fix(daemon): confine sandbox project roots and host discovery (#3243)

* fix(daemon): confine sandbox project and host discovery * fix(daemon): resolve sandbox data dir for toolchain discovery * fix(daemon): resolve sandbox data dir for agent env * fix(daemon): fail fast for sandbox imported folders * test(daemon): assert sandbox imported folder rejection * fix(daemon): keep sandbox import guard at run start * fix(daemon): reject sandbox imported project file roots * fix(daemon): preserve imported project detail roots * test(daemon): expect sandbox profiles to stay scoped * fix(daemon): bypass proxies for agent tool callbacks * test(daemon): isolate media policy route memory extraction * fix(daemon): keep loopback no-proxy scoped to sandbox
2026-06-01 03:14:35 +07:00 · 2026-05-30 18:57:04 +02:00 · 2026-05-30 18:57:04 +02:00 · f4c5d22f22
commit f4c5d22f22
parent 9a3424d68c
17 changed files with 474 additions and 33 deletions
--- a/apps/daemon/src/import-export-routes.ts
+++ b/apps/daemon/src/import-export-routes.ts
@ -6,6 +6,7 @@ import {
  inlineRelativeAssets,
  type InlineAssetReader,
 } from './inline-assets.js';
 import { isSandboxModeEnabled } from './sandbox-mode.js';
 export interface RegisterImportRoutesDeps extends RouteDeps<'db' | 'http' | 'uploads' | 'node' | 'ids' | 'paths' | 'imports' | 'auth' | 'projectStore' | 'conversations' | 'projectFiles' | 'validation'> {}
@ -28,6 +29,11 @@ export function registerImportRoutes(app: Express, ctx: RegisterImportRoutesDeps
  const { insertConversation } = ctx.conversations;
  const { setTabs } = ctx.projectFiles;
  const { validateProjectDesignSystemId } = ctx.validation;
  const rejectSandboxFolderImport = () =>
    isSandboxModeEnabled(process.env)
      ? 'folder imports are disabled when OD_SANDBOX_MODE is enabled'
      : null;
  app.post(
    '/api/import/claude-design',
    importUpload.single('file'),
@ -107,6 +113,10 @@ export function registerImportRoutes(app: Express, ctx: RegisterImportRoutesDeps
      if (typeof baseDir !== 'string' || !baseDir.trim()) {
        return sendApiError(res, 400, 'BAD_REQUEST', 'baseDir required');
      }
      const sandboxReason = rejectSandboxFolderImport();
      if (sandboxReason) {
        return sendApiError(res, 400, 'BAD_REQUEST', sandboxReason);
      }
      let trustedPickerImport = false;
      if (isDesktopAuthGateActive()) {
        const secret = desktopAuthSecret();
@ -204,6 +214,10 @@ export function registerImportRoutes(app: Express, ctx: RegisterImportRoutesDeps
      if (typeof baseDir !== 'string' || !baseDir.trim()) {
        return sendApiError(res, 400, 'BAD_REQUEST', 'baseDir required');
      }
      const sandboxReason = rejectSandboxFolderImport();
      if (sandboxReason) {
        return sendApiError(res, 400, 'BAD_REQUEST', sandboxReason);
      }
      let trustedPickerImport = false;
      if (isDesktopAuthGateActive()) {
        const secret = desktopAuthSecret();
--- a/apps/daemon/src/media-config.ts
+++ b/apps/daemon/src/media-config.ts
@ -41,6 +41,7 @@ import path from 'node:path';
 import { MEDIA_PROVIDERS } from './media-models.js';
 import { expandHomePrefix } from './home-expansion.js';
 import { resolveXAIBearer } from './xai-credentials.js';
 import { isSandboxModeEnabled } from './sandbox-mode.js';
 const PROVIDER_IDS = MEDIA_PROVIDERS.map((p) => p.id);
 type ProviderEntry = { apiKey?: string; baseUrl?: string; model?: string };
@ -291,6 +292,7 @@ function apiKeyFromCodexAuth(data: unknown): string {
 }
 async function resolveOpenAIAuthFileCredential(): Promise<OAuthCredential | null> {
  if (isSandboxModeEnabled(process.env)) return null;
  const home = os.homedir();
  const codexAuth = await readJsonIfPresent(
    path.join(home, '.codex', 'auth.json'),
@ -318,6 +320,8 @@ async function resolveXAIOAuthCredential(
    };
  }
  if (isSandboxModeEnabled(process.env)) return null;
  // 2. Borrow the xAI OAuth token Hermes wrote to ~/.hermes/auth.json
  //    when the user ran `hermes auth add xai-oauth`. A user who has already authorized
  //    Hermes doesn't have to run a second OAuth dance inside OD.
