fix(sandbox): allow write mkdir step on existing workspace directories

[rylena]

Summary

Fixes a sandbox regression where write failed on existing in-workspace paths because the internal mkdir boundary guard treated existing directories as invalid non-file targets.

Closes #28745

Root cause

SandboxFsBridge.assertPathSafety() uses openBoundaryFile(), which validates files only. During mkdirp, when the target directory already existed, this returned a validation failure and was surfaced as a sandbox boundary error even though the path was inside an allowed writable mount.

Changes

• Allow create directories safety checks to accept an already-existing directory target.
• Keep canonical container-path enforcement and mount writability checks unchanged.
• Add a regression test covering mkdirp on an existing in-workspace directory.

Validation

• pnpm vitest src/agents/sandbox/fs-bridge.test.ts
• pnpm vitest src/agents/pi-tools.sandbox-mounted-paths.workspace-only.test.ts

Risk

Low: behavior change is narrowly scoped to directory-creation safety checks and still enforces mount/boundary constraints.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 452b32225b

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[chatgpt-codex-connector]

Keep symlink-escape validation for existing mkdirp directories

openBoundaryFile reports symlink-boundary violations as reason === "validation", but this new allowance treats any validation failure as safe when lstatSync(target.hostPath).isDirectory() is true. That means mkdirp now bypasses the host-side symlink escape guard for paths like workspace/link/existing when link is an intermediate symlink outside the mount and existing already exists, because lstatSync follows intermediate links and returns directory; this is a regression from the previous strict boundary behavior and can let escaped paths proceed to container-side execution.

Useful? React with 👍 / 👎.

[greptile-apps]

Greptile Summary

Fixed sandbox regression where mkdirp failed on existing workspace directories. The root cause was that openBoundaryFile validates files only - when a target directory already existed, it returned a validation failure even though the path was within allowed mounts.

The fix adds a targeted exemption in assertPathSafety for existing directories when called from mkdirp, while maintaining all other security checks:

• Lexical and canonical path boundary validation still enforced
• Mount writability checks still enforced
• Only change: allow mkdir -p on existing directories (which is idempotent and safe)

The implementation uses lstatSync (doesn't follow symlinks) to verify the path is actually a directory, preventing symlink-based escapes.

Confidence Score: 5/5

• Safe to merge - well-scoped fix with maintained security properties
• Narrowly scoped change that fixes a legitimate regression without compromising security. All boundary checks, canonical path resolution, and writability validation remain in place. The exemption only applies to the idempotent mkdir operation on verified existing directories.
• No files require special attention

_{Last reviewed commit: 452b322}

[nikolasdehor]

Duplicate of #28863, which has a cleaner implementation. If this one is preferred, the test should use a relative filePath and add try/finally cleanup. The lstatSync check here is more defensive but introduces TOCTOU and the nested control flow is harder to follow.

[openclaw-barnacle]

This pull request has been automatically marked as stale due to inactivity.
Please add updates or it will be closed.