app)

package/dist/heartbeat.js

@@ -6,6 +6,7 @@
 import { join } from 'path';
 import { homedir } from 'os';
 import { runAgentTurn } from './agent.js';
+import { pruneIdle, SANDBOX_DEFAULTS } from './sandbox/index.js';
 import { getActiveChannelId, isActiveChannelSilenced, sendActiveChannelProactiveMessage, } from './channels.js';
 let heartbeatTimer = null;
 let running = false;
@@ -78,6 +79,8 @@ export function stopHeartbeat() {
     }
 }
 export async function runHeartbeatCheck(config) {
+    // Prune idle sandbox containers
+    pruneIdle(config.sandbox?.idleTimeoutMs ?? SANDBOX_DEFAULTS.idleTimeoutMs ?? 3_600_000).catch(() => { });
     if (running) {
         console.log('[heartbeat] Skipping — previous check still running');
         return 'Skipped — previous check still running';

package/dist/providers/anthropic.js

@@ -122,7 +122,7 @@ export async function chatWithToolsAnthropic(params) {
     const modelId = stripProvider(options.model);
     const maxIterations = toolConfig.maxIterations || 20;
     // Resolve tools once at start of agent loop
-    const includeSpawn = !!(toolContext?.chatId && toolContext?.fullConfig);
+    const includeSpawn = !!(toolContext?.fullConfig && (toolContext?.chatId || toolContext?.isCronJob));
     const toolDefs = await getToolDefinitions(toolConfig, { includeSpawnSubagent: includeSpawn, projects: toolContext?.fullConfig?.projects });
     // Enable prompt caching for system + tools
     const cacheEnabled = config.models?.promptCaching !== false;

package/dist/providers/codex.js

@@ -286,7 +286,7 @@ export async function chatWithToolsCodex(params) {
     }
     // Get tool definitions
     const { getToolDefinitions } = await import('../tools.js');
-    const includeSpawn = !!(toolContext?.chatId && toolContext?.fullConfig);
+    const includeSpawn = !!(toolContext?.fullConfig && (toolContext?.chatId || toolContext?.isCronJob));
     const toolDefs = await getToolDefinitions(toolConfig, {
         includeSpawnSubagent: includeSpawn,
         includeMcp: false,