fix(agents): enforce subagent envelope inheritance on ACP child sessions [AI-assisted]

[pgondhi987]

Summary

• Problem: ACP child sessions (agent:{id}:acp:{uuid}) were not recognized as subagent-envelope sessions by isSubagentSessionKey, so subagent tool policy, spawn-depth caps, per-parent child caps, and the subagents.allowAgents target allowlist were all skipped for ACP children spawned from within a subagent envelope.
• Why it matters: A restricted subagent could spawn an ACP child and regain access to tools blocked by the subagent deny list (e.g. sessions_send, agents_list), and bypass depth/child/allowlist caps — all while still running inside the same trusted gateway.
• What changed: Introduced isSubagentEnvelopeSession (replacing bare isSubagentSessionKey in three tool-policy call sites) to transitively detect ACP sessions parented by a subagent envelope via the spawnedBy chain. Added resolveAcpSubagentEnvelopeState to run depth, child-count, and allowAgents checks on the ACP spawn path and patch spawnDepth/subagentRole/subagentControlScope onto the child session record. Extracted DEFAULT_SUBAGENT_MAX_CHILDREN_PER_AGENT constant.
• What did NOT change: No changes to isSubagentSessionKey itself, ACP approval/allowlist classification, sandbox inheritance, per-sender authorization checks, or acp.allowedAgents default behavior.

Change Type (select all)

• Bug fix
• Security hardening

Scope (select all touched areas)

• Gateway / orchestration
• Skills / tool execution

Linked Issue/PR

• This PR fixes a bug or regression

Root Cause (if applicable)

• Root cause: isSubagentSessionKey matches only keys with a subagent: rest segment. ACP child keys use acp:{uuid} and fell through, so pi-tools.ts, effective-tool-policy.ts, and gateway/tool-resolution.ts all skipped resolveSubagentToolPolicyForSession for them. The ACP spawn path in acp-spawn.ts also never ran the depth/child/allowAgents guards from subagent-spawn.ts.
• Missing detection / guardrail: No classification check or spawn-time guard for the ACP child case — the subagent path and ACP path shared no common enforcement point.
• Contributing context: Same inheritance-drift pattern as prior sandbox inheritance fixes — same ACP spawn call site, different boundary (subagent envelope rather than sandbox).

Regression Test Plan (if applicable)

• Coverage level that should have caught this:
  • Unit test
  • Seam / integration test
• Target test or file: src/agents/acp-spawn.test.ts, src/agents/pi-tools.create-openclaw-coding-tools.test.ts
• Scenario the test should lock in: ACP children spawned from a subagent session receive the subagent tool policy and are rejected when depth/child/allowAgents caps are exceeded.
• Why this is the smallest reliable guardrail: The spawn path and tool-policy gate are both exercised directly; no runtime or channel infrastructure required.
• Existing test that already covers this (if any): None — new cases added.

User-visible / Behavior Changes

• ACP children spawned from within a subagent envelope now inherit the subagent tool deny list. This is a restriction tightening, not a new permission.
• subagents.maxSpawnDepth, subagents.maxChildrenPerAgent, and subagents.allowAgents now apply to ACP spawns from subagent sessions (previously they applied only to runtime="subagent" spawns).
• DEFAULT_SUBAGENT_MAX_CHILDREN_PER_AGENT is now an exported constant (default value unchanged: 5).

Security Impact (required)

• New permissions/capabilities? No
• Secrets/tokens handling changed? No
• New/changed network calls? No
• Command/tool execution surface changed? Yes — tool deny lists now also apply to ACP child sessions parented by a subagent envelope. This restricts the tool surface for that session class; it does not expand it.
• Data access scope changed? No

Repro + Verification

Environment

• OS: Linux (Ubuntu)
• Runtime: Node 22
• Model/provider: N/A (unit tests only)
• Integration/channel: N/A

Steps

1. pnpm install
2. pnpm test src/agents/acp-spawn.test.ts
3. pnpm test src/agents/pi-tools.create-openclaw-coding-tools.test.ts
4. pnpm tsgo:prod

Expected

• All new test cases pass: depth rejection, child-cap rejection, allowAgents rejection, envelope field inheritance, ACP-child tool policy restriction.

Actual

• All tests pass on branch HEAD.

Evidence

• Failing test/log before + passing after — four new acp-spawn.test.ts cases and one new pi-tools integration case, all green on branch.

Human Verification (required)

⚠️ AI-assisted PR — generated by OpenAI Codex, reviewed by Claude Code. No human runtime verification was performed.

