Platform
Provider sandbox & model routing
How agent runs are confined to their worktree and matched to a model.
Before launching a CLI provider the daemon refuses an unsafe working directory, then confines the provider to the task worktree and picks a model sized to the run.
Unsafe-cwd refusal
- Rejects launching in a too-broad directory: `/`, `/tmp`, `/var`, `/Users`, `/home` or `$HOME` itself.
- Requires a `.git` boundary at or above the cwd, so a provider running `git add -A` cannot stage unrelated work from a stale parent repo.
Claude sandbox
- Adds `--add-dir <worktree>`, the only directory the provider may read/write outside its own state.
- Strips any `--dangerously-skip-permissions`, so an out-of-tree mutation surfaces as a prompt a non-interactive worker cannot answer (it is refused, not silently executed).
- Injects `--output-format stream-json --verbose` for non-interactive workers so long runs stream live instead of buffering to exit.
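The unsafe-cwd refusal and the Claude argument rewrites described above, sketched as an added Python example; it is not the daemon's own code. The names `check_launch_dir`, `find_git_boundary`, `sandbox_args` and `UnsafeCwd` are hypothetical, and resolving symlinks before the comparison and appending the flags at the end of the argv are assumptions.

```python
import os
from pathlib import Path

# Directories the page lists as too broad; $HOME is added per call.
TOO_BROAD = ("/", "/tmp", "/var", "/Users", "/home")

class UnsafeCwd(Exception):
    """The launch directory failed a pre-launch check."""

def find_git_boundary(cwd):
    """Nearest directory at or above cwd holding a .git entry, or None."""
    cwd = Path(cwd).resolve()
    for d in (cwd, *cwd.parents):
        # .git is a directory in a normal clone and a file in a linked worktree.
        if (d / ".git").exists():
            return d
    return None

def check_launch_dir(cwd, home=None):
    """Refuse too-broad directories, require a .git boundary, return it."""
    # Assumption: resolve symlinks first, so an alias of /tmp or $HOME
    # is compared by its real path rather than by its name.
    real = Path(cwd).resolve()
    home = Path(home or os.path.expanduser("~")).resolve()
    broad = {Path(p).resolve() for p in TOO_BROAD} | {home}
    if real in broad:
        raise UnsafeCwd(f"too-broad working directory: {real}")
    boundary = find_git_boundary(real)
    if boundary is None:
        raise UnsafeCwd(f"no .git boundary at or above {real}")
    return boundary

def sandbox_args(argv, worktree, interactive=False):
    """Apply the three Claude rewrites the page lists to a provider argv."""
    # Drop the bypass flag so out-of-tree writes become a permission prompt.
    out = [a for a in argv if a != "--dangerously-skip-permissions"]
    # Assumption: flags are appended after the caller's own arguments.
    out += ["--add-dir", str(worktree)]
    if not interactive:
        out += ["--output-format", "stream-json", "--verbose"]
    return out
```

A `$HOME` that is itself a repository (a dotfiles checkout, for example) is still refused, because the too-broad check runs before the `.git` search.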
Model routing by run purpose
The run’s purpose maps to a difficulty tier, then to a model. An explicit caller hint always wins; otherwise the tier table applies; otherwise the provider default; otherwise a compiled fallback.
| Tier | Purpose | Anthropic model |
|---|---|---|
| Hard | planning · analysis · refine | claude-opus-4-7 |
| Standard | execution | claude-sonnet-4-6 |
| Easy | review · comment-eval | claude-haiku-4-5 |
Non-Claude CLI providers (gemini, qwen) are left to choose their own model; OpenAI maps Hard/Standard/Easy to o1 / gpt-4o / gpt-4o-mini.