voratiq 0.1.0-beta.2 → 0.1.0-beta.21

package/dist/agents/runtime/shim/run-agent-shim.js

@@ -0,0 +1,276 @@
+import { spawn } from "node:child_process";
+import { mkdir, readFile, writeFile } from "node:fs/promises";
+import { dirname, isAbsolute, join, resolve as resolvePath } from "node:path";
+import { fileURLToPath } from "node:url";
+import { composeRestrictedEnvironment } from "../../../utils/env.js";
+import { GIT_AUTHOR_EMAIL, GIT_AUTHOR_NAME, GIT_COMMITTER_EMAIL, GIT_COMMITTER_NAME, } from "../../../utils/git.js";
+import { injectPromptArg } from "./argv.js";
+class ShimError extends Error {
+    exitCode;
+    constructor(message, exitCode = 1) {
+        super(message);
+        this.name = "ShimError";
+        this.exitCode = exitCode;
+    }
+}
+export async function main(argv = process.argv.slice(2)) {
+    try {
+        const { configPath } = parseArguments(argv);
+        const resolvedConfigPath = resolvePath(process.cwd(), configPath);
+        const manifest = await loadManifest(resolvedConfigPath);
+        const agentRoot = resolveAgentRoot(resolvedConfigPath);
+        const prompt = await loadPrompt(agentRoot, manifest.promptPath, resolvedConfigPath);
+        let agentArgv;
+        try {
+            agentArgv = injectPromptArg(manifest.argv, prompt);
+        }
+        catch (error) {
+            throw new ShimError(`Failed to inject prompt into argv: ${error instanceof Error ? error.message : String(error)}`);
+        }
+        const exitCode = await launchAgent({
+            manifest,
+            agentRoot,
+            argv: agentArgv,
+        });
+        return exitCode;
+    }
+    catch (error) {
+        if (error instanceof ShimError) {
+            logError(error.message);
+            return error.exitCode;
+        }
+        const message = error instanceof Error ? error.message : String(error);
+        logError(`Unexpected error: ${message}`);
+        return 1;
+    }
+}
+function parseArguments(args) {
+    let configPath;
+    for (let index = 0; index < args.length; index += 1) {
+        const token = args[index];
+        if (token === "--config") {
+            const next = args[index + 1];
+            if (!next) {
+                throw new ShimError("Missing value for --config option");
+            }
+            configPath = next;
+            index += 1;
+            continue;
+        }
+        throw new ShimError(`Unknown argument: ${token}`);
+    }
+    if (!configPath) {
+        throw new ShimError("Missing required --config <path> argument");
+    }
+    return { configPath };
+}
+async function loadManifest(configPath) {
+    let raw;
+    try {
+        raw = await readFile(configPath, "utf8");
+    }
+    catch (error) {
+        const detail = error instanceof Error ? error.message : String(error);
+        throw new ShimError(`Failed to read manifest at "${configPath}": ${detail}`);
+    }
+    let parsed;
+    try {
+        parsed = JSON.parse(raw);
+    }
+    catch (error) {
+        const detail = error instanceof Error ? error.message : String(error);
+        throw new ShimError(`Manifest JSON at "${configPath}" is invalid: ${detail}`);
+    }
+    return validateManifest(parsed, configPath);
+}
+function validateManifest(data, configPath) {
+    if (typeof data !== "object" || data === null) {
+        throw new ShimError(`Manifest at "${configPath}" must be a JSON object`);
+    }
