refactor(sandbox): unify scope + per-agent overrides

src/config/types.ts

@@ -625,6 +625,24 @@ export type SandboxDockerSettings = {
   extraHosts?: string[];
 };
 
+export type SandboxBrowserSettings = {
+  enabled?: boolean;
+  image?: string;
+  containerPrefix?: string;
+  cdpPort?: number;
+  vncPort?: number;
+  noVncPort?: number;
+  headless?: boolean;
+  enableNoVnc?: boolean;
+};
+
+export type SandboxPruneSettings = {
+  /** Prune if idle for more than N hours (0 disables). */
+  idleHours?: number;
+  /** Prune if older than N days (0 disables). */
+  maxAgeDays?: number;
+};
+
 export type GroupChatConfig = {
   mentionPatterns?: string[];
   historyLimit?: number;
@@ -663,11 +681,15 @@ export type RoutingConfig = {
         workspaceRoot?: string;
         /** Docker-specific sandbox overrides for this agent. */
         docker?: SandboxDockerSettings;
+        /** Optional sandboxed browser overrides for this agent. */
+        browser?: SandboxBrowserSettings;
         /** Tool allow/deny policy for sandboxed sessions (deny wins). */
         tools?: {
           allow?: string[];
           deny?: string[];
         };
+        /** Auto-prune overrides for this agent. */
+        prune?: SandboxPruneSettings;
       };
       tools?: {
         allow?: string[];
@@ -1093,28 +1115,14 @@ export type ClawdbotConfig = {
       /** Docker-specific sandbox settings. */
       docker?: SandboxDockerSettings;
       /** Optional sandboxed browser settings. */
-      browser?: {
-        enabled?: boolean;
-        image?: string;
-        containerPrefix?: string;
-        cdpPort?: number;
-        vncPort?: number;
-        noVncPort?: number;
-        headless?: boolean;
-        enableNoVnc?: boolean;
-      };
+      browser?: SandboxBrowserSettings;
       /** Tool allow/deny policy (deny wins). */
       tools?: {
         allow?: string[];
         deny?: string[];
       };
       /** Auto-prune sandbox containers. */
-      prune?: {
-        /** Prune if idle for more than N hours (0 disables). */
-        idleHours?: number;
-        /** Prune if older than N days (0 disables). */
-        maxAgeDays?: number;
-      };
+      prune?: SandboxPruneSettings;
     };
     /** Global tool allow/deny policy for all providers (deny wins). */
     tools?: {

src/config/zod-schema.ts

@@ -260,6 +260,33 @@ const SandboxDockerSchema = z
   })
   .optional();
 
+const SandboxBrowserSchema = z
+  .object({
+    enabled: z.boolean().optional(),
+    image: z.string().optional(),
+    containerPrefix: z.string().optional(),
+    cdpPort: z.number().int().positive().optional(),
+    vncPort: z.number().int().positive().optional(),
+    noVncPort: z.number().int().positive().optional(),
+    headless: z.boolean().optional(),
+    enableNoVnc: z.boolean().optional(),
+  })
+  .optional();
+
+const SandboxPruneSchema = z
+  .object({
+    idleHours: z.number().int().nonnegative().optional(),
+    maxAgeDays: z.number().int().nonnegative().optional(),
+  })
+  .optional();
+
+const ToolPolicySchema = z
+  .object({
+    allow: z.array(z.string()).optional(),
+    deny: z.array(z.string()).optional(),
+  })
+  .optional();
+
 const RoutingSchema = z
   .object({
     groupChat: GroupChatSchema,
@@ -302,20 +329,12 @@ const RoutingSchema = z
                 perSession: z.boolean().optional(),
                 workspaceRoot: z.string().optional(),
                 docker: SandboxDockerSchema,
-                tools: z
-                  .object({
-                    allow: z.array(z.string()).optional(),
-                    deny: z.array(z.string()).optional(),
-                  })
-                  .optional(),
-              })
-              .optional(),
-            tools: z
-              .object({
-                allow: z.array(z.string()).optional(),
-                deny: z.array(z.string()).optional(),
+                browser: SandboxBrowserSchema,
+                tools: ToolPolicySchema,
+                prune: SandboxPruneSchema,
               })
               .optional(),
+            tools: ToolPolicySchema,
           })
           .optional(),
       )
@@ -706,30 +725,9 @@ export const ClawdbotSchema = z.object({
           perSession: z.boolean().optional(),
           workspaceRoot: z.string().optional(),
           docker: SandboxDockerSchema,
-          browser: z
-            .object({
-              enabled: z.boolean().optional(),
-              image: z.string().optional(),
-              containerPrefix: z.string().optional(),
-              cdpPort: z.number().int().positive().optional(),
-              vncPort: z.number().int().positive().optional(),
-              noVncPort: z.number().int().positive().optional(),
-              headless: z.boolean().optional(),
-              enableNoVnc: z.boolean().optional(),
-            })
-            .optional(),
-          tools: z
-            .object({
-              allow: z.array(z.string()).optional(),
-              deny: z.array(z.string()).optional(),
-            })
-            .optional(),
-          prune: z
-            .object({
-              idleHours: z.number().int().nonnegative().optional(),
-              maxAgeDays: z.number().int().nonnegative().optional(),
-            })
-            .optional(),
+          browser: SandboxBrowserSchema,
+          tools: ToolPolicySchema,
+          prune: SandboxPruneSchema,
         })
         .optional(),
     })