Summary
When asked to save files, the agent uses /tmp instead of its
configured workspace directory. This fails on containers with
readOnlyRootFilesystem: true and bypasses workspace path
validation in internal/workspace/.
Observed behavior
INFO executing tool tool=exec
WARN tool returned error tool=exec output="sh: line 1: /tmp/go1.26.html: Read-only file system"
The agent recovered (the content was already in context from
web_fetch) and produced the summary anyway, but the intent
was wrong — it should have written to the workspace.
Proposed fix
Option 1: System prompt guidance (try first)
Add workspace path instructions to the system prompt or tool
descriptions so the LLM knows where to write. For example, in
the exec tool description or the agent's system prompt:
Your workspace directory is {workspace_path}. Always write
files there, never to /tmp or other system paths.
This is lightweight and usually sufficient — LLMs follow
workspace instructions well.
Option 2: Tool-level enforcement (if needed)
If prompt guidance isn't reliable enough across models, add
enforcement in the exec tool:
- Detect write operations to paths outside the workspace
- Either reject them or rewrite the path to the workspace
- The internal/workspace/ package already validates paths for read_file and write_file — exec bypasses this because it runs arbitrary shell commands
This is defense-in-depth but fragile (parsing shell commands
for file paths is unreliable). Consider limiting what exec
can do rather than trying to intercept paths.
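The containment check below is an added example, not code from the project's internal/workspace/ package: it shows the kind of root-relative validation the issue says read_file and write_file already get, and what any path rewritten or rejected by exec would have to pass. The root "/workspace" and the function name are assumptions for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideWorkspace is returned when a resolved path escapes the workspace root.
var ErrOutsideWorkspace = errors.New("path is outside the workspace")

// ResolveInWorkspace resolves p (absolute, or relative to root) to a cleaned
// absolute path and rejects it unless it is root itself or a descendant of root.
// The check is lexical: ".." traversal is caught, but a symlink inside the
// workspace that points outside is not; callers needing that must also run
// filepath.EvalSymlinks on the existing components before this check.
func ResolveInWorkspace(root, p string) (string, error) {
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	var abs string
	if filepath.IsAbs(p) {
		abs = filepath.Clean(p)
	} else {
		abs = filepath.Join(absRoot, p) // Join cleans, so "a/../../x" collapses before the check
	}
	// Rel-based test avoids the prefix pitfall where "/workspace-old/x"
	// would pass a naive strings.HasPrefix(abs, "/workspace") check.
	rel, err := filepath.Rel(absRoot, abs)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideWorkspace
	}
	return abs, nil
}

func main() {
	// Constructed sample paths: the one the agent tried to use, and a valid one.
	for _, p := range []string{"/tmp/go1.26.html", "out/go1.26.html", "../etc/passwd"} {
		got, err := ResolveInWorkspace("/workspace", p)
		fmt.Printf("%-20s -> %q, %v\n", p, got, err)
	}
}
```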
Context
Discovered during OTel tracing validation on OpenShift. The
container's readOnlyRootFilesystem: true security context
correctly blocked the write, but the agent shouldn't have
attempted it in the first place.