Goose doesn't stay in it's directory?

[waym0re]

When I'm running goose cli from a directory, I'd expect it to stay in it's directory or sub-directories. (Claude cli and Gemini cli do this, for example). This way the only files and folders the AI can wreck are contained to where I started it. But this is not the case.

For example, if I'm starting goose in ~/Documents/AI_generated_software/Sample1/ , I find goose writing files in ~/Documents/AI_generated_software/ .

This is super dangerous. It means goose can effectively delete all my config files and archived files, any documents, and so on. It's not just theoretical, in a prior session goose ran "cd ~/Documents/AI_generated_software && rm -rf Sample1 && mkdir -p Sample1/app/src/main/java/com/sample1" and completely deleted something.

I also had the same situation using the desktop app, although my main use is cli.

Yes, I COULD review every command and so on, but my idea is vibe coding and I don't really mind if it does crazy stuff, as long as it stays within the directory I can choose.

Am I missing some obvious way to restrict goose to the current working directory and subdirectories (and obviously being able to run things in path)? I am reading up on .gooseignore, but it seems for the developer tools only (and therefore not cli or desktop modes? I use mostly cli and think maybe developer is the way to go?).

I'm really new to goose and loving it so far.

[GameKyuubi]

I've found using CLAUDE.md in the project directory to tell Claude to check which directory it's in before it does anything seems to fix this but yeah idk why Goose thinks this is good default behavior. If I start a chat in a directory idk why default behavior is to look outside that directory. It might be bringing irrelevant context with it when you start a new chat. If you found a better solution lmk.

[MrStonerT]

Has anyone recently learned any additional system prompts we should tell Goose or have you adjusted your prompts to ensure this doesn't happen?

I recently found Goose created a whole user directory on my C drive - absolutely scared the heck out of me - it was a reference in another open source solution... it did it again later in the conversation! I had to tell it explicitly not to.

[waym0re]

IME, prompting most AI models to not do something, actually encourages them to do it (LLMs don't have a negative like images). So no matter how often I told it explicitly "no, stay in /your/folder, create subdirectories there, blah blah", a few commands down it would try to write stuff to /tmp or elsewhere.
My "solution" was either to sandbox it in a user that had no rights and watch it fail commands for permissions over and over, or in a VM and let it rip. I can't say I never use goose anymore, but I've sort of moved on.

[jorge-gbs]

Yea I've had that happen. We should have a some kind of setting or boundary where anything inside the selected folder is auto approved and outside requires approval.

[GameKyuubi]

It's got to be a bug, sometimes even when starting an entirely new context the wrong working path is handed over, even though it's selected in the menu. The agent has no idea what I'm talking about because it's in the wrong directory. And then when switching chats, the working directory for the chat I'm coming back to also occasionally gets swapped, which means it's a pain to work on different projects simultaneously, defeating what I thought the point of having separate chats with separate selectable working directories was in the first place.

[MrStonerT]

Agreed - I often ask it to check what the working directory is at the beginning of a chat just to be sure its not still 'working' with the wrong folder. Be good if we had an option to Create a Folder and when selecting folders it remembers the last position or defaults to the file system extensions' allowed directory.

[Stitch10925]

Isn't that exactly what the goose ignore file is for?
https://goose-docs.ai/docs/guides/using-gooseignore

Or am I missing something?

[MrStonerT]

I don't believe so and that's not how other coding assistants work either, for instance Claude Code stays within the boundaries unless given permission explicitly - Goose seems to creep outside on occasion and it could be that the models are not as strong or it could be the boundaries are less well defined. I have it in my system prompts to stay within the working directory and the filesystem extension explicitly states where the root working directory is as well - seems this gets ignored in certain cases. in my case I asked it to work from a git repo and make some adjustments... apparently there were references to the git owners own user folders... Goose happily recreated those folders on my system. I would rather it programmatically look for prompts or tool calling that includes directories outside the working directory for instance.

here's what I found when searching the same for Claude Code as an example:
"Claude Code stays within the directory it was told primarily through sandboxed security permissions, current working directory (CWD) restrictions, and explicit user approval prompts. It does not rely on a .claudeignore file for hard boundaries, but rather on active directory scoping. "

[waym0re]

Did you even read the post? "I am reading up on .gooseignore, but it seems for the developer tools only (and therefore not cli or desktop modes? I use mostly cli and think maybe developer is the way to go?)."

[UncleRedz]

I'm seeing the same thing, it's the developer extension which doesn't enforce the current workspace path when path's are provided in tool calls. Also believe the ignore file is just that, a way to ignore files, not a way to enforce actions to stay within a specific folder. Goose happily created temp files and folders all over my hard drive, which felt kind of dangerous.

My solution was to disable the developer extension and instead use an MCP which provides file operations with folder enforcement. In my case, something I developed my self, and now Goose stays within it's folder. My advice would be to look for an MCP that is safer and provides the tools you need.

[Lo-Yun]

I've finally found a simple way to detain goose inside the CWD (current working directory). I use MCP official "Filsystem" extension. Please check this out.
Also, I have to disable the default "developer" extension to avoid goose's jailbreak.