tools.fs.workspaceOnly defaults to restricted when unset, contradicting documented default

[deltaclaw]

Bug: tools.fs.workspaceOnly defaults to restricted even when unset

Observed behavior

When tools.fs.workspaceOnly is not configured (neither globally at tools.fs.workspaceOnly nor per-agent at agents.list[].tools.fs.workspaceOnly), the write and edit tools reject paths outside the agent workspace with:

Path escapes workspace root: /tmp

Expected behavior

Per the type definition in src/config/types.tools.ts, the documented default is false (unrestricted):

export type FsToolsConfig = {
  /**
   * Restrict filesystem tools (read/write/edit/apply_patch) to the agent workspace directory.
   * Default: false (unrestricted, matches legacy behavior).
   */
  workspaceOnly?: boolean;
};

When not set, agents should be able to write outside their workspace (matching legacy behavior).

Root cause

There is a mismatch between the policy resolution layer and the implementation layer:

Policy layer (src/agents/tool-fs-policy.ts:10) correctly resolves undefined to false:

export function createToolFsPolicy(params: { workspaceOnly?: boolean }): ToolFsPolicy {
  return {
    workspaceOnly: params.workspaceOnly === true, // undefined === true → false ✓
  };
}

Implementation layer (src/agents/pi-tools.read.ts:761) treats undefined as true:

function createHostWriteOperations(root: string, options?: { workspaceOnly?: boolean }) {
  const workspaceOnly = options?.workspaceOnly !== false; // undefined !== false → true ✗
  // ...

The !== false guard means only an explicit false unlocks writes. If undefined arrives at this function (through any code path that doesn't go through the policy layer), it silently defaults to restricted.

The same pattern exists in createHostEditOperations and createHostReadOperations.

#28822 partially addressed this for the explicit workspaceOnly: false case, but the default/unset case still behaves as restricted.

Reproduction

# No tools.fs.workspaceOnly set in config
openclaw agent --agent main -m "Write a file at /tmp/test.txt with content 'ok'"
# → "Path escapes workspace root: /tmp"

Agent config:

{
  "id": "main",
  "tools": { "allow": ["*"] }
  // No sandbox, no tools.fs config
}

Global config: no tools.fs section set.

Suggested fix

Either:

A) Change the implementation guard to match the documented default:

const workspaceOnly = options?.workspaceOnly ?? false;

B) Or, if restricted-by-default is the intended secure posture, update the type documentation and ensure the policy layer matches:

// types.tools.ts
workspaceOnly?: boolean; // Default: true (restricted to workspace)

Environment

• OpenClaw version: 2026.2.27
• Platform: Ubuntu 24.04 (Linux)
• Agent sandbox mode: off (default)

[steipete]

Fixed and landed on main. Thanks for the report.

Landing details:

• PR: fix: align fs workspaceOnly default with documented policy #31128
• SHA: 65e13c7b6

[anyech]

+1 — Confirming This Issue (Single-User VPS Deployment)

Affected Deployment:

• OpenClaw Version: 2026.2.26
• Host: Ubuntu 22.04 LTS VPS (arm64)
• Trust Model: Single trusted operator (personal assistant)
• Workspace: ~/.openclaw/workspace

---

Impact on Our Deployment

Use Case: Blog publishing workflow

Problem: Agent cannot use edit tool on files outside workspace root, even for legitimate single-user workflows.

Example Error:

⚠️ 📝 Edit: in ~/[blog-directory]/index.html (1036 chars) failed: 
File not found: /home/[user]/[blog-directory]/index.html

Root Cause: Path validation rejects absolute paths outside workspace, forcing agent to fall back to exec + cat/sed commands.

Impact:

• Significantly higher token usage (exec commands vs. native edit tool)
• Less reliable file operations (no atomic edits, no diff/patch)
• Increased friction for common single-user workflows (blog publishing, code maintenance)
• Agent must "figure out alternative ways" instead of using purpose-built tools

---

Configuration Attempted

{
  "tools": {
    "fs": {
      "workspaceOnly": false  // Explicitly set to allow outside-workspace edits
    }
  },
  "agents": {
    "defaults": {
      "workspace": "~/.openclaw/workspace"
    }
  }
}

Result: Still fails with "Path escapes workspace root" error, confirming the bug described in #30927 and #30416.

---

Trust Model Context

Why workspaceOnly: false is appropriate for our deployment:

Per OpenClaw security docs, the workspace restriction is designed for:

• Multi-user deployments with adversarial users
• Preventing prompt injection from untrusted senders
• Limiting blast radius in shared environments

Our deployment:

• ✅ Single trusted operator (no adversarial users)
• ✅ VPS isolated (no other users on host)
• ✅ Gateway on loopback only
• ✅ Telegram allowlist configured (only trusted sender)
• ✅ No public exposure

Risk Assessment: For single-trusted-user VPS deployments, allowing file access outside workspace is low risk because:

• No untrusted users can message the bot
• Host is already isolated from other systems
• Operator trusts themselves not to prompt-inject themselves

---

Request

Please prioritize this fix for single-user deployments where:

1. Operator explicitly sets tools.fs.workspaceOnly: false
2. Trust model is single trusted operator (not multi-tenant)
3. Files outside workspace are legitimate work targets (blog, code repos, etc.)

Current workaround: Using symlinks to bring external files into workspace, but this is unintuitive and breaks some tooling.

---

Related Issues

• tools.fs.workspaceOnly defaults to restricted when unset, contradicting documented default #30927: tools.fs.workspaceOnly defaults to restricted when unset
• Regression: tools.fs.workspaceOnly=false still blocks write/edit outside workspace (Path escapes workspace root) #30416: workspaceOnly=false still blocks write/edit outside workspace
• tools.fs.workspaceOnly: false does not allow write/edit outside workspace (regression in pi-* 0.55.1) #29817: Regression in pi-* 0.55.1

All appear to have the same root cause: implementation layer treats undefined as true (restricted), contradicting documented default.

---

Deployment context: Single-user personal assistant, VPS-hosted, trusted operator model