pub const VFS: &str = "# kaish Virtual Filesystem (VFS)\n\n## Modes\n\n| Mode | Access | Context |\n|------|--------|---------|\n| **Passthrough** | Full filesystem | REPL (human) |\n| **Sandboxed** | `$HOME` + `/tmp` only | MCP (agent) |\n| **NoLocal** | Memory only | Tests |\n\nIn sandboxed mode, paths look native but access outside `$HOME` fails (except `/tmp`).\n\n## Mount Points\n\n```\n/home/user/ real filesystem (sandboxed to $HOME in MCP mode)\n/tmp/ real /tmp (always accessible, tmpfs on Linux)\n/v/blobs/ memory storage for blobs\n/v/bin/ read-only listing of builtins (can invoke: /v/bin/echo hello)\n/v/jobs/{id}/ live background job state (see below)\n```\n\nGit is the `git` *builtin* (`git status`, `git log`, `git diff`), not a VFS mount.\n\n## /v/jobs \u{2014} Job Observability\n\nEach background job gets a directory:\n\n```\n/v/jobs/{id}/stdout live output (ring buffer, 10MB max)\n/v/jobs/{id}/stderr live error stream\n/v/jobs/{id}/status \"running\" | \"done:0\" | \"failed:N\"\n/v/jobs/{id}/command original command string\n```\n\n```bash\ncargo build &\ncat /v/jobs/1/status # running\ncat /v/jobs/1/stdout # build output so far\njobs --cleanup # remove completed jobs\n```\n\n## /tmp \u{2014} Interop\n\n`/tmp` is the only path outside `$HOME` accessible in sandboxed mode. Use it for data exchange with external commands.\n\n```bash\nwrite /tmp/data.json \'{\"key\": \"value\"}\'\njq \'.key\' /tmp/data.json\n```\n\n## Sandbox Limitations\n\n**External binaries bypass the VFS sandbox.** Sandboxed mode restricts kaish builtins to `$HOME` + `/tmp`, but external commands (anything resolved via PATH), `exec`, and `spawn` access the real filesystem directly.\n\nTo block external command execution, set `allow_external_commands=false` in `KernelConfig`:\n\n```rust\nKernelConfig::mcp().with_allow_external_commands(false)\n```\n\nWhen disabled, PATH lookups return \"command not found\" and the `exec`/`spawn` builtins return errors. `KernelConfig::isolated()` sets this to `false` by default.\n\nPrefer builtins over external commands \u{2014} kaish\'s in-process builtins (grep, sed, jq, etc.) respect VFS boundaries.\n";