fix(sandbox): support extra mounts in provisioner mode

[officialasishkumar]

Summary

• Pass configured sandbox mounts through RemoteSandboxBackend to the provisioner create API.
• Add provisioner extra_mounts request support and wire those mounts into Kubernetes hostPath volumes and container volumeMounts.
• Keep provisioner-created /mnt/skills and /mnt/user-data/* mounts from being duplicated while preserving runtime mounts such as /mnt/acp-workspace.
• Document provisioner-mode custom mounts and remove stale task-tool test monkeypatches for the current subagent skill-loading path.

Root Cause

AioSandboxProvider handed configured mounts only to LocalContainerBackend; provisioner mode created pods from a fixed manifest and RemoteSandboxBackend did not send mount metadata. As a result, sandbox.mounts worked in local container mode but was ignored when provisioner_url selected the Kubernetes provisioner backend.

Testing

• cd backend && make lint
• cd backend && make test → 2047 passed, 15 skipped
• cd backend && uv run pytest tests/test_remote_sandbox_backend.py tests/test_provisioner_pvc_volumes.py tests/test_task_tool_core_logic.py::test_task_tool_propagates_tool_groups_to_subagent tests/test_task_tool_core_logic.py::test_task_tool_no_tool_groups_passes_none tests/test_task_tool_core_logic.py::test_task_tool_runtime_none_passes_groups_none -q → 28 passed

Closes #2480

[Copilot]

Pull request overview

This PR extends provisioner-mode sandbox creation to support user-configured “extra mounts” end-to-end (config → RemoteSandboxBackend → provisioner API → K8s Pod volumes/volumeMounts), aligning Kubernetes provisioner behavior with local container mode.

Changes:

• Forward configured sandbox mounts through RemoteSandboxBackend to the provisioner POST /api/sandboxes API.
• Add extra_mounts request handling in the provisioner and wire them into generated Pod volumes and volumeMounts.
• Add/update regression tests and documentation for provisioner-mode custom mounts.

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 4 comments.

Show a summary per file

File	Description
docker/provisioner/README.md	Documents provisioner API usage including extra_mounts.
docker/provisioner/app.py	Adds extra_mounts request model, validation/normalization, and Pod volume/volumeMount wiring.
config.example.yaml	Documents sandbox mounts configuration for provisioner mode.
backend/tests/test_remote_sandbox_backend.py	Verifies remote backend forwards configured mounts and filters provisioner-built-in runtime mounts.
backend/tests/test_provisioner_pvc_volumes.py	Adds tests ensuring extra mounts become hostPath volumes/mounts and validates rejection cases.
backend/packages/harness/deerflow/community/aio_sandbox/remote_backend.py	Serializes and forwards extra mounts to provisioner create API.
backend/packages/harness/deerflow/community/aio_sandbox/aio_sandbox_provider.py	Passes configured mounts to RemoteSandboxBackend when provisioner_url is set.

[Copilot]

extra_mounts.host_path currently allows any absolute path on the Kubernetes node. Since the provisioner API is unauthenticated and is reverse-proxied under /api/sandboxes by the repo nginx config, this enables mounting sensitive host paths (e.g. /etc, /var/run, kubeconfig) into sandbox Pods. Consider requiring an auth token for the provisioner API and/or restricting host_path to an allow-listed base directory (or disabling extra_mounts unless explicitly enabled via env).

[officialasishkumar]

Added a provisioner-side host-path allowlist in ec0f656, with tests for disabled and outside-allowlist mounts.

[Copilot]

_normalize_extra_mounts() only reserves the exact /mnt/user-data path. That still permits mounts targeting subpaths like /mnt/user-data/workspace, which can shadow the built-in user-data mount and also diverges from RemoteSandboxBackend._is_provisioner_builtin_mount() (which treats /mnt/user-data/* as provisioner-owned). Consider rejecting any container_path that is /mnt/user-data or starts with /mnt/user-data/ (and similarly for /mnt/skills if you want to prevent shadowing).

[officialasishkumar]

Updated both provisioner validation and backend serialization to treat /mnt/user-data, /mnt/user-data/*, /mnt/skills, and /mnt/skills/* as provisioner-owned targets. Commit: 6a8ca39

[Copilot]

Extra hostPath volumes are created with hostPath type Directory, which will fail Pod scheduling if the host directory does not already exist. If the intent is to make these mounts easy to configure (similar to the built-in user-data hostPath), consider using DirectoryOrCreate or explicitly documenting that host_path must pre-exist on every node that might run the Pod.

Suggested change

	type="Directory",
	type="DirectoryOrCreate",

[officialasishkumar]

Changed extra hostPath volumes to use DirectoryOrCreate and updated the regression expectation. Commit: 6a8ca39

[Copilot]

Config-provided mounts (self._config_mounts) are serialized without any normalization or filtering. If a user config includes provisioner-built-in targets (e.g. /mnt/skills or /mnt/user-data) or duplicates, the provisioner will reject the request (422) and sandbox creation will fail. Consider applying the same normalization/dedup logic used for runtime extra_mounts (strip trailing /, skip provisioner-built-in mount paths, and skip duplicates) to config mounts as well.

Suggested change

	for mount in self._config_mounts:
	mounts.append(
	{
	"host_path": mount.host_path,
	"container_path": mount.container_path,
	"read_only": mount.read_only,
	}
	)
	seen_container_paths = {str(mount["container_path"]).rstrip("/") or "/" for mount in mounts}
	seen_container_paths: set[str] = set()
	for mount in self._config_mounts:
	normalized_container_path = mount.container_path.rstrip("/") or "/"
	if self._is_provisioner_builtin_mount(normalized_container_path):
	logger.warning("Skipping provisioner built-in config mount target: %s", mount.container_path)
	continue
	if normalized_container_path in seen_container_paths:
	logger.warning("Skipping duplicate provisioner config mount target: %s", mount.container_path)
	continue
	seen_container_paths.add(normalized_container_path)
	mounts.append(
	{
	"host_path": mount.host_path,
	"container_path": normalized_container_path,
	"read_only": mount.read_only,
	}
	)

[officialasishkumar]

Applied the same normalization/dedup filtering to configured mounts before sending them to the provisioner, with a regression test for built-in and duplicate config targets. Commit: 6a8ca39

[WillemJiang]

@officialasishkumar, thanks for your contribution. Please take a look at the review comments.

[WillemJiang]

@officialasishkumar Please fix the lint error of the code.

[officialasishkumar]

@WillemJiang Fixed the backend lint formatting and pushed 70c1a314.