[Bug]: write tool intermittently fails to follow symlinks — "directory component must be a directory"

[garbagenetwork]

Bug type

Behavior bug (incorrect output/state without crash)

Beta release blocker

No

Summary

The write tool intermittently fails when the target path traverses a symlink that resolves to a directory. The error message is directory component must be a directory, indicating the path validator sees the symlink as a file instead of resolving it.

Steps to reproduce

Create a symlink in the workspace: ln -s oc_system/memory /home/master/dev/memory
Target is a real directory: /home/master/dev/oc_system/memory/ exists and is drwxrwxr-x
Attempt write to memory/2026-05-20.md — intermittently fails with:

directory component must be a directory

Same call succeeds minutes later, or after writing to a nearby path first

Expected behavior

Expected Behavior:

When the write tool receives a path containing a symlink component that resolves to a directory, it should follow the symlink and write to the target — identical to how read, exec, and the OS itself treat symlinks. Specifically:

• write("memory/2026-05-20.md") where memory/ is a symlink → oc_system/memory/ should behave identically to write("oc_system/memory/2026-05-20.md")
• The path validator should resolve each component via realpath() / os.path.realpath() before checking isDirectory(), not stat() the symlink entry directly
• Behavior should be deterministic: same path, same result, every call — no cold-cache dependency

In short: symlinks should be transparent. The tool should never care whether a directory component is a real directory or a symlink resolving to one.

Actual behavior

Actual Behavior:

On cold cache (first call after session start or context compaction), the write tool's path validator stat()s the symlink entry itself rather than resolving it, sees S_IFLNK instead of S_IFDIR, and rejects the write with:

directory component must be a directory

The failure is intermittent — after successful writes to nearby paths warm the sandbox's internal path cache, subsequent calls to the same symlink path resolve correctly and succeed. This creates inconsistent behavior where:

• write("memory/2026-05-20.md") → ❌ fails immediately after compaction
• write("memory/2026-05-20.md") → ✅ succeeds minutes later
• write("memory/test_new_file.md") → ✅ creating new files through symlink is more reliable
• write("/home/master/dev/oc_system/memory/2026-05-20.md") → ✅ always works (bypasses symlink)
• exec("cat > /home/master/dev/memory/2026-05-20.md") → ✅ always works (shell resolves symlinks natively)

Same filesystem, same target, same permissions — the only variable is whether the sandbox path cache has been warmed.

OpenClaw version

2026.5.x (current)

Operating system

Linux 6.8.0-111-generic (x64) - Ubuntu 22 LTS

Install method

npm global

Model

gemma4:31b

Provider / routing chain

ollama loalhost

Additional provider/model setup details

No response

Logs, screenshots, and evidence

The symlink is valid:
lrwxrwxrwx 1 master master 16 May 11 21:24 /home/master/dev/memory -> oc_system/memory

Writing to the real path ALWAYS works
drwxrwxr-x 2 master master 4096 May 20 18:24 /home/master/dev/oc_system/memory/

Writing through symlinks always works
write("/home/master/dev/oc_system/memory/2026-05-20.md") → ✅

WRiting through the symlink works intermittently
write("memory/2026-05-20.md") → ❌ (fails after context compaction or session start)
write("memory/2026-05-20.md") → ✅ (works after a few successful writes to nearby paths)
write("memory/test.md") → ✅ (creating NEW files through symlink seems more reliable)

other symlink writes work fine:
write("memory_test_symlink/test.md") → ✅ (different symlink to same target works)

Impact and severity

Severity: Low
Impact: Low

Here's the reasoning:

Impact — Low:

• Only affects workspaces that use symlinks under the memory/ path (which is an OpenClaw convention, not a requirement)
• The exec fallback works 100% of the time — no data loss possible
• The tool doesn't corrupt data, it just refuses the write
• Only the write tool is affected; read and exec resolve symlinks fine
• The failure self-heals after cache warming

Severity — Low:

• Intermittent, not deterministic — can't reliably reproduce on every call
• Has a trivial workaround (retry, or use exec to write to the real path)
• No security implication (symlink already points to an allowed path)
• No data loss or corruption risk
• Doesn't affect the memory/ read path at all (session context loads fine)
• The only real annoyance is burning extra turns on retry or falling back to exec

Why not Medium:

• It's not a regression from expected behavior — the memory/ symlink setup is non-standard (pointing into oc_system/)
• Standard workspace setups with real memory/ directories would never hit this
• The failure mode is noisy but harmless

The case for tracking it at all: Even though it's low/low, it's a real sandbox correctness bug — the path validator should resolve symlinks before checking isDirectory(). If someone later adds symlinks for other reasons (shared configs, cross-workspace references, Docker volume mounts), this will bite again. Worth fixing, not worth rushing.

Additional information

Suspected Root Cause

The write tool's path sandbox validates each directory component before writing. On cold cache (first call after compaction/session start), it appears to stat() the symlink entry itself rather than os.path.realpath() / os.path.realpath(), getting S_IFLNK instead of S_IFDIR, and rejecting the path.

After successful writes warm the sandbox's path cache, subsequent calls resolve correctly.
Suggested Fix

In the path validator, ensure symlink components are resolved with os.path.realpath() or fs.realpathSync() before checking isDirectory(). The fix should be in whatever function walks path components and validates each one is a directory.

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve.

