fix(gateway): tighten tools invoke rpc contract

BunsDev · BunsDev · commit 8d1582edc236 · 2026-05-01T03:04:16.000-05:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -8,6 +8,7 @@ Docs: https://docs.openclaw.ai
 
 - Voice Call/Google Meet: add Twilio Meet join phase logs around pre-connect DTMF, realtime stream setup, and initial greeting handoff for easier live-call debugging. Thanks @donkeykong91 and @PfanP.
 - macOS app: move recent session context rows into a Context submenu while keeping usage and cost details root-level, so the menu bar companion stays compact with many active sessions. Thanks @guti.
+- Gateway/SDK: add SDK-facing tools.invoke RPC with shared HTTP policy, typed approval/refusal results, and SDK helper support. Refs #74705. Thanks @BunsDev and @ai-hpc.
 - Messages/docs: clarify that `BodyForAgent` is the primary inbound model text while `Body` is the legacy envelope fallback, and add Signal coverage so channel hardening patches target the real prompt path. Refs #66198. Thanks @defonota3box.
 - Control UI/Usage: add UTC quarter-hour token buckets for the Usage Mosaic and reuse them for hour filtering, keeping the legacy session-span fallback for older summaries. (#74337) Thanks @konanok.
 - BlueBubbles: add opt-in `channels.bluebubbles.replyContextApiFallback` that fetches the original message from the BlueBubbles HTTP API when the in-memory reply-context cache misses (multi-instance deployments sharing one BB account, post-restart, after long-lived TTL/LRU eviction). Off by default; channel-level setting propagates to accounts that omit the flag through `mergeAccountConfig`; routed through the typed `BlueBubblesClient` so every fetch is SSRF-guarded by the same three-mode policy as every other BB client request; reply-id shape is validated and part-index prefixes (`p:0/<guid>`) are stripped before the request; concurrent webhooks for the same `replyToId` coalesce into one fetch and successful responses populate the reply cache for subsequent hits. Also promotes BlueBubbles attachment download failures from verbose to runtime error so silently-dropped inbound images are visible at default log level, and extends `sanitizeForLog` to redact `?password=…`/`?token=…` query params and `Authorization:` headers before they reach the log sink (CWE-532). (#71820) Thanks @coletebou and @zqchris.
diff --git a/apps/macos/Sources/OpenClawProtocol/GatewayModels.swift b/apps/macos/Sources/OpenClawProtocol/GatewayModels.swift
@@ -3831,48 +3831,36 @@ public struct ToolsEffectiveResult: Codable, Sendable {
 }
 
 public struct ToolsInvokeParams: Codable, Sendable {
-    public let name: String?
-    public let tool: String?
-    public let action: String?
+    public let name: String
     public let args: [String: AnyCodable]?
     public let sessionkey: String?
     public let agentid: String?
     public let confirm: Bool?
     public let idempotencykey: String?
-    public let dryrun: Bool?
 
     public init(
-        name: String?,
-        tool: String?,
-        action: String?,
+        name: String,
         args: [String: AnyCodable]?,
         sessionkey: String?,
         agentid: String?,
         confirm: Bool?,
-        idempotencykey: String?,
-        dryrun: Bool?)
+        idempotencykey: String?)
     {
         self.name = name
-        self.tool = tool
-        self.action = action
         self.args = args
         self.sessionkey = sessionkey
         self.agentid = agentid
         self.confirm = confirm
         self.idempotencykey = idempotencykey
-        self.dryrun = dryrun
     }
 
     private enum CodingKeys: String, CodingKey {
         case name
-        case tool
-        case action
         case args
         case sessionkey = "sessionKey"
         case agentid = "agentId"
         case confirm
         case idempotencykey = "idempotencyKey"
-        case dryrun = "dryRun"
     }
 }
 
diff --git a/apps/shared/OpenClawKit/Sources/OpenClawProtocol/GatewayModels.swift b/apps/shared/OpenClawKit/Sources/OpenClawProtocol/GatewayModels.swift
@@ -3831,48 +3831,36 @@ public struct ToolsEffectiveResult: Codable, Sendable {
 }
 
 public struct ToolsInvokeParams: Codable, Sendable {
-    public let name: String?
-    public let tool: String?
-    public let action: String?
+    public let name: String
     public let args: [String: AnyCodable]?
     public let sessionkey: String?
     public let agentid: String?
     public let confirm: Bool?
     public let idempotencykey: String?
-    public let dryrun: Bool?
 