+    const record = data;
+    const { binary, argv, promptPath, workspace, env } = record;
+    if (typeof binary !== "string" || binary.trim() === "") {
+        throw new ShimError(`Manifest at "${configPath}" is missing required string field "binary"`);
+    }
+    const manifestArgv = ensureStringArray({
+        value: argv,
+        field: "argv",
+        configPath,
+    });
+    if (typeof promptPath !== "string" || promptPath.trim() === "") {
+        throw new ShimError(`Manifest at "${configPath}" is missing required string field "promptPath"`);
+    }
+    if (typeof workspace !== "string" || workspace.trim() === "") {
+        throw new ShimError(`Manifest at "${configPath}" is missing required string field "workspace"`);
+    }
+    const manifestEnv = ensureEnvRecord({
+        value: env,
+        configPath,
+    });
+    return {
+        binary,
+        argv: manifestArgv,
+        promptPath,
+        workspace,
+        env: manifestEnv,
+    };
+}
+function ensureStringArray(options) {
+    const { value, field, configPath } = options;
+    if (!Array.isArray(value)) {
+        throw new ShimError(`Manifest at "${configPath}" must provide "${field}" as an array of strings`);
+    }
+    const result = [];
+    for (const token of value) {
+        if (typeof token !== "string") {
+            throw new ShimError(`Manifest at "${configPath}" must provide "${field}" as an array of strings`);
+        }
+        result.push(token);
+    }
+    return result;
+}
+function ensureEnvRecord(options) {
+    const { value, configPath } = options;
+    if (value === undefined) {
+        return {};
+    }
+    if (typeof value !== "object" || value === null || Array.isArray(value)) {
+        throw new ShimError(`Manifest at "${configPath}" must provide "env" as an object of string values`);
+    }
+    const result = {};
+    for (const [key, entry] of Object.entries(value)) {
+        if (typeof entry !== "string") {
+            throw new ShimError(`Manifest at "${configPath}" must provide "env" as an object of string values`);
+        }
+        result[key] = entry;
+    }
+    return result;
+}
+function resolveAgentRoot(configPath) {
+    return dirname(configPath);
+}
+async function loadPrompt(agentRoot, manifestPromptPath, configPath) {
+    const promptAbsolute = isAbsolute(manifestPromptPath)
+        ? manifestPromptPath
+        : resolvePath(agentRoot, manifestPromptPath);
+    try {
+        return await readFile(promptAbsolute, "utf8");
+    }
+    catch (error) {
+        const detail = error instanceof Error ? error.message : String(error);
+        throw new ShimError(`Failed to read prompt from "${promptAbsolute}" (manifest: "${configPath}", agentRoot: "${agentRoot}", promptPath: "${manifestPromptPath}"): ${detail}`);
+    }
+}
+async function launchAgent(options) {
+    const { manifest, agentRoot, argv } = options;
+    const binaryPath = isAbsolute(manifest.binary)
+        ? manifest.binary
+        : resolvePath(agentRoot, manifest.binary);
+    const workspacePath = isAbsolute(manifest.workspace)
+        ? manifest.workspace
+        : resolvePath(agentRoot, manifest.workspace);
+    await writeShellProfiles(manifest.env);
+    const launchEnv = composeRestrictedEnvironment(manifest.env);
+    // Agent commits generated outside the sandbox reuse this persona via
+    // resolveSandboxPersona in src/commands/run/agents/lifecycle.ts.
