fix: distinguish outside-workspace errors from not-found in fs-safe

[YuzuruS]

Summary

Describe the problem and fix in 2–5 bullets:

• Problem: When the Edit tool tries to open a file outside the workspace root, SafeOpenError throws with code "invalid-path" and message "path escapes root". Consumers cannot distinguish this from other invalid-path cases (hardlinks, symlinks, non-files) and often fall back to a misleading "File not found" message.
• Why it matters: Users see "File not found" when the real cause is "file is outside workspace", making debugging confusing.
• What changed: Added a new "outside-workspace" error code to SafeOpenErrorCode. All path-escapes-root checks in openFileWithinRoot / writeFileWithinRoot now use this code. Consumers (pi-tools.read.ts, browser/paths.ts, media/server.ts) handle it with specific, accurate messages.
• What did NOT change (scope boundary): Other "invalid-path" uses (hardlinks, symlinks, non-files) remain unchanged. readLocalFileSafely is unaffected (no root boundary check).

Change Type (select all)

• Bug fix
• Feature
• Refactor
• Docs
• Security hardening
• Chore/infra

Scope (select all touched areas)

• Gateway / orchestration
• Skills / tool execution
• Auth / tokens
• Memory / storage
• Integrations
• API / contracts
• UI / DX
• CI/CD / infra

Linked Issue/PR

• Closes #
• Related write tool rejects paths outside workspace root (e.g. Obsidian vault) #28427, [Bug]: tools.fs.workspaceOnly=false does not allow write/read/edit outside workspace (sandbox off) #28763, Edit/Write tools restricted to workspace root even with tools.fs.workspaceOnly=false #29612

User-visible / Behavior Changes

• Edit/Write tools now report "file is outside workspace root" or "File is outside {scopeLabel}" instead of "File not found" or "Invalid path" when targeting a file outside the workspace.
• Media server returns 400 "file is outside workspace root" instead of 400 "invalid path" for outside-workspace requests.
• Sandbox FS errors for outside-workspace paths report EACCES instead of rethrowing a raw SafeOpenError.

Security Impact (required)

• New permissions/capabilities? No
• Secrets/tokens handling changed? No
• New/changed network calls? No
• Command/tool execution surface changed? No
• Data access scope changed? No

Repro + Verification

Environment

• OS: macOS Darwin 24.0.0
• Runtime/container: Node.js via pnpm
• Model/provider: N/A
• Integration/channel (if any): N/A
• Relevant config (redacted): N/A

Steps

1. Create a workspace directory and a file outside it
2. Call openFileWithinRoot with a relative path that escapes the root (e.g. ../outside/file.txt)
3. Observe the error code and message

Expected

• SafeOpenError with code "outside-workspace" and message "file is outside workspace root"

Actual

• Previously: SafeOpenError with code "invalid-path" and message "path escapes root"

Evidence

• Failing test/log before + passing after
• Trace/log snippets
• Screenshot/recording
• Perf numbers (if relevant)

pnpm vitest run src/infra/fs-safe.test.ts — all 11 tests pass, including updated traversal expectations ("outside-workspace").

Human Verification (required)

What you personally verified (not just CI), and how:

• Verified scenarios: pnpm build, pnpm tsgo, pnpm lint, pnpm vitest run src/infra/fs-safe.test.ts all pass
• Edge cases checked: read traversal, write traversal, symlink escape (via existing tests)
• What you did not verify: Windows CI (no Windows environment available locally), end-to-end Edit tool UX in the CLI

Compatibility / Migration

• Backward compatible? No — code that matches err.code === "invalid-path" for path-escapes-root will no longer trigger; they need to also check "outside-workspace".
• Config/env changes? No
• Migration needed? No — consumers in this repo are updated in this PR. External consumers of the plugin-sdk SafeOpenErrorCode type will get a compile error if they have exhaustive switches, which is the desired behavior.

Failure Recovery (if this breaks)

• How to disable/revert this change quickly: Revert this commit; change "outside-workspace" back to "invalid-path" with "path escapes root" message
• Files/config to restore: src/infra/fs-safe.ts, src/agents/pi-tools.read.ts, src/browser/paths.ts, src/media/server.ts, src/infra/fs-safe.test.ts
• Known bad symptoms reviewers should watch for: Any consumer that matches only "invalid-path" for workspace boundary errors would silently miss the new code and fall through to a generic handler

Risks and Mitigations

• Risk: External plugin-sdk consumers with exhaustive SafeOpenErrorCode switches get a compile error
  • Mitigation: This is intentional — the new type variant forces them to handle the case explicitly. The .d.ts is auto-generated from source.

