Date: 2026-05-20
Status: Technical request for review
**Problem:** 90 deny rules for the old /home/gleb/openclaw/videoctl/ path are duplicated across all 15 permission sections. The videoctl binary was relocated to /home/gleb/videoctl/. These rules are purely redundant — the * catch-all deny already covers these paths.
**Impact:** ~90 lines of config bloat. Not runtime-context critical (only active agent's section is loaded) but adds noise to the config file.
**Fix:** Remove all patterns containing /home/gleb/openclaw/videoctl from the config. The new allow at /home/gleb/videoctl/bin/videoctl + catch-all deny provides equivalent coverage.
**Section Locations (for bulk removal):**
• Main permission: lines 127, 193, 345-351, 391, 399, 434-443, 474-483, 648-654, 672, 694-700, 722-728, 1867, 1942
• Agent sections (14 copies, lines ~2011-23217): each has `openclaw/videoctl/**`: "deny" plus `openclaw/videoctl/bin/videoctl` denys
**Problem:** ACPX caches the permission ruleset at session creation time. When the config file is updated (e.g., adding new videoctl allows), running sessions don't pick up the changes. Only a session reload applies the new rules.
**Impact:** Preflight tool shows correct rules, but runtime denies. Confusing for both user and agent.
**Fix (options):**
• **Option A:** Add a daemon-side mechanism to detect config file changes and trigger a permission reload (ACPX may not support this)
• **Option B:** Accept that permission changes require a reload — document as known behavior
• **Option C:** Patch OpenCode to reload permission config on SIGHUP or periodically
**Current config:**
• `/home/matrix-lite/xdg/persistent-chat/opencode/opencode.json` (24K+ lines)
• ACPX merge: `Permission.merge(input.agent.permission ?? [], input.permission ?? [])`
• Evaluation: `findLast()` — last matching rule wins
**Problem:** Repos at /home/matrix-lite/workspace/repos/<name>/ are symlinks to /home/gleb/<name>/. Git's safe.directory check blocks bare git -C <workspace-path> commands.
**Impact:** Simple git commands fail with "dubious ownership" errors. The permission config has -c safe.directory=... variants for each repo, but the bare command form doesn't include it.
**Affected repos:**
• `sfq-factory` (symlink → `/home/gleb/sfq-factory`)
• `automeat` (symlink → `/home/gleb/automeat`)
• `videoctl` (symlink → `/home/gleb/openclaw/videoctl`) — actually this one redirects via new path
**Not affected:**
• `matrix-lite` at `/home/matrix-lite/app` — direct ownership, no symlink
• `openclaw-tools` — marked as ignore
**Fix (options):**
• **Option A (cleanest):** Set `git config --global safe.directory '*'` or specific repo paths — eliminates the check for all repos
• **Option B (current approach):** Always use `git -c safe.directory=/home/gleb/<repo> -C <workspace-path>` commands
• **Option C:** Remove the symlinks and clone repos directly under matrix-lite ownership
**Problem:** The config file has grown to 24K+ lines with 15 nearly-identical permission sections. While only the active agent's section is loaded at runtime, maintaining 15 copies is error-prone.
**Observations:**
• Main `permission` section: ~1,800 lines (bash ~1,500, read/edit/external_directory ~300)
• Each agent `build.permission`: ~200-300 bash rules, all structurally similar
• ACPX merges main + active agent: `Permission.merge(agent.permission, input.permission)`
• The 14 inactive agent sections sit on disk, never loaded at runtime
**Fix (deferred):** Design a shared-base config with per-agent overrides. Not urgent since unused sections don't consume runtime context.
| Issue | Config lines | Runtime impact | Priority |
|-------|-------------|----------------|----------|
| Stale openclaw/videoctl denys | ~90 lines | Low (not loaded) | Medium (config hygiene) |
| Permission startup cache | N/A | High (confusing failures) | High |
| Git safe.directory | ~128 lines | Medium (simple commands fail) | Medium |
| Permission consolidation | ~22K lines (14 copies) | None (not loaded) | Low |