always-further · kipz · Jun 24, 2026 · Jun 24, 2026 · Jun 24, 2026
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -6,6 +6,8 @@
 
 - *(tool-sandbox)* Pass TLS trust bundle env vars (`SSL_CERT_FILE`, `CURL_CA_BUNDLE`, `NODE_EXTRA_CA_CERTS`, `REQUESTS_CA_BUNDLE`, `GIT_SSL_CAINFO`) to tool-sandbox children so HTTPS certificate verification works when TLS interception is active (#1248)
 
+- *(tool-sandbox)* Skip missing `fs_read`/`fs_write` directories instead of erroring on startup; matches existing `fs_read_file` behaviour (#1252)
+
 ## [0.65.1] - 2026-06-23
 ## [0.65.0] - 2026-06-23
 

diff --git a/crates/nono-cli/src/tool-sandbox/platform/linux.rs b/crates/nono-cli/src/tool-sandbox/platform/linux.rs
@@ -3226,11 +3226,11 @@ fn add_policy_fs(
     use super::dynamic_providers::expand_dynamic_tokens;
     for entry in &expand_dynamic_tokens(&policy.fs_read)? {
         let path = resolve_policy_path(entry, policy_root)?;
-        caps.add_fs(FsCapability::new_dir(path, AccessMode::Read)?);
+        add_optional_dir(caps, path, AccessMode::Read)?;
     }
     for entry in &expand_dynamic_tokens(&policy.fs_write)? {
         let path = resolve_policy_path(entry, policy_root)?;
-        caps.add_fs(FsCapability::new_dir(path, AccessMode::ReadWrite)?);
+        add_optional_dir(caps, path, AccessMode::ReadWrite)?;
     }
     for entry in &expand_dynamic_tokens(&policy.fs_read_file)? {
         let path = resolve_policy_path(entry, policy_root)?;
@@ -3243,6 +3243,17 @@ fn add_policy_fs(
     Ok(())
 }
 
+fn add_optional_dir(caps: &mut CapabilitySet, path: PathBuf, access: AccessMode) -> Result<()> {
+    match FsCapability::new_dir(&path, access) {
+        Ok(capability) => {
+            caps.add_fs(capability);
+            Ok(())
+        }
+        Err(NonoError::PathNotFound(_)) => Ok(()),
+        Err(err) => Err(err),
+    }
+}
+
 fn add_optional_read_file(caps: &mut CapabilitySet, path: PathBuf) -> Result<()> {
     match FsCapability::new_file(&path, AccessMode::Read) {
         Ok(capability) => {

diff --git a/crates/nono-cli/src/tool-sandbox/platform/macos.rs b/crates/nono-cli/src/tool-sandbox/platform/macos.rs
@@ -2261,11 +2261,11 @@ fn add_policy_fs(
     use super::dynamic_providers::expand_dynamic_tokens;
     for entry in &expand_dynamic_tokens(&policy.fs_read)? {
         let path = resolve_policy_path(entry, policy_root)?;
-        caps.add_fs(FsCapability::new_dir(path, AccessMode::Read)?);
+        add_optional_dir(caps, path, AccessMode::Read)?;
     }
     for entry in &expand_dynamic_tokens(&policy.fs_write)? {
         let path = resolve_policy_path(entry, policy_root)?;
-        caps.add_fs(FsCapability::new_dir(path, AccessMode::ReadWrite)?);
+        add_optional_dir(caps, path, AccessMode::ReadWrite)?;
     }
     for entry in &expand_dynamic_tokens(&policy.fs_read_file)? {
         let path = resolve_policy_path(entry, policy_root)?;
@@ -2278,6 +2278,17 @@ fn add_policy_fs(
     Ok(())
 }
 
+fn add_optional_dir(caps: &mut CapabilitySet, path: PathBuf, access: AccessMode) -> Result<()> {
+    match FsCapability::new_dir(&path, access) {
+        Ok(capability) => {
+            caps.add_fs(capability);
+            Ok(())
+        }
+        Err(NonoError::PathNotFound(_)) => Ok(()),
+        Err(err) => Err(err),
+    }
+}
+
 fn add_optional_read_file(caps: &mut CapabilitySet, path: PathBuf) -> Result<()> {
     match FsCapability::new_file(&path, AccessMode::Read) {
         Ok(capability) => {