--- a/apps/daemon/src/project-root.ts
+++ b/apps/daemon/src/project-root.ts
@ -0,0 +1,23 @@
 import path from 'node:path';
 export function resolveProjectRoot(moduleDir: string): string {
  const base = path.basename(moduleDir);
  const daemonDir =
    base === 'dist' || base === 'src' ? path.dirname(moduleDir) : moduleDir;
  return path.resolve(daemonDir, '../..');
 }
 export function resolveProjectRootFromNestedModule(moduleDir: string): string {
  let current = path.resolve(moduleDir);
  while (true) {
    const base = path.basename(current);
    if (base === 'dist' || base === 'src') {
      return resolveProjectRoot(current);
    }
    const parent = path.dirname(current);
    if (parent === current) {
      return resolveProjectRoot(moduleDir);
    }
    current = parent;
  }
 }
--- a/apps/daemon/src/project-routes.ts
+++ b/apps/daemon/src/project-routes.ts
@ -1,4 +1,5 @@
 import type { Express } from 'express';
 import path from 'node:path';
 import {
  defaultScenarioPluginIdForProjectMetadata,
  type PluginManifest,
@ -21,6 +22,25 @@ import { auditDesignSystemPackage } from './tools-connectors-cli.js';
 export interface RegisterProjectRoutesDeps extends RouteDeps<'db' | 'design' | 'http' | 'paths' | 'projectStore' | 'projectFiles' | 'conversations' | 'templates' | 'status' | 'events' | 'ids' | 'telemetry' | 'validation'> {}
 function projectDetailResolvedDir(
  projectsRoot: string,
  project: any,
  resolveProjectDir: (
    projectsRoot: string,
    projectId: string,
    metadata?: unknown,
    opts?: { allowUnavailableSandboxImportedProject?: boolean },
  ) => string,
 ): string {
  const baseDir = typeof project?.metadata?.baseDir === 'string'
    ? path.normalize(project.metadata.baseDir)
    : null;
  if (baseDir && path.isAbsolute(baseDir)) return baseDir;
  return resolveProjectDir(projectsRoot, project.id, project.metadata, {
    allowUnavailableSandboxImportedProject: true,
  });
 }
 const URL_PREVIEW_SCROLL_BRIDGE = `<script data-od-url-scroll-bridge>
 (function(){
  if (window.__odUrlScrollBridge) return;
@ -419,7 +439,7 @@ export function registerProjectRoutes(app: Express, ctx: RegisterProjectRoutesDe
    const project = getProject(db, req.params.id);
    if (!project)
      return sendApiError(res, 404, 'PROJECT_NOT_FOUND', 'not found');
-    const resolvedDir = resolveProjectDir(PROJECTS_DIR, project.id, project.metadata);
+    const resolvedDir = projectDetailResolvedDir(PROJECTS_DIR, project, resolveProjectDir);
    /** @type {import('@open-design/contracts').ProjectResponse} */
    const body = { project, resolvedDir };
    res.json(body);
--- a/apps/daemon/src/projects.ts
+++ b/apps/daemon/src/projects.ts
@ -26,6 +26,7 @@ import {
  isPublicationGuardedArtifactKind,
 } from './artifact-publication-guard.js';
 import { isIgnoredProjectDirName } from './project-ignored-dirs.js';
 import { isSandboxModeEnabled } from './sandbox-mode.js';
 const FORBIDDEN_SEGMENT = /^$|^\.\.?$/;
 const RESERVED_PROJECT_FILE_SEGMENTS = new Set(['.live-artifacts']);
@ -40,13 +41,42 @@ export function projectDir(projectsRoot, projectId) {
  return path.join(projectsRoot, projectId);
 }
 export class SandboxImportedProjectError extends Error {
  code = 'SANDBOX_IMPORTED_PROJECT_UNAVAILABLE';
  constructor() {
    super(
      'Imported-folder projects are not available in OD_SANDBOX_MODE until their files are mirrored into the managed project directory.',
    );
    this.name = 'SandboxImportedProjectError';
  }
 }
 function hasExternalProjectRoot(metadata?) {
  if (typeof metadata?.baseDir !== 'string') return false;
  return path.isAbsolute(path.normalize(metadata.baseDir));
 }
 export function assertSandboxProjectRootAvailable(metadata?) {
  if (isSandboxModeEnabled(process.env) && hasExternalProjectRoot(metadata)) {
    throw new SandboxImportedProjectError();
  }
 }
 function usesExternalProjectRoot(metadata?) {
  if (isSandboxModeEnabled(process.env)) return false;
  return hasExternalProjectRoot(metadata);
 }
 // Returns the folder a project's files live in. For git-linked projects
 // (metadata.baseDir set), this is the user's own folder. Otherwise falls
 // back to the standard computed path under projectsRoot.
-export function resolveProjectDir(projectsRoot, projectId, metadata?) {
+export function resolveProjectDir(projectsRoot, projectId, metadata?, opts = {}) {
-  if (typeof metadata?.baseDir === 'string') {
+  if (!opts.allowUnavailableSandboxImportedProject) {
-    const p = path.normalize(metadata.baseDir);
+    assertSandboxProjectRootAvailable(metadata);
-    if (path.isAbsolute(p)) return p;
+  }
  if (usesExternalProjectRoot(metadata)) {
    return path.normalize(metadata.baseDir);
  }
  if (!isSafeId(projectId)) throw new Error('invalid project id');
  return path.join(projectsRoot, projectId);
@ -55,7 +85,7 @@ export function resolveProjectDir(projectsRoot, projectId, metadata?) {
 export async function ensureProject(projectsRoot, projectId, metadata?) {
  const dir = resolveProjectDir(projectsRoot, projectId, metadata);
  // Git-linked folders already exist; skip mkdir to avoid side-effects.
