Refactor: move agent settings logic to Definition.ApplySettings; eliminate agent name checks in sandbox layer

- Add ApplySettings func, ShortLivedOAuthWarning bool, and SeedsAllAgents bool
  fields to agent.Definition
- Move injectIdleHook and its shell command constants from sandbox/create.go
  into agent/agent.go — agent-specific logic belongs in the agent package
- Populate ApplySettings for Claude (skipDangerousModePermissionPrompt, sandbox
  disabled, preferredNotifChannel, idle hooks) and Gemini (folderTrust disabled)
- Set ShortLivedOAuthWarning=true on Claude; SeedsAllAgents=true on shell
- Replace switch agentDef.Name blocks in ensureContainerSettings and
  ensureShellContainerSettings with agentDef.ApplySettings(settings) calls
- Replace if agentDef.Name == "shell" routing with if agentDef.SeedsAllAgents
- Replace if agentDef.Name == "claude" in create_seed.go with
  if agentDef.ShortLivedOAuthWarning
- Add tests for ApplySettings, ShortLivedOAuthWarning, and SeedsAllAgents on
  all relevant agents

Adding a new agent with custom settings now requires no changes outside agent/agent.go.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: Karl

agent/agent.go

@@ -76,6 +76,19 @@ type Definition struct {
 	NetworkAllowlist  []string          // domains allowed when network-isolated
 	ContextFile       string            // filename in StateDir for sandbox context reference (e.g., "CLAUDE.md")
 	AgentFilesExclude []string          // glob patterns to skip when copying agent_files (string form)
+
+	// ApplySettings patches the agent's settings map before it is written to disk.
+	// Called with the parsed settings map; mutates it in place.
+	// Nil means no patches are needed.
+	ApplySettings func(settings map[string]any)
+
+	// ShortLivedOAuthWarning, if true, warns users when an OAuth credential file
+	// is copied into the sandbox (used by Claude Code which uses short-lived tokens).
+	ShortLivedOAuthWarning bool
+
+	// SeedsAllAgents, if true, means this agent seeds home configs for all real
+	// agents rather than just itself (used by the shell agent).
+	SeedsAllAgents bool
 }
 
 var agents = map[string]*Definition{
@@ -141,6 +154,19 @@ var agents = map[string]*Definition{
 		NetworkAllowlist:  []string{"api.anthropic.com", "claude.ai", "platform.claude.com", "statsig.anthropic.com", "sentry.io"},
 		ContextFile:       "CLAUDE.md",
 		AgentFilesExclude: []string{"projects/", "statsig/", "todos/", ".credentials.json", "*.log"},
+		ApplySettings: func(s map[string]any) {
+			s["skipDangerousModePermissionPrompt"] = true
+			// Disable Claude Code's built-in sandbox-exec to prevent nesting failures.
+			// sandbox-exec cannot be nested — an inner sandbox-exec inherits the outer
+			// profile's restrictions and typically fails.
+			s["sandbox"] = map[string]any{"enabled": false}
+			// Ensure Claude Code emits BEL for tmux tab highlighting.
+			s["preferredNotifChannel"] = "terminal_bell"
+			// Inject hooks for status tracking. Claude Code's own hook system is
+			// far more reliable than polling tmux capture-pane for a ready pattern.
+			injectIdleHook(s)
+		},
+		ShortLivedOAuthWarning: true,
 	},
 	"gemini": {
 		Name:           "gemini",
@@ -172,6 +198,16 @@ var agents = map[string]*Definition{
 		NetworkAllowlist:  []string{"generativelanguage.googleapis.com", "cloudcode-pa.googleapis.com", "oauth2.googleapis.com"},
 		ContextFile:       "GEMINI.md",
 		AgentFilesExclude: []string{"logs/", "oauth_creds.json", "google_accounts.json"},
+		ApplySettings: func(s map[string]any) {
+			// Preserve existing security settings (e.g. auth.selectedType) while
+			// disabling folder trust — the container is already sandboxed.
+			security, _ := s["security"].(map[string]any)
+			if security == nil {
+				security = map[string]any{}
+			}
+			security["folderTrust"] = map[string]any{"enabled": false}
+			s["security"] = security
+		},
 	},
 	"opencode": {
 		Name:            "opencode",
@@ -353,9 +389,56 @@ func buildShellAgent() *Definition {
 		ModelFlag:        "",
 		ModelAliases:     nil,
 		NetworkAllowlist: networkAllowlist,
+		SeedsAllAgents:   true,
 	}
 }
 