+    const personaEnv = {
+        GIT_AUTHOR_NAME,
+        GIT_AUTHOR_EMAIL,
+        GIT_COMMITTER_NAME,
+        GIT_COMMITTER_EMAIL,
+        GIT_TERMINAL_PROMPT: "0",
+    };
+    for (const [key, value] of Object.entries(personaEnv)) {
+        if (launchEnv[key] === undefined) {
+            launchEnv[key] = value;
+        }
+    }
+    return await new Promise((resolve) => {
+        let resolved = false;
+        const child = spawn(binaryPath, argv, {
+            cwd: workspacePath,
+            env: launchEnv,
+            stdio: "inherit",
+        });
+        child.once("error", (error) => {
+            if (resolved) {
+                return;
+            }
+            resolved = true;
+            const detail = error instanceof Error ? error.message : String(error);
+            logError(`Failed to launch agent binary at "${binaryPath}": ${detail}`);
+            resolve(1);
+        });
+        child.once("exit", (code, signal) => {
+            if (resolved) {
+                return;
+            }
+            resolved = true;
+            if (signal) {
+                logError(`Agent terminated by signal ${signal}`);
+                resolve(1);
+                return;
+            }
+            resolve(code ?? 0);
+        });
+    });
+}
+async function writeShellProfiles(env) {
+    const homeDir = env.HOME;
+    if (!homeDir) {
+        return;
+    }
+    const bashrcPath = join(homeDir, ".bashrc");
+    const bashProfilePath = join(homeDir, ".bash_profile");
+    const exports = formatEnvExports(env);
+    const bashrcContents = `# Generated by Voratiq to preserve manifest env\n${exports}\n`;
+    const bashProfileContents = "# Generated by Voratiq to preserve manifest env\n" +
+        'if [ -f "$HOME/.bashrc" ]; then\n' +
+        '  . "$HOME/.bashrc"\n' +
+        "fi\n";
+    try {
+        await mkdir(homeDir, { recursive: true });
+        await writeFile(bashrcPath, bashrcContents, { encoding: "utf8" });
+        await writeFile(bashProfilePath, bashProfileContents, {
+            encoding: "utf8",
+        });
+    }
+    catch {
+        // Best-effort: shell profiles should not block agent startup.
+    }
+}
+function formatEnvExports(env) {
+    const lines = [];
+    const keys = Object.keys(env).sort((a, b) => a.localeCompare(b));
+    for (const key of keys) {
+        const value = env[key];
+        if (value === undefined) {
+            continue;
+        }
+        lines.push(`export ${key}=${shellEscape(value)}`);
+    }
+    return lines.join("\n");
+}
+function shellEscape(value) {
+    if (value.length === 0) {
+        return "''";
+    }
+    const singleQuoteEscape = "'\"'\"'";
+    return `'${value.replace(/'/g, singleQuoteEscape)}'`;
+}
+function logError(message) {
+    console.error(`[voratiq] ${message}`);
+}
+const modulePath = fileURLToPath(import.meta.url);
+const invokedScript = process.argv[1]
+    ? resolvePath(process.argv[1])
+    : undefined;
+if (invokedScript && modulePath === invokedScript) {
+    void main().then((exitCode) => {
+        process.exit(exitCode);
+    }, (error) => {
+        const detail = error instanceof Error ? error.message : String(error);
+        logError(`Unexpected error: ${detail}`);
+        process.exit(1);
+    });
+}

package/dist/agents/runtime/types.d.ts

@@ -0,0 +1,91 @@
+import type { SandboxRuntimeConfig } from "@voratiq/sandbox-runtime";
+import type { AgentDefinition } from "../../configs/agents/types.js";
+import type { EnvironmentConfig } from "../../configs/environment/types.js";
+import type { DenialBackoffConfig } from "../../configs/sandbox/types.js";
+import type { WatchdogMetadata } from "../../domain/run/model/types.js";
+import type { SandboxStageId } from "./policy.js";
+import type { SandboxFailFastInfo } from "./sandbox.js";
+import type { WatchdogTrigger } from "./watchdog.js";
+export interface SandboxPolicyOverrides {
+    readonly allowWrite?: readonly string[];
+    readonly denyWrite?: readonly string[];
+    readonly denyRead?: readonly string[];
+}
+export interface AgentRuntimePaths {
+    /** Base directory for the agent session (contains `runtime/` + `artifacts/`). */
+    readonly agentRoot: string;
+    /** Agent working directory (for example, a worktree or scratch workspace). */
+    readonly workspacePath: string;
+    /** Writable sandbox home directory for auth staging and HOME isolation. */
+    readonly sandboxHomePath: string;
+    /** Where to write runtime manifest (`runtime/manifest.json`). */
+    readonly runtimeManifestPath: string;
+    /** Where to write sandbox settings (`runtime/sandbox.json`). */
+    readonly sandboxSettingsPath: string;
+    /** Path to the runtime directory (`.../runtime`). Used for temp prompt. */
+    readonly runtimePath: string;
+    /** Path to the artifacts directory (`.../artifacts`). Used for read/write protection and stdout/stderr. */
+    readonly artifactsPath: string;
+    /** Process stdout capture. */
+    readonly stdoutPath: string;
+    /** Process stderr capture. */
+    readonly stderrPath: string;
+}
+export type SandboxSettings = SandboxRuntimeConfig;
+export interface AgentRuntimeHarnessInput {
+    readonly root: string;
+    /** Optional caller-provided identifier for global teardown support. */
+    readonly sessionId?: string;
+    readonly agent: AgentDefinition;
+    readonly prompt: string;
+    readonly environment: EnvironmentConfig;
+    readonly paths: AgentRuntimePaths;
+    /** Stage intent used to compose shared baseline sandbox policy rules. */
+    readonly sandboxStageId?: SandboxStageId;
+    /**
+     * Override for sandbox provider used to load sandbox configuration. Defaults to `agent.provider`.
