tools.fs.workspaceOnly: false does not propagate to Write/Edit tool operations

[richydeeee]

Bug Description

tools.fs.workspaceOnly: false in config does not allow Write/Edit tools to write outside the workspace root. The setting is accepted by the config schema but never reaches the operation factories that enforce path boundaries.

Steps to Reproduce

1. Set tools.fs.workspaceOnly: false globally and per-agent in config
2. Attempt to use the Write tool to write to /tmp/test.txt (or any path outside workspace)
3. Error: Path escapes workspace root: /tmp

Expected Behavior

Write/Edit tools should allow writing to arbitrary paths when workspaceOnly is false.

Actual Behavior

toRelativePathInRoot() always enforces workspace boundaries regardless of the workspaceOnly config value.

Root Cause Analysis

The config value is correctly resolved by resolveToolFsConfig() and consumed by createToolFsPolicy(). However, in createOpenClawCodingTools() (in subagent-registry-*.js), the workspaceOnly variable is used for the wrapToolWorkspaceRootGuard wrapper but is not passed through to createHostWorkspaceWriteTool() / createHostWorkspaceEditTool(), which in turn call createHostWriteOperations(root) / createHostEditOperations(root) without any opts parameter.

The operation factories unconditionally use toRelativePathInRoot() and writeFileWithinRoot(), which enforce workspace boundaries regardless of config.

The workspaceOnly flag only controls whether wrapToolWorkspaceRootGuard is applied (an outer wrapper), but the inner operations themselves always enforce the boundary — making the outer guard redundant and the config ineffective.

Affected Files (v2026.2.26)

• dist/subagent-registry-CVXe4Cfs.js — createHostWriteOperations(root), createHostEditOperations(root), createHostWorkspaceWriteTool(root), createHostWorkspaceEditTool(root)
• Same pattern in dist/reply-Deht_wOB.js, dist/pi-embedded-CaI0IFWw.js, dist/pi-embedded-CQnl8oWA.js

Suggested Fix

Pass { workspaceOnly } opts through the chain:

1. createHostWorkspaceWriteTool(root, opts) → createHostWriteOperations(root, opts)
2. When opts.workspaceOnly === false, use raw fs.writeFile/fs.mkdir/fs.readFile instead of writeFileWithinRoot/toRelativePathInRoot

Workaround

Use exec tool with inline shell commands (e.g. echo 'content' > /path/to/file) instead of Write/Edit tools for paths outside workspace.

Environment

• OpenClaw v2026.2.26 (bc50708)
• macOS Darwin 25.3.0 (arm64)
• Node v22.15.0

[claw-bft]

Excellent root cause analysis! You've identified a classic config propagation bug where the outer guard wrapper uses the flag but the inner operations don't receive it.

Looking at the affected files you mentioned, here's a more complete fix that maintains backward compatibility:

// In subagent-registry-*.js

function createHostWorkspaceWriteTool(root: string, opts?: { workspaceOnly?: boolean }) {
  const operations = createHostWriteOperations(root, opts);
  
  // If workspaceOnly is explicitly false, skip the root guard entirely
  if (opts?.workspaceOnly === false) {
    return operations;
  }
  
  // Otherwise wrap with the guard
  return wrapToolWorkspaceRootGuard(operations, root);
}

function createHostWriteOperations(root: string, opts?: { workspaceOnly?: boolean }) {
  // When workspaceOnly is false, use raw fs operations
  if (opts?.workspaceOnly === false) {
    return {
      async writeFile(filePath: string, content: string) {
        // No path validation - direct fs write
        await fs.mkdir(path.dirname(filePath), { recursive: true });
        await fs.writeFile(filePath, content, 'utf-8');
      },
      async readFile(filePath: string) {
        return fs.readFile(filePath, 'utf-8');
      }
    };
  }
  
  // Original workspace-only implementation
  return {
    async writeFile(filePath: string, content: string) {
      const relativePath = toRelativePathInRoot(filePath, root);
      await writeFileWithinRoot(root, relativePath, content);
    },
    async readFile(filePath: string) {
      const relativePath = toRelativePathInRoot(filePath, root);
      return readFileWithinRoot(root, relativePath);
    }
  };
}

Key insight: The current architecture has two layers of workspace enforcement:

1. The outer wrapToolWorkspaceRootGuard (which respects workspaceOnly)
2. The inner toRelativePathInRoot/writeFileWithinRoot (which doesn't)

Your fix addresses the inner layer, which is correct. However, I'd suggest also checking if the outer guard can be skipped entirely when workspaceOnly: false to avoid double work.

Testing suggestion:

// Test case to verify the fix
const tool = createHostWorkspaceWriteTool('/workspace', { workspaceOnly: false });
await tool.writeFile('/tmp/outside-workspace.txt', 'test'); // Should succeed
await tool.writeFile('/workspace/inside.txt', 'test'); // Should also succeed

This is definitely a bug - the config schema accepts workspaceOnly: false but the implementation silently ignores it. Thanks for the detailed report!

[bmendonca3]

I tried to reproduce this on current main and could not reproduce the reported behavior.

What I verified locally:

• tools.fs.workspaceOnly is currently wired as an opt-in guard in src/agents/pi-tools.ts (workspaceOnly = fsConfig.workspaceOnly === true), so default behavior does not enforce workspace-only boundaries.
• Ran the dedicated regression suite:

pnpm vitest run src/agents/pi-tools.sandbox-mounted-paths.workspace-only.test.ts

Result: all tests passed (4 passed), including:

• default behavior allows mounted paths outside workspace root
• workspaceOnly: true blocks reads/writes/edits outside workspace root

So based on current source + tests, workspaceOnly: false behavior appears to be functioning as intended now.

[steipete]

Duplicate of #29817 (same tools.fs.workspaceOnly:false regression). Closing to consolidate. This is an AI-assisted triage review. If we got this wrong, feel free to reopen.