-  if (typeof metadata?.baseDir !== 'string') {
+  if (!usesExternalProjectRoot(metadata)) {
    await mkdir(dir, { recursive: true });
  }
  return dir;
@ -67,7 +97,7 @@ export async function listFiles(projectsRoot, projectId, opts = {}) {
  const out = [];
  // Skip build/install dirs for linked folders so node_modules doesn't stall
  // the walk on large repos.
-  const skipDirs = metadata?.baseDir ? isIgnoredProjectDirName : undefined;
+  const skipDirs = usesExternalProjectRoot(metadata) ? isIgnoredProjectDirName : undefined;
  await collectFiles(dir, '', out, skipDirs, dir);
  // Newest first — matches the visual order users expect after generating.
  out.sort((a, b) => b.mtime - a.mtime);
--- a/apps/daemon/src/runtimes/env.ts
+++ b/apps/daemon/src/runtimes/env.ts
@ -1,9 +1,12 @@
 import path from 'node:path';
 import { fileURLToPath } from 'node:url';
 import { mergeProxyAwareEnv, resolveSystemProxyEnv } from '@open-design/platform';
 import { resolveProjectRelativePath } from '../home-expansion.js';
 import { expandConfiguredEnv } from './paths.js';
 import { resolveAmrOpenCodeExecutable } from './executables.js';
 import { amrVelaProfileEnv } from '../integrations/vela-profile.js';
 import { resolveProjectRootFromNestedModule } from '../project-root.js';
 import {
  applySandboxRuntimeEnv,
  isSandboxModeEnabled,
@ -13,6 +16,10 @@ import {
 type RuntimeEnvMap = NodeJS.ProcessEnv | Record<string, string>;
 const RUNTIME_MODULE_PROJECT_ROOT = resolveProjectRootFromNestedModule(
  path.dirname(fileURLToPath(import.meta.url)),
 );
 // Build the env passed to spawn() for a given agent adapter.
 //
 // The claude adapter strips ANTHROPIC_API_KEY so Claude Code's own auth
@ -87,7 +94,11 @@ function sandboxRuntimeConfigForBaseEnv(
  if (!isSandboxModeEnabled(baseEnv)) return null;
  const dataDir = baseEnv.OD_DATA_DIR?.trim();
  if (!dataDir) return null;
-  return resolveSandboxRuntimeConfig(true, dataDir);
+  const resolvedDataDir = resolveProjectRelativePath(
    dataDir,
    RUNTIME_MODULE_PROJECT_ROOT,
  );
  return resolveSandboxRuntimeConfig(true, resolvedDataDir);
 }
 function reapplySandboxRuntimeEnv(
--- a/apps/daemon/src/runtimes/local-profiles.ts
+++ b/apps/daemon/src/runtimes/local-profiles.ts
@ -192,11 +192,11 @@ function createLocalAgentDef(
 export function readLocalAgentProfileDefs(
  baseDefs: RuntimeAgentDef[],
 ): RuntimeAgentDef[] {
  const profilesFile = localAgentProfilesFile();
  if (profilesFile == null) return [];
  let parsed: unknown;
  try {
-    const file = localAgentProfilesFile();
+    parsed = JSON.parse(readFileSync(profilesFile, 'utf8'));
    if (!file) return [];
    parsed = JSON.parse(readFileSync(file, 'utf8'));
  } catch {
    return [];
  }
--- a/apps/daemon/src/server.ts
+++ b/apps/daemon/src/server.ts
@ -25,7 +25,10 @@ import {
  shouldRenderCodexImagegenOverride,
 } from './prompts/system.js';
 import { expandHomePrefix, resolveProjectRelativePath } from './home-expansion.js';
 import { resolveProjectRoot } from './project-root.js';
 import { userFacingAgentLabel } from './user-facing-agent-label.js';
 export { resolveProjectRoot };
 import { createCommandInvocation } from '@open-design/platform';
 import { SIDECAR_DEFAULTS, SIDECAR_ENV } from '@open-design/sidecar-proto';
 import {
@ -258,6 +261,7 @@ import {
  type ObservabilityEventRequest,
 } from '@open-design/contracts/analytics';
 import {
  mergeNoProxyWithLoopbackDefaults,
  redactSecrets,
  testAgentConnection,
  testProviderConnection,
@ -341,6 +345,7 @@ import {
  buildBatchArchive,
  decodeMultipartFilename,
  deleteProjectFile,
  assertSandboxProjectRootAvailable,
  detectEntryFile,
  ensureProject,
  isSafeId,
@ -352,6 +357,7 @@ import {
  renameProjectFile,
  removeProjectDir,
  resolveProjectDir,
  SandboxImportedProjectError,
  sanitizeName,
  searchProjectFiles,
  resolveProjectDir,
@ -482,13 +488,6 @@ const __filename = fileURLToPath(import.meta.url);
 const __dirname = path.dirname(__filename);
 const require = createRequire(import.meta.url);
 const DAEMON_CLI_PATH_ENV = 'OD_DAEMON_CLI_PATH';
 export function resolveProjectRoot(moduleDir: string): string {
  const base = path.basename(moduleDir);
  const daemonDir =
    base === 'dist' || base === 'src' ? path.dirname(moduleDir) : moduleDir;
  return path.resolve(daemonDir, '../..');
 }
 function cleanOptionalPath(value: string | undefined): string | null {
  return typeof value === 'string' && value.trim().length > 0