 func init() {
 	agents["shell"] = buildShellAgent()
 }
+
+// statusIdleCommand writes idle status to agent-status.json and appends a
+// structured JSONL entry to logs/agent-hooks.jsonl when Claude finishes a
+// response (Notification hook). Uses $YOLOAI_DIR for portability across
+// backends (Docker=/yoloai, seatbelt=sandbox dir).
+const statusIdleCommand = `printf '{"ts":"%s","level":"info","event":"hook.idle","msg":"agent hook: idle","status":"idle"}\n' "$(date -u +%Y-%m-%dT%H:%M:%S.000Z)" >> "${YOLOAI_DIR:-/yoloai}/logs/agent-hooks.jsonl" && printf '{"status":"idle","exit_code":null,"timestamp":%d}\n' "$(date +%s)" > "${YOLOAI_DIR:-/yoloai}/agent-status.json"`
+
+// statusActiveCommand writes active status to agent-status.json and appends a
+// structured JSONL entry to logs/agent-hooks.jsonl when Claude starts working
+// (PreToolUse hook). This ensures the title updates from "> name" back to
+// "name" when the user submits a new prompt.
+const statusActiveCommand = `printf '{"ts":"%s","level":"info","event":"hook.active","msg":"agent hook: active","status":"active"}\n' "$(date -u +%Y-%m-%dT%H:%M:%S.000Z)" >> "${YOLOAI_DIR:-/yoloai}/logs/agent-hooks.jsonl" && printf '{"status":"active","exit_code":null,"timestamp":%d}\n' "$(date +%s)" > "${YOLOAI_DIR:-/yoloai}/agent-status.json"`
+
+// injectIdleHook merges hooks into Claude Code's settings map for status tracking.
+// Notification → idle (turn complete), PreToolUse → running (work started).
+// Preserves any existing hooks the user may have configured.
+func injectIdleHook(settings map[string]any) {
+	hooks, _ := settings["hooks"].(map[string]any)
+	if hooks == nil {
+		hooks = map[string]any{}
+	}
+
+	// Notification hook: mark idle when Claude finishes a response.
+	idleHook := map[string]any{
+		"type":    "command",
+		"command": statusIdleCommand,
+	}
+	idleGroup := map[string]any{
+		"hooks": []any{idleHook},
+	}
+	existingNotif, _ := hooks["Notification"].([]any)
+	hooks["Notification"] = append(existingNotif, idleGroup)
+
+	// PreToolUse hook: mark active when Claude starts using tools.
+	activeHook := map[string]any{
+		"type":    "command",
+		"command": statusActiveCommand,
+	}
+	activeGroup := map[string]any{
+		"hooks": []any{activeHook},
+	}
+	existingPre, _ := hooks["PreToolUse"].([]any)
+	hooks["PreToolUse"] = append(existingPre, activeGroup)
+
+	settings["hooks"] = hooks
+}

