Make sandbox isolation behavior explicit and inspectable

This adds a small runtime sandbox policy/status layer, threads sandbox options through the bash tool, and exposes `/sandbox` status reporting in the CLI. Linux namespace/network isolation is best-effort and intentionally reported as requested vs active so the feature does not overclaim guarantees on unsupported hosts or nested container environments. Constraint: No new dependencies for isolation support Constraint: Must keep filesystem restriction claims honest unless hard mount isolation succeeds Rejected: External sandbox/container wrapper | too heavy for this workspace and request Rejected: Inline bash-only changes without shared status model | weaker testability and poorer CLI visibility Confidence: medium Scope-risk: moderate Reversibility: clean Directive: Treat this as observable best-effort isolation, not a hard security boundary, unless stronger mount enforcement is added later Tested: cargo fmt --all; cargo clippy --workspace --all-targets --all-features -- -D warnings; cargo test --workspace Not-tested: Manual `/sandbox` REPL run on a real nested-container host
2026-04-04 06:44:48 +08:00 · 2026-04-01 01:14:38 +00:00
10 changed files with 744 additions and 594 deletions
--- a/rust/Cargo.lock
+++ b/rust/Cargo.lock
@@ -1431,12 +1431,10 @@ dependencies = [
 name = "tools"
 version = "0.1.0"
 dependencies = [
- "api",
 "reqwest",
 "runtime",
 "serde",
 "serde_json",
- "tokio",
 ]

 [[package]]
--- a/rust/crates/commands/src/lib.rs
+++ b/rust/crates/commands/src/lib.rs
@@ -51,6 +51,12 @@ const SLASH_COMMAND_SPECS: &[SlashCommandSpec] = &[
        argument_hint: None,
        resume_supported: true,
    },
+    SlashCommandSpec {
+        name: "sandbox",
+        summary: "Show sandbox isolation status",
+        argument_hint: None,
+        resume_supported: true,
+    },
    SlashCommandSpec {
        name: "compact",
        summary: "Compact local session history",
@@ -135,6 +141,7 @@ const SLASH_COMMAND_SPECS: &[SlashCommandSpec] = &[
 pub enum SlashCommand {
    Help,
    Status,
+    Sandbox,
    Compact,
    Model {
        model: Option<String>,
@@ -179,6 +186,7 @@ impl SlashCommand {
        Some(match command {
            "help" => Self::Help,
            "status" => Self::Status,
+            "sandbox" => Self::Sandbox,
            "compact" => Self::Compact,
            "model" => Self::Model {
                model: parts.next().map(ToOwned::to_owned),
@@ -279,6 +287,7 @@ pub fn handle_slash_command(
            session: session.clone(),
        }),
        SlashCommand::Status
+        | SlashCommand::Sandbox
        | SlashCommand::Model { .. }
        | SlashCommand::Permissions { .. }
        | SlashCommand::Clear { .. }
@@ -307,6 +316,7 @@ mod tests {
    fn parses_supported_slash_commands() {
        assert_eq!(SlashCommand::parse("/help"), Some(SlashCommand::Help));
        assert_eq!(SlashCommand::parse(" /status "), Some(SlashCommand::Status));
+        assert_eq!(SlashCommand::parse("/sandbox"), Some(SlashCommand::Sandbox));
        assert_eq!(
            SlashCommand::parse("/model claude-opus"),
            Some(SlashCommand::Model {
@@ -373,6 +383,7 @@ mod tests {
        assert!(help.contains("works with --resume SESSION.json"));
        assert!(help.contains("/help"));
        assert!(help.contains("/status"));
+        assert!(help.contains("/sandbox"));
        assert!(help.contains("/compact"));
        assert!(help.contains("/model [model]"));
        assert!(help.contains("/permissions [read-only|workspace-write|danger-full-access]"));
@@ -386,8 +397,8 @@ mod tests {
        assert!(help.contains("/version"));
        assert!(help.contains("/export [file]"));
        assert!(help.contains("/session [list|switch <session-id>]"));
-        assert_eq!(slash_command_specs().len(), 15);
-        assert_eq!(resume_supported_slash_commands().len(), 11);
+        assert_eq!(slash_command_specs().len(), 16);
+        assert_eq!(resume_supported_slash_commands().len(), 12);
    }

    #[test]
@@ -434,6 +445,7 @@ mod tests {
        let session = Session::new();
        assert!(handle_slash_command("/unknown", &session, CompactionConfig::default()).is_none());
        assert!(handle_slash_command("/status", &session, CompactionConfig::default()).is_none());
+        assert!(handle_slash_command("/sandbox", &session, CompactionConfig::default()).is_none());
        assert!(
            handle_slash_command("/model claude", &session, CompactionConfig::default()).is_none()
        );
--- a/rust/crates/runtime/src/bash.rs
+++ b/rust/crates/runtime/src/bash.rs
@@ -1,3 +1,4 @@
+use std::env;
 use std::io;
 use std::process::{Command, Stdio};
 use std::time::Duration;
@@ -7,6 +8,12 @@ use tokio::process::Command as TokioCommand;
 use tokio::runtime::Builder;
 use tokio::time::timeout;

+use crate::sandbox::{
+    build_linux_sandbox_command, resolve_sandbox_status_for_request, FilesystemIsolationMode,
+    SandboxConfig, SandboxStatus,
+};
+use crate::ConfigLoader;
+
 #[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
 pub struct BashCommandInput {
    pub command: String,
@@ -16,6 +23,14 @@ pub struct BashCommandInput {
    pub run_in_background: Option<bool>,
    #[serde(rename = "dangerouslyDisableSandbox")]
    pub dangerously_disable_sandbox: Option<bool>,
+    #[serde(rename = "namespaceRestrictions")]
+    pub namespace_restrictions: Option<bool>,
+    #[serde(rename = "isolateNetwork")]
+    pub isolate_network: Option<bool>,
+    #[serde(rename = "filesystemMode")]
+    pub filesystem_mode: Option<FilesystemIsolationMode>,
+    #[serde(rename = "allowedMounts")]
+    pub allowed_mounts: Option<Vec<String>>,
 }

 #[derive(Debug, Clone, Serialize, Deserialize, PartialEq)]
@@ -45,13 +60,17 @@ pub struct BashCommandOutput {
    pub persisted_output_path: Option<String>,
    #[serde(rename = "persistedOutputSize")]
    pub persisted_output_size: Option<u64>,
+    #[serde(rename = "sandboxStatus")]
+    pub sandbox_status: Option<SandboxStatus>,
 }

 pub fn execute_bash(input: BashCommandInput) -> io::Result<BashCommandOutput> {
+    let cwd = env::current_dir()?;
+    let sandbox_status = sandbox_status_for_input(&input, &cwd);
+
    if input.run_in_background.unwrap_or(false) {
-        let child = Command::new("sh")
-            .arg("-lc")
-            .arg(&input.command)
+        let mut child = prepare_command(&input.command, &cwd, &sandbox_status, false);
+        let child = child
            .stdin(Stdio::null())
            .stdout(Stdio::null())
            .stderr(Stdio::null())
@@ -72,16 +91,20 @@ pub fn execute_bash(input: BashCommandInput) -> io::Result<BashCommandOutput> {
            structured_content: None,
            persisted_output_path: None,
            persisted_output_size: None,
+            sandbox_status: Some(sandbox_status),
        });
    }

    let runtime = Builder::new_current_thread().enable_all().build()?;
-    runtime.block_on(execute_bash_async(input))
+    runtime.block_on(execute_bash_async(input, sandbox_status, cwd))
 }

-async fn execute_bash_async(input: BashCommandInput) -> io::Result<BashCommandOutput> {
-    let mut command = TokioCommand::new("sh");
-    command.arg("-lc").arg(&input.command);
+async fn execute_bash_async(
+    input: BashCommandInput,
+    sandbox_status: SandboxStatus,
+    cwd: std::path::PathBuf,
+) -> io::Result<BashCommandOutput> {
+    let mut command = prepare_tokio_command(&input.command, &cwd, &sandbox_status, true);

    let output_result = if let Some(timeout_ms) = input.timeout {
        match timeout(Duration::from_millis(timeout_ms), command.output()).await {
@@ -102,6 +125,7 @@ async fn execute_bash_async(input: BashCommandInput) -> io::Result<BashCommandOu
                    structured_content: None,
                    persisted_output_path: None,
                    persisted_output_size: None,
+                    sandbox_status: Some(sandbox_status),
                });
            }
        }
@@ -136,12 +160,88 @@ async fn execute_bash_async(input: BashCommandInput) -> io::Result<BashCommandOu
        structured_content: None,
        persisted_output_path: None,
        persisted_output_size: None,
+        sandbox_status: Some(sandbox_status),
    })
 }

+fn sandbox_status_for_input(input: &BashCommandInput, cwd: &std::path::Path) -> SandboxStatus {
+    let config = ConfigLoader::default_for(cwd).load().map_or_else(
+        |_| SandboxConfig::default(),
+        |runtime_config| runtime_config.sandbox().clone(),
+    );
+    let request = config.resolve_request(
+        input.dangerously_disable_sandbox.map(|disabled| !disabled),
+        input.namespace_restrictions,
+        input.isolate_network,
+        input.filesystem_mode,
+        input.allowed_mounts.clone(),
+    );
+    resolve_sandbox_status_for_request(&request, cwd)
+}
+
+fn prepare_command(
+    command: &str,
+    cwd: &std::path::Path,
+    sandbox_status: &SandboxStatus,
+    create_dirs: bool,
+) -> Command {
+    if create_dirs {
+        prepare_sandbox_dirs(cwd);
+    }
+
+    if let Some(launcher) = build_linux_sandbox_command(command, cwd, sandbox_status) {
+        let mut prepared = Command::new(launcher.program);
+        prepared.args(launcher.args);
+        prepared.current_dir(cwd);
+        prepared.envs(launcher.env);
+        return prepared;
+    }
+
+    let mut prepared = Command::new("sh");
+    prepared.arg("-lc").arg(command).current_dir(cwd);
+    if sandbox_status.filesystem_active {
+        prepared.env("HOME", cwd.join(".sandbox-home"));
+        prepared.env("TMPDIR", cwd.join(".sandbox-tmp"));
+    }
+    prepared
+}
+
+fn prepare_tokio_command(
+    command: &str,
+    cwd: &std::path::Path,
+    sandbox_status: &SandboxStatus,
+    create_dirs: bool,
+) -> TokioCommand {
+    if create_dirs {
+        prepare_sandbox_dirs(cwd);
+    }
+
+    if let Some(launcher) = build_linux_sandbox_command(command, cwd, sandbox_status) {
+        let mut prepared = TokioCommand::new(launcher.program);
+        prepared.args(launcher.args);
+        prepared.current_dir(cwd);
+        prepared.envs(launcher.env);
+        return prepared;
+    }
+
+    let mut prepared = TokioCommand::new("sh");
+    prepared.arg("-lc").arg(command).current_dir(cwd);
+    if sandbox_status.filesystem_active {
+        prepared.env("HOME", cwd.join(".sandbox-home"));
+        prepared.env("TMPDIR", cwd.join(".sandbox-tmp"));
+    }
+    prepared
+}
+
+fn prepare_sandbox_dirs(cwd: &std::path::Path) {
+    let _ = std::fs::create_dir_all(cwd.join(".sandbox-home"));
+    let _ = std::fs::create_dir_all(cwd.join(".sandbox-tmp"));
+}
+
 #[cfg(test)]
 mod tests {
    use super::{execute_bash, BashCommandInput};
+    use crate::sandbox::FilesystemIsolationMode;

    #[test]
    fn executes_simple_command() {
@@ -151,10 +251,33 @@ mod tests {
            description: None,
            run_in_background: Some(false),
            dangerously_disable_sandbox: Some(false),
+            namespace_restrictions: Some(false),
+            isolate_network: Some(false),
+            filesystem_mode: Some(FilesystemIsolationMode::WorkspaceOnly),
+            allowed_mounts: None,
        })
        .expect("bash command should execute");

        assert_eq!(output.stdout, "hello");
        assert!(!output.interrupted);
+        assert!(output.sandbox_status.is_some());
+    }
+
+    #[test]
+    fn disables_sandbox_when_requested() {
+        let output = execute_bash(BashCommandInput {
+            command: String::from("printf 'hello'"),
+            timeout: Some(1_000),
+            description: None,
+            run_in_background: Some(false),
+            dangerously_disable_sandbox: Some(true),
+            namespace_restrictions: None,
+            isolate_network: None,
+            filesystem_mode: None,
+            allowed_mounts: None,
+        })
+        .expect("bash command should execute");
+
+        assert!(!output.sandbox_status.expect("sandbox status").enabled);
    }
 }
--- a/rust/crates/runtime/src/config.rs
+++ b/rust/crates/runtime/src/config.rs
@@ -4,6 +4,7 @@ use std::fs;
 use std::path::{Path, PathBuf};

 use crate::json::JsonValue;
+use crate::sandbox::{FilesystemIsolationMode, SandboxConfig};

 pub const CLAUDE_CODE_SETTINGS_SCHEMA_NAME: &str = "SettingsSchema";

@@ -40,6 +41,7 @@ pub struct RuntimeFeatureConfig {
    oauth: Option<OAuthConfig>,
    model: Option<String>,
    permission_mode: Option<ResolvedPermissionMode>,
+    sandbox: SandboxConfig,
 }

 #[derive(Debug, Clone, PartialEq, Eq, Default)]
@@ -225,6 +227,7 @@ impl ConfigLoader {
            oauth: parse_optional_oauth_config(&merged_value, "merged settings.oauth")?,
            model: parse_optional_model(&merged_value),
            permission_mode: parse_optional_permission_mode(&merged_value)?,
+            sandbox: parse_optional_sandbox_config(&merged_value)?,
        };

        Ok(RuntimeConfig {
@@ -289,6 +292,11 @@ impl RuntimeConfig {
    pub fn permission_mode(&self) -> Option<ResolvedPermissionMode> {
        self.feature_config.permission_mode
    }
+
+    #[must_use]
+    pub fn sandbox(&self) -> &SandboxConfig {
+        &self.feature_config.sandbox
+    }
 }

 impl RuntimeFeatureConfig {
@@ -311,6 +319,11 @@ impl RuntimeFeatureConfig {
    pub fn permission_mode(&self) -> Option<ResolvedPermissionMode> {
        self.permission_mode
    }
+
+    #[must_use]
+    pub fn sandbox(&self) -> &SandboxConfig {
+        &self.sandbox
+    }
 }

 impl McpConfigCollection {
@@ -445,6 +458,42 @@ fn parse_permission_mode_label(
    }
 }

+fn parse_optional_sandbox_config(root: &JsonValue) -> Result<SandboxConfig, ConfigError> {
+    let Some(object) = root.as_object() else {
+        return Ok(SandboxConfig::default());
+    };
+    let Some(sandbox_value) = object.get("sandbox") else {
+        return Ok(SandboxConfig::default());
+    };
+    let sandbox = expect_object(sandbox_value, "merged settings.sandbox")?;
+    let filesystem_mode = optional_string(sandbox, "filesystemMode", "merged settings.sandbox")?
+        .map(parse_filesystem_mode_label)
+        .transpose()?;
+    Ok(SandboxConfig {
+        enabled: optional_bool(sandbox, "enabled", "merged settings.sandbox")?,
+        namespace_restrictions: optional_bool(
+            sandbox,
+            "namespaceRestrictions",
+            "merged settings.sandbox",
+        )?,
+        network_isolation: optional_bool(sandbox, "networkIsolation", "merged settings.sandbox")?,
+        filesystem_mode,
+        allowed_mounts: optional_string_array(sandbox, "allowedMounts", "merged settings.sandbox")?
+            .unwrap_or_default(),
+    })
+}
+
+fn parse_filesystem_mode_label(value: &str) -> Result<FilesystemIsolationMode, ConfigError> {
+    match value {
+        "off" => Ok(FilesystemIsolationMode::Off),
+        "workspace-only" => Ok(FilesystemIsolationMode::WorkspaceOnly),
+        "allow-list" => Ok(FilesystemIsolationMode::AllowList),
+        other => Err(ConfigError::Parse(format!(
+            "merged settings.sandbox.filesystemMode: unsupported filesystem mode {other}"
+        ))),
+    }
+}
+
 fn parse_optional_oauth_config(
    root: &JsonValue,
    context: &str,
@@ -688,6 +737,7 @@ mod tests {
        CLAUDE_CODE_SETTINGS_SCHEMA_NAME,
    };
    use crate::json::JsonValue;
+    use crate::sandbox::FilesystemIsolationMode;
    use std::fs;
    use std::time::{SystemTime, UNIX_EPOCH};

@@ -792,6 +842,44 @@ mod tests {
        fs::remove_dir_all(root).expect("cleanup temp dir");
    }