    ? path.resolve(value)
@ -1653,6 +1652,13 @@ export function createAgentRuntimeEnv(
  if (typeof sidecarIpcPath === 'string' && sidecarIpcPath.length > 0) {
    env[SIDECAR_ENV.IPC_PATH] = sidecarIpcPath;
  }
  if (SANDBOX_RUNTIME.enabled) {
    const noProxy = mergeNoProxyWithLoopbackDefaults(env.NO_PROXY ?? env.no_proxy);
    if (noProxy) {
      env.NO_PROXY = noProxy;
      if (process.platform !== 'win32') env.no_proxy = noProxy;
    }
  }
  // Ensure the node binary directory is on PATH so agent sub-processes —
  // in particular npm .cmd shims on Windows that run `"node" script.js` —
@ -10777,14 +10783,13 @@ export async function startServer({
      try {
        const chatProject = getProject(db, projectId);
        const chatMeta = chatProject?.metadata;
-        if (chatMeta?.baseDir) {
+        assertSandboxProjectRootAvailable(chatMeta);
-          cwd = path.normalize(chatMeta.baseDir);
+        cwd = await ensureProject(PROJECTS_DIR, projectId, chatMeta);
-          existingProjectFiles = await listFiles(PROJECTS_DIR, projectId, { metadata: chatMeta });
+        existingProjectFiles = await listFiles(PROJECTS_DIR, projectId, { metadata: chatMeta });
-        } else {
+      } catch (err) {
-          cwd = await ensureProject(PROJECTS_DIR, projectId);
+        if (err instanceof SandboxImportedProjectError) {
-          existingProjectFiles = await listFiles(PROJECTS_DIR, projectId);
+          return design.runs.fail(run, 'BAD_REQUEST', err.message);
        }
      } catch {
        cwd = null;
      }
    }
--- a/apps/daemon/tests/agent-runtime-env.test.ts
+++ b/apps/daemon/tests/agent-runtime-env.test.ts
@ -87,6 +87,19 @@ describe('agent runtime tool environment', () => {
    expect(env.OD_DATA_DIR).toBe(process.env.OD_DATA_DIR);
  });
  it('keeps non-sandbox NO_PROXY behavior unchanged', () => {
    const env = createAgentRuntimeEnv(
      { PATH: '/bin', HTTP_PROXY: 'http://127.0.0.1:9', NO_PROXY: '' },
      'http://127.0.0.1:7456',
      { token: 'fresh-token' },
      '/opt/open-design/bin/node',
    );
    expect(env.HTTP_PROXY).toBe('http://127.0.0.1:9');
    expect(env.NO_PROXY).toBe('');
    expect(env.no_proxy).toBeUndefined();
  });
  it('passes the daemon sidecar IPC path from the explicit base env into agent wrapper sessions', () => {
    const env = createAgentRuntimeEnv(
      { PATH: '/bin', [SIDECAR_ENV.IPC_PATH]: '/tmp/open-design/ipc/daemon.sock' },
--- a/apps/daemon/tests/folder-import-projects.test.ts
+++ b/apps/daemon/tests/folder-import-projects.test.ts
@ -4,7 +4,24 @@ import { tmpdir } from 'node:os';
 import path from 'node:path';
 import { afterEach, beforeEach, describe, expect, it } from 'vitest';
-import { detectEntryFile, listFiles, resolveProjectDir } from '../src/projects.js';
+import {
  assertSandboxProjectRootAvailable,
  detectEntryFile,
  listFiles,
  resolveProjectDir,
  SandboxImportedProjectError,
 } from '../src/projects.js';
 function withSandboxMode<T>(run: () => T): T {
  const previous = process.env.OD_SANDBOX_MODE;
  process.env.OD_SANDBOX_MODE = '1';
  try {
    return run();
  } finally {
    if (previous == null) delete process.env.OD_SANDBOX_MODE;
    else process.env.OD_SANDBOX_MODE = previous;
  }
 }
 describe('resolveProjectDir', () => {
  const projectsRoot = '/var/od/projects';
@ -50,6 +67,22 @@ describe('resolveProjectDir', () => {
      }),
    ).not.toThrow();
  });
  it('rejects metadata.baseDir in sandbox mode before resolving a project file root', () => {
    withSandboxMode(() => {
      const baseDir = '/Users/me/projects/site';
      expect(
        () => resolveProjectDir(projectsRoot, projectId, { kind: 'prototype', baseDir }),
      ).toThrowError(SandboxImportedProjectError);
      expect(() =>
        assertSandboxProjectRootAvailable({ kind: 'prototype', baseDir }),
      ).toThrowError(SandboxImportedProjectError);
      expect(() => resolveProjectDir(projectsRoot, '../escape', {
        kind: 'prototype',
        baseDir,
      })).toThrowError();
    });
  });
 });
 describe('detectEntryFile', () => {
--- a/apps/daemon/tests/folder-import-route.test.ts
+++ b/apps/daemon/tests/folder-import-route.test.ts
@ -45,6 +45,37 @@ describe('POST /api/import/folder', () => {
    });
  }
  async function withSandboxMode<T>(run: () => Promise<T>): Promise<T> {
    const previous = process.env.OD_SANDBOX_MODE;
    process.env.OD_SANDBOX_MODE = '1';
    try {
      return await run();
    } finally {
      if (previous == null) delete process.env.OD_SANDBOX_MODE;
      else process.env.OD_SANDBOX_MODE = previous;
    }
  }
  async function waitForRunStatus(
    runId: string,
  ): Promise<{ status: string; error?: string | null; errorCode?: string | null }> {
    let lastStatus = 'unknown';
    for (let attempt = 0; attempt < 200; attempt += 1) {
      const statusResponse = await fetch(`${baseUrl}/api/runs/${runId}`);
      const statusBody = (await statusResponse.json()) as {
        status: string;
        error?: string | null;
        errorCode?: string | null;
      };
      lastStatus = statusBody.status;
      if (statusBody.status !== 'queued' && statusBody.status !== 'running') {
        return statusBody;
      }
      await new Promise((resolve) => setTimeout(resolve, 25));
    }
    throw new Error(`run did not reach a terminal status; last status: ${lastStatus}`);
  }
  it('creates a project rooted at the submitted folder', async () => {
    const folder = makeFolder();
    await writeFile(path.join(folder, 'index.html'), '<!doctype html>');
@ -62,6 +93,80 @@ describe('POST /api/import/folder', () => {
    expect(body.entryFile).toBe('index.html');
  });
  it('rejects folder imports in sandbox mode', async () => {
    await withSandboxMode(async () => {
      const folder = makeFolder();
      await writeFile(path.join(folder, 'index.html'), '<!doctype html>');
      const resp = await importFolder({ baseDir: folder });
      expect(resp.status).toBe(400);
      const body = (await resp.json()) as { error?: { message?: string } };
      expect(body.error?.message).toMatch(/OD_SANDBOX_MODE/i);
    });
  });
  it('fails sandbox runs for imported folders instead of using an empty managed project', async () => {
    const folder = makeFolder();
    await writeFile(path.join(folder, 'index.html'), '<!doctype html>');
    const importResp = await importFolder({ baseDir: folder });
    expect(importResp.status).toBe(200);
    const { project } = (await importResp.json()) as { project: { id: string } };
    await withSandboxMode(async () => {
      const runResp = await fetch(`${baseUrl}/api/runs`, {
        method: 'POST',
        headers: { 'Content-Type': 'application/json' },
        body: JSON.stringify({
          agentId: 'claude',
          projectId: project.id,
          message: 'Inspect the imported project.',
        }),
      });
      expect(runResp.status).toBe(202);
      const { runId } = (await runResp.json()) as { runId: string };
      const status = await waitForRunStatus(runId);
      expect(status.status).toBe('failed');
      expect(status.errorCode).toBe('BAD_REQUEST');
      expect(status.error).toMatch(/imported-folder projects.*OD_SANDBOX_MODE/i);
    });
  });
  it('still opens an imported-folder project record in sandbox mode', async () => {
    const folder = makeFolder();
    await writeFile(path.join(folder, 'index.html'), '<!doctype html>');
    const importResp = await importFolder({ baseDir: folder });
    expect(importResp.status).toBe(200);
    const { project } = (await importResp.json()) as { project: { id: string } };
    await withSandboxMode(async () => {
      const resp = await fetch(`${baseUrl}/api/projects/${project.id}`);
      expect(resp.status).toBe(200);
      const body = (await resp.json()) as {
        project?: { id?: string; metadata?: { baseDir?: string } };
      };
      expect(body.project?.id).toBe(project.id);
      expect(body.project?.metadata?.baseDir).toBeTruthy();
    });
  });
  it('rejects imported-folder project file listing in sandbox mode', async () => {
    const folder = makeFolder();
    await writeFile(path.join(folder, 'index.html'), '<!doctype html>');
    const importResp = await importFolder({ baseDir: folder });
    expect(importResp.status).toBe(200);
    const { project } = (await importResp.json()) as { project: { id: string } };
    await withSandboxMode(async () => {
      const resp = await fetch(`${baseUrl}/api/projects/${project.id}/files`);
      expect(resp.status).toBe(400);
      const body = (await resp.json()) as { error?: { message?: string } };
      expect(body.error?.message).toMatch(/imported-folder projects.*OD_SANDBOX_MODE/i);
    });
  });
  it('auto-detects the entry file when present', async () => {
    const folder = makeFolder();
    await writeFile(path.join(folder, 'index.html'), '');
--- a/apps/daemon/tests/media-config.test.ts
+++ b/apps/daemon/tests/media-config.test.ts
