Bug: image tool allowed-path list doesn't inherit channels.imessage.attachmentRoots

[Nickanbe]

Summary

When an iMessage attachment is passed to the image tool via a local path (e.g. /Users/.../Library/Messages/Attachments/...), the tool rejects it with:

Local media path is not under an allowed directory: /Users/straylight/Library/Messages/Attachments/...

Config

The iMessage channel is correctly configured with attachmentRoots:

"channels": {
  "imessage": {
    "includeAttachments": true,
    "attachmentRoots": ["/Users/straylight/Library/Messages/Attachments"]
  }
}

Expected Behavior

The image tool (and other media tools) should recognize paths under channels.imessage.attachmentRoots as allowed. The iMessage plugin has already been granted operator-level trust for that directory via attachmentRoots — the image tool's path validation should inherit that trust rather than enforcing a separate, narrower allowlist.

Actual Behavior

The image tool enforces its own hardcoded allowed-path list that does not include the Messages Attachments directory, even when attachmentRoots is explicitly configured.

Impact

iMessage attachments (photos, screenshots) cannot be analyzed by the agent using the image tool. The workaround is to share images via URL or copy them to the workspace manually, which defeats the purpose of includeAttachments: true.

Suggested Fix

When building the image tool's allowed-path set, include paths from channels.<channel>.attachmentRoots for any enabled channel with attachment support.

[clawsweeper]

Thanks for the context here. I swept through the related work, and this is now duplicate or superseded.

This is a valid current-main gap, but the same remaining image-tool/iMessage attachment-root work is already tracked by an open maintainer PR and the broader configurable-root discussion, so the safest cleanup is to close this duplicate and keep review focused there.

So I’m closing this here and keeping the remaining discussion on the canonical linked item.

Review details

Best possible solution:

Review, refresh, or replace the existing maintainer PR for the narrow iMessage attachment-root fix, while leaving the broader configurable local-root contract in the existing open product/security discussion.

Do we have a high-confidence way to reproduce the issue?

Yes. Source inspection gives a high-confidence path: configure channels.imessage.attachmentRoots, call the explicit image tool with a local path under that external root, and the image tool still validates against only default/workspace roots.

Is this the best way to solve the issue?

Yes. Closing this as a duplicate is the best cleanup path because the remaining code change is already represented by an open maintainer PR, and splitting another active issue would fragment the same fix review.

Security review:

Security review needs attention: No patch is under review, but the eventual fix changes local media read allowlists and needs careful security review.

• [medium] Preserve local media root boundaries — src/media/local-media-access.ts:32
  Any implementation should only trust configured channel attachment roots, reject filesystem-root or unsafe wildcard expansion, and preserve workspaceOnly semantics where intended.
  Confidence: 0.88

What I checked:

• image-tool-root-resolver-omits-channel-roots: resolveMediaToolLocalRoots currently returns default local media roots plus the workspace, or only the workspace under workspaceOnly; it does not read cfg.channels.imessage.attachmentRoots. (src/agents/tools/media-tool-shared.ts:527, 0456672aaf1f)
• image-tool-passes-those-roots-to-loader: The explicit image tool computes mediaLocalRoots with resolveMediaToolLocalRoots(...) and passes them to loadWebMedia as localRoots, so local-path rejection follows that narrower root set. (src/agents/tools/image-tool.ts:583, 0456672aaf1f)
• imessage-root-contract-exists: The iMessage plugin resolves configured account/channel attachment roots with default /Users/*/Library/Messages/Attachments, and exposes them through the channel media contract. (extensions/imessage/src/media-contract.ts:5, 0456672aaf1f)
• media-understanding-partial-path: Current main already merges channel inbound attachment roots for the pre-agent media-understanding cache, but that path does not make the explicit image tool inherit the roots. (src/media-understanding/runner.ts:269, 0456672aaf1f)
• canonical-open-pr: The open maintainer PR Agents/media: restore agent-scoped and iMessage attachment roots #39034 explicitly says it merges iMessage attachment roots into agent-scoped media roots, uses those roots in the image tool, and closes the earlier canonical report Regression (2026.2.26): image tool can't read iMessage attachments — mediaLocalRoots doesn't include attachmentRoots #30170. (56b5340a72dd)
• broader-open-canonical-discussion: The broader configurable media-local-root request remains open at Feature: configurable mediaLocalRoots for image tool #47856 and explicitly notes the overlap with the open iMessage attachment-root PR.

Likely related people:

• vincentkoc: Authored the open maintainer PR that targets the exact iMessage attachment-root/image-tool behavior and includes tests for configured attachment roots. (role: recent related implementation owner; confidence: high; commits: 28b17181f6e5, df2db2175e6b, 56b5340a72dd; files: src/agents/openclaw-tools.ts, src/agents/tools/image-tool.ts, src/media/local-roots.ts)
• jacobtomlinson: Merged PR fix(media): keep local roots configuration-derived #57770, which kept local media roots configuration-derived and touched the same shared resolver and tests. (role: recent local-root policy maintainer; confidence: medium; commits: eb51a31c4965, 1ce82897a4ef, 075da101e9d3; files: src/agents/tools/media-tool-shared.ts, src/agents/tools/media-tool-shared.test.ts, src/media/local-roots.ts)

Codex review notes: model gpt-5.5, reasoning high; reviewed against 0456672aaf1f.