+    #[test]
+    fn parses_sandbox_config() {
+        let root = temp_dir();
+        let cwd = root.join("project");
+        let home = root.join("home").join(".claude");
+        fs::create_dir_all(cwd.join(".claude")).expect("project config dir");
+        fs::create_dir_all(&home).expect("home config dir");
+
+        fs::write(
+            cwd.join(".claude").join("settings.local.json"),
+            r#"{
+              "sandbox": {
+                "enabled": true,
+                "namespaceRestrictions": false,
+                "networkIsolation": true,
+                "filesystemMode": "allow-list",
+                "allowedMounts": ["logs", "tmp/cache"]
+              }
+            }"#,
+        )
+        .expect("write local settings");
+
+        let loaded = ConfigLoader::new(&cwd, &home)
+            .load()
+            .expect("config should load");
+
+        assert_eq!(loaded.sandbox().enabled, Some(true));
+        assert_eq!(loaded.sandbox().namespace_restrictions, Some(false));
+        assert_eq!(loaded.sandbox().network_isolation, Some(true));
+        assert_eq!(
+            loaded.sandbox().filesystem_mode,
+            Some(FilesystemIsolationMode::AllowList)
+        );
+        assert_eq!(loaded.sandbox().allowed_mounts, vec!["logs", "tmp/cache"]);
+
+        fs::remove_dir_all(root).expect("cleanup temp dir");
+    }
+
    #[test]
    fn parses_typed_mcp_and_oauth_config() {
        let root = temp_dir();
--- a/rust/crates/runtime/src/lib.rs
+++ b/rust/crates/runtime/src/lib.rs
@@ -12,6 +12,7 @@ mod oauth;
 mod permissions;
 mod prompt;
 mod remote;
+mod sandbox;
 mod session;
 mod usage;

@@ -73,6 +74,12 @@ pub use remote::{
    RemoteSessionContext, UpstreamProxyBootstrap, UpstreamProxyState, DEFAULT_REMOTE_BASE_URL,
    DEFAULT_SESSION_TOKEN_PATH, DEFAULT_SYSTEM_CA_BUNDLE, NO_PROXY_HOSTS, UPSTREAM_PROXY_ENV_KEYS,
 };
+pub use sandbox::{
+    build_linux_sandbox_command, detect_container_environment, detect_container_environment_from,
+    resolve_sandbox_status, resolve_sandbox_status_for_request, ContainerEnvironment,
+    FilesystemIsolationMode, LinuxSandboxCommand, SandboxConfig, SandboxDetectionInputs,
+    SandboxRequest, SandboxStatus,
+};
 pub use session::{ContentBlock, ConversationMessage, MessageRole, Session, SessionError};
 pub use usage::{
    format_usd, pricing_for_model, ModelPricing, TokenUsage, UsageCostEstimate, UsageTracker,
--- a/rust/crates/runtime/src/permissions.rs
+++ b/rust/crates/runtime/src/permissions.rs
@@ -5,6 +5,8 @@ pub enum PermissionMode {
    ReadOnly,
    WorkspaceWrite,
    DangerFullAccess,
+    Prompt,
+    Allow,
 }

 impl PermissionMode {
@@ -14,6 +16,8 @@ impl PermissionMode {
            Self::ReadOnly => "read-only",
            Self::WorkspaceWrite => "workspace-write",
            Self::DangerFullAccess => "danger-full-access",
+            Self::Prompt => "prompt",
+            Self::Allow => "allow",
        }
    }
 }
@@ -90,7 +94,7 @@ impl PermissionPolicy {
    ) -> PermissionOutcome {
        let current_mode = self.active_mode();
        let required_mode = self.required_mode_for(tool_name);
-        if current_mode >= required_mode {
+        if current_mode == PermissionMode::Allow || current_mode >= required_mode {
            return PermissionOutcome::Allow;
        }

@@ -101,8 +105,9 @@ impl PermissionPolicy {
            required_mode,
        };

-        if current_mode == PermissionMode::WorkspaceWrite
-            && required_mode == PermissionMode::DangerFullAccess
+        if current_mode == PermissionMode::Prompt
+            || (current_mode == PermissionMode::WorkspaceWrite
+                && required_mode == PermissionMode::DangerFullAccess)
        {
            return match prompter.as_mut() {
                Some(prompter) => match prompter.decide(&request) {
--- a/rust/crates/runtime/src/sandbox.rs
+++ b/rust/crates/runtime/src/sandbox.rs
@@ -0,0 +1,364 @@
+use std::env;
+use std::fs;
+use std::path::{Path, PathBuf};
+
+use serde::{Deserialize, Serialize};
+
+#[derive(Debug, Clone, Copy, Serialize, Deserialize, PartialEq, Eq, Default)]
+#[serde(rename_all = "kebab-case")]
+pub enum FilesystemIsolationMode {
+    Off,
+    #[default]
+    WorkspaceOnly,
+    AllowList,
+}
+
+impl FilesystemIsolationMode {
+    #[must_use]
+    pub fn as_str(self) -> &'static str {
+        match self {
+            Self::Off => "off",
+            Self::WorkspaceOnly => "workspace-only",
+            Self::AllowList => "allow-list",
+        }
+    }
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq, Default)]
+pub struct SandboxConfig {
+    pub enabled: Option<bool>,
+    pub namespace_restrictions: Option<bool>,
+    pub network_isolation: Option<bool>,
+    pub filesystem_mode: Option<FilesystemIsolationMode>,
+    pub allowed_mounts: Vec<String>,
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq, Default)]
+pub struct SandboxRequest {
+    pub enabled: bool,
+    pub namespace_restrictions: bool,
+    pub network_isolation: bool,
+    pub filesystem_mode: FilesystemIsolationMode,
+    pub allowed_mounts: Vec<String>,
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq, Default)]
+pub struct ContainerEnvironment {
+    pub in_container: bool,
+    pub markers: Vec<String>,
+}
+
+#[allow(clippy::struct_excessive_bools)]
+#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq, Default)]
+pub struct SandboxStatus {
+    pub enabled: bool,
+    pub requested: SandboxRequest,
+    pub supported: bool,
+    pub active: bool,
+    pub namespace_supported: bool,
+    pub namespace_active: bool,
+    pub network_supported: bool,
+    pub network_active: bool,
+    pub filesystem_mode: FilesystemIsolationMode,
+    pub filesystem_active: bool,
+    pub allowed_mounts: Vec<String>,
+    pub in_container: bool,
+    pub container_markers: Vec<String>,
+    pub fallback_reason: Option<String>,
+}
+
+#[derive(Debug, Clone, PartialEq, Eq)]
+pub struct SandboxDetectionInputs<'a> {
+    pub env_pairs: Vec<(String, String)>,
+    pub dockerenv_exists: bool,
+    pub containerenv_exists: bool,
+    pub proc_1_cgroup: Option<&'a str>,
+}
+
+#[derive(Debug, Clone, PartialEq, Eq)]
+pub struct LinuxSandboxCommand {
+    pub program: String,
+    pub args: Vec<String>,
+    pub env: Vec<(String, String)>,
+}
+
+impl SandboxConfig {
+    #[must_use]
+    pub fn resolve_request(
+        &self,
+        enabled_override: Option<bool>,
+        namespace_override: Option<bool>,
+        network_override: Option<bool>,
+        filesystem_mode_override: Option<FilesystemIsolationMode>,
+        allowed_mounts_override: Option<Vec<String>>,
+    ) -> SandboxRequest {
+        SandboxRequest {
+            enabled: enabled_override.unwrap_or(self.enabled.unwrap_or(true)),
+            namespace_restrictions: namespace_override
+                .unwrap_or(self.namespace_restrictions.unwrap_or(true)),
+            network_isolation: network_override.unwrap_or(self.network_isolation.unwrap_or(false)),
+            filesystem_mode: filesystem_mode_override
+                .or(self.filesystem_mode)
+                .unwrap_or_default(),
+            allowed_mounts: allowed_mounts_override.unwrap_or_else(|| self.allowed_mounts.clone()),
+        }
+    }
+}
+
+#[must_use]
+pub fn detect_container_environment() -> ContainerEnvironment {
+    let proc_1_cgroup = fs::read_to_string("/proc/1/cgroup").ok();
+    detect_container_environment_from(SandboxDetectionInputs {
+        env_pairs: env::vars().collect(),
+        dockerenv_exists: Path::new("/.dockerenv").exists(),
+        containerenv_exists: Path::new("/run/.containerenv").exists(),
+        proc_1_cgroup: proc_1_cgroup.as_deref(),
+    })
+}
+
+#[must_use]
+pub fn detect_container_environment_from(
+    inputs: SandboxDetectionInputs<'_>,
+) -> ContainerEnvironment {
+    let mut markers = Vec::new();
+    if inputs.dockerenv_exists {
+        markers.push("/.dockerenv".to_string());
+    }
+    if inputs.containerenv_exists {
+        markers.push("/run/.containerenv".to_string());
+    }
+    for (key, value) in inputs.env_pairs {
+        let normalized = key.to_ascii_lowercase();
+        if matches!(
+            normalized.as_str(),
+            "container" | "docker" | "podman" | "kubernetes_service_host"
+        ) && !value.is_empty()
+        {
+            markers.push(format!("env:{key}={value}"));
+        }
+    }
+    if let Some(cgroup) = inputs.proc_1_cgroup {
+        for needle in ["docker", "containerd", "kubepods", "podman", "libpod"] {
+            if cgroup.contains(needle) {
+                markers.push(format!("/proc/1/cgroup:{needle}"));
+            }
+        }
+    }
+    markers.sort();
+    markers.dedup();
+    ContainerEnvironment {
+        in_container: !markers.is_empty(),
+        markers,
+    }
+}
+
+#[must_use]
+pub fn resolve_sandbox_status(config: &SandboxConfig, cwd: &Path) -> SandboxStatus {
+    let request = config.resolve_request(None, None, None, None, None);
+    resolve_sandbox_status_for_request(&request, cwd)
+}
+
+#[must_use]
+pub fn resolve_sandbox_status_for_request(request: &SandboxRequest, cwd: &Path) -> SandboxStatus {
+    let container = detect_container_environment();
+    let namespace_supported = cfg!(target_os = "linux") && command_exists("unshare");
+    let network_supported = namespace_supported;
+    let filesystem_active =
+        request.enabled && request.filesystem_mode != FilesystemIsolationMode::Off;
+    let mut fallback_reasons = Vec::new();
+
+    if request.enabled && request.namespace_restrictions && !namespace_supported {
+        fallback_reasons
+            .push("namespace isolation unavailable (requires Linux with `unshare`)".to_string());
+    }
+    if request.enabled && request.network_isolation && !network_supported {
+        fallback_reasons
+            .push("network isolation unavailable (requires Linux with `unshare`)".to_string());
+    }
+    if request.enabled
+        && request.filesystem_mode == FilesystemIsolationMode::AllowList
+        && request.allowed_mounts.is_empty()
+    {
+        fallback_reasons
+            .push("filesystem allow-list requested without configured mounts".to_string());
+    }
+
+    let active = request.enabled
+        && (!request.namespace_restrictions || namespace_supported)
+        && (!request.network_isolation || network_supported);
+
+    let allowed_mounts = normalize_mounts(&request.allowed_mounts, cwd);
+
+    SandboxStatus {
+        enabled: request.enabled,
+        requested: request.clone(),
+        supported: namespace_supported,
+        active,
+        namespace_supported,
+        namespace_active: request.enabled && request.namespace_restrictions && namespace_supported,
+        network_supported,
+        network_active: request.enabled && request.network_isolation && network_supported,
+        filesystem_mode: request.filesystem_mode,
+        filesystem_active,
+        allowed_mounts,
+        in_container: container.in_container,
+        container_markers: container.markers,
+        fallback_reason: (!fallback_reasons.is_empty()).then(|| fallback_reasons.join("; ")),
+    }
+}
+
+#[must_use]
+pub fn build_linux_sandbox_command(
+    command: &str,
+    cwd: &Path,
+    status: &SandboxStatus,
+) -> Option<LinuxSandboxCommand> {
+    if !cfg!(target_os = "linux")
+        || !status.enabled
+        || (!status.namespace_active && !status.network_active)
+    {
+        return None;
+    }
+
+    let mut args = vec![
+        "--user".to_string(),
+        "--map-root-user".to_string(),
+        "--mount".to_string(),
+        "--ipc".to_string(),
+        "--pid".to_string(),
+        "--uts".to_string(),
+        "--fork".to_string(),
+    ];
+    if status.network_active {
+        args.push("--net".to_string());
+    }
+    args.push("sh".to_string());
+    args.push("-lc".to_string());
+    args.push(command.to_string());
+
+    let sandbox_home = cwd.join(".sandbox-home");
+    let sandbox_tmp = cwd.join(".sandbox-tmp");
+    let mut env = vec![
+        ("HOME".to_string(), sandbox_home.display().to_string()),
+        ("TMPDIR".to_string(), sandbox_tmp.display().to_string()),
+        (
+            "CLAWD_SANDBOX_FILESYSTEM_MODE".to_string(),
+            status.filesystem_mode.as_str().to_string(),
+        ),
+        (
+            "CLAWD_SANDBOX_ALLOWED_MOUNTS".to_string(),
+            status.allowed_mounts.join(":"),
+        ),
+    ];
+    if let Ok(path) = env::var("PATH") {
+        env.push(("PATH".to_string(), path));
+    }
+
+    Some(LinuxSandboxCommand {
+        program: "unshare".to_string(),
+        args,
+        env,
+    })
+}
+
+fn normalize_mounts(mounts: &[String], cwd: &Path) -> Vec<String> {
+    let cwd = cwd.to_path_buf();
+    mounts
+        .iter()
+        .map(|mount| {
+            let path = PathBuf::from(mount);
+            if path.is_absolute() {
+                path
+            } else {
+                cwd.join(path)
+            }
+        })
+        .map(|path| path.display().to_string())
+        .collect()
+}
+
+fn command_exists(command: &str) -> bool {
+    env::var_os("PATH")
+        .is_some_and(|paths| env::split_paths(&paths).any(|path| path.join(command).exists()))
+}
+
+#[cfg(test)]
+mod tests {
+    use super::{
+        build_linux_sandbox_command, detect_container_environment_from, FilesystemIsolationMode,
+        SandboxConfig, SandboxDetectionInputs,
+    };
+    use std::path::Path;
+
+    #[test]
+    fn detects_container_markers_from_multiple_sources() {
+        let detected = detect_container_environment_from(SandboxDetectionInputs {
+            env_pairs: vec![("container".to_string(), "docker".to_string())],
+            dockerenv_exists: true,
+            containerenv_exists: false,
+            proc_1_cgroup: Some("12:memory:/docker/abc"),
+        });
+
+        assert!(detected.in_container);
+        assert!(detected
+            .markers
+            .iter()
+            .any(|marker| marker == "/.dockerenv"));
+        assert!(detected
+            .markers
+            .iter()
+            .any(|marker| marker == "env:container=docker"));
+        assert!(detected
+            .markers
+            .iter()
+            .any(|marker| marker == "/proc/1/cgroup:docker"));
+    }
+
+    #[test]
+    fn resolves_request_with_overrides() {
+        let config = SandboxConfig {
+            enabled: Some(true),
+            namespace_restrictions: Some(true),
+            network_isolation: Some(false),
+            filesystem_mode: Some(FilesystemIsolationMode::WorkspaceOnly),
+            allowed_mounts: vec!["logs".to_string()],
+        };
+
+        let request = config.resolve_request(
+            Some(true),
+            Some(false),
+            Some(true),
+            Some(FilesystemIsolationMode::AllowList),
+            Some(vec!["tmp".to_string()]),
+        );
+
+        assert!(request.enabled);
+        assert!(!request.namespace_restrictions);
+        assert!(request.network_isolation);
+        assert_eq!(request.filesystem_mode, FilesystemIsolationMode::AllowList);
+        assert_eq!(request.allowed_mounts, vec!["tmp"]);
+    }
+
+    #[test]
+    fn builds_linux_launcher_with_network_flag_when_requested() {
+        let config = SandboxConfig::default();
+        let status = super::resolve_sandbox_status_for_request(
+            &config.resolve_request(
+                Some(true),
+                Some(true),
+                Some(true),
+                Some(FilesystemIsolationMode::WorkspaceOnly),
+                None,
+            ),
+            Path::new("/workspace"),
+        );
+
+        if let Some(launcher) =
+            build_linux_sandbox_command("printf hi", Path::new("/workspace"), &status)
+        {
+            assert_eq!(launcher.program, "unshare");
+            assert!(launcher.args.iter().any(|arg| arg == "--mount"));
+            assert!(launcher.args.iter().any(|arg| arg == "--net") == status.network_active);
+        }
+    }
+}
--- a/rust/crates/rusty-claude-cli/src/main.rs
+++ b/rust/crates/rusty-claude-cli/src/main.rs
@@ -23,8 +23,8 @@ use compat_harness::{extract_manifest, UpstreamPaths};
 use render::{Spinner, TerminalRenderer};
 use runtime::{
    clear_oauth_credentials, generate_pkce_pair, generate_state, load_system_prompt,
-    parse_oauth_callback_request_target, save_oauth_credentials, ApiClient, ApiRequest,
-    AssistantEvent, CompactionConfig, ConfigLoader, ConfigSource, ContentBlock,
+    parse_oauth_callback_request_target, resolve_sandbox_status, save_oauth_credentials, ApiClient,
+    ApiRequest, AssistantEvent, CompactionConfig, ConfigLoader, ConfigSource, ContentBlock,
    ConversationMessage, ConversationRuntime, MessageRole, OAuthAuthorizationRequest,
    OAuthTokenExchangeRequest, PermissionMode, PermissionPolicy, ProjectContext, RuntimeError,
    Session, TokenUsage, ToolError, ToolExecutor, UsageTracker,
@@ -591,6 +591,7 @@ struct StatusContext {
    memory_file_count: usize,
    project_root: Option<PathBuf>,
    git_branch: Option<String>,
+    sandbox_status: runtime::SandboxStatus,
 }

