fix: separate sandbox policy from completion owner in sessions_spawn

Jerry-Xin · Jerry-Xin · commit e21d6506e0ac · 2026-05-17T18:10:47.000+08:00
PR #80242 passed runSessionKey as agentSessionKey to createSessionsSpawnTool, which caused spawnSubagentDirect to use the run session key for sandbox policy checks (resolveSandboxRuntimeStatus). This could make a sandboxed channel run appear unsandboxed. Introduce completionOwnerKey as a separate field that is only used for registerSubagentRun routing (requesterSessionKey), keeping agentSessionKey for sandbox enforcement, callerDepth, activeChildren, and all other policy checks.
diff --git a/src/agents/openclaw-tools.ts b/src/agents/openclaw-tools.ts
@@ -427,7 +427,8 @@ export function createOpenClawTools(
     ...(includeSubagentSpawnTool
       ? [
           createSessionsSpawnTool({
-            agentSessionKey: options?.runSessionKey ?? options?.agentSessionKey,
+            agentSessionKey: options?.agentSessionKey,
+            completionOwnerKey: options?.runSessionKey,
             agentChannel: options?.agentChannel,
             agentAccountId: options?.agentAccountId,
             agentTo: options?.agentTo,
diff --git a/src/agents/subagent-spawn.ts b/src/agents/subagent-spawn.ts
@@ -147,6 +147,8 @@ export type SpawnSubagentParams = {
 
 export type SpawnSubagentContext = {
   agentSessionKey?: string;
+  /** Separate key used only for completion routing, not sandbox policy. */
+  completionOwnerKey?: string;
   agentChannel?: string;
   agentAccountId?: string;
   agentTo?: string;
@@ -774,6 +776,20 @@ export async function spawnSubagentDirect(
     alias,
     mainKey,
   });
+  const completionOwnerInternalKey = ctx.completionOwnerKey
+    ? resolveInternalSessionKey({
+        key: ctx.completionOwnerKey,
+        alias,
+        mainKey,
+      })
+    : undefined;
+  const completionOwnerDisplayKey = completionOwnerInternalKey
+    ? resolveDisplaySessionKey({
+        key: completionOwnerInternalKey,
+        alias,
+        mainKey,
+      })
+    : undefined;
 
   const callerDepth = getSubagentDepthFromSessionStore(requesterInternalKey, { cfg });
   const maxSpawnDepth =
@@ -980,7 +996,7 @@ export async function spawnSubagentDirect(
       agentId: targetAgentId,
       label: label || undefined,
       mode: spawnMode,
-      requesterSessionKey: requesterInternalKey,
+      requesterSessionKey: completionOwnerInternalKey ?? requesterInternalKey,
       requester: {
         channel: childSessionOrigin?.channel,
         accountId: childSessionOrigin?.accountId,
@@ -1246,9 +1262,9 @@ export async function spawnSubagentDirect(
       runId: childRunId,
       childSessionKey,
       controllerSessionKey: requesterInternalKey,
-      requesterSessionKey: requesterInternalKey,
+      requesterSessionKey: completionOwnerInternalKey ?? requesterInternalKey,
       requesterOrigin,
-      requesterDisplayKey,
+      requesterDisplayKey: completionOwnerDisplayKey ?? requesterDisplayKey,
       task,
       taskName,
       cleanup,
diff --git a/src/agents/tools/sessions-spawn-tool.test.ts b/src/agents/tools/sessions-spawn-tool.test.ts
@@ -947,4 +947,40 @@ describe("sessions_spawn tool", () => {
     expect(peerContext.agentSessionKey).toBe(telegramPeerKey);
     expect(runContext.agentSessionKey).toBe(runSessionKey);
   });
+
+  it("passes completionOwnerKey through to spawnSubagentDirect separately from agentSessionKey", async () => {
+    const tool = createSessionsSpawnTool({
+      agentSessionKey: "agent:main:telegram:default:direct:456",
+      completionOwnerKey: "agent:main:main",
+      agentChannel: "telegram",
+      agentAccountId: "default",
+      agentTo: "telegram:direct:456",
+    });
+
+    await tool.execute("call-completion-owner", { task: "background work" });
+
+    const spawnContext = mockCallArg(hoisted.spawnSubagentDirectMock, 0, 1, "spawnSubagentDirect");
+    expect(spawnContext.agentSessionKey).toBe("agent:main:telegram:default:direct:456");
+    expect(spawnContext.completionOwnerKey).toBe("agent:main:main");
+  });
+
+  it("uses completionOwnerKey for ACP registerSubagentRun requesterSessionKey", async () => {
+    registerAcpBackendForTest();
+    const tool = createSessionsSpawnTool({
+      agentSessionKey: "agent:main:telegram:default:direct:456",
+      completionOwnerKey: "agent:main:main",
+      agentChannel: "telegram",
+      agentAccountId: "default",
+      agentTo: "telegram:direct:456",
+    });
+
+    await tool.execute("call-acp-completion-owner", {
+      runtime: "acp",
+      task: "investigate",
+      agentId: "codex",
+    });
+
+    const registration = mockCallArg(hoisted.registerSubagentRunMock, 0, 0, "registerSubagentRun");
+    expect(registration.requesterSessionKey).toBe("agent:main:main");
+  });
 });
diff --git a/src/agents/tools/sessions-spawn-tool.ts b/src/agents/tools/sessions-spawn-tool.ts
@@ -250,6 +250,8 @@ function resolveAcpUnavailableMessage(opts?: { sandboxed?: boolean; config?: Ope
 export function createSessionsSpawnTool(
   opts?: {
     agentSessionKey?: string;
+    /** Separate key used only for completion routing (registerSubagentRun requesterSessionKey). */
+    completionOwnerKey?: string;
     agentChannel?: GatewayMessageChannel;
     agentAccountId?: string;
     agentTo?: string;
@@ -427,6 +429,20 @@ export function createSessionsSpawnTool(
                 mainKey,
               })
             : alias;
+          const completionOwnerInternalKey = opts?.completionOwnerKey
+            ? resolveInternalSessionKey({
+                key: opts.completionOwnerKey,
+                alias,
+                mainKey,
+              })
+            : undefined;
+          const completionOwnerDisplayKey = completionOwnerInternalKey
+            ? resolveDisplaySessionKey({
+                key: completionOwnerInternalKey,
+                alias,
+                mainKey,
+              })
+            : undefined;
           const requesterDisplayKey = resolveDisplaySessionKey({
             key: requesterInternalKey,
             alias,
@@ -445,9 +461,9 @@ export function createSessionsSpawnTool(
             registerSubagentRun({
               runId: childRunId,
               childSessionKey,
-              requesterSessionKey: requesterInternalKey,
+              requesterSessionKey: completionOwnerInternalKey ?? requesterInternalKey,
               requesterOrigin,
-              requesterDisplayKey,
+              requesterDisplayKey: completionOwnerDisplayKey ?? requesterDisplayKey,
               task,
               taskName,
               cleanup: trackedCleanup,
@@ -497,6 +513,7 @@ export function createSessionsSpawnTool(
         },
         {
           agentSessionKey: opts?.agentSessionKey,
+          completionOwnerKey: opts?.completionOwnerKey,
           agentChannel: opts?.agentChannel,
           agentAccountId: opts?.agentAccountId,
           agentTo: opts?.agentTo,
