#11820: fix(sandbox): remap container paths in sandboxed file tools
agents
stale
Cluster:
Sandbox Path Management Fixes
## Problem
When a sandbox runs with `workspaceAccess: "none"`, the host sandbox directory (e.g. `/data/clawfront-data/{sandbox-id}/`) is bind-mounted into the Docker container at `/workspace`. Both paths point to the same physical files.
The agent executes commands inside Docker via `exec`, so it discovers files at container paths like `/workspace/projects/foo/package.json`. When it then tries to use the structured `read`/`write`/`edit` tools with those paths, the gateway-side `assertSandboxPath` rejects them — because `/workspace/...` on the host is not inside the sandbox root.
This forces the agent to fall back to `cat`/`echo >` via bash inside Docker, which works but bypasses the structured file tools entirely — losing MIME detection, image sanitization, path normalization, and the sandbox symlink guard.
## Fix
Add a `remapContainerPath` step in `wrapSandboxPathGuard` that translates container paths back to host paths before validation. For example, `/workspace/foo.txt` becomes `/data/clawfront-data/{sandbox-id}/foo.txt`. Paths that don't match the container workdir prefix pass through unchanged.
## Test plan
- [x] New tests: container-absolute read/write/edit paths resolve to sandbox dir
- [x] New test: paths outside the container workspace prefix are still rejected
- [x] Existing sandbox + workspace path tests pass
- [x] Full test suite passes (`pnpm build && pnpm check && pnpm test`)
🤖 AI-assisted (Claude Code) · fully tested · I understand what the code does
🤖 Generated with [Claude Code](https://claude.com/claude-code)
<!-- greptile_comment -->
<h2>Greptile Overview</h2>
<h3>Greptile Summary</h3>
This change threads `sandbox.containerWorkdir` into the sandboxed `read`/`write`/`edit` tool wrappers and adds a `remapContainerPath` step inside `wrapSandboxPathGuard` so container-absolute paths (e.g. `/workspace/foo.txt`) are rewritten to the host sandbox root before running `assertSandboxPath`. The accompanying tests extend `pi-tools.workspace-paths.test.ts` to cover container-absolute read/write/edit paths and confirm that non-workdir-prefixed container paths remain blocked.
<h3>Confidence Score: 4/5</h3>
- This PR is generally safe to merge once a path-traversal edge case in container path remapping is addressed.
- The change is localized and backed by new tests, but `remapContainerPath` can join `..` segments from a container path into a host path, which will cause unexpected rejections (and could become risky if surrounding validation changes).
- src/agents/pi-tools.read.ts
<!-- greptile_other_comments_section -->
<!-- /greptile_comment -->
Most Similar PRs
#16509: Fix sandbox path validation rejecting Docker bind mount paths
by Clawborn · 2026-02-14
86.3%
#4226: Fix/sandbox containerworkdir rw access
by ozgur-polat · 2026-01-29
85.0%
#3907: fix(sandbox): use absolute /bin/sh path + add allowedReadPaths config
by pvoo · 2026-01-29
84.4%
#17402: fix:sandbox path issue
by luckylhb90 · 2026-02-15
84.1%
#16922: fix: remove incorrect sandbox file tool guidance
by carrotRakko · 2026-02-15
82.6%
#19344: fix(sandbox): allow writes when workspaceAccess is 'none'
by mingming099 · 2026-02-17
81.4%
#12174: fix(agents): add path containment check in apply_patch for non-sand...
by coygeek · 2026-02-08
80.8%
#14810: fix:sandbox file path Inconsistency
by luckylhb90 · 2026-02-12
80.5%
#3967: fix(sandbox): correct workspace prompt path
by sweepies · 2026-01-29
80.3%
#13873: fix(sandbox): prevent Windows PATH from poisoning docker exec
by alessandrorodi · 2026-02-11
80.2%