FRD: installed-plugin opt-in for registerTrustedToolPolicy + registerAgentToolResultMiddleware

[ryanhelms]

[FRD] Installed-plugin opt-in for registerTrustedToolPolicy + registerAgentToolResultMiddleware

Status: Draft (ByteDesk-internal). Ready to file at openclaw/openclaw issues.
Author: ByteDesk Platform team (companion to BDP-1207, follow-up from BDP-1198 in bytedesk-platform).
Reference: docs/plugins/hooks.md, docs/plugins/building-plugins.md, docs/plugins/manifest.md.

Problem

The OpenClaw plugin SDK currently restricts two host-trusted registration surfaces to bundled plugins only. When an installed plugin (e.g. one loaded via plugins.load.paths or openclaw plugins install) calls them, the gateway emits warnings and skips registration:

• api.registerTrustedToolPolicy(...) → only bundled plugins can register trusted tool policies
• api.registerAgentToolResultMiddleware(...) → only bundled plugins can register agent tool result middleware

This is a reasonable default — these surfaces run with host trust ahead of the standard before_tool_call / after_tool_call hook chain — but it leaves serious gaps for downstream platforms that ship their own first-party plugins outside the OpenClaw image.

ByteDesk hit this on bytedesk-workflow-harness, an installed plugin that implements a workflow control plane on top of OpenClaw primitives. BDP-1198 had to fall back to the public hook chain to keep functionality:

1. Trusted-policy fallback → before_tool_call hook for the workflow-harness engineering exec-policy / per-cascade budget gate.
2. Tool-result-middleware fallback → after_tool_call hook for workflow correlation-id tagging and artifact capture.

The fallbacks work, but they have two real costs:

1. Wrong execution order. before_tool_call hooks for installed plugins run after all bundled-plugin trusted policies. The workflow-harness engineering policy is meant to be the per-cascade budget/exec-policy gate for harness-owned cascades, and ordering matters for deny-decisions.
2. Reduced surface for middleware. after_tool_call hooks cannot mutate the model-visible tool output the way registerAgentToolResultMiddleware can — only the artifact bag. Workflow-correlation tagging into model-visible context is therefore not possible from an installed plugin today.

The hard side-step is bundling our plugin into the OpenClaw image, which tightens coupling between OpenClaw releases and the downstream platform release. We'd prefer not to do that just to escape an SDK gate.

Requested upstream primitive

An explicit, manifest-declared opt-in for both surfaces, available to installed plugins. Two equivalent shapes — either works, but manifest-field is preferred because it keeps the trust posture declarative and reviewable at install time:

Option A — manifest field on openclaw.plugin.json (preferred)

Two new optional contract fields, mirroring the existing contracts.tools[] pattern:

{
  "id": "bytedesk-workflow-harness",
  "contracts": {
    "tools": ["bytedesk_workflow_*"],
    "trustedToolPolicies": ["bytedesk-workflow"],
    "agentToolResultMiddleware": ["bytedesk-workflow"]
  }
}

Semantics:

• Each entry is a policy / middleware id the plugin promises to register at runtime.
• The gateway records the declaration at plugin discovery (before code load), exactly like contracts.tools[].
• At api.registerTrustedToolPolicy(id, ...) / api.registerAgentToolResultMiddleware(id, ...) call time, the gateway accepts the registration iff id appears in the matching manifest array.
• Undeclared policies/middleware continue to log the existing warning and skip registration — the existing bundled-plugin path is unchanged.

This matches the spirit of "if OpenClaw must know it before loading plugin code, put it in openclaw.plugin.json" from manifest.md.

Option B — gateway-config allowlist

Equivalent opt-in via gateway config rather than plugin manifest:

{
  plugins: {
    entries: {
      "bytedesk-workflow-harness": {
        enabled: true,
        trustedToolPolicy: true,
        agentToolResultMiddleware: true,
      },
    },
  },
}

Same runtime gate, decision lives in the operator's config instead of the plugin's manifest. Acceptable as a complement (operator override) but should not be the only opt-in path — manifest declarations are reviewable by openclaw plugins inspect before install.

Either option — ordering guarantee

Document the ordering relationship between installed-plugin trusted policies and bundled-plugin trusted policies. The downstream-useful semantics are:

• Bundled-plugin trusted policies run first (existing behavior).
• Installed-plugin trusted policies run next, in plugin-load order.
• Standard before_tool_call / after_tool_call hooks run last (existing behavior).