@ -30,6 +30,7 @@ describe('media-config OpenAI auth-file fallback', () => {
  );
  const originalMediaConfigDir = process.env.OD_MEDIA_CONFIG_DIR;
  const originalDataDir = process.env.OD_DATA_DIR;
  const originalSandboxMode = process.env.OD_SANDBOX_MODE;
  let homedirSpy: ReturnType<typeof vi.spyOn>;
  beforeEach(async () => {
@ -42,6 +43,7 @@ describe('media-config OpenAI auth-file fallback', () => {
    }
    delete process.env.OD_MEDIA_CONFIG_DIR;
    delete process.env.OD_DATA_DIR;
    delete process.env.OD_SANDBOX_MODE;
  });
  afterEach(async () => {
@ -67,6 +69,11 @@ describe('media-config OpenAI auth-file fallback', () => {
    } else {
      process.env.OD_DATA_DIR = originalDataDir;
    }
    if (originalSandboxMode == null) {
      delete process.env.OD_SANDBOX_MODE;
    } else {
      process.env.OD_SANDBOX_MODE = originalSandboxMode;
    }
    homedirSpy.mockRestore();
    await rm(homeDir, { recursive: true, force: true });
    await rm(projectRoot, { recursive: true, force: true });
@ -124,6 +131,30 @@ describe('media-config OpenAI auth-file fallback', () => {
    });
  });
  it('does not read host OpenAI auth files in sandbox mode', async () => {
    process.env.OD_SANDBOX_MODE = '1';
    await writeHomeJson('.hermes/auth.json', {
      providers: {
        'openai-codex': {
          tokens: { access_token: 'hermes-oauth-token' },
        },
      },
    });
    await writeHomeJson('.codex/auth.json', {
      tokens: { access_token: 'codex-oauth-token' },
      OPENAI_API_KEY: 'host-codex-api-key',
    });
    const resolved = await resolveProviderConfig(projectRoot, 'openai');
    const masked = await readMaskedConfig(projectRoot);
    expect(resolved.apiKey).toBe('');
    expect(openaiProvider(masked)).toMatchObject({
      configured: false,
      source: 'unset',
    });
  });
  it('uses explicit OPENAI_API_KEY from Codex auth files', async () => {
    await writeHomeJson('.codex/auth.json', {
      tokens: { access_token: 'codex-oauth-token' },
--- a/apps/daemon/tests/media-policy-routes.test.ts
+++ b/apps/daemon/tests/media-policy-routes.test.ts
@ -1,11 +1,12 @@
 import type http from 'node:http';
-import { chmod, mkdtemp, readFile, rm, writeFile } from 'node:fs/promises';
+import { chmod, mkdir, mkdtemp, readFile, rm, writeFile } from 'node:fs/promises';
 import { randomUUID } from 'node:crypto';
 import os from 'node:os';
 import path from 'node:path';
 import { afterEach, beforeEach, describe, expect, it } from 'vitest';
 import { startServer } from '../src/server.js';
 import { memoryDir, writeMemoryConfig } from '../src/memory.js';
 type FakeMediaEndpoint = 'tool' | 'legacy';
@ -19,6 +20,7 @@ describe('run-scoped media policy routes', () => {
  let binDir: string;
  let oldPath: string | undefined;
  let oldCapture: string | undefined;
  let oldMemoryConfigRaw: string | null = null;
  let server: http.Server | null = null;
  let shutdown: (() => Promise<void> | void) | undefined;
@ -28,6 +30,12 @@ describe('run-scoped media policy routes', () => {
    oldPath = process.env.PATH;
    oldCapture = process.env.OD_CAPTURE_MEDIA_RESPONSE;
    process.env.PATH = `${binDir}${path.delimiter}${oldPath ?? ''}`;
    const memoryConfig = memoryConfigPath();
    oldMemoryConfigRaw = await readFile(memoryConfig, 'utf8').catch(() => null);
    await writeMemoryConfig(process.env.OD_DATA_DIR!, {
      chatExtractionEnabled: false,
      extraction: null,
    });
  });
  afterEach(async () => {
@ -41,6 +49,14 @@ describe('run-scoped media policy routes', () => {
    else process.env.PATH = oldPath;
    if (oldCapture === undefined) delete process.env.OD_CAPTURE_MEDIA_RESPONSE;
    else process.env.OD_CAPTURE_MEDIA_RESPONSE = oldCapture;
    const memoryConfig = memoryConfigPath();
    if (oldMemoryConfigRaw === null) {
      await rm(memoryConfig, { force: true });
    } else {
      await mkdir(path.dirname(memoryConfig), { recursive: true });
      await writeFile(memoryConfig, oldMemoryConfigRaw);
    }
    oldMemoryConfigRaw = null;
    await rm(tempDir, { recursive: true, force: true });
    await rm(binDir, { recursive: true, force: true });
  });
@ -468,6 +484,10 @@ describe('run-scoped media policy routes', () => {
    };
  }
  function memoryConfigPath(): string {
    return path.join(memoryDir(process.env.OD_DATA_DIR!), '.config.json');
  }
  async function writeFakeAgent(
    capturePath: string,
    requestBody: unknown,
--- a/apps/daemon/tests/projects-routes.test.ts
