code-mode: AgentToolsSchema rejects "codeMode" key but docs say agent-level config works

[Kaspre]

Scope: Bug directly in the Openclaw Code Mode implementation introduced by #80600 (the per-agent schema path was missed when codeMode was added at the top-level ToolsSchema). Surfaced while testing #80600 on 2026.5.16-beta.4.

Problem

docs/reference/code-mode.md (line 67) says:

Add tools.codeMode.enabled: true to the agent or runtime config

But the per-agent tools zod schema (AgentToolsSchema) is .strict() and doesn't include codeMode. Only the top-level ToolsSchema accepts it. Per-agent enablement isn't possible — the gateway rejects the config.

Change and value

Either add codeMode: CodeModeSchema.optional() to AgentToolsSchema, or correct the doc to say "runtime/top-level only".

Per-agent enablement is the more useful option — it allows testing code mode on a single agent without forcing fleet-wide behavior change during evaluation or gradual rollout.

Who's affected

Anyone reading the documented agent-level config and trying to apply it. Affects evaluation/testing workflows where mixing code-mode and non-code-mode agents in the same fleet is desirable.

Reproduction

Tested on Openclaw 2026.5.16-beta.4.

1. Add to openclaw.json:

   {
     "agents": {
       "list": [
         {
           "id": "test-agent",
           "tools": { "codeMode": { "enabled": true } }
         }
       ]
     }
   }

2. openclaw gateway restart

Expected

Gateway starts; code mode enabled for test-agent only.

Actual

Gateway rejects config validation:

agents.list.0.tools: Unrecognized key: "codeMode"
Run "openclaw doctor --fix" to repair, then retry.

Schema evidence

In dist/zod-schema.agent-runtime-CMJF3lIB.js:

• Line 471: const AgentToolsSchema = z.object({ ...CommonToolPolicyFields, elevated, exec, fs, loopDetection, message, sandbox }).strict() — no codeMode
• Line 662: const ToolsSchema = z.object({ ...CommonToolPolicyFields, ..., codeMode: CodeModeSchema, ... }) — codeMode present at top-level only

Suggested fix

Add codeMode: CodeModeSchema.optional() to AgentToolsSchema so the documented agent-level enablement works. If a per-agent override isn't intended, instead remove "agent or" from the docs.

Local workaround

Set tools.codeMode.enabled: true at the root of openclaw.json. This enables code mode for every agent in the fleet.

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve.

Workflow note: Future ClawSweeper reviews update this same comment in place.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by maintainer comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors can comment @clawsweeper re-review or @clawsweeper re-run on their own open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

Summary
Keep open. Current main still has the reported docs/schema mismatch, and an open linked fix PR uses closing syntax, so this issue should remain open until that PR is reviewed and either landed or closed.

Reproducibility: yes. from current-main source inspection. The documented agents.list[].tools.codeMode path flows into a strict AgentToolsSchema that lacks codeMode, so the reported shape is rejected before gateway startup.

Next step
No new repair job is needed because an open PR already references this issue with closing syntax; maintainers should review that PR against the full schema/type/runtime contract.

Review details

Best possible solution:

Land or revise the linked fix so agents.list[].tools.codeMode is accepted in schema/types and resolved for the active agent during code-mode activation, with focused regression coverage.

Do we have a high-confidence way to reproduce the issue?

Yes, from current-main source inspection. The documented agents.list[].tools.codeMode path flows into a strict AgentToolsSchema that lacks codeMode, so the reported shape is rejected before gateway startup.

Is this the best way to solve the issue?

Yes, honoring the documented per-agent contract is the best fix; a docs-only rollback would remove a useful rollout path already promised by the reference docs. The implementation should cover schema, exported types, and active-agent runtime resolution.

What I checked:

• Documented contract: The code-mode reference says to add tools.codeMode.enabled: true to the agent or runtime config, making agent-level enablement part of the current user-facing contract. Public docs: docs/reference/code-mode.md. (docs/reference/code-mode.md:67, 73ca3cf3c3dd)
• Per-agent schema rejects the reported key: AgentToolsSchema is strict and lists common policy fields plus elevated, exec, fs, loopDetection, message, and sandbox, but it has no codeMode member. (src/config/zod-schema.agent-runtime.ts:703, 73ca3cf3c3dd)
• Agent entries use that strict tools schema: AgentEntrySchema validates agents.list[].tools with AgentToolsSchema, so the reported agents.list[0].tools.codeMode shape is on the rejecting path. (src/config/zod-schema.agent-runtime.ts:1009, 73ca3cf3c3dd)
• Top-level schema accepts the workaround: The root ToolsSchema includes codeMode: CodeModeSchema, matching the reporter's workaround and showing the mismatch is agent-scope-specific. (src/config/zod-schema.agent-runtime.ts:1028, 73ca3cf3c3dd)
• Type surface has the same mismatch: AgentToolsConfig omits codeMode, while the top-level tools config includes codeMode?: CodeModeConfig. (src/config/types.tools.ts:362, 73ca3cf3c3dd)
• Runtime activation currently reads root tools config: resolveCodeModeConfig reads config.tools.codeMode, and the embedded run path calls it with params.config; a complete fix should ensure the active agent override participates, not only schema acceptance. (src/agents/code-mode.ts:124, 73ca3cf3c3dd)

Likely related people:

• steipete: The related generic code-mode PR introduced the runtime/docs/schema surface, and git history shows commits adding and hardening code mode on the affected files. (role: code-mode feature owner; confidence: high; commits: 0844e771a8df, 0db097936568; files: src/agents/code-mode.ts, src/config/zod-schema.agent-runtime.ts, src/config/types.tools.ts)
• hclsys: The open linked PR is the current implementation candidate for this issue and touches the reported schema/test surface according to the provided GitHub context. (role: open fix PR author; confidence: medium; commits: f9bfa5d12d0e; files: src/config/zod-schema.agent-runtime.ts, src/config/zod-schema.agent-defaults.test.ts)

Remaining risk / open question:

• The linked fix path should verify runtime activation for the active agent override, not only acceptance of the key in AgentToolsSchema.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 73ca3cf3c3dd.