• Verified scenarios: Static analysis and unit test review confirm the three tool-policy call sites and the spawn-time gate are consistent with each other and with the prior subagent-spawn path.
• Edge cases checked: Non-subagent ACP sessions (plain ACP, not under a subagent envelope) are unaffected — isSubagentEnvelopeSession returns false for them and the spawn-time gate exits early.
• What you did not verify: Live gateway session, end-to-end channel round-trip, macOS app smoke.

Review Conversations

• I replied to or resolved every bot review conversation I addressed in this PR.
• I left unresolved only the conversations that still need reviewer or maintainer judgment.

Compatibility / Migration

• Backward compatible? Yes — restriction tightening only; no API or config surface removed.
• Config/env changes? No
• Migration needed? No

Risks and Mitigations

• Risk: ACP children of subagents that previously had unrestricted tool access will now receive the deny list. Operators relying (intentionally or not) on the old behavior may see tool calls blocked.
  • Mitigation: The change matches the documented contract for subagent envelopes. No operator-visible config change is required. The fix aligns ACP spawn with runtime="subagent" spawn behavior.

[greptile-apps]

Greptile Summary

This PR closes a security gap where ACP child sessions (agent:{id}:acp:{uuid}) spawned from within a subagent envelope were not subject to the subagent tool deny list, depth caps, per-parent child caps, or the allowAgents target allowlist. The fix introduces isSubagentEnvelopeSession (backed by a spawnedBy-chain traversal in isStoredSubagentEnvelopeSession) and resolveAcpSubagentEnvelopeState, applying them consistently across all three tool-policy call sites and the ACP spawn path. Prior review concerns about redundant store reads were addressed in an earlier commit on this branch.

Confidence Score: 5/5

Safe to merge — the restriction tightening is correct and the logic is consistent with the existing subagent-spawn path.

All three tool-policy call sites and the ACP spawn path have been updated symmetrically. The isStoredSubagentEnvelopeSession traversal correctly handles direct subagent keys (early return), ACP keys with patched subagent fields, and ACP keys reachable via the spawnedBy chain — with a cycle guard. Depth, child-count, and allowAgents enforcement in resolveAcpSubagentEnvelopeState mirrors the existing spawnSubagentDirect guards. The previously flagged store-read concerns were resolved in an earlier commit. No remaining findings rise above P2.

No files require special attention.

_{Reviews (2): Last reviewed commit: "address build faiure" | Re-trigger Greptile}

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: bac38bfb04

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[martingarramon]

Security reasoning is sound — ACP children bypassing the subagent deny list + depth/child/allowAgents caps is a real gap, and the isSubagentEnvelopeSession + spawnedBy-chain traversal (with visited-set for cycle safety) is the right shape. Test coverage across the three tool-policy call sites and the ACP spawn gate is solid.

Two blockers + one concern on the hot path before this can land.

1. BLOCKER — TS2345 at src/agents/acp-spawn.ts:267

CI check-additional-extension-surfaces + cascades are red on:

src/agents/acp-spawn.ts(267,36): error TS2345: Argument of type 'string | undefined' is not assignable to parameter of type 'string'.
Type 'undefined' is not assignable to type 'string'.

The Boolean(childSessionKey) && !trackedChildSessionKeys.has(childSessionKey) pattern fails because Boolean(...) in TypeScript returns boolean but does NOT narrow the surrounding scope — so childSessionKey stays string | undefined when passed to Set.has(value: string). Drop the Boolean() wrapper; a plain truthy check narrows:

childSessionKey && !trackedChildSessionKeys.has(childSessionKey)

(Or typeof childSessionKey === "string" if you want to be explicit.) pnpm tsgo:prod doesn't run the plugin-sdk boundary dts check that caught this; pnpm build does. Running pnpm build locally before push would have surfaced it.

2. BLOCKER — Architectural boundary violation: task-boundaries.test.ts

FAIL src/tasks/task-boundaries.test.ts > task boundaries > keeps direct task-registry imports behind the approved task access seams
AssertionError: expected [ 'agents/acp-spawn.ts', …(3) ] to deeply equal [ 'tasks/runtime-internal.ts', …(2) ]

The new import { listTasksForOwnerKey } from "../tasks/task-registry.js" in acp-spawn.ts crosses an architectural boundary that the codebase enforces via task-boundaries.test.ts. Two options:

• If the direct import is intentional (e.g., security hardening justifies a new seam through task-registry): update the test's approved-seam allowlist to include agents/acp-spawn.ts and note the rationale in the same commit. The test explicitly expects changes to come with a paired allowlist update.
• If the call can route through an existing approved accessor (tasks/runtime-internal.ts or similar): prefer that — keeps the boundary narrow and matches the existing subagent-spawn path's lookup approach.

Worth flagging to a maintainer which side they prefer before pushing — the boundary test exists to force that conversation.

3. Greptile P2 is valid — hot-path store reads

Greptile flagged that isSubagentEnvelopeSession now reads the session store from three tool-policy call sites (pi-tools.ts:393, effective-tool-policy.ts:137, gateway/tool-resolution.ts:64-66) that were previously pure string checks. For non-subagent ACP sessions (the common case), every resolveGatewayScopedTools call now pays an extra store read that returns undefined and is discarded.

Two cheap options:

• Pass a pre-loaded store handle through callers that already have one, so the recursive spawnedBy traversal re-uses the same in-memory map instead of issuing fresh reads at each level.
• Add a short-lived request-scoped cache keyed on childSessionKey for isSubagentEnvelopeSession — the result is stable within a single tool resolution.

Not a correctness issue, but on a ~5k-contributor repo where resolveGatewayScopedTools runs on every tool call, the I/O shift is worth flagging in the PR body so maintainers can decide.

Minor

• [AI-assisted] + "No human runtime verification was performed" — elevated-risk review mode for a 631-line security-path change. Worth adding a human-verified live repro (subagent → ACP spawn → confirm tool deny list applies) to the Human Verification section before merge, even if the unit tests are comprehensive. Static analysis didn't catch either CI blocker above, so the "static analysis confirms consistency" claim needs a runtime anchor.
• Good call on extracting DEFAULT_SUBAGENT_MAX_CHILDREN_PER_AGENT to a constant — gives the ACP path and subagent path a single source of truth.

Happy to re-review after the two CI blockers clear and the hot-path question gets a maintainer call.

[pgondhi987]

@codex review

[pgondhi987]

@greptile review

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: cb585d7e87

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: a98723fd7b

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[pgondhi987]

@codex review

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: ddaaf8972c

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 01b073e0a5

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[pgondhi987]

@codex review

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: a4adbfbe3e

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: d6e5dbdc66

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[pgondhi987]

@codex review

[chatgpt-codex-connector]

Codex Review: Didn't find any major issues. Another round soon, please!

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[chatgpt-codex-connector]

💡 Codex Review

https://github.com/openclaw/openclaw/blob/2147ce103a3efe32a25e949bf916e5aeaedde19d/src/plugins/status.ts#L193-L197
Forward logger to metadata snapshot loading path

buildPluginSnapshotReport now accepts a caller logger (used by plugins list --json to keep output machine-readable), but the snapshot branch in buildPluginReport drops it when calling loadPluginMetadataRegistrySnapshot. In this path the loader falls back to the default plugin logger, so plugin warnings/info can still be emitted during JSON mode and corrupt stdout JSON for automation. Pass params?.logger through this call so snapshot and diagnostics paths behave consistently.

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[pgondhi987]

@codex review

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 2147ce103a

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[pgondhi987]

@codex review

[chatgpt-codex-connector]

Codex Review: Didn't find any major issues. 👍

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[martingarramon]

Re-review 2147ce103a:

Blockers from prior review: both resolved.

• Boolean(childSessionKey) narrowing at old acp-spawn.ts:267 is gone — new resolveAcpSubagentEnvelopeState / countUntrackedActiveAcpRunsForOwner use normalizeOptionalString returns instead.
• listTasksForOwnerKey now imported via ../tasks/runtime-internal.js, which is in TASK_REGISTRY_ALLOWED_IMPORTERS (task-boundaries.test.ts) — clean routing through an approved seam.

Two remaining concerns:

1. Scope creep in src/plugins/** + src/cli/plugins-cli.ts: The logger-forwarding changes (quietPluginJsonLogger, buildPluginSnapshotReport(params?.logger), Codex P2 at status.ts:193) are legitimate plugin-CLI cleanup but unrelated to the subagent envelope security fix. The PR description's "What changed" section doesn't mention plugin runtime/CLI. Worth splitting into a separate PR so the security fix lands self-contained.

2. checks-node-core still red (run 24720964486): "Node non-dist test shards failed". Codex ran clean = runtime/test failure, not TS. Worth identifying the failing shard before the next `@codex review`.

Core subagent envelope path (`acp-spawn.ts` + `gateway/tool-resolution.ts` + `pi-tools.policy.ts` + `subagent-capabilities`) LGTM on intent pending CI green.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 31160dc069

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[chatgpt-codex-connector]

Make ACP child-cap enforcement independent of task write success

This new cap check depends on countUntrackedActiveAcpRunsForOwner(...), which reads ACP children from task rows, but ACP task registration is still best-effort (createRunningTaskRun(...) exceptions are logged and ignored later in spawnAcpDirect). If task persistence fails (or is transiently unavailable), active ACP children are omitted from this count and subagent-envelope sessions can continue spawning beyond maxChildrenPerAgent, bypassing the policy this change is meant to enforce.

Useful? React with 👍 / 👎.