From c96192bb024987d1a45711f9322d4f6e9f251c5f Mon Sep 17 00:00:00 2001
From: Bryan Tegomoh <bryan.tegomoh@gmail.com>
Date: Fri, 20 Mar 2026 23:05:50 -0500
Subject: [PATCH] narrow sandbox slug fix to shared/agent scopes only

---
 src/agents/sandbox/browser.ts | 11 +++++++----
 src/agents/sandbox/docker.ts  | 11 +++++++----
 2 files changed, 14 insertions(+), 8 deletions(-)

diff --git a/src/agents/sandbox/browser.ts b/src/agents/sandbox/browser.ts
index 2a9d2370d1a..5ee35d088d7 100644
--- a/src/agents/sandbox/browser.ts
+++ b/src/agents/sandbox/browser.ts
@@ -141,11 +141,14 @@ export async function ensureSandboxBrowser(params: {
     return null;
   }
 
-  // Include workspaceDir in the slug so co-hosted instances with different HOME
-  // dirs produce distinct container names (fixes #51363).
+  // Include workspaceDir in the slug for shared/agent scopes so co-hosted
+  // instances with different HOME dirs produce distinct container names
+  // (fixes #51363). Session-scope containers are already collision-free via
+  // their per-session unique key, so we leave those names unchanged to avoid
+  // orphaning existing containers on upgrade.
   const slug = slugifySessionKey(
-    params.cfg.scope === "shared"
-      ? `shared:${params.workspaceDir}`
+    params.cfg.scope === "session"
+      ? params.scopeKey
       : `${params.scopeKey}:${params.workspaceDir}`,
   );
   const name = `${params.cfg.browser.containerPrefix}${slug}`;
diff --git a/src/agents/sandbox/docker.ts b/src/agents/sandbox/docker.ts
index 77d585b9aa1..2aafcca03cd 100644
--- a/src/agents/sandbox/docker.ts
+++ b/src/agents/sandbox/docker.ts
@@ -496,11 +496,14 @@ export async function ensureSandboxContainer(params: {
   cfg: SandboxConfig;
 }) {
   const scopeKey = resolveSandboxScopeKey(params.cfg.scope, params.sessionKey);
-  // Include workspaceDir in the slug so co-hosted instances with different HOME
-  // dirs produce distinct container names (fixes #51363).
+  // Include workspaceDir in the slug for shared/agent scopes so co-hosted
+  // instances with different HOME dirs produce distinct container names
+  // (fixes #51363). Session-scope containers are already collision-free via
+  // their per-session unique key, so we leave those names unchanged to avoid
+  // orphaning existing containers on upgrade.
   const slug = slugifySessionKey(
-    params.cfg.scope === "shared"
-      ? `shared:${params.workspaceDir}`
+    params.cfg.scope === "session"
+      ? scopeKey
       : `${scopeKey}:${params.workspaceDir}`,
   );
   const name = `${params.cfg.docker.containerPrefix}${slug}`;