[greptile-apps]

Greptile Summary

Added new "outside-workspace" error code to SafeOpenErrorCode to distinguish path-escapes-root errors from generic invalid-path errors. Previously, these cases used "invalid-path" leading to misleading "File not found" messages in some consumers.

Key changes:

• Added "outside-workspace" to the error code union type in fs-safe.ts
• Updated 5 locations in fs-safe.ts where path-escapes-root checks occur (both in openFileWithinRoot and writeFileWithinRoot)
• Updated consumers to handle the new error code with specific messages:
  • pi-tools.read.ts: Maps to EACCES error
  • paths.ts: Returns "File is outside {scopeLabel}" message
  • server.ts: Returns 400 with "file is outside workspace root"
• Updated test expectations to verify "outside-workspace" error code

Additional files with SafeOpenError handling (not updated, use generic error handling):

• src/web/media.ts: Falls through to generic "Local media path is not safe to read"
• src/gateway/server-methods/agents.ts: Falls through to "unsafe workspace file" (appropriate for security errors)
• src/media/store.ts: Has comprehensive error handling but maps "outside-workspace" to generic "invalid-path" via default case (see comment)

Confidence Score: 5/5

• Safe to merge - clean refactoring that improves error specificity with minimal risk
• All changes are backwards compatible (existing "invalid-path" handlers still work), new error code is used consistently across core functions, tests are comprehensive and passing, and all updated consumers handle the new code appropriately
• No files require special attention - optional improvement suggested in src/media/store.ts for consistency

_{Last reviewed commit: a6f9988}

[greptile-apps]

_{5 files reviewed, 1 comment}

_{Edit Code Review Agent Settings | Greptile}

[greptile-apps]

Additional Comments (1)

src/media/store.ts
add case for "outside-workspace" to provide more specific error message

function toSaveMediaSourceError(err: SafeOpenError): SaveMediaSourceError {
  switch (err.code) {
    case "symlink":
      return new SaveMediaSourceError("invalid-path", "Media path must not be a symlink", {
        cause: err,
      });
    case "not-file":
      return new SaveMediaSourceError("not-file", "Media path is not a file", { cause: err });
    case "path-mismatch":
      return new SaveMediaSourceError("path-mismatch", "Media path changed during read", {
        cause: err,
      });
    case "too-large":
      return new SaveMediaSourceError("too-large", "Media exceeds 5MB limit", { cause: err });
    case "not-found":
      return new SaveMediaSourceError("not-found", "Media path does not exist", { cause: err });
    case "outside-workspace":
      return new SaveMediaSourceError("invalid-path", "Media path is outside workspace root", {
        cause: err,
      });
    case "invalid-path":
    default:
      return new SaveMediaSourceError("invalid-path", "Media path is not safe to read", {
        cause: err,
      });
  }
}

Prompt To Fix With AI

This is a comment left during a code review.
Path: src/media/store.ts
Line: 228-249

Comment:
add case for `"outside-workspace"` to provide more specific error message

```suggestion
function toSaveMediaSourceError(err: SafeOpenError): SaveMediaSourceError {
  switch (err.code) {
    case "symlink":
      return new SaveMediaSourceError("invalid-path", "Media path must not be a symlink", {
        cause: err,
      });
    case "not-file":
      return new SaveMediaSourceError("not-file", "Media path is not a file", { cause: err });
    case "path-mismatch":
      return new SaveMediaSourceError("path-mismatch", "Media path changed during read", {
        cause: err,
      });
    case "too-large":
      return new SaveMediaSourceError("too-large", "Media exceeds 5MB limit", { cause: err });
    case "not-found":
      return new SaveMediaSourceError("not-found", "Media path does not exist", { cause: err });
    case "outside-workspace":
      return new SaveMediaSourceError("invalid-path", "Media path is outside workspace root", {
        cause: err,
      });
    case "invalid-path":
    default:
      return new SaveMediaSourceError("invalid-path", "Media path is not safe to read", {
        cause: err,
      });
  }
}
```

How can I resolve this? If you propose a fix, please make it concise.

[YuzuruS]

Addressed Greptile's suggestion: added "outside-workspace" case to toSaveMediaSourceError in src/media/store.ts (da82d02). Returns "Media path is outside workspace root" instead of falling through to the generic message.

[YuzuruS]

Hi. Thank you for maintaining openclaw. This PR is ready for review. @obviyus

[obviyus]

Landed via temp rebase onto main.

• Gate: pnpm check && pnpm build && pnpm test (check/build passed; test run had pre-existing failure in src/docker-setup.test.ts)
• Land commit: f70ee96
• Merge commit: f0c8603

Thanks @YuzuruS!