INPUT/OUTPUT: failure guardrails; active until avoid_until expires
/home/matrix-lite/state/persistent-chat/recent-failures.json
{
"schema": "persistent_chat_recent_failures_v1",
"updated": "2026-05-18T20:33:45.461885+00:00",
"failures": [
{
"key": "bash-native-opencode-permission-ask-or-repeated-denied-raw-bash-raw-bash-ask-den-9b8352d6a0",
"ts": "2026-05-12T16:35:17.070573+00:00",
"tool": "bash",
"pattern": "native OpenCode permission ask or repeated denied raw bash",
"outcome": "non-interactive Matrix/ACP turns can hang or loop if the same raw bash pattern is retried",
"avoid_until": "2026-05-19T16:35:17.070416+00:00",
"recommended_alternative": "switch to read/glob/grep/list, sandboxed bash, or approved operations wrapper after first denial/failure",
"command": "raw bash ask/denied command",
"status": "resolved",
"updated": "2026-05-18T20:33:37.463996+00:00",
"superseded": true,
"superseded_at": "2026-05-18T20:33:37.464046+00:00",
"superseded_reason": "OpenClaw-era, permission architecture changed since",
"review_reason": "OpenClaw-era, permission architecture changed since"
},
{
"key": "read-external-directory-native-ask-for-non-allowlisted-paths-read-etc-hostname-t-ab5651b68b",
"ts": "2026-05-12T17:37:48.659237+00:00",
"tool": "read",
"pattern": "external_directory native ask for non-allowlisted paths",
"outcome": "non-interactive Matrix/ACP turns can hang when read asks for paths like /etc/hostname",
"avoid_until": "2026-06-11T17:37:48.659054+00:00",
"recommended_alternative": "use allowlisted harmless host identity paths, built-in tools inside allowed roots, sandbox/helper, or request an explicit allowlist change",
"command": "read /etc/hostname triggered external_directory ask",
"status": "resolved",
"updated": "2026-05-18T20:33:38.467238+00:00",
"superseded": true,
"superseded_at": "2026-05-18T20:33:38.467272+00:00",
"superseded_reason": "OpenClaw-era, read permissions reworked",
"review_reason": "OpenClaw-era, read permissions reworked"
},
{
"key": "approval-policy-approval-grant-for-read-does-not-override-native-opencode-permis-a9a1869419",
"ts": "2026-05-12T18:03:40.188866+00:00",
"tool": "approval_policy",
"pattern": "approval grant for read does not override native OpenCode permission maps",
"outcome": "grant was consumed but read /etc/hostname still hit external_directory deny; fallback subagent bash hostname opened a native ask and wedged the ACP turn",
"avoid_until": "2026-06-11T18:03:40.188680+00:00",
"recommended_alternative": "configure exact evaluated permission patterns as allow/deny first, then after grants use only allowlisted wrapper/commands; do not spawn subagents to bypass denials",
"command": "approval apr-7178f62f02 for read /etc/hostname",
"status": "resolved",
"updated": "2026-05-18T20:33:39.477513+00:00",
"superseded": true,
"superseded_at": "2026-05-18T20:33:39.477550+00:00",
"superseded_reason": "OpenClaw-era, approval architecture changed",
"review_reason": "OpenClaw-era, approval architecture changed"
},
{
"key": "task-explore-subagent-inherited-native-bash-ask-permissions-usr-local-bin-opencl-8234e6837a",
"ts": "2026-05-12T19:25:19.438100+00:00",
"tool": "task",
"pattern": "explore subagent inherited native bash ask permissions",
"outcome": "subagent tried quoted sandbox bash to read config, OpenCode opened native bash ask, and Matrix ACP lane wedged with queued messages",
"avoid_until": "2026-06-11T19:25:19.437848+00:00",
"recommended_alternative": "persistent-chat subagents now have explicit fail-closed bash/read permissions; use direct read/glob/grep or allowlisted sandbox/wrapper, never native asks",
"command": "'/usr/local/bin/openclaw-persistent-chat-sandbox' --cwd ... cat /home/openclaw/.config/.../opencode.json",
"status": "resolved",
"updated": "2026-05-18T20:33:40.503255+00:00",
"superseded": true,
"superseded_at": "2026-05-18T20:33:40.503289+00:00",
"superseded_reason": "OpenClaw-era, subagent permissions reworked",
"review_reason": "OpenClaw-era, subagent permissions reworked"
}
]
}