Safety guard blocks agent self-observability under restrict_to_workspace (needs scoped read-only ~/.picoclaw access) #71

Description

@drpedapati

Problem

When agents.defaults.restrict_to_workspace is enabled (default), the exec and file tools block reads to ~/.picoclaw/* because those paths are outside the routed workspace roots.

This prevents the agent from reading its own runtime/config context (for example, model/provider config and gateway logs), which causes low-quality answers and repetitive failures in chat.

Repro

  1. Configure with workspace restriction enabled (default):
    • agents.defaults.restrict_to_workspace: true
  2. In chat ask for model/config introspection, e.g.:
    • "what model are you"
  3. Model attempts an exec tool call like:
    • cat ~/.picoclaw/config.json
  4. Tool returns:
    • Command blocked by safety guard (path outside working dir)

Observed in session logs with fallback responses like:

  • I've completed processing but have no response to give.

Why this matters

  • The guard is working as designed for workspace isolation.
  • But we currently block essential self-observability files, so the assistant cannot answer basic operational questions.
  • This hurts UX and troubleshooting, especially for non-technical users.

Proposed fix (scoped and safe)

Add a read-only safe allowlist for selected ~/.picoclaw paths while keeping secret material blocked.

Allow read:

  • ~/.picoclaw/config.json
  • ~/.picoclaw/gateway.log
  • ~/.picoclaw/gateway.err.log
  • ~/.picoclaw/templates/** (optional)

Keep blocked:

  • ~/.picoclaw/auth.json
  • any token-bearing channel secret files
  • all writes outside workspace roots

Acceptance criteria

  • With restrict_to_workspace=true, chat/tool calls can read the safe ~/.picoclaw files listed above.
  • Reads to ~/.picoclaw/auth.json remain denied.
  • Writes outside workspace remain denied.
  • Existing workspace routing and shared-workspace read-only semantics unchanged.
  • Add tests for both allow and deny cases.

Implementation notes

Likely touch points:

  • pkg/tools/shell.go (guardCommand, outside-root allowlist)
  • pkg/tools/filesystem.go (validatePathWithPolicy root policy)
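The decision logic the proposal describes, written out as an added example. This is not picoclaw's code and does not reproduce guardCommand or validatePathWithPolicy; it is a hypothetical stand-alone policy with the same three tiers (workspace roots for read and write, a read-only allowlist for the self-observability files, and an explicit deny list for secret material that wins over everything else). The home directory and workspace root are constructed values passed in as parameters so the example runs offline.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// Access is the kind of operation a tool wants to perform on a path.
type Access int

const (
	Read Access = iota
	Write
)

func (a Access) String() string {
	if a == Write {
		return "write"
	}
	return "read"
}

// Policy is a hypothetical path policy (not picoclaw's own) modelling the
// proposal in this issue.
type Policy struct {
	WorkspaceRoots []string // absolute, cleaned; reads and writes allowed inside
	ReadOnlyAllow  []string // absolute, cleaned; a "/**" suffix allows the subtree, read-only
	Deny           []string // absolute, cleaned; secret material, checked before everything else
}

// NewPolicy builds the allow/deny sets for a given home directory. home is a
// parameter rather than os.UserHomeDir so the example is deterministic.
func NewPolicy(home string, workspaceRoots []string) Policy {
	pc := filepath.Join(home, ".picoclaw")
	roots := make([]string, 0, len(workspaceRoots))
	for _, r := range workspaceRoots {
		roots = append(roots, filepath.Clean(r))
	}
	return Policy{
		WorkspaceRoots: roots,
		ReadOnlyAllow: []string{
			filepath.Join(pc, "config.json"),
			filepath.Join(pc, "gateway.log"),
			filepath.Join(pc, "gateway.err.log"),
			filepath.Join(pc, "templates") + "/**", // the optional subtree from the issue
		},
		Deny: []string{
			filepath.Join(pc, "auth.json"),
		},
	}
}

// under reports whether p equals root or is lexically inside it. filepath.Rel
// (rather than strings.HasPrefix) keeps "/ws2" from matching root "/ws"; the
// Clean in Check keeps "/ws/../x" from matching either.
func under(p, root string) bool {
	rel, err := filepath.Rel(root, p)
	if err != nil {
		return false
	}
	return rel == "." || (rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator)))
}

// matchAllow handles exact entries and "/**" subtree entries.
func matchAllow(p, entry string) bool {
	if strings.HasSuffix(entry, "/**") {
		return under(p, strings.TrimSuffix(entry, "/**"))
	}
	return p == entry
}

// Check decides whether rawPath may be accessed and returns a short reason
// for the tool's error message. Callers working on real files should resolve
// symlinks (filepath.EvalSymlinks) before calling: this check is lexical, so
// a link inside an allowed subtree could otherwise point at a denied file.
func (pol Policy) Check(rawPath string, access Access) (bool, string) {
	p := filepath.Clean(rawPath)
	if !filepath.IsAbs(p) {
		return false, "path must be absolute (expand ~ and resolve against the workspace first)"
	}
	for _, d := range pol.Deny { // deny list first, regardless of mode or roots
		if under(p, d) {
			return false, "path is secret material (denied)"
		}
	}
	for _, root := range pol.WorkspaceRoots { // workspace roots: read and write
		if under(p, root) {
			return true, "inside workspace root"
		}
	}
	if access == Read { // outside the roots only the read-only allowlist applies
		for _, entry := range pol.ReadOnlyAllow {
			if matchAllow(p, entry) {
				return true, "read-only self-observability allowlist"
			}
		}
	}
	return false, fmt.Sprintf("%s blocked by safety guard (path outside working dir)", access)
}

func main() {
	pol := NewPolicy("/home/alice", []string{"/home/alice/work"}) // constructed paths
	for _, c := range []struct {
		path string
		mode Access
	}{
		{"/home/alice/work/notes.md", Write},
		{"/home/alice/.picoclaw/config.json", Read},
		{"/home/alice/.picoclaw/config.json", Write},
		{"/home/alice/.picoclaw/auth.json", Read},
		{"/home/alice/.picoclaw/templates/../auth.json", Read},
	} {
		ok, why := pol.Check(c.path, c.mode)
		fmt.Printf("%-5v %-48s %v (%s)\n", c.mode, c.path, ok, why)
	}
}
```

Two points to carry into a real implementation: the deny list is evaluated before the workspace roots, so a workspace root configured under ~/.picoclaw cannot accidentally expose auth.json; and the check is purely lexical, so the file tool should resolve symlinks first, and the shell guard still has to extract paths from the command line before it can apply a policy like this.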
