[Bug]: ACP spawn fails with "requester denies apply_patch" when caller session uses claude-cli backend (loopback MCP dedup leaks into inherited deny)

[shadow-enthusiast]

Describe the bug

When the caller session runs on a claude-cli backend (any model with agentRuntime: claude-cli), spawning an ACP child via sessions_spawn({ runtime: "acp" }) is rejected:

runtime="acp" is unavailable because the requester denies apply_patch.
Use runtime="subagent".

No tool deny policy is configured — the deny originates from the loopback MCP bridge dedup list (NATIVE_TOOL_EXCLUDE) being treated as an inherited policy deny.

Root cause (source trace)

1. mcp-http.runtime.ts defines NATIVE_TOOL_EXCLUDE = {read, write, edit, apply_patch, exec, process} — tools the CLI harness provides natively, excluded from the MCP loopback bridge to avoid duplicates.

2. tool-resolution.ts (resolveGatewayScopedTools) receives these via params.excludeToolNames and merges them into explicitDenylist:

   excludedToolNames.length > 0 ? { deny: excludedToolNames } : void 0

3. The same function then copies the full denylist into inheritedToolDenylist:

   const inheritedToolDenylist = [...explicitDenylist];

4. acp-spawn.ts calls findAcpUnsupportedInheritedToolDeny(ctx.inheritedToolDenylist), which checks against ACP_UNSUPPORTED_INHERITED_TOOL_DENY — a list that includes apply_patch, edit, exec, process, read, write (all present in NATIVE_TOOL_EXCLUDE).

5. Result: ACP spawn is hard-blocked because the dedup exclusion list is indistinguishable from a security policy deny.

Why this is a bug

NATIVE_TOOL_EXCLUDE is a deduplication optimization — the CLI harness already provides these tools natively, so the loopback bridge doesn't re-expose them. This is not a security restriction and should not be inherited by child sessions.

PR #80979 (2026-05-13, "Inherit tool restrictions for delegated sessions") introduced inheritedToolDenylist propagation. The intent was correct (inherit real policy denies), but the implementation doesn't distinguish dedup exclusions from policy denies.

Steps to reproduce

1. Configure a model with agentRuntime: claude-cli (e.g., anthropic/claude-opus-4-8 via CLI backend)
2. Set the session model to that CLI-backed model
3. Attempt sessions_spawn({ runtime: "acp", agentId: "claude", task: "echo test" })
4. Observe: spawn rejected with requester denies apply_patch

Switching to any API-backed model (e.g., litellm/claude-opus-4-6) on the same session and retrying — succeeds immediately. No config changes needed.

Expected behavior

ACP spawn should succeed regardless of whether the caller session uses a CLI backend or an API backend, as long as no explicit tool deny policy is configured.

Actual behavior

ACP spawn is blocked when the caller uses any claude-cli backend model.

Suggested fix

In tool-resolution.ts, excludeToolNames (loopback dedup) should not be included in inheritedToolDenylist. They should only filter the current session's tool set:

// Current (broken):
const inheritedToolDenylist = [...explicitDenylist];

// Proposed: separate dedup exclusions from policy denies
const inheritedToolDenylist = [...policyOnlyDenylist]; // without excludeToolNames

Environment

• OpenClaw version: 2026.5.28
• OS: Debian 13 (arm64)
• CLI backend: Claude Code 2.1.157
• ACP backend: acpx

[shadow-enthusiast]

Broader design discussion: #89242 (NATIVE_TOOL_EXCLUDE contaminating session tool policy scope).

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve. Reviewed June 1, 2026, 6:09 PM ET / 22:09 UTC.

Summary
Keep open: current main and the latest release still contain the reported deny-contamination path, and the same author has an open broader tracking issue for the shared tool-policy scope problem. This concrete ACP symptom should be resolved with that broader fix path, not swept closed now.

Reproducibility: yes. by source inspection: current main routes loopback native-tool exclusions into inherited denies, and ACP rejects inherited denies containing apply_patch. I did not run the live claude-cli and ACP setup.

Next step
The bug is valid and likely small, but it is paired with an open broader same-author policy-scope issue and touches delegated-session tool security, so maintainer routing should decide the canonical fix path first.

Security
Needs attention: The issue is security-sensitive because the fix must distinguish dedup exclusions from real caller tool restrictions without widening delegated-session permissions.

Review details

Best possible solution:

Separate loopback dedup exclusions from real inherited tool policy in gateway tool resolution, add regression coverage for CLI loopback ACP spawn and policy introspection, and coordinate the fix with #89242.

Do we have a high-confidence way to reproduce the issue?

Yes by source inspection: current main routes loopback native-tool exclusions into inherited denies, and ACP rejects inherited denies containing apply_patch. I did not run the live claude-cli and ACP setup.

Is this the best way to solve the issue?

The suggested direction is likely the best narrow fix: keep loopback exclusions as current-surface filtering only while preserving inheritance for real policy denies. Because the same-author broader issue remains open, maintainers should coordinate this symptom with that shared resolver fix instead of closing it now.

AGENTS.md: found and applied where relevant.

Remaining risk / open question:

• I did not run a live claude-cli plus ACP scenario, so the runtime proof still needs a focused repro or regression test before landing a fix.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 646df2da83df.