+++ b/apps/daemon/tests/projects-routes.test.ts
@ -77,6 +77,35 @@ describe('GET /api/projects/:id resolvedDir', () => {
    expect(detail.resolvedDir).toBe(baseDir);
  });
  it('keeps imported-folder resolvedDir stable in sandbox mode', async () => {
    const folder = makeFolder();
    await writeFile(path.join(folder, 'index.html'), '<!doctype html>');
    const importResp = await fetch(`${baseUrl}/api/import/folder`, {
      method: 'POST',
      headers: { 'Content-Type': 'application/json' },
      body: JSON.stringify({ baseDir: folder }),
    });
    expect(importResp.status).toBe(200);
    const importBody = (await importResp.json()) as {
      project: { id: string; metadata?: { baseDir?: string } };
    };
    const projectId = importBody.project.id;
    const baseDir = importBody.project.metadata?.baseDir;
    expect(baseDir).toBeTruthy();
    await withSandboxMode(async () => {
      const detailResp = await fetch(`${baseUrl}/api/projects/${projectId}`);
      expect(detailResp.status).toBe(200);
      const detail = (await detailResp.json()) as {
        project: { id: string };
        resolvedDir: string;
      };
      expect(detail.project.id).toBe(projectId);
      expect(detail.resolvedDir).toBe(baseDir);
    });
  });
  it('returns resolvedDir under <projects root>/<id> for a native project', async () => {
    const projectId = `proj-routes-${Date.now()}`;
    const createResp = await fetch(`${baseUrl}/api/projects`, {
@ -269,3 +298,14 @@ describe('GET /api/projects/:id resolvedDir', () => {
    expect(body.error?.message).toMatch(/fromTrustedPicker/i);
  });
 });
 async function withSandboxMode<T>(run: () => Promise<T>): Promise<T> {
  const previous = process.env.OD_SANDBOX_MODE;
  process.env.OD_SANDBOX_MODE = '1';
  try {
    return await run();
  } finally {
    if (previous == null) delete process.env.OD_SANDBOX_MODE;
    else process.env.OD_SANDBOX_MODE = previous;
  }
 }
--- a/apps/daemon/tests/runtimes/env-and-detection.test.ts
+++ b/apps/daemon/tests/runtimes/env-and-detection.test.ts
@ -1,6 +1,8 @@
 import { symlinkSync } from 'node:fs';
 import { test, vi } from 'vitest';
 import { homedir } from 'node:os';
 import { dirname, relative, resolve } from 'node:path';
 import { fileURLToPath } from 'node:url';
 import * as platform from '@open-design/platform';
 import {
  assert, chmodSync, detectAgents, inspectAgentExecutableResolution, join, minimalAgentDef, mkdirSync, mkdtempSync, opencode, resolveAgentExecutable, rmSync, spawnEnvForAgent, tmpdir, withEnvSnapshot, withPlatform, writeFileSync,
@ -8,6 +10,7 @@ import {
 import { isCursorAuthFailureText } from '../../src/runtimes/auth.js';
 const fsTest = process.platform === 'win32' ? test.skip : test;
 const repoRoot = resolve(dirname(fileURLToPath(import.meta.url)), '../../../..');
 // Issue #398: Claude Code prefers ANTHROPIC_API_KEY over `claude login`
 // credentials, silently billing API usage. Strip it for the claude
@ -135,6 +138,33 @@ test('spawnEnvForAgent keeps sandbox roots pinned to the base OD_DATA_DIR', () =
  }
 });
 test('spawnEnvForAgent resolves relative OD_DATA_DIR before applying sandbox roots', () => {
  const dataDir = mkdtempSync(join(tmpdir(), 'od-agent-env-sandbox-relative-'));
  try {
    const relativeDataDir = relative(repoRoot, dataDir);
    const env = spawnEnvForAgent(
      'codex',
      {
        OD_DATA_DIR: relativeDataDir,
        OD_SANDBOX_MODE: '1',
        PATH: '/usr/bin',
      },
      {
        CODEX_HOME: '/Users/test/.codex-host',
      },
    );
    assert.equal(
      env.CODEX_HOME,
      join(dataDir, 'sandbox', 'agent-home', '.codex'),
    );
    assert.equal(env.CLAUDE_CONFIG_DIR, join(dataDir, 'sandbox', 'config', 'claude'));
    assert.equal(env.HOME, join(dataDir, 'sandbox', 'agent-home'));
  } finally {
    rmSync(dataDir, { recursive: true, force: true });
  }
 });
 test('spawnEnvForAgent applies system proxy env to all agent runtimes before base env overrides', () => {
  const env = spawnEnvForAgent(
    'gemini',
--- a/apps/daemon/tests/runtimes/executables.test.ts
+++ b/apps/daemon/tests/runtimes/executables.test.ts
@ -1,4 +1,5 @@
 import { test } from 'vitest';
 import { relative, resolve } from 'node:path';
 import {
  assert, chmodSync, claude, deepseek, gemini, join, minimalAgentDef, mkdirSync, mkdtempSync, resolveAgentExecutable, rmSync, tmpdir, withEnvSnapshot, withPlatform, writeFileSync,
 } from './helpers/test-helpers.js';
@ -408,40 +409,76 @@ fsTest(
 );
 fsTest(
-  'OD_SANDBOX_MODE derives agent-home isolation from OD_DATA_DIR during detection',
+  'OD_SANDBOX_MODE scopes fallback toolchain discovery to OD_DATA_DIR',
  () => {
    const dataDir = mkdtempSync(join(tmpdir(), 'od-agents-sandbox-data-'));
    const emptyPath = mkdtempSync(join(tmpdir(), 'od-agents-empty-path-'));
    const realPrefix = mkdtempSync(join(tmpdir(), 'od-agents-real-prefix-'));
    const realPrefixBin = join(realPrefix, 'bin');
    try {
      return withEnvSnapshot(
-        ['OD_SANDBOX_MODE', 'OD_DATA_DIR', 'OD_AGENT_HOME', 'PATH', 'NPM_CONFIG_PREFIX'],
+        ['PATH', 'OD_AGENT_HOME', 'OD_DATA_DIR', 'OD_SANDBOX_MODE', 'NPM_CONFIG_PREFIX'],
        () => {
          mkdirSync(realPrefixBin, { recursive: true });
          writeFileSync(join(realPrefixBin, 'gemini'), '');
          chmodSync(join(realPrefixBin, 'gemini'), 0o755);
          process.env.OD_SANDBOX_MODE = '1';
          process.env.OD_DATA_DIR = dataDir;
          delete process.env.OD_AGENT_HOME;
-          process.env.PATH = '/usr/bin:/bin';
+          process.env.OD_DATA_DIR = dataDir;
          process.env.OD_SANDBOX_MODE = '1';
          process.env.PATH = emptyPath;
          process.env.NPM_CONFIG_PREFIX = realPrefix;
          const resolved = resolveAgentExecutable(minimalAgentDef({ bin: 'gemini' }));
          assert.equal(
            resolved,
            null,
-            `sandbox mode must not see the real $NPM_CONFIG_PREFIX bin; got ${resolved}`,
+            `sandbox mode must not see the host $NPM_CONFIG_PREFIX bin; got ${resolved}`,
          );
        },
      );
    } finally {
      rmSync(dataDir, { recursive: true, force: true });
      rmSync(emptyPath, { recursive: true, force: true });
      rmSync(realPrefix, { recursive: true, force: true });
    }
  },
 );
 fsTest(
  'OD_SANDBOX_MODE resolves relative OD_DATA_DIR before fallback toolchain discovery',
  () => {
    const projectRoot = resolve(process.cwd(), '../..');
    const parent = mkdtempSync(join(tmpdir(), 'od-agents-relative-data-parent-'));
    const dataDir = join(parent, 'data');
    const sandboxBin = join(dataDir, 'sandbox', 'agent-home', '.local', 'bin');
    const emptyPath = mkdtempSync(join(tmpdir(), 'od-agents-empty-path-'));
    try {
      return withEnvSnapshot(
        ['PATH', 'OD_AGENT_HOME', 'OD_DATA_DIR', 'OD_SANDBOX_MODE', 'NPM_CONFIG_PREFIX'],
        () => {
          mkdirSync(sandboxBin, { recursive: true });
          const geminiPath = join(sandboxBin, 'gemini');
          writeFileSync(geminiPath, '');
          chmodSync(geminiPath, 0o755);
          delete process.env.OD_AGENT_HOME;
          delete process.env.NPM_CONFIG_PREFIX;
          process.env.OD_DATA_DIR = relative(projectRoot, dataDir);
          process.env.OD_SANDBOX_MODE = '1';
          process.env.PATH = emptyPath;
          const resolved = resolveAgentExecutable(minimalAgentDef({ bin: 'gemini' }));
          assert.equal(resolved, geminiPath);
        },
      );
    } finally {
      rmSync(parent, { recursive: true, force: true });
      rmSync(emptyPath, { recursive: true, force: true });
    }
  },
 );
 fsTest(
  'OD_AGENT_HOME isolates resolution from $VP_HOME leakage',
  () => {
--- a/apps/daemon/tests/runtimes/registry-and-args.test.ts
+++ b/apps/daemon/tests/runtimes/registry-and-args.test.ts
@ -102,6 +102,31 @@ test('local agent profiles skip explicit unknown baseAgent without falling back'
  }
 });
 test('sandbox mode ignores implicit and host explicit local agent profiles', async () => {
  const dir = mkdtempSync(join(tmpdir(), 'od-local-agent-profiles-sandbox-'));
  try {
    await withEnvSnapshot(['OD_AGENT_PROFILES_CONFIG', 'OD_SANDBOX_MODE', 'OD_DATA_DIR'], async () => {
      const config = join(dir, 'agents.local.json');
      writeFileSync(
        config,
        JSON.stringify({
          agents: [{ id: 'explicit-wrapper', bin: 'explicit-wrapper' }],
        }),
      );
      process.env.OD_SANDBOX_MODE = '1';
      delete process.env.OD_DATA_DIR;
      delete process.env.OD_AGENT_PROFILES_CONFIG;
      assert.deepEqual(readLocalAgentProfileDefs(), []);
      process.env.OD_AGENT_PROFILES_CONFIG = config;
      assert.deepEqual(readLocalAgentProfileDefs(), []);
    });
  } finally {
    rmSync(dir, { recursive: true, force: true });
  }
 });
 test('codex args disable plugins when OD_CODEX_DISABLE_PLUGINS is 1', () => {
  process.env.OD_CODEX_DISABLE_PLUGINS = '1';