This preserves the host-trust default while giving installed plugins a slot that's strictly stronger than the public hook chain.

Out of scope for this FRD

• Letting installed plugins register registerNodeInvokePolicy host-trusted surfaces — separate trust posture, separate review.
• Letting installed plugins extend registerSessionExtension defaults — already allowed; just needs the namespace + description fields documented in hooks.md (BDP-1198 path A handled the local-side warning).
• Cross-plugin policy composition / merge rules — installed plugins each register their own id; collisions on id should be a load error, not a merge.

Docs locations to update upstream

If the primitive lands, the following files in openclaw/openclaw should pick up the opt-in surface in the same change:

File	What to add
docs/plugins/manifest.md	New contracts.trustedToolPolicies[] + contracts.agentToolResultMiddleware[] fields, alongside the existing contracts.tools[] row in the top-level schema table.
docs/plugins/building-plugins.md	A short "Trusted surfaces from installed plugins" section showing the manifest declaration + the api.registerTrustedToolPolicy(...) call, plus the ordering guarantee.
docs/plugins/hooks.md	Update the registerTrustedToolPolicy and registerAgentToolResultMiddleware reference rows to note the installed-plugin opt-in and link to the manifest section.
docs/cli/plugins.md	Update openclaw plugins inspect --runtime --json output description to surface declared trustedToolPolicies / agentToolResultMiddleware so operators can audit before enabling.

Downstream design we're holding back

ByteDesk's bytedesk-workflow-harness plugin currently ships the hook-based fallback in:

• bytedesk-openclaw/plugins/bytedesk-workflow-harness/src/harness/trusted-tool-policy.ts
• bytedesk-openclaw/plugins/bytedesk-workflow-harness/src/harness/tool-result-middleware.ts
• bytedesk-openclaw/plugins/bytedesk-workflow-harness/src/exec-policy/registry.ts

When the opt-in lands, each will prefer api.registerTrustedToolPolicy(...) / api.registerAgentToolResultMiddleware(...) and fall back to the hook chain only when the gate isn't configured — so we stay forward-compatible with older OpenClaw releases.

Why not just bundle the plugin

Bundling bytedesk-workflow-harness into the OpenClaw image side-steps the restriction but tightens coupling between every OpenClaw release and the workflow-harness release. The harness already targets a published pluginApi / minGatewayVersion range and ships its own lifecycle. The installed-plugin opt-in lets the host trust posture stay explicit without forcing the bundle.

Asked of upstream

• Confirm whether the bundled-only restriction on these two surfaces is a deliberate long-term trust posture or a default that predates installed-plugin maturity.
• If extending: pick Option A (manifest) or Option B (gateway config) — or accept both — and scope a single PR that adds the manifest fields, the runtime gate, and the docs updates listed above.
• If not extending: state that explicitly so downstream platforms can plan around bundling or hook-only fallbacks.

Companion ByteDesk artifacts

• BDP-1198 — landed Path A (cleared session-extension + nodeInvokePolicy warnings; trusted-policy + middleware fallbacks via hooks).
• BDP-1207 — this FRD; tracks the upstream ask.
• docs/workflow-harness.md — the workflow-harness design that motivates the ask (see "Trusted policy" + "Decorator" pattern rows).

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve. Reviewed May 28, 2026, 1:52 PM ET / 17:52 UTC.

Summary
Keep open. Current main still rejects installed plugins on both requested host-trusted registration paths, and changing that boundary needs an explicit plugin SDK/security decision rather than cleanup closure.

Reproducibility: yes. for the current limitation: source and tests show installed plugins are skipped for both registration calls unless they are bundled. No runtime repro was run because this is a read-only review, but the code path and asserted behavior are direct.

Next step
A maintainer should decide whether installed plugins may opt into these host-trusted SDK surfaces and which declaration path becomes the supported contract.

Security
Needs attention: The issue itself is security-sensitive because it proposes expanding installed-plugin access to host-trusted registration surfaces.

Review details

Best possible solution:

Make an explicit product/security decision first, then implement one narrow trusted-surface opt-in with schema, runtime gates, ordering and collision tests, inspect visibility, and public plugin docs.

Do we have a high-confidence way to reproduce the issue?

Yes for the current limitation: source and tests show installed plugins are skipped for both registration calls unless they are bundled. No runtime repro was run because this is a read-only review, but the code path and asserted behavior are direct.

Is this the best way to solve the issue?

Unclear until maintainers choose the trust model. A declarative manifest opt-in fits the existing manifest-contract pattern, but the API shape, operator override, ordering, and audit semantics need approval before a fix PR is safe.

AGENTS.md: found and applied where relevant.

Remaining risk / open question:

• Opening these registrations to installed plugins changes a host-trusted security boundary for pre-tool policy decisions and model-visible tool-result rewriting.
• The permanent contract needs maintainer decisions on manifest versus operator config, install-time auditability, runtime ordering, duplicate-id behavior, and docs/inspect output before implementation.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 2cde33177247.

Label changes

Label changes:

• add P2: The issue is a normal-priority plugin SDK feature with clear downstream impact but no current core regression or outage.
• add impact:security: The requested change affects host-trusted plugin surfaces that can influence tool execution policy and model-visible tool results.
• add issue-rating: 🦞 diamond lobster: Current issue advisory state selects this label.
• add clawsweeper:source-repro: Current issue advisory state selects this label.
• add clawsweeper:no-new-fix-pr: Current issue advisory state selects this label.
• add clawsweeper:fix-shape-clear: Current issue advisory state selects this label.
• add clawsweeper:needs-maintainer-review: Current issue advisory state selects this label.
• add clawsweeper:needs-product-decision: Current issue advisory state selects this label.
• add clawsweeper:needs-security-review: Current issue advisory state selects this label.

Label justifications:

• P2: The issue is a normal-priority plugin SDK feature with clear downstream impact but no current core regression or outage.
• impact:security: The requested change affects host-trusted plugin surfaces that can influence tool execution policy and model-visible tool results.

Evidence reviewed

Security concerns:

• [medium] Define the installed-plugin trust boundary before implementation — src/plugins/registry.ts:500
  Allowing installed plugins into pre-tool policy and pre-model tool-result rewriting needs explicit audit, ordering, and collision semantics so an installed plugin cannot silently gain broader host trust than intended.
  Confidence: 0.86

Acceptance criteria:

• After product approval, use node scripts/run-vitest.mjs src/agents/codex-app-server.extensions.test.ts src/plugins/contracts/host-hooks.contract.test.ts src/plugins/manifest.test.ts src/cli/plugins-authoring-command.test.ts for focused coverage.
• If SDK or lazy-loading surfaces change, use the repository build/check path required by AGENTS.md, preferably through Testbox for broad pnpm gates in this worktree.
• Validate public docs for manifest, hooks, building plugins, and CLI inspect output if those surfaces change.

What I checked:

• Repository policy read: Root AGENTS.md and scoped plugin/docs policy were read from the checkout; plugin SDK compatibility, manifest-first behavior, and product/security guidance affected the review. (AGENTS.md:1, 2cde33177247)
• Trusted policy gate is still bundled-only: registerTrustedToolPolicy returns an error diagnostic for any plugin whose origin is not bundled, matching the warning in the report. (src/plugins/registry.ts:1964, 2cde33177247)
• Tool result middleware gate is still bundled-only: registerAgentToolResultMiddleware rejects non-bundled plugin records before checking the declared runtime contract, so installed plugins cannot opt in today. (src/plugins/registry.ts:500, 2cde33177247)
• Current tests assert the opposite behavior: The Codex app-server extension test explicitly expects a non-bundled plugin to be rejected even when it declares contracts.agentToolResultMiddleware. (src/agents/codex-app-server.extensions.test.ts:147, 2cde33177247)
• Trusted policy tests reject external plugins: The host-hooks contract test expects external trusted policy registration to produce no trusted policy registrations and an error diagnostic. (src/plugins/contracts/host-hooks.contract.test.ts:125, 2cde33177247)
• Manifest contract is only partially present: The manifest schema already supports agentToolResultMiddleware, but it has no trustedToolPolicies contract field and the existing middleware contract remains bundled-only at runtime. (src/plugins/manifest.ts:396, 2cde33177247)

Likely related people:

• Peter Steinberger: Current local blame and file history for the registry, manifest, docs, and tests around these surfaces point to the current source import commit by this author. (role: recent area contributor; confidence: medium; commits: f8c8c0d41e1e; files: src/plugins/registry.ts, src/plugins/manifest.ts, src/agents/codex-app-server.extensions.test.ts)
• vincentkoc: The shipped changelog credits this contributor for the Plugin SDK tool-result transform migration that established the current registerAgentToolResultMiddleware plus manifest-contract path. (role: adjacent feature contributor; confidence: medium; commits: 27ae826f6525; files: CHANGELOG.md, docs/plugins/manifest.md, docs/plugins/sdk-overview.md)
• Devin Robison: Recent available history includes trusted-tool policy hardening work in the agent/tool execution path, which is adjacent to the host-trusted policy surface in this request. (role: adjacent trusted-tool contributor; confidence: low; commits: 52ef42302ead; files: src/agents/pi-tool-definition-adapter.ts, src/agents/pi-embedded-subscribe.handlers.tools.ts)

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[Countermarch]

Additional concrete evidence from the first-party Tokenjuice external install path on OpenClaw 2026.5.28 (e932160): the bundled-only registerAgentToolResultMiddleware gate is currently exposed to users as a broken official-plugin install flow, not only as a downstream platform limitation.

Observed flow:

1. Enable Tokenjuice in config with no installed Tokenjuice plugin files.
2. Run ordinary CLI/status commands.
3. OpenClaw warns that the plugin is not installed and recommends the official external install command:

plugins.entries.tokenjuice: plugin not installed: tokenjuice -- install the official external plugin with: openclaw plugins install @openclaw/tokenjuice

4. Install the official package:

openclaw plugins install @openclaw/tokenjuice --pin
openclaw gateway restart
openclaw plugins doctor

5. plugins doctor reports:

tokenjuice: only bundled plugins can register agent tool result middleware

The ClawHub route also installed successfully:

openclaw plugins install clawhub:@openclaw/tokenjuice --force --pin

but plugins doctor still reported the same bundled-only middleware diagnostic.

The installed package declares this contract in its manifest:

{
  "contracts": {
    "agentToolResultMiddleware": ["openclaw", "codex"]
  }
}

and its entrypoint registers middleware for those runtimes:

api.registerAgentToolResultMiddleware(createTokenjuiceAgentToolResultMiddleware(), {
  runtimes: ["openclaw", "codex"],
});

So the current host behavior is internally inconsistent for this official plugin:

• the config warning tells the operator to install @openclaw/tokenjuice externally;
• the official external package installs;
• the manifest declares contracts.agentToolResultMiddleware;
• the loader rejects the registration because the plugin origin is not bundled.

Expected outcomes would be one of:

• Tokenjuice ships/loads as a bundled plugin whenever plugins.entries.tokenjuice.enabled = true;
• official external Tokenjuice is allowed to register its declared agentToolResultMiddleware; or
• the warning/install guidance stops recommending an external install route that cannot satisfy the plugin's required contract.

Local containment was to install/copy Tokenjuice into the installed OpenClaw bundled extension tree so it loaded with origin: bundled, then remove the stale external install record. After registry refresh and gateway restart, openclaw plugins doctor reported no plugin issues and Tokenjuice loaded successfully.

Redactions: replaced local absolute paths with generic install/state descriptions and omitted machine names, account identifiers, chat ids, unrelated job counts, backup filenames, and process command lines.

[brokemac79]

I’m going to work on a focused PR for this.

Duplicate / competing PR scan before coding:

• No PR directly mentions FRD: installed-plugin opt-in for registerTrustedToolPolicy + registerAgentToolResultMiddleware #87735.
• Adjacent open PR Add capability manifest verifier plugin #88189 appears to add a bundled capability-manifest-verifier plugin, not this installed-plugin opt-in path.
• Adjacent open PR Plugin SDK: add text-only tool_result_before_model hook #64907 appears to add a separate tool_result_before_model hook, not this trusted registration gate.
• Related closed Tokenjuice issues ([Bug]: tokenjuice - main Codex bash results are not compacted #88537, tokenjuice tool-result middleware discards message tool results on codex runtime, breaking Signal/channel replies #82018, Bug: tool-result middleware discards nested toolResult blocks; message tool returns become 'Tool output unavailable due to post-processing error' #82912) are runtime/middleware-shape issues rather than this installed-plugin origin/contract gate.

I’ll keep the fix scoped to declared installed/official plugin contracts, with focused runtime/schema/docs coverage and proof before marking the PR ready.

[brokemac79]

i'm picking this up to do a PR