Label changes

Label changes:

• add P1: A shipped delegated-session workflow is blocked for users whose active model runs through the claude-cli backend.
• add impact:security: The issue is about command/file tool policy inheritance, which is a security boundary for delegated sessions.
• add impact:auth-provider: The failure is triggered by the selected model runtime/backend, so provider/runtime choice changes whether ACP spawn works.
• add issue-rating: 🦞 diamond lobster: Current issue advisory state selects this label.
• add clawsweeper:source-repro: Current issue advisory state selects this label.
• add clawsweeper:no-new-fix-pr: Current issue advisory state selects this label.
• add clawsweeper:fix-shape-clear: Current issue advisory state selects this label.
• add clawsweeper:needs-maintainer-review: Current issue advisory state selects this label.
• add clawsweeper:needs-security-review: Current issue advisory state selects this label.

Label justifications:

• P1: A shipped delegated-session workflow is blocked for users whose active model runs through the claude-cli backend.
• impact:security: The issue is about command/file tool policy inheritance, which is a security boundary for delegated sessions.
• impact:auth-provider: The failure is triggered by the selected model runtime/backend, so provider/runtime choice changes whether ACP spawn works.

Evidence reviewed

Security concerns:

• [medium] Keep real inherited denies intact — src/gateway/tool-resolution.ts:129
  The contaminated path is in tool-policy inheritance; a fix that simply drops denies for ACP would restore availability but could weaken the security hardening added for delegated sessions.
  Confidence: 0.86

Acceptance criteria:

• node scripts/run-vitest.mjs src/gateway/tool-resolution.test.ts src/gateway/mcp-http.test.ts src/agents/tools/sessions-spawn-tool.test.ts
• Focused live or harness repro: claude-cli-backed caller session invokes sessions_spawn with runtime="acp" and no explicit deny policy.

What I checked:

• Repository policy applied: Root and scoped gateway/agent AGENTS.md files were read; the relevant guidance treats gateway, agent, session, provider, and tool-policy surfaces as compatibility/security-sensitive review paths. (AGENTS.md:1, 646df2da83df)
• Loopback dedup source: Current main defines the loopback native tool exclusion set with read, write, edit, apply_patch, exec, and process, then passes it as excludeToolNames into gateway tool resolution. (src/gateway/mcp-http.runtime.ts:12, 646df2da83df)
• Current policy contamination path: Current main merges excludeToolNames into explicitDenylist and copies that full list into inheritedToolDenylist, so loopback dedup exclusions become inherited policy-like denies for spawned sessions. (src/gateway/tool-resolution.ts:129, 646df2da83df)
• ACP rejection path: ACP spawn rejects inherited denies that include command/file tools and formats the exact requester-denies error reported here. (src/agents/inherited-tool-deny.ts:57, 646df2da83df)
• Existing regression coverage gap: Current tests assert that inherited command-tool denies block ACP, but the inspected resolver tests do not cover the distinct case where loopback excludeToolNames should filter only the current MCP surface without inheriting into child policy. (src/agents/tools/sessions-spawn-tool.test.ts:593, 646df2da83df)
• Shipped behavior check: The same excludeToolNames to inherited deny path and ACP inherited-deny rejection are present in latest release tag v2026.5.28, so this is not already fixed in the latest release. (src/gateway/tool-resolution.ts:126, e93216080aa1)

Likely related people:

• pgondhi987: Merged PR Inherit tool restrictions for delegated sessions [AI] #80979 added inherited deny propagation through gateway tool resolution and ACP/session spawn rejection paths. (role: introduced inherited tool propagation; confidence: high; commits: 6c918ca85fc6; files: src/gateway/tool-resolution.ts, src/agents/inherited-tool-deny.ts, src/agents/tools/sessions-spawn-tool.ts)
• steipete: Commit history shows the MCP loopback runtime and NATIVE_TOOL_EXCLUDE set were introduced in the gateway loopback refactor. (role: introduced MCP loopback runtime path; confidence: high; commits: 25b069a6f3cd; files: src/gateway/mcp-http.runtime.ts, src/gateway/mcp-http.ts)
• Vincent Koc: Current blame on the relevant gateway and inherited-deny files points to a recent main rewrite/refactor snapshot touching the same files, making this person a reasonable routing candidate for current-main context. (role: recent area contributor; confidence: medium; commits: 26e61b208707; files: src/gateway/tool-resolution.ts, src/gateway/mcp-http.runtime.ts, src/agents/inherited-tool-deny.ts)

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[steipete]

Fixed in PR #88946 on branch inference via commit 9e1e9aadb9.

This is the concrete ACP symptom of #89242. excludeToolNames from the loopback MCP native-tool dedup path now filters only the current loopback tool list; it no longer becomes an inherited deny containing apply_patch, read, write, exec, or process. Real policy denies still inherit.

Proof:

• node scripts/run-vitest.mjs src/gateway/tool-resolution.exclude.test.ts src/gateway/tool-resolution.test.ts passed: 2 files, 6 tests.
• node scripts/run-vitest.mjs src/agents/tools/sessions-spawn-tool.test.ts passed: 1 file, 52 tests.
• node scripts/run-oxlint.mjs --tsconfig config/tsconfig/oxlint.core.json src/gateway/tool-resolution.ts src/gateway/tool-resolution.exclude.test.ts src/gateway/tool-resolution.test.ts src/agents/tools/sessions-spawn-tool.test.ts passed.
• node scripts/run-tsgo.mjs -p tsconfig.core.json --incremental false passed.
• git diff --check passed.
• final autoreview was clean.

Leaving this open until #88946 lands.