fix(sandbox): make missing sandbox.mounts host_path a loud ERROR (#3244) (#3250)

In Docker production deployments, LocalSandboxProvider runs inside the
deer-flow-gateway container, so any `sandbox.mounts[].host_path` from
config.yaml is resolved against the gateway container's filesystem — not
the host machine. When the path isn't also bind-mounted into the gateway
service, the mount was silently dropped with only a WARNING log, leaving
agents reading an empty directory in production while the same config
worked under `make dev`.

Escalate the missing-host_path branch to logger.error with explicit
guidance about Docker bind mounts and docker-compose, so the failure is
hard to miss in default log configurations. Skip behaviour is preserved
to avoid breaking existing deployments.

Also clarify the misleading `VolumeMountConfig.host_path` field
description so it documents reality for both providers:

  - LocalSandboxProvider checks host_path from inside the gateway process
    (host in `make dev`, container in `make up`).
  - AioSandboxProvider (DooD) passes host_path straight to `docker -v`
    for the sandbox container, where the host Docker daemon resolves it
    from the host machine's perspective.

config.example.yaml's `sandbox.mounts` comment gets a Note: block
pointing operators at the docker-compose bind-mount requirement so the
Docker-mode gotcha is discoverable from the canonical template.

Adds a regression test that:
  - confirms missing host_path is still skipped (no behaviour break);
  - asserts an ERROR record is emitted referencing the offending paths;
  - asserts the message contains actionable Docker/gateway/docker-compose
    keywords so future refactors can't quietly downgrade it.

Refs: https://github.com/bytedance/deer-flow/issues/3244

backend/packages/harness/deerflow/config/sandbox_config.py

@@ -4,7 +4,20 @@ from pydantic import BaseModel, ConfigDict, Field
 class VolumeMountConfig(BaseModel):
     """Configuration for a volume mount."""
 
-    host_path: str = Field(..., description="Path on the host machine")
+    host_path: str = Field(
+        ...,
+        description=(
+            "Source path for the mount. Resolution depends on the active provider: "
+            "``LocalSandboxProvider`` checks this path from the gateway process — in "
+            "``make dev`` that is the host machine, but in Docker deployments "
+            "(``make up`` / docker-compose) it is the path *inside* the "
+            "``deer-flow-gateway`` container, so the host directory must also be "
+            "bind-mounted into the gateway service for the mount to take effect. "
+            "``AioSandboxProvider`` (DooD) passes this value straight to ``docker -v`` "
+            "for the sandbox container, where it is resolved by the host Docker daemon "
+            "from the host machine's perspective."
+        ),
+    )
     container_path: str = Field(..., description="Path inside the container")
     read_only: bool = Field(default=False, description="Whether the mount is read-only")
 

backend/packages/harness/deerflow/sandbox/local/local_sandbox_provider.py

@@ -147,7 +147,17 @@ class LocalSandboxProvider(SandboxProvider):
                             mount.container_path,
                         )
                         continue
-                    # Ensure the host path exists before adding mapping
+                    # Ensure the host path exists before adding mapping.
+                    #
+                    # ``host_path`` is resolved against the filesystem of the
+                    # process running this provider — for ``make dev`` that is
+                    # the host machine, but for ``make up`` it is the
+                    # ``deer-flow-gateway`` container, so any host path that
+                    # isn't bind-mounted into the gateway image will be missing
+                    # here. Skipping silently makes this a high-cost-to-debug
+                    # silent failure (sandbox skill / tool reads an empty dir
+                    # instead of the configured mount), so escalate to ERROR
+                    # and include actionable guidance. See #3244.
                     if host_path.exists():
                         mappings.append(
                             PathMapping(
@@ -157,10 +167,16 @@ class LocalSandboxProvider(SandboxProvider):
                             )
                         )
                     else:
-                        logger.warning(
-                            "Mount host_path does not exist, skipping: %s -> %s",
+                        logger.error(
+                            "sandbox.mounts entry %s -> %s ignored: host_path %s does not exist from the "
+                            "perspective of the gateway process. In Docker deployments (make up / docker-compose), "
+                            "this path must also be bind-mounted into the gateway container — add a matching "
+                            "volume entry under services.gateway.volumes in docker/docker-compose.yaml (and use "
+                            "the in-container path here), or run in local mode (make dev) where the gateway sees "
+                            "the host filesystem directly.",
                             mount.host_path,
                             mount.container_path,
+                            mount.host_path,
                         )
         except Exception as e:
             # Log but don't fail if config loading fails