agent/agent_test.go

@@ -293,3 +293,99 @@ func TestGetAgent_Unknown(t *testing.T) {
 	assert.Nil(t, GetAgent("unknown"))
 	assert.Nil(t, GetAgent(""))
 }
+
+func TestApplySettings_Claude(t *testing.T) {
+	def := GetAgent("claude")
+	require.NotNil(t, def)
+	require.NotNil(t, def.ApplySettings, "claude should have ApplySettings set")
+
+	settings := map[string]any{}
+	def.ApplySettings(settings)
+
+	assert.Equal(t, true, settings["skipDangerousModePermissionPrompt"])
+	assert.Equal(t, map[string]any{"enabled": false}, settings["sandbox"])
+	assert.Equal(t, "terminal_bell", settings["preferredNotifChannel"])
+
+	// Verify idle hooks were injected
+	hooks, ok := settings["hooks"].(map[string]any)
+	require.True(t, ok, "hooks should be a map")
+	assert.NotNil(t, hooks["Notification"], "Notification hook should be set")
+	assert.NotNil(t, hooks["PreToolUse"], "PreToolUse hook should be set")
+}
+
+func TestApplySettings_ClaudePreservesExistingHooks(t *testing.T) {
+	def := GetAgent("claude")
+	require.NotNil(t, def)
+
+	existingHook := map[string]any{"type": "command", "command": "echo existing"}
+	existingGroup := map[string]any{"hooks": []any{existingHook}}
+	settings := map[string]any{
+		"hooks": map[string]any{
+			"Notification": []any{existingGroup},
+		},
+	}
+	def.ApplySettings(settings)
+
+	hooks := settings["hooks"].(map[string]any)
+	notifHooks := hooks["Notification"].([]any)
+	assert.Len(t, notifHooks, 2, "should preserve existing hook and append idle hook")
+}
+
+func TestApplySettings_Gemini(t *testing.T) {
+	def := GetAgent("gemini")
+	require.NotNil(t, def)
+	require.NotNil(t, def.ApplySettings, "gemini should have ApplySettings set")
+
+	settings := map[string]any{}
+	def.ApplySettings(settings)
+
+	security, ok := settings["security"].(map[string]any)
+	require.True(t, ok, "security should be a map")
+	folderTrust, ok := security["folderTrust"].(map[string]any)
+	require.True(t, ok, "folderTrust should be a map")
+	assert.Equal(t, false, folderTrust["enabled"])
+}
+
+func TestApplySettings_GeminiPreservesExistingSecurityFields(t *testing.T) {
+	def := GetAgent("gemini")
+	require.NotNil(t, def)
+
+	settings := map[string]any{
+		"security": map[string]any{"auth": map[string]any{"selectedType": "oauth"}},
+	}
+	def.ApplySettings(settings)
+
+	security := settings["security"].(map[string]any)
+	// Existing field should be preserved
+	assert.Equal(t, map[string]any{"selectedType": "oauth"}, security["auth"])
+	// folderTrust should be added
+	assert.Equal(t, map[string]any{"enabled": false}, security["folderTrust"])
+}
+
+func TestApplySettings_OtherAgentsNil(t *testing.T) {
+	for _, name := range []string{"aider", "codex", "opencode", "test", "idle"} {
+		def := GetAgent(name)
+		require.NotNil(t, def, "agent %q should exist", name)
+		assert.Nil(t, def.ApplySettings, "agent %q should have nil ApplySettings", name)
+	}
+}
+
+func TestShortLivedOAuthWarning(t *testing.T) {
+	assert.True(t, GetAgent("claude").ShortLivedOAuthWarning, "claude should have ShortLivedOAuthWarning=true")
+
+	for _, name := range []string{"aider", "gemini", "codex", "opencode", "test", "idle", "shell"} {
+		def := GetAgent(name)
+		require.NotNil(t, def, "agent %q should exist", name)
+		assert.False(t, def.ShortLivedOAuthWarning, "agent %q should have ShortLivedOAuthWarning=false", name)
+	}
+}
+
+func TestSeedsAllAgents(t *testing.T) {
+	assert.True(t, GetAgent("shell").SeedsAllAgents, "shell should have SeedsAllAgents=true")
+
+	for _, name := range []string{"aider", "claude", "gemini", "codex", "opencode", "test", "idle"} {
+		def := GetAgent(name)
+		require.NotNil(t, def, "agent %q should exist", name)
+		assert.False(t, def.SeedsAllAgents, "agent %q should have SeedsAllAgents=false", name)
+	}
+}

sandbox/create.go

@@ -1354,16 +1354,15 @@ func copySeedFiles(agentDef *agent.Definition, sandboxDir string, hasAPIKey bool
 }
 
 // ensureContainerSettings merges required container settings into agent-state/settings.json.
-// Agent-specific adjustments:
-//   - Claude Code: skip --dangerously-skip-permissions prompt, disable nested sandbox-exec.
-//   - Gemini CLI: disable folder-trust prompt (the container IS the sandbox).
-//   - Shell: apply each real agent's settings into home-seed subdirectories.
+// Agent-specific adjustments are driven by each agent's ApplySettings field.
+// Shell agents (SeedsAllAgents=true) apply each real agent's settings into
+// home-seed subdirectories instead.
 func ensureContainerSettings(agentDef *agent.Definition, sandboxDir, isolation string) error {
-	if agentDef.Name == "shell" {
+	if agentDef.SeedsAllAgents {
 		return ensureShellContainerSettings(sandboxDir, isolation)
 	}
 
-	if agentDef.StateDir == "" {
+	if agentDef.StateDir == "" || agentDef.ApplySettings == nil {
 		return nil
 	}
 
@@ -1376,133 +1375,37 @@ func ensureContainerSettings(agentDef *agent.Definition, sandboxDir, isolation s
 	}
 	settingsPath := filepath.Join(agentStateDir, "settings.json")
 
-	switch agentDef.Name {
-	case "claude":
-		settings, err := readJSONMap(settingsPath)
-		if err != nil {
-			return err
-		}
-		settings["skipDangerousModePermissionPrompt"] = true
-		// Disable Claude Code's built-in sandbox-exec to prevent nesting failures.
-		// sandbox-exec cannot be nested — an inner sandbox-exec inherits the outer
-		// profile's restrictions and typically fails.
-		settings["sandbox"] = map[string]interface{}{"enabled": false}
-		// Ensure Claude Code emits BEL for tmux tab highlighting
-		settings["preferredNotifChannel"] = "terminal_bell"
-		// Inject hooks for status tracking. Claude Code's own hook system is
-		// far more reliable than polling tmux capture-pane for a ready pattern.
-		injectIdleHook(settings)
-		return writeJSONMap(settingsPath, settings)
-
-	case "gemini":
-		settings, err := readJSONMap(settingsPath)
-		if err != nil {
-			return err
-		}
-		// Preserve existing security settings (e.g. auth.selectedType) while
-		// disabling folder trust — the container is already sandboxed.
-		security, _ := settings["security"].(map[string]interface{})
-		if security == nil {
-			security = map[string]interface{}{}
-		}
-		security["folderTrust"] = map[string]interface{}{"enabled": false}
-		settings["security"] = security
-		return writeJSONMap(settingsPath, settings)
-
-	default:
-		return nil
+	settings, err := readJSONMap(settingsPath)
+	if err != nil {
+		return err
 	}
+	agentDef.ApplySettings(settings)
+	return writeJSONMap(settingsPath, settings)
 }
 
 // ensureShellContainerSettings applies each real agent's container settings
 // to its home-seed subdirectory (e.g., home-seed/.claude/settings.json).
-func ensureShellContainerSettings(sandboxDir, isolation string) error {
+func ensureShellContainerSettings(sandboxDir string, _ string) error {
 	for _, name := range agent.RealAgents() {
 		def := agent.GetAgent(name)
-		if def.StateDir == "" {
+		if def.StateDir == "" || def.ApplySettings == nil {
 			continue
 		}
 		dirBase := filepath.Base(def.StateDir)
 		settingsPath := filepath.Join(sandboxDir, "home-seed", dirBase, "settings.json")
 
-		switch name {
-		case "claude":
-			settings, err := readJSONMap(settingsPath)
-			if err != nil {
-				return err
-			}
-			settings["skipDangerousModePermissionPrompt"] = true
-			settings["sandbox"] = map[string]interface{}{"enabled": false}
-			injectIdleHook(settings)
-			if err := writeJSONMap(settingsPath, settings); err != nil {
-				return err
-			}
-
-		case "gemini":
-			settings, err := readJSONMap(settingsPath)
-			if err != nil {
-				return err
-			}
-			security, _ := settings["security"].(map[string]interface{})
-			if security == nil {
-				security = map[string]interface{}{}
-			}
-			security["folderTrust"] = map[string]interface{}{"enabled": false}
-			settings["security"] = security
-			if err := writeJSONMap(settingsPath, settings); err != nil {
-				return err
-			}
+		settings, err := readJSONMap(settingsPath)
+		if err != nil {
+			return err
+		}
+		def.ApplySettings(settings)
+		if err := writeJSONMap(settingsPath, settings); err != nil {
+			return err
 		}
 	}
 	return nil
 }
 
