fix(exec): resolve login shell PATH when exec host defaults to "sandbox" without sandbox runtime

[yarnovo]

Bug Summary

When tools.exec.host is not configured (defaults to "sandbox") and agents.defaults.sandbox.mode is "off" (default), the exec tool enters a "phantom sandbox" state where:

• No Docker sandbox is used (mode=off)
• Login shell PATH resolution does NOT run (only triggers for host === "gateway")
• process.env.PATH is used directly, which on macOS LaunchAgent is incomplete (missing nvm/fnm/volta versioned bin dirs)

This causes node (and other version-manager-installed tools) to be command not found when agents execute shell commands.

Root Cause

Two separate issues contribute:

1. LaunchAgent plist PATH construction is incomplete for nvm

The gateway's LaunchAgent plist includes ~/.nvm in PATH but NOT ~/.nvm/versions/node/<version>/bin/. The ~/.nvm directory itself doesn't contain node binaries — nvm requires sourcing nvm.sh to set the versioned PATH entry.

2. exec tool doesn't resolve login shell PATH in "phantom sandbox" mode

In src/agents/bash-tools.exec.ts:384:

if (!sandbox && host === "gateway" && !params.env?.PATH) {
  const shellPath = getShellPathFromLoginShell({...});
  applyShellPath(env, shellPath);
}

The login shell PATH resolution only runs when host === "gateway". When host defaults to "sandbox" but no actual sandbox runtime exists (mode=off, Docker not running), the code falls through without resolving the login shell PATH.

Suggested fix for issue 2

// Change condition to also cover "phantom sandbox" case:
if (!sandbox && (host === "gateway" || host === "sandbox") && !params.env?.PATH) {

Reproduction

1. Install Node.js via nvm on macOS
2. Run OpenClaw gateway as LaunchAgent (default setup)
3. Do NOT configure tools.exec.host (leave default)
4. Have an agent exec node --version
5. Result: command not found: node

Workaround

Set tools.exec.host to "gateway" in ~/.openclaw/openclaw.json:

{
  "tools": {
    "exec": {
      "host": "gateway"
    }
  }
}

Impact

Affects all users who:

• Install Node.js via nvm, fnm, or volta
• Run gateway as macOS LaunchAgent (default)
• Don't explicitly configure tools.exec.host

[benclawbot]

For the PATH issue, check your shell profile (.bashrc/.zshrc) and make sure the PATH is exported correctly. You can also try using absolute paths in your exec config.

[benclawbot]

Check your shell PATH in .bashrc or .zshrc. Export PATH properly. Need paid help? tmuxsupremeorbit@agentmail.to

[heavenlost]

We validated a broader version of this issue locally on released dist bundles, not just the PATH symptom.

What we confirmed

• Reproduced on 2026.3.11 and 2026.3.13 release installs.
• When tools.exec.host is unset, the effective host still resolves to "sandbox".
• If sandbox runtime is unavailable, exec can still fall through to direct host execution instead of failing closed.
• That means runtime behavior can diverge from:
  • approval / allowlist expectations
  • audit wording
  • operator expectations of sandbox isolation

Why this matters

This is not only a PATH-resolution problem. It also creates a hidden direct-host fallback path where operators can think sandbox / approvals are still the enforcement boundary, while runtime has already escaped that path.

Local fix that worked

We fixed it locally by making the rejection depend on the effective resolved host:

• if host === "sandbox" && !sandboxRuntime => fail closed
• do not distinguish between explicit sandbox and implicit/default sandbox at the rejection point

Why I’m commenting here

PR #23398 suggests this direction was already intended upstream, but the released dist behavior we validated in 2026.3.11 / 2026.3.13 still shows the fallback path. So this may be a regression, incomplete coverage, or a release-dist mismatch rather than a brand-new bug.

If useful, I can turn this into a minimal repro focused on:

1. implicit default sandbox
2. sandbox runtime unavailable
3. direct host fallback still occurring
4. approvals / audit mismatch

[heavenlost]

Opened a focused follow-up PR for the broader fail-closed / effective-sandbox-host regression here: #46713

[onevcat]

+1, same issue

[steipete]

Closing as superseded by the landed fix on main: 276ccd2

The PATH symptom here came from the same "phantom sandbox" branch: implicit exec was still flowing through a sandbox-named default path even when no sandbox runtime existed, so it skipped the normal gateway-path behavior and produced confusing host-side outcomes.

The landed refactor removes that ambiguity by making the implicit default host=auto:

• auto resolves to sandbox only when a sandbox runtime exists
• otherwise it resolves to the real gateway host path
• explicit host=sandbox still fails closed without sandbox

That makes the effective host selection explicit and consistent again. This was not a security issue; it was a confusing runtime/docs/internal-naming mismatch. Closing as duplicate/superseded by the landed refactor.