+     */
+    readonly sandboxProviderId?: string;
+    /**
+     * Filesystem policy overrides applied on top of the provider defaults.
+     * Reads are allowed by default; writes are restricted via allow/deny lists.
+     */
+    readonly sandboxPolicyOverrides?: SandboxPolicyOverrides;
+    /**
+     * Extra paths that must be write-protected from the sandboxed process (e.g., run-specific verification dirs).
+     */
+    readonly extraWriteProtectedPaths?: readonly string[];
+    /**
+     * Extra paths that must be read-protected from the sandboxed process (optional).
+     */
+    readonly extraReadProtectedPaths?: readonly string[];
+    /** Denial backoff config used by watchdog; falls back to provider config or defaults. */
+    readonly denialBackoff?: DenialBackoffConfig;
+    /** Disable chat capture entirely. */
+    readonly captureChat?: boolean;
+    /**
+     * When false, defer auth teardown to session-level cleanup.
+     * Defaults to true.
+     */
+    readonly teardownAuthOnExit?: boolean;
+    /** Optional hook for immediate watchdog UI updates. */
+    readonly onWatchdogTrigger?: (trigger: WatchdogTrigger, reason: string, failFast?: SandboxFailFastInfo) => void;
+}
+export interface AgentRuntimeChatResult {
+    readonly captured: boolean;
+    readonly format?: "json" | "jsonl";
+    readonly artifactPath?: string;
+    readonly sourceCount?: number;
+    readonly error?: unknown;
+}
+export interface AgentRuntimeHarnessResult {
+    readonly exitCode: number;
+    readonly errorMessage?: string;
+    readonly signal?: NodeJS.Signals | null;
+    readonly watchdog?: WatchdogMetadata;
+    readonly failFast?: SandboxFailFastInfo;
+    readonly sandboxSettings: SandboxSettings;
+    readonly chat?: AgentRuntimeChatResult;
+    /** The environment used by the sandboxed agent (includes PATH adjustments and staged auth vars). */
+    readonly manifestEnv: Record<string, string>;
+}

package/dist/{commands/run/agents → agents/runtime}/watchdog.d.ts

@@ -1,7 +1,7 @@
 import type { ChildProcess } from "node:child_process";
 import type { Writable } from "node:stream";
-import type { DenialBackoffConfig } from "../../../configs/sandbox/types.js";
-import { type SandboxFailFastInfo } from "../sandbox.js";
+import type { DenialBackoffConfig } from "../../configs/sandbox/types.js";
+import { type SandboxFailFastInfo } from "./sandbox.js";
 /**
  * Watchdog types and constants for enforcing per-agent process timeouts.
