fix(sandbox): block home credential binds

[eleqtrizit]

Summary

• Tightens sandbox bind validation for credential-bearing home-directory paths
• Keeps the existing system-path denylist behavior unchanged outside those user credential roots

Changes

• Added home-directory bind blocking for .aws, .cargo, .config, .docker, .gnupg, .netrc, .npm, and .ssh
• Checked both the effective OpenClaw home and the OS home so overrides do not leave the real user credential paths unprotected
• Added focused regression coverage for direct bind checks and validateBindMounts() enforcement

Validation

• Ran corepack pnpm test -- src/agents/sandbox/validate-sandbox-security.test.ts
• Ran PATH="/app/.local/bin:$PATH" corepack pnpm check
• Ran PATH="/app/.local/bin:$PATH" claude -p "/review"; it exited without actionable code feedback in this environment after stopping on an approval prompt

Notes

• Residual risk or follow-up: this change is intentionally limited to common credential-bearing home paths and does not broaden the reverted external bind-source policy

[openclaw-barnacle]

Closing this PR because the author has more than 10 active PRs in this repo. Please reduce the active PR queue and reopen or resubmit once it is back under the limit. You can close your own PRs to get back under the limit.

[greptile-apps]

Greptile Summary

This PR tightens sandbox bind validation by blocking eight credential-bearing home-directory subpaths (.aws, .cargo, .config, .docker, .gnupg, .netrc, .npm, .ssh) under both the effective OpenClaw home and the OS home directory, with symlink-resolution so alias paths cannot bypass the check. Test coverage is focused and well-structured, with proper afterEach(vi.unstubAllEnvs()) teardown.

Confidence Score: 5/5

Safe to merge; the security fix is correct and well-tested, with one minor documentation inaccuracy to clean up.

All findings are P2 (stale JSDoc claiming "no filesystem I/O" on getBlockedBindReason). The security logic is sound, both home roots are properly blocked, symlink aliases are resolved, and test coverage is comprehensive. No correctness or data-integrity issues found.

The JSDoc and inline comment on getBlockedBindReason in validate-sandbox-security.ts should be updated to remove the "no filesystem I/O" claim.

Prompt To Fix All With AI

This is a comment left during a code review.
Path: src/agents/sandbox/validate-sandbox-security.ts
Line: 104-117

Comment:
**Stale "no filesystem I/O" JSDoc contract**

The exported JSDoc on `getBlockedBindReason` explicitly states "String-only blocked-path check (no filesystem I/O)", but after this PR the function calls `getBlockedHostPaths()` → `getBlockedHomeRoots()` → `resolveSandboxHostPathViaExistingAncestor()` which in turn calls `fs.existsSync` and `fs.realpathSync` to canonicalize the home directory. The inline comment at the call-site in `validateBindMounts` ("Fast string-only check") has the same inaccuracy. Callers such as `src/security/audit-extra.sync.ts` happen to tolerate synchronous I/O, but the published contract is now wrong and will mislead future readers.

How can I resolve this? If you propose a fix, please make it concise.

_{Reviews (4): Last reviewed commit: "fix(sandbox): harden blocked credential ..." | Re-trigger Greptile}

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 52a4930ca4

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[eleqtrizit]

@codex review

[eleqtrizit]

@greptile review

[chatgpt-codex-connector]

Codex Review: Didn't find any major issues. Delightful!

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[openclaw-barnacle]

Closing this PR because the author has more than 10 active PRs in this repo. Please reduce the active PR queue and reopen or resubmit once it is back under the limit. You can close your own PRs to get back under the limit.