fix(plugins): honor plugin tool denylists

vincentkoc · vincentkoc · commit 571d75aab351 · 2026-05-03T19:33:00.000-07:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -51,6 +51,7 @@ Docs: https://docs.openclaw.ai
 - Gateway/sessions: memoize repeated thinking-option enrichment and skip unused cost fallback checks while listing sessions, reducing per-row work on large multi-agent stores. Fixes #76931.
 - Agents/tools: use config-only runtime snapshots for plugin tool registration and live runtime config getters, avoiding expensive full secrets snapshot clones on the core-plugin-tools prep path. Fixes #76295.
 - Agents/tools: honor the effective tool denylist before constructing optional PDF/media tool factories, so `tools.deny: ["pdf"]` skips PDF setup before later policy filtering. Fixes #76997.
+- Plugin tools: honor explicit tool denylists while selecting plugin tool runtimes, so denied plugin tools are not materialized for direct command or gateway surfaces before later policy filtering. Thanks @vincentkoc.
 - Agents/bootstrap: keep pending `BOOTSTRAP.md` and bootstrap truncation notices in system-prompt Project Context instead of copying setup text or raw warning diagnostics into WebChat user/runtime context. Fixes #76946.
 - Channels/WhatsApp: allow `@whiskeysockets/libsignal-node` in `onlyBuiltDependencies` so pnpm v9+ `blockExoticSubdeps` no longer rejects the baileys git-tarball subdep and silences all inbound agent replies. Fixes #76539. Thanks @ottodeng and @vincentkoc.
 - Gateway/install: keep `.env`-managed values in the macOS LaunchAgent env file while still tracking `OPENCLAW_SERVICE_MANAGED_ENV_KEYS`, so regenerated services do not boot without managed auth/provider keys. Fixes #75374.
diff --git a/src/agents/openclaw-plugin-tools.ts b/src/agents/openclaw-plugin-tools.ts
@@ -17,6 +17,7 @@ import type { AnyAgentTool } from "./tools/common.js";
 
 type ResolveOpenClawPluginToolsOptions = OpenClawPluginToolOptions & {
   pluginToolAllowlist?: string[];
+  pluginToolDenylist?: string[];
   currentChannelId?: string;
   currentThreadTs?: string;
   currentMessageId?: string | number;
@@ -81,6 +82,7 @@ export function resolveOpenClawPluginToolsForOptions(params: {
     }),
     existingToolNames: params.existingToolNames ?? new Set<string>(),
     toolAllowlist: params.options?.pluginToolAllowlist,
+    toolDenylist: params.options?.pluginToolDenylist,
     allowGatewaySubagentBinding: params.options?.allowGatewaySubagentBinding,
     ...(authProfileStore
       ? {
diff --git a/src/agents/openclaw-tools.browser-plugin.integration.test.ts b/src/agents/openclaw-tools.browser-plugin.integration.test.ts
@@ -142,6 +142,31 @@ describe("createOpenClawTools browser plugin integration", () => {
     );
   });
 
+  it("forwards plugin tool deny policy to plugin resolution", () => {
+    hoisted.resolvePluginTools.mockReturnValue([]);
+    const config = {
+      plugins: {
+        allow: ["browser"],
+      },
+    } as OpenClawConfig;
+
+    resolveOpenClawPluginToolsForOptions({
+      options: {
+        config,
+        pluginToolAllowlist: ["*"],
+        pluginToolDenylist: ["browser"],
+      },
+      resolvedConfig: config,
+    });
+
+    expect(hoisted.resolvePluginTools).toHaveBeenCalledWith(
+      expect.objectContaining({
+        toolAllowlist: ["*"],
+        toolDenylist: ["browser"],
+      }),
+    );
+  });
+
   it("does not pass a stale active snapshot as plugin runtime config for a resolved run config", () => {
     const staleSourceConfig = {
       plugins: {
diff --git a/src/agents/pi-tools.ts b/src/agents/pi-tools.ts
@@ -649,6 +649,7 @@ export function createOpenClawCodingTools(options?: {
           allowHostBrowserControl: sandbox ? sandbox.browserAllowHostControl : true,
           sandboxed: !!sandbox,
           pluginToolAllowlist,
+          pluginToolDenylist,
           currentChannelId: options?.currentChannelId,
           currentThreadTs: options?.currentThreadTs,
           currentMessageId: options?.currentMessageId,
diff --git a/src/gateway/tool-resolution.ts b/src/gateway/tool-resolution.ts
@@ -15,6 +15,7 @@ import {
 } from "../agents/tool-policy-pipeline.js";
 import {
   collectExplicitAllowlist,
+  collectExplicitDenylist,
   mergeAlsoAllowPolicy,
   resolveToolProfilePolicy,
 } from "../agents/tool-policy.js";
@@ -108,6 +109,16 @@ export function resolveGatewayScopedTools(params: {
       subagentPolicy,
       gatewayRequestedTools.length > 0 ? { allow: gatewayRequestedTools } : undefined,
     ]),
+    pluginToolDenylist: collectExplicitDenylist([
+      profilePolicy,
+      providerProfilePolicy,
+      globalPolicy,
+      globalProviderPolicy,
+      agentPolicy,
+      agentProviderPolicy,
+      groupPolicy,
+      subagentPolicy,
+    ]),
   });
 
   const policyFiltered = applyToolPolicyPipeline({
diff --git a/src/plugins/tools.optional.test.ts b/src/plugins/tools.optional.test.ts
@@ -68,6 +68,7 @@ function createContext() {
 function createResolveToolsParams(params?: {
   context?: ReturnType<typeof createContext> & Record<string, unknown>;
   toolAllowlist?: readonly string[];
+  toolDenylist?: readonly string[];
   existingToolNames?: Set<string>;
   env?: NodeJS.ProcessEnv;
   suppressNameConflicts?: boolean;
@@ -76,6 +77,7 @@ function createResolveToolsParams(params?: {
   return {
     context: (params?.context ?? createContext()) as never,
     ...(params?.toolAllowlist ? { toolAllowlist: [...params.toolAllowlist] } : {}),
+    ...(params?.toolDenylist ? { toolDenylist: [...params.toolDenylist] } : {}),
     ...(params?.existingToolNames ? { existingToolNames: params.existingToolNames } : {}),
     ...(params?.env ? { env: params.env } : {}),
     ...(params?.suppressNameConflicts ? { suppressNameConflicts: true } : {}),
@@ -2177,6 +2179,30 @@ describe("resolvePluginTools optional tools", () => {
     expectResolvedToolNames(tools, ["browser"]);
   });
 
+  it("does not materialize plugin tools blocked by explicit deny policy", () => {
+    const browserFactory = vi.fn(() => makeTool("browser"));
+    const browserEntry: MockRegistryToolEntry = {
+      pluginId: "browser",
+      optional: false,
+      source: "/tmp/browser.js",
+      names: ["browser"],
+      declaredNames: ["browser"],
+      factory: browserFactory,
+    };
+    setRegistry([browserEntry]);
+
+    const tools = resolvePluginTools(
+      createResolveToolsParams({
+        toolAllowlist: ["*"],
+        toolDenylist: ["browser"],
+      }),
+    );
+
+    expectResolvedToolNames(tools, []);
+    expect(browserFactory).not.toHaveBeenCalled();
+    expect(loadOpenClawPluginsMock).not.toHaveBeenCalled();
+  });
+
   it("includes optional tools when wildcard allowlist is active (#76507)", () => {
     setOptionalDemoRegistry();
 
diff --git a/src/plugins/tools.ts b/src/plugins/tools.ts