  *
@@ -9,6 +9,7 @@ import { type SandboxFailFastInfo } from "../sandbox.js";
  * voratiq run pipeline by enforcing silence, wall-clock, and fatal pattern limits.
  */
 export type WatchdogTrigger = "silence" | "wall-clock" | "fatal-pattern" | "sandbox-denial";
+export type WatchdogOutputSource = "stdout" | "stderr";
 export declare const WATCHDOG_DEFAULTS: {
     readonly silenceTimeoutMs: number;
     readonly wallClockCapMs: number;
@@ -31,7 +32,7 @@ export interface WatchdogOptions {
 }
 export declare function createWatchdog(child: ChildProcess, stderrStream: Writable, options: WatchdogOptions): WatchdogController;
 export interface WatchdogController {
-    handleOutput: (chunk: Buffer | string) => void;
+    handleOutput: (chunk: Buffer | string, source?: WatchdogOutputSource) => void;
     cleanup: () => void;
     getState: () => {
         triggered: WatchdogTrigger | null;

package/dist/{commands/run/agents → agents/runtime}/watchdog.js

@@ -1,4 +1,4 @@
-import { DenialBackoffTracker, parseSandboxDenialLine, resolveDenialBackoffConfig, } from "../sandbox.js";
+import { DenialBackoffTracker, parseSandboxDenialLine, resolveDenialBackoffConfig, } from "./sandbox.js";
 export const WATCHDOG_DEFAULTS = {
     silenceTimeoutMs: 15 * 60 * 1000,
     wallClockCapMs: 120 * 60 * 1000,
@@ -7,10 +7,92 @@ export const WATCHDOG_DEFAULTS = {
     /** Hard abort timeout after SIGKILL (ensures process promise resolves). */
     hardAbortMs: 10 * 1000,
 };
-export const FATAL_PATTERNS = new Map([
-    ["gemini", [/You have exhausted your capacity on this model\./i]],
-    ["codex", [/Connection failed: error sending request for url\./i]],
+const FATAL_PATTERN_RULES = new Map([
+    [
+        "gemini",
+        [
+            { pattern: /PERMISSION_DENIED/i },
+            { pattern: /RESOURCE_EXHAUSTED/i },
+            { pattern: /MODEL_CAPACITY_EXHAUSTED/i },
+            { pattern: /No capacity available for model/i },
+        ],
+    ],
+    [
+        "codex",
+        [
+            { pattern: /invalid_request_error/i, requiresProviderErrorContext: true },
+            { pattern: /unsupported_value/i, requiresProviderErrorContext: true },
+            {
+                pattern: /^\s*thread\s+.+\s+panicked at\b/i,
+                allowedSources: ["stderr"],
+            },
+        ],
+    ],
+    [
+        "claude",
+        [
+            { pattern: /OAuth token revoked/i },
+            { pattern: /OAuth token has expired/i },
+            { pattern: /Please run \/login/i },
+            { pattern: /invalid.*api.*key/i },
+            { pattern: /insufficient_quota/i },
+        ],
+    ],
 ]);
+export const FATAL_PATTERNS = new Map(Array.from(FATAL_PATTERN_RULES, ([providerId, rules]) => [
+    providerId,
+    rules.map((rule) => rule.pattern),
+]));
+function hasCodexErrorContext(line) {
+    const trimmed = line.trim();
+    if (!trimmed) {
+        return false;
+    }
+    if (/^\s*(?:openai|codex)(?:\s+api)?\s+error\b/i.test(trimmed) ||
+        /^\s*api\s+error\b/i.test(trimmed)) {
+        return true;
+    }
+    if (/^\s*\{.*"error"\s*:/i.test(trimmed) ||
+        /^\s*"error"\s*:/i.test(trimmed)) {
+        return true;
+    }
+    if (/^\s*\{.*"type"\s*:\s*"invalid_request_error"/i.test(trimmed) ||
+        /^\s*"type"\s*:\s*"invalid_request_error"/i.test(trimmed)) {
+        return true;
+    }
+    if (/^\s*\{.*"code"\s*:\s*"unsupported_value"/i.test(trimmed) ||
+        /^\s*"code"\s*:\s*"unsupported_value"/i.test(trimmed)) {
+        return true;
+    }
+    return false;
+}
+function hasProviderErrorContext(providerId, line) {
+    if (providerId === "codex") {
+        return hasCodexErrorContext(line);
+    }
+    return true;
+}
+function findFatalPatternMatch(providerId, line, source, rules) {
+    const trimmedLine = line.trim();
+    if (!trimmedLine) {
+        return undefined;
+    }
+    for (const rule of rules) {
+        if (rule.allowedSources &&
+            !rule.allowedSources.some((allowedSource) => allowedSource === source)) {
