fix(policy): align agent workspace evidence with runtime

giodl73-repo · giodl73-repo · commit d81f5ed30d07 · 2026-05-22T20:15:38.000-07:00
diff --git a/docs/cli/policy.md b/docs/cli/policy.md
@@ -342,7 +342,7 @@ Example JSON output:
       }
     ]
   },
-  "checksRun": 31,
+  "checksRun": 30,
   "checksSkipped": 0,
   "findings": []
 }
diff --git a/extensions/policy/src/doctor/register.test.ts b/extensions/policy/src/doctor/register.test.ts
@@ -2135,6 +2135,141 @@ describe("registerPolicyDoctorChecks", () => {
     );
   });
 
+  it("accepts sandbox-scoped tool denies for read-only agent workspace policy", async () => {
+    const configPath = join(workspaceDir, "openclaw.jsonc");
+    const cfg = {
+      ...cfgWithPolicy(),
+      tools: {
+        sandbox: { tools: { deny: ["group:runtime", "group:fs"] } },
+      },
+      agents: {
+        defaults: {
+          sandbox: { mode: "all", workspaceAccess: "ro" },
+        },
+        list: [
+          {
+            id: "locked",
+            sandbox: { workspaceAccess: "none" },
+            tools: { sandbox: { tools: { deny: ["group:runtime", "group:fs"] } } },
+          },
+        ],
+      },
+    } as unknown as OpenClawConfig;
+    await fs.writeFile(configPath, "{}", "utf-8");
+    await fs.writeFile(
+      join(workspaceDir, "policy.jsonc"),
+      JSON.stringify({
+        agents: {
+          workspace: {
+            allowedAccess: ["none", "ro"],
+            denyTools: ["exec", "process", "write", "edit", "apply_patch"],
+          },
+        },
+      }),
+      "utf-8",
+    );
+
+    registerPolicyDoctorChecks();
+    const result = await runDoctorLintChecks(ctx(configPath, cfg));
+    const evidence = collectPolicyEvidence(cfg as unknown as Record<string, unknown>);
+
+    expect(evidence.agentWorkspace).toEqual(
+      expect.arrayContaining([
+        expect.objectContaining({
+          id: "agents-defaults-tool-exec",
+          denied: true,
+          source: "oc://openclaw.config/tools/sandbox/tools/deny",
+        }),
+        expect.objectContaining({
+          id: "locked-tool-apply_patch",
+          denied: true,
+          source: "oc://openclaw.config/agents/list/#0/tools/sandbox/tools/deny",
+        }),
+      ]),
+    );
+    expect(result.findings).toEqual([]);
+  });
+
+  it("accepts runtime tool deny globs for agent workspace policy", async () => {
+    const configPath = join(workspaceDir, "openclaw.jsonc");
+    const cfg = {
+      ...cfgWithPolicy(),
+      tools: {
+        deny: ["e*"],
+      },
+      agents: {
+        defaults: {
+          sandbox: { mode: "all", workspaceAccess: "ro" },
+        },
+      },
+    } as unknown as OpenClawConfig;
+    await fs.writeFile(configPath, "{}", "utf-8");
+    await fs.writeFile(
+      join(workspaceDir, "policy.jsonc"),
+      JSON.stringify({
+        agents: {
+          workspace: {
+            allowedAccess: ["ro"],
+            denyTools: ["exec"],
+          },
+        },
+      }),
+      "utf-8",
+    );
+
+    registerPolicyDoctorChecks();
+    const result = await runDoctorLintChecks(ctx(configPath, cfg));
+
+    expect(result.findings).toEqual([]);
+  });
+
+  it("reports sandbox tool deny overrides outside policy", async () => {
+    const configPath = join(workspaceDir, "openclaw.jsonc");
+    const cfg = {
+      ...cfgWithPolicy(),
+      tools: {
+        sandbox: { tools: { deny: ["exec"] } },
+      },
+      agents: {
+        defaults: {
+          sandbox: { mode: "all", workspaceAccess: "ro" },
+        },
+        list: [
+          {
+            id: "locked",
+            sandbox: { workspaceAccess: "none" },
+            tools: { sandbox: { tools: { deny: ["group:fs"] } } },
+          },
+        ],
+      },
+    } as unknown as OpenClawConfig;
+    await fs.writeFile(configPath, "{}", "utf-8");
+    await fs.writeFile(
+      join(workspaceDir, "policy.jsonc"),
+      JSON.stringify({
+        agents: {
+          workspace: {
+            allowedAccess: ["none", "ro"],
+            denyTools: ["exec"],
+          },
+        },
+      }),
+      "utf-8",
+    );
+
+    registerPolicyDoctorChecks();
+    const result = await runDoctorLintChecks(ctx(configPath, cfg));
+
+    expect(result.findings).toEqual([
+      expect.objectContaining({
+        checkId: "policy/agents-tool-not-denied",
+        message: "agent 'locked' does not deny required tool 'exec'.",
+        ocPath: "oc://openclaw.config/agents/list/#0/tools/deny",
+        requirement: "oc://policy.jsonc/agents/workspace/denyTools",
+      }),
+    ]);
+  });
+
   it("accepts read-only agent workspace policy with group denies", async () => {
     const configPath = join(workspaceDir, "openclaw.jsonc");
     const cfg = {
@@ -2174,6 +2309,54 @@ describe("registerPolicyDoctorChecks", () => {
     expect(result.findings).toEqual([]);
   });
 
