#5952: feat(tools): add fs.restrictToWorkspace config option

by reubence open 2026-02-01 04:26
docs gateway agents
## Summary

Adds a new configuration option `tools.fs.restrictToWorkspace` that restricts `read`, `write`, and `edit` tools to the agent's workspace directory **without requiring Docker sandbox**.

## Motivation

Currently, the only way to restrict filesystem access to specific directories is through Docker sandboxing. However, many users:

1. Don't have Docker installed or don't want to run Docker
2. Trust the agent but want guardrails against accidental access to sensitive files
3. Want a lightweight security layer without container overhead

The path validation logic already exists in `sandbox-paths.ts` — this PR exposes it via config.

## Changes

- **`src/config/types.tools.ts`**: Added `FsToolsConfig` type with `restrictToWorkspace` option
- **`src/config/zod-schema.agent-runtime.ts`**: Added `ToolsFsSchema` for validation
- **`src/agents/pi-tools.ts`**: Modified tool creation to use sandboxed tools when `restrictToWorkspace` is enabled
- **`docs/gateway/configuration.md`**: Added documentation

## Usage

```json5
{
  tools: {
    fs: {
      restrictToWorkspace: true
    }
  }
}
```

When enabled:

- `read`, `write`, and `edit` tools are restricted to the workspace
- Path traversal (`../`) is blocked
- Symlinks pointing outside workspace are blocked

## Notes

- This only restricts filesystem tools — `exec` can still access the full filesystem unless Docker sandbox is also enabled
- The implementation reuses the existing `wrapSandboxPathGuard` / `assertSandboxPath` logic

Closes #5948

## Greptile Overview

### Greptile Summary

This PR introduces a new config surface `tools.fs.restrictToWorkspace` (types + runtime zod validation) and wires it into tool construction so `read`/`write`/`edit` can be restricted to a workspace-root path guard even without Docker sandboxing. It also documents the new option in the gateway configuration docs.

Main thing to double-check is how this interacts with sandbox mode and with per-agent config: in `createOpenClawCodingTools` the new flag won’t have any effect for write/edit when `sandboxRoot` is present (those tools are still removed), and `AgentToolsSchema` currently doesn’t accept `tools.fs` so the setting is global-only even though it’s described generically in docs.

### Confidence Score: 3/5

- This PR looks mostly safe, but has a couple of configuration/behavior mismatches worth fixing before merge.
- Core change is localized and reuses existing path-guard tooling, but there are edge-case behavior differences: the new option currently can’t be set per-agent due to zod `.strict()` in `AgentToolsSchema`, and enabling it alongside sandbox mode doesn’t yield the expected restricted write/edit behavior. These are likely to surprise users and should be clarified or adjusted.
- src/agents/pi-tools.ts and src/config/zod-schema.agent-runtime.ts
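The two guarantees listed under "When enabled" (`../` traversal blocked, symlinks leaving the workspace blocked) can be illustrated with the following added example, which is not code from this PR or from the project's `sandbox-paths.ts`. The names `isInside`, `realpathDeepest`, `resolveInWorkspace` and `demo` are hypothetical, and the directory tree is constructed in a temp directory.

```typescript
import * as fs from "node:fs";
import * as os from "node:os";
import * as path from "node:path";

// Hypothetical helpers for illustration; not the project's assertSandboxPath.
function isInside(root: string, target: string): boolean {
  const rel = path.relative(root, target);
  // A string-prefix test would wrongly accept /base/workspace-old for root /base/workspace.
  return rel !== ".." && !rel.startsWith(".." + path.sep) && !path.isAbsolute(rel);
}

// Resolve symlinks on the deepest existing ancestor, so a write target that
// does not exist yet is still checked against its real parent directory.
function realpathDeepest(p: string): string {
  try {
    return fs.realpathSync(p);
  } catch (err) {
    if ((err as NodeJS.ErrnoException).code !== "ENOENT") throw err;
    // A dangling symlink would be followed on write, so reject it outright.
    if (fs.lstatSync(p, { throwIfNoEntry: false })?.isSymbolicLink()) throw new Error(`dangling symlink: ${p}`);
    const parent = path.dirname(p);
    if (parent === p) throw err;
    return path.join(realpathDeepest(parent), path.basename(p));
  }
}

function resolveInWorkspace(workspace: string, requested: string): string {
  const root = fs.realpathSync(workspace);
  const lexical = path.resolve(root, requested); // collapses "../" and absolute inputs
  if (!isInside(root, lexical)) throw new Error(`path escapes workspace: ${requested}`);
  const real = realpathDeepest(lexical);
  if (!isInside(root, real)) throw new Error(`symlink escapes workspace: ${requested}`);
  return real;
}

// Constructed sample tree; returns whether each request would be allowed.
function demo() {
  const base = fs.realpathSync(fs.mkdtempSync(path.join(os.tmpdir(), "ws-guard-")));
  const ws = path.join(base, "workspace");
  const outside = path.join(base, "workspace-old");
  fs.mkdirSync(path.join(ws, "src"), { recursive: true });
  fs.mkdirSync(outside);
  fs.writeFileSync(path.join(ws, "src", "a.ts"), "");
  fs.symlinkSync(outside, path.join(ws, "link"));
  fs.symlinkSync(path.join(outside, "missing"), path.join(ws, "dangling"));
  const ok = (p: string) => { try { resolveInWorkspace(ws, p); return true; } catch { return false; } };
  const result = {
    existing: ok("src/a.ts"), newFile: ok("src/new.ts"),
    dotdot: ok("src/../../workspace-old/x"), absolute: ok(path.join(outside, "x")),
    symlinkDir: ok("link/new.txt"), danglingLink: ok("dangling"),
  };
  fs.rmSync(base, { recursive: true, force: true });
  return result;
}
console.log(demo());
```

The check and the later file open are separate steps, so a guard of this shape does not cover a symlink swapped in between them.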