Spawn agents — local-first, by default
mooter spawn "fix bug in Hero.tsx" classifies the task with the same classify.js doctrine that routes everything else, cuts an isolated git worktree, wraps the process in a 4-layer sandbox, and streams the output to a log you can tail.
The 4 mandatory layers
- Network egress — --unshare-net for pure-compute spawns.
- Filesystem — read-only root; the worktree is the single writable mount; secret dirs masked.
- Secrets — cleared env + whitelist; ANTHROPIC_API_KEY never reaches a local spawn.
- Config — settings.json read-only.
There is no --no-sandbox. Run mooter security spawn-test to verify the sandbox blocks the escape — on real bubblewrap, every release.
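The four layers listed above map onto standard bubblewrap options. The sketch below is an added example, not mooter's own code: the function names, the env allowlist and every path are assumptions constructed for illustration.

```javascript
// Added illustration, NOT mooter's implementation: builds a bubblewrap (bwrap) argv
// for the four layers. Paths and the env allowlist are constructed sample values.
const ENV_ALLOWLIST = ["PATH", "HOME", "LANG", "TERM"]; // assumed allowlist

function buildBwrapArgs({ worktree, settingsPath, secretDirs, pureCompute, hostEnv, command }) {
  const args = ["--die-with-parent", "--new-session"];
  // Layer 1, network egress: a pure-compute spawn gets an empty network namespace.
  if (pureCompute) args.push("--unshare-net");
  // Layer 2, filesystem. bwrap applies mounts in order, so later entries win:
  // read-only root first, then masks over secret dirs, then the one writable mount.
  args.push("--ro-bind", "/", "/", "--dev", "/dev", "--proc", "/proc");
  for (const dir of secretDirs) args.push("--tmpfs", dir); // empty tmpfs hides contents
  args.push("--bind", worktree, worktree, "--chdir", worktree);
  // Layer 4, config: re-bind settings.json read-only AFTER the worktree bind,
  // so it stays read-only even when it lives inside the writable worktree.
  args.push("--ro-bind", settingsPath, settingsPath);
  // Layer 3, secrets: start from an empty environment, copy allowlisted names only.
  args.push("--clearenv");
  for (const name of ENV_ALLOWLIST) {
    if (hostEnv[name] !== undefined) args.push("--setenv", name, hostEnv[name]);
  }
  return ["bwrap", ...args, "--", ...command];
}

// Audit helper: which variable names does an argv pass into the sandbox?
function exportedEnvNames(argv) {
  const names = [];
  const end = argv.indexOf("--");
  for (let i = 0; i < end; i++) {
    if (argv[i] === "--setenv") { names.push(argv[i + 1]); i += 2; }
  }
  return names;
}

// Constructed sample input.
const sampleArgv = buildBwrapArgs({
  worktree: "/tmp/example-worktree",
  settingsPath: "/tmp/example-worktree/settings.json",
  secretDirs: ["/home/dev/.ssh", "/home/dev/.aws"],
  pureCompute: true,
  hostEnv: { PATH: "/usr/bin:/bin", HOME: "/home/dev", ANTHROPIC_API_KEY: "sk-constructed-example" },
  command: ["node", "--version"],
});
console.log(sampleArgv.join(" "));
```

Because the environment is built from an allowlist rather than filtered by a denylist, a secret added to the host environment later is excluded without any change to the code.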