+  it("reports read-only workspace policy when sandbox mode skips the main session", async () => {
+    const configPath = join(workspaceDir, "openclaw.jsonc");
+    const cfg = {
+      ...cfgWithPolicy(),
+      tools: {
+        sandbox: { tools: { deny: ["exec"] } },
+      },
+      agents: {
+        defaults: {
+          sandbox: { mode: "non-main", workspaceAccess: "ro" },
+        },
+      },
+    } as unknown as OpenClawConfig;
+    await fs.writeFile(configPath, "{}", "utf-8");
+    await fs.writeFile(
+      join(workspaceDir, "policy.jsonc"),
+      JSON.stringify({
+        agents: {
+          workspace: {
+            allowedAccess: ["ro"],
+            denyTools: ["exec"],
+          },
+        },
+      }),
+      "utf-8",
+    );
+
+    registerPolicyDoctorChecks();
+    const result = await runDoctorLintChecks(ctx(configPath, cfg));
+
+    expect(result.findings).toEqual(
+      expect.arrayContaining([
+        expect.objectContaining({
+          checkId: "policy/agents-workspace-access-denied",
+          message: "agents.defaults sandbox mode 'non-main' is not allowed by policy.",
+          ocPath: "oc://openclaw.config/agents/defaults/sandbox/mode",
+          requirement: "oc://policy.jsonc/agents/workspace/allowedAccess",
+        }),
+        expect.objectContaining({
+          checkId: "policy/agents-tool-not-denied",
+          message: "agents.defaults does not deny required tool 'exec'.",
+          ocPath: "oc://openclaw.config/tools/deny",
+          requirement: "oc://policy.jsonc/agents/workspace/denyTools",
+        }),
+      ]),
+    );
+  });
+
   it("reports read-only workspace policy when sandbox mode is disabled", async () => {
     const configPath = join(workspaceDir, "openclaw.jsonc");
     const cfg = {
diff --git a/extensions/policy/src/policy-state.ts b/extensions/policy/src/policy-state.ts
@@ -697,6 +697,7 @@ function pushAgentWorkspaceEvidence(
   const explicitSandboxMode = readString(params.sandbox.mode);
   const inheritedSandboxMode = readString(params.inheritedSandbox.mode);
   const sandboxMode = explicitSandboxMode ?? inheritedSandboxMode ?? "off";
+  const sandboxModeCoversAgentMain = sandboxMode === "all";
   const sandboxModeSource =
     explicitSandboxMode !== undefined
       ? `${params.workspaceSourceBase}/sandbox/mode`
@@ -719,30 +720,75 @@ function pushAgentWorkspaceEvidence(
     value: explicitWorkspaceAccess ?? inheritedWorkspaceAccess ?? "none",
     sandboxMode,
     sandboxModeSource,
-    sandboxEnabled: sandboxMode !== "off",
+    sandboxEnabled: sandboxModeCoversAgentMain,
     explicit: explicitWorkspaceAccess !== undefined,
   });
 
