[Bug]: `apply_patch` is treated as an unknown/plugin-only tool in agent policy pipeline, so agent-routed runs cannot execute it

[Alfred-claw28]

Bug type

Regression (worked before, now fails)

Summary

Summary

In OpenClaw 2026.3.12, apply_patch appears to exist as a built-in runtime tool, but the agent tool-policy pipeline strips it from allowlists before execution.
This causes repeated warnings like:

• tools.profile (coding) allowlist contains unknown entries (apply_patch)
• tools.allow allowlist contains unknown entries (apply_patch)

Steps to reproduce

Reproduction

1. Configure OpenClaw with tools.exec.applyPatch.enabled = true
2. Use an eligible OpenAI/Codex model (for example gpt-5.1-codex-mini / gpt-5.4 depending on local config)
3. Run an agent turn that asks to update a workspace file using apply_patch
4. Observe:
   • no actual apply_patch tool call in session history
   • file unchanged
   • logs contain unknown-entry warnings for apply_patch

Expected behavior

Expected behavior

If apply_patch is a supported built-in tool for the active runtime/model, it should be recognized as a core/valid tool during allowlist resolution and should not be stripped as an unknown entry.

Actual behavior

Actual behavior

apply_patch is treated as unknown/plugin-only during allowlist sanitization, so agent runs cannot execute it.

OpenClaw version

OpenClaw 2026.3.12

Operating system

Linux Mint 22.3

Install method

npm global

Model

Openai GPT 5-4

Provider / routing chain

openclaw->tailscale-gateway

Config file / key location

No response

Additional provider/model setup details

No response

Logs, screenshots, and evidence

Impact and severity

No response

Additional information

Temporary local workaround used

A narrow local patch that forces apply_patch into coreToolNames for this pipeline:

const coreToolNames = new Set(
  params.tools
    .filter((tool) => !params.toolMeta(tool) || normalizeToolName$1(tool.name) === "apply_patch")
    .map((tool) => normalizeToolName$1(tool.name))
    .filter(Boolean)
);

Questions for maintainers

• Should apply_patch be treated as a core tool in this path?
• Is the toolMeta(...) test too broad for built-in tools that carry metadata?
• Are there other built-ins affected by the same classification issue?

[dsantoreis]

Hey @Alfred-claw28 — I traced through the code. Here's what's happening:

apply_patch is in the core tool catalog (tool-catalog.ts), and there's even an explicit fallback in pi-tools.policy.ts that grants it access when exec is in the allowlist. So the policy filter itself would let it through.

The problem is upstream of the policy filter: apply_patch is conditionally gated in pi-tools.ts behind two checks:

const applyPatchEnabled =
  !!applyPatchConfig?.enabled &&
  isOpenAIProvider(options?.modelProvider) &&
  isApplyPatchAllowedForModel({ modelProvider, modelId, allowModels });

If either isOpenAIProvider returns false for your provider chain or isApplyPatchAllowedForModel doesn't match your model id, the tool never gets created. When it's not in the resolved tool set but IS in your allowlist, the pipeline correctly warns that it's "unknown" (because it's a core tool that's unavailable for the current runtime).

Your setup goes through openclaw→tailscale-gateway, so it's worth checking: does the gateway preserve the provider identity as OpenAI? If the tailscale relay rewrites or proxies it, isOpenAIProvider might return false.

Also, what does your tools.exec.applyPatch.allowModels look like? If it's set, it needs to contain a pattern matching gpt-5-4 (or whatever the normalized model id is). If unset, any OpenAI model should pass.

TL;DR: not a bug in the policy pipeline itself — it's the conditional tool creation that's filtering it before the pipeline ever sees it. The warning is actually helpful here, telling you the tool exists but can't activate for your config.

[dsantoreis]

Looked into this. The root cause is in pi-tools.ts (line ~352-355):

const applyPatchEnabled =
    !!applyPatchConfig?.enabled &&
    isOpenAIProvider(options?.modelProvider) &&
    isApplyPatchAllowedForModel({ ... });

isOpenAIProvider only returns true for "openai" or "openai-codex" (exact match after lowercasing). When routing through a tailscale gateway or any custom provider that forwards to OpenAI, modelProvider resolves to whatever the gateway reports, not "openai".