-// statusIdleCommand writes idle status to agent-status.json and appends a
-// structured JSONL entry to logs/agent-hooks.jsonl when Claude finishes a
-// response (Notification hook). Uses $YOLOAI_DIR for portability across
-// backends (Docker=/yoloai, seatbelt=sandbox dir).
-const statusIdleCommand = `printf '{"ts":"%s","level":"info","event":"hook.idle","msg":"agent hook: idle","status":"idle"}\n' "$(date -u +%Y-%m-%dT%H:%M:%S.000Z)" >> "${YOLOAI_DIR:-/yoloai}/logs/agent-hooks.jsonl" && printf '{"status":"idle","exit_code":null,"timestamp":%d}\n' "$(date +%s)" > "${YOLOAI_DIR:-/yoloai}/agent-status.json"`
-
-// statusActiveCommand writes active status to agent-status.json and appends a
-// structured JSONL entry to logs/agent-hooks.jsonl when Claude starts working
-// (PreToolUse hook). This ensures the title updates from "> name" back to
-// "name" when the user submits a new prompt.
-const statusActiveCommand = `printf '{"ts":"%s","level":"info","event":"hook.active","msg":"agent hook: active","status":"active"}\n' "$(date -u +%Y-%m-%dT%H:%M:%S.000Z)" >> "${YOLOAI_DIR:-/yoloai}/logs/agent-hooks.jsonl" && printf '{"status":"active","exit_code":null,"timestamp":%d}\n' "$(date +%s)" > "${YOLOAI_DIR:-/yoloai}/agent-status.json"`
-
-// injectIdleHook merges hooks into Claude Code's settings map for status tracking.
-// Notification → idle (turn complete), PreToolUse → running (work started).
-// Preserves any existing hooks the user may have configured.
-func injectIdleHook(settings map[string]any) {
-	hooks, _ := settings["hooks"].(map[string]any)
-	if hooks == nil {
-		hooks = map[string]any{}
-	}
-
-	// Notification hook: mark idle when Claude finishes a response.
-	idleHook := map[string]any{
-		"type":    "command",
-		"command": statusIdleCommand,
-	}
-	idleGroup := map[string]any{
-		"hooks": []any{idleHook},
-	}
-	existingNotif, _ := hooks["Notification"].([]any)
-	hooks["Notification"] = append(existingNotif, idleGroup)
-
-	// PreToolUse hook: mark active when Claude starts using tools.
-	activeHook := map[string]any{
-		"type":    "command",
-		"command": statusActiveCommand,
-	}
-	activeGroup := map[string]any{
-		"hooks": []any{activeHook},
-	}
-	existingPre, _ := hooks["PreToolUse"].([]any)
-	hooks["PreToolUse"] = append(existingPre, activeGroup)
-
-	settings["hooks"] = hooks
-}
-
 // ensureHomeSeedConfig patches home-seed/.claude.json to set installMethod to
 // "npm-global". The host file typically has "native" since the user's local
 // Claude Code uses the native installer, but inside the container we install

sandbox/create_seed.go

@@ -18,8 +18,8 @@ func (m *Manager) seedSandbox(agentDef *agent.Definition, sandboxDir, isolation
 		return false, fmt.Errorf("copy seed files: %w", err)
 	}
 
-	// Warn when Claude is using short-lived OAuth credentials instead of a long-lived token.
-	if agentDef.Name == "claude" && copiedAuth {
+	// Warn when an agent is using short-lived OAuth credentials instead of a long-lived token.
+	if agentDef.ShortLivedOAuthWarning && copiedAuth {
 		fmt.Fprintln(m.output, "Warning: using OAuth credentials from ~/.claude/.credentials.json")                         //nolint:errcheck // best-effort warning
 		fmt.Fprintln(m.output, "  These tokens expire after ~30 minutes and may fail in long-running sessions.")            //nolint:errcheck // best-effort warning
 		fmt.Fprintln(m.output, "  For reliable auth, run 'claude setup-token' and export CLAUDE_CODE_OAUTH_TOKEN instead.") //nolint:errcheck // best-effort warning