fix(sandbox): pass real workspace to sessions_spawn when workspaceAccess is ro#40601
fix(sandbox): pass real workspace to sessions_spawn when workspaceAccess is ro#40601dsantoreis wants to merge 6 commits intoopenclaw:mainfrom
Conversation
…ration retry Covers the two safety guards introduced to fix openclaw#40037: - Last-tab guard: isLastRemainingTab prevents Target.closeTarget from killing the browser process when only one tab remains. Tests cover single tab, multiple tabs, null/sparse entries, empty array, and non-array defensive cases. - Rehydration retry: isMissingTabError classifies debugger errors so validateAttachedTab knows when to retry (transient busy/navigation) vs give up immediately (tab genuinely gone). Tests cover all known error message patterns. - Reconnect backoff: exponential delay curve stays within bounds and never goes negative. All 32 extension tests pass (15 new + 11 existing utils + 6 options).
The allowInsecurePath approach (5a353d0) is correct but depends on resolve.ts passing the flag through to assertSecurePath in readFileProviderPayload. That fix is tracked in PR openclaw#40486. Until it lands, add the platform skip guard so Windows CI is unblocked now.
…Windows Adds two test cases for resolveGatewayStateDir when only USERPROFILE is set (no HOME), which is the normal Windows environment. Specifically guards against the path concatenation bug reported in openclaw#40563 where the state dir was resolved as C:\Users\alice.openclaw instead of C:\Users\alice\.openclaw. The tests verify that the separator between the username and .openclaw is never missing, regardless of whether the username is alphabetic or numeric.
…ess is ro When a session runs inside a read-only sandbox, the effective workspace (passed to file tools) is the sandboxed copy of the workspace directory, not the actual agent workspace. Before this change, createSessionsSpawnTool received the sandboxed copy as its workspaceDir, which subagents would then inherit as their sandbox agentWorkspaceDir. This caused the /agent/ mount in subagent containers to point to the parent session's sandbox dir instead of the actual configured workspace (regression since v2026.3.7). Fix: thread a separate spawnWorkspaceDir through createOpenClawCodingTools → createOpenClawTools → createSessionsSpawnTool. In attempt.ts, when a read-only sandbox is active, spawnWorkspaceDir is set to resolvedWorkspace (the real workspace) so spawned subagents inherit the correct path. File tools continue to use effectiveWorkspace (the sandbox copy) for isolation. Fixes openclaw#40582.
openclaw-barnacle
bot
added
app: macos
|
Closing this PR because the author has more than 10 active PRs in this repo. Please reduce the active PR queue and reopen or resubmit once it is back under the limit. You can close your own PRs to get back under the limit. |
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 1d88da482f
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| spawnWorkspaceDir: | ||
| sandbox?.enabled && sandbox.workspaceAccess !== "rw" ? resolvedWorkspace : undefined, |
There was a problem hiding this comment.
The new spawnWorkspaceDir override is applied whenever workspaceAccess !== "rw", which includes workspaceAccess: "none" (the default sandbox mode). In none, the parent agent can write to its sandbox workspace, and subagents are expected to inherit that effective workspace; forcing resolvedWorkspace here makes children re-seed from the host workspace instead, so they miss parent sandbox edits and break parent→child handoff flows. This should be limited to the "ro" case described in the fix rationale.
Useful? React with 👍 / 👎.
Greptile SummaryThis PR fixes a regression (introduced in v2026.3.7) where spawned subagents in a read-only sandbox session inherited the sandbox copy of the workspace directory instead of the real agent workspace path. Core fix (pi-tools.ts, attempt.ts, openclaw-tools.ts): Threads a new Verification: The PR includes many test additions and other changes beyond the core sandbox fix, but the sandbox workspace mechanism itself is sound. Confidence Score: 5/5
Last reviewed commit: 1d88da4 |
1 participant
When a session runs inside a read-only sandbox, the effective workspace sent to file tools is the sandboxed copy of the workspace directory, not the actual agent workspace. Before this change,
createSessionsSpawnToolreceived the sandboxed copy as itsworkspaceDir, which subagents then inherited as theiragentWorkspaceDir. This caused the/agent/mount in subagent Docker containers to point to the parent session's sandbox dir instead of the configured workspace (regression since v2026.3.7).The docker inspect symptoms from #40582:
Root cause: commit
fee91fefc(context plugin system, v2026.3.7) addedworkspaceDir: effectiveWorkspaceto the tools call inattempt.ts. WhenworkspaceAccess === "ro",effectiveWorkspace = sandbox.workspaceDir(sandbox copy), which propagated intocreateSessionsSpawnToolas the workspace for subagents to inherit.Fix: add a
spawnWorkspaceDirfield threaded throughcreateOpenClawCodingTools→createOpenClawTools→createSessionsSpawnTool. Inattempt.ts, when a read-only sandbox is active,spawnWorkspaceDiris set toresolvedWorkspace(the real workspace path). File tools continue to useeffectiveWorkspace(the sandbox copy) for isolation. No behavior change whenworkspaceAccess === "rw"or no sandbox.Testing: build passes, spawned-context and subagent tests pass. The pre-existing test failures in
pi-embedded-subscribe.*andweb-search.redirectare unrelated to this change (reproduce on main).