[Bug]: Plugin `before_tool_call` hook does not fire for native exec on 2026.4.29 (Anthropic harness)

[juno02139]

Bug type

Behavior bug (incorrect output/state without crash)

Beta release blocker

No

Summary

A plugin that registers a before_tool_call hook never sees that handler invoked when a native tool (e.g. exec) runs through the Anthropic harness on 2026.4.29 (commit a448042). The plugin's register() runs, the same plugin's after_tool_call handler does fire, but before_tool_call is silently skipped — so plugins cannot block or modify native tool calls before execution.

Steps to reproduce

1. Install OpenClaw 2026.4.29 globally (npm install -g openclaw@2026.4.29).
2. Drop a minimal plugin into the workspace plugins/ dir whose register() only does:

   api.on("before_tool_call", (event, ctx) => {
     fs.appendFileSync("/tmp/btc-trace.log", JSON.stringify({ts: Date.now(), tool: event.toolName}) + "\n");
   }, { priority: 50 });

3. Start the gateway (systemctl --user restart openclaw-gateway.service) and confirm register() fires (one log line per gateway start).
4. Drive a native exec from any agent harness — e.g. ask the agent through Discord to run ls.
5. Observe: the agent returns the correct directory listing (proving native exec ran end-to-end), but /tmp/btc-trace.log stays empty.

Switching the same handler to after_tool_call reproduces the opposite — the trace log is written on every tool call. The plugin code path itself works; only before_tool_call is silent.

Expected behavior

Per src/agents/pi-tools.before-tool-call.ts, the wrapper at wrapToolWithBeforeToolCallHook (line 597) calls runBeforeToolCallHook (line 396) on every tool execution. That function reads the global hook runner via getGlobalHookRunner() (line 474) and gates further work on hookRunner?.hasHooks("before_tool_call") (line 528). Plugin handlers registered via api.on("before_tool_call", ...) end up in registry.typedHooks (src/plugins/registry.ts:2034), which hasHooks reads lazily (src/plugins/hooks.ts:1344-1345).

So the handler should fire on every wrapped tool call. before_tool_call is not in CONVERSATION_HOOK_NAMES (src/plugins/hook-types.ts), so the allowConversationAccess gate in registerTypedHook (src/plugins/registry.ts:2010) does not apply — non-bundled plugins should be able to register without any policy opt-in.

Actual behavior

The plugin's register() runs (logged once at gateway start). A real exec tool call runs end-to-end (the agent returns correct command output). The plugin's before_tool_call handler is never invoked.

The most likely root cause is at src/agents/pi-tools.before-tool-call.ts:528: the getGlobalHookRunner() call at line 474 either returns null or returns a runner whose registry.typedHooks does not include the plugin's handler in the runtime context the native-exec dispatch path uses. The short-circuit at line 528 then returns { blocked: false } without ever invoking hookRunner.runBeforeToolCall. We have not pinpointed whether this is a runtime-mode issue around activatePluginRegistry / preserveGatewayHookRunner (src/plugins/loader.ts:1411-1425), a singleton-init ordering bug, or something else; but the empirical signal is that before_tool_call is silent while after_tool_call works in the same plugin and same gateway PID.

OpenClaw version

2026.4.29 (a448042)

Operating system

Ubuntu 24.04.4 LTS

Install method

npm global (npm install -g openclaw@2026.4.29)

Model

anthropic/claude-opus-4-7

Provider / routing chain

openclaw -> anthropic

Additional provider/model setup details

Single in-process gateway PID (no subagent / external runtime). Anthropic harness via @mariozechner/pi-coding-agent running embedded inside the gateway process. No Codex, no native-hook-relay path involved — confirmed there is exactly one node process in the gateway tree.

Logs, screenshots, and evidence

# Plugin register() — fires once at gateway start
2026-05-02 13:39:21 [skill-channel-gate] register() called; rules=1

# Real exec turn — Discord HITL, agent returned correct ls output
2026-05-02 13:48:25  user: @Juno run ls
2026-05-02 13:48:44  Juno: AGENTS.md  CLAUDE.md  HEARTBEAT.md  IDENTITY.md  NOTES.md  README.md  SOUL.md  TOOLS.md  USER.md  docs/  plugins/  skills/

# Trace handler output — never written (file remained 0 bytes, mtime = pre-test truncate)
$ wc -c /tmp/skill-channel-gate-trace.log
0 /tmp/skill-channel-gate-trace.log

# No "[skill-channel-gate] before_tool_call" line ever appears in journal
$ journalctl --user -u openclaw-gateway --since "13:48" | grep skill-channel-gate
2026-05-02 13:39:21 [skill-channel-gate] register() called; rules=1

Plugin source (10 lines, only the handler shown):

api.on("before_tool_call", (event, ctx) => {
  try {
    appendFileSync("/tmp/skill-channel-gate-trace.log",
      JSON.stringify({ts: Date.now(), pid: process.pid, toolName: event?.toolName, sessionKey: ctx?.sessionKey, paramsKeys: Object.keys(event?.params ?? {})}) + "\n");
    console.log(`[skill-channel-gate] before_tool_call: toolName=${event?.toolName}`);
  } catch (e) { console.error(e); }
  return undefined;
}, { priority: 50 });

Impact and severity

• Affected: All plugins that need to gate, modify, or audit native tool calls (exec, read, write, etc.) before execution under the Anthropic harness on 2026.4.29 stable.
• Severity: High. before_tool_call is the documented surface for tool-execution policy plugins; with it silent, plugins cannot enforce per-channel/per-tenant restrictions at the execution boundary, leaving after_tool_call audit-only.
• Frequency: Always (1/1 register, 1/1 exec turns observed). No intermittency; the handler simply never fires.
• Consequence: For our use case (a Discord-tenant-scoped agent that needs to block specific skills outside specific channels) this means the execution-surface tenant wall is not enforceable from a plugin; we are reduced to HITL discipline until this is fixed.

Additional information

• before_tool_call is not in CONVERSATION_HOOK_NAMES so the allowConversationAccess policy gate does not apply.
• The same plugin's after_tool_call handler does fire on the same exec turns — the plugin code path and registration are reaching the registry; only the dispatch-time read of plugin handlers for before_tool_call is producing zero hits.
• Local codex review was not run (codex CLI not installed on the repro machine). Happy to add a regression test alongside a fix once a maintainer confirms the diagnosis direction.

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve.

Summary
Keep open: current main still matches the reported native Pi/Anthropic before_tool_call dispatch gap, and the related loopback-MCP PR does not cover native exec. The reporter's 2026.5.7 recheck adds useful runtime evidence that this is not limited to 2026.4.29.

Reproducibility: yes. source-reproducible with high confidence, though I did not live-run the gateway. The issue includes real 2026.4.29 and 2026.5.7 gateway traces, and current main still routes wrapped native tools through a helper that consults only the global hook runner while after_tool_call has a run-context fallback.

Next step
Manual review is appropriate because this is a pre-exec policy boundary and the fix should confirm active hook-runner ownership before changing runtime wiring.

Security
Needs attention: The report is security-sensitive because a documented pre-exec policy hook may be bypassed for native tool execution.

Review details

Best possible solution:

Native Pi/Anthropic tool wrapping should resolve the active gateway or run hook runner for before_tool_call, with regression coverage where an external plugin observes or blocks native exec.

Do we have a high-confidence way to reproduce the issue?

Yes, source-reproducible with high confidence, though I did not live-run the gateway. The issue includes real 2026.4.29 and 2026.5.7 gateway traces, and current main still routes wrapped native tools through a helper that consults only the global hook runner while after_tool_call has a run-context fallback.

Is this the best way to solve the issue?

Unclear as an implementation until the hook-runner ownership contract is confirmed. The maintainable direction is to carry the active gateway/run hook runner into native before-hook dispatch rather than adding another ad hoc global lookup branch.

Security concerns:

• [high] Pre-exec tool policy hook may be bypassed — src/agents/pi-tools.before-tool-call.ts:505
  Native tool execution reaches before_tool_call through runBeforeToolCallHook(), which gates plugin dispatch on the global hook runner only; if that runner lacks the loaded plugin handler, policy plugins cannot block or require approval before exec runs.
  Confidence: 0.82

Acceptance criteria:

• node scripts/run-vitest.mjs src/agents/pi-tools.before-tool-call.e2e.test.ts src/agents/pi-tools.before-tool-call.integration.e2e.test.ts src/agents/openclaw-owned-tool-runtime-contract.test.ts
• node scripts/run-vitest.mjs src/agents/pi-tool-definition-adapter.test.ts src/agents/pi-tool-definition-adapter.after-tool-call.fires-once.test.ts
• node scripts/run-vitest.mjs src/plugins/loader.test.ts

What I checked:

• Documented expected behavior: The public plugin hook docs describe before_tool_call as the hook for rewriting params, blocking execution, or requiring approval before tool execution. Public docs: docs/plugins/hooks.md. (docs/plugins/hooks.md:121, 947c9512c30b)
• Native tools are wrapped before adapter conversion: createOpenClawCodingTools() still maps normalized native tools through wrapToolWithBeforeToolCallHook(...), so native exec depends on this pre-exec helper path. (src/agents/pi-tools.ts:1016, 947c9512c30b)
• Before hook helper reads only the global hook runner: runBeforeToolCallHook() calls getGlobalHookRunner() and returns without plugin dispatch when that runner lacks before_tool_call, matching the reported silent skip mode. (src/agents/pi-tools.before-tool-call.ts:505, 947c9512c30b)
• After hook path has run-context fallback: Embedded tool completion uses ctx.hookRunner before falling back to the global runner for after_tool_call, explaining the reported asymmetry where after hooks fire while before hooks do not. (src/agents/pi-embedded-subscribe.handlers.tools.ts:1261, 947c9512c30b)
• Adapter does not provide a second before-hook dispatch for already wrapped native tools: toToolDefinitions() detects tools already wrapped with the before-hook marker and skips its own runBeforeToolCallHook() branch. (src/agents/pi-tool-definition-adapter.ts:230, 947c9512c30b)
• Registration is allowed for non-conversation tool hooks: before_tool_call is a valid plugin hook and is not listed in CONVERSATION_HOOK_NAMES; registerTypedHook() pushes valid non-conversation hooks into registry.typedHooks. (src/plugins/registry.ts:2285, 947c9512c30b)

Likely related people:

• steipete: Recent GitHub file history on src/agents/pi-tools.before-tool-call.ts, src/agents/pi-tools.ts, and plugin loader/runtime surfaces includes hook dispatch, derived tool params, and before-hook test work central to this report. (role: recent area contributor / likely follow-up owner; confidence: high; commits: e4bae42d631e, c6cfd12228b3, 61e534428a1e; files: src/agents/pi-tools.before-tool-call.ts, src/agents/pi-tools.ts, src/plugins/loader.ts)
• jalehman: Recent current-main history includes code-mode tool display/replay and embedded tool-search work touching src/agents/pi-tools.ts and src/agents/pi-embedded-subscribe.handlers.tools.ts, adjacent to the native tool execution path. (role: recent adjacent contributor; confidence: low; commits: 4bfd7416f0f9; files: src/agents/pi-tools.ts, src/agents/pi-embedded-subscribe.handlers.tools.ts)
• jfan22: Authored the related loopback-MCP before_tool_call PR, which is useful dispatch-path context even though it does not cover this native Pi/Anthropic exec path. (role: adjacent prior investigator; confidence: low; commits: 015c6c2ba574; files: src/gateway/mcp-http.handlers.ts)

Remaining risk / open question:

• I did not live-run a gateway in this read-only sweep; the current-main assessment is source-backed and supported by the reporter's 2026.5.7 runtime recheck.
• The exact runtime transition that makes the global hook runner miss the plugin while the after-hook path sees a runner still needs maintainer confirmation.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 947c9512c30b.

[arun02139]

Re-verified against OpenClaw 2026.5.7 (eeef486) on 2026-05-12. Behavior unchanged from 2026.4.29 — plugin-registered before_tool_call handlers still do not fire for native exec.

Two independent turns through the gateway, neither produced a trace line:

1. openclaw agent --agent juno --message "Use Bash to run exactly: date +%s..." — exec ran successfully (1778609675 returned).
2. Discord @Juno run \date` via Bash—execran successfully (session jsonl:toolName: "exec", exitCode: 0, aggregated: "Tue May 12 02:18:09 PM EDT 2026"`).

Plugin baseline confirmed sound:

• Gateway startup journal: [skill-channel-gate] register() called; rules=3 (exactly once, no errors).
• The trace handler uses appendFileSync('/tmp/skill-channel-gate-trace.log', ...) unconditionally at the top of the before_tool_call callback — it fires for any tool name / session key / rule match (or non-match). So absence of file = absence of event.
• /tmp/ is writable for the gateway uid; no [skill-channel-gate] trace failed: stderr lines.
• Plugin is loaded as in-tree (path declared in plugins.load.paths), activation: { onStartup: true } set per the 2026.5.7 in-tree-load fix.

Same handler shape works for the sister memory-observer plugin's after_tool_call — only before_tool_call is affected. No code change required on our end; reporting only.

[hiroshiyoneyama-a11y]

Possibly same root cause as #73723. My case on 2026.5.19 is after_tool_call relay lookup failing (native hook relay not found); yours is before_tool_call not firing on 2026.4.29. Both feel like plugin-registry / relay-registry not being shared with the Codex hook dispatcher.