✨ feat: add boxsh sandbox foundation

[vaayne]

Stack

• Base PR in stack
• Next: ✨ feat: wire runner and config through sandbox backend #97 wire runner and config through sandbox backend
• Then: ✨ feat: mediate sandbox-aware tools through hostfs #94 mediate sandbox-aware tools through hostfs
• Docs follow in 📝 docs: document sandbox backend rollout #96

Summary

• add the boxsh sandbox backend foundation and session model
• add boxsh RPC client, shared backend, policy contracts, and core tool mediation primitives
• add sandbox preflight validation, managed boxsh download wiring, and backend test coverage

Testing

• mise run test

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 9e4711f247

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Remove client timeout from streaming HTTP connections

OpenHTTPStream builds an http.Client with Timeout set, but in Go that timeout applies to the full request lifecycle including response body reads. For long-lived SSE/streamable HTTP sessions, this forces healthy streams to terminate once the timeout (default 30s here) is reached, which breaks streaming transports on the local backend.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Drain process pipes before waiting for exit

Wait blocks on cmd.Wait() before consuming stdout/stderr, so a child that writes enough output to fill either pipe can block on write and never exit. In that case Wait hangs until context cancellation, so callers that rely on Wait to collect output (without concurrently reading pipes themselves) can deadlock on verbose commands.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Iterate registered backends during auto selection

The auto-selection path only checks boxsh and local explicitly, so any additional backend registered through Register is ignored when policy.Backend is empty. This can cause CreateSession to fail with “no registered backend can satisfy this policy” even when a compatible registered backend exists.

Useful? React with 👍 / 👎.