fix(sandbox): allow mkdirp on existing workspace directories

[liuxiaopai-ai]

Summary

Describe the problem and fix in 2–5 bullets:

• Problem: sandbox mkdirp safety checks used file-open validation, which treats an already-existing directory target as a validation failure.
• Why it matters: sandboxed write/edit flows call mkdir on parent paths first, so valid /workspace/... writes could fail with Sandbox boundary checks failed even with workspaceAccess: rw.
• What changed: mkdirp now allows the specific existing-directory validation case, while still running canonical mount and writability checks; added regression coverage for existing /workspace directory targets.
• What did NOT change (scope boundary): no changes to read/write/edit path resolution semantics, no expansion of mount permissions, no changes to non-mkdirp safety policy.
• AI-assisted: yes (Codex). Testing degree: fully tested for targeted unit/regression scope.

Change Type (select all)

• Bug fix
• Feature
• Refactor
• Docs
• Security hardening
• Chore/infra

Scope (select all touched areas)

• Gateway / orchestration
• Skills / tool execution
• Auth / tokens
• Memory / storage
• Integrations
• API / contracts
• UI / DX
• CI/CD / infra

Linked Issue/PR

• Closes [Bug]: Sandbox write/edit tools fail with 'boundary checks failed' despite workspaceAccess: rw #30513
• Related fix: distinguish outside-workspace errors from not-found in fs-safe #29715

User-visible / Behavior Changes

• Sandboxed write/edit flows no longer fail when creating or reusing existing parent directories under /workspace with workspaceAccess: rw.

Security Impact (required)

• New permissions/capabilities? (No)
• Secrets/tokens handling changed? (No)
• New/changed network calls? (No)
• Command/tool execution surface changed? (No)
• Data access scope changed? (No)
• If any Yes, explain risk + mitigation:

Repro + Verification

Environment

• OS: macOS
• Runtime/container: sandbox FS bridge unit tests (docker exec mocked)
• Model/provider: N/A
• Integration/channel (if any): N/A
• Relevant config (redacted): agents.defaults.sandbox.workspaceAccess: rw

Steps

1. Configure sandbox with workspaceAccess: rw.
2. Trigger sandboxed file write/edit targeting /workspace/... where parent directories may already exist.
3. Observe mkdirp safety validation behavior.

Expected

• Parent directory validation passes for in-boundary existing directories; write/edit proceeds.

Actual

• Before fix, existing directory targets could fail with Sandbox boundary checks failed; cannot create directories: ....

Evidence

Attach at least one:

• Failing test/log before + passing after
• Trace/log snippets
• Screenshot/recording
• Perf numbers (if relevant)

Passing after patch:

• pnpm vitest src/agents/sandbox/fs-bridge.test.ts
• pnpm vitest src/agents/pi-tools.workspace-paths.test.ts
• pnpm oxfmt --check src/agents/sandbox/fs-bridge.ts src/agents/sandbox/fs-bridge.test.ts
• pnpm oxlint --type-aware src/agents/sandbox/fs-bridge.ts src/agents/sandbox/fs-bridge.test.ts

Human Verification (required)

What you personally verified (not just CI), and how:

• Verified scenarios: added/ran regression test confirming bridge.mkdirp({ filePath: "/workspace/skills" }) succeeds when directory already exists; verified docker command path arg remains /workspace/skills.
• Edge cases checked: existing read-only bind-mount write guard test remains passing; canonical path and writable checks still execute after directory-validation allowance.
• What you did not verify: full end-to-end live gateway + real docker sandbox run on a production-like host.

Compatibility / Migration

• Backward compatible? (Yes)
• Config/env changes? (No)
• Migration needed? (No)
• If yes, exact upgrade steps:

Failure Recovery (if this breaks)

• How to disable/revert this change quickly: revert this PR commit.
• Files/config to restore: src/agents/sandbox/fs-bridge.ts, src/agents/sandbox/fs-bridge.test.ts, CHANGELOG.md.
• Known bad symptoms reviewers should watch for: unexpected boundary-pass on unsafe paths (none observed in targeted tests).

Risks and Mitigations

List only real risks for this PR. Add/remove entries as needed. If none, write None.

• Risk: allowing one additional validation case in mkdirp could accidentally relax safety checks.
  • Mitigation: allowance is restricted to existing-directory targets only, and canonical mount + writability checks still run before command execution.

[greptile-apps]

Greptile Summary

Fixed a sandbox filesystem bug where mkdirp operations would fail with "Sandbox boundary checks failed" when the target directory already existed. The root cause was that file validation treats directories as validation failures. The fix adds an allowExistingDirectory option specifically for mkdirp, allowing it to proceed when the target is an existing directory while still enforcing all security checks (canonical mount verification and writability).

• Added allowExistingDirectory parameter to PathSafetyOptions and enabled it only for mkdirp operations
• Modified assertPathSafety to allow validation failures when the target is an existing directory and allowExistingDirectory is true
• All security checks (canonical mount boundaries and writability) remain intact and execute after the directory validation allowance
• Added regression test confirming mkdirp succeeds on existing workspace directories
• The fix is narrowly scoped and doesn't affect other filesystem operations

Confidence Score: 5/5

• This PR is safe to merge with minimal risk - the fix is narrowly scoped to mkdirp operations and maintains all existing security boundaries
• The implementation correctly handles the specific case of existing directories during mkdirp while preserving all canonical mount and writability checks. The logic properly short-circuits unnecessary checks using boolean operators, and the regression test confirms the fix addresses the reported issue without introducing new vulnerabilities
• No files require special attention

_{Last reviewed commit: 67af7ea}

[steipete]

Thanks for the PR! Multiple PRs address the same fix. Keeping #28853 as the earliest submission. Closing to reduce noise. This is an AI-assisted triage review. If we got this wrong, feel free to reopen — happy to revisit.