
fix(sandbox): mount workspace skills read-only#85591

Merged
steipete merged 11 commits into
openclaw:mainfrom
jason-allen-oneal:fix/sandbox-readonly-skill-mounts
May 23, 2026

Conversation


@jason-allen-oneal jason-allen-oneal commented May 23, 2026

Contributor

Summary

Fixes #17931.

This PR protects workspace skill paths exposed to sandboxes from in-sandbox writes.

In workspaceAccess: "rw", the normal workspace remains writable, but existing workspace skill roots are protected:

  • <workspace>/skills -> /workspace/skills:ro,z
  • <workspace>/.agents/skills -> /workspace/.agents/skills:ro,z

In workspaceAccess: "ro" and "none", the existing read-only /workspace mount provides the protection without adding a stale nested /workspace/skills bind.

What changed

  • Added read-only Docker overlays for existing workspace skill roots in rw mode.
  • Kept ro and none on the existing read-only /workspace mount.
  • Removed chmod-based copied-skill protection.
  • Added stable skill-mount hash state so old containers are recreated when protected skill roots appear.
  • Bumped SANDBOX_MOUNT_FORMAT_VERSION from 2 to 3.
  • Added generic fs bridge policy coverage so existing protected skill roots resolve read-only through OpenClaw file operations.
  • Added remote fs bridge policy coverage with existing-root filtering to preserve normal writes under absent skills/ roots.
  • Added tests for Docker mount behavior, hash behavior, bridge read-only resolution, and absent-root remote write compatibility.

Security impact

This prevents sandboxed agents from rewriting existing workspace skill instructions they are executing under. Normal workspace writes in rw mode still work, but writes under existing protected skill paths now fail. Absent skills/ roots continue to behave as normal workspace paths until they exist and become protected roots.

Validation

Targeted command:

OPENCLAW_VITEST_MAX_WORKERS=1 node scripts/run-vitest.mjs run \
  src/agents/sandbox/workspace-mounts.test.ts \
  src/agents/sandbox/config-hash.test.ts \
  src/agents/sandbox.resolveSandboxContext.test.ts \
  src/agents/sandbox/workspace-skills-bridge-readonly.test.ts \
  src/agents/skills.build-workspace-skills-prompt.syncs-merged-skills-into-target-workspace.test.ts

Real behavior proof

Behavior addressed: Workspace skill instructions exposed to Docker sandboxes are protected from in-sandbox writes while the normal workspace remains writable. The generic and remote OpenClaw fs bridge write paths classify existing /workspace/skills and /workspace/.agents/skills roots as read-only, so OpenClaw file operations do not bypass the Docker mount policy. The remote bridge also preserves compatibility for absent skills/ roots by allowing normal workspace writes there until the protected root exists.

Real environment tested: Repository openclaw/openclaw, PR #85591, branch jason-allen-oneal:fix/sandbox-readonly-skill-mounts, current PR head 69d60b0efc1266c1e4d6ca380954102ae0c1c2ea. Proof was run from detached worktree /tmp/openclaw-85591-proof using the current branch head, Docker image openclaw-sandbox:bookworm-slim, a temporary workspace with existing skill roots, a temporary workspace with an absent skills root, the generic OpenClaw fs bridge, and the remote OpenClaw fs bridge runtime path.

Exact steps or command run after this patch: Ran .tmp-pr85591-current-proof.ts from /tmp/openclaw-85591-proof at current head 69d60b0efc1266c1e4d6ca380954102ae0c1c2ea. The script created existing skills/demo/SKILL.md and .agents/skills/demo/SKILL.md roots, created a Docker sandbox with /workspace writable and both existing skill roots mounted read-only, wrote a normal workspace file through the generic OpenClaw fs bridge, attempted writes to both existing protected skill roots through the generic bridge, wrote a normal workspace file through the remote OpenClaw fs bridge, attempted writes to both existing protected skill roots through the remote bridge, then verified remote bridge compatibility by writing under an absent skills/ root.

Evidence after fix: Copied terminal output from the current-head proof run:

head=69d60b0efc1266c1e4d6ca380954102ae0c1c2ea
workspace=/redacted/proof/workspace
docker mount: /redacted/proof/workspace/.agents/skills -> /workspace/.agents/skills RW=false
docker mount: /redacted/proof/workspace -> /workspace RW=true
docker mount: /redacted/proof/workspace/skills -> /workspace/skills RW=false
OK: generic OpenClaw fs bridge wrote normal workspace file
OK: generic bridge write to existing /workspace/skills blocked: Sandbox path is read-only; cannot write files: /workspace/skills/demo/SKILL.md
OK: generic bridge write to existing /workspace/.agents/skills blocked: Sandbox path is read-only; cannot write files: /workspace/.agents/skills/demo/SKILL.md
docker readback normal.txt=generic-normal-ok
OK: remote OpenClaw fs bridge wrote normal workspace file
OK: remote bridge write to existing /workspace/skills blocked: Sandbox path is read-only; cannot write files: /tmp/openclaw-pr85591-proof-zhcYO1/workspace/skills/demo/SKILL.md
OK: remote bridge write to existing /workspace/.agents/skills blocked: Sandbox path is read-only; cannot write files: /tmp/openclaw-pr85591-proof-zhcYO1/workspace/.agents/skills/demo/SKILL.md
host readback remote-normal.txt=remote-normal-ok
OK: remote OpenClaw fs bridge wrote under absent skills root
host readback absent skills/new.txt=absent-root-created
RESULT: current-head proof complete

Observed result after fix: Normal workspace writes succeeded through both the generic and remote OpenClaw fs bridges. Writes under existing /workspace/skills and /workspace/.agents/skills failed through both bridge paths with read-only sandbox path errors. The Docker mount table showed /workspace writable while both existing skill roots were mounted read-only. The remote bridge allowed a normal write under an absent skills/ root, matching Docker/generic existing-root filtering behavior.

What was not tested: A full interactive UI session was not included. This proof covers the Docker mount behavior, both OpenClaw fs bridge write paths, and the final absent-root remote bridge compatibility behavior directly.
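The mount layout and bridge policy described in the PR body, as an added TypeScript model that is not OpenClaw's own code: it assumes the workspace is bound at /workspace in the container, takes an injected `exists` predicate instead of touching the file system, and all function names are hypothetical.

```typescript
// Added example, not OpenClaw's own code: a model of the sandbox mount and
// fs-bridge write policy this PR describes. Assumed: the workspace is bound at
// /workspace in the container; `exists` is injected so this runs without disk.
export type WorkspaceAccess = "rw" | "ro" | "none";
export interface BindMount { hostPath: string; containerPath: string; readOnly: boolean }

export const SANDBOX_MOUNT_FORMAT_VERSION = 3;
export const CONTAINER_WORKSPACE = "/workspace";
// Skill roots (relative to the workspace) that must not be writable from
// inside the sandbox once they exist on the host.
export const PROTECTED_SKILL_ROOTS = ["skills", ".agents/skills"];

// Collapse "." and ".." so a bridge path cannot escape a root by traversal.
export function normalizePosix(p: string): string {
  const out: string[] = [];
  for (const seg of p.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") out.pop();
    else out.push(seg);
  }
  return "/" + out.join("/");
}

function isUnder(p: string, root: string): boolean {
  return p === root || p.startsWith(root + "/");
}

// Docker bind list. In "rw" the workspace stays writable and every existing
// protected skill root gets a nested read-only overlay; in "ro" and "none" the
// single read-only /workspace bind already covers them, so no nested bind.
export function resolveWorkspaceMounts(
  workspace: string,
  access: WorkspaceAccess,
  exists: (hostPath: string) => boolean,
): BindMount[] {
  const mounts: BindMount[] = [
    { hostPath: workspace, containerPath: CONTAINER_WORKSPACE, readOnly: access !== "rw" },
  ];
  if (access !== "rw") return mounts;
  for (const rel of PROTECTED_SKILL_ROOTS) {
    const hostPath = `${workspace}/${rel}`;
    if (!exists(hostPath)) continue; // absent root: stays a normal workspace path
    mounts.push({ hostPath, containerPath: `${CONTAINER_WORKSPACE}/${rel}`, readOnly: true });
  }
  return mounts;
}

// Render a mount as a docker -v argument, e.g. "/ws/skills:/workspace/skills:ro,z".
export function toDockerBind(m: BindMount): string {
  return `${m.hostPath}:${m.containerPath}:${m.readOnly ? "ro" : "rw"},z`;
}

// Stable state key over the mount format version and the mount list. A
// container created before a skill root appeared gets a different key and is
// recreated rather than reused with stale, unprotected mounts.
export function mountStateKey(mounts: BindMount[]): string {
  return `v${SANDBOX_MOUNT_FORMAT_VERSION}|${mounts.map(toDockerBind).sort().join("|")}`;
}

// Mirror of the Docker policy for OpenClaw fs bridge writes, so file
// operations that do not go through the container still honour it. Returns
// null when the write may proceed, otherwise the error message to raise.
export function checkBridgeWrite(
  workspace: string,
  access: WorkspaceAccess,
  containerPath: string,
  exists: (hostPath: string) => boolean,
): string | null {
  const p = normalizePosix(containerPath);
  const denied = `Sandbox path is read-only; cannot write files: ${p}`;
  if (!isUnder(p, CONTAINER_WORKSPACE)) return `Path is outside the sandbox workspace: ${p}`;
  if (access !== "rw") return denied;
  for (const rel of PROTECTED_SKILL_ROOTS) {
    // Only roots that exist on the host are protected; a write under an
    // absent skills/ root creates it as a normal workspace path.
    if (isUnder(p, `${CONTAINER_WORKSPACE}/${rel}`) && exists(`${workspace}/${rel}`)) return denied;
  }
  return null;
}
```

The "rw" mount list reproduces the three-line Docker mount table in the proof output above, and the absent-root case is what keeps `skills/new.txt` writable until a host `skills/` directory appears.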

@jason-allen-oneal jason-allen-oneal requested a review from a team as a code owner May 23, 2026 02:56
Copilot AI review requested due to automatic review settings May 23, 2026 02:56
@openclaw-barnacle openclaw-barnacle Bot added agents Agent runtime and tooling size: S triage: needs-real-behavior-proof Candidate: external PR needs after-fix proof from a real setup. labels May 23, 2026

clawsweeper Bot commented May 23, 2026

Contributor

Codex review: needs maintainer review before merge.

Latest ClawSweeper review: 2026-05-23 23:18 UTC / May 23, 2026, 7:18 PM ET.

Workflow note: Future ClawSweeper reviews update this same comment in place.

How this review workflow works
  • ClawSweeper keeps one durable marker-backed review comment per issue or PR.
  • Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
  • A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
  • PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
  • Maintainers can also comment @clawsweeper review to request a fresh review only.
  • Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
  • Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
  • Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

PR Surface
Source +222, Tests +228. Total +450 across 9 files.

Area       Files  Added  Removed   Net
Source         6    252       30  +222
Tests          3    229        1  +228
Docs           0      0        0     0
Config         0      0        0     0
Generated      0      0        0     0
Other          0      0        0     0
Total          9    481       31  +450

Summary
The PR mounts existing workspace skill roots read-only in writable sandboxes, mirrors that policy in generic and remote filesystem bridges, updates sandbox hash state, and adds targeted sandbox tests.

Reproducibility: yes, at source level: current main mounts the workspace writable in workspaceAccess: "rw" and does not add a protected skill-root overlay or bridge classification. I did not run Docker in this read-only review, but the PR body supplies current-head terminal proof for the runtime path.

PR rating
Overall: 🐚 platinum hermit
Proof: 🦞 diamond lobster
Patch quality: 🐚 platinum hermit
Summary: Strong terminal proof and a focused patch make this a good merge candidate once maintainers accept the compatibility and sandbox-boundary tradeoff.

Rank-up moves:

  • Get sandbox/security owner acceptance of the hardened default, custom-bind boundary, and hot-container recreation behavior.
What the crustacean ranks mean
  • 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
  • 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
  • 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
  • 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
  • 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
  • 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
  • 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

Real behavior proof
Sufficient (terminal): The PR body includes current-head terminal proof showing Docker mount state, generic and remote bridge blocking, and absent-root remote write compatibility.

Risk before merge

  • Merging intentionally makes existing workspace skills and .agents/skills roots read-only inside workspaceAccess: "rw" sandboxes, so any workflow that edits those paths from inside the sandbox will start failing with read-only errors.
  • Hot existing sandbox containers with stale mount state can remain running until explicit recreation or cooldown, delaying Docker-level hardening for those sessions.
  • Custom Docker binds are appended after managed workspace mounts, so maintainers should explicitly accept the boundary where operator-provided binds may shadow Docker mount protection even though OpenClaw filesystem bridges classify protected skills as read-only.

Maintainer options:

  1. Accept the hardened default (recommended)
    Land the PR as-is if maintainers accept that existing workspace skill roots are no longer editable from inside writable sandboxes.
  2. Add an editable-skills escape hatch
    If in-sandbox skill editing is a supported workflow, require an explicit opt-in mode with tests for both hardened and editable behavior before merge.
  3. Pause for sandbox boundary policy
    If custom bind precedence or hot-container recreation timing must be part of the hard guarantee, pause until maintainers settle that policy.

Next step before merge
The remaining action is maintainer/security acceptance of the default behavior and sandbox boundary policy, not an automated code repair.

Security
Cleared: The diff is security-sensitive sandbox hardening, and I found no concrete supply-chain or security regression in the patch itself.

Review details

Best possible solution:

Land this after sandbox/security owner acceptance of the hardened default, preserving absent-root write compatibility and adding an explicit editable-skills mode only if maintainers decide that workflow is supported.

Do we have a high-confidence way to reproduce the issue?

Yes, at source level: current main mounts the workspace writable in workspaceAccess: "rw" and does not add a protected skill-root overlay or bridge classification. I did not run Docker in this read-only review, but the PR body supplies current-head terminal proof for the runtime path.

Is this the best way to solve the issue?

Yes, with maintainer acceptance: read-only nested binds plus matching generic and remote bridge policy are a narrow maintainable fix for existing skill roots. The remaining question is whether the compatibility break, hot-container timing, and custom-bind boundary are acceptable as default policy.

Label justifications:

  • P2: This is a normal-priority sandbox hardening fix with limited but security-sensitive blast radius.
  • merge-risk: 🚨 compatibility: Existing workflows that edit workspace skill roots from inside writable sandboxes will fail after this PR.
  • merge-risk: 🚨 security-boundary: The patch changes sandbox boundary behavior and leaves maintainer policy choices around stale containers and custom bind precedence.
  • rating: 🐚 platinum hermit: Current PR rating is 🐚 platinum hermit because proof is 🦞 diamond lobster, patch quality is 🐚 platinum hermit, and strong terminal proof and a focused patch make this a good merge candidate once maintainers accept the compatibility and sandbox-boundary tradeoff.
  • status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Sufficient (terminal): The PR body includes current-head terminal proof showing Docker mount state, generic and remote bridge blocking, and absent-root remote write compatibility.
  • proof: sufficient: Contributor real behavior proof is sufficient. The PR body includes current-head terminal proof showing Docker mount state, generic and remote bridge blocking, and absent-root remote write compatibility.

What I checked:

Likely related people:

  • steipete: Local blame attributes the current sandbox mount and bridge files to Peter Steinberger in this checkout, and GitHub path history shows multiple sandbox refactor/safety commits in the same area. (role: recent area contributor; confidence: high; commits: 071c3e364b77, 7066d5e192a6, eb4a93a8dbdf; files: src/agents/sandbox/workspace-mounts.ts, src/agents/sandbox/fs-paths.ts, src/agents/sandbox/remote-fs-bridge.ts)
  • vincentkoc: GitHub path history for remote-fs-bridge.ts shows recent remote bridge and sandbox backend commits by Vincent Koc, including pinned remote fs bridge reads and backend handle splitting. (role: remote bridge contributor; confidence: high; commits: 121870a08583, 7d6af7e154c9, c04bbd3cbb9d; files: src/agents/sandbox/remote-fs-bridge.ts, src/agents/sandbox/fs-paths.ts)
  • neeravmakwana: GitHub path history for workspace-mounts.ts and docker.ts shows Neerav Makwana authored the recent managed workspace mount SELinux relabeling change adjacent to this PR's bind mount behavior. (role: sandbox mount contributor; confidence: medium; commits: 7516b423eb61; files: src/agents/sandbox/workspace-mounts.ts, src/agents/sandbox/docker.ts)
  • joshavant: GitHub path history for fs-paths.ts and docker.ts shows recent sandbox bind/write-policy fixes by Josh Avant that overlap the bridge policy surface touched here. (role: adjacent owner; confidence: medium; commits: 3ee03420613f, 045a581069dc; files: src/agents/sandbox/fs-paths.ts, src/agents/sandbox/docker.ts)

Codex review notes: model gpt-5.5, reasoning high; reviewed against 5c4a733912a8.

Copilot AI left a comment


Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

@clawsweeper clawsweeper Bot added rating: 🧂 unranked krab Not merge-ready due to missing proof or serious correctness/safety concerns. status: 📣 needs proof The PR needs real behavior proof before ClawSweeper can clear the contributor ask. labels May 23, 2026

clawsweeper Bot commented May 23, 2026

Contributor

ClawSweeper PR egg

✨ Hatched: 🥚 common Moonlit Shellbean

Hatch command

Comment @clawsweeper hatch when this PR is hatchable.

Hatchability rules:

  • Merged PRs are hatchable.
  • Open PRs are hatchable when they are status: 👀 ready for maintainer look, status: 🚀 automerge armed, or labeled clawsweeper:automerge.
  • Closed unmerged PRs are hatchable only when one of those hatchable labels is still present in the durable record.

Rarity: 🥚 common.
Trait: keeps receipts.
Image traits: location diff observatory; accessory release bell; palette rose quartz and slate; mood calm; pose standing beside its cracked shell; shell soft speckled shell; lighting warm desk-lamp glow; background little resolved-comment flags.

What is this egg doing here?
  • Eggs appear after the PR passes real-behavior proof. It is here for vibes, not verdicts: it does not change labels, ratings, merge decisions, or automation.
  • The shell reacts to review momentum: open follow-up work warms it up, re-review makes it wobble, and a clean final review lets it hatch.
  • Hatchability usually comes from sufficient real-behavior proof, no blocking P0/P1/P2 findings, no security attention needed, and clean correctness. A merged PR is already final, so merge makes the egg hatchable independently.
  • The hatch is seeded from this repository and PR number, so the same PR keeps the same creature; the reviewed head SHA can only change safe visual details.
  • Rarity is just collectible sparkle: 🥚 common, 🌱 uncommon, 💎 rare, ✨ glimmer, and 🌈 legendary.

@jason-allen-oneal

Contributor Author

@clawsweeper re-review


clawsweeper Bot commented May 23, 2026

Contributor

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

@clawsweeper clawsweeper Bot added P2 Normal backlog priority with limited blast radius. merge-risk: 🚨 compatibility 🚨 May break existing users, config, migrations, defaults, or upgrade paths. merge-risk: 🚨 security-boundary 🚨 May affect sandboxing, authorization, credentials, or sensitive data. labels May 23, 2026
@jason-allen-oneal

Contributor Author

@clawsweeper re-review


clawsweeper Bot commented May 23, 2026

Contributor

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

@jason-allen-oneal

Contributor Author

@clawsweeper re-review


clawsweeper Bot commented May 23, 2026

Contributor

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

@clawsweeper clawsweeper Bot added the merge-risk: 🚨 session-state 🚨 May lose, corrupt, stale, or mis-associate session, agent, or context state. label May 23, 2026

Contributor Author

@clawsweeper re-review

Updated the PR body with exact-head Docker proof for ca768a16b9ef2c70931df2edd6b34966255c0fb2. The body now documents that ro and none do not add a separate /workspace/skills nested bind, and includes refresh/reuse proof showing a reused ro container sees updated synced skill contents after the host removes and recreates the staged skills/ directory.


clawsweeper Bot commented May 23, 2026

Contributor

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

@clawsweeper clawsweeper Bot added proof: sufficient ClawSweeper judged the real behavior proof convincing. rating: 🐚 platinum hermit Good normal PR readiness with ordinary maintainer review expected. status: 👀 ready for maintainer look ClawSweeper has no concrete contributor-facing blocker left for this PR. and removed rating: 🧂 unranked krab Not merge-ready due to missing proof or serious correctness/safety concerns. status: 📣 needs proof The PR needs real behavior proof before ClawSweeper can clear the contributor ask. labels May 23, 2026
@jason-allen-oneal

Contributor Author

@clawsweeper re-review

Current-head proof has been refreshed for 69d60b0. The PR body now includes live terminal output covering Docker mounts, generic bridge blocking, remote bridge blocking, and the absent-root remote write compatibility case.


clawsweeper Bot commented May 23, 2026

Contributor

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

Contributor Author

@clawsweeper re-review

PR 85591 current-head proof has been refreshed for 69d60b0efc1266c1e4d6ca380954102ae0c1c2ea.

The PR body now includes live terminal output from detached worktree /tmp/openclaw-85591-proof covering:

  • Docker mount table: /workspace writable, existing /workspace/skills read-only, existing /workspace/.agents/skills read-only.
  • Generic OpenClaw fs bridge: normal workspace write succeeds; writes under both existing protected skill roots are blocked.
  • Remote OpenClaw fs bridge: normal workspace write succeeds; writes under both existing protected skill roots are blocked.
  • Remote absent-root compatibility: write under absent skills/ root succeeds.

Please re-check the stale-proof finding against the current PR body and head.


clawsweeper Bot commented May 23, 2026

Contributor

🦞👀
ClawSweeper picked this up.

Command router queued. I will update this comment with the next step.

Re-review progress:

@clawsweeper clawsweeper Bot added proof: sufficient ClawSweeper judged the real behavior proof convincing. rating: 🐚 platinum hermit Good normal PR readiness with ordinary maintainer review expected. status: 👀 ready for maintainer look ClawSweeper has no concrete contributor-facing blocker left for this PR. and removed rating: 🦐 gold shrimp Decent PR readiness signal, but merge confidence is limited. status: 📣 needs proof The PR needs real behavior proof before ClawSweeper can clear the contributor ask. labels May 23, 2026
@steipete steipete self-assigned this May 23, 2026
@steipete steipete force-pushed the fix/sandbox-readonly-skill-mounts branch from 69d60b0 to b47a808 Compare May 23, 2026 23:28
@steipete

Contributor

Verification before merge:

Behavior addressed: workspace skill directories are mounted and enforced read-only for Docker, browser, local bridge, and remote bridge paths; symlink roots, symlink parents, remote-only skill roots, remote symlink aliases, and custom bind shadowing are covered.
Real environment tested: local macOS focused Vitest plus Blacksmith Testbox changed gate.
Exact steps or command run after this patch: pnpm test src/agents/sandbox/workspace-skills-bridge-readonly.test.ts src/agents/sandbox/remote-fs-bridge.test.ts src/agents/sandbox/workspace-mounts.test.ts src/agents/sandbox/docker.config-hash-recreate.test.ts src/agents/sandbox/browser.create.test.ts -- --reporter=verbose
Evidence after fix: 5 test files passed, 48 tests passed locally.
Exact steps or command run after this patch: pnpm check:changed
Evidence after fix: Blacksmith Testbox tbx_01ksbjgyhh4qh237nyx0bff4j5 passed; provider=blacksmith-testbox, exit=0.
Exact steps or command run after this patch: /Users/steipete/Projects/agent-scripts/skills/autoreview/scripts/autoreview --mode branch --base origin/main
Evidence after fix: autoreview clean, no accepted/actionable findings reported.
Observed result after fix: PR branch rebased onto current origin/main and pushed to contributor fork at b47a808.
What was not tested: full release validation and live Docker/browser manual scenarios were not run; changed gate plus focused sandbox coverage matched the touched surface.

Thanks @jason-allen-oneal.

@steipete steipete merged commit a0f6ce0 into openclaw:main May 23, 2026
65 of 68 checks passed
@steipete

Contributor

Landed via rebase merge onto main.

  • Source branch head before merge: b47a808
  • Landed main commit: a0f6ce0
  • Gate: local focused Vitest, Blacksmith Testbox tbx_01ksbjgyhh4qh237nyx0bff4j5, autoreview clean

Thanks @jason-allen-oneal.


gbb-netizen commented May 27, 2026


@jason-allen-oneal @steipete I'm confused. This PR is presented as introducing a feature, but in the existing state the sandbox workspace in rw mode didn't have built-in skills available at all, so I'm confused what making them read-only does. Did this PR also fix the bug that the skills weren't available? "Added read-only Docker overlays for existing workspace skill roots in rw mode." <- there was no existing workspace skills root, see #48011, which was closed due to hallucination of a PR as an issue tracker, of which the PR was closed in favor of this PR, which does not seem to address that skills didn't exist in this mode in the first place? Did this also fix the skills bug? If this PR is only for a user-added skills directory, then the related issue needs to be reopened.

@jason-allen-oneal separate feedback for the PR: you write "Kept ro and none on the existing read-only /workspace mount.", but this is not an enduring fix, because none being read-only is also a bug: #37634, so if the intent was to make skills read-only, this PR will be broken if that bug is fixed. So any solution for "rw" mode needs to be extended to none. n.b. "none" is the default.


Labels

agents Agent runtime and tooling merge-risk: 🚨 compatibility 🚨 May break existing users, config, migrations, defaults, or upgrade paths. merge-risk: 🚨 security-boundary 🚨 May affect sandboxing, authorization, credentials, or sensitive data. P2 Normal backlog priority with limited blast radius. proof: sufficient ClawSweeper judged the real behavior proof convincing. proof: supplied External PR includes structured after-fix real behavior proof. rating: 🐚 platinum hermit Good normal PR readiness with ordinary maintainer review expected. size: XL status: 👀 ready for maintainer look ClawSweeper has no concrete contributor-facing blocker left for this PR.


Development

Successfully merging this pull request may close these issues.

[Feature]: Mount skill directories read-only in sandbox containers
