fix: harden workspace boundary path resolution

src/agents/sandbox/host-paths.ts

@@ -1,5 +1,5 @@
-import { existsSync, realpathSync } from "node:fs";
 import { posix } from "node:path";
+import { resolvePathViaExistingAncestorSync } from "../../infra/boundary-path.js";
 
 /**
  * Normalize a POSIX host path: resolve `.`, `..`, collapse `//`, strip trailing `/`.
@@ -17,31 +17,5 @@ export function resolveSandboxHostPathViaExistingAncestor(sourcePath: string): s
   if (!sourcePath.startsWith("/")) {
     return sourcePath;
   }
-
-  const normalized = normalizeSandboxHostPath(sourcePath);
-  let current = normalized;
-  const missingSegments: string[] = [];
-
-  while (current !== "/" && !existsSync(current)) {
-    missingSegments.unshift(posix.basename(current));
-    const parent = posix.dirname(current);
-    if (parent === current) {
-      break;
-    }
-    current = parent;
-  }
-
-  if (!existsSync(current)) {
-    return normalized;
-  }
-
-  try {
-    const resolvedAncestor = normalizeSandboxHostPath(realpathSync.native(current));
-    if (missingSegments.length === 0) {
-      return resolvedAncestor;
-    }
-    return normalizeSandboxHostPath(posix.join(resolvedAncestor, ...missingSegments));
-  } catch {
-    return normalized;
-  }
+  return normalizeSandboxHostPath(resolvePathViaExistingAncestorSync(sourcePath));
 }