feat: require sandbox_create approval before sandbox operations

agent/tools/sandbox_tool.py

@@ -149,14 +149,11 @@ def _make_tool_handler(sandbox_tool_name: str):
     """Factory: create a handler for a sandbox operation tool."""
 
     async def handler(args: dict[str, Any], session: Any = None) -> tuple[str, bool]:
-        # Auto-create sandbox if not present
-        try:
-            sb, error = await _ensure_sandbox(session)
-        except Exception as e:
-            return f"Failed to auto-create sandbox: {e}", False
+        # Require sandbox to exist — user must approve sandbox_create first
+        if not session or not getattr(session, "sandbox", None):
+            return "No sandbox running. Call sandbox_create first to start one.", False
 
-        if error:
-            return error, False
+        sb = session.sandbox
 
         try:
             result = await asyncio.to_thread(sb.call_tool, sandbox_tool_name, args)

frontend/src/components/Chat/ToolCallGroup.tsx

@@ -104,6 +104,20 @@ function InlineApproval({
 
   return (
     <Box sx={{ px: 1.5, py: 1.5, borderTop: '1px solid var(--tool-border)' }}>
+      {toolName === 'sandbox_create' && args && (
+        <Box sx={{ mb: 1.5 }}>
+          <Typography variant="body2" sx={{ color: 'var(--muted-text)', fontSize: '0.75rem', mb: 1 }}>
+            Create sandbox on{' '}
+            <Box component="span" sx={{ fontWeight: 500, color: 'var(--text)' }}>
+              {String(args.hardware || 'cpu-basic')}
+            </Box>
+            {args.private && (
+              <Box component="span" sx={{ color: 'var(--muted-text)' }}> (private)</Box>
+            )}
+          </Typography>
+        </Box>
+      )}
+
       {toolName === 'hf_jobs' && args && (
         <Box sx={{ mb: 1.5 }}>
           <Typography variant="body2" sx={{ color: 'var(--muted-text)', fontSize: '0.75rem', mb: 1 }}>