[Bug]: sandboxed agents fail file access and file sending for host absolute workspace paths

[carlos-ferreira]

Bug type

Behavior bug (incorrect output/state without crash)

Beta release blocker

No

Summary

With agents.defaults.sandbox.mode: "all" and agents.defaults.sandbox.workspaceAccess: "rw", observed sandboxed agent sessions failed file access against host absolute workspace paths such as /home/sysadmin/.openclaw/workspace-personal-carlos/... with Sandbox FS error (ENOENT), and file sending worked again after sandbox was disabled.

Steps to reproduce

1. Configure:

   {
     "agents": {
       "defaults": {
         "sandbox": {
           "mode": "all",
           "scope": "agent",
           "workspaceAccess": "rw"
         }
       }
     }
   }

2. Start a sandboxed agent session.
3. Have the agent read, write, or send a file using a host absolute workspace path such as /home/sysadmin/.openclaw/workspace-<agent>/....
4. Observe file-tool failures with Sandbox FS error (ENOENT).
5. Change:

   {
     "agents": {
       "defaults": {
         "sandbox": {
           "mode": "off"
         }
       }
     }
   }

6. Observe that file sending works again.

Expected behavior

With sandbox enabled and workspaceAccess: "rw", agent file access and file sending should work for files in the active agent workspace.

Grounded reference:

• The documented sandbox workspace for writable workspace access is /workspace.
• In the observed environment, disabling sandbox restored file sending.

Actual behavior

Observed sandboxed sessions used host absolute workspace paths and failed file access.

Observed evidence:

• File reads against /home/sysadmin/.openclaw/workspace-personal-carlos/... failed with Sandbox FS error (ENOENT).
• In an observed file-sending session, the agent attempted to send a file using:

  MEDIA:/home/sysadmin/.openclaw/workspace-personal-carlos/carlos_coverflex_last_month.csv
  

• In that same session, the guidance shown to the agent stated that absolute MEDIA:/... paths are blocked.
• After changing agents.defaults.sandbox.mode to "off", file sending worked again.

OpenClaw version

OpenClaw 2026.3.28 (f9b1079)

Operating system

Linux 6.12.74+deb13+1-amd64 x86_64 GNU/Linux

Install method

Global npm install under:
/home/sysadmin/.npm-global/lib/node_modules/openclaw

Model

openai/5.1-mini

Provider / routing chain

Local OpenClaw install -> configured model provider routing to OpenAI.

Additional provider/model setup details

The observed failures were in sandboxed agent file access and file sending, not in model inference output.

Logs, screenshots, and evidence

Observed failing read pattern:

Sandbox FS error (ENOENT): /home/sysadmin/.openclaw/workspace-personal-carlos/...

Observed failing send path:

MEDIA:/home/sysadmin/.openclaw/workspace-personal-carlos/carlos_coverflex_last_month.csv

Observed workaround:

{
  "agents": {
    "defaults": {
      "sandbox": {
        "mode": "off"
      }
    }
  }
}

Local environment evidence:

OpenClaw 2026.3.28 (f9b1079)
Linux 6.12.74+deb13+1-amd64 x86_64 GNU/Linux
Global npm root: /home/sysadmin/.npm-global/lib/node_modules

Impact and severity

• File access failed in observed sandboxed agent sessions when host absolute workspace paths were used.
• File sending was broken in the observed environment until sandbox was disabled.

Additional information

Observed docs alignment:

• workspaceAccess: "rw" documents /workspace as the writable sandbox workspace.
• The failing sessions still used host absolute workspace paths.

[steipete]

Closing this as implemented after Codex review.

Current main already implements the sandbox workspace-path and outbound-media handling described here: workspaceAccess: "rw" uses the real agent workspace as the sandbox root, sandbox FS resolution accepts mounted host workspace paths and /workspace/... container paths, and sandbox media normalization maps workspace paths back into the host root with regression coverage and shipped changelog entries.

What I checked:

• workspaceAccess: "rw" uses the real agent workspace as the sandbox root: resolveSandboxContext sets workspaceDir to agentWorkspaceDir when sandbox workspace access is read/write, so sandbox file/media resolution runs against the host agent workspace root. (src/agents/sandbox/context.ts:42, 5dfc1b90e176)
• Sandbox FS resolver accepts mounted host workspace paths and /workspace/... paths: resolveSandboxFsPathWithMounts first maps absolute container paths through mount roots, then also accepts absolute host paths under mounted roots instead of rejecting them as outside the sandbox. (src/agents/sandbox/fs-paths.ts:111, 5dfc1b90e176)
• Sandbox media normalization maps workspace/container paths back into the host sandbox root: resolveSandboxedMediaSource rewrites /workspace/... and file:///workspace/... media paths to the host sandbox root and then allows absolute paths that stay inside that root. (src/agents/sandbox-paths.ts:103, 5dfc1b90e176)
• Regression coverage exists for sandbox workspace/media path mapping: Tests cover /workspace/... media mapping and sandbox FS mount resolution for mounted paths, matching the reported failure mode. (src/agents/sandbox-paths.test.ts:113, 5dfc1b90e176)
• Changelog records the shipped sandbox path/media fixes and prompt guidance: The changelog already documents mapping sandbox file-tool /workspace/... paths, mapping sandbox media workspace paths, clarifying prompt path guidance, and later aligning outbound media with fs policy. (CHANGELOG.md:4229, 5dfc1b90e176)

So I’m closing this as already implemented rather than keeping a duplicate issue open.

Review notes: reviewed against 5dfc1b90e176; fix evidence: commit 5dfc1b90e176.