+            continue;
+        }
+        if (!rule.pattern.test(trimmedLine)) {
+            continue;
+        }
+        if (rule.requiresProviderErrorContext &&
+            !hasProviderErrorContext(providerId, trimmedLine)) {
+            continue;
+        }
+        return rule.pattern;
+    }
+    return undefined;
+}
 export function createWatchdog(child, stderrStream, options) {
     const { silenceTimeoutMs, wallClockCapMs, killGraceMs, hardAbortMs } = WATCHDOG_DEFAULTS;
     const denialBackoff = resolveDenialBackoffConfig(options.denialBackoff);
@@ -20,15 +102,26 @@ export function createWatchdog(child, stderrStream, options) {
         killGraceTimer: null,
         hardAbortTimer: null,
         fatalPatternFirstSeen: null,
+        fatalLineBufferBySource: {
+            stdout: "",
+            stderr: "",
+        },
+        fatalCurrentLineMatchedBySource: {
+            stdout: false,
+            stderr: false,
+        },
         triggered: null,
         triggeredReason: null,
         sandboxFailFast: null,
         denialBackoff: new DenialBackoffTracker(denialBackoff),
-        lineBuffer: "",
+        sandboxLineBufferBySource: {
+            stdout: "",
+            stderr: "",
+        },
         delayInProgress: false,
         abortController: new AbortController(),
     };
-    const fatalPatterns = FATAL_PATTERNS.get(options.providerId) ?? [];
+    const fatalPatternRules = FATAL_PATTERN_RULES.get(options.providerId) ?? [];
     const resetSilenceTimer = () => {
         if (state.silenceTimer) {
             clearTimeout(state.silenceTimer);
@@ -77,38 +170,74 @@ export function createWatchdog(child, stderrStream, options) {
         }
         terminateProcess(child, state, { killGraceMs, hardAbortMs });
     };
-    const checkFatalPattern = (text) => {
-        if (state.triggered || fatalPatterns.length === 0) {
+    const registerFatalPatternMatch = () => {
+        const now = Date.now();
+        if (state.fatalPatternFirstSeen === null) {
+            state.fatalPatternFirstSeen = now;
             return;
         }
-        for (const pattern of fatalPatterns) {
-            if (pattern.test(text)) {
-                const now = Date.now();
-                if (state.fatalPatternFirstSeen === null) {
-                    state.fatalPatternFirstSeen = now;
-                    return;
-                }
-                const elapsed = now - state.fatalPatternFirstSeen;
-                if (elapsed <= WATCHDOG_DEFAULTS.fatalRetryWindowMs) {
-                    triggerWatchdog("fatal-pattern", `Fatal error pattern detected: ${pattern.source}`);
-                }
+        const elapsed = now - state.fatalPatternFirstSeen;
+        if (elapsed <= WATCHDOG_DEFAULTS.fatalRetryWindowMs) {
+            triggerWatchdog("fatal-pattern", "Fatal provider error detected repeatedly. Inspect `stderr.log` for details.");
+        }
+    };
+    const checkFatalPatternLine = (line, source) => {
+        if (state.triggered || fatalPatternRules.length === 0) {
+            return false;
+        }
+        const pattern = findFatalPatternMatch(options.providerId, line, source, fatalPatternRules);
+        if (!pattern) {
+            return false;
+        }
+        registerFatalPatternMatch();
+        return true;
+    };
+    const checkFatalPattern = (text, source) => {
+        if (state.triggered || fatalPatternRules.length === 0) {
+            return;
+        }
+        state.fatalLineBufferBySource[source] += text;
+        const lines = state.fatalLineBufferBySource[source].split(/\r?\n/);
+        state.fatalLineBufferBySource[source] = lines.pop() ?? "";
+        const hadMatchedTrailingPartial = state.fatalCurrentLineMatchedBySource[source];
+        for (const [index, line] of lines.entries()) {
+            if (state.triggered) {
                 return;
             }
+            // If the trailing partial line was already matched in a prior chunk,
+            // skip exactly its completed replay on this chunk boundary.
+            if (hadMatchedTrailingPartial && index === 0) {
+                continue;
+            }
+            checkFatalPatternLine(line, source);
+        }
+        if (lines.length > 0) {
+            state.fatalCurrentLineMatchedBySource[source] = false;
+        }
+        if (state.triggered) {
+            return;
+        }
+        if (!state.fatalLineBufferBySource[source]) {
+            state.fatalCurrentLineMatchedBySource[source] = false;
+            return;
+        }
+        if (!state.fatalCurrentLineMatchedBySource[source]) {
+            state.fatalCurrentLineMatchedBySource[source] = checkFatalPatternLine(state.fatalLineBufferBySource[source], source);
         }
     };
-    const handleOutput = (chunk) => {
+    const handleOutput = (chunk, source = "stderr") => {
         resetSilenceTimer();
         const text = typeof chunk === "string" ? chunk : chunk.toString("utf8");
-        checkFatalPattern(text);
-        handleSandboxDenialText(text);
+        checkFatalPattern(text, source);
+        handleSandboxDenialText(text, source);
     };
-    const handleSandboxDenialText = (text) => {
+    const handleSandboxDenialText = (text, source) => {
         if (state.triggered) {
             return;
         }
-        state.lineBuffer += text;
-        const lines = state.lineBuffer.split("\n");
-        state.lineBuffer = lines.pop() ?? "";
+        state.sandboxLineBufferBySource[source] += text;
+        const lines = state.sandboxLineBufferBySource[source].split("\n");
+        state.sandboxLineBufferBySource[source] = lines.pop() ?? "";
         for (const line of lines) {
             if (state.triggered) {
                 return;

package/dist/auth/providers/codex.js

@@ -29,6 +29,7 @@ export const codexAuthProvider = {
             codex: [".codex"],
             logs: ["Library", "Logs", "Codex"],
             support: ["Library", "Application Support", "Codex"],
+            tmp: ["tmp"],
         });
         await ensureDirectories(Object.values(sandboxPaths));
         const secretHandles = [];
@@ -42,7 +43,9 @@ export const codexAuthProvider = {
                 fileLabel: CODEX_AUTH_FILENAME,
             });
             secretHandles.push(handle);
-            await copyOptionalConfig(options, sandboxPaths.codex);
+            if (options.includeConfigToml !== false) {
+                await copyOptionalConfig(options, sandboxPaths.codex);
+            }
         }
         catch (error) {
             await disposeHandles(secretHandles);
@@ -51,7 +54,9 @@ export const codexAuthProvider = {
         registerSandboxSecrets(sandboxPaths.home, secretHandles);
         const envResult = composeSandboxEnvResult(sandboxPaths.home, {
             CODEX_HOME: sandboxPaths.codex,
-            RUST_BACKTRACE: "1",
+            TMPDIR: sandboxPaths.tmp,
+            TEMP: sandboxPaths.tmp,
+            TMP: sandboxPaths.tmp,
         });
         return envResult;
     },