Skip to content

cllama: session-history and context-ledger files should not be root-only on host mounts #233

Description

@mostlydev

Summary

A live Tiverton debugging session found .claw-session-history artifacts created with root-only ownership/permissions, preventing the normal host operator user from running claw audit and claw history export.

This blocks exactly the commands operators need when debugging provider-visible context, feed fetches, and channel-context cursors.

Live evidence

Host/repo: tiverton:tiverton-house
Date: May 11, 2026
Runtime: claw-api/claw-wall/clawdash v0.14.8, cllama v0.6.4
Operator user: clawdbot

Commands that failed as the normal host user:

$ claw audit --since 4h --claw boulton --type feed_fetch --json
Error: open session history "/home/clawdbot/tiverton-house/.claw-session-history/context-ledger/history.jsonl": permission denied
$ claw history export boulton --after 2026-05-11T11:00:00Z --limit 20
Error: open /home/clawdbot/tiverton-house/.claw-session-history/boulton/history.index.json: permission denied

Filesystem state:

drwxrwxr-x 11 clawdbot clawdbot ... .claw-session-history
drwx------ 10 root     root     ... .claw-session-history/context-ledger

A Docker-root workaround could still read data like .claw-session-history/context-ledger/boulton/cursor.json, so the files existed; they were just inaccessible to the operator user and normal claw diagnostics.

Why this matters

The incident being debugged was a channel-context/cursor visibility mismatch. The correct investigation path was to inspect:

  • feed_fetch audit events;
  • context-ledger cursor values;
  • exported session history;
  • provider-visible context snapshots/logs.

Those are operator/debugging surfaces, so they need to be readable by the same user expected to operate claw in the repo checkout. Requiring interactive sudo or ad hoc Docker-root commands is too fragile for live pod operations.

Suspected cause

The cllama/container process writes some host-mounted .claw-session-history files as root, or creates parent directories with root-only permissions. Downstream pods can patch around that with post-start normalization, but the default should preserve host-level operability.

This may affect at least:

  • .claw-session-history/context-ledger/
  • .claw-session-history/context-ledger/history.jsonl
  • .claw-session-history/<agent>/history.index.json
  • related per-agent history files used by claw history export

Proposed fix

Ensure session-history and context-ledger artifacts are created with host-operable ownership/permissions.

Possible implementation directions:

  • Run the writer with the intended runtime UID/GID when writing bind-mounted session history.
  • Chown/chmod created session-history paths after writes using the configured host/runtime user mapping.
  • Make claw up or the relevant runtime materialization step create .claw-session-history subdirectories with safe group-readable/traversable permissions before containers start.
  • Add a repair path in claw diagnostics if legacy root-owned files are detected.

The exact mechanism can vary by driver/runtime, but the contract should be: a non-root host operator who can run claw compose in the project can also run claw audit and claw history export without permission errors.

Acceptance criteria

  • In a pod using cllama session history/context-ledger on a bind mount, the host operator user can run:
    • claw audit --since 4h --claw <agent> --type feed_fetch --json
    • claw history export <agent> --after <timestamp>
  • .claw-session-history/context-ledger is traversable/readable enough for those commands without world-opening unrelated secrets.
  • New files are not created as root-only on subsequent turns.
  • Existing root-owned legacy trees can be repaired through a documented or automated path.
  • Add a regression test or integration smoke that checks file ownership/permissions from the host side after an agent turn writes history/cursor state.

Related downstream hardening

Tiverton is adding local script hardening so live deploy/restart paths normalize .claw-session-history permissions, but that is a workaround. The upstream runtime should avoid creating host-mounted debug artifacts that the host operator cannot read.

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugSomething isn't workingcllama

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions