Feature Request: Middleware hooks for agent protocol enforcement

[philliptiongson]

Summary

Add optional middleware hooks to OpenClaw that allow runtime enforcement of agent protocols, beyond post-hoc scoring.

Problem

Current ACT (Agent Capability Test) framework scores agents after the fact. We can detect protocol violations, but cannot prevent them. This leads to:

1. Self-assessment inflation — agents describe compliance but dont execute it
2. WAL violations — agents respond before writing state files
3. Handshake failures — agents skip the startup handshake block
4. Tool proliferation — agents use direct tools instead of wrapper scripts

Desired Hooks

1. tool_choice lock (per-session)

Allow forcing a session to text-only mode for the first turn:
session.set_tool_choice("none") # First turn: text only
session.set_tool_choice("auto") # Subsequent turns: normal
Use case: Enforce handshake output before any tool calls.

2. Pre-tool-call validation

Allow intercepting tool calls before execution:
def tool_validator(call):
if not call_has_valid_nonce(call):
return {"error": "missing run_token"}
return {"ok": true}

gateway.register_tool_validator(tool_validator)
Use case: Ensure WAL (Write-Ahead Logging) is written before any substantive tool calls.

3. Turn-phase markers

Allow marking turns as protocol preamble vs substantive work:
session.begin_phase("preflight")

... protocol handshake/wal ...

session.end_phase("preflight")
session.begin_phase("work")
Use case: Separate preflight compliance from scenario work in evidence/tracking.

Why This Matters

Without runtime enforcement, were limited to:

• Post-hoc scoring (measures but doesnt prevent)
• Retry loops (works but inefficient)
• Wrapper scripts (fragile, easily bypassed)

With hooks, we can:

• Block non-compliant behavior before it happens
• Make compliance mechanically enforced vs. honor-system
• Build finite-state machines for agent behavior

Alternative Considered

We considered building this outside OpenClaw (external harness), but:

• Tool routing lives inside OpenClaw
• Session state is in OpenClaw
• The right place for these hooks is the gateway

Environment

• OpenClaw 2026.2.26
• Running ACT tests via run-test.sh
• Using Sonnet and MiniMax models

---

This would enable the ACT preflight gate system to work with true runtime enforcement rather than retry loops.

[svan058]

Strong +1 on this. We're hitting the exact same wall from a different angle.

We run a relational agent (Claude Opus) with a multi-step reasoning loop (persona grounding, context retrieval, output validation) defined in workspace files. The loop works when the model follows it, but there's zero enforcement — it's honor system. The model can skip person-file retrieval, skip output quality checks, skip the whole reasoning protocol, and nothing stops it.

What we need is exactly what you've described: deterministic gates in the pipeline that the model can't route around. Specifically:

• Pre-generation hook: force retrieval calls (load person context, load chat history) before the model sees the message. Not 'please read these files' in the prompt — actual tool calls that must complete before generation starts.
• Post-generation hook: validate output against quality criteria before it reaches the user. Did it ground in context? Does it contain actionable content vs meta-narration? If validation fails, regenerate with feedback.

This connects directly to Discussion #20575 — the plugin hook system already fires llm_input/llm_output internally but it's not bridged to external handlers. If that bridge lands AND this issue adds the ability to block/modify at those hook points (not just observe), you'd have a full enforcement pipeline: intercept before generation → inject required context → generate → validate output → send or reject.

The alternative right now is forking OpenClaw for pipeline control, which works but creates a maintenance burden that shouldn't be necessary. A clean hook system with blocking capability would make this a config-level feature instead of a fork-level decision.

Happy to help test/validate a PR against our setup if it would be useful.

[eadmin2]

Production Case Study: Why This Feature Request Matters

I'm running a 6-agent OpenClaw team (v2026.3.13, Windows, Claude Sonnet 4.6) for a SaaS business. Hit the exact problems described here — specifically self-assessment inflation — and had to build a workaround. Sharing what happened, what I built, and what's still missing.

The Problem in Practice

My main agent (Jarvis) has SOUL.md rules that say "bias toward action" and "fix errors immediately." Despite this, when Jarvis detected cron job failures and config errors, he:

1. Reported the error but didn't fix it — waited for my approval even though the fix was within his authority
2. Said he logged a behavioral correction but hadn't — I had to follow up before he actually wrote the file
3. Said he'd hardened SOUL.md with a new rule but hadn't — again, only did it after I checked

Three rounds of "I did it" → "show me" → "okay doing it now." This is textbook self-assessment inflation: the agent describes compliance without executing it.