Workflow note: Future ClawSweeper reviews update this same comment in place.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

Summary
Keep open: the report matches a real source-level bug in the host write path. The sandbox bridge already canonicalizes symlink parents, but the host write tool still reaches @openclaw/fs-safe 0.2.7 with a lexical symlink parent, where the dependency can throw the exact reported error.

Reproducibility: yes. from source inspection: a workspace-only host write to memory/file.md where memory is a symlinked directory reaches fs-safe 0.2.7 with lexical parent memory, and its directory guard rejects symlinks with the reported message. I did not run the live intermittent session path.

Next step
A focused repair can add a regression for host write through an in-workspace symlink parent and fix canonicalization without changing product policy.

Review details

Best possible solution:

Canonicalize in-root symlink parents before pinned write operations, preferably in @openclaw/fs-safe with an OpenClaw dependency bump, and add an OpenClaw regression for the host write tool through an in-workspace symlink parent.

Do we have a high-confidence way to reproduce the issue?

Yes, from source inspection: a workspace-only host write to memory/file.md where memory is a symlinked directory reaches fs-safe 0.2.7 with lexical parent memory, and its directory guard rejects symlinks with the reported message. I did not run the live intermittent session path.

Is this the best way to solve the issue?

No, current main only solves the sandboxed write variant; the host write/fs-safe path still needs a targeted fix. The safest implementation should preserve outside-root symlink rejection while following symlink parents that resolve inside the workspace.

Label changes:

• add P2: This is a normal-priority write-tool correctness bug with a clear but limited symlink-parent blast radius.
• add issue-rating: 🦞 diamond lobster: Current issue advisory state selects this label.
• add clawsweeper:source-repro: Current issue advisory state selects this label.
• add clawsweeper:queueable-fix: Current issue advisory state selects this label.
• add clawsweeper:fix-shape-clear: Current issue advisory state selects this label.

Label justifications:

• P2: This is a normal-priority write-tool correctness bug with a clear but limited symlink-parent blast radius.

Acceptance criteria:

• node scripts/run-vitest.mjs src/agents/pi-tools.workspace-paths.test.ts src/agents/pi-tools.workspace-only-false.test.ts src/infra/fs-safe.test.ts
• node scripts/run-vitest.mjs src/agents/sandbox/fs-bridge.anchored-ops.test.ts
• node scripts/crabbox-wrapper.mjs run --provider blacksmith-testbox --shell -- "pnpm check:changed"

What I checked:

• Host write path delegates to fs-safe root.write: OpenClaw's workspace-only host write operation converts the requested absolute path to a relative workspace path, then calls root.write(relative, content, { mkdir: true }), so symlink-parent behavior depends on the fs-safe root write implementation. (src/agents/pi-tools.read.ts:886, 9e4eca00ff0f)
• Current dependency versions: The current repo pins @earendil-works/pi-coding-agent 0.75.3 and @openclaw/fs-safe 0.2.7 for the write tool and root-bounded write implementation. (package.json:1774, 9e4eca00ff0f)
• pi-coding-agent write contract: The upstream write tool first creates the parent directory via ops.mkdir(dir) and then writes the file, so OpenClaw's injected mkdir/write operations are the relevant contract surface. (package/dist/core/tools/write.js (@earendil-works/pi-coding-agent 0.75.3):157, a7d8dd3d5db7)
• fs-safe pinned write uses lexical parent: @openclaw/fs-safe 0.2.7 computes relativeParentPath from the lexical resolved path, so memory/file.md keeps memory as the parent even when memory is a symlink to an in-root directory. (package/dist/root-impl.js (@openclaw/fs-safe 0.2.7):848, d649786af91d)
• Exact reported error source: The dependency's directory guard rejects symlink directory components with directory component must be a directory, which matches the issue's observed failure text. (package/dist/directory-guard.js (@openclaw/fs-safe 0.2.7):7, d649786af91d)
• Sandbox write is already covered separately: Current sandbox write code resolves symlink parents to canonical pinned paths, and the existing regression test asserts that alias/note.txt writes through /workspace/real, not the alias. (src/agents/sandbox/fs-bridge.anchored-ops.test.ts:153, 9e4eca00ff0f)

Likely related people:

• Ayaan Zaidi: Blame, git log -G, and shortlog for the central sandbox write canonicalization files and regression test point to d41f595. (role: recent area contributor; confidence: medium; commits: d41f595c752d; files: src/agents/sandbox/fs-bridge.ts, src/agents/sandbox/fs-bridge-path-safety.ts, src/agents/sandbox/fs-bridge.anchored-ops.test.ts)
• openclaw/openclaw-secops: CODEOWNERS assigns src/agents/sandbox/ to this team, and the issue sits on the agent filesystem boundary where symlink safety matters. (role: CODEOWNERS routing team; confidence: medium; files: .github/CODEOWNERS, src/agents/sandbox/fs-bridge.ts, src/agents/pi-tools.read.ts)

Remaining risk / open question:

• I did not run a live OpenClaw session reproduction because this was a read-only review, so the exact cold-cache timing remains unverified.
• The cleanest root fix may belong in @openclaw/fs-safe; an OpenClaw-side workaround should avoid weakening symlink escape protections or silently diverging from the dependency contract.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 9e4eca00ff0f.

[JulyanXu]

I can take a focused pass on this. I’ll keep it narrow to host workspace-only write/edit through in-workspace symlink parents, preserve outside-root symlink rejection, and add the focused regression tests from the ClawSweeper acceptance list.