fix(harness): allow agent read access to /mnt/skills in local sandbox (#1178)

* fix(harness): allow agent read access to /mnt/skills in local sandbox

Skill files under /mnt/skills/ were blocked by the path validator,
preventing agents from reading skill definitions. This change:

- Refactors `resolve_local_tool_path` into `validate_local_tool_path`,
  a pure security gate that no longer resolves paths (left to the sandbox)
- Permits read-only access to the skills container path (/mnt/skills by
  default, configurable via config.skills.container_path)
- Blocks write access to skills paths (PermissionError)
- Allows /mnt/skills in bash command path validation
- Adds `LocalSandbox.update_path_mappings` and injects per-thread
  user-data mappings into the sandbox so all virtual-path resolution
  is handled uniformly by the sandbox layer
- Covers all new behaviour with tests

Fixes #1177

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* refactor(sandbox): unify all virtual path resolution in tools.py

Move skills path resolution from LocalSandbox into tools.py so that all
virtual-to-host path translation (user-data and skills) lives in one
layer.  LocalSandbox becomes a pure execution layer that receives only
real host paths — no more path_mappings, _resolve_path, or reverse
resolve logic.

This addresses architecture feedback that path resolution was split
across two layers (tools.py for user-data, LocalSandbox for skills),
making the flow hard to follow.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix(sandbox): address Copilot review — cache-on-success and error path masking

- Replace @lru_cache with manual cache-on-success for _get_skills_container_path
  and _get_skills_host_path so transient failures at startup don't permanently
  disable skills access.
- Add _sanitize_error() helper that masks host filesystem paths in error
  messages via mask_local_paths_in_output before returning them to the agent.
- Apply _sanitize_error() to all catch-all (Exception/OSError) handlers in
  sandbox tool functions to prevent host path leakage in error output.
- Remove unused lru_cache import.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

backend/packages/harness/deerflow/sandbox/local/local_sandbox_provider.py

@@ -6,42 +6,10 @@ _singleton: LocalSandbox | None = None
 
 
 class LocalSandboxProvider(SandboxProvider):
-    def __init__(self):
-        """Initialize the local sandbox provider with path mappings."""
-        self._path_mappings = self._setup_path_mappings()
-
-    def _setup_path_mappings(self) -> dict[str, str]:
-        """
-        Setup path mappings for local sandbox.
-
-        Maps container paths to actual local paths, including skills directory.
-
-        Returns:
-            Dictionary of path mappings
-        """
-        mappings = {}
-
-        # Map skills container path to local skills directory
-        try:
-            from deerflow.config import get_app_config
-
-            config = get_app_config()
-            skills_path = config.skills.get_skills_path()
-            container_path = config.skills.container_path
-
-            # Only add mapping if skills directory exists
-            if skills_path.exists():
-                mappings[container_path] = str(skills_path)
-        except Exception as e:
-            # Log but don't fail if config loading fails
-            print(f"Warning: Could not setup skills path mapping: {e}")
-
-        return mappings
-
     def acquire(self, thread_id: str | None = None) -> str:
         global _singleton
         if _singleton is None:
-            _singleton = LocalSandbox("local", path_mappings=self._path_mappings)
+            _singleton = LocalSandbox("local")
         return _singleton.id
 
     def get(self, sandbox_id: str) -> Sandbox | None: