[Bug]: CLI backend (claude-cli) loopback MCP bridge NATIVE_TOOL_EXCLUDE contaminates session tool policy — affects subagent spawn, tool inheritance, and policy introspection

[shadow-enthusiast]

Describe the bug

When a session runs on a claude-cli backend, the loopback MCP bridge excludes native tools (read, write, edit, apply_patch, exec, process) via NATIVE_TOOL_EXCLUDE to avoid duplicating tools the harness provides natively. However, these exclusions are merged into the session's explicitDenylist in resolveGatewayScopedTools() alongside real policy denies, making them indistinguishable.

This has cascading effects beyond the ACP spawn issue (filed separately):

1. Subagent capability resolution sees the caller as having tool denies that don't actually exist as policy
2. inheritedToolDenylist propagates dedup exclusions to all child sessions (subagent and ACP)
3. Tool policy introspection (e.g., resolveToolProfilePolicy) reports false denies for CLI-backend sessions
4. Any future feature that reads explicitDenylist or inheritedToolDenylist will be affected

The design gap

There are two semantically different reasons to exclude a tool from a session's tool set:

Reason	Source	Should inherit?	Should block ACP?
Policy deny	Config, sender, agent, group policy	Yes	Yes
Dedup exclusion	Loopback MCP bridge (NATIVE_TOOL_EXCLUDE)	No	No

Currently both flow through the same { deny: [...] } policy object and end up in the same explicitDenylist array. The tool-resolution.ts resolver has no way to tell them apart.

Affected code path

mcp-http.runtime.ts:  excludeToolNames: NATIVE_TOOL_EXCLUDE
         ↓
tool-resolution.ts:   params.excludeToolNames → { deny: excludedToolNames }
                      → merged into explicitDenylist
                      → copied to inheritedToolDenylist
         ↓
acp-spawn.ts:         findAcpUnsupportedInheritedToolDeny() → BLOCKED
subagent-capabilities.ts: inherits false denies

Suggested approach

Separate the two exclusion types at the resolveGatewayScopedTools level:

• excludeToolNames should filter the current session's tool array only (as it does now)
• excludeToolNames should not contribute to explicitDenylist or inheritedToolDenylist
• Alternatively, introduce a scope or reason field on deny entries so downstream consumers can distinguish policy from dedup

Impact

• Any user running OpenClaw with a claude-cli backend as their primary model cannot spawn ACP sessions from chat (the most natural workflow)
• Workaround: temporarily switch to an API-backed model before spawning ACP, then switch back — functional but defeats the purpose of having a default model

Environment

• OpenClaw version: 2026.5.28
• Relevant source: tool-resolution.ts, mcp-http.runtime.ts, inherited-tool-deny.ts

[shadow-enthusiast]

Related: #89241 (the concrete ACP-spawn symptom of this design gap).

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve. Reviewed June 1, 2026, 6:12 PM ET / 22:12 UTC.

Summary
Keep open: current main and the latest release still conflate loopback MCP native-tool dedup exclusions with inherited policy denies, so the reported ACP/subagent policy contamination remains source-reproducible.

Reproducibility: yes. Source inspection shows loopback excludeToolNames still flows into explicitDenylist, then inheritedToolDenylist, and ACP rejects those inherited command-tool denies; I did not run a live claude-cli/ACP session.

Next step
This is a narrow source-reproducible bug with clear affected files and no required product/config decision.

Review details

Best possible solution:

Split loopback dedup exclusions from policy denies in the gateway scoped-tool resolver while preserving real configured/inherited deny propagation and current-session tool filtering.

Do we have a high-confidence way to reproduce the issue?

Yes. Source inspection shows loopback excludeToolNames still flows into explicitDenylist, then inheritedToolDenylist, and ACP rejects those inherited command-tool denies; I did not run a live claude-cli/ACP session.

Is this the best way to solve the issue?

Yes. The requested direction is the narrow maintainable fix: keep excludeToolNames as current-session filtering only and keep real policy denies inheritable.

AGENTS.md: found and applied where relevant.

Remaining risk / open question:

• Live claude-cli plus ACP runtime reproduction was not run during this read-only review, so the finding is source-reproducible rather than runtime-reproduced.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 646df2da83df.

Label changes

Label changes:

• add P1: The issue reports a broken agent workflow where claude-cli-backed sessions cannot spawn ACP children despite no configured tool-deny policy.
• add impact:session-state: The reported bug propagates false inherited tool-deny state into child session capability and policy handling.
• add impact:auth-provider: The failure depends on the selected model/runtime backend, so provider/runtime selection changes the available spawn behavior.
• add issue-rating: 🦞 diamond lobster: Current issue advisory state selects this label.
• add clawsweeper:source-repro: Current issue advisory state selects this label.
• add clawsweeper:queueable-fix: Current issue advisory state selects this label.
• add clawsweeper:fix-shape-clear: Current issue advisory state selects this label.

Label justifications:

• P1: The issue reports a broken agent workflow where claude-cli-backed sessions cannot spawn ACP children despite no configured tool-deny policy.
• impact:auth-provider: The failure depends on the selected model/runtime backend, so provider/runtime selection changes the available spawn behavior.
• impact:session-state: The reported bug propagates false inherited tool-deny state into child session capability and policy handling.

Evidence reviewed

Acceptance criteria:

• node scripts/run-vitest.mjs src/gateway/tool-resolution.test.ts src/agents/tools/sessions-spawn-tool.test.ts
• node scripts/run-vitest.mjs src/agents/agent-tools.policy.test.ts

What I checked:

• Current resolver source: excludeToolNames is converted into a deny entry in explicitDenylist, then copied into inheritedToolDenylist. (src/gateway/tool-resolution.ts:117, 646df2da83df)
• Current loopback source: The MCP loopback bridge passes the native tool dedup set as excludeToolNames. (src/gateway/mcp-http.runtime.ts:12, 646df2da83df)
• Current ACP guard source: ACP spawn rejects inherited denies covering apply_patch, edit, exec, process, read, or write, matching the loopback native-tool exclusion set. (src/agents/inherited-tool-deny.ts:5, 646df2da83df)
• Spawn consumer source: sessions_spawn checks opts.inheritedToolDenylist before dispatching ACP spawns, producing the reported forbidden path when that list contains a native command tool. (src/agents/tools/sessions-spawn-tool.ts:319, 646df2da83df)
• Latest release provenance: The same excludeToolNames to explicitDenylist to inheritedToolDenylist shape is present in v2026.5.28, matching the version in the report. (src/gateway/tool-resolution.ts:117, e93216080aa1)
• History provenance: Current blame for the affected resolver, loopback exclusion, and ACP inherited-deny helper points to commit 26e61b2087; deeper local history is grafted around these paths. (src/gateway/tool-resolution.ts:117, 26e61b208707)

Likely related people:

• Vincent Koc: Current blame for the affected gateway resolver, loopback exclusion, and inherited ACP deny helper points to commit 26e61b2087 in this checkout. (role: recent area contributor; confidence: medium; commits: 26e61b2087; files: src/gateway/tool-resolution.ts, src/gateway/mcp-http.runtime.ts, src/agents/inherited-tool-deny.ts)

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[steipete]

Fixed in PR #88946 on branch inference via commit 9e1e9aadb9.

What changed:

• resolveGatewayScopedTools() still filters excludeToolNames from the loopback MCP tool array, but those native-tool dedup exclusions no longer enter explicitDenylist or inheritedToolDenylist.
• real policy denies, including gateway.tools.deny, still flow into plugin policy and child-session inheritance.

Proof:

• node scripts/run-vitest.mjs src/gateway/tool-resolution.exclude.test.ts src/gateway/tool-resolution.test.ts passed: 2 files, 6 tests.
• node scripts/run-vitest.mjs src/agents/tools/sessions-spawn-tool.test.ts passed: 1 file, 52 tests.
• node scripts/run-oxlint.mjs --tsconfig config/tsconfig/oxlint.core.json src/gateway/tool-resolution.ts src/gateway/tool-resolution.exclude.test.ts src/gateway/tool-resolution.test.ts src/agents/tools/sessions-spawn-tool.test.ts passed.
• node scripts/run-tsgo.mjs -p tsconfig.core.json --incremental false passed.
• git diff --check passed.
• final autoreview was clean.

Leaving this open until #88946 lands.