fix(sandbox): keep none workspaces writable

[whyuds]

Summary

• restore workspaceAccess: "none" so sandbox sessions keep a writable isolated /workspace instead of inheriting read-only behavior from ro
• align sandbox mounts, fs bridge, and memory flush gating so none means isolated-but-writable while ro remains the only read-only mode
• add regression coverage for mounts, write/edit tool availability, fs bridge writes, and memory flush behavior

Test plan

• pnpm test src/agents/sandbox/workspace-mounts.test.ts src/agents/sandbox/browser.create.test.ts src/agents/sandbox/fs-paths.test.ts src/agents/sandbox/fs-bridge.test.ts src/agents/pi-tools.create-openclaw-coding-tools.adds-claude-style-aliases-schemas-without-dropping-d.test.ts src/agents/sandbox/docker.config-hash-recreate.test.ts
• pnpm exec vitest run --config vitest.e2e.config.ts src/auto-reply/reply/agent-runner.runreplyagent.e2e.test.ts

[greptile-apps]

Greptile Summary

This PR fixes a bug where workspaceAccess: "none" sandbox sessions incorrectly inherited read-only behavior from the ro path, preventing writes to the isolated /workspace. The fix updates the three places that gate write access — workspace-mounts.ts, fs-paths.ts, and fs-bridge.ts — to use access !== "ro" instead of access === "rw", consistently making none behave as isolated-but-writable. The memory flush gating in agent-runner-memory.ts is aligned with the same logic, and documentation and regression tests are added across all affected layers.

• workspace-mounts.ts: mainWorkspaceMountSuffix now returns :ro only for "ro" access; "none" mounts are writable.
• fs-paths.ts: buildSandboxFsMounts workspace entry now sets writable: sandbox.workspaceAccess !== "ro", making the primary mount writable for none.
• fs-bridge.ts: allowsWrites updated from === "rw" to !== "ro", unblocking write/edit tool operations in none sessions.
• agent-runner-memory.ts: Memory flush gating aligned so none sessions can still flush memory (only ro is skipped).
• All changes are internally consistent with the unchanged agentWorkspaceMountSuffix logic (the agent workspace mount is never added for none, so access === "rw" on that branch remains correct).

Confidence Score: 5/5

• Safe to merge — fixes a clear inconsistency in write-access gating with no new surface area or breaking changes.
• The three source-code changes are minimal, symmetric, and internally consistent. The none mode previously conflicted with its own documented semantics (isolated-but-writable), and the fix correctly threads through all enforcement layers (Docker mount args, FS-mount metadata, FS-bridge write guard, and memory-flush gate). Regression coverage was added at every affected call-site, including an e2e test for the memory-flush path. No unrelated code paths were touched.
• No files require special attention.

_{Last reviewed commit: 9604e7d}

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 9604e7de08

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[chatgpt-codex-connector]

Bump sandbox hash for workspaceAccess=none mount change

Switching workspaceAccess: "none" from :ro to writable here only affects newly created containers, because existing sandbox/browser containers are reused when their openclaw.configHash still matches (the hash inputs in ensureSandboxContainer / ensureSandboxBrowser did not get a mount-semantics epoch bump). For users upgrading with already-created none containers, /workspace stays read-only until manual recreate/prune, so write/edit (and the newly enabled memory flush path) can still fail despite this fix.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 285c2e3c01

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[chatgpt-codex-connector]

Bump config hash epoch for workspaceAccess=none behavior

Changing mainWorkspaceMountSuffix so workspaceAccess: "none" becomes writable changes runtime mount semantics, but existing containers are still reused because the hash inputs in computeSandboxConfigHash/computeSandboxBrowserConfigHash are unchanged and ensureSandboxContainer/ensureSandboxBrowser only recreate on openclaw.configHash mismatch. On upgrade, previously created none containers keep the old :ro mount until manual recreate/prune, so write/edit (and now memory flush) can still fail despite this fix. Fresh evidence: this commit updates docker.config-hash-recreate.test.ts expected mount behavior for none but does not change src/agents/sandbox/config-hash.ts or add an epoch bump.

Useful? React with 👍 / 👎.

[openclaw-barnacle]

This pull request has been automatically marked as stale due to inactivity.
Please add updates or it will be closed.

[openclaw-barnacle]

Closing due to inactivity.
If you believe this PR should be revived, post in #pr-thunderdome-dangerzone on Discord to talk to a maintainer.
That channel is the escape hatch for high-quality PRs that get auto-closed.