Fix sub-agent cwd/workspace separation

[mbelinky]

Summary

Fixes sub-agent runs that need to work in a task repository while still loading agent bootstrap/context files from the configured agent workspace.

• threads cwd separately from workspaceDir through native sub-agent, CLI runner, Codex app-server, session metadata, and transcript mirroring paths
• records spawnedCwd / transcript header cwd so child sessions reflect the task working directory without treating it as the agent workspace
• keeps the cwd override on sessions_spawn / stored child-session lineage instead of exposing a generic public agent cwd override
• updates the sessions protocol schema, generated Swift protocol model, and sub-agent docs for the new child cwd metadata/parameter
• adds regression coverage for native and Codex child runs using a separate task cwd

Release note context: this touches runtime/session/protocol behavior. Maintainers should decide whether the active release/2026.5.26 line needs inclusion.

Verification

• pnpm protocol:gen && pnpm protocol:gen:swift
• node scripts/run-vitest.mjs extensions/codex/src/app-server/run-attempt.test.ts src/config/sessions/transcript.test.ts src/agents/pi-embedded-runner/run/attempt.cwd-split.test.ts src/agents/pi-embedded-runner/session-manager-init.test.ts src/gateway/server-methods/agent.test.ts — 7 files, 520 tests passed on the pre-review head
• node scripts/run-vitest.mjs src/agents/subagent-spawn.test.ts src/gateway/server-methods/agent.test.ts — 4 files, 274 tests passed after the review hardening change
• node scripts/run-tsgo.mjs -p tsconfig.core.json --incremental --tsBuildInfoFile .artifacts/tsgo-cache/core-pr87218-review-fix.tsbuildinfo
• node scripts/run-tsgo.mjs -p test/tsconfig/tsconfig.test.src.json --incremental --tsBuildInfoFile .artifacts/tsgo-cache/test-src-pr87218-review-fix.tsbuildinfo
• git diff --check

Real behavior proof

Behavior addressed: A sub-agent can now load bootstrap files from its configured agent workspace while executing delegated work from a separate task cwd.

Real environment tested: Local current-main source checkout plus a live gateway-style sub-agent run against a temporary task directory; a remote Linux Testbox lane also passed the focused test set earlier in the repair cycle.

Exact steps or command run after this patch: The focused commands listed in Verification were rerun after rebasing onto current origin/main; after review, the public agent cwd override was removed and the affected sub-agent/gateway tests plus type probes were rerun.

Evidence after fix: The child run reported the task cwd, read the task marker from that cwd, and did not require bootstrap files to exist in the task directory. Transcript/session metadata preserved the task cwd while workspace bootstrap loading stayed tied to the agent workspace. The final branch head is 6b505a7325.

Observed result after fix: Focused tests passed, protocol artifacts regenerated cleanly, and type probes passed on the final branch head.

What was not tested: Full repository test suite and full release CI were not run locally. AWS Crabbox was attempted earlier but blocked before command execution by validation-provider capacity, so the remote proof used the available Testbox lane instead.

[clawsweeper]

Codex review: needs real behavior proof before merge. Reviewed May 27, 2026, 10:09 AM ET / 14:09 UTC.

Summary
The PR threads a separate task cwd alongside agent workspaceDir through native/Codex sub-agent runs, session metadata/protocol, transcripts, compaction, docs, and regression tests.

PR surface: Source +230, Tests +618, Docs +4, Other +4. Total +856 across 79 files.

Reproducibility: yes. for the review finding from source inspection: current main maps sessions_spawn.cwd to the child workspace, while the PR adds sandboxed cwd rejection paths. I did not run tests because this was a read-only review.

Review metrics: 2 noteworthy metrics.

• Gateway session metadata fields: 1 added (spawnedCwd). The additive protocol/session field affects operator clients and stored session lineage, so upgrade semantics need review before merge.
• Sandboxed cwd rejection paths: 4 added. The PR adds fail-closed cwd override checks across native spawn, embedded agent, embedded compaction, and Codex app-server paths.