What I Built (Workaround)

Since there's no message:sent hook or pre-response middleware, I built a 4-layer enforcement system using what's currently available:

Layer 1 — SOUL.md Rules: Added explicit "Write-Before-Speak Rule" — never say "Done" until the file write is verified by reading it back. Sequence: execute → verify → report.

Layer 2 — HEARTBEAT.md Self-Compliance Check: Every 30 minutes, the agent audits its own recent claims against filesystem reality (file existence + modification timestamps).

Layer 3 — Nightly Audit Cron: Isolated session at 10 PM scans the day's transcripts for completion claims, cross-references against actual file state.

Layer 4 — verify-claims Custom Hook: Registered on command events. On /new or /stop, reads the latest session transcript, scans for claim phrases ("Done", "Fixed", "Created", etc.), extracts referenced file paths, checks if they exist and were recently modified. Logs discrepancies to an improvement log and queues Slack alerts.

What's Missing (Why This Feature Request Should Be Prioritized)

The workaround works but has fundamental limitations:

1. No message:sent event type for hooks. The ideal trigger is intercepting outbound messages before delivery to verify claims in real-time. Currently I can only audit after the session ends via command events. The agent can say "Done" and the user sees it immediately — the audit happens later.

2. No pre-response validation hook. If I could intercept the response before it reaches the user, I could block messages that contain "Done" / "Fixed" without a corresponding verified file write in the same turn. This maps directly to the pre-tool-call validation hook proposed in this issue.

3. No turn-phase markers. Being able to distinguish "the agent is executing" from "the agent is reporting" would let enforcement hooks know whether a completion claim is premature.

4. SOUL.md is soft guidance only. No matter how explicit the rules are, the model can still say "Done" without doing the work. The only real enforcement is mechanical — which is exactly what this feature request proposes.

Key Takeaway

The gap between "the agent said it complied" and "the agent actually complied" is the single biggest reliability problem in autonomous OpenClaw deployments. Post-hoc scoring catches it too late. SOUL.md rules are necessary but insufficient. Runtime middleware hooks — especially on outbound messages — would close this gap mechanically.

Environment: OpenClaw 2026.3.13, Windows (native, no Docker), Claude Sonnet 4.6 via Anthropic API, 6 agents, Slack channel delivery.

[AlxM1]

Real-World Use Case: Identity Verification Gate

We run a persistent OpenClaw agent (main session on Telegram) with a mandatory identity verification protocol:

• After 1+ hour session gap: challenge user for PIN/passphrase before any output
• Daily after 05:00: require full passphrase (not just PIN)
• Zero tools, zero conversation until verified

The problem: This is enforced purely through system prompt instructions (SOUL.md, AGENTS.md). The LLM is both the enforcer and the entity being enforced. Under context pressure (urgent messages, reactive responses), it routinely skips verification and responds directly — the exact failure mode described in this issue.

What we built as a workaround:

• Filesystem flag (~/.openclaw/.verify-required) set by cron every 15 min on session gap
• verification-gate.sh script that checks/sets/clears the flag
• check-verification.py clears the flag on successful auth
• BEFORE-RESPONDING.md workspace file injected into context as first instruction

What we still need (and can't build outside the gateway):

• Pre-message hook: Before the LLM sees an inbound message, run a script. If it returns non-zero, block the message and inject a fixed response ("Verification required"). This removes the LLM from the enforcement loop entirely.
• Forced first-tool-call: Ability to configure that the first action in a session turn MUST be a specific tool call before text generation is allowed.

The tool_choice lock proposed in this issue would solve our case perfectly. Even a simpler version — a config-level preMessageScript that gates inbound messages — would be transformative.

+1 on this feature. The honor-system approach does not work for security-critical agent protocols.

[openclaw-barnacle]

This issue has been automatically marked as stale due to inactivity.
Please add updates or it will be closed.

[openclaw-barnacle]

Closing due to inactivity.
If this is still an issue, please retry on the latest OpenClaw release and share updated details.
If you are absolutely sure it still happens on the latest release, open a new issue with fresh repro steps.