fix(security): classify dangerous Windows sandbox binds first

[luoyanglang]

Summary

• classify blocked Windows sandbox bind sources before the non-absolute fallback
• keep dangerous home credential binds on Windows in the critical blocked-path lane
• add regression coverage for Windows credential binds while preserving the existing non-absolute behavior for generic Windows paths

Testing

• pnpm.cmd exec vitest run src/security/audit-sandbox-docker-config.test.ts src/agents/sandbox/validate-sandbox-security.test.ts
• pnpm.cmd exec oxlint src/agents/sandbox/validate-sandbox-security.ts src/agents/sandbox/validate-sandbox-security.test.ts src/security/audit-sandbox-docker-config.test.ts

[greptile-apps]

Greptile Summary

This PR fixes a security classification bug in getBlockedBindReason: Windows credential paths such as C:\Users ester\.docker\config.json were previously short-circuited by the !sourceRaw.startsWith("/") guard and returned as kind: "non_absolute" before the blocked-path check ran. Moving that guard after getBlockedReasonForSourcePath means dangerous Windows home-credential binds are now correctly classified as kind: "targets". The new test covers the fixed case and the existing test's snapshot helper is updated for portability.

Confidence Score: 5/5

Safe to merge — the reordering fix is correct, the new test validates the changed behavior, and no regressions are introduced.

The change is small and surgical: a 4-line block moved 8 lines down. Both the old and new code always throw for dangerous binds; the only difference is the kind field, which is now accurate for Windows paths. The new test directly exercises the fixed path. No P0/P1 findings.

No files require special attention.

Vulnerabilities

No new security concerns introduced. The PR closes a classification gap where Windows-style credential paths were misidentified as non_absolute instead of targets, ensuring consistent security enforcement across platforms.

_{Reviews (1): Last reviewed commit: "fix(security): classify dangerous Window..." | Re-trigger Greptile}

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: c4219d19d5

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Make Windows bind-path expectation platform-aware

This new assertion hard-codes blockedPath: "C:/Users/tester/.docker", but home roots are derived via resolveRequiredHomeDir(...)->path.resolve(...); on Linux/macOS, HOME="C:\\Users\\tester" resolves under the current working directory, so getBlockedBindReason(...) remains kind: "non_absolute" instead of targets. Since this test is unconditional, non-Windows CI lanes can fail even though the Windows-specific behavior is fine; gate this case to Windows or compute the expected path through the same normalization path used by production code.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 0dedf04ea4

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Make Windows bind expectation platform-aware

This assertion assumes getBlockedBindReason will classify a Windows-style source as kind: "targets", but on non-Windows runners resolveRequiredHomeDir uses host path.resolve semantics, so HOME="C:\\Users\\tester" normalizes under the POSIX cwd and the bind remains kind: "non_absolute". That makes this test fail in Linux/macOS CI even though the Windows-specific behavior is fine; gate the case to Windows or derive the expected blocked path through the same normalization path used by production code.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: e40fc89dcb

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Make Windows-home bind assertion host-aware

This assertion is not portable across CI hosts: when this test runs on Linux/macOS, the home roots are derived through host path.resolve, so a Windows-style HOME value like C:\Users\tester is resolved under the POSIX cwd and does not match C:/Users/tester/.docker, causing getBlockedBindReason(...) to return kind: "non_absolute" instead of targets. Fresh evidence: on Linux, path.resolve("C:\\Users\\tester") resolves to /workspace/openclaw/C:\\Users\\tester, which explains the mismatch. This makes the new regression test fail off Windows unless the expectation is gated by platform or computed via the same normalization path as production code.

Useful? React with 👍 / 👎.

[clawsweeper]

Codex review: found issues before merge.

Summary
The PR reorders sandbox bind classification for Windows credential sources, adds raw Windows home roots and regression coverage, and includes Windows-portability fixes for Mattermost policy exports plus path-sensitive tests/scripts.

Reproducibility: yes. Current-main source shows the non-absolute return runs before blocked-path classification, and the audit collector then downgrades that path to the warn check instead of the critical dangerous-bind check.

Next step before merge
This is an open security-sensitive implementation PR with one mechanical changelog blocker, so the next step is maintainer security review and current CI/rebase validation rather than an automated replacement branch.

Security
Cleared: The diff tightens sandbox classification and uses existing SDK/path helpers without adding dependencies, workflow permissions, lifecycle hooks, package-resolution changes, or new secret-handling surfaces.

Review findings

• [P2] Add the required changelog entry — src/agents/sandbox/validate-sandbox-security.ts:117

Review details

Best possible solution:

Land or replace this with a security-reviewed sandbox fix that classifies Windows home credential bind sources as critical dangerous binds, with a changelog entry, while leaving generic Windows bind acceptance to the broader Windows bind work.

Do we have a high-confidence way to reproduce the issue?