Merge readiness
Overall: 🧂 unranked krab
Proof: 🦪 silver shellfish
Patch quality: 🦐 gold shrimp
Result: blocked until stronger real behavior proof is added.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

• Preserve sandboxed task-cwd delegation or get explicit maintainer approval for the fail-closed break.
• Add inspectable redacted real behavior proof, such as terminal output or logs from a live gateway-style sub-agent run.
• Remove the normal-PR CHANGELOG.md edit.

Proof guidance:
Needs stronger real behavior proof before merge: The PR body gives a narrative and test output summary, but no inspectable terminal output, logs, recording, or linked artifact showing the after-fix live cwd/workspace split; add redacted proof before merge. After adding proof, update the PR body; ClawSweeper should re-review automatically. If it does not, the PR author or someone with repository write access can comment @clawsweeper re-review.

Risk before merge

• Existing sandboxed sessions_spawn.cwd callers that currently run by treating cwd as the child workspace would receive a forbidden response after this PR.
• The cwd/workspace split crosses runtime filesystem roots and sandbox policy; maintainers need explicit upgrade and boundary proof before accepting a fail-closed path.
• The PR still needs inspectable real behavior proof beyond tests and narrative before merge.

Maintainer options:

1. Preserve sandboxed cwd delegation (recommended)
   Repair the branch so sandboxed native/Codex child runs can still execute in the requested task cwd while bootstrap files remain rooted in the agent workspace, with focused sandbox coverage.
2. Approve the fail-closed contract
   Maintainers can intentionally accept the sandboxed cwd rejection, but the PR should document the break and provide upgrade/release-note context before merge.
3. Pause for sandbox design
   If preserving cwd inside sandbox needs a larger filesystem-mapping design, pause this PR rather than landing a partial behavior change.

Next step before merge
Manual review is needed because the remaining blocker is a sandbox compatibility and security-boundary contract decision plus contributor-supplied real behavior proof.

Security
Cleared: No concrete secret, dependency, or supply-chain regression was found, but the sandbox/filesystem cwd boundary remains a merge-risk decision.

Review findings

• [P1] Preserve sandboxed cwd spawns — src/agents/subagent-spawn.ts:894-900
• [P3] Remove the release-owned changelog entry — CHANGELOG.md:15

Review details

Best possible solution:

Land a version that preserves sandboxed task-cwd delegation by safely mapping the task cwd into the sandbox while keeping bootstrap files in the agent workspace, or get explicit maintainer approval and docs for a fail-closed break; keep release-note context in the PR body instead of CHANGELOG.md.

Do we have a high-confidence way to reproduce the issue?

Yes for the review finding from source inspection: current main maps sessions_spawn.cwd to the child workspace, while the PR adds sandboxed cwd rejection paths. I did not run tests because this was a read-only review.

Is this the best way to solve the issue?

No: separating runtime cwd from bootstrap workspace is the right direction, but the current fail-closed sandbox behavior is not the safest compatibility path without maintainer approval and upgrade proof.

Full review comments:

• [P1] Preserve sandboxed cwd spawns — src/agents/subagent-spawn.ts:894-900
  Current main treats sessions_spawn.cwd as the child workspace, so sandboxed child runs can execute in that requested cwd through the existing sandboxed workspace path. This new rejection turns those calls into forbidden instead of preserving the behavior with a safe task-cwd sandbox mapping, which can break existing sandboxed delegation workflows.
  Confidence: 0.87
• [P3] Remove the release-owned changelog entry — CHANGELOG.md:15
CHANGELOG.md is release-owned in this repo, and normal PRs should keep release-note context in the PR body or commit message instead. Please drop this entry so release generation remains the source of truth.
  Confidence: 0.93

Overall correctness: patch is incorrect
Overall confidence: 0.86

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 4d099c354b69.

