fix(active-memory): expose memory tools to recall runs

[vyctorbrzezowski]

Summary

• Problem: Active Memory lightweight embedded recall runs can allowlist Memory Core tools before those runtime plugin tools are materialized, collapsing the callable tool set.
• Why it matters: memory_search and memory_get should remain callable when Memory Core is installed and Active Memory scopes the embedded run to memory tools.
• What changed: runtime toolsAllow now contributes to generic plugin tool materialization, and Active Memory opts into gateway subagent binding for the embedded recall run.
• What did NOT change (scope boundary): no plugin-specific tool IDs were hardcoded in core behavior, and no public SDK surface or memory storage behavior changed.

Change Type (select all)

• Bug fix
• Feature
• Refactor required for the fix
• Docs
• Security hardening
• Chore/infra

Scope (select all touched areas)

• Gateway / orchestration
• Skills / tool execution
• Auth / tokens
• Memory / storage
• Integrations
• API / contracts
• UI / DX
• CI/CD / infra

Linked Issue/PR

• Closes active-memory + memory-core dont compose: lightweight sub-agent bootstrap excludes memory-kind plugin tools, allowlist resolves to empty, placeholder turn lands in transcript #74572
• This PR fixes a bug or regression

Root Cause (if applicable)

• Root cause: embedded runs applied the final runtime tool filter after creating the tool set, but the runtime toolsAllow was not also used to materialize matching plugin tools before that final filter.
• Missing detection / guardrail: no focused test covered a lightweight embedded run that allowlists plugin-provided memory tools.
• Contributing context (if known): Active Memory uses a narrow memory tool allowlist for recall runs while Memory Core registers memory_search and memory_get as plugin tools.

Regression Test Plan (if applicable)

• Coverage level that should have caught this:
  • Unit test
  • Seam / integration test
  • End-to-end test
  • Existing coverage already sufficient
• Target test or file: extensions/active-memory/index.test.ts, src/agents/pi-embedded-runner/run/attempt.test.ts, src/agents/pi-tools.create-openclaw-coding-tools.test.ts
• Scenario the test should lock in: Active Memory recall runs pass gateway subagent binding, embedded attempt context carries runtime allowlists, and runtime allowlists contribute to plugin tool materialization.
• Why this is the smallest reliable guardrail: it tests the generic tool composition seams without requiring a full gateway session.
• Existing test that already covers this (if any): src/plugins/tools.optional.test.ts covers optional plugin tools and gateway-bindable registry behavior.
• If no new test is added, why not: N/A

User-visible / Behavior Changes

Active Memory recall runs can now call Memory Core plugin tools when Memory Core is installed and those tools are explicitly allowlisted for the embedded run.

Diagram (if applicable)

Before:
Active Memory recall -> toolsAllow(memory_*) -> plugin tools not materialized -> final filter can leave no callable memory tools

After:
Active Memory recall -> toolsAllow(memory_*) -> materialize matching plugin tools -> final filter keeps callable Memory Core tools

Security Impact (required)

• New permissions/capabilities? (Yes/No) No
• Secrets/tokens handling changed? (Yes/No) No
• New/changed network calls? (Yes/No) No
• Command/tool execution surface changed? (Yes/No) Yes
• Data access scope changed? (Yes/No) No
• If any Yes, explain risk + mitigation: embedded runs can materialize only plugin tools already included in the explicit runtime allowlist and gateway-bindable registry; the final allowlist filter still applies.

Repro + Verification

Environment

• OS: macOS
• Runtime/container: Node.js v24.14.0, pnpm 10.33.0
• Model/provider: N/A
• Integration/channel (if any): Active Memory + Memory Core
• Relevant config (redacted): N/A

Steps

1. Install Memory Core and Active Memory.
2. Trigger an Active Memory embedded recall run with bootstrapContextMode: "lightweight" and toolsAllow: ["memory_recall", "memory_search", "memory_get"].
3. Verify Memory Core plugin tools are materialized before the final embedded tool allowlist filter.

Expected

• memory_search and memory_get remain callable when registered by Memory Core and explicitly allowlisted by the embedded run.

Actual

• Before this change, the runtime allowlist could resolve to no callable tools because matching plugin tools were not materialized before final filtering.

Evidence

• Failing test/log before + passing after
• Trace/log snippets
• Screenshot/recording
• Perf numbers (if relevant)

Human Verification (required)

What you personally verified (not just CI), and how:

• Verified scenarios:
  • pnpm test extensions/active-memory/index.test.ts src/agents/pi-embedded-runner/run/attempt.test.ts src/plugins/tools.optional.test.ts src/agents/pi-tools.create-openclaw-coding-tools.test.ts
  • pnpm exec oxfmt --check --threads=1 extensions/active-memory/index.ts extensions/active-memory/index.test.ts src/agents/pi-embedded-runner/run/attempt.tool-run-context.ts src/agents/pi-embedded-runner/run/attempt.test.ts src/agents/pi-tools.ts src/agents/pi-tools.create-openclaw-coding-tools.test.ts src/agents/test-helpers/fast-openclaw-tools.ts CHANGELOG.md
  • git diff --check
  • codex review --base origin/main
• Edge cases checked:
  • runtime allowlist propagation when toolsAllow is present
  • generic plugin tool materialization without hardcoded memory plugin IDs
  • Active Memory preserves lightweight bootstrap and narrow memory tool allowlist
• What you did not verify:
  • pnpm check:changed currently fails in extension test typecheck on a pre-existing duplicate-property error in extensions/memory-wiki/src/claim-health.test.ts that is present on origin/main.

Review Conversations

• I replied to or resolved every bot review conversation I addressed in this PR.
• I left unresolved only the conversations that still need reviewer or maintainer judgment.

Compatibility / Migration

• Backward compatible? (Yes/No) Yes
• Config/env changes? (Yes/No) No
• Migration needed? (Yes/No) No
• If yes, exact upgrade steps: N/A

Risks and Mitigations

• Risk: broader plugin tool materialization than intended for embedded runs.
  • Mitigation: only explicit runtime allowlist entries are added to the existing plugin tool allowlist composition, and the final tool filter still applies.

[clawsweeper]

Codex review: needs maintainer review before merge.

What this changes:

The PR threads embedded-run toolsAllow into plugin tool materialization, enables gateway subagent binding for Active Memory recall runs, adds focused regression tests, and adds a changelog entry for #74572.

Maintainer follow-up before merge:

No repair job is needed: this active contributor PR has no concrete review finding for automation to fix, and the remaining action is exact-head CI completion plus normal maintainer merge handling.

Security review:

Security review cleared: The diff changes runtime tool materialization but stays bounded by explicit allowlists and gateway-bindable plugin registry behavior, with no dependency, workflow, secret, publishing, or downloaded-code changes.

Review details

Best possible solution:

Land this focused generic fix once exact-head checks pass, preserving the existing core/plugin boundary: runtime toolsAllow should only help materialize explicitly allowlisted plugin tools before the embedded runner's final allowlist filter, while Active Memory keeps its lightweight memory-only recall scope.

Do we have a high-confidence way to reproduce the issue?

Yes. The linked issue gives concrete steps, and source inspection confirms the current-main path: Active Memory allowlists Memory Core tool names, Memory Core owns those tools as plugin registrations, and the embedded runner filters after tool construction without using runtime toolsAllow for plