Sandbox write fails for existing subdirectories with workspaceAccess: rw (2026.2.26 regression)

[glitch418x]

Bug

write tool fails with "Sandbox boundary checks failed; cannot create directories: /workspace/memory/kemik" even though:

1. The directory exists on the host workspace
2. The directory exists inside the container (docker exec ... ls confirms)
3. The container user can write to it (docker exec ... touch succeeds)
4. workspaceAccess is "rw"

Regression

Worked on 2026-02-20, broke after updating to 2026.2.26. Likely caused by the security hardening in 2026.2.26:

• "Security/Sandbox path alias guard: reject broken symlink targets by resolving through existing ancestors and failing closed on out-of-root targets"
• "Security/Workspace FS boundary aliases: harden canonical boundary resolution for non-existent-leaf symlink aliases"

The new boundary checks appear to reject mkdir -p (or equivalent pre-write directory creation) for subdirectories that already exist within the workspace mount.

Config

{
  "sandbox": {
    "mode": "all",
    "workspaceAccess": "rw",
    "scope": "agent",
    "docker": {
      "network": "bridge"
    }
  }
}

Steps to Reproduce

1. Create an agent with sandbox mode: "all", workspaceAccess: "rw"
2. Ensure workspace has a subdirectory structure (e.g. memory/group-name/)
3. Use the write tool to create a file in that subdirectory
4. Observe: "Sandbox boundary checks failed; cannot create directories: /workspace/memory/group-name"

Expected

Write succeeds — the directory is within the workspace boundary and already exists.

Actual

Write rejected by sandbox boundary check before reaching the filesystem.

Environment

• OpenClaw 2026.2.26
• macOS (arm64)
• Docker (Colima)

[glitch418x]

Root Cause

Found the bug in the source. In assertPathSafety, the boundary check calls openBoundaryFile → openVerifiedFileSync, which does:

if (!preOpenStat.isFile()) return { ok: false, reason: "validation" };

When mkdirp calls assertPathSafety on a directory path, this check fails because directories are not files. The returned reason: "validation" then triggers the throw in assertPathSafety:

if (!guarded.ok) {
    if (guarded.reason !== "path" || options.allowMissingTarget === false)
        throw new Error(`Sandbox boundary checks failed; cannot ${options.action}: ${target.containerPath}`);
}

The flow is: write tool → ensureDir → mkdirp(parent) → assertPathSafety → openBoundaryFile → openVerifiedFileSync → isFile() fails for directory → boundary check rejects it.

The openVerifiedFileSync validator was designed for file paths only, but mkdirp passes directory paths through it.