
#11820: fix(sandbox): remap container paths in sandboxed file tools

by steflsd open 2026-02-08 11:03
agents stale
## Problem

When a sandbox runs with `workspaceAccess: "none"`, the host sandbox directory (e.g. `/data/clawfront-data/{sandbox-id}/`) is bind-mounted into the Docker container at `/workspace`. Both paths point to the same physical files.

The agent executes commands inside Docker via `exec`, so it discovers files at container paths like `/workspace/projects/foo/package.json`. When it then tries to use the structured `read`/`write`/`edit` tools with those paths, the gateway-side `assertSandboxPath` rejects them — because `/workspace/...` on the host is not inside the sandbox root.

This forces the agent to fall back to `cat`/`echo >` via bash inside Docker, which works but bypasses the structured file tools entirely — losing MIME detection, image sanitization, path normalization, and the sandbox symlink guard.

## Fix

Add a `remapContainerPath` step in `wrapSandboxPathGuard` that translates container paths back to host paths before validation. For example, `/workspace/foo.txt` becomes `/data/clawfront-data/{sandbox-id}/foo.txt`. Paths that don't match the container workdir prefix pass through unchanged.

## Test plan

- [x] New tests: container-absolute read/write/edit paths resolve to sandbox dir
- [x] New test: paths outside the container workspace prefix are still rejected
- [x] Existing sandbox + workspace path tests pass
- [x] Full test suite passes (`pnpm build && pnpm check && pnpm test`)

🤖 AI-assisted (Claude Code) · fully tested · I understand what the code does

🤖 Generated with [Claude Code](https://claude.com/claude-code)

## Greptile Overview

### Greptile Summary

This change threads `sandbox.containerWorkdir` into the sandboxed `read`/`write`/`edit` tool wrappers and adds a `remapContainerPath` step inside `wrapSandboxPathGuard` so container-absolute paths (e.g. `/workspace/foo.txt`) are rewritten to the host sandbox root before running `assertSandboxPath`.

The accompanying tests extend `pi-tools.workspace-paths.test.ts` to cover container-absolute read/write/edit paths and confirm that non-workdir-prefixed container paths remain blocked.

### Confidence Score: 4/5

- This PR is generally safe to merge once a path-traversal edge case in container path remapping is addressed.
- The change is localized and backed by new tests, but `remapContainerPath` can join `..` segments from a container path into a host path, which will cause unexpected rejections (and could become risky if surrounding validation changes).
- src/agents/pi-tools.read.ts
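
The `..` edge case raised in the review, shown as an added example that is not the PR's or the project's code: a prefix-and-concatenate remap beside one that normalizes before remapping. `remapNaive`, `normalizePosix`, `isWithin`, `resolveToolPath` and the sandbox id `sbx-example` are assumptions made for illustration; `resolveToolPath` is only a lexical stand-in for the gateway guard and does no symlink resolution.

```typescript
// Added example: absolute POSIX paths only. HOST_ROOT is a constructed value.
const CONTAINER_WORKDIR = "/workspace";
const HOST_ROOT = "/data/clawfront-data/sbx-example";

// Lexically collapse ".", ".." and repeated "/" in an absolute POSIX path.
function normalizePosix(p: string): string {
  const out: string[] = [];
  for (const seg of p.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") out.pop();
    else out.push(seg);
  }
  return "/" + out.join("/");
}

// True when `child` equals `parent` or lies beneath it (both already normalized).
// Matching on parent + "/" keeps "/workspacefoo" from matching "/workspace".
function isWithin(parent: string, child: string): boolean {
  return child === parent || child.indexOf(parent + "/") === 0;
}

// Illustration of the edge case: match the raw prefix, then concatenate.
// Any ".." after the prefix is carried into the host path.
function remapNaive(p: string): string {
  if (p === CONTAINER_WORKDIR) return HOST_ROOT;
  if (p.indexOf(CONTAINER_WORKDIR + "/") !== 0) return p;
  return HOST_ROOT + p.slice(CONTAINER_WORKDIR.length);
}

// Normalize first; remap only if the result is still inside the workdir.
// Everything else passes through unchanged for the guard to reject.
function remapContainerPath(p: string): string {
  if (p.charAt(0) !== "/") return p;
  const norm = normalizePosix(p);
  if (!isWithin(CONTAINER_WORKDIR, norm)) return p;
  return HOST_ROOT + norm.slice(CONTAINER_WORKDIR.length);
}

// Hypothetical stand-in for the gateway guard: lexical containment only,
// no symlink resolution. Returns the validated host path or throws.
function resolveToolPath(p: string): string {
  const host = normalizePosix(remapContainerPath(p));
  if (!isWithin(HOST_ROOT, host)) throw new Error("path escapes sandbox root: " + p);
  return host;
}
```
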