 #[derive(Debug, Clone, Copy)]
@@ -840,6 +841,18 @@ fn run_resume_command(
                )),
            })
        }
+        SlashCommand::Sandbox => {
+            let cwd = env::current_dir()?;
+            let loader = ConfigLoader::default_for(&cwd);
+            let runtime_config = loader.load()?;
+            Ok(ResumeCommandOutcome {
+                session: session.clone(),
+                message: Some(format_sandbox_report(&resolve_sandbox_status(
+                    runtime_config.sandbox(),
+                    &cwd,
+                ))),
+            })
+        }
        SlashCommand::Cost => {
            let usage = UsageTracker::from_session(session).cumulative_usage();
            Ok(ResumeCommandOutcome {
@@ -1091,6 +1104,10 @@ impl LiveCli {
                self.print_status();
                false
            }
+            SlashCommand::Sandbox => {
+                Self::print_sandbox_status();
+                false
+            }
            SlashCommand::Compact => {
                self.compact()?;
                false
@@ -1162,6 +1179,18 @@ impl LiveCli {
        );
    }

+    fn print_sandbox_status() {
+        let cwd = env::current_dir().expect("current dir");
+        let loader = ConfigLoader::default_for(&cwd);
+        let runtime_config = loader
+            .load()
+            .unwrap_or_else(|_| runtime::RuntimeConfig::empty());
+        println!(
+            "{}",
+            format_sandbox_report(&resolve_sandbox_status(runtime_config.sandbox(), &cwd))
+        );
+    }
+
    fn set_model(&mut self, model: Option<String>) -> Result<bool, Box<dyn std::error::Error>> {
        let Some(model) = model else {
            println!(
@@ -1534,10 +1563,10 @@ fn status_context(
    let loader = ConfigLoader::default_for(&cwd);
    let discovered_config_files = loader.discover().len();
    let runtime_config = loader.load()?;
-    let discovered_config_files = discovered_config_files.max(runtime_config.loaded_entries().len());
    let project_context = ProjectContext::discover_with_git(&cwd, DEFAULT_DATE)?;
    let (project_root, git_branch) =
        parse_git_status_metadata(project_context.git_status.as_deref());
+    let sandbox_status = resolve_sandbox_status(runtime_config.sandbox(), &cwd);
    Ok(StatusContext {
        cwd,
        session_path: session_path.map(Path::to_path_buf),
@@ -1546,6 +1575,7 @@ fn status_context(
        memory_file_count: project_context.instruction_files.len(),
        project_root,
        git_branch,
+        sandbox_status,
    })
 }

@@ -1598,6 +1628,7 @@ fn format_status_report(
            context.discovered_config_files,
            context.memory_file_count,
        ),
+        format_sandbox_report(&context.sandbox_status),
    ]
    .join(
        "
@@ -1606,6 +1637,49 @@ fn format_status_report(
    )
 }

+fn format_sandbox_report(status: &runtime::SandboxStatus) -> String {
+    format!(
+        "Sandbox
+  Enabled           {}
+  Active            {}
+  Supported         {}
+  In container      {}
+  Requested ns      {}
+  Active ns         {}
+  Requested net     {}
+  Active net        {}
+  Filesystem mode   {}
+  Filesystem active {}
+  Allowed mounts    {}
+  Markers           {}
+  Fallback reason   {}",
+        status.enabled,
+        status.active,
+        status.supported,
+        status.in_container,
+        status.requested.namespace_restrictions,
+        status.namespace_active,
+        status.requested.network_isolation,
+        status.network_active,
+        status.filesystem_mode.as_str(),
+        status.filesystem_active,
+        if status.allowed_mounts.is_empty() {
+            "<none>".to_string()
+        } else {
+            status.allowed_mounts.join(", ")
+        },
+        if status.container_markers.is_empty() {
+            "<none>".to_string()
+        } else {
+            status.container_markers.join(", ")
+        },
+        status
+            .fallback_reason
+            .clone()
+            .unwrap_or_else(|| "<none>".to_string()),
+    )
+}
+
 fn render_config_report(section: Option<&str>) -> Result<String, Box<dyn std::error::Error>> {
    let cwd = env::current_dir()?;
    let loader = ConfigLoader::default_for(&cwd);
@@ -2602,6 +2676,7 @@ mod tests {
        assert!(help.contains("REPL"));
        assert!(help.contains("/help"));
        assert!(help.contains("/status"));
+        assert!(help.contains("/sandbox"));
        assert!(help.contains("/model [model]"));
        assert!(help.contains("/permissions [read-only|workspace-write|danger-full-access]"));
        assert!(help.contains("/clear [--confirm]"));
@@ -2626,8 +2701,8 @@ mod tests {
        assert_eq!(
            names,
            vec![
-                "help", "status", "compact", "clear", "cost", "config", "memory", "init", "diff",
-                "version", "export",
+                "help", "status", "sandbox", "compact", "clear", "cost", "config", "memory",
+                "init", "diff", "version", "export",
            ]
        );
    }
@@ -2745,6 +2820,7 @@ mod tests {
                memory_file_count: 4,
                project_root: Some(PathBuf::from("/tmp")),
                git_branch: Some("main".to_string()),
+                sandbox_status: runtime::SandboxStatus::default(),
            },
        );
        assert!(status.contains("Status"));
@@ -2798,7 +2874,7 @@ mod tests {
    fn status_context_reads_real_workspace_metadata() {
        let context = status_context(None).expect("status context should load");
        assert!(context.cwd.is_absolute());
-        assert!(context.discovered_config_files >= 3);
+        assert_eq!(context.discovered_config_files, 5);
        assert!(context.loaded_config_files <= context.discovered_config_files);
    }

@@ -2906,3 +2982,17 @@ mod tests {
        assert!(done.contains("contents"));
    }
 }
+
+#[cfg(test)]
+mod sandbox_report_tests {
+    use super::format_sandbox_report;
+
+    #[test]
+    fn sandbox_report_renders_expected_fields() {
+        let report = format_sandbox_report(&runtime::SandboxStatus::default());
+        assert!(report.contains("Sandbox"));
+        assert!(report.contains("Enabled"));
+        assert!(report.contains("Filesystem mode"));
+        assert!(report.contains("Fallback reason"));
+    }
+}
--- a/rust/crates/tools/Cargo.toml
+++ b/rust/crates/tools/Cargo.toml
@@ -6,12 +6,10 @@ license.workspace = true
 publish.workspace = true

 [dependencies]
-api = { path = "../api" }
 runtime = { path = "../runtime" }
 reqwest = { version = "0.12", default-features = false, features = ["blocking", "rustls-tls"] }
 serde = { version = "1", features = ["derive"] }
 serde_json = "1"
-tokio = { version = "1", features = ["rt-multi-thread"] }

 [lints]
 workspace = true
--- a/rust/crates/tools/src/lib.rs
+++ b/rust/crates/tools/src/lib.rs
@@ -3,17 +3,10 @@ use std::path::{Path, PathBuf};
 use std::process::Command;
 use std::time::{Duration, Instant};