Label changes

Label justifications:

• P1: The PR changes a core sub-agent runtime path and can break sandboxed delegated work for existing users.
• merge-risk: 🚨 compatibility: Sandboxed sessions_spawn.cwd requests that current main accepts can become forbidden after merge.
• merge-risk: 🚨 security-boundary: The patch changes filesystem cwd routing across native/Codex tools and sandboxed paths, so the sandbox boundary needs maintainer review beyond green tests.
• rating: 🧂 unranked krab: Overall readiness is 🧂 unranked krab; proof is 🦪 silver shellfish and patch quality is 🦐 gold shrimp.
• status: 📣 needs proof: The PR needs real behavior proof before ClawSweeper can clear the contributor ask. Needs stronger real behavior proof before merge: The PR body gives a narrative and test output summary, but no inspectable terminal output, logs, recording, or linked artifact showing the after-fix live cwd/workspace split; add redacted proof before merge. After adding proof, update the PR body; ClawSweeper should re-review automatically. If it does not, the PR author or someone with repository write access can comment @clawsweeper re-review.

Evidence reviewed

PR surface:

Source +230, Tests +618, Docs +4, Other +4. Total +856 across 79 files.

View PR surface stats

Area	Files	Added	Removed	Net
Source	49	302	72	+230
Tests	27	631	13	+618
Docs	2	4	0	+4
Config	0	0	0	0
Generated	0	0	0	0
Other	1	4	0	+4
Total	79	941	85	+856

Acceptance criteria:

• node scripts/run-vitest.mjs src/agents/subagent-spawn.test.ts src/agents/subagent-spawn.workspace.test.ts src/agents/pi-embedded-runner/run/attempt.cwd-split.test.ts src/gateway/server-methods/agent.test.ts
• node scripts/run-vitest.mjs extensions/codex/src/app-server/run-attempt.test.ts src/agents/pi-embedded-runner/compact.hooks.test.ts src/agents/command/cli-compaction.test.ts
• node scripts/run-tsgo.mjs -p tsconfig.core.json --incremental --tsBuildInfoFile .artifacts/tsgo-cache/core-pr87218-review.tsbuildinfo

What I checked:

• Current main cwd behavior: Current main maps sessions_spawn params.cwd into explicitWorkspaceDir, so a caller-provided cwd becomes the child workspace instead of being rejected at spawn time. (src/agents/subagent-spawn.ts:818, 4d099c354b69)
• Current sandbox policy: Current docs only say sandboxed requester sessions reject unsandboxed targets; they do not define a sandboxed-cwd rejection for sessions_spawn. Public docs: docs/tools/subagents.md. (docs/tools/subagents.md:350, 4d099c354b69)
• PR fail-closed behavior: The PR adds a childRuntime.sandboxed && spawnedCwd !== spawnedWorkspaceCwd rejection in native sub-agent spawn, and similar cwd-override rejection points for Codex app-server, embedded runs, and embedded compaction. (src/agents/subagent-spawn.ts:894, 85b92d638d6d)
• Repository compatibility policy: Root review policy treats fail-closed changes, stricter validation, provider/plugin behavior changes, and fallback changes as compatibility-sensitive merge risk even with green CI. (AGENTS.md:26, 4d099c354b69)
• Changelog policy: Root policy says CHANGELOG.md is release-owned and should not be edited for normal PRs; this branch adds a normal PR release-note line there. (AGENTS.md:191, 4d099c354b69)
• Real behavior proof gap: The PR body lists focused test and typecheck commands and narrates a live gateway-style run, but it does not attach inspectable terminal output, logs, a recording, or a linked artifact showing the after-fix cwd/workspace split. (85b92d638d6d)

Likely related people:

• Vincent Koc: Blame in the current checkout points the central sub-agent spawn, Pi tools, and gateway agent handling code to commit 1d4537a; history is grafted, so this is a routing signal rather than full ownership proof. (role: current area contributor; confidence: low; commits: 1d4537add32f; files: src/agents/subagent-spawn.ts, src/agents/pi-tools.ts, src/gateway/server-methods/agent.ts)

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[clawsweeper]

ClawSweeper PR egg

🎁 Pass real behavior proof to wake the egg and unlock a hatchable treat.

Where did the egg go?

• The egg game starts only after the PR passes the real-behavior proof check.
• Before that, no creature or rarity is rolled. The treat waits for real proof.
• This is still just collectible flavor: proof affects review readiness, not creature quality.

[mbelinky]

Merged via squash.

• Prepared head SHA: f47b073830f5f158153ad472eb09286b971f89fb
• Merge commit: 7299c5695317f74ddbe4a1a68efafd723a38c6c1

Thanks @mbelinky!