Bug type
Regression (worked before, now fails)
Beta release blocker
No
Summary
The sessions_spawn tool fails with a forbidden error, even when the AGENTS and SPAWN_ALLOWLIST environment variables are correctly configured. The system behaves as if SPAWN_ALLOWLIST is not set, returning allowed: none.
This issue persists after multiple redeploys and even a full stop/start of the Docker containers.
Steps to reproduce
- Deploy OpenClaw using a docker-compose.yml file.
- In the openclaw service definition, add the following environment variables:
- 'AGENTS=[{"id":"basic-agent","label":"Basic Agent","description":"A generic agent for simple tasks.","model":"google/gemini-2.5-pro","systemPrompt":"You are a sub-agent. Be concise and efficient."}]'
- 'SPAWN_ALLOWLIST=*'
Save the configuration and redeploy the application to ensure the new variables are loaded.
From any session, attempt to call the sessions_spawn tool:
{
"tool": "sessions_spawn",
"agentId": "basic-agent",
"task": "This is a test task."
}
Expected behavior
The sessions_spawn tool call should succeed, creating a new isolated session for the basic-agent.
Actual behavior
The tool call fails with a permission error. The output is:
{
"status": "forbidden",
"error": "agentId is not allowed for sessions_spawn (allowed: none)"
}
This indicates that the allowlist is empty, despite the environment variable being set to *.
OpenClaw version
coollabsio/openclaw:2026.2.6
Operating system
Standard Server (Linux)
Install method
Docker Compose managed by Coolify
Model
gemini 2.5
Provider / routing chain
openclaw -> coolify
Additional provider/model setup details
To confirm the environment variable is correctly passed to the container, we executed a command inside the running openclaw container:
Command:
exec "env | grep SPAWN_ALLOWLIST"
Output:
SPAWN_ALLOWLIST=*
This proves that the variable is present and correctly set within the agent's environment, but the permission service responsible for authorizing sessions_spawn is not reading or respecting it.
Relevant docker-compose.yml Snippet
services:
openclaw:
image: 'coollabsio/openclaw:2026.2.6'
environment:
# ... other variables
- 'AGENTS=[{"id":"basic-agent","label":"Basic Agent","description":"A generic agent for simple tasks.","model":"google/gemini-2.5-pro","systemPrompt":"You are a sub-agent. Be concise and efficient."}]'
- 'SPAWN_ALLOWLIST=*'
volumes:
- 'openclaw-data:/data'
# ... rest of the service definition
La publication de ce rapport est notre meilleur
Logs, screenshots, and evidence
Impact and severity
No response
Additional information
No response
Bug type
Regression (worked before, now fails)
Beta release blocker
No
Summary
The sessions_spawn tool fails with a forbidden error, even when the AGENTS and SPAWN_ALLOWLIST environment variables are correctly configured. The system behaves as if SPAWN_ALLOWLIST is not set, returning allowed: none.
This issue persists after multiple redeploys and even a full stop/start of the Docker containers.
Steps to reproduce
Save the configuration and redeploy the application to ensure the new variables are loaded.
From any session, attempt to call the sessions_spawn tool:
{
"tool": "sessions_spawn",
"agentId": "basic-agent",
"task": "This is a test task."
}
Expected behavior
The sessions_spawn tool call should succeed, creating a new isolated session for the basic-agent.
Actual behavior
The tool call fails with a permission error. The output is:
{
"status": "forbidden",
"error": "agentId is not allowed for sessions_spawn (allowed: none)"
}
This indicates that the allowlist is empty, despite the environment variable being set to *.
OpenClaw version
coollabsio/openclaw:2026.2.6
Operating system
Standard Server (Linux)
Install method
Docker Compose managed by Coolify
Model
gemini 2.5
Provider / routing chain
openclaw -> coolify
Additional provider/model setup details
To confirm the environment variable is correctly passed to the container, we executed a command inside the running openclaw container:
Command:
exec "env | grep SPAWN_ALLOWLIST"
Output:
SPAWN_ALLOWLIST=*
This proves that the variable is present and correctly set within the agent's environment, but the permission service responsible for authorizing sessions_spawn is not reading or respecting it.
Relevant docker-compose.yml Snippet
services:
openclaw:
image: 'coollabsio/openclaw:2026.2.6'
environment:
# ... other variables
- 'AGENTS=[{"id":"basic-agent","label":"Basic Agent","description":"A generic agent for simple tasks.","model":"google/gemini-2.5-pro","systemPrompt":"You are a sub-agent. Be concise and efficient."}]'
- 'SPAWN_ALLOWLIST=*'
volumes:
- 'openclaw-data:/data'
# ... rest of the service definition
La publication de ce rapport est notre meilleur
Logs, screenshots, and evidence
Impact and severity
No response
Additional information
No response