-use api::{
-    resolve_startup_auth_source, AnthropicClient, ContentBlockDelta, InputContentBlock,
-    InputMessage, MessageRequest, OutputContentBlock, StreamEvent as ApiStreamEvent, ToolChoice,
-    ToolDefinition, ToolResultContentBlock,
-};
 use reqwest::blocking::Client;
 use runtime::{
-    edit_file, execute_bash, glob_search, grep_search, load_system_prompt, read_file, write_file,
-    ApiClient, ApiRequest, AssistantEvent, BashCommandInput, ConfigLoader, ContentBlock,
-    ConversationMessage, ConversationRuntime, GrepSearchInput, MessageRole, PermissionMode,
-    PermissionPolicy, RuntimeError, Session, TokenUsage, ToolError, ToolExecutor,
+    edit_file, execute_bash, glob_search, grep_search, read_file, write_file, BashCommandInput,
+    GrepSearchInput, PermissionMode,
 };
 use serde::{Deserialize, Serialize};
 use serde_json::{json, Value};
@@ -69,7 +62,11 @@ pub fn mvp_tool_specs() -> Vec<ToolSpec> {
                    "timeout": { "type": "integer", "minimum": 1 },
                    "description": { "type": "string" },
                    "run_in_background": { "type": "boolean" },
-                    "dangerouslyDisableSandbox": { "type": "boolean" }
+                    "dangerouslyDisableSandbox": { "type": "boolean" },
+                    "namespaceRestrictions": { "type": "boolean" },
+                    "isolateNetwork": { "type": "boolean" },
+                    "filesystemMode": { "type": "string", "enum": ["off", "workspace-only", "allow-list"] },
+                    "allowedMounts": { "type": "array", "items": { "type": "string" } }
                },
                "required": ["command"],
                "additionalProperties": false
@@ -241,8 +238,7 @@ pub fn mvp_tool_specs() -> Vec<ToolSpec> {
        },
        ToolSpec {
            name: "Agent",
-            description:
-                "Launch and execute a specialized child agent conversation with bounded recursion.",
+            description: "Launch a specialized agent task and persist its handoff metadata.",
            input_schema: json!({
                "type": "object",
                "properties": {
@@ -250,8 +246,7 @@ pub fn mvp_tool_specs() -> Vec<ToolSpec> {
                    "prompt": { "type": "string" },
                    "subagent_type": { "type": "string" },
                    "name": { "type": "string" },
-                    "model": { "type": "string" },
-                    "max_depth": { "type": "integer", "minimum": 0 }
+                    "model": { "type": "string" }
                },
                "required": ["description", "prompt"],
                "additionalProperties": false
@@ -588,7 +583,6 @@ struct AgentInput {
    subagent_type: Option<String>,
    name: Option<String>,
    model: Option<String>,
-    max_depth: Option<usize>,
 }

 #[derive(Debug, Deserialize)]
@@ -722,16 +716,6 @@ struct AgentOutput {
    subagent_type: Option<String>,
    model: Option<String>,
    status: String,
-    #[serde(rename = "maxDepth")]
-    max_depth: usize,
-    #[serde(rename = "depth")]
-    depth: usize,
-    #[serde(rename = "result")]
-    result: Option<String>,
-    #[serde(rename = "assistantMessages")]
-    assistant_messages: Vec<String>,
-    #[serde(rename = "toolResults")]
-    tool_results: Vec<AgentToolResult>,
    #[serde(rename = "outputFile")]
    output_file: String,
    #[serde(rename = "manifestFile")]
@@ -740,15 +724,6 @@ struct AgentOutput {
    created_at: String,
 }

-#[derive(Debug, Clone, Serialize, Deserialize)]
-struct AgentToolResult {
-    #[serde(rename = "toolName")]
-    tool_name: String,
-    output: String,
-    #[serde(rename = "isError")]
-    is_error: bool,
-}
-
 #[derive(Debug, Serialize)]
 struct ToolSearchOutput {
    matches: Vec<String>,
@@ -1360,14 +1335,6 @@ fn execute_agent(input: AgentInput) -> Result<AgentOutput, String> {
        return Err(String::from("prompt must not be empty"));
    }

-    let depth = current_agent_depth()?;
-    let max_depth = input.max_depth.unwrap_or(3);
-    if depth >= max_depth {
-        return Err(format!(
-            "Agent max_depth exceeded: current depth {depth} reached limit {max_depth}"
-        ));
-    }
-
    let agent_id = make_agent_id();
    let output_dir = agent_store_dir()?;
    std::fs::create_dir_all(&output_dir).map_err(|error| error.to_string())?;
@@ -1381,31 +1348,35 @@ fn execute_agent(input: AgentInput) -> Result<AgentOutput, String> {
        .filter(|name| !name.is_empty())
        .unwrap_or_else(|| slugify_agent_name(&input.description));
    let created_at = iso8601_now();
-    let model = input.model.clone().or_else(agent_default_model);

-    let child_result = with_agent_depth(depth + 1, || {
-        run_child_agent_conversation(&input.prompt, model.clone(), max_depth)
-    })?;
+    let output_contents = format!(
+        "# Agent Task
+
+- id: {}
+- name: {}
+- description: {}
+- subagent_type: {}
+- created_at: {}
+
+## Prompt
+
+{}
+",
+        agent_id, agent_name, input.description, normalized_subagent_type, created_at, input.prompt
+    );
+    std::fs::write(&output_file, output_contents).map_err(|error| error.to_string())?;

    let manifest = AgentOutput {
        agent_id,
        name: agent_name,
        description: input.description,
        subagent_type: Some(normalized_subagent_type),
-        model,
-        status: String::from("completed"),
-        max_depth,
-        depth,
-        result: child_result.result.clone(),
-        assistant_messages: child_result.assistant_messages.clone(),
-        tool_results: child_result.tool_results.clone(),
+        model: input.model,
+        status: String::from("queued"),
        output_file: output_file.display().to_string(),
        manifest_file: manifest_file.display().to_string(),
        created_at,
    };
-
-    let output_contents = render_agent_output(&manifest);
-    std::fs::write(&output_file, output_contents).map_err(|error| error.to_string())?;
    std::fs::write(
        &manifest_file,
        serde_json::to_string_pretty(&manifest).map_err(|error| error.to_string())?,
@@ -1415,461 +1386,6 @@ fn execute_agent(input: AgentInput) -> Result<AgentOutput, String> {
    Ok(manifest)
 }

