fix(gateway): honor plugin suppression + drop provider-gated tools in raw coding factory

simonusa · simonusa · commit 427c102e03a6 · 2026-05-04T11:52:55.000-07:00
Address bot review on PR #63919: [P2] Plugin suppression bypass — `createOpenClawCodingToolsRaw()` previously delegated to the full coding factory which unconditionally appended `createOpenClawTools(...)` and `listChannelAgentTools(...)`. The resolver explicitly requests core-only resolution for known core tool requests (`disablePluginTools: true`), but that intent was lost — a "core-only" HTTP request could still re-enter plugin resolution via the coding factory. Added `disablePluginTools` flag to `createOpenClawCodingTools` options that skips both plugin spreads. Raw factory always sets it. Independent of the existing `includeCoreTools` flag — keeps core coding tools materialized, only suppresses plugin loading. [P2] Provider-gated tools without context — `apply_patch` is provider-gated to OpenAI-family models. The /tools/invoke HTTP surface has no session-bound model context, so allowlisting `apply_patch` would silently produce nothing (resolver reports tool unavailable). Added `excludeProviderGatedTools` flag that drops provider-gated tools at construction time. Raw factory always sets it. Documented in tools-invoke HTTP API docs that `apply_patch` is no longer materializable via this surface even if allowlisted. [P3] Docs + changelog — updated `docs/gateway/tools-invoke-http-api.md` to reflect the new default deny entries (`process`, `write`, `edit`) and added a "Coding tools available via HTTP" section. Added Unreleased changelog entry describing the new feature and contract. Local tests: 99/99 in tools-invoke-http suites pass on private fork (legacy fork has pre-existing typebox dep issue unrelated to this change).
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -10,6 +10,7 @@ Docs: https://docs.openclaw.ai
 
 ### Changes
 
+- Gateway/tools-invoke: wire coding primitive tools (`read`, plus opt-in `write`/`edit`/`exec`/`process`) into the HTTP `/tools/invoke` endpoint via a new unwrapped factory `createOpenClawCodingToolsRaw()`. Enables deterministic automation flows (linting, tests, browser capture) without a full LLM round-trip. The new factory honors the resolver's plugin-suppression intent end-to-end and excludes provider-gated tools (`apply_patch`) that cannot be safely materialized without session-bound model context. The default HTTP deny list now also includes the canonical mutating tool names `write`, `edit`, and `process`, so they require explicit `gateway.tools.allow` opt-in. Refs #37131. Thanks @simonusa.
 - Plugins/active-memory: skip session-store channel entries that contain `:` when resolving the recall subagent's channel, so QQ c2c agent IDs (e.g. `c2c:10D4F7C2…`) and other scoped conversation IDs do not reach bundled-plugin `dirName` validation and crash the recall run. The same guard already applied to explicit `channelId` params (#76704); this extends it to store-derived channels. (#77396) Thanks @hclsys.
 - Models/auth: add `openclaw models auth list [--provider <id>] [--json]` so users can inspect saved per-agent auth profiles without dumping secrets or hitting the old “too many arguments” path. Thanks @vincentkoc.
 - Control UI/header: show the active agent name in dashboard breadcrumbs without adding the current session key, keeping non-chat views oriented without crowding the topbar.
diff --git a/docs/gateway/tools-invoke-http-api.md b/docs/gateway/tools-invoke-http-api.md
@@ -106,17 +106,24 @@ Gateway HTTP also applies a hard deny list by default (even if session policy al
 - `exec` — direct command execution (RCE surface)
 - `spawn` — arbitrary child process creation (RCE surface)
 - `shell` — shell command execution (RCE surface)
-- `fs_write` — arbitrary file mutation on the host
+- `process` — background process orchestration; sibling of exec (RCE surface via shell)
+- `write` — canonical workspace write tool; arbitrary file mutation on the host
+- `edit` — canonical workspace edit tool; arbitrary file mutation on the host
+- `fs_write` — arbitrary file mutation on the host (legacy/alternate name)
 - `fs_delete` — arbitrary file deletion on the host
 - `fs_move` — arbitrary file move/rename on the host
-- `apply_patch` — patch application can rewrite arbitrary files
+- `apply_patch` — patch application can rewrite arbitrary files (note: not currently materializable via `/tools/invoke` even if allowlisted, since this surface has no session-bound model context and `apply_patch` is provider-gated to OpenAI-family models)
 - `sessions_spawn` — session orchestration; spawning agents remotely is RCE
 - `sessions_send` — cross-session message injection
 - `cron` — persistent automation control plane
 - `gateway` — gateway control plane; prevents reconfiguration via HTTP
 - `nodes` — node command relay can reach system.run on paired hosts
 - `whatsapp_login` — interactive setup requiring terminal QR scan; hangs on HTTP
 
