write tool rejects paths outside workspace root (e.g. Obsidian vault)

[nilsh895]

Describe the bug

The write tool (file write) refuses to write to any path outside the configured workspace root (~/openclaw/workspace), even when those paths are legitimate, user-configured locations like the Obsidian vault.

Steps to Reproduce

1. Configure an Obsidian vault at /home/openclaw/.openclaw/obsidian-vault/
2. Try to write a file to that path using the write tool
3. Error: Path escapes workspace root: /home/openclaw/.openclaw/obsidian-vault

Expected Behavior

The write tool should be able to write to any path the agent has access to, or at minimum respect configured integration paths (like the Obsidian vault path) as trusted locations.

Actual Behavior

{
  "status": "error",
  "tool": "write",
  "error": "Path escapes workspace root: /home/openclaw/.openclaw/obsidian-vault"
}

Workaround

Using exec with a heredoc works, but is clunky and bypasses any write tool safety logic:

cat > /home/openclaw/.openclaw/obsidian-vault/MyNote.md << 'EOF'
content here
EOF

Context

• OpenClaw version: 2026.2.24 (51d76eb)
• OS: Linux 6.8.0-100-generic (x64)
• Workspace root: /home/openclaw/.openclaw/workspace
• Obsidian vault path: /home/openclaw/.openclaw/obsidian-vault/