     public init(
-        name: String?,
-        tool: String?,
-        action: String?,
+        name: String,
         args: [String: AnyCodable]?,
         sessionkey: String?,
         agentid: String?,
         confirm: Bool?,
-        idempotencykey: String?,
-        dryrun: Bool?)
+        idempotencykey: String?)
     {
         self.name = name
-        self.tool = tool
-        self.action = action
         self.args = args
         self.sessionkey = sessionkey
         self.agentid = agentid
         self.confirm = confirm
         self.idempotencykey = idempotencykey
-        self.dryrun = dryrun
     }
 
     private enum CodingKeys: String, CodingKey {
         case name
-        case tool
-        case action
         case args
         case sessionkey = "sessionKey"
         case agentid = "agentId"
         case confirm
         case idempotencykey = "idempotencyKey"
-        case dryrun = "dryRun"
     }
 }
 
diff --git a/docs/gateway/protocol.md b/docs/gateway/protocol.md
@@ -503,9 +503,10 @@ enumeration of `src/gateway/server-methods/*.ts`.
     including core, plugin, and channel tools.
 - Operators may call `tools.invoke` (`operator.write`) to invoke one available tool through the
   same gateway policy path as `/tools/invoke`.
-  - `name` is required for SDK callers; `tool` is accepted as the HTTP-compatible alias.
-    `action`, `args`, `sessionKey`, `agentId`, `confirm`, `idempotencyKey`, and reserved
-    `dryRun` are optional.
+  - `name` is required. `args`, `sessionKey`, `agentId`, `confirm`, and
+    `idempotencyKey` are optional.
+  - If both `sessionKey` and `agentId` are present, the resolved session agent must match
+    `agentId`.
   - The response is an SDK-facing envelope with `ok`, `toolName`, optional `output`, and typed
     `error` fields. Approval or policy refusals return `ok:false` in the payload rather than
     bypassing the gateway tool policy pipeline.
diff --git a/packages/sdk/src/client.ts b/packages/sdk/src/client.ts
@@ -769,13 +769,11 @@ export class ToolsNamespace extends RpcNamespace {
   async invoke(name: string, params?: ToolInvokeParams): Promise<ToolInvokeResult> {
     return await this.call("invoke", {
       name,
-      ...(params?.action ? { action: params.action } : {}),
       ...(params?.args ? { args: params.args } : {}),
       ...(params?.sessionKey ? { sessionKey: params.sessionKey } : {}),
       ...(params?.agentId ? { agentId: params.agentId } : {}),
       ...(typeof params?.confirm === "boolean" ? { confirm: params.confirm } : {}),
       ...(params?.idempotencyKey ? { idempotencyKey: params.idempotencyKey } : {}),
-      ...(typeof params?.dryRun === "boolean" ? { dryRun: params.dryRun } : {}),
     });
   }
 }
diff --git a/packages/sdk/src/index.test.ts b/packages/sdk/src/index.test.ts
@@ -359,24 +359,20 @@ describe("OpenClaw SDK", () => {
     await expect(
       oc.tools.invoke("demo", {
         args: { mode: "test" },
-        action: "json",
         sessionKey: "agent:main:main",
         confirm: false,
         idempotencyKey: "tools-invoke-test",
-        dryRun: false,
       }),
     ).resolves.toMatchObject({ ok: true, toolName: "demo", output: { value: 1 } });
     expect(transport.calls).toEqual([
       {
         method: "tools.invoke",
         params: {
           name: "demo",
-          action: "json",
           args: { mode: "test" },
           sessionKey: "agent:main:main",
           confirm: false,
           idempotencyKey: "tools-invoke-test",
-          dryRun: false,
         },
         options: undefined,
       },
diff --git a/packages/sdk/src/types.ts b/packages/sdk/src/types.ts
@@ -115,13 +115,11 @@ export type SDKError = {
 };
 
 export type ToolInvokeParams = {
-  action?: string;
   args?: JsonObject;
   sessionKey?: string;
   agentId?: string;
   confirm?: boolean;
   idempotencyKey?: string;
-  dryRun?: boolean;
 };
 
 export type ToolInvokeResult = {
diff --git a/src/gateway/protocol/schema/agents-models-skills.ts b/src/gateway/protocol/schema/agents-models-skills.ts
@@ -377,15 +377,12 @@ export const ToolsEffectiveParamsSchema = Type.Object(
 
