[RFC] Scoped plugin commands, trusted command ownership, and continuation

[100yenadmin]

Summary

Extend plugin commands with declarative gateway scopes, trusted command-root ownership, and a continueAgent result for commands that should resume an agent run after handling.

This is proposed SDK surface, not currently implemented API.

Why this matters

Plan Mode /plan accept, /plan revise, and /plan answer must patch plugin state, enqueue a continuation, and resume the agent. Current plugin commands can run handlers, but they do not declare host-enforced scopes and they default to stopping command handling.

The same primitive applies to deploy approvals, review gates, incident/ticket workflows, budget overrides, memory/context actions, workspace policy grants, and channel-specific command adapters.

Current SDK surface

OpenClaw currently has api.registerCommand(...). Command context includes gatewayClientScopes, plugin gateway methods can declare opts.scope, duplicate plugin command registration is blocked, and built-in command roots are reserved.

Those surfaces are useful but insufficient: plugins can self-inspect scopes, but the host does not enforce command requiredScopes before the handler. There is no trusted ownership model for reserved roots and no continueAgent result that resumes an agent run after command-side state changes.

Proposed solution

Extend command registration with fields such as:

api.registerCommand({
  name,
  requiredScopes,
  ownership,
  handler,
});

Extend command results with:

return {
  message,
  continueAgent: true,
  delivery: "ephemeral",
};

Existing plugin commands should preserve current behavior: no requiredScopes means current auth behavior, and no continueAgent means do not resume the agent.

Reusable plugin examples

• Plan Mode uses /plan accept, /plan revise, /plan answer, /plan auto on, and /plan auto off.
• Review plugins use /review approve, /review request-changes, and /review rerun.
• Deployment plugins use /deploy approve, /deploy pause, /rollback, and /release status.
• Budget plugins use /budget override, /budget reset, and /budget status.
• Incident plugins use /incident ack, /incident escalate, and /ticket close.
• Memory plugins use /memory pin, /memory forget, and /context refresh.
• Policy plugins use /policy grant, /policy revoke, and /policy explain.
• Channel plugins use /telegram approve, /slack handoff, and /email summarize.

Decisions needed

• Command scope declaration shape.
• Reserved command ownership model: manifest, runtime, or two-phase ownership.
• continueAgent result semantics.
• Command discovery before plugin runtime activation.
• Text-channel behavior for read-only vs mutating commands.
• Error behavior for insufficient scopes, disabled plugins, and untrusted reserved-root claims.

Acceptance criteria

• Fixture command requiring operator.approvals rejects insufficient scope before handler execution.
• Read-only fixture command works with read scope only.
• Command returning continueAgent: true resumes agent execution.
• Command returning no continuation preserves current behavior.
• Untrusted plugin cannot claim a reserved command root.
• Text-channel command path receives the same scope and continuation semantics.

References

• RFC PR: [plugin sdk] docs: plugin host hook RFC #71731
• Source behavior/parity oracle: Plan Mode rebased onto upstream/main + executing-state subsystem #71676
• Full RFC packet: docs/plan/plan-mode-plugin-host-hooks-rfc.md

Current replacement stack (2026-04-30)

#72082 was the earlier implementation vehicle. Current review should use the merged foundation #72287 plus #73384 and draft #74483. For this command/session continuation slice, #73384 is the current workflow PR to review for host-mediated session actions, typed action errors, and continueAgent-style workflow continuation semantics.

[100yenadmin]

Current SDK audit against the #71427 standard:

Verdict: this RFC is not resolved by current SDK hooks. Plugin commands exist, and command handlers receive gatewayClientScopes, but scope enforcement and continuation are still plugin/manual or host-hardcoded behavior.

What exists today:

• api.registerCommand(...) registers plugin slash commands.
• Command context includes gatewayClientScopes.
• Plugin gateway methods can declare opts.scope.
• Duplicate plugin command registration is blocked and built-in command roots are reserved.

Missing host seam:

• Declarative requiredScopes on command definitions, enforced by the host before invoking the handler.
• A trusted command-root ownership model for bundled plugins.
• A command result shape such as continueAgent: true that resumes agent execution after state patching or next-turn injection.
• A default-preserving path where existing plugin commands still stop command handling.
• Fixture tests for scope denial, reserved-root denial, and continuation.

This issue remains valid because available scopes in context are not the same thing as host-enforced command authorization and continuation semantics.

[100yenadmin]

Already implemented? Comparison using the #71427 standard:

Existing surface	Why it may look sufficient	Exact missing SDK contract	Other plugin consumers
api.registerCommand(...), gatewayClientScopes in context, scoped plugin gateway methods	Plugins can register slash commands and inspect scopes manually	Host-enforced command requiredScopes, trusted reserved-root ownership, and continueAgent command result	deploy approvals, review commands, budget overrides, incident commands, channel commands

Verdict: plugin commands exist, but this RFC is not already implemented because authorization and continuation are not host-owned command semantics.

[clawsweeper]

Closing this as duplicate or superseded after Codex automated review.

Close #71735 as superseded by the newer canonical implementation PR #72082. Current main still lacks declarative command requiredScopes, trusted reserved-root ownership, and continueAgent semantics, so this is not implemented on main. However, #72082 is an open draft PR explicitly covering #71735 and tracking the same remaining SDK/host-hook work, including command scopes, bundled reserved ownership, continuation, and fixture coverage.

Best possible solution:

Use #72082 as the canonical implementation/review vehicle for #71735. Keep the eventual fix generic in the plugin SDK and host command dispatcher: additive requiredScopes, host-side pre-handler enforcement, trusted bundled reserved-root ownership, continueAgent result semantics, and fixture coverage for text and native command paths.

What I checked:

• Canonical follow-up PR tracks the same work: The provided GitHub context shows [plugin sdk] Add generic plugin host-hook SDK contracts #72082, "Add generic plugin host-hook SDK contracts", is an open draft implementation PR whose body explicitly lists [RFC] Scoped plugin commands, trusted command ownership, and continuation #71735 as covered and includes a dedicated section for scoped commands, reserved ownership, and continuation. git ls-remote confirms the PR head SHA is still present at refs/pull/72082/head. (7a20bf755d6c)
• Current SDK command type lacks the proposed fields: PluginCommandResult is still just ReplyPayload, and OpenClawPluginCommandDefinition exposes name, native aliases/progress messages, description, acceptsArgs, requireAuth, and handler, with no requiredScopes, ownership, or continueAgent field. (src/plugins/types.ts:1842, 9a529ca78bfa)
• Current host execution only passes scopes through: executePluginCommand checks requireAuth/isAuthorizedSender, copies gatewayClientScopes into the handler context, and then invokes command.handler(ctx). There is no host-side requiredScopes gate before handler execution. (src/plugins/commands.ts:192, 9a529ca78bfa)
• Current text command path still stops after plugin command handling: handlePluginCommand executes the matched plugin command and always returns shouldContinue: false with the reply, so current main does not map a plugin command result into agent continuation. (src/auto-reply/reply/commands-plugin.ts:35, 9a529ca78bfa)
• Current reserved command behavior is static denial, not trusted ownership: validateCommandName lazily constructs a static reservedCommands set and rejects plugin command names or aliases that match built-ins. That protects existing built-ins, but it is not the trusted reserved-root ownership model requested by [RFC] Scoped plugin commands, trusted command ownership, and continuation #71735. (src/plugins/command-registration.ts:44, 9a529ca78bfa)

So I’m closing this here and keeping the remaining discussion on the canonical linked item.

Codex Review notes: model gpt-5.5, reasoning high; reviewed against 9a529ca78bfa.