[RFC] Trusted tool policy stage and plugin tool metadata

[100yenadmin]

Summary

Add a trusted pre-plugin tool policy stage and plugin-owned tool metadata so bundled/trusted plugins can enforce host-level policy and so plugin tools can appear with first-class catalog/display/safety metadata.

This is proposed SDK surface, not currently implemented API.

Why this matters

Plan Mode must block mutating tools while approval is pending. That gate must run before ordinary plugin before_tool_call hooks so another plugin cannot reorder, rewrite, or bypass the policy accidentally. Plan Mode tools also need catalog/display/safety metadata without hardcoded core tool catalog patches.

The same primitive applies to budget guards, deployment freezes, workspace policy plugins, dangerous-action wrappers, compliance plugins, and tool catalog extensions.

Current SDK surface

OpenClaw currently has before_tool_call, which can rewrite params, block, or require approval. Core config also filters tools before hook wrapping, and plugin tools have basic catalog fields.

Those surfaces are useful but insufficient: before_tool_call is a normal plugin hook, not a bundled/trusted pre-plugin policy tier. Plugin metadata is not a full display/safety registry, and core-owned tools such as update_plan cannot be safely decorated by plugins.

Proposed solution

Expose trusted policy registration such as:

api.registerToolPolicy({
  id,
  stage: "pre_plugin_hooks",
  trust: "bundled",
  handler,
});

Expose metadata registration such as:

api.registerToolMetadata({
  name,
  title,
  category,
  display,
  safety,
});

Maintainers must also decide whether bundled plugins can decorate core-owned tools such as update_plan, or whether those plugins should own parallel tools.

Reusable plugin examples

• Plan Mode blocks mutating tools while approval is pending and labels Plan Mode tools.
• Budget plugins block or require approval for expensive models/tools.
• Workspace policy plugins block filesystem, browser, or network tools that violate path or data-egress rules.
• Deployment plugins gate deploy and rollback tools during freeze windows.
• Dangerous-action wrappers require scoped approval for high-risk mutations.
• Compliance plugins add audit and safety labels to plugin-owned tools.
• Tool catalog plugins publish display, risk, category, and ownership metadata without hardcoding host display maps.

Decisions needed

• Trust tier for pre-plugin policy hooks.
• Policy decision shape and terminal behavior.
• Plugin tool display/safety metadata schema.
• Whether core-owned tools such as update_plan can be decorated.
• Disablement behavior for policy, metadata, and decorated tool state.
• Negative enforcement for external/untrusted plugins attempting privileged policy registration.

Acceptance criteria

• Fixture trusted policy blocks before ordinary before_tool_call hooks.
• Normal plugins cannot override a trusted block.
• External plugins cannot register trusted pre-plugin policy.
• Fixture tool metadata appears in tool catalog and UI/tool display lookup.
• Disabling the fixture plugin removes metadata, decoration, and policy.

References

• RFC PR: [plugin sdk] docs: plugin host hook RFC #71731
• Source behavior/parity oracle: Plan Mode rebased onto upstream/main + executing-state subsystem #71676
• Full RFC packet: docs/plan/plan-mode-plugin-host-hooks-rfc.md

Current replacement stack (2026-04-30)

#72082 was the earlier implementation vehicle. Current review should use the merged foundation #72287 plus #73384 and draft #74483. For this trusted policy / tool metadata slice, #72287 carries the foundation surface; #73384 adds workflow-facing hardening and contract coverage around trusted policy behavior and plugin-owned metadata semantics. This does not close broader open tool capability/provenance proposals such as #48510, #48503, or #62962.

[100yenadmin]

Current SDK audit against the #71427 standard:

Verdict: this RFC is not resolved by current SDK hooks. before_tool_call is real and useful, but it is a normal plugin hook, not a trusted pre-plugin policy tier. Plugin tools also have basic catalog fields, but not first-class display/safety metadata or a safe core-tool decoration path.

What exists today:

• before_tool_call can rewrite params, block, or require approval.
• Core config policy filters tools before hook wrapping.
• Plugin tools can be registered and shown with basic catalog metadata.
• Core tools such as update_plan have static host-owned display config.

Missing host seam:

• Bundled/trusted api.registerToolPolicy({ stage: "pre_plugin_hooks" }) executed before normal plugin hooks.
• A rule that normal plugins cannot override or reorder around a trusted block.
• api.registerToolMetadata(...) merged into catalog/effective inventory/UI display.
• An explicit decoration model, or explicit rejection of decoration, for core-owned tools such as update_plan.
• Fixture tests for trusted policy ordering, external-plugin rejection, metadata projection, and disablement cleanup.

So this issue is still a host-hook decision, not a duplicate of existing before_tool_call.

[100yenadmin]

Already implemented? Comparison using the #71427 standard:

Existing surface	Why it may look sufficient	Exact missing SDK contract	Other plugin consumers
Normal before_tool_call, core config filtering, basic plugin tool catalog fields	Plugins can already block calls and register tools	Bundled/trusted pre-plugin policy tier, metadata/display registry, and explicit core-tool decoration rule	budget guards, workspace policy, deploy freezes, dangerous-action approvals

Verdict: before_tool_call is real, but this RFC is not already implemented because trusted policy must run before ordinary plugin hook ordering and metadata must become a first-class SDK/catalog/UI contract.

[clawsweeper]

Closing this as duplicate or superseded after Codex automated review.

Close #71734 as superseded by the newer canonical implementation PR #72082. Current main still lacks the requested trusted pre-plugin tool policy tier and first-class plugin tool metadata projection, so this is not implemented on main. But #72082 is an open implementation PR explicitly covering #71734 and tracking the same remaining host-hook SDK work.

Best possible solution:

Use #72082 as the canonical implementation and review vehicle for #71734. Keep the eventual fix generic: a bundled/trusted pre-plugin tool policy registration contract, negative enforcement for external plugins, first-class plugin tool metadata projection into catalog/effective inventory/UI lookup, an explicit core-tool decoration rule, and fixture tests for ordering, override resistance, metadata projection, and disablement cleanup.

What I checked:

• Current main verified clean: The checkout is on current main at 7e13f3f, and git status was clean after the read-only review. (7e13f3f51401)
• Plugin API lacks requested registration methods: OpenClawPluginApi exposes registerTool, registerHook, gateway, command, provider, middleware, memory, and lifecycle methods, but no registerTrustedToolPolicy/registerToolPolicy or registerToolMetadata method. A targeted rg search for those proposed names returned no matches. (src/plugins/types.ts:2061, 7e13f3f51401)
• Current hook surface is still normal before_tool_call: The typed plugin hook list includes before_tool_call, after_tool_call, and tool_result_persist, but has no pre_plugin_hooks stage or distinct trusted policy hook. (src/plugins/hook-types.ts:75, 7e13f3f51401)
• Tool hook ordering is ordinary plugin priority ordering: getHooksForName sorts all hook registrations by numeric priority, and runBeforeToolCall delegates to the normal before_tool_call modifying hook. This can terminally block lower-priority hooks, but it is not a separate bundled/trusted tier before ordinary plugin hooks. (src/plugins/hooks.ts:193, 7e13f3f51401)
• Plugin tool metadata remains basic: PluginToolMeta is only pluginId plus optional, so current main has no plugin-owned display/category/safety metadata registry for tools. (src/plugins/tools.ts:16, 7e13f3f51401)
• Gateway catalog schema lacks display/safety metadata fields: ToolCatalogEntrySchema allows only id, label, description, source, pluginId, optional, and defaultProfiles with additionalProperties false. There are no display, safety, risk, tags, or category fields for the requested metadata projection. (src/gateway/protocol/schema/agents-models-skills.ts:369, 7e13f3f51401)

So I’m closing this here and keeping the remaining discussion on the canonical linked item.

Codex Review notes: model gpt-5.5, reasoning high; reviewed against 7e13f3f51401.