-#[derive(Debug, Clone)]
-struct ChildConversationResult {
-    result: Option<String>,
-    assistant_messages: Vec<String>,
-    tool_results: Vec<AgentToolResult>,
-}
-
-fn run_child_agent_conversation(
-    prompt: &str,
-    model: Option<String>,
-    _max_depth: usize,
-) -> Result<ChildConversationResult, String> {
-    let mut runtime = ConversationRuntime::new(
-        Session::new(),
-        build_agent_api_client(model.unwrap_or_else(default_agent_model))?,
-        AgentToolExecutor,
-        agent_permission_policy(),
-        build_agent_system_prompt()?,
-    )
-    .with_max_iterations(16);
-
-    let summary = runtime
-        .run_turn(prompt, None)
-        .map_err(|error| error.to_string())?;
-
-    let assistant_messages = summary
-        .assistant_messages
-        .iter()
-        .filter_map(extract_message_text)
-        .collect::<Vec<_>>();
-    let tool_results = summary
-        .tool_results
-        .iter()
-        .filter_map(extract_agent_tool_result)
-        .collect::<Vec<_>>();
-    let result = assistant_messages.last().cloned();
-
-    Ok(ChildConversationResult {
-        result,
-        assistant_messages,
-        tool_results,
-    })
-}
-
-fn render_agent_output(output: &AgentOutput) -> String {
-    let mut lines = vec![
-        "# Agent Task".to_string(),
-        String::new(),
-        format!("- id: {}", output.agent_id),
-        format!("- name: {}", output.name),
-        format!("- description: {}", output.description),
-        format!(
-            "- subagent_type: {}",
-            output.subagent_type.as_deref().unwrap_or("general-purpose")
-        ),
-        format!("- status: {}", output.status),
-        format!("- depth: {}", output.depth),
-        format!("- max_depth: {}", output.max_depth),
-        format!("- created_at: {}", output.created_at),
-        String::new(),
-        "## Result".to_string(),
-        String::new(),
-        output
-            .result
-            .clone()
-            .unwrap_or_else(|| String::from("<no final assistant text>")),
-    ];
-
-    if !output.tool_results.is_empty() {
-        lines.push(String::new());
-        lines.push("## Tool Results".to_string());
-        lines.push(String::new());
-        lines.extend(output.tool_results.iter().map(|result| {
-            format!(
-                "- {} [{}]: {}",
-                result.tool_name,
-                if result.is_error { "error" } else { "ok" },
-                result.output
-            )
-        }));
-    }
-
-    lines.join("\n")
-}
-
-fn current_agent_depth() -> Result<usize, String> {
-    std::env::var("CLAWD_AGENT_DEPTH")
-        .ok()
-        .map(|value| {
-            value
-                .parse::<usize>()
-                .map_err(|error| format!("invalid CLAWD_AGENT_DEPTH: {error}"))
-        })
-        .transpose()
-        .map(|value| value.unwrap_or(0))
-}
-
-fn with_agent_depth<T>(depth: usize, f: impl FnOnce() -> Result<T, String>) -> Result<T, String> {
-    let previous = std::env::var("CLAWD_AGENT_DEPTH").ok();
-    std::env::set_var("CLAWD_AGENT_DEPTH", depth.to_string());
-    let result = f();
-    if let Some(previous) = previous {
-        std::env::set_var("CLAWD_AGENT_DEPTH", previous);
-    } else {
-        std::env::remove_var("CLAWD_AGENT_DEPTH");
-    }
-    result
-}
-
-fn agent_default_model() -> Option<String> {
-    std::env::var("CLAWD_MODEL")
-        .ok()
-        .filter(|value| !value.trim().is_empty())
-}
-
-fn default_agent_model() -> String {
-    agent_default_model().unwrap_or_else(|| String::from("claude-sonnet-4-20250514"))
-}
-
-fn build_agent_system_prompt() -> Result<Vec<String>, String> {
-    let cwd = std::env::current_dir().map_err(|error| error.to_string())?;
-    let date = std::env::var("CLAWD_CURRENT_DATE").unwrap_or_else(|_| String::from("2026-04-01"));
-    load_system_prompt(cwd, &date, std::env::consts::OS, "unknown")
-        .map_err(|error| error.to_string())
-}
-
-fn agent_permission_policy() -> PermissionPolicy {
-    mvp_tool_specs().into_iter().fold(
-        PermissionPolicy::new(PermissionMode::DangerFullAccess),
-        |policy, spec| policy.with_tool_requirement(spec.name, spec.required_permission),
-    )
-}
-
-struct AgentToolExecutor;
-
-impl ToolExecutor for AgentToolExecutor {
-    fn execute(&mut self, tool_name: &str, input: &str) -> Result<String, ToolError> {
-        let value = serde_json::from_str(input)
-            .map_err(|error| ToolError::new(format!("invalid tool input JSON: {error}")))?;
-        execute_tool(tool_name, &value).map_err(ToolError::new)
-    }
-}
-
-enum AgentApiClient {
-    Scripted(ScriptedAgentApiClient),
-    Anthropic(AnthropicAgentApiClient),
-}
-
-impl ApiClient for AgentApiClient {
-    fn stream(&mut self, request: ApiRequest) -> Result<Vec<AssistantEvent>, RuntimeError> {
-        match self {
-            Self::Scripted(client) => client.stream(request),
-            Self::Anthropic(client) => client.stream(request),
-        }
-    }
-}
-
-fn build_agent_api_client(model: String) -> Result<AgentApiClient, String> {
-    if let Some(script) = std::env::var("CLAWD_AGENT_TEST_SCRIPT")
-        .ok()
-        .filter(|value| !value.trim().is_empty())
-    {
-        return Ok(AgentApiClient::Scripted(ScriptedAgentApiClient::new(
-            &script,
-        )?));
-    }
-
-    Ok(AgentApiClient::Anthropic(AnthropicAgentApiClient::new(
-        model,
-    )?))
-}
-
-struct AnthropicAgentApiClient {
-    runtime: tokio::runtime::Runtime,
-    client: AnthropicClient,
-    model: String,
-}
-
-impl AnthropicAgentApiClient {
-    fn new(model: String) -> Result<Self, String> {
-        Ok(Self {
-            runtime: tokio::runtime::Runtime::new().map_err(|error| error.to_string())?,
-            client: AnthropicClient::from_auth(resolve_agent_auth_source()?),
-            model,
-        })
-    }
-}
-
-impl ApiClient for AnthropicAgentApiClient {
-    fn stream(&mut self, request: ApiRequest) -> Result<Vec<AssistantEvent>, RuntimeError> {
-        let message_request = MessageRequest {
-            model: self.model.clone(),
-            max_tokens: 32,
-            messages: convert_agent_messages(&request.messages),
-            system: (!request.system_prompt.is_empty()).then(|| {
-                request.system_prompt.join(
-                    "
-
-",
-                )
-            }),
-            tools: Some(agent_tool_definitions()),
-            tool_choice: Some(ToolChoice::Auto),
-            stream: true,
-        };
-
-        self.runtime.block_on(async {
-            let mut stream = self
-                .client
-                .stream_message(&message_request)
-                .await
-                .map_err(|error| RuntimeError::new(error.to_string()))?;
-            let mut events = Vec::new();
-            let mut pending_tool: Option<(String, String, String)> = None;
-            let mut saw_stop = false;
-
-            while let Some(event) = stream
-                .next_event()
-                .await
-                .map_err(|error| RuntimeError::new(error.to_string()))?
-            {
-                match event {
-                    ApiStreamEvent::MessageStart(start) => {
-                        push_agent_output_blocks(
-                            start.message.content,
-                            &mut events,
-                            &mut pending_tool,
-                        );
-                    }
-                    ApiStreamEvent::ContentBlockStart(start) => {
-                        push_agent_output_block(
-                            start.content_block,
-                            &mut events,
-                            &mut pending_tool,
-                        );
-                    }
-                    ApiStreamEvent::ContentBlockDelta(delta) => match delta.delta {
-                        ContentBlockDelta::TextDelta { text } => {
-                            if !text.is_empty() {
-                                events.push(AssistantEvent::TextDelta(text));
-                            }
-                        }
-                        ContentBlockDelta::InputJsonDelta { partial_json } => {
-                            if let Some((_, _, input)) = &mut pending_tool {
-                                input.push_str(&partial_json);
-                            }
-                        }
-                    },
-                    ApiStreamEvent::ContentBlockStop(_) => {
-                        if let Some((id, name, input)) = pending_tool.take() {
-                            events.push(AssistantEvent::ToolUse { id, name, input });
-                        }
-                    }
-                    ApiStreamEvent::MessageDelta(delta) => {
-                        events.push(AssistantEvent::Usage(TokenUsage {
-                            input_tokens: delta.usage.input_tokens,
-                            output_tokens: delta.usage.output_tokens,
-                            cache_creation_input_tokens: delta.usage.cache_creation_input_tokens,
-                            cache_read_input_tokens: delta.usage.cache_read_input_tokens,
-                        }));
-                    }
-                    ApiStreamEvent::MessageStop(_) => {
-                        saw_stop = true;
-                        events.push(AssistantEvent::MessageStop);
-                    }
-                }
-            }
-
-            if !saw_stop {
-                events.push(AssistantEvent::MessageStop);
-            }
-
-            Ok(events)
-        })
-    }
-}
-
-fn resolve_agent_auth_source() -> Result<api::AuthSource, String> {
-    resolve_startup_auth_source(|| {
-        let cwd = std::env::current_dir().map_err(api::ApiError::from)?;
-        let config = ConfigLoader::default_for(&cwd).load().map_err(|error| {
-            api::ApiError::Auth(format!("failed to load runtime OAuth config: {error}"))
-        })?;
-        Ok(config.oauth().cloned())
-    })
-    .map_err(|error| error.to_string())
-}
-
-fn agent_tool_definitions() -> Vec<ToolDefinition> {
-    mvp_tool_specs()
-        .into_iter()
-        .map(|spec| ToolDefinition {
-            name: spec.name.to_string(),
-            description: Some(spec.description.to_string()),
-            input_schema: spec.input_schema,
-        })
-        .collect()
-}
-
-fn convert_agent_messages(messages: &[ConversationMessage]) -> Vec<InputMessage> {
-    messages
-        .iter()
-        .filter_map(|message| {
-            let role = match message.role {
-                MessageRole::System | MessageRole::User | MessageRole::Tool => "user",
-                MessageRole::Assistant => "assistant",
-            };
-            let content = message
-                .blocks
-                .iter()
-                .map(|block| match block {
-                    ContentBlock::Text { text } => InputContentBlock::Text { text: text.clone() },
-                    ContentBlock::ToolUse { id, name, input } => InputContentBlock::ToolUse {
-                        id: id.clone(),
-                        name: name.clone(),
-                        input: serde_json::from_str(input)
-                            .unwrap_or_else(|_| serde_json::json!({ "raw": input })),
-                    },
-                    ContentBlock::ToolResult {
-                        tool_use_id,
-                        output,
-                        is_error,
-                        ..
-                    } => InputContentBlock::ToolResult {
-                        tool_use_id: tool_use_id.clone(),
-                        content: vec![ToolResultContentBlock::Text {
-                            text: output.clone(),
-                        }],
-                        is_error: *is_error,
-                    },
-                })
-                .collect::<Vec<_>>();
-            (!content.is_empty()).then(|| InputMessage {
-                role: role.to_string(),
-                content,
-            })
-        })
-        .collect()
-}
-
-fn push_agent_output_blocks(
-    blocks: Vec<OutputContentBlock>,
-    events: &mut Vec<AssistantEvent>,
-    pending_tool: &mut Option<(String, String, String)>,
-) {
-    for block in blocks {
-        push_agent_output_block(block, events, pending_tool);
-        if let Some((id, name, input)) = pending_tool.take() {
-            events.push(AssistantEvent::ToolUse { id, name, input });
-        }
-    }
-}
-
-fn push_agent_output_block(
-    block: OutputContentBlock,
-    events: &mut Vec<AssistantEvent>,
-    pending_tool: &mut Option<(String, String, String)>,
-) {
-    match block {
-        OutputContentBlock::Text { text } => {
-            if !text.is_empty() {
-                events.push(AssistantEvent::TextDelta(text));
-            }
-        }
-        OutputContentBlock::ToolUse { id, name, input } => {
-            *pending_tool = Some((id, name, input.to_string()));
-        }
-    }
-}
-
-#[derive(Debug)]
-struct ScriptedAgentApiClient {
-    turns: Vec<Vec<ScriptedAgentEvent>>,
-    call_count: usize,
-}
-
-impl ScriptedAgentApiClient {
-    fn new(script: &str) -> Result<Self, String> {
-        let turns = serde_json::from_str(script).map_err(|error| error.to_string())?;
-        Ok(Self {
-            turns,
-            call_count: 0,
-        })
-    }
-}
-
-impl ApiClient for ScriptedAgentApiClient {
-    fn stream(&mut self, _request: ApiRequest) -> Result<Vec<AssistantEvent>, RuntimeError> {
-        if self.call_count >= self.turns.len() {
-            return Err(RuntimeError::new("scripted agent client exhausted"));
-        }
-        let events = self.turns[self.call_count]
-            .iter()
-            .map(ScriptedAgentEvent::to_runtime_event)
-            .chain(std::iter::once(AssistantEvent::MessageStop))
-            .collect();
-        self.call_count += 1;
-        Ok(events)
-    }
-}
-
-#[derive(Debug, Clone, Deserialize)]
-#[serde(tag = "type", rename_all = "snake_case")]
-enum ScriptedAgentEvent {
-    Text {
-        text: String,
-    },
-    ToolUse {
-        id: String,
-        name: String,
-        input: Value,
-    },
-}
-
-impl ScriptedAgentEvent {
-    fn to_runtime_event(&self) -> AssistantEvent {
-        match self {
-            Self::Text { text } => AssistantEvent::TextDelta(text.clone()),
-            Self::ToolUse { id, name, input } => AssistantEvent::ToolUse {
-                id: id.clone(),
-                name: name.clone(),
-                input: input.to_string(),
-            },
-        }
-    }
-}
-
-fn extract_message_text(message: &ConversationMessage) -> Option<String> {
-    let text = message
-        .blocks
-        .iter()
-        .filter_map(|block| match block {
-            ContentBlock::Text { text } => Some(text.as_str()),
-            _ => None,
-        })
-        .collect::<String>();
-    (!text.is_empty()).then_some(text)
-}
-
-fn extract_agent_tool_result(message: &ConversationMessage) -> Option<AgentToolResult> {
-    message.blocks.iter().find_map(|block| match block {
-        ContentBlock::ToolResult {
-            tool_name,
-            output,
-            is_error,
-            ..
-        } => Some(AgentToolResult {
-            tool_name: tool_name.clone(),
-            output: output.clone(),
-            is_error: *is_error,
-        }),
-        _ => None,
-    })
-}
-
 #[allow(clippy::needless_pass_by_value)]
 fn execute_tool_search(input: ToolSearchInput) -> ToolSearchOutput {
    let deferred = deferred_tool_specs();
@@ -2702,6 +2218,7 @@ fn execute_shell_command(
            structured_content: None,
            persisted_output_path: None,
            persisted_output_size: None,
+            sandbox_status: None,
        });
    }

