openclaw
diff --git a/‎docs/.generated/plugin-sdk-api-baseline.sha256‎
Lines changed: 2 additions & 2 deletions b/‎docs/.generated/plugin-sdk-api-baseline.sha256‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎docs/gateway/opentelemetry.md‎
Lines changed: 7 additions & 0 deletions b/‎docs/gateway/opentelemetry.md‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎extensions/diagnostics-otel/src/service.test.ts‎
Lines changed: 40 additions & 18 deletions b/‎extensions/diagnostics-otel/src/service.test.ts‎
Lines changed: 40 additions & 18 deletions
diff --git a/‎extensions/diagnostics-otel/src/service.ts‎
Lines changed: 14 additions & 15 deletions b/‎extensions/diagnostics-otel/src/service.ts‎
Lines changed: 14 additions & 15 deletions
diff --git a/‎src/agents/agent-tools.before-tool-call.e2e.test.ts‎
Lines changed: 141 additions & 0 deletions b/‎src/agents/agent-tools.before-tool-call.e2e.test.ts‎
Lines changed: 141 additions & 0 deletions
@@ -1,2 +1,2 @@
-1cd5bcc75461c64d39a00918a50d033e66ae7ec199d8029f7cccaaa2eeb16f22  plugin-sdk-api-baseline.json
-a5d3b43c3710c4238958b1b3163e652ac34bdc7b82215c6294ce61b72188d75e  plugin-sdk-api-baseline.jsonl
+ae06e87a060aaa9618e2b245553d90402c0fbbe1ebc864928dc7f771cede7c6d  plugin-sdk-api-baseline.json
+8ae4665726d0a8e2e80587ab0b98afce6718861a996daef2fac207066c29dd4f  plugin-sdk-api-baseline.jsonl
@@ -161,6 +161,13 @@ When any subkey is enabled, model and tool spans get bounded, redacted
 `captureContent: true` only for broad diagnostics captures where OTLP log
 message bodies are also approved for export.
 
+`toolInputs`/`toolOutputs` content is captured for tool executions run by the
+built-in agent runtime: `openclaw.content.tool_input` on completed and error
+spans, `openclaw.content.tool_output` on completed spans only. External harness
+tool calls (Codex, Claude CLI) emit `tool.execution.*` spans without content
+payloads. Captured content travels on a trusted, listener-only channel and is
+never placed on the public diagnostic event bus.
+
 ## Sampling and flushing
 
 - **Traces:** `diagnostics.otel.sampleRate` (root-span only, `0.0` drops all,
 
@@ -408,6 +408,22 @@ function emitTrustedModelCallCompletedWithContent(
   );
 }
 
+function emitTrustedToolExecutionCompletedWithContent(
+  event: Omit<
+    Extract<Parameters<typeof emitDiagnosticEvent>[0], { type: "tool.execution.completed" }>,
+    "type"
+  >,
+  toolContent: NonNullable<DiagnosticEventPrivateData["toolContent"]>,
+) {
+  emitTrustedDiagnosticEventWithPrivateData(
+    {
+      type: "tool.execution.completed",
+      ...event,
+    },
+    { toolContent },
+  );
+}
+
 afterAll(() => {
   vi.doUnmock("@opentelemetry/api");
   vi.doUnmock("@opentelemetry/sdk-node");
@@ -3991,15 +4007,18 @@ describe("diagnostics-otel service", () => {
         systemPrompt: "private system prompt",
       },
     );
-    emitDiagnosticEvent({
-      type: "tool.execution.completed",
-      runId: "run-1",
-      toolName: "read",
-      toolCallId: "tool-1",
-      durationMs: 20,
-      toolInput: "private tool input",
-      toolOutput: "private tool output",
-    } as Parameters<typeof emitDiagnosticEvent>[0]);
+    emitTrustedToolExecutionCompletedWithContent(
+      {
+        runId: "run-1",
+        toolName: "read",
+        toolCallId: "tool-1",
+        durationMs: 20,
+      },
+      {
+        toolInput: "private tool input",
+        toolOutput: "private tool output",
+      },
+    );
     await flushDiagnosticEvents();
 
     const modelOptions = startedSpanOptions("openclaw.model.call");
@@ -4052,15 +4071,18 @@ describe("diagnostics-otel service", () => {
         systemPrompt: "system prompt",
       },
     );
-    emitDiagnosticEvent({
-      type: "tool.execution.completed",
-      runId: "run-1",
-      toolName: "read",
-      toolCallId: "tool-1",
-      durationMs: 20,
-      toolInput: "tool input",
-      toolOutput: `${"x".repeat(4077)} Bearer ${"a".repeat(80)}`, // pragma: allowlist secret
-    } as Parameters<typeof emitDiagnosticEvent>[0]);
+    emitTrustedToolExecutionCompletedWithContent(
+      {
+        runId: "run-1",
+        toolName: "read",
+        toolCallId: "tool-1",
+        durationMs: 20,
+      },
+      {
+        toolInput: "tool input",
+        toolOutput: `${"x".repeat(4077)} Bearer ${"a".repeat(80)}`, // pragma: allowlist secret
+      },
+    );
     await flushDiagnosticEvents();
 
     const modelCall = telemetryState.tracer.startSpan.mock.calls.find(
 
@@ -109,6 +109,11 @@ type OtelModelCallContent = {
   toolDefinitions?: unknown;
 };
 
+type OtelToolCallContent = {
+  toolInput?: unknown;
+  toolOutput?: unknown;
+};
+
 type MessageDeliveryDiagnosticEvent = Extract<
   DiagnosticEventPayload,
   {
@@ -910,14 +915,14 @@ function assignOtelModelContentAttributes(
 
 function assignOtelToolContentAttributes(
   attributes: Record<string, string | number | boolean>,
-  event: Record<string, unknown>,
+  content: OtelToolCallContent | undefined,
   policy: OtelContentCapturePolicy,
 ): void {
   if (policy.toolInputs) {
-    assignOtelContentAttribute(attributes, "openclaw.content.tool_input", event.toolInput);
+    assignOtelContentAttribute(attributes, "openclaw.content.tool_input", content?.toolInput);
   }
   if (policy.toolOutputs) {
-    assignOtelContentAttribute(attributes, "openclaw.content.tool_output", event.toolOutput);
+    assignOtelContentAttribute(attributes, "openclaw.content.tool_output", content?.toolOutput);
   }
 }
 
