fix(docker): pin container-side workspace and config dirs in compose

lonexreb · lonexreb · commit 18347cf45100 · 2026-05-04T12:58:09.000-05:00
scripts/docker/setup.sh writes the host-side OPENCLAW_WORKSPACE_DIR and OPENCLAW_CONFIG_DIR (e.g. /Users/<you>/.openclaw/...) into .env so Compose can use them as bind-mount sources. Both gateway and CLI services then imported the same .env via env_file, so inside the Linux container the env vars carried host-style paths. After 04.29 this regressed: the first agent reply died with 'EACCES: permission denied, mkdir /Users' when the wizard or runtime resolved a workspace from those env values. Override OPENCLAW_CONFIG_DIR and OPENCLAW_WORKSPACE_DIR in the environment: block on both services so the container always sees /home/node/.openclaw and /home/node/.openclaw/workspace, regardless of what .env carries for Compose substitution. Compose's environment: takes precedence over env_file:, so the bind-mount source still uses the host path while the in-container env stays correct. Add a sync test alongside the existing docker-compose contract tests that locks the override on both services so this contract cannot regress silently. Fixes #77436.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -51,6 +51,7 @@ Docs: https://docs.openclaw.ai
 - fix(device-pair): require pairing scope for pair command [AI]. (#76377) Thanks @pgondhi987.
 - fix(qqbot): keep private commands off framework surface [AI]. (#77212) Thanks @pgondhi987.
 - Memory/wiki: preserve representation from both corpora in `corpus=all` searches while backfilling unused result capacity, so memory hits are not starved by numerically higher wiki integer scores. Fixes #77337. Thanks @hclsys.
+- Docker/compose: pin container-side `OPENCLAW_CONFIG_DIR` and `OPENCLAW_WORKSPACE_DIR` on both gateway and CLI services so the host paths written into `.env` by `scripts/docker/setup.sh` (used as Compose bind-mount sources) cannot leak into runtime code via the `env_file` import. Fixes regressions on macOS Docker setups where the first agent reply died with `EACCES: permission denied, mkdir '/Users'` because the host-style workspace path got persisted into `agents.defaults.workspace`. Fixes #77436. Thanks @lonexreb.
 - Telegram: clean up tool-only draft previews after assistant message boundaries so transient `Surfacing...` tool-status bubbles do not linger when no matching final preview arrives. Thanks @BunsDev.
 - Cron: surface failed isolated-run diagnostics in `cron show`, status, and run history when requested tools are unavailable, so blocked cron runs report the actual tool-policy failure instead of a misleading green result. Fixes #75763. Thanks @RyanSandoval.
 - TUI/escape abort: track the in-flight runId after `chat.send` resolves so pressing Esc during the gap before the first gateway event aborts the run instead of repeatedly printing `no active run`. Fixes #1296. Thanks @Lukavyi and @romneyda.
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -8,6 +8,14 @@ services:
     environment:
       HOME: /home/node
       TERM: xterm-256color
+      # Pin container-side workspace and config paths so host values written to
+      # `.env` (used by Compose for the bind-mount source below) cannot leak
+      # into runtime code that resolves these env vars inside the container.
+      # Without this override, a macOS host path like /Users/<you>/.openclaw/...
+      # imported from .env caused first-reply `mkdir '/Users'` EACCES failures
+      # in Linux Docker (#77436).
+      OPENCLAW_CONFIG_DIR: /home/node/.openclaw
+      OPENCLAW_WORKSPACE_DIR: /home/node/.openclaw/workspace
       OPENCLAW_GATEWAY_TOKEN: ${OPENCLAW_GATEWAY_TOKEN:-}
       OPENCLAW_ALLOW_INSECURE_PRIVATE_WS: ${OPENCLAW_ALLOW_INSECURE_PRIVATE_WS:-}
       # Empty means auto: Bonjour disables itself in detected containers.
@@ -85,6 +93,10 @@ services:
     environment:
       HOME: /home/node
       TERM: xterm-256color
+      # Pin container-side workspace and config paths so host values written to
+      # `.env` cannot leak into runtime code via the env_file import (#77436).
+      OPENCLAW_CONFIG_DIR: /home/node/.openclaw
+      OPENCLAW_WORKSPACE_DIR: /home/node/.openclaw/workspace
       OPENCLAW_GATEWAY_TOKEN: ${OPENCLAW_GATEWAY_TOKEN:-}
       OPENCLAW_ALLOW_INSECURE_PRIVATE_WS: ${OPENCLAW_ALLOW_INSECURE_PRIVATE_WS:-}
       BROWSER: echo
diff --git a/src/docker-setup.e2e.test.ts b/src/docker-setup.e2e.test.ts
@@ -623,4 +623,16 @@ describe("scripts/docker/setup.sh", () => {
     const compose = await readFile(join(repoRoot, "docker-compose.yml"), "utf8");
     expect(compose.match(/TZ: \$\{OPENCLAW_TZ:-UTC\}/g)).toHaveLength(2);
   });
+
+  it("pins container-side workspace and config dirs on both services so host .env paths cannot leak (#77436)", async () => {
+    const compose = await readFile(join(repoRoot, "docker-compose.yml"), "utf8");
+    // Both gateway and CLI services must override the env_file values with the
+    // canonical container paths so a host-style OPENCLAW_WORKSPACE_DIR like
+    // `/Users/<you>/.openclaw/workspace` written to `.env` by docker-setup.sh
+    // cannot reach runtime code inside Linux Docker.
+    expect(compose.match(/OPENCLAW_CONFIG_DIR: \/home\/node\/\.openclaw$/gm)).toHaveLength(2);
+    expect(
+      compose.match(/OPENCLAW_WORKSPACE_DIR: \/home\/node\/\.openclaw\/workspace$/gm),
+    ).toHaveLength(2);
+  });
 });