Yes. Current-main source shows the non-absolute return runs before blocked-path classification, and the audit collector then downgrades that path to the warn check instead of the critical dangerous-bind check.

Is this the best way to solve the issue?

Yes for the narrow bug. Checking normalized blocked paths before the fallback and adding raw Windows home roots is the maintainable direction; broad Windows bind support should remain separate in #42174.

Full review comments:

• [P2] Add the required changelog entry — src/agents/sandbox/validate-sandbox-security.ts:117
  This user-facing security fix changes the audit severity for Windows credential binds, but the PR does not update CHANGELOG.md. Repo policy requires fix/security behavior changes to add an Unreleased entry, so please add a single-line Fixes entry crediting the contributor before merge.
  Confidence: 0.86

Overall correctness: patch is incorrect
Overall confidence: 0.82

Acceptance criteria:

• pnpm test src/agents/sandbox/validate-sandbox-security.test.ts src/security/audit-sandbox-docker-config.test.ts
• pnpm test extensions/mattermost/src/mattermost/monitor-auth.test.ts test/openclaw-npm-postpublish-verify.test.ts src/infra/update-runner.test.ts src/secrets/runtime-core-snapshots.test.ts
• pnpm exec oxfmt --check --threads=1 src/agents/sandbox/validate-sandbox-security.ts src/agents/sandbox/validate-sandbox-security.test.ts src/security/audit-sandbox-docker-config.test.ts extensions/mattermost/src/mattermost/monitor-auth.ts extensions/mattermost/src/mattermost/policy-shared.ts scripts/openclaw-npm-postpublish-verify.ts test/openclaw-npm-postpublish-verify.test.ts CHANGELOG.md

What I checked:

• current-main-nonabsolute-first: Current main returns kind: "non_absolute" before normalizing the bind source or checking blocked host credential paths, so a Windows drive-letter source is routed away from the dangerous-bind lane. (src/agents/sandbox/validate-sandbox-security.ts:118, 9772ce6ce975)
• audit-severity-contract: The audit collector maps non_absolute to sandbox.bind_mount_non_absolute with warn severity and maps covers/targets to sandbox.dangerous_bind_mount with critical severity. (src/security/audit-extra.sync.ts:723, 9772ce6ce975)
• documented-audit-severities: The public audit-checks table documents non-absolute bind mounts as warn and dangerous bind mounts as critical, so the classification changes user-visible security audit severity. Public docs: docs/gateway/security/audit-checks.md. (docs/gateway/security/audit-checks.md:82, 9772ce6ce975)
• pr-diff-targets-root-cause: The PR head moves blocked-path classification ahead of the non-absolute fallback and adds OPENCLAW_HOME, HOME, and USERPROFILE raw candidates to blocked home roots, addressing the earlier platform-aware test concern. (src/agents/sandbox/validate-sandbox-security.ts:117, 3b219e794794)
• missing-changelog-entry: CHANGELOG.md has no entry for this PR or the Windows sandbox credential-bind security classification change, despite the repo policy requiring user-facing fix/security changes to be listed under Unreleased. (CHANGELOG.md:20, 9772ce6ce975)
• related-broader-windows-bind-pr: Related open PR fix: false error of Windows path when binding the host path to the sandbox. #42174 covers general Windows drive-letter bind acceptance; this PR is narrower and keeps generic Windows bind support separate from credential-bind severity classification.

Likely related people:

• steipete: Local commit metadata and prior review context show recent work on sandbox credential-bind audit coverage and security docs around the affected audit lane. (role: recent maintainer and sandbox audit owner; confidence: high; commits: 46cb493ac89f, 1ae356c40c0f, 9b7aafa141e3; files: src/security/audit-extra.sync.ts, src/security/audit-sandbox-docker-config.test.ts, docs/gateway/security/audit-checks.md)
• eleqtrizit: Merged PR fix(sandbox): block home credential binds #59157 added the home credential bind blocking behavior that this PR refines for Windows-style home paths. (role: introduced adjacent behavior; confidence: medium; commits: 18bb362204e2; files: src/agents/sandbox/validate-sandbox-security.ts, src/agents/sandbox/validate-sandbox-security.test.ts)
• Vincent Koc: Current checkout history attributes the latest large static-runtime-assets refactor touching the sandbox file, Mattermost public artifacts, and postpublish verification script to this author. (role: recent adjacent maintainer; confidence: medium; commits: c7bbb3f9af36; files: src/agents/sandbox/validate-sandbox-security.ts, extensions/mattermost/policy-api.ts, scripts/openclaw-npm-postpublish-verify.ts)

Remaining risk / open question:

• I did not run validation commands because this was a read-only review; the verdict is source- and diff-based.
• The PR touches Mattermost policy exports and package verification tests beyond the sandbox fix, so maintainers should keep the scope intentional during final review.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 9772ce6ce975.