* feat(models): allow private network via models.providers.*.request
Add optional request.allowPrivateNetwork for operator-controlled self-hosted
OpenAI-compatible bases (LAN/overlay/split DNS). Plumbs the flag into
resolveProviderRequestPolicyConfig for streaming provider HTTP and OpenAI
responses WebSocket so SSRF policy can allow private-resolved model URLs
when explicitly enabled.
Updates zod schema, config help/labels, and unit tests for sanitize/merge.
* agents thread provider request into websocket stream
* fix(config): scope allowPrivateNetwork to model requests
* fix(agents): refresh websocket manager on request changes
* fix(agents): scope runtime private-network overrides to models
* fix: allow private network provider request opt-in (#63671) (thanks @qas)
---------
Co-authored-by: Ayaan Zaidi <hi@obviy.us>
* refactor(sandbox): remove socat proxy and fix chromium keyring deadlock
* fix(sandbox): address review feedback by reinstating cdp isolation and stability flags
* fix(sandbox): increase entrypoint cdp timeout to 20s to honor autoStartTimeoutMs
* fix(sandbox): align implementation with PR description (keyring bypass, fail-fast, watchdog)
* fix
* fix(sandbox): remove bash CDP watchdog to eliminate dual-timeout race
* fix(sandbox): apply final fail-fast and lifecycle bindings
* fix(sandbox): restore noVNC and CDP port offset
* fix(sandbox): add max-time to curl to prevent HTTP hang
* fix(sandbox): align timeout with host and restore env flags
* fix(sandbox): pass auto-start timeout to container and restore wait -n
* fix(sandbox): update hash input type to include autoStartTimeoutMs
* fix(sandbox): implement production-grade lifecycle and timeout management
- Add strict integer validation for port and timeout environment variables
- Implement robust two-stage trap cleanup (SIGTERM with SIGKILL fallback) to prevent zombie processes
- Refactor CDP readiness probe to use absolute millisecond-precision deadlines
- Add early fail-fast detection if Chromium crashes during the startup phase
- Track all daemon PIDs explicitly for reliable teardown via wait -n
* fix(sandbox): allow renderer process limit to be 0 for chromium default
* fix(sandbox): add autoStartTimeoutMs to SandboxBrowserHashInput type
* test(sandbox): cover browser timeout cleanup
---------
Co-authored-by: Ayaan Zaidi <hi@obviy.us>