@@ -3045,6 +3050,7 @@ export function createDiagnosticsOtelService(): OpenClawPluginService {
       const recordToolExecutionCompleted = (
         evt: Extract<DiagnosticEventPayload, { type: "tool.execution.completed" }>,
         metadata: DiagnosticEventMetadata,
+        toolContent?: OtelToolCallContent,
       ) => {
         const attrs = toolExecutionBaseAttrs(evt);
         toolExecutionDurationHistogram.record(evt.durationMs, attrs);
@@ -3055,11 +3061,7 @@ export function createDiagnosticsOtelService(): OpenClawPluginService {
           ...toolExecutionBaseAttrs(evt),
         };
         addRunAttrs(spanAttrs, evt);
-        assignOtelToolContentAttributes(
-          spanAttrs,
-          evt as unknown as Record<string, unknown>,
-          contentCapturePolicy,
-        );
+        assignOtelToolContentAttributes(spanAttrs, toolContent, contentCapturePolicy);
         const span =
           takeTrackedTrustedSpan(evt, metadata) ??
           spanWithDuration("openclaw.tool.execution", spanAttrs, evt.durationMs, {
@@ -3073,6 +3075,7 @@ export function createDiagnosticsOtelService(): OpenClawPluginService {
       const recordToolExecutionError = (
         evt: Extract<DiagnosticEventPayload, { type: "tool.execution.error" }>,
         metadata: DiagnosticEventMetadata,
+        toolContent?: OtelToolCallContent,
       ) => {
         const attrs = {
           ...toolExecutionBaseAttrs(evt),
@@ -3090,11 +3093,7 @@ export function createDiagnosticsOtelService(): OpenClawPluginService {
         if (evt.errorCode) {
           spanAttrs["openclaw.errorCode"] = lowCardinalityAttr(evt.errorCode, "other");
         }
-        assignOtelToolContentAttributes(
-          spanAttrs,
-          evt as unknown as Record<string, unknown>,
-          contentCapturePolicy,
-        );
+        assignOtelToolContentAttributes(spanAttrs, toolContent, contentCapturePolicy);
         const span =
           takeTrackedTrustedSpan(evt, metadata) ??
           spanWithDuration("openclaw.tool.execution", spanAttrs, evt.durationMs, {
@@ -3425,10 +3424,10 @@ export function createDiagnosticsOtelService(): OpenClawPluginService {
               recordToolExecutionStarted(evt, metadata);
               return;
             case "tool.execution.completed":
-              recordToolExecutionCompleted(evt, metadata);
+              recordToolExecutionCompleted(evt, metadata, privateData.toolContent);
               return;
             case "tool.execution.error":
-              recordToolExecutionError(evt, metadata);
+              recordToolExecutionError(evt, metadata, privateData.toolContent);
               return;
             case "tool.execution.blocked":
               recordToolExecutionBlocked(evt, metadata);
 