So the tool never gets created, never enters the tools array, and the policy pipeline correctly flags it as unknown in the allowlist since it is not a core tool at that point.

Two things going on:

1. Provider gate is too strict for routed setups. The isOpenAIProvider check should probably also accept provider aliases or have a config override (something like tools.exec.applyPatch.forceProvider: "openai").

2. The warning is misleading. If apply_patch is in the tool catalog with profiles: ["coding"], the coding profile allowlist will always include it, but the tool only exists conditionally. The pipeline should probably suppress the unknown-entry warning for catalog entries that are disabled by provider/model gating rather than treating them the same as typos.

For a workaround: if your tailscale gateway preserves the original provider name as openai in the model routing response, it should work. Otherwise there is no workaround short of patching isOpenAIProvider to accept your provider string.

[Giszmo]

Using ppq.ai's "autoclaw" as described here I'm running into the same issue. As autoclaw is routing to up to 4 different models, it might not be compatible with the fix proposed by @justinhuangcode ?

My crustacean suggests to add:

Also hitting this with ppq/autoclaw routing to Kimi K2.5. Suggests the allowlist stripping affects more than just apply_patch / OpenAI models - any dynamically-routed model where OpenClaw can't pre-determine the tool schema gets hit.

Crustacean claimed to have patched the local version with #45293 and kimi k2.5 still failed when being triggered via ppq/autoclaw.

[justinhuangai]

Using ppq.ai's "autoclaw" as described here I'm running into the same issue. As autoclaw is routing to up to 4 different models, it might not be compatible with the fix proposed by @justinhuangcode ?

My crustacean suggests to add:

Also hitting this with ppq/autoclaw routing to Kimi K2.5. Suggests the allowlist stripping affects more than just apply_patch / OpenAI models - any dynamically-routed model where OpenClaw can't pre-determine the tool schema gets hit.

Crustacean claimed to have patched the local version with #45293 and kimi k2.5 still failed when being triggered via ppq/autoclaw.

I took another look at this on the latest upstream main, and I think my original read in #45293 was probably off.

At this point, my best read is that the main failure mode here is happening earlier, at tool creation time in src/agents/pi-tools.ts, not in tool-policy-pipeline.

apply_patch currently only seems to get created when:

• tools.exec.applyPatch.enabled is on
• the resolved provider is openai or openai-codex
• tools.exec.applyPatch.allowModels matches, if configured

Relevant source:

• https://github.com/openclaw/openclaw/blob/main/src/agents/pi-tools.ts#L62
• https://github.com/openclaw/openclaw/blob/main/src/agents/pi-tools.ts#L106
• https://github.com/openclaw/openclaw/blob/main/src/agents/pi-tools.ts#L357

So in cases like ppq/autoclaw, my suspicion is that apply_patch never gets created in the first place, which would also explain why applying #45293 locally didn’t help.

The current tests also seem to line up with that reading:

• https://github.com/openclaw/openclaw/blob/main/src/agents/pi-tools.create-openclaw-coding-tools.adds-claude-style-aliases-schemas-without-dropping-b.test.ts#L54
• https://github.com/openclaw/openclaw/blob/main/src/agents/tool-policy-pipeline.test.ts#L48

So I think this likely needs to be re-triaged as a provider/model capability gating issue rather than a policy-pipeline classification bug.

