Description
Summary
After upgrading to 2026.2.26, FS tools remain restricted to the agent workspace even when tools.fs.workspaceOnly=false (and tools.exec.applyPatch.workspaceOnly=false) with sandbox mode off.
Steps to reproduce
- Set config:
  - tools.fs.workspaceOnly=false
  - tools.exec.applyPatch.workspaceOnly=false
- Restart gateway and confirm config is loaded.
- Verify sandbox mode is off via openclaw sandbox explain.
- Call FS tool write with path /tmp/openclaw-write-test.txt.
Expected behavior
With sandbox off and both workspaceOnly flags set to false, FS operations should be allowed outside the workspace (or docs should clearly state otherwise).
Actual behavior
write fails with: Path escapes workspace root: /tmp
OpenClaw version
2026.2.26 (bc50708)
Operating system
Ubuntu 24.04
Install method
npm global
Logs, screenshots, and evidence
- openclaw sandbox explain output shows:
  - runtime: direct
  - mode: off
  - workspaceAccess: none
  - sessionKey/mainSessionKey: agent:first:main
- openclaw gateway status shows CLI config and service config pointing to same file.
- Relevant config values are confirmed as:
  - tools.fs.workspaceOnly=false
  - tools.exec.applyPatch.workspaceOnly=false
- Repro error message: Path escapes workspace root: /tmp
Impact and severity
Affected: users expecting host-level FS access outside workspace in direct runtime
Severity: Medium–High (blocks expected file workflows and automation)
Frequency: 100% reproducible
Consequence: cannot write/read/edit files outside workspace despite explicit config, causing failed automations and confusion about config behavior
Additional information
Unclear whether this is intended behavior (hard workspace boundary for FS tools) or a regression/bug where tools.fs.workspaceOnly is not applied in this runtime mode.
If intended, documentation should clarify the exact scope difference between FS tools and exec.applyPatch.