fix(exec): exempt venv python interpreter from .goclaw/ path deny#1140
Open
codebit0 wants to merge 1 commit into
Conversation
The ExecTool path-deny rule blocks any token containing `.goclaw/` unless
it matches one of the AllowPathExemptions prefixes (skills-store, tenants).
This silently rejected legitimate commands invoking the goclaw-managed
Python interpreter via its absolute path:
/home/user/.goclaw/venv/bin/python3 .../script.py
The first token `/home/user/.goclaw/venv/bin/python3` matched the deny
pattern but no exemption, so the entire command was denied.
Naive exemption (".goclaw/venv/bin/") does not work: matchesAnyPathExemption
resolves both tokens and exemption candidates via EvalSymlinks, and the
venv's python3 is a symlink into the host's python cellar (e.g. linuxbrew).
The token canonicalizes to /home/linuxbrew/.../python3.14 while a literal
".goclaw/venv/bin/" prefix never gets touched.
Fix: resolve venv/bin/python3 once at startup and exempt the dirname of
the resolved target. Failure to resolve (no venv present) silently falls
through.
Without this, ACP-driven agents either fail outright or work only via
fragile heuristics (cwd-local symlinks generated on the fly by the LLM).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Summary
The ExecTool's `.goclaw/` path-deny silently rejected legitimate invocations of the goclaw-managed Python interpreter via its absolute path:
```
/home/user/.goclaw/venv/bin/python3 .../script.py
```
The first token matched the deny pattern but no exemption, so the whole command was denied without a clear error path — agents either failed outright or worked only via fragile cwd-local symlink heuristics generated by the LLM.
A naive exemption (e.g. `.goclaw/venv/bin/`) does not help: `matchesAnyPathExemption` resolves both tokens and exemption candidates via `filepath.EvalSymlinks`, and `venv/bin/python3` is a symlink into the host's python cellar. The canonicalized token (`/home/linuxbrew/.../python3.14`) never matches a literal venv-relative prefix.
Fix
Resolve `venv/bin/python3` once at startup and exempt the directory of its real target:
```go
if real, err := filepath.EvalSymlinks(filepath.Join(filepath.Dir(dataDir), "venv", "bin", "python3")); err == nil {
et.AllowPathExemptions(filepath.Dir(real) + "/")
}
```
Falls through silently if no venv is present.
Behaviour change
Operators who invoke the pinned venv interpreter via its absolute path (the recommended pattern for ETL/cron scripts, since shell-PATH fallback can silently pick the wrong python) no longer get denied.
Test plan
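The scenario from the description, as an added Go example that is not goclaw's own code: it reconstructs the deny rule from the text (assumed here to be a prefix match on symlink-resolved paths, which is an assumption), builds a constructed venv-symlink layout in a temp dir, and shows the literal venv/bin exemption still denying the interpreter token while the resolve-at-startup exemption from the fix allows it.

```go
package main

import (
	"errors"
	"os"
	"path/filepath"
	"strings"
)

// canon resolves symlinks when the path exists; otherwise the literal path is kept.
func canon(p string) string {
	if real, err := filepath.EvalSymlinks(p); err == nil {
		return real
	}
	return p
}

// tokenAllowed reconstructs the deny rule as the PR describes it (an assumption, not goclaw's code).
func tokenAllowed(tok string, exemptions []string) bool {
	if !strings.Contains(tok, ".goclaw/") {
		return true
	}
	for _, ex := range exemptions {
		if strings.HasPrefix(canon(tok), strings.TrimSuffix(canon(ex), "/")+"/") {
			return true
		}
	}
	return false
}

// demo builds a constructed layout in a temp dir (<root>/cellar/python3.14 stands in for the host
// interpreter; <root>/.goclaw/venv/bin/python3 is a symlink to it) and checks both exemption styles.
func demo() (naiveDenied, fixedAllowed bool, err error) {
	root, err := os.MkdirTemp("", "goclaw-demo")
	if err != nil {
		return false, false, err
	}
	defer os.RemoveAll(root)
	venvBin, target := filepath.Join(root, ".goclaw", "venv", "bin"), filepath.Join(root, "cellar", "python3.14")
	python := filepath.Join(venvBin, "python3") // first token of the agent's command line
	if err = errors.Join(os.MkdirAll(venvBin, 0o755), os.MkdirAll(filepath.Dir(target), 0o755),
		os.WriteFile(target, []byte("#!/bin/sh\n"), 0o755), os.Symlink(target, python)); err != nil {
		return false, false, err
	}
	naiveDenied = !tokenAllowed(python, []string{venvBin + "/"}) // literal venv/bin prefix never matches
	if real, e := filepath.EvalSymlinks(python); e == nil { // the fix: exempt the dirname of the real target
		fixedAllowed = tokenAllowed(python, []string{filepath.Dir(real) + "/"})
	}
	return naiveDenied, fixedAllowed, nil
}
```

Run it under `go test` with a test calling `demo()`; the expected result is `naiveDenied == true` and `fixedAllowed == true`.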