[justinhuangai]

Bug type

Regression (worked before, now fails)

Summary

Summary

In OpenClaw 2026.3.12, apply_patch appears to exist as a built-in runtime tool, but the agent tool-policy pipeline strips it from allowlists before execution. This causes repeated warnings like:

• tools.profile (coding) allowlist contains unknown entries (apply_patch)
• tools.allow allowlist contains unknown entries (apply_patch)

Steps to reproduce

Reproduction

1. Configure OpenClaw with tools.exec.applyPatch.enabled = true

2. Use an eligible OpenAI/Codex model (for example gpt-5.1-codex-mini / gpt-5.4 depending on local config)

3. Run an agent turn that asks to update a workspace file using apply_patch

4. Observe:

   • no actual apply_patch tool call in session history
   • file unchanged
   • logs contain unknown-entry warnings for apply_patch

Expected behavior

Expected behavior

If apply_patch is a supported built-in tool for the active runtime/model, it should be recognized as a core/valid tool during allowlist resolution and should not be stripped as an unknown entry.

Actual behavior

Actual behavior

apply_patch is treated as unknown/plugin-only during allowlist sanitization, so agent runs cannot execute it.

OpenClaw version

OpenClaw 2026.3.12

Operating system

Linux Mint 22.3

Install method

npm global

Model

Openai GPT 5-4

Provider / routing chain

openclaw->tailscale-gateway

Config file / key location

No response

Additional provider/model setup details

No response

Logs, screenshots, and evidence

Impact and severity

No response

Additional information

Temporary local workaround used

A narrow local patch that forces apply_patch into coreToolNames for this pipeline:

const coreToolNames = new Set(
params.tools
.filter((tool) => !params.toolMeta(tool) || normalizeToolName$1(tool.name) === "apply_patch")
.map((tool) => normalizeToolName$1(tool.name))
.filter(Boolean)
);

Questions for maintainers

• Should apply_patch be treated as a core tool in this path?
• Is the toolMeta(...) test too broad for built-in tools that carry metadata?
• Are there other built-ins affected by the same classification issue?

Hi @Alfred-claw28, could you please give this another try on the latest stable release, v2026.3.22 (e7d11f6)?

The original report was on 2026.3.12, and the warning behavior has changed since then. Newer versions distinguish gated core tools like apply_patch from truly unknown/plugin-only entries, so it would be helpful to confirm whether this still reproduces on current stable.

If it does, could you share:

• the actual runtime provider/model
• your tools.exec.applyPatch config
• the full warning text
• whether the workspace is sandboxed or read-only

[openclaw-barnacle]

This issue has been automatically marked as stale due to inactivity.
Please add updates or it will be closed.

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve.

Latest ClawSweeper review: 2026-05-24 12:12 UTC / May 24, 2026, 8:12 AM ET.

Workflow note: Future ClawSweeper reviews update this same comment in place.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

Summary
Keep open: current main and v2026.5.22 still construct apply_patch only for exact openai or openai-codex provider IDs, so the routed/custom provider support question remains unresolved and security-sensitive.

Reproducibility: yes. at source level. Passing a routed/custom modelProvider other than exact openai or openai-codex makes applyPatchEnabled false before policy filtering, although I did not run a live routed-gateway session.

Next step
Maintainers need to choose whether and how routed/custom provider IDs can be trusted for apply_patch before a fix PR should widen the gate.

Security
Needs attention: The issue is security-sensitive because routed/custom provider support would change which provider identities can receive a filesystem-mutating tool.

Review details

Best possible solution:

Define a fail-closed trusted-provider or capability contract for routed apply_patch support, or explicitly document routed/custom providers as unsupported, then align creation logic, warnings, docs, and regression coverage.

Do we have a high-confidence way to reproduce the issue?

Yes, at source level. Passing a routed/custom modelProvider other than exact openai or openai-codex makes applyPatchEnabled false before policy filtering, although I did not run a live routed-gateway session.

Is this the best way to solve the issue?

No. A policy-pipeline-only workaround addresses the misleading classification symptom, but the durable solution needs explicit routed-provider trust semantics or a documented unsupported boundary.

Label justifications:

• P2: This affects a real coding workflow with limited blast radius, but the remaining fix needs maintainer product and security judgment.
• impact:security: The remaining decision controls access to apply_patch, a filesystem-mutating tool, across provider trust boundaries.
• impact:auth-provider: The behavior depends on provider identity and routed model selection before the tool is constructed.

Security concerns:

• [medium] Define trust before widening apply_patch access — src/agents/pi-tools.ts:652
  Routed/custom provider support would let additional model-provider paths receive apply_patch, so any implementation should fail closed behind an explicit trusted-provider or capability contract rather than infer trust from provider-name aliases.
  Confidence: 0.9

Acceptance criteria:

• node scripts/run-vitest.mjs src/agents/pi-tools.create-openclaw-coding-tools.test.ts src/agents/tool-policy-pipeline.test.ts src/agents/pi-tools.policy.test.ts
• Review docs/tools/exec.md, docs/tools/apply-patch.md, src/config/schema.help.ts, and src/config/types.tools.ts for the final routed-provider contract wording.

What I checked:

• Current provider gate: isOpenAIProvider still accepts only openai and openai-codex, so a routed provider alias does not qualify. (src/agents/pi-tools.ts:104, 996d07ee466c)
• Tool construction gate: applyPatchEnabled requires the exact provider gate and model allowlist before the apply_patch tool is created; policy filtering cannot restore it later. (src/agents/pi-tools.ts:652, 996d07ee466c)
• Provider constraint coverage: The current test asserts apply_patch appears for openai and openai-codex, is absent without provider context, and is absent for non-OpenAI providers. (src/agents/pi-tools.create-openclaw-coding-tools.test.ts:687, 996d07ee466c)
• Warning behavior coverage: Policy-pipeline tests now suppress built-in profile warnings for unavailable apply_patch but still warn for explicit allowlists when the gated core tool is unavailable. (src/agents/tool-policy-pipeline.test.ts:93, 996d07ee466c)
• Docs contract: The exec docs describe apply_patch as enabled by default for OpenAI/OpenAI Codex models and explicitly note it is only available for those models. Public docs: docs/tools/exec.md. (docs/tools/exec.md:255, 996d07ee466c)
• Latest release behavior: The latest release tag v2026.5.22 contains the same exact-provider construction gate, so the remaining limitation is shipped behavior, not only current-main drift. (src/agents/pi-tools.ts:655, a374c3a5bfd5)

Likely related people:

• steipete: Introduced apply_patch and its docs in 8b4bdaa8a473, including the exact OpenAI/OpenAI-Codex provider gate; also clarified gated core tool warnings in 394fd87c2c49. (role: introduced behavior and adjacent warning-path contributor; confidence: high; commits: 8b4bdaa8a473, 394fd87c2c49; files: src/agents/pi-tools.ts, docs/tools/apply-patch.md, docs/tools/exec.md)
• vincentkoc: Changed profile allowlist warning suppression for unavailable gated core tools and recently worked in the tool-policy audit path. (role: recent warning-path contributor; confidence: medium; commits: 53504b366201, 09dd051e7813; files: src/agents/tool-policy-pipeline.ts, src/agents/tool-policy-pipeline.test.ts, src/agents/pi-tools.ts)
• eleqtrizit: Authored the merged restrictive-allowlist policy pipeline refactor that current unknown/unavailable allowlist behavior builds on. (role: policy pipeline contributor; confidence: medium; commits: 193fdd6e3b0c; files: src/agents/tool-policy-pipeline.ts, src/agents/tool-policy.ts, src/agents/tool-policy-pipeline.test.ts)
• justinhuangai: Opened the related unmerged metadata-classification PR and later identified provider/tool-construction gating as the likely remaining failure mode in the issue discussion. (role: related investigator and proposed-fix author; confidence: medium; commits: 3166ebeb42c0; files: src/agents/tool-policy-pipeline.ts, src/agents/tool-policy-pipeline.test.ts)

Remaining risk / open question:

• No live Tailscale or ppq/autoclaw routed-provider session was run in this read-only review, so reproduction proof is source-level rather than end-to-end.
• Widening apply_patch to routed/custom provider IDs without an explicit trust contract could expose a filesystem-mutating tool to provider paths the operator did not intend to trust.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 996d07ee466c.