@@ -2739,6 +2256,7 @@ fn execute_shell_command(
                    structured_content: None,
                    persisted_output_path: None,
                    persisted_output_size: None,
+                    sandbox_status: None,
                });
            }
            if started.elapsed() >= Duration::from_millis(timeout_ms) {
@@ -2769,6 +2287,7 @@ Command exceeded timeout of {timeout_ms} ms",
                    structured_content: None,
                    persisted_output_path: None,
                    persisted_output_size: None,
+                    sandbox_status: None,
                });
            }
            std::thread::sleep(Duration::from_millis(10));
@@ -2795,6 +2314,7 @@ Command exceeded timeout of {timeout_ms} ms",
        structured_content: None,
        persisted_output_path: None,
        persisted_output_size: None,
+        sandbox_status: None,
    })
 }

@@ -3251,28 +2771,12 @@ mod tests {
    }

    #[test]
-    fn agent_executes_child_conversation_and_persists_results() {
+    fn agent_persists_handoff_metadata() {
        let _guard = env_lock()
            .lock()
            .unwrap_or_else(std::sync::PoisonError::into_inner);
        let dir = temp_path("agent-store");
        std::env::set_var("CLAWD_AGENT_STORE", &dir);
-        std::env::set_var(
-            "CLAWD_AGENT_TEST_SCRIPT",
-            serde_json::to_string(&vec![
-                vec![json!({
-                    "type": "tool_use",
-                    "id": "tool-1",
-                    "name": "StructuredOutput",
-                    "input": {"ok": true, "items": [1, 2, 3]}
-                })],
-                vec![json!({
-                    "type": "text",
-                    "text": "Child agent completed successfully."
-                })],
-            ])
-            .expect("script json"),
-        );

        let result = execute_tool(
            "Agent",
@@ -3284,35 +2788,22 @@ mod tests {
            }),
        )
        .expect("Agent should succeed");
-        std::env::remove_var("CLAWD_AGENT_TEST_SCRIPT");
        std::env::remove_var("CLAWD_AGENT_STORE");

        let output: serde_json::Value = serde_json::from_str(&result).expect("valid json");
        assert_eq!(output["name"], "ship-audit");
        assert_eq!(output["subagentType"], "Explore");
-        assert_eq!(output["status"], "completed");
-        assert_eq!(output["depth"], 0);
-        assert_eq!(output["maxDepth"], 3);
-        assert_eq!(output["result"], "Child agent completed successfully.");
-        assert_eq!(output["toolResults"][0]["toolName"], "StructuredOutput");
-        assert_eq!(output["toolResults"][0]["isError"], false);
+        assert_eq!(output["status"], "queued");
+        assert!(output["createdAt"].as_str().is_some());
        let manifest_file = output["manifestFile"].as_str().expect("manifest file");
        let output_file = output["outputFile"].as_str().expect("output file");
        let contents = std::fs::read_to_string(output_file).expect("agent file exists");
        let manifest_contents =
            std::fs::read_to_string(manifest_file).expect("manifest file exists");
-        assert!(contents.contains("Child agent completed successfully."));
-        assert!(contents.contains("StructuredOutput [ok]"));
+        assert!(contents.contains("Audit the branch"));
+        assert!(contents.contains("Check tests and outstanding work."));
        assert!(manifest_contents.contains("\"subagentType\": \"Explore\""));

-        std::env::set_var(
-            "CLAWD_AGENT_TEST_SCRIPT",
-            serde_json::to_string(&vec![vec![json!({
-                "type": "text",
-                "text": "Normalized alias check."
-            })]])
-            .expect("script json"),
-        );
        let normalized = execute_tool(
            "Agent",
            &json!({
@@ -3322,19 +2813,10 @@ mod tests {
            }),
        )
        .expect("Agent should normalize built-in aliases");
-        std::env::remove_var("CLAWD_AGENT_TEST_SCRIPT");
        let normalized_output: serde_json::Value =
            serde_json::from_str(&normalized).expect("valid json");
        assert_eq!(normalized_output["subagentType"], "Explore");

-        std::env::set_var(
-            "CLAWD_AGENT_TEST_SCRIPT",
-            serde_json::to_string(&vec![vec![json!({
-                "type": "text",
-                "text": "Name normalization check."
-            })]])
-            .expect("script json"),
-        );
        let named = execute_tool(
            "Agent",
            &json!({
@@ -3344,14 +2826,13 @@ mod tests {
            }),
        )
        .expect("Agent should normalize explicit names");
-        std::env::remove_var("CLAWD_AGENT_TEST_SCRIPT");
        let named_output: serde_json::Value = serde_json::from_str(&named).expect("valid json");
        assert_eq!(named_output["name"], "ship-audit");
        let _ = std::fs::remove_dir_all(dir);
    }

    #[test]
-    fn agent_rejects_blank_required_fields_and_enforces_max_depth() {
+    fn agent_rejects_blank_required_fields() {
        let missing_description = execute_tool(
            "Agent",
            &json!({
@@ -3371,22 +2852,6 @@ mod tests {
        )
        .expect_err("blank prompt should fail");
        assert!(missing_prompt.contains("prompt must not be empty"));
-
-        let _guard = env_lock()
-            .lock()
-            .unwrap_or_else(std::sync::PoisonError::into_inner);
-        std::env::set_var("CLAWD_AGENT_DEPTH", "1");
-        let depth_error = execute_tool(
-            "Agent",
-            &json!({
-                "description": "Nested agent",
-                "prompt": "Do nested work.",
-                "max_depth": 1
-            }),
-        )
-        .expect_err("max depth should fail");
-        std::env::remove_var("CLAWD_AGENT_DEPTH");
-        assert!(depth_error.contains("max_depth exceeded"));
    }

    #[test]