   for (const tool of AGENT_WORKSPACE_POLICY_TOOLS) {
-    const inheritedDenied = toolListCoversTool(readStringArray(params.inheritedTools.deny), tool);
-    const localDenied = toolListCoversTool(readStringArray(params.tools.deny), tool);
+    const denyEvidence = agentWorkspaceToolDenyEvidence(params, tool, sandboxModeCoversAgentMain);
     entries.push({
       id: `${params.id}-tool-${tool}`,
       kind: "toolDeny",
-      source: localDenied
-        ? `${params.toolsSourceBase}/deny`
-        : inheritedDenied
-          ? `${params.inheritedToolsSourceBase}/deny`
-          : `${params.toolsSourceBase}/deny`,
+      source: denyEvidence.source,
       scope: params.scope,
       ...(params.agentId === undefined ? {} : { agentId: params.agentId }),
       tool,
-      denied: inheritedDenied || localDenied,
-      explicit: localDenied || inheritedDenied,
+      denied: denyEvidence.denied,
+      explicit: denyEvidence.denied,
     });
   }
 }
 
+function agentWorkspaceToolDenyEvidence(
+  params: {
+    readonly tools: Record<string, unknown>;
+    readonly inheritedTools: Record<string, unknown>;
+    readonly toolsSourceBase: string;
+    readonly inheritedToolsSourceBase: string;
+  },
+  tool: string,
+  sandboxModeCoversAgentMain: boolean,
+): { readonly denied: boolean; readonly source: string } {
+  const localSandboxToolDeny = configuredSandboxToolDenyEntries(params.tools);
+  const inheritedSandboxToolDeny = configuredSandboxToolDenyEntries(params.inheritedTools);
+  const sources = [
+    {
+      entries: readStringArray(params.tools.deny),
+      source: `${params.toolsSourceBase}/deny`,
+    },
+    {
+      entries: readStringArray(params.inheritedTools.deny),
+      source: `${params.inheritedToolsSourceBase}/deny`,
+    },
+    ...(sandboxModeCoversAgentMain
+      ? [
+          localSandboxToolDeny !== undefined
+            ? {
+                entries: localSandboxToolDeny,
+                source: `${params.toolsSourceBase}/sandbox/tools/deny`,
+              }
+            : {
+                entries: inheritedSandboxToolDeny ?? [],
+                source: `${params.inheritedToolsSourceBase}/sandbox/tools/deny`,
+              },
+        ]
+      : []),
+  ];
+  const match = sources.find((entry) => toolListCoversTool(entry.entries, tool));
+  if (match !== undefined) {
+    return { denied: true, source: match.source };
+  }
+  return { denied: false, source: `${params.toolsSourceBase}/deny` };
+}
+
+function configuredSandboxToolDenyEntries(
+  tools: Record<string, unknown>,
+): readonly string[] | undefined {
+  const sandbox = isRecord(tools.sandbox) ? tools.sandbox : {};
+  const sandboxTools = isRecord(sandbox.tools) ? sandbox.tools : {};
+  return Array.isArray(sandboxTools.deny) ? readStringArray(sandboxTools.deny) : undefined;
+}
+
 const AGENT_WORKSPACE_POLICY_TOOLS = ["exec", "process", "write", "edit", "apply_patch"] as const;
 
 const POLICY_TOOL_GROUPS: Record<string, readonly string[]> = {
@@ -772,6 +818,11 @@ function normalizePolicyToolName(value: string): string {
   return normalized;
 }
 
+function policyToolGlobMatches(tool: string, pattern: string): boolean {
+  const escaped = pattern.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+  return new RegExp(`^${escaped.replaceAll("\\*", ".*")}$`).test(tool);
+}
+
 function toolListCoversTool(list: readonly string[], tool: string): boolean {
   for (const entry of list) {
     const normalized = normalizePolicyToolName(entry);
@@ -781,6 +832,9 @@ function toolListCoversTool(list: readonly string[], tool: string): boolean {
     if (POLICY_TOOL_GROUPS[normalized]?.includes(tool)) {
       return true;
     }
+    if (normalized.includes("*") && policyToolGlobMatches(tool, normalized)) {
+      return true;
+    }
   }
   return false;
 }

Original file line number	Diff line number	Diff line change
`@@ -342,7 +342,7 @@ Example JSON output:`
`342`	`342`	`}`
`343`	`343`	`]`
`344`	`344`	`},`
`345`		`- "checksRun": 31,`
	`345`	`+ "checksRun": 30,`
`346`	`346`	`"checksSkipped": 0,`
`347`	`347`	`"findings": []`
`348`	`348`	`}`