+### Coding tools available via HTTP
+
+The default coding-primitive tools (`read`, plus the deny-listed `write`/`edit`/`exec`/`process` if allowlisted) are reachable here for deterministic automation use cases that don't need a full LLM round-trip (linting, tests, browser capture, etc.). They are constructed via the unwrapped factory `createOpenClawCodingToolsRaw()`, which omits plugin-capable tools and provider-gated tools — the resolver's plugin-suppression intent is honored end-to-end.
+
 You can customize this deny list via `gateway.tools`:
 
 ```json5
diff --git a/src/agents/pi-tools.ts b/src/agents/pi-tools.ts
@@ -311,6 +311,23 @@ export function createOpenClawCodingTools(options?: {
    * after wrapping, dropping symbol-keyed unwrap markers.
    */
   skipBeforeToolCallHook?: boolean;
+  /**
+   * Skip the appended `createOpenClawTools(...)` plugin-capable tool block AND
+   * the channel-defined agent tools. Used by the /tools/invoke HTTP surface so
+   * the resolver's `disablePluginTools` intent is honored end-to-end — without
+   * this, a "core-only" HTTP request would still re-enter plugin resolution
+   * via the coding factory. Independent of `includeCoreTools`: keeps the core
+   * coding tools (read/write/edit/exec/process) materialized, only suppresses
+   * plugin-loading.
+   */
+  disablePluginTools?: boolean;
+  /**
+   * Skip materializing tools that require model/provider context to construct
+   * (currently `apply_patch`, gated to OpenAI providers). Used by the
+   * /tools/invoke HTTP surface where no model context is available — without
+   * this, allowlisting a provider-gated tool would silently produce nothing.
+   */
+  excludeProviderGatedTools?: boolean;
   /**
    * Provider of the currently selected model (used for provider-specific tool quirks).
    * Example: "anthropic", "openai", "google", "openai-codex".
@@ -500,6 +517,7 @@ export function createOpenClawCodingTools(options?: {
   // (tools.fs.workspaceOnly is a separate umbrella flag for read/write/edit/apply_patch.)
   const applyPatchWorkspaceOnly = workspaceOnly || applyPatchConfig?.workspaceOnly !== false;
   const applyPatchEnabled =
+    !options?.excludeProviderGatedTools &&
     applyPatchConfig?.enabled !== false &&
     isOpenAIProvider(options?.modelProvider) &&
     isApplyPatchAllowedForModel({
@@ -706,8 +724,13 @@ export function createOpenClawCodingTools(options?: {
     ...(execTool ? [execTool as unknown as AnyAgentTool] : []),
     ...(processTool ? [processTool as unknown as AnyAgentTool] : []),
     // Channel docking: include channel-defined agent tools (login, etc.).
-    ...(includeCoreTools ? listChannelAgentTools({ cfg: options?.config }) : []),
-    ...(includeCoreTools
+    ...(includeCoreTools && !options?.disablePluginTools
+      ? listChannelAgentTools({ cfg: options?.config })
+      : []),
+    // Plugin-capable OpenClaw tools (channel/messaging/skill plugins). Skipped
+    // when `disablePluginTools` is set so a "core-only" caller (e.g. /tools/invoke
+    // HTTP surface) does not re-enter plugin resolution via the coding factory.
+    ...(includeCoreTools && !options?.disablePluginTools
       ? createOpenClawTools({
           sandboxBrowserBridgeUrl: sandbox?.browser?.bridgeUrl,
           allowHostBrowserControl: sandbox ? sandbox.browserAllowHostControl : true,
@@ -883,5 +906,17 @@ export function createOpenClawCodingTools(options?: {
 export function createOpenClawCodingToolsRaw(
   options?: Parameters<typeof createOpenClawCodingTools>[0],
 ): AnyAgentTool[] {
-  return createOpenClawCodingTools({ ...options, skipBeforeToolCallHook: true });
+  return createOpenClawCodingTools({
+    ...options,
+    skipBeforeToolCallHook: true,
+    // The /tools/invoke HTTP surface has no session-bound model context, so
+    // provider-gated tools (apply_patch is OpenAI-only) cannot be safely
+    // materialized here. Drop them rather than letting allowlist opt-in
+    // silently produce nothing.
+    excludeProviderGatedTools: true,
+    // The resolver already gates plugin loading (`disablePluginTools`) for
+    // core-only HTTP requests; honor that here so the coding factory does not
+    // re-enter plugin resolution via the appended createOpenClawTools(...) block.
+    disablePluginTools: true,
+  });
 }
