fix(agents): map sandbox workdir container paths to host

[liuxiaopai-ai]

Summary

• Problem: sandbox exec validates workdir on the host path tree, so container-native paths like /workspace fail validation and fall back.
• Why it matters: containerized runs can end up in the wrong directory (or an unavailable fallback), breaking scripts that rely on explicit workdir.
• What changed: resolveSandboxWorkdir now maps container workdir prefixes (default /workspace, plus custom containerWorkdir) back to host workspace paths before sandbox-path validation.
• What did NOT change (scope boundary): this PR does not change stdout/background capture behavior from [Bug]: Sandbox exec: workdir path not mapped + stdout lost on background transition #30711.

Change Type (select all)

• Bug fix
• Feature
• Refactor
• Docs
• Security hardening
• Chore/infra

Scope (select all touched areas)

• Gateway / orchestration
• Skills / tool execution
• Auth / tokens
• Memory / storage
• Integrations
• API / contracts
• UI / DX
• CI/CD / infra

Linked Issue/PR

• Closes #
• Related [Bug]: Sandbox exec: workdir path not mapped + stdout lost on background transition #30711

User-visible / Behavior Changes

• exec with sandbox-enabled container workdirs now correctly accepts container path inputs (for example /workspace and nested paths) by mapping them to the mounted host workspace before validation.

Security Impact (required)

• New permissions/capabilities? (No)
• Secrets/tokens handling changed? (No)
• New/changed network calls? (No)
• Command/tool execution surface changed? (No)
• Data access scope changed? (No)
• If any Yes, explain risk + mitigation:

Repro + Verification

Environment

• OS: macOS
• Runtime/container: OpenClaw sandbox path resolution logic in src/agents
• Model/provider: N/A
• Integration/channel (if any): N/A
• Relevant config (redacted): containerWorkdir=/workspace

Steps

1. Resolve sandbox workdir with workdir: "/workspace" and a temp host workspace root.
2. Resolve nested workdir under /workspace/....
3. Resolve custom container root prefix (/sandbox-root/...).

Expected

• Host path resolves inside workspace root and container path remains the requested logical path.

Actual

• Verified with new tests; all scenarios resolve without warnings and with expected host/container mappings.

Evidence

• Failing test/log before + passing after
• Trace/log snippets
• Screenshot/recording
• Perf numbers (if relevant)

Human Verification (required)

What you personally verified (not just CI), and how:

• Verified scenarios: root /workspace, nested /workspace/scripts/runner, and custom container root mapping.
• Edge cases checked: non-root container prefix mapping + unchanged fallback warnings path for invalid directories.
• What you did not verify: live end-to-end sandbox run against a real container image in this PR.

Compatibility / Migration

• Backward compatible? (Yes)
• Config/env changes? (No)
• Migration needed? (No)
• If yes, exact upgrade steps:

Failure Recovery (if this breaks)

• How to disable/revert this change quickly: revert this PR commit.
• Files/config to restore: src/agents/bash-tools.shared.ts.
• Known bad symptoms reviewers should watch for: unexpected fallback warning for valid container workdirs.

Risks and Mitigations

• Risk: over-mapping non-container host paths that happen to share prefix text.
  • Mitigation: mapping only applies to exact container root or containerRoot/-prefixed paths and still passes through assertSandboxPath root constraints.

[greptile-apps]

Greptile Summary

Fixes sandbox exec workdir validation for container-native paths by mapping container paths (like /workspace) to host workspace paths before validation. This prevents containerized runs from falling back to invalid directories when using explicit container workdirs.

Key changes:

• Added mapContainerWorkdirToHost to convert container paths to host equivalents before sandbox validation
• Added normalizeContainerPath helper for safe POSIX path normalization
• Updated resolveSandboxWorkdir to attempt container-to-host mapping before fallback
• Added comprehensive test coverage for root, nested, and custom container workdir scenarios

Implementation notes:

• Path traversal safety preserved: mapped paths still pass through assertSandboxPath validation
• Backward compatible: unmapped paths fall back to original validation behavior
• Similar logic exists in mapContainerWorkspacePath (sandbox-paths.ts) for media paths, though that function is hardcoded to /workspace while this implementation respects the configured containerWorkdir

Confidence Score: 5/5

• This PR is safe to merge with minimal risk
• The implementation is sound with proper path normalization, security validation, and fallback handling. Test coverage validates the documented use cases. The fix is narrowly scoped to workdir mapping without touching other behaviors as stated in the PR description.
• No files require special attention

_{Last reviewed commit: 4454036}

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 4454036dab

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Skip remapping for host paths already inside workspace

The prefix check here treats any workdir beginning with containerWorkdir as a container path, so host paths can be remapped incorrectly when the host workspace itself is under that prefix (for example workspaceDir=/workspace/project and workdir=/workspace/project/src). In that case rel becomes project/src, and the resolved host directory becomes /workspace/project/project/src, which can either fall back unexpectedly or run commands from the wrong directory; before this change, the original host path would resolve correctly.

Useful? React with 👍 / 👎.

[steipete]

Landed via temp rebase onto main.

• Gate: pnpm -s vitest run src/agents/bash-tools.shared.test.ts
• Land commit: b95c3a9
• Merge commit: ee0d7ba

Thanks @liuxiaopai-ai!

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: b95c3a958d

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Skip remapping when workdir is already a host path

mapContainerWorkdirToHost currently treats any workdir that starts with containerWorkdir + "/" as a container path, so valid host paths can be rewritten incorrectly when the host workspace itself is under that prefix (for example workspaceDir=/workspace/openclaw, containerWorkdir=/workspace, workdir=/workspace/openclaw/src becomes /workspace/openclaw/openclaw/src). Fresh evidence: I reproduced this by calling resolveSandboxWorkdir with those values, and it fell back with a warning even though /workspace/openclaw/src exists, which means sandbox exec can run from the wrong directory or silently degrade to the fallback path.

Useful? React with 👍 / 👎.