4 changes: 2 additions & 2 deletions setup/verify.ts
Expand Up @@ -11,7 +11,7 @@ import path from 'path';

import Database from 'better-sqlite3';

import { DATA_DIR, STORE_DIR } from '../src/orchestrator/config.js';
import { DATA_DIR, STATE_ROOT, STORE_DIR } from '../src/orchestrator/config.js';
import { readEnvFile } from '../src/orchestrator/env.js';
import { logger } from '../src/orchestrator/logger.js';
import {
Expand All @@ -23,7 +23,7 @@ import {
import { emitStatus } from './status.js';

// Derive service label from data directory for instance-specific checks
const SERVICE_DIR_NAME = path.basename(DATA_DIR).replace(/[^a-zA-Z0-9_-]/g, '-');
const SERVICE_DIR_NAME = path.basename(STATE_ROOT).replace(/[^a-zA-Z0-9_-]/g, '-');
const SERVICE_LABEL = `com.claudeclaw.${SERVICE_DIR_NAME}`;
const SYSTEMD_UNIT = `claudeclaw-${SERVICE_DIR_NAME}`;

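Review bot: The comment above the constant still says the label is derived from the data directory, while the new line derives it from STATE_ROOT; update it to `// Derive service label from the state root for instance-specific checks` so the two agree. If STATE_ROOT and DATA_DIR can point at different directories on an existing install, SERVICE_LABEL and SYSTEMD_UNIT computed here will no longer match units that were installed under the DATA_DIR-derived name, so the installer should draw from the same source or this check should accept both — the installer is not visible from this hunk. The unit name also degrades to `claudeclaw-` with nothing after the dash when basename(STATE_ROOT) is empty (a bare root path, for instance); a guard such as `if (!SERVICE_DIR_NAME) throw new Error('STATE_ROOT has no usable basename');` right after the constant would make that failure explicit instead of producing a label that matches nothing.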
5 changes: 4 additions & 1 deletion src/runtimes/sandbox-runner.ts
Expand Up @@ -300,7 +300,10 @@ export function buildSandboxSettings(
denyWrite.push(mount.hostPath);
} else if (mount.readonly) {
allowRead.push(mount.hostPath);
denyWrite.push(mount.hostPath); // enforce read-only at srt level
// Do NOT push to denyWrite: per srt config, denyWrite takes precedence
// over allowWrite, so adding a parent path here blocks nested writable
// mounts (e.g. groupDir inside projectRoot). Read-only is enforced
// implicitly: paths not present in allowWrite cannot be written.
} else {
// read-write
allowWrite.push(mount.hostPath);
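Review bot: Dropping the denyWrite entry makes read-only enforcement for this mount depend on no ancestor of mount.hostPath appearing in allowWrite, and nothing in the loop checks that; a read-only mount nested under a read-write one (the mirror image of the groupDir-inside-projectRoot case the comment describes) now silently becomes writable. The new comment should state that precondition, e.g. append `// Read-only only holds if no allowWrite entry is an ancestor of this path.` after the existing lines, and buildSandboxSettings should verify it once the loop has finished by failing or logging when a readonly mount's hostPath equals or lies beneath any allowWrite entry (compare path segments rather than string prefixes so `/a/b` does not match `/a/bc`). The precedence claim in the comment (denyWrite over allowWrite) comes from the srt configuration and is not visible here, so a pointer to where that is documented would let a maintainer confirm it before relying on it. buildSandboxSettings begins and ends outside this hunk.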