Summary
A live Tiverton debugging session found .claw-session-history artifacts created with root-only ownership/permissions, preventing the normal host operator user from running claw audit and claw history export.
This blocks exactly the commands operators need when debugging provider-visible context, feed fetches, and channel-context cursors.
Live evidence
Host/repo: tiverton:tiverton-house
Date: May 11, 2026
Runtime: claw-api/claw-wall/clawdash v0.14.8, cllama v0.6.4
Operator user: clawdbot
Commands that failed as the normal host user:
$ claw audit --since 4h --claw boulton --type feed_fetch --json
Error: open session history "/home/clawdbot/tiverton-house/.claw-session-history/context-ledger/history.jsonl": permission denied
$ claw history export boulton --after 2026-05-11T11:00:00Z --limit 20
Error: open /home/clawdbot/tiverton-house/.claw-session-history/boulton/history.index.json: permission denied
Filesystem state:
drwxrwxr-x 11 clawdbot clawdbot ... .claw-session-history
drwx------ 10 root root ... .claw-session-history/context-ledger
A Docker-root workaround could still read data like .claw-session-history/context-ledger/boulton/cursor.json, so the files existed; they were just inaccessible to the operator user and normal claw diagnostics.
Why this matters
The incident being debugged was a channel-context/cursor visibility mismatch. The correct investigation path was to inspect:
feed_fetch audit events;
- context-ledger cursor values;
- exported session history;
- provider-visible context snapshots/logs.
Those are operator/debugging surfaces, so they need to be readable by the same user expected to operate claw in the repo checkout. Requiring interactive sudo or ad hoc Docker-root commands is too fragile for live pod operations.
Suspected cause
The cllama/container process writes some host-mounted .claw-session-history files as root, or creates parent directories with root-only permissions. Downstream pods can patch around that with post-start normalization, but the default should preserve host-level operability.
This may affect at least:
.claw-session-history/context-ledger/
.claw-session-history/context-ledger/history.jsonl
.claw-session-history/<agent>/history.index.json
- related per-agent history files used by
claw history export
Proposed fix
Ensure session-history and context-ledger artifacts are created with host-operable ownership/permissions.
Possible implementation directions:
- Run the writer with the intended runtime UID/GID when writing bind-mounted session history.
- Chown/chmod created session-history paths after writes using the configured host/runtime user mapping.
- Make
claw up or the relevant runtime materialization step create .claw-session-history subdirectories with safe group-readable/traversable permissions before containers start.
- Add a repair path in
claw diagnostics if legacy root-owned files are detected.
The exact mechanism can vary by driver/runtime, but the contract should be: a non-root host operator who can run claw compose in the project can also run claw audit and claw history export without permission errors.
Acceptance criteria
- In a pod using cllama session history/context-ledger on a bind mount, the host operator user can run:
claw audit --since 4h --claw <agent> --type feed_fetch --json
claw history export <agent> --after <timestamp>
.claw-session-history/context-ledger is traversable/readable enough for those commands without world-opening unrelated secrets.
- New files are not created as root-only on subsequent turns.
- Existing root-owned legacy trees can be repaired through a documented or automated path.
- Add a regression test or integration smoke that checks file ownership/permissions from the host side after an agent turn writes history/cursor state.
Related downstream hardening
Tiverton is adding local script hardening so live deploy/restart paths normalize .claw-session-history permissions, but that is a workaround. The upstream runtime should avoid creating host-mounted debug artifacts that the host operator cannot read.
Summary
A live Tiverton debugging session found
.claw-session-historyartifacts created with root-only ownership/permissions, preventing the normal host operator user from runningclaw auditandclaw history export.This blocks exactly the commands operators need when debugging provider-visible context, feed fetches, and channel-context cursors.
Live evidence
Host/repo:
tiverton:tiverton-houseDate: May 11, 2026
Runtime:
claw-api/claw-wall/clawdash v0.14.8,cllama v0.6.4Operator user:
clawdbotCommands that failed as the normal host user:
Filesystem state:
A Docker-root workaround could still read data like
.claw-session-history/context-ledger/boulton/cursor.json, so the files existed; they were just inaccessible to the operator user and normalclawdiagnostics.Why this matters
The incident being debugged was a channel-context/cursor visibility mismatch. The correct investigation path was to inspect:
feed_fetchaudit events;Those are operator/debugging surfaces, so they need to be readable by the same user expected to operate
clawin the repo checkout. Requiring interactive sudo or ad hoc Docker-root commands is too fragile for live pod operations.Suspected cause
The cllama/container process writes some host-mounted
.claw-session-historyfiles as root, or creates parent directories with root-only permissions. Downstream pods can patch around that with post-start normalization, but the default should preserve host-level operability.This may affect at least:
.claw-session-history/context-ledger/.claw-session-history/context-ledger/history.jsonl.claw-session-history/<agent>/history.index.jsonclaw history exportProposed fix
Ensure session-history and context-ledger artifacts are created with host-operable ownership/permissions.
Possible implementation directions:
claw upor the relevant runtime materialization step create.claw-session-historysubdirectories with safe group-readable/traversable permissions before containers start.clawdiagnostics if legacy root-owned files are detected.The exact mechanism can vary by driver/runtime, but the contract should be: a non-root host operator who can run
claw composein the project can also runclaw auditandclaw history exportwithout permission errors.Acceptance criteria
claw audit --since 4h --claw <agent> --type feed_fetch --jsonclaw history export <agent> --after <timestamp>.claw-session-history/context-ledgeris traversable/readable enough for those commands without world-opening unrelated secrets.Related downstream hardening
Tiverton is adding local script hardening so live deploy/restart paths normalize
.claw-session-historypermissions, but that is a workaround. The upstream runtime should avoid creating host-mounted debug artifacts that the host operator cannot read.