fix(agents): suppress Write/Edit failed warning on response-timeout false-failure (#55424) #86855

Merged: steipete merged 7 commits into openclaw:main from MoerAI:fix/write-edit-timeout-warning-suppression on May 27, 2026
@MoerAI MoerAI commented May 26, 2026

Contributor

Summary

Fixes the false "Write failed" / "Edit failed" warning class without trusting argument-derived payload metadata. Instead of suppressing payload warnings when lastToolError.fileTarget exists, write recovery now treats timeout/abort failures as successful only after reading the target file back and proving the requested content is present.

The recovery path keeps normal successful writes cheap: it uses stat metadata first, only reads small same-size existing files before the write, and defers full readback to the timeout/abort path. Large same-size sandbox writes use sub-second stat mtimes so completed writes can still recover without a normal-path full-file read.

Changes

  • Add source-backed write timeout recovery beside the existing edit recovery path.
  • Apply write recovery to host and sandboxed write tools.
  • Remove the unsafe payload warning-policy suppression from the original PR approach.
  • Preserve visible payload warnings when fileTarget only proves the attempted path.
  • Improve sandbox stat mtime precision for write-recovery metadata checks.
  • Isolate the E2E timeout fixture shims so the broad support-boundary CI shard does not depend on inherited PATH state.

Real behavior proof

Behavior addressed: response/ack timeout after a completed file write no longer surfaces as a failed write when disk readback proves the requested content was written; argument-derived fileTarget alone still does not suppress payload warnings.

Real environment tested: local macOS checkout plus broad support-boundary shard reproduction. Maintainer applied proof: override because this is a shared write-tool/payload-layer fix covered by focused runtime tests and changed-surface CI proof, without a channel-specific live Feishu/Telegram run.

Exact steps or command run after this patch:

.agents/skills/autoreview/scripts/autoreview --mode local --base origin/main
pnpm test src/agents/pi-embedded-runner/run/payloads.errors.test.ts src/agents/pi-embedded-subscribe.handlers.tools.test.ts src/agents/pi-tools.read.host-edit-recovery.test.ts src/agents/sandbox/fs-bridge.anchored-ops.test.ts src/agents/sandbox/fs-bridge.shell.test.ts test/scripts/openclaw-e2e-instance.test.ts -- --reporter=verbose
OPENCLAW_VITEST_MAX_WORKERS=2 node scripts/run-vitest.mjs run --config test/vitest/vitest.full-core-support-boundary.config.ts

Evidence after fix: autoreview clean with no accepted/actionable findings; focused Vitest passed 138 tests across payload, write recovery, sandbox stat coverage, and the E2E timeout fixture; the previously failing support-boundary shard passed locally with 178 files passed, 1 skipped, 1996 tests passed.

Observed result after fix: write recovery returns success only after timeout/abort readback matches requested content and either pre-state differed, metadata changed, or the target was known missing before the write. Payload warning tests still show timed-out write errors when fileTarget only proves the attempted path. The broad support-boundary timeout fixture no longer depends on inherited PATH lookup after its fake timeout wrapper records the command.

What was not tested: live Feishu/Telegram end-to-end delivery was not rerun; the fix is covered at the shared write-tool and payload construction layers used by those channels. Remote Crabbox pnpm check:changed was attempted on run run_ce50a1ea3ee0 but the raw synced workspace had no .git, so it failed before running checks.

Closes #55424

@openclaw-barnacle openclaw-barnacle Bot added agents Agent runtime and tooling size: S triage: needs-real-behavior-proof Candidate: external PR needs after-fix proof from a real setup. labels May 26, 2026
clawsweeper Bot commented May 26, 2026

Contributor

Codex review: needs changes before merge. Reviewed May 27, 2026, 4:00 AM ET / 08:00 UTC.

Summary
The PR adds readback-confirmed write timeout recovery for host and sandbox file tools, adjusts edit/write path normalization and sandbox stat mtime precision, and expands payload, recovery, sandbox, and E2E fixture tests.

PR surface: Source +256, Tests +387. Total +643 across 10 files.

Reproducibility: yes, for the PR-introduced blocker: source inspection shows the outer host guard validates the original file:// string, while the PR's recovery wrapper decodes it before stat/read. I did not live-run the original Feishu channel case.

Review metrics: 1 noteworthy metric.

  • Workspace-guarded mutating tools affected: 2 host tools: write and edit. Both can run under tools.fs.workspaceOnly, so their recovery path normalization must preserve the guard contract before merge.

Merge readiness
Overall: 🧂 unranked krab
Proof: 🐚 platinum hermit
Patch quality: 🧂 unranked krab
Result: blocked by patch quality or review findings.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

  • Fix file URL recovery so it cannot stat/read outside the workspace guard.
  • Add a workspaceOnly regression test showing outside-root file:// paths do not reach recovery stat/read.

Risk before merge

  • Merging the current head can allow recovery precheck/readback to stat or read host file:// targets before the workspace-only write/edit path rejects the operation, weakening the tools.fs.workspaceOnly boundary.

Maintainer options:

  1. Align recovery with the workspace guard (recommended)
    Update edit/write recovery so file URL paths are only decoded after the outer guard has normalized them, or decline recovery for host file URLs under workspaceOnly.
  2. Pause until the boundary is owner-reviewed
    If maintainers want a different file URL contract, hold the PR until the agent file-tool owners decide where file URL normalization belongs.
@clawsweeper automerge

Special instructions:
Preserve readback-confirmed write/edit timeout recovery, but ensure host recovery uses the same workspace-guarded path normalization as `wrapToolWorkspaceRootGuard` or skips `file://` recovery under `workspaceOnly`; add regression coverage proving outside-root `file://` paths do not reach recovery stat/read.

Next step before merge
A narrow automated repair can preserve the PR's recovery behavior while restoring the host workspace guard boundary.

Security
Needs attention: the PR can weaken tools.fs.workspaceOnly for host file URL paths during recovery precheck/readback.

Review findings

  • [P1] Keep file URL recovery behind the workspace guard — src/agents/pi-tools.host-edit.ts:61
Review details

Best possible solution:

Keep the readback-confirmed timeout recovery, but make recovery consume the same guarded path flow as the workspace root guard or skip file URL recovery unless the guard has safely mapped it; add workspaceOnly regression coverage for that boundary.

Do we have a high-confidence way to reproduce the issue?

Yes for the PR-introduced blocker: source inspection shows the outer host guard validates the original file:// string, while the PR's recovery wrapper decodes it before stat/read. I did not live-run the original Feishu channel case.

Is this the best way to solve the issue?

No, not yet. Readback-confirmed recovery is the right shape, but this implementation must first reuse the guarded path flow or skip unsafe file URL recovery under workspaceOnly.

Full review comments:

  • [P1] Keep file URL recovery behind the workspace guard — src/agents/pi-tools.host-edit.ts:61
    normalizeMutationPathLikeUpstreamWrite converts file:// arguments to absolute host paths before the recovery wrapper's precheck/readback. With tools.fs.workspaceOnly=true, the outer guard validates the original file://... string as a workspace-relative literal, so a timed-out write/edit can stat or read arbitrary host files in recovery before the underlying guarded operation rejects. Reuse the guarded normalized path, or skip file URL recovery unless the guard has mapped it.
    Confidence: 0.9

Overall correctness: patch is incorrect
Overall confidence: 0.88

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against c95d348bb5ef.

Label changes

Label justifications:

  • P1: The PR targets a real agent file-tool regression but currently has a high-impact workspaceOnly security-boundary blocker.
  • merge-risk: 🚨 security-boundary: The diff can stat/read host file URL targets in recovery before the existing workspace guard rejects the write/edit operation.
  • rating: 🧂 unranked krab: Overall readiness is 🧂 unranked krab; proof is 🐚 platinum hermit and patch quality is 🧂 unranked krab.
  • status: ⏳ waiting on author: ClawSweeper has contributor-facing work open and is waiting for author action. Override: A maintainer applied proof: override for this PR.
Evidence reviewed

PR surface:

Source +256, Tests +387. Total +643 across 10 files.

| Area | Files | Added | Removed | Net |
|---|---|---|---|---|
| Source | 6 | 269 | 13 | +256 |
| Tests | 4 | 405 | 18 | +387 |
| Docs | 0 | 0 | 0 | 0 |
| Config | 0 | 0 | 0 | 0 |
| Generated | 0 | 0 | 0 | 0 |
| Other | 0 | 0 | 0 | 0 |
| Total | 10 | 674 | 31 | +643 |

Security concerns:

  • [high] File URL recovery bypasses workspaceOnly guard — src/agents/pi-tools.host-edit.ts:61
    The PR decodes host file:// paths inside recovery before the workspace guard's normalized path flow has accepted them, allowing precheck/readback to touch outside-root files.
    Confidence: 0.9

Acceptance criteria:

  • node scripts/run-vitest.mjs src/agents/pi-tools.read.host-edit-recovery.test.ts src/agents/pi-tools.workspace-paths.test.ts src/agents/pi-embedded-runner/run/payloads.errors.test.ts
  • node scripts/run-vitest.mjs src/agents/sandbox/fs-bridge.anchored-ops.test.ts src/agents/sandbox/fs-bridge.shell.test.ts test/scripts/openclaw-e2e-instance.test.ts

What I checked:

  • PR head decodes file URLs before recovery: The current PR head adds normalizeMutationPathLikeUpstreamWrite, which converts file:// values to absolute host paths before edit/write recovery uses them. (src/agents/pi-tools.host-edit.ts:59, c5b9a538ceab)
  • PR head performs recovery precheck before base tool execution: wrapWriteToolWithRecovery resolves the path, then runs readOriginalWriteState before calling the wrapped write tool; host write recovery supplies direct fs.stat and fs.readFile callbacks. (src/agents/pi-tools.host-edit.ts:380, c5b9a538ceab)
  • Current main host guard validates the original path string: On current main, wrapToolWorkspaceRootGuardWithOptions maps file URLs only through container-workdir flows; the normal host write path validates the original string and then invokes the inner tool. (src/agents/pi-tools.read.ts:743, c95d348bb5ef)
  • Current main wraps host writes with the workspace guard: When tools.fs.workspaceOnly is true, host write tools are wrapped by wrapToolWorkspaceRootGuard, while the underlying workspace-only write operation rejects outside-root paths later via canonical workspace mapping. (src/agents/pi-tools.ts:709, c95d348bb5ef)
  • Linked bug remains a real target: The linked issue reports repeated Write/Edit failed messages on Windows/Feishu even though the files were verified as successfully written, which this PR is trying to address.
  • Review discussion already identified the same boundary: The prior Codex/ClawSweeper review comments called out that file URL recovery must stay behind the workspace guard, and the current PR remains open with merge-risk: 🚨 security-boundary.

Likely related people:

  • giodl73-repo: Recent current-main commits changed host edit recovery and workspace-only write-parent behavior in the same files and tests this PR touches. (role: recent workspace guard and recovery contributor; confidence: high; commits: 9e31b9d34414, 6b337ff3eaaa; files: src/agents/pi-tools.host-edit.ts, src/agents/pi-tools.read.ts, src/agents/pi-tools.workspace-paths.test.ts)
  • steipete: History shows repeated agent file-tool/security-boundary work in nearby paths, and the current PR branch includes maintainer-authored follow-up commits. (role: recent area contributor and PR branch maintainer; confidence: medium; commits: fd3ca8a34c72, 693d17c4a2ae, a0d5462571ab; files: src/agents/pi-tools.read.ts, src/agents/pi-tools.host-edit.ts, src/agents/sandbox/fs-bridge.ts)
  • mbelinky: Commit history attributes the earlier host edit recovery hardening to this author, making them relevant context for the recovery wrapper behavior. (role: introduced adjacent recovery behavior; confidence: medium; commits: 922f4e66ea1a; files: src/agents/pi-tools.host-edit.ts)
What the crustacean ranks mean
  • 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
  • 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
  • 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
  • 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
  • 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
  • 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
  • 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works
  • ClawSweeper keeps one durable marker-backed review comment per issue or PR.
  • Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
  • A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
  • PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
  • Maintainers can also comment @clawsweeper review to request a fresh review only.
  • Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
  • Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
  • Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: a3d9de9692

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment on lines +189 to +192
const isFileWriteResponseTimeoutFalseFailure =
params.lastToolError.timedOut === true && params.lastToolError.fileTarget !== undefined;
if (isFileWriteResponseTimeoutFalseFailure) {
return { showWarning: false, includeDetails };
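Review bot: the condition `params.lastToolError.fileTarget !== undefined` only establishes that a target path was recorded for the timed-out call, not that the file now holds the requested content, yet the branch returns `showWarning: false` on that basis alone. Gate the suppression on a confirmed readback of the target instead of the presence of fileTarget, and keep the visible warning when that confirmation is unavailable.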

[P2] Preserve timeout warning when no user-facing reply exists

This new gate suppresses warnings for any timedOut && fileTarget error before considering whether the user received any assistant output. In turns where a write/edit call times out and the assistant produces no user-facing reply, buildEmbeddedRunPayloads now returns no error payload at all, so users get silence instead of the previous warning path (showWarning fallback when hasUserFacingReply is false). That can hide real or ambiguous file-mutation failures, not just the false-failure case this change targets.

Contributor Author

Thanks for the concern — wanted to lay out the technical reasoning here:

Why the gate is intentionally before hasUserFacingReply:

This is the response-timeout false-failure class (#55424). The mutation actually completed on disk; only the tool-ack reply timed out. Showing "Write failed" for a successful write is the bug.

Why fileTarget !== undefined is the right boundary, not a leaky filter:

  1. extractFileTarget() (src/agents/tool-mutation.ts:253-266) only returns a value for the write/edit family (FILE_MUTATING_TOOL_NAMES = {"edit", "write"}). Exec, message, cron, gateway, sessions_send timeouts never match — they keep the existing visible-warning path (covered by the new "still shows exec tool errors when timedOut is true" regression).

  2. The narrow combination is timedOut === true && fileTarget !== undefined. A real failed write (permission denied, ENOSPC, EACCES) does not set timedOut: true; those errors keep the existing mutating-error warning path at lines 196-201.

The remaining edge — "disk write timed out AND no assistant reply":

For write/edit specifically, an ack-reply timeout still leaves the partial bytes on disk: the OS does not roll back a partial write when the JS-level ack times out. The reporter explicitly documented 8/8 affected writes completed successfully on disk on v2026.3.13 Windows 11. The product choice is: if the file is there, do not lie to the user that it failed.

If you'd prefer a tighter boundary, I can layer this with hasUserFacingReply:

const isFileWriteResponseTimeoutFalseFailure =
  params.lastToolError.timedOut === true &&
  params.lastToolError.fileTarget !== undefined &&
  params.hasUserFacingReply;

That would preserve the warning only in the narrow case where ack-timed-out AND no assistant text exists. Happy to push that variant if you'd prefer the stricter shape — let me know and I'll add a regression test for the "no reply + write timeout" path.

Verification of current shape: pnpm test src/agents/pi-embedded-runner/run/payloads.errors.test.ts — 33 passed (4 new cases pin write+fileTarget suppression, write-without-fileTarget still warns, exec timeout still warns).

@clawsweeper clawsweeper Bot added rating: 🧂 unranked krab Not merge-ready due to missing proof or serious correctness/safety concerns. status: 📣 needs proof The PR needs real behavior proof before ClawSweeper can clear the contributor ask. labels May 26, 2026
clawsweeper Bot commented May 26, 2026

Contributor

ClawSweeper PR egg

🔥 Warming up: real-behavior proof passed; findings, security review, or rank-up moves are still in progress.

Hatch command

Comment @clawsweeper hatch when this PR is hatchable.

Hatchability rules:

  • Merged PRs are hatchable.
  • Open PRs are hatchable when they are status: 👀 ready for maintainer look, status: 🚀 automerge armed, or labeled clawsweeper:automerge.
  • Closed unmerged PRs are hatchable only when one of those hatchable labels is still present in the durable record.
What is this egg doing here?
  • Eggs appear after the PR passes real-behavior proof. It is here for vibes, not verdicts: it does not change labels, ratings, merge decisions, or automation.
  • The shell reacts to review momentum: open follow-up work warms it up, re-review makes it wobble, and a clean final review lets it hatch.
  • Hatchability usually comes from sufficient real-behavior proof, no blocking P0/P1/P2 findings, no security attention needed, and clean correctness. A merged PR is already final, so merge makes the egg hatchable independently.
  • The hatch is seeded from this repository and PR number, so the same PR keeps the same creature; the reviewed head SHA can only change safe visual details.
  • Rarity is just collectible sparkle: 🥚 common, 🌱 uncommon, 💎 rare, ✨ glimmer, and 🌈 legendary.

@steipete steipete self-assigned this May 27, 2026
@steipete steipete force-pushed the fix/write-edit-timeout-warning-suppression branch from a3d9de9 to d8c0e7f Compare May 27, 2026 06:54
@openclaw-barnacle openclaw-barnacle Bot added size: M triage: mock-only-proof Candidate: PR proof only shows tests, mocks, snapshots, lint, typecheck, or CI. and removed size: S triage: needs-real-behavior-proof Candidate: external PR needs after-fix proof from a real setup. labels May 27, 2026
@clawsweeper clawsweeper Bot added rating: 🦪 silver shellfish Thin PR readiness signal; proof, validation, or implementation needs work. P2 Normal backlog priority with limited blast radius. and removed rating: 🧂 unranked krab Not merge-ready due to missing proof or serious correctness/safety concerns. labels May 27, 2026
@steipete steipete force-pushed the fix/write-edit-timeout-warning-suppression branch from d8c0e7f to d10cf26 Compare May 27, 2026 07:33
@steipete steipete requested a review from a team as a code owner May 27, 2026 07:33
@steipete steipete added the proof: override Maintainer override for the external PR real behavior proof gate. label May 27, 2026

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: d10cf265be

Comment on lines +59 to +61
if (expanded.startsWith("file://")) {
try {
return fileURLToPath(expanded);

[P2] Keep file-URL recovery reads inside the workspace guard

When host file tools run with tools.fs.workspaceOnly=true, the outer wrapToolWorkspaceRootGuard does not parse file:// paths unless a container workdir is configured, so a path like file:///etc/passwd is validated as a relative literal under the workspace. This new normalization then converts the same argument to /etc/passwd inside the edit/write recovery wrappers before their pre-error stat/readFile, so an edit or write attempt with a local file URL can touch arbitrary host files before the underlying workspace-only operation rejects the write. Align the guard and recovery normalization, or avoid resolving file:// here unless it has already been mapped by the guarded path flow.
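
The guard/recovery mismatch described in this review, as an added example that is not part of the PR or of OpenClaw's code. All function names and the `/srv/workspace` root are hypothetical, and POSIX path handling is inlined (with a simplified stand-in for `fileURLToPath`) so the block runs without imports.

```javascript
// Added illustration; names are hypothetical, not OpenClaw's code.
const WORKSPACE_ROOT = "/srv/workspace"; // constructed sample root

// Collapse "." and ".." segments of an absolute POSIX path.
function normalizeAbsolute(p) {
  const out = [];
  for (const seg of p.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") out.pop();
    else out.push(seg);
  }
  return "/" + out.join("/");
}

// Resolve a tool argument against the root, treating it as a plain path string.
function resolveLiteral(root, arg) {
  return normalizeAbsolute(arg.startsWith("/") ? arg : root + "/" + arg);
}

function isInside(root, abs) {
  return abs === root || abs.startsWith(root + "/");
}

// Simplified POSIX stand-in for fileURLToPath: local file URLs only,
// encoded slashes rejected, dot segments collapsed after decoding.
function decodeFileUrl(arg) {
  const url = new URL(arg);
  if (url.protocol !== "file:" || url.hostname !== "") throw new Error("unsupported file URL");
  if (/%2f/i.test(url.pathname)) throw new Error("encoded slash in file URL");
  return normalizeAbsolute(decodeURIComponent(url.pathname));
}

// Mismatched flow: the guard checks the literal string, recovery decodes the URL.
function mismatchedFlow(root, arg) {
  const guardPath = resolveLiteral(root, arg);
  const guardAllows = isInside(root, guardPath);
  const recoveryPath = arg.startsWith("file://") ? decodeFileUrl(arg) : guardPath;
  return {
    guardAllows,
    recoveryPath,
    // True when the path recovery would stat/read is outside what the guard approved.
    recoveryEscapes: guardAllows && !isInside(root, recoveryPath),
  };
}

// Aligned flow: normalize once, check containment on that result, and hand the
// same path to recovery. Returns null when recovery must be skipped.
// Symlink resolution is out of scope for this sketch.
function alignedRecoveryPath(root, arg) {
  let abs;
  try {
    abs = arg.startsWith("file://") ? decodeFileUrl(arg) : resolveLiteral(root, arg);
  } catch {
    return null;
  }
  return isInside(root, abs) ? abs : null;
}

// Constructed sample arguments, including the file URL quoted in the review.
function demo() {
  const samples = [
    "notes/todo.md",
    "file:///srv/workspace/notes/todo.md",
    "file:///etc/passwd",
    "../outside.txt",
  ];
  return samples.map((arg) => ({
    arg,
    ...mismatchedFlow(WORKSPACE_ROOT, arg),
    aligned: alignedRecoveryPath(WORKSPACE_ROOT, arg),
  }));
}

console.log(demo());
```

A regression test for the `workspaceOnly` boundary would assert the `aligned` result is `null` for every outside-root argument before any stat or read callback is invoked.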

@openclaw-barnacle openclaw-barnacle Bot removed the triage: mock-only-proof Candidate: PR proof only shows tests, mocks, snapshots, lint, typecheck, or CI. label May 27, 2026
@clawsweeper clawsweeper Bot added rating: 🧂 unranked krab Not merge-ready due to missing proof or serious correctness/safety concerns. status: ⏳ waiting on author ClawSweeper has contributor-facing work open and is waiting for author action. P1 High-priority user-facing bug, regression, or broken workflow. and removed rating: 🦪 silver shellfish Thin PR readiness signal; proof, validation, or implementation needs work. status: 📣 needs proof The PR needs real behavior proof before ClawSweeper can clear the contributor ask. P2 Normal backlog priority with limited blast radius. labels May 27, 2026
@clawsweeper clawsweeper Bot added the merge-risk: 🚨 security-boundary 🚨 May affect sandboxing, authorization, credentials, or sensitive data. label May 27, 2026
MoerAI and others added 7 commits May 27, 2026 08:49
…alse-failure (openclaw#55424)

Reporter sees '⚠️ Write failed' / '⚠️ Edit failed' warnings on Feishu (and other channels) even though the file was 100% saved successfully (8 of 8 verified writes succeeded; warning shown for all 8). Source path: tool-mutation records lastToolError.timedOut=true with a fileTarget when a write/edit tool ack reply times out after the disk mutation has already completed, then resolveToolErrorWarningPolicy goes through the default mutating-tool branch and emits the misleading failure summary.

Add a narrow gate inside resolveToolErrorWarningPolicy that suppresses the warning only when both lastToolError.timedOut is true AND lastToolError.fileTarget is defined. fileTarget is set by tool-mutation.ts only for the write/edit family (FILE_MUTATING_TOOL_NAMES), so this branch never matches exec/message/cron/gateway mutating-tool timeouts where the disk-write idempotency reasoning does not apply. Real file failures (no timeout) and timeouts without recorded fileTarget keep their visible warnings.
@steipete steipete force-pushed the fix/write-edit-timeout-warning-suppression branch from d8a72de to c5b9a53 Compare May 27, 2026 07:53
@steipete

Contributor

Verification before merge:

Behavior addressed: Write/Edit response-timeout false failures now suppress the user-facing failed-warning only when the completed file change is proven from the filesystem. Timed-out payloads that only attempted a target path still warn.

Real environment tested: local macOS checkout on head c5b9a53, plus GitHub CI for the same SHA.

Exact steps or command run after this patch:

pnpm test src/agents/pi-embedded-runner/run/payloads.errors.test.ts src/agents/pi-embedded-subscribe.handlers.tools.test.ts src/agents/pi-tools.read.host-edit-recovery.test.ts src/agents/sandbox/fs-bridge.anchored-ops.test.ts src/agents/sandbox/fs-bridge.shell.test.ts test/scripts/openclaw-e2e-instance.test.ts -- --reporter=verbose
OPENCLAW_VITEST_MAX_WORKERS=2 node scripts/run-vitest.mjs run --config test/vitest/vitest.full-core-support-boundary.config.ts
.agents/skills/autoreview/scripts/autoreview --mode local --base origin/main

Evidence after fix: focused local tests passed, 138 tests across 3 shards. Full core support-boundary shard passed, 178 files passed, 1996 tests passed, 10 skipped. Autoreview reported clean with no accepted/actionable findings. GitHub Main CI run 26498401197 passed. GitHub Critical Quality CodeQL run 26498401102 passed.

Observed result after fix: write-timeout recovery succeeds only after proving requested content reached disk and pre-state proves the operation was not a no-op; attempted-path-only timeout payloads still produce the warning. E2E timeout fixtures no longer depend on ambient PATH ordering.

What was not tested: Crabbox changed-check run did not complete because the synced workspace lacked .git metadata, so git diff origin/main...HEAD failed before checks in run_ce50a1ea3ee0. Local support-boundary and GitHub CI/Critical Quality covered the changed surfaces instead.
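
The readback rule stated in this verification and in the PR summary, next to the argument-only gate from the first revision, as an added example that is not the PR's code. The in-memory file store, function names, sample path and the 64-byte small-file cutoff are assumptions made for illustration.

```javascript
// Added illustration; names, the in-memory store and the size cutoff are
// hypothetical, not OpenClaw's implementation.
const SMALL_FILE_LIMIT = 64; // assumed cutoff for the cheap pre-write read

// Minimal in-memory stand-in for stat/readFile so the example runs offline.
function makeStore(files) {
  const map = new Map(Object.entries(files));
  return {
    stat: (p) =>
      map.has(p) ? { size: map.get(p).content.length, mtimeMs: map.get(p).mtimeMs } : null,
    read: (p) => (map.has(p) ? map.get(p).content : null),
    write: (p, content, mtimeMs) => map.set(p, { content, mtimeMs }),
  };
}

// Gate from the first revision: argument-derived metadata only.
function argumentOnlyGate(lastToolError) {
  return lastToolError.timedOut === true && lastToolError.fileTarget !== undefined;
}

// Cheap snapshot taken before the write: stat first, and read the old content
// only when the file is small and already the same size as the request.
function capturePreState(store, path, requested) {
  const st = store.stat(path);
  if (st === null) return { missing: true };
  const sameSizeSmall = st.size === requested.length && st.size <= SMALL_FILE_LIMIT;
  return {
    missing: false,
    size: st.size,
    mtimeMs: st.mtimeMs,
    content: sameSizeSmall ? store.read(path) : undefined,
  };
}

// Timeout/abort path: full readback must match the request, and the pre-state
// must show the write was not a no-op.
function confirmWriteAfterTimeout(store, path, requested, pre) {
  if (store.read(path) !== requested) return false;
  if (pre.missing) return true;
  const st = store.stat(path);
  const preStateDiffered = pre.content !== undefined && pre.content !== requested;
  const metadataChanged = st.size !== pre.size || st.mtimeMs !== pre.mtimeMs;
  return preStateDiffered || metadataChanged;
}

// Every scenario ends with the tool ack timing out; only the disk state differs.
function runScenario({ initial, requested, writeLands, mtimeAfter }) {
  const path = "/srv/workspace/report.txt"; // constructed sample path
  const store = makeStore(initial ? { [path]: initial } : {});
  const pre = capturePreState(store, path, requested);
  if (writeLands) store.write(path, requested, mtimeAfter);
  const lastToolError = { timedOut: true, fileTarget: path };
  return {
    argumentOnly: argumentOnlyGate(lastToolError),
    readbackConfirmed: confirmWriteAfterTimeout(store, path, requested, pre),
  };
}

// Constructed scenarios.
const big = (ch) => ch.repeat(100); // larger than SMALL_FILE_LIMIT
const scenarios = {
  newFileWritten: { initial: null, requested: "hello", writeLands: true, mtimeAfter: 2000 },
  writeNeverLanded: { initial: { content: "old!!", mtimeMs: 1000 }, requested: "hello", writeLands: false },
  alreadyIdenticalNoWrite: { initial: { content: "hello", mtimeMs: 1000 }, requested: "hello", writeLands: false },
  largeSameSizeSubSecond: { initial: { content: big("A"), mtimeMs: 5000 }, requested: big("B"), writeLands: true, mtimeAfter: 5250 },
  // Same write, but mtime truncated to whole seconds: metadata shows no change.
  largeSameSizeWholeSecond: { initial: { content: big("A"), mtimeMs: 5000 }, requested: big("B"), writeLands: true, mtimeAfter: 5000 },
};

function runAll() {
  return Object.fromEntries(
    Object.entries(scenarios).map(([name, s]) => [name, runScenario(s)])
  );
}

console.log(runAll());
```

The last two scenarios show why the PR raises sandbox stat mtime precision: a completed large same-size write is only provable from metadata when the timestamp resolves below one second.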

@steipete steipete removed the status: ⏳ waiting on author ClawSweeper has contributor-facing work open and is waiting for author action. label May 27, 2026
@steipete steipete merged commit 7e702bb into openclaw:main May 27, 2026
102 of 106 checks passed
@MoerAI MoerAI deleted the fix/write-edit-timeout-warning-suppression branch May 27, 2026 09:53
github-actions Bot pushed a commit to Desicool/openclaw that referenced this pull request May 28, 2026
…alse-failure (openclaw#55424) (openclaw#86855)

* fix(agents): suppress Write/Edit failed warning on response-timeout false-failure (openclaw#55424)

* fix: recover completed write timeouts safely

* fix: bound write timeout recovery precheck

* fix: type write recovery precheck fallback

* test: complete write recovery result mock

* test: isolate e2e timeout fixture shims

* test: stabilize e2e timeout fixture path

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
eleboucher pushed a commit to eleboucher/homelab that referenced this pull request May 28, 2026
…026.5.27) (#698)

This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [ghcr.io/openclaw/openclaw](https://openclaw.ai) ([source](https://github.com/openclaw/openclaw)) | patch | `2026.5.26` → `2026.5.27` |

---

### Release Notes

<details>
<summary>openclaw/openclaw (ghcr.io/openclaw/openclaw)</summary>

### [`v2026.5.27`](https://github.com/openclaw/openclaw/blob/HEAD/CHANGELOG.md#2026527)

[Compare Source](openclaw/openclaw@v2026.5.26...v2026.5.27)

##### Highlights

- Safer local/runtime boundaries: OpenClaw now rejects unsafe command wrappers, malformed CLI numeric options, unsafe Node runtime env overrides, no-auth Tailscale exposure, and non-admin device-role pairing approvals before they can affect live runs. ([#87308](openclaw/openclaw#87308), [#87305](openclaw/openclaw#87305), [#87292](openclaw/openclaw#87292), [#87146](openclaw/openclaw#87146))
- Matrix and auto-reply delivery are steadier: mention previews stay inert, final mention replies deliver normally, shared-DM notices are awaited, MXID parsing ignores filenames, and reasoning-prefixed `NO_REPLY` responses stay suppressed.
- Provider and agent reliability improved across OpenAI-compatible embeddings, cached token usage, Anthropic/Codex/Claude runtime state, unsupported tool-schema quarantine, heartbeat templates, and session fallback errors. ([#85269](openclaw/openclaw#85269), [#82062](openclaw/openclaw#82062), [#85416](openclaw/openclaw#85416), [#86855](openclaw/openclaw#86855))
- Plugin and package release paths got tighter: Pixverse ships as an external video plugin with region selection, package exclusions and shrinkwrap inventory match the published npm shape, and release/package smoke commands fail bounded instead of hanging.
- Gateway hot paths do less rediscovery by reusing current plugin metadata fingerprints, stable plugin index fingerprints, read-only session metadata, active working stores, status fast paths, and auth/env snapshots. ([#86439](openclaw/openclaw#86439))

##### Changes

- Memory: add a core OpenAI-compatible embedding provider for local and hosted OpenAI-style endpoints, with config, doctor, and docs support. ([#85269](openclaw/openclaw#85269)) Thanks [@dutifulbob](https://github.com/dutifulbob).
- Plugin SDK: mark memory-specific embedding provider registration as deprecated compatibility and surface non-bundled usage in plugin compatibility diagnostics. ([#85072](openclaw/openclaw#85072)) Thanks [@mbelinky](https://github.com/mbelinky).
- Pixverse: add video generation provider support, API region selection, and external plugin publishing.
- Plugins: expose approval action metadata for plugin-driven approval surfaces.

##### Fixes

- Security/CLI/runtime: harden hostname normalization for repeated trailing dots, block side-effecting command wrappers, reject unsafe Node runtime env overrides, reject loose numeric CLI and gateway options, require admin approval for node device-role pairing, and reject no-auth Tailscale exposure. ([#87305](openclaw/openclaw#87305), [#87292](openclaw/openclaw#87292), [#87308](openclaw/openclaw#87308), [#87146](openclaw/openclaw#87146)) Thanks [@pgondhi987](https://github.com/pgondhi987).
- Doctor: validate runtime tool schemas for every configured embedded agent while skipping ACP-only profiles, so bad non-default plugin or MCP tools are reported before assistant turns.
- Telegram: route `sendMessage` action replies through durable outbound delivery so completed agent responses remain retryable when the gateway send path times out. ([#87261](openclaw/openclaw#87261)) Thanks [@mbelinky](https://github.com/mbelinky).
- Matrix/auto-reply: keep draft previews mention-inert, preserve final mention delivery, send mention finals normally, await shared DM notices, ignore filename-embedded MXIDs, and suppress reasoning-prefixed `NO_REPLY` responses.
- Agents/providers: add OpenAI-compatible cache retention, forward cached token usage in chat completions, preserve runtime context before active user turns, strip stale Anthropic thinking, load Claude CLI OAuth for Pi auth profiles, avoid false Codex runtime live switches, and quarantine unsupported tool schemas. ([#82062](openclaw/openclaw#82062), [#87167](openclaw/openclaw#87167), [#86855](openclaw/openclaw#86855))
- Gateway/performance: cache plugin metadata fingerprints and stable plugin index fingerprints, borrow read-only session metadata safely, keep the active session working store hot, keep status on a bounded fast path, and preserve model auth profile suffixes. ([#86439](openclaw/openclaw#86439))
- Package/install/release: align npm package exclusions and inventory, omit unpacked test helpers, skip Homebrew until macOS packages need it, cap tsdown heap in containers, bound install/release smoke waits, and harden post-publish verification.
- Codex/Auth: bound ChatGPT OAuth token exchange and refresh requests, and honor cancellation across Codex and Anthropic OAuth login flows.
- QA/E2E/CI: bound Telegram, kitchen-sink, Open WebUI, ClawHub, MCP, Discord, realtime, labeler, and GitHub API waits; fail empty explicit test, live-media, gateway CPU, startup benchmark, plugin gauntlet, and beta-smoke runs instead of false-greening.
- Agents/Codex: keep spawned agent bootstrap files rooted in the agent workspace while running task commands, transcripts, and compaction from the requested cwd. ([#87218](openclaw/openclaw#87218)) Thanks [@mbelinky](https://github.com/mbelinky).

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about these updates again.

---

 - [ ] If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).

Reviewed-on: https://git.erwanleboucher.dev/eleboucher/homelab/pulls/698
SYU8384 pushed a commit to SYU8384/openclaw that referenced this pull request Jun 3, 2026
…alse-failure (openclaw#55424) (openclaw#86855)

* fix(agents): suppress Write/Edit failed warning on response-timeout false-failure (openclaw#55424)

Reporter sees '⚠️ Write failed' / '⚠️ Edit failed' warnings on Feishu (and other channels) even though the file was 100% saved successfully (8 of 8 verified writes succeeded; warning shown for all 8). Source path: tool-mutation records lastToolError.timedOut=true with a fileTarget when a write/edit tool ack reply times out after the disk mutation has already completed, then resolveToolErrorWarningPolicy goes through the default mutating-tool branch and emits the misleading failure summary.

Add a narrow gate inside resolveToolErrorWarningPolicy that suppresses the warning only when both lastToolError.timedOut is true AND lastToolError.fileTarget is defined. fileTarget is set by tool-mutation.ts only for the write/edit family (FILE_MUTATING_TOOL_NAMES), so this branch never matches exec/message/cron/gateway mutating-tool timeouts where the disk-write idempotency reasoning does not apply. Real file failures (no timeout) and timeouts without recorded fileTarget keep their visible warnings.

* fix: recover completed write timeouts safely

* fix: bound write timeout recovery precheck

* fix: type write recovery precheck fallback

* test: complete write recovery result mock

* test: isolate e2e timeout fixture shims

* test: stabilize e2e timeout fixture path

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
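
The gate this commit message describes, set beside the readback check that the PR summary says replaced it, as an added example that is not OpenClaw's code. `timedOut` and `fileTarget` are the field names from the message; the function names, paths, in-memory disk and exact-match comparison are assumptions made for illustration.

```typescript
// Hypothetical shape; only the field names timedOut and fileTarget come from the page.
interface ToolError { timedOut: boolean; fileTarget?: string | undefined }
// Returns the file's current content, or undefined when it is missing or unreadable.
type ReadBack = (path: string) => string | undefined;
type Verdict = "suppress-warning" | "show-warning";

// Gate from the first commit: trusts metadata derived from the tool call's arguments.
// fileTarget only proves which path was attempted, not that the write landed.
function metadataGate(err: ToolError): Verdict {
  return err.timedOut && err.fileTarget !== undefined ? "suppress-warning" : "show-warning";
}

// Readback gate: a timeout counts as success only when the target file
// now holds the requested content (assumed here to mean an exact match).
function readbackGate(err: ToolError, requested: string, readBack: ReadBack): Verdict {
  if (!err.timedOut || err.fileTarget === undefined) return "show-warning";
  return readBack(err.fileTarget) === requested ? "suppress-warning" : "show-warning";
}

// Constructed in-memory "disk" standing in for the host or sandbox filesystem.
const disk: Record<string, string> = {
  "/work/done.md": "new body\n",  // write completed, only the ack timed out
  "/work/stale.md": "old body\n", // timeout hit before the write landed
};
const readDisk: ReadBack = (p) =>
  Object.prototype.hasOwnProperty.call(disk, p) ? disk[p] : undefined;

// Runs both gates on one constructed failure so their verdicts can be compared.
function judge(path: string | undefined, timedOut: boolean, requested: string) {
  const err: ToolError = { timedOut, fileTarget: path };
  return { metadata: metadataGate(err), readback: readbackGate(err, requested, readDisk) };
}

const completedWrite = judge("/work/done.md", true, "new body\n");
const lostWrite = judge("/work/stale.md", true, "new body\n");
const missingFile = judge("/work/never-created.md", true, "new body\n");
const realFailure = judge("/work/done.md", false, "new body\n");
```

The `lostWrite` and `missingFile` cases are where the two gates disagree: the metadata gate hides a write that never reached disk, while the readback gate keeps the warning visible.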
sablehead pushed a commit to sablehead/openclaw that referenced this pull request Jun 10, 2026
…alse-failure (openclaw#55424) (openclaw#86855)


Labels

- agents: Agent runtime and tooling
- merge-risk: 🚨 security-boundary 🚨: May affect sandboxing, authorization, credentials, or sensitive data.
- P1: High-priority user-facing bug, regression, or broken workflow.
- proof: override: Maintainer override for the external PR real behavior proof gate.
- rating: 🧂 unranked krab: Not merge-ready due to missing proof or serious correctness/safety concerns.
- size: L


Development

Successfully merging this pull request may close these issues.

[Bug]: Write failed error shown but file actually saved successfully (100% success rate)

2 participants