@@ -9,8 +9,10 @@ import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
 import {
   onInternalDiagnosticEvent,
   onDiagnosticEvent,
+  onTrustedInternalDiagnosticEvent,
   resetDiagnosticEventsForTest,
   type DiagnosticEventPayload,
+  type DiagnosticEventPrivateData,
   type DiagnosticToolLoopEvent,
 } from "../infra/diagnostic-events.js";
 import { MAX_PLUGIN_APPROVAL_TIMEOUT_MS } from "../infra/plugin-approvals.js";
@@ -1761,3 +1763,142 @@ describe("before_tool_call requireApproval handling", () => {
     expect(onResolution).toHaveBeenCalledWith("cancelled");
   });
 });
+
+describe("before_tool_call tool content private-data capture", () => {
+  type TrustedToolEvent = {
+    event: DiagnosticEventPayload;
+    privateData: DiagnosticEventPrivateData;
+  };
+
+  beforeEach(() => {
+    resetDiagnosticSessionStateForTest();
+    resetDiagnosticEventsForTest();
+  });
+
+  async function withTrustedToolEvents(
+    run: (emitted: TrustedToolEvent[], flush: () => Promise<void>) => Promise<void>,
+  ) {
+    const emitted: TrustedToolEvent[] = [];
+    const stop = onTrustedInternalDiagnosticEvent((event, _metadata, privateData) => {
+      if (event.type.startsWith("tool.execution.")) {
+        emitted.push({ event, privateData });
+      }
+    });
+    const flush = () =>
+      new Promise<void>((resolve) => {
+        setImmediate(resolve);
+      });
+    try {
+      await run(emitted, flush);
+    } finally {
+      stop();
+    }
+  }
+
+  function configWithToolContent(
+    fields: { toolInputs?: boolean; toolOutputs?: boolean } = {
+      toolInputs: true,
+      toolOutputs: true,
+    },
+  ) {
+    return {
+      diagnostics: {
+        enabled: true,
+        otel: {
+          enabled: true,
+          traces: true,
+          captureContent: { enabled: true, ...fields },
+        },
+      },
+    } as unknown as import("../config/types.openclaw.js").OpenClawConfig;
+  }
+
+  it("attaches tool input/output to private data when opted in", async () => {
+    const execute = vi.fn().mockResolvedValue({ content: [{ type: "text", text: "file body" }] });
+    const tool = wrapToolWithBeforeToolCallHook({ name: "read", execute } as any, {
+      agentId: "main",
+      sessionKey: "session-key",
+      runId: "run-1",
+      loopDetection: { enabled: false },
+      config: configWithToolContent(),
+    });
+
+    await withTrustedToolEvents(async (emitted, flush) => {
+      await tool.execute("call-1", { path: "/etc/secret" }, undefined, undefined);
+      await flush();
+
+      const completed = emitted.find((e) => e.event.type === "tool.execution.completed");
+      expect(completed?.privateData.toolContent?.toolInput).toEqual({ path: "/etc/secret" });
+      expect(completed?.privateData.toolContent?.toolOutput).toEqual({
+        content: [{ type: "text", text: "file body" }],
+      });
+      // Public event payload must never carry raw params/results.
+      expect(JSON.stringify(completed?.event)).not.toContain("/etc/secret");
+      expect(JSON.stringify(completed?.event)).not.toContain("file body");
+    });
+  });
+
+  it("omits tool content from private data when capture is not configured", async () => {
+    const execute = vi.fn().mockResolvedValue({ content: [{ type: "text", text: "ok" }] });
+    const tool = wrapToolWithBeforeToolCallHook({ name: "read", execute } as any, {
+      agentId: "main",
+      sessionKey: "session-key",
+      runId: "run-1",
+      loopDetection: { enabled: false },
+    });
+
+    await withTrustedToolEvents(async (emitted, flush) => {
+      await tool.execute("call-1", { path: "/etc/secret" }, undefined, undefined);
+      await flush();
+
+      const completed = emitted.find((e) => e.event.type === "tool.execution.completed");
+      expect(completed).toBeDefined();
+      expect(completed?.privateData.toolContent).toBeUndefined();
+    });
+  });
+
+  it("captures only opted-in fields and clones away from live params", async () => {
+    const liveParams = { path: "/etc/secret" };
+    const execute = vi.fn().mockResolvedValue({ content: [{ type: "text", text: "out" }] });
+    const tool = wrapToolWithBeforeToolCallHook({ name: "read", execute } as any, {
+      agentId: "main",
+      sessionKey: "session-key",
+      runId: "run-1",
+      loopDetection: { enabled: false },
+      config: configWithToolContent({ toolInputs: true, toolOutputs: false }),
+    });
+
+    await withTrustedToolEvents(async (emitted, flush) => {
+      await tool.execute("call-1", liveParams, undefined, undefined);
+      await flush();
+
+      const completed = emitted.find((e) => e.event.type === "tool.execution.completed");
+      expect(completed?.privateData.toolContent?.toolInput).toEqual({ path: "/etc/secret" });
+      expect(completed?.privateData.toolContent?.toolOutput).toBeUndefined();
+      // Captured snapshot is a clone, not the live params object.
+      expect(completed?.privateData.toolContent?.toolInput).not.toBe(liveParams);
+    });
+  });
+
+  it("attaches tool input but not output on execution errors", async () => {
+    const execute = vi.fn().mockRejectedValue(new Error("boom"));
+    const tool = wrapToolWithBeforeToolCallHook({ name: "read", execute } as any, {
+      agentId: "main",
+      sessionKey: "session-key",
+      runId: "run-1",
+      loopDetection: { enabled: false },
+      config: configWithToolContent(),
+    });
+
+    await withTrustedToolEvents(async (emitted, flush) => {
+      await expect(
+        tool.execute("call-1", { path: "/etc/secret" }, undefined, undefined),
+      ).rejects.toThrow("boom");
+      await flush();
+
+      const errored = emitted.find((e) => e.event.type === "tool.execution.error");
+      expect(errored?.privateData.toolContent?.toolInput).toEqual({ path: "/etc/secret" });
+      expect(errored?.privateData.toolContent?.toolOutput).toBeUndefined();
+    });
+  });
+});