 export const ToolsInvokeParamsSchema = Type.Object(
   {
-    name: Type.Optional(NonEmptyString),
-    tool: Type.Optional(NonEmptyString),
-    action: Type.Optional(NonEmptyString),
+    name: NonEmptyString,
     args: Type.Optional(Type.Record(Type.String(), Type.Unknown())),
     sessionKey: Type.Optional(NonEmptyString),
     agentId: Type.Optional(NonEmptyString),
     confirm: Type.Optional(Type.Boolean()),
     idempotencyKey: Type.Optional(NonEmptyString),
-    dryRun: Type.Optional(Type.Boolean()),
   },
   { additionalProperties: false },
 );
diff --git a/src/gateway/server-methods/tools-invoke.ts b/src/gateway/server-methods/tools-invoke.ts
@@ -43,15 +43,12 @@ export const toolsInvokeHandlers: GatewayRequestHandlers = {
       );
       return;
     }
-    const requestedToolName = normalizeOptionalString(params.name ?? params.tool);
+    const requestedToolName = normalizeOptionalString(params.name);
     if (!requestedToolName) {
       respond(
         false,
         undefined,
-        errorShape(
-          ErrorCodes.INVALID_REQUEST,
-          "invalid tools.invoke params: name or tool required",
-        ),
+        errorShape(ErrorCodes.INVALID_REQUEST, "invalid tools.invoke params: name required"),
       );
       return;
     }
diff --git a/src/gateway/tools-invoke-http.test.ts b/src/gateway/tools-invoke-http.test.ts
@@ -923,8 +923,7 @@ describe("tools.invoke Gateway RPC", () => {
     allowAgentsListForMain();
 
     const call = await invokeToolsRpc({
-      tool: "agents_list",
-      action: "json",
+      name: "agents_list",
       args: {},
       sessionKey: "main",
       idempotencyKey: "rpc-tool-test",
@@ -979,6 +978,33 @@ describe("tools.invoke Gateway RPC", () => {
     });
   });
 
+  it("rejects mismatched session and agent scope", async () => {
+    cfg = {
+      agents: {
+        list: [
+          { id: "main", default: true, tools: { allow: ["agents_list"] } },
+          { id: "other", tools: { allow: ["agents_list"] } },
+        ],
+      },
+    };
+
+    const call = await invokeToolsRpc({
+      name: "agents_list",
+      sessionKey: "agent:main:main",
+      agentId: "other",
+    });
+
+    expect(call?.[0]).toBe(true);
+    expect(call?.[1]).toMatchObject({
+      ok: false,
+      toolName: "agents_list",
+      error: {
+        code: "validation_error",
+        message: 'agent id "other" does not match session agent "main"',
+      },
+    });
+  });
+
   it("rejects malformed params at the RPC boundary", async () => {
     const call = await invokeToolsRpc({ name: "" });
 
diff --git a/src/gateway/tools-invoke-shared.ts b/src/gateway/tools-invoke-shared.ts
@@ -214,6 +214,18 @@ export async function invokeGatewayTool(params: {
   if (knownCoreTool && !tools.some((candidate) => candidate.name === toolName)) {
     ({ agentId, tools } = resolveTools(false));
   }
+  const requestedAgentId = normalizeOptionalString(params.input.agentId);
+  if (requestedAgentId && agentId && requestedAgentId !== agentId) {
+    return {
+      ok: false,
+      status: 400,
+      toolName,
+      error: {
+        type: "invalid_request",
+        message: `agent id "${requestedAgentId}" does not match session agent "${agentId}"`,
+      },
+    };
+  }
   const tool = applyOwnerOnlyToolPolicy(tools, params.senderIsOwner).find(
     (candidate) => candidate.name === toolName,
   );

Original file line number	Diff line number	Diff line change
`@@ -769,13 +769,11 @@ export class ToolsNamespace extends RpcNamespace {`
`769`	`769`	`async invoke(name: string, params?: ToolInvokeParams): Promise<ToolInvokeResult> {`
`770`	`770`	`return await this.call("invoke", {`
`771`	`771`	`name,`
`772`		`- ...(params?.action ? { action: params.action } : {}),`
`773`	`772`	`...(params?.args ? { args: params.args } : {}),`
`774`	`773`	`...(params?.sessionKey ? { sessionKey: params.sessionKey } : {}),`
`775`	`774`	`...(params?.agentId ? { agentId: params.agentId } : {}),`
`776`	`775`	`...(typeof params?.confirm === "boolean" ? { confirm: params.confirm } : {}),`
`777`	`776`	`...(params?.idempotencyKey ? { idempotencyKey: params.idempotencyKey } : {}),`
`778`		`- ...(typeof params?.dryRun === "boolean" ? { dryRun: params.dryRun } : {}),`
`779`	`777`	`});`
`780`	`778`	`}`
`781`	`779`	`}`