# Here's what I'm dealing with! Subagent anarchy...

ember furnace

ARIE my agent and I are struggling with path file issues in Sandbox mode. Can I turn sandbox off? Will that help? I'm using this for R&D on Local - Local - Grok-4-1-fast model management. Running Mac Studio M3 256g

APP BUILD PATH HELL – VERBOSE THOUGHTS + SOLUTIONS! 🏗️🚨🦞

Diagnosis (why impossible subagents):

  • Subagent sandbox cwd /workspace root
  • Tools read/write host bridge → root files despite cd task
  • Exec shell cd not inherited tool calls
  • Spawn "STRICT PATH" text ignored (no code enforce)
  • Heartbeat purge kills good work

4 Empire Solutions (ranked CEO dev lead):

  1. Manual Agent Exec Phases (10/10 Reliable No Sub)
  • ARIE exec mkdir cd npm cargo tauri step-by-step CEO approve "phase pass"
  • Pros: Full control elevated, no breach, verbose proof paste
  • Cons: No parallel, CEO ping phases
  • Impl: Current – phase 1 manual scaffold done
  2. Sandbox Code Gen + Main Apply Diffs (9/10 Secure)
  • Spawn sandbox model="Coder" task="gen code diffs phase X" → sessions_history diffs
  • ARIE edit/write diffs host
  • Pros: Sandbox no host write, ARIE verify apply
  • Cons: 2step diffs manual approve
  • Impl: Spawn sandbox model=Coder cleanup=delete history diffs edit
  3. External Repo ~/dev/ARIEvista (8/10 Git Clean)
  • mkdir ~/dev/ARIEvista git clone or scaffold
  • Spawn task="code ~/dev/ARIEvista" (host path? elevated)
  • Pros: Separate git no workspace mix
  • Cons: Elevated host path, workspace rule
  • Impl: cd ~/dev mkdir git clone scaffold
  4. Container Per App Docker (7/10 Isolated)
  • docker run tauri dev container workspace/projects/app
  • Spawn docker sandbox
  • Pros: Total isolation
  • Cons: Docker deps heavy M3 arm
  • Impl: Dockerfile tauri build

MY REC #1 Manual Agent: Proven, no breach, CEO gate phases, fast.

#2 Sandbox Gen: Sub safe, ARIE apply.

Restart ARIEvista phase 1 manual? Or #2 spawn sandbox gen.

viral urchinBOT

To help others find answers, you can mark your question as solved via Right click solution message -> Apps -> ✅ Mark Solution

soft summitBOT

Yes — you can turn sandboxing off, and for “I’m trying to actually build a real app (tauri/cargo/npm) on my own Mac” it often does make life easier. But it won’t magically fix the “cd not inherited” part (that’s just how tool calls work).

Why you’re seeing “/workspace root” + path chaos

A few things stack up:

  • agents.defaults.sandbox.mode: "non-main" will sandbox anything that isn’t the main session key. Group/channel/thread sessions (and often subagents) count as non‑main, so you get dropped into a container with its own /workspace.
  • Tool calls are stateless: an exec that does cd foo does not change where later read/write/edit happen. File tools resolve paths against the workspace root (or the sandbox workspace), not your last shell cd.

Option A (simplest): disable sandboxing

Config key is exactly this (global default):

  • agents.defaults.sandbox.mode = "off"

CLI:

openclaw config set agents.defaults.sandbox.mode "off"
openclaw gateway restart

If you only want to disable it for one agent (recommended if you have other agents you want sandboxed), set:

  • agents.list[IDX].sandbox.mode = "off"

Get the list first:

openclaw config get agents.list

Then:

openclaw config set agents.list[IDX].sandbox.mode "off"
openclaw gateway restart

Docs: https://docs.openclaw.ai/gateway/sandboxing

One extra “gotcha”: exec host

exec has its own “where to run” knob. If you’ve been running with host=sandbox, and you turn sandboxing off, you generally want exec on the host:

openclaw config set tools.exec.host "gateway"
openclaw gateway restart

Docs: https://docs.openclaw.ai/tools/exec

Option B (keep sandbox, but make paths sane)

If you want sandbox safety and want it working on real files:

  1. Mount your agent workspace into the sandbox:
  • agents.defaults.sandbox.workspaceAccess = "rw" (mounts at /workspace)
  2. If subagents keep “starting fresh” in separate sandboxes, consider:
  • agents.defaults.sandbox.scope = "agent" (shared container per agent, not per session)
  3. If your repo is outside the workspace, bind-mount it:
  • agents.defaults.sandbox.docker.binds = ["/path/on/host:/repo:rw"]

Docs: https://docs.openclaw.ai/gateway/sandboxing

Regardless of sandbox: fix the “cd isn’t inherited” expectation

Treat every tool call as independent:

  • For exec, use workdir or do cd … && … in the same command.
  • For read/write/edit, always pass paths relative to the workspace (or absolute paths if you’re intentionally doing that).

Quick debug I’d like to see (will explain exactly why you’re sandboxed)

Paste these outputs:

openclaw --version
openclaw sandbox explain --json

Docs: https://docs.openclaw.ai/cli/sandbox and https://docs.openclaw.ai/gateway/sandbox-vs-tool-policy-vs-elevated

ember furnace

Here you go!

reasintopenclaw@Reasints-Mac-Studio .openclaw % openclaw sandbox explain --json
{
  "docsUrl": "https://docs.openclaw.ai/sandbox",
  "agentId": "main",
  "sessionKey": "agent:main:main",
  "mainSessionKey": "agent:main:main",
  "sandbox": {
    "mode": "all",
    "scope": "agent",
    "perSession": false,
    "workspaceAccess": "rw",
    "workspaceRoot": "/Users/reasintopenclaw/.openclaw/sandboxes",
    "sessionIsSandboxed": true,
    "tools": {
      "allow": [
        "exec",
        "process",
        "read",
        "write",
        "edit",
        "apply_patch",
        "image",
        "sessions_list",
        "sessions_history",
        "sessions_send",
        "sessions_spawn",
        "subagents",
        "session_status"
      ],
      "deny": [
        "browser",
        "canvas",
        "nodes",
        "cron",
        "gateway",
        "telegram",
        "whatsapp",
        "discord",
        "irc",
        "googlechat",
        "slack",
        "signal",
        "imessage"
      ],
      "sources": {
        "allow": {
          "source": "default",
          "key": "tools.sandbox.tools.allow"
        },
        "deny": {
          "source": "default",
          "key": "tools.sandbox.tools.deny"
        }
      }
    }
  },
  "elevated": {
    "enabled": true,
    "allowedByConfig": false,
    "alwaysAllowedByConfig": false,
    "allowFrom": {},
    "failures": []
  },
  "fixIt": [
    "agents.defaults.sandbox.mode=off",
    "agents.list[].sandbox.mode=off",
    "tools.sandbox.tools.allow",
    "tools.sandbox.tools.deny",
    "agents.list[].tools.sandbox.tools.allow",
    "agents.list[].tools.sandbox.tools.deny",
    "tools.elevated.enabled"
  ]
}

soft summitBOT

That sandbox explain output is the smoking gun: you’ve configured agents.defaults.sandbox.mode: "all", so even your main session is always in Docker, hence /workspace and the “where the hell am I” path behavior.

1) Yes, you can turn sandbox off (and it will help)

If you set sandbox to off, all tools run on the host filesystem again (so /Users/... paths behave normally).

openclaw config set agents.defaults.sandbox.mode "off"
openclaw gateway restart

Docs: https://docs.openclaw.ai/gateway/sandboxing

Security note: this also removes the safety boundary, so do it only if you trust the agent + tool policy you’ve set.


2) Better for your “CEO on host + subagents in jail” workflow: use non-main

Your goal (#2 “sandbox gen + main apply diffs”) maps almost perfectly to:

  • main session: host
  • subagents / other sessions: sandbox

That’s exactly what non-main is for:

openclaw config set agents.defaults.sandbox.mode "non-main"
openclaw gateway restart

Then rerun:

openclaw sandbox explain --json

You want sessionIsSandboxed: false for agent:main:main, but subagents should still show sandboxed.

Docs: https://docs.openclaw.ai/gateway/sandbox-vs-tool-policy-vs-elevated


3) Important: turning off sandbox does NOT fix “cd not inherited”

You called this out correctly: tool calls are stateless.

So even on host mode, this pattern will still bite you:

  • exec: "cd app"
  • then write: "src/main.rs" (this will not write into app/src/main.rs)

Fix: always be explicit:

  • For exec, set workdir (best) or cd … && … in the same command.
  • For file tools, use paths rooted in the project directory (app/src/...) or absolute paths.

4) Why “elevated” isn’t saving you right now

Your output shows:

"elevated": { "enabled": true, "allowedByConfig": false }

So elevated is compiled in, but not allowlisted for your sender, meaning you don’t have the “escape hatch” from sandbox → host exec.

(You don’t need elevated if you switch to non-main and keep main on-host.)
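
Added example, not part of the thread and not openclaw code: a small Python check that reads an `openclaw sandbox explain --json` report and lists the conditions discussed above (main session sandboxed under mode "all", no boundary under "off", an unsandboxed non-main session, writable workspace mount, elevated not allowlisted). The helper name `review_explain` and the trimmed sample are assumptions; the field names are the ones in the output posted in the thread.

```python
import json

# Constructed sample: a trimmed copy of the report posted in this thread,
# keeping only the fields the checks below read.
SAMPLE = """
{
  "sessionKey": "agent:main:main",
  "mainSessionKey": "agent:main:main",
  "sandbox": {
    "mode": "all",
    "workspaceAccess": "rw",
    "sessionIsSandboxed": true,
    "tools": {"allow": ["exec", "read", "write", "edit"], "deny": ["browser"]}
  },
  "elevated": {"enabled": true, "allowedByConfig": false}
}
"""

def review_explain(report: dict) -> list[str]:
    """Return findings for one explain report (hypothetical helper, not an openclaw API)."""
    findings = []
    sb = report.get("sandbox", {})
    mode = sb.get("mode")
    is_main = report.get("sessionKey") == report.get("mainSessionKey")
    sandboxed = sb.get("sessionIsSandboxed", False)

    if mode == "off":
        findings.append("mode=off: every session runs tools on the host, no sandbox boundary")
    elif mode == "all" and is_main:
        findings.append("mode=all: main session is sandboxed, paths resolve inside the container")
    elif mode == "non-main" and is_main and sandboxed:
        findings.append("mode=non-main but main session reports sandboxed: recheck config")
    if not is_main and not sandboxed:
        findings.append("non-main session is not sandboxed: its tools run on the host")

    # Tools from the allow list that can change files in a mounted workspace.
    writers = {"exec", "write", "edit", "apply_patch"} & set(sb.get("tools", {}).get("allow", []))
    if sandboxed and sb.get("workspaceAccess") == "rw" and writers:
        findings.append("sandbox can modify the mounted workspace via: " + ", ".join(sorted(writers)))

    el = report.get("elevated", {})
    if el.get("enabled") and not el.get("allowedByConfig"):
        findings.append("elevated enabled but not allowlisted: no sandbox-to-host exec")
    return findings

if __name__ == "__main__":
    for line in review_explain(json.loads(SAMPLE)):
        print("-", line)
```

To check a live configuration, load the real report instead of `SAMPLE` (for example with `json.load(sys.stdin)` and the CLI output piped in), once for the main session and once for a subagent session.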