feat(gateway): wire coding tools into /tools/invoke HTTP surface

[simonusa]

Summary

• resolveGatewayScopedTools only included createOpenClawTools (gateway management tools); createOpenClawCodingTools (exec, edit, read, browser, etc.) was never wired in
• The official docs describe exec as blocked by the HTTP deny list by default — implying the intent was always for coding tools to be available on this surface, gated by gateway.tools.allow
• This PR completes that wiring: coding tools are now reachable via POST /tools/invoke, subject to the existing deny list and policy pipeline
• Dedup: gateway tools take precedence over coding tools of the same name

Root Cause

The deny list in DEFAULT_GATEWAY_HTTP_TOOL_DENY already included exec, spawn, apply_patch, etc. — designed to gate exactly these tools on the HTTP surface. But createOpenClawCodingTools was never passed to resolveGatewayScopedTools, so the deny list had nothing to gate: coding tools simply weren't present at all. The docs described the intended behavior; the implementation was incomplete.

What did NOT change

• Security posture: exec and other high-risk tools remain on DEFAULT_GATEWAY_HTTP_TOOL_DENY — blocked by default, require explicit gateway.tools.allow to enable
• Agent session runners: no change to how tools are wired for LLM agent runs
• Tool policy pipeline: coding tools pass through the same applyToolPolicyPipeline + deny-list as all other tools

Regression Test Plan

• Added createOpenClawCodingTools stub to the vi.mock("../agents/pi-tools.js") block in tools-invoke-http.test.ts — without this, all 22 existing tests failed with 500s (undefined function crash)
• Added new test: exposes coding tools via /tools/invoke when agent policy allows them — verifies a coding tool passes through policy + deny-list filtering and is callable via the HTTP surface

Tests  24 passed (24)  src/gateway/tools-invoke-http.test.ts

Evidence

Production motivation: a LangGraph orchestrator running ruff/bandit/tsc/npm via /tools/invoke in an OpenClaw container — eliminates ~240s LLM agent startup overhead per deterministic command call where no model reasoning is needed.

Human Verification

• npx vitest run src/gateway/tools-invoke-http.test.ts — 24/24 pass on a clean branch based on upstream/main
• Pre-commit hooks (tsgo, oxlint, lint:auth) passed

Relationship to existing PRs

• fix(gateway): deny nodes over HTTP tools invoke #55906 (fix(gateway): deny nodes over HTTP tools invoke) — orthogonal: restricts the surface; this PR expands it. Both coexist.
• fix(gateway): enforce owner-only tools in invoke API #55724 (fix(gateway): enforce owner-only tools in invoke API) — orthogonal: enforces owner-only policy. Our change passes senderIsOwner: true for HTTP bearer auth, consistent with that direction.

Risks and Mitigations

• Risk: operator enables exec via gateway.tools.allow without understanding the RCE surface
  Mitigation: exec is on DEFAULT_GATEWAY_HTTP_TOOL_DENY — explicit opt-in required; no behavior change for default installs
• Risk: dedup logic (gateway tools shadow coding tools of the same name) could suppress a tool unexpectedly
  Mitigation: gateway and coding tool names are disjoint in practice; merge order is documented in the code comment

Addresses #37131

[greptile-apps]

Greptile Summary

This PR completes the wiring of createOpenClawCodingTools into the /tools/invoke HTTP surface via resolveGatewayScopedTools. The previous review concerns — unintentional MCP loopback exposure and duplicate agentId resolution — are both addressed: coding tools are now gated behind surface === "http", and resolvedAgentId is computed once before both usages. The implementation, tests, and comments are clean.

Confidence Score: 5/5

Safe to merge — previous review concerns are addressed and no new P0/P1 issues remain.

Both prior concerns (MCP loopback exposure and duplicate agentId resolution) are fixed. The surface === 'http' guard is correct, dedup logic is sound, and all 24 tests pass. All remaining considerations are P2 or lower.

No files require special attention.

Vulnerabilities

No security concerns identified. High-risk coding tools (exec, spawn, apply_patch, etc.) remain on DEFAULT_GATEWAY_HTTP_TOOL_DENY and require explicit operator opt-in. The senderIsOwner: true passed at construction time is appropriate — it avoids double-gating at tool construction, while applyOwnerOnlyToolPolicy in tools-invoke-http.ts applies the real auth check against the actual bearer token. MCP loopback surface is correctly excluded from the expansion via the surface === "http" guard.

_{Reviews (2): Last reviewed commit: "feat(gateway): include coding tools in /..." | Re-trigger Greptile}

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: b73a50ce84

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 7cdd9b1ad8

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: ffed1dbccd

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[simonusa]

check-additional failure is pre-existing upstream lint debt unrelated to this PR:

lint:tmp:no-random-messaging — os.tmpdir() usage in extensions/active-memory, browser, memory-core, etc. (being addressed by #63902)
lint:tmp:channel-agnostic-boundaries — channel id literals in src/agents/acp-spawn.ts
lint:tmp:no-raw-channel-fetch — raw fetch() in extensions/browser/src/browser/client-fetch.ts
All three fail on the current upstream/main HEAD independently of this PR. This PR only touches src/gateway/tool-resolution.ts and src/gateway/tools-invoke-http.test.ts.

[clawsweeper]

Codex review: needs maintainer review before merge.

Summary
The PR adds a raw coding-tool factory, wires core coding primitives into Gateway direct tool resolution, expands the HTTP deny list, and updates focused tests, docs, and changelog.

Reproducibility: yes. Source inspection on current main shows the Gateway resolver only materializes createOpenClawTools, so a direct invoke request for a coding primitive such as read has no core coding tool to resolve.

Next step before merge
No narrow automated repair remains; the next action is maintainer approval for the Gateway direct execution/data surface expansion and any RPC/docs scope decision.

Security
Cleared: No concrete security or supply-chain defect was found; the expanded direct-invoke surface stays behind Gateway auth, tool policy, hook checks, and default denies for mutating/RCE-capable coding tools.

Review details

Best possible solution:

Land this after maintainer sign-off and a green targeted Gateway/Testbox changed gate, with explicit confirmation that the shared HTTP/RPC direct-invoke behavior and docs scope are intended.

Do we have a high-confidence way to reproduce the issue?

Yes. Source inspection on current main shows the Gateway resolver only materializes createOpenClawTools, so a direct invoke request for a coding primitive such as read has no core coding tool to resolve.

Is this the best way to solve the issue?

Yes for the code shape, subject to maintainer approval. The patch reuses the existing resolver, policy, hook, owner, and deny-list pipeline; gates coding-tool construction away from loopback; and avoids plugin/provider-gated tool re-entry in the raw factory.

Acceptance criteria:

• pnpm test src/gateway/tools-invoke-http.test.ts src/gateway/tools-invoke-http.cron-regression.test.ts
• pnpm test src/gateway/mcp-http.test.ts
• pnpm check:changed

What I checked:

• Current main lacks coding-tool wiring: On current main, resolveGatewayScopedTools builds its tool set from createOpenClawTools only, so coding primitives such as read/write/edit/exec/process are not materialized by this resolver. (src/gateway/tool-resolution.ts:89, a3f6f24b79a5)
• Direct invoke path already owns hook execution: invokeGatewayTool resolves tools with surface "http" and runs runBeforeToolCallHook before executing the selected tool, which supports using an unwrapped coding-tool factory for this surface. (src/gateway/tools-invoke-shared.ts:196, a3f6f24b79a5)
• Loopback resolver boundary exists on main: McpLoopbackToolCache calls the same resolver with surface "loopback" and its own native-tool exclude list, so the PR's surface gate is important to avoid expanding loopback unintentionally. (src/gateway/mcp-http.runtime.ts:43, a3f6f24b79a5)
• PR gates and dedupes coding tools: The PR patch constructs coding tools only when surface is "http", uses createOpenClawCodingToolsRaw, and appends only non-duplicate coding tools after Gateway tools so Gateway tools keep precedence. (src/gateway/tool-resolution.ts:126, 427c102e03a6)
• PR avoids double hook execution and plugin re-entry: The PR adds skipBeforeToolCallHook, disablePluginTools, and excludeProviderGatedTools options, and createOpenClawCodingToolsRaw forces those flags for the direct invoke surface. (src/agents/pi-tools.ts:906, 427c102e03a6)
• Default deny list is expanded for canonical mutating tools: Current main's default HTTP deny list already blocks exec/apply_patch and other high-risk names; the PR adds process, write, and edit to that list. (src/security/dangerous-tools.ts:9, a3f6f24b79a5)

Likely related people:

• steipete: Recent history ties this handle to Gateway tool resolution, HTTP auth/operator-boundary docs, and dangerous-tool policy centralization around this surface. (role: recent maintainer; confidence: high; commits: 13d1983ec7ba, cad1b89b262b, d94a981a3343; files: src/gateway/tool-resolution.ts, src/security/dangerous-tools.ts, docs/gateway/tools-invoke-http-api.md)
• vincentkoc: Recent path history shows typed Gateway tool-resolution work, plugin-tool denylist fixes, and docs updates for the /tools/invoke deny-list surface. (role: gateway resolver and docs maintainer; confidence: medium; commits: 00f256dd3163, 571d75aab351, b4ac69c6525b; files: src/gateway/tool-resolution.ts, src/security/dangerous-tools.ts, docs/gateway/tools-invoke-http-api.md)
• ai-hpc: Authored the recent SDK-facing tools.invoke RPC work that reuses the same shared invoke helper affected by this PR. (role: adjacent RPC owner; confidence: medium; commits: ef0eb126159f; files: src/gateway/tools-invoke-shared.ts, src/gateway/server-methods/tools-invoke.ts)
• jacobtomlinson: Prior merged work tightened HTTP tool invoke authorization and owner-only behavior in the same security boundary. (role: HTTP invoke hardening contributor; confidence: medium; commits: 29cb1e3c7edd; files: src/gateway/tools-invoke-http.ts, src/security/dangerous-tools.ts)

Remaining risk / open question:

• The PR intentionally expands direct tool access for authenticated Gateway callers, so product/security ownership approval is still needed even though high-risk mutating tools remain default-denied.
• Because the implementation lives in the shared invoke helper path, Gateway RPC tools.invoke inherits the coding-tool availability; maintainers should confirm that is intended or ask for docs follow-through.
• I did not execute tests in this read-only review; the verdict relies on source inspection, the PR patch, and the reported targeted/CI results in the discussion.

Codex review notes: model gpt-5.5, reasoning high; reviewed against a3f6f24b79a5.

[simonusa]

Pivoted to Option A per the clawsweeper review — coding tools are now constructed via a new createOpenClawCodingToolsRaw factory that returns the same tools unwrapped (no wrapToolWithBeforeToolCallHook applied).

Rationale: handleToolsInvokeHttpRequest already calls runBeforeToolCallHook itself before dispatch (tools-invoke-http.ts:267), so the HTTP surface stays the single hook-execution site. No changes to wrapper internals, no adjusted-params drain needed in the HTTP handler.

Implementation (~170 lines, 4 files):

• pi-tools.before-tool-call.ts: new BEFORE_TOOL_CALL_ORIGINAL_TOOL symbol + unwrapToolBeforeToolCallHook() helper
• pi-tools.ts: new createOpenClawCodingToolsRaw() — calls existing factory, unwraps each tool
• tool-resolution.ts: imports raw factory, builds coding tools alongside gateway tools, dedup with gateway tools taking precedence; preserves surface === "http" loopback guard
• tools-invoke-http.test.ts: 5 new regression tests

Tests cover the bot's specific concerns:

• coding-tool availability when allowlisted
• single before_tool_call execution (no double-fire)
• no adjusted-params retained after invoke
• deny-list still blocks unallowlisted coding tools
• loopback non-expansion preserved

Local test results: 90/90 pass on tools-invoke-http.test.ts. Container smoke test: read and exec coding tools reachable via POST /tools/invoke with HTTP 200 from both host and inside a docker network peer.

Force-pushed feat/tools-invoke-coding-tools-upstream. The branch now contains a single commit on top of current upstream/main.

[simonusa]

Addressed all 3 clawsweeper review findings (force-pushed).

[P1] Canonical mutating tools added to default HTTP deny list
src/security/dangerous-tools.ts — write, edit, process now deny-listed alongside the existing exec, apply_patch, fs_* entries. Operators must opt in via gateway.tools.allow to expose them.

[P2] Coding-tool construction gated to surface === "http"
src/gateway/tool-resolution.ts — surface is resolved before the construction call; createOpenClawCodingToolsRaw now returns [] for loopback. Loopback tool surface is unchanged. Verified with the existing mcp-http.test.ts suite (57/57 pass).

[P2] Unwrap path replaced with explicit skip flag
The bot was right that the symbol-based unwrap couldn't work for exec/process — applyDeferredFollowupToolDescriptions spreads them into new objects, dropping symbol-keyed metadata regardless of enumerability. Fixed by adding skipBeforeToolCallHook?: boolean to createOpenClawCodingTools's options. createOpenClawCodingToolsRaw now calls it with skipBeforeToolCallHook: true so wrap is never applied in the first place. The unwrapToolBeforeToolCallHook helper and BEFORE_TOOL_CALL_ORIGINAL_TOOL symbol were removed (no longer needed).

New regression tests:

• canonical mutating tools (write, edit, process) blocked by default — HTTP 404
• canonical mutating tools (write) allowed when gateway.tools.allow opts in — HTTP 200
• coding-tool mock now uses canonical names (read, write, edit, process) instead of read_file to exercise the real deny-list paths
• existing mcp-http.test.ts covers loopback non-expansion (no changes needed there since coding tools are now construction-gated)

Test results: 156/156 pass across tools-invoke-http.test.ts (29) + tools-invoke-http.cron-regression.test.ts (9) + mcp-http.test.ts (57) + their dependent suites.

Net diff: 5 files, +202 / -16 lines.

Re-review progress:

• State: Complete
• Detail: The targeted re-review finished, the durable review comment was updated, and the synced verdict was routed.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/25338116788
• Updated: 2026-05-04T19:17:33.878Z

[simonusa]

Friendly ping — this PR has been ready for review for a few days now:

• ✅ All 3 clawsweeper review findings addressed (P1 deny-list expansion, P2 surface-gating, P2 unwrap mechanism via in-place flag)
• ✅ CI: 76/76 green, no failures
• ✅ Mergeable, no conflicts with current main
• ✅ Latest bot verdict is clawsweeper-verdict:needs-human (no findings)

@steipete — flagging you since you've recently maintained the gateway tool-resolution and tools-invoke surfaces (e.g. fix: keep core gateway tool invokes on shipped tools, refactor: type tool resolution paths, and the recent fix(gateway): invoke plugin-backed catalog tools). This PR is in the same area and uses the same surface-gating pattern (params.surface === "http").

Happy to address any further feedback. Thanks!

[simonusa]

Addressed all clawsweeper review findings; current head is d5393cf6e8 (rebased onto current main to clear unrelated upstream check-dependencies drift on extensions/mattermost).

[P2] Plugin suppression — Added disablePluginTools flag to createOpenClawCodingTools that skips both the listChannelAgentTools(...) and createOpenClawTools(...) plugin spreads. createOpenClawCodingToolsRaw() always sets it, so the resolver's core-only intent is honored end-to-end.

[P2] Provider-gated tools — Added excludeProviderGatedTools flag that drops apply_patch at construction time (since /tools/invoke has no session-bound model context, allowlisting apply_patch would silently produce nothing). Documented this caveat in the deny-list entry.

[P3] Docs + changelog — Updated docs/gateway/tools-invoke-http-api.md to list process/write/edit in the deny list, added a "Coding tools available via HTTP" section explaining the surface, and added an Unreleased changelog entry.

Local tests on the private fork: 99/99 in tools-invoke-http.test.ts + cron-regression.test.ts pass. CI green on this branch (79/79).

[simonusa]

Rebased onto current main (head edddb07f20); new SHA 427c102e03. Conflicts in pi-tools.ts (hook-wrap block + includeCoreTools interaction added by #74804) and CHANGELOG resolved with no semantic change from d5393cf6e8. Local: 65/65 pass on tools-invoke-http, cron-regression, mcp-http, and pi-tools.before-tool-call.embedded-mode. CI green (86 pass). Clawsweeper re-reviewed in-place against 427c102e03: needs-human, security cleared, no findings.

@steipete — bot lists you as primary reviewer; the only remaining gate per its summary is maintainer approval for exposing core coding primitives over authenticated HTTP. Concrete question: is the proposed surface acceptable in principle?

• read — default-allowed
• write / edit / exec / process — default-denied; require explicit opt-in via gateway.tools.allow
• apply_patch — excluded entirely (no session model context on this surface)

The PR is complete as-is and ready to merge if the answer is yes. If exec/process on HTTP feels like too much surface even with default-deny, I can split this into a read-only PR for immediate merge and follow up with the mutating tools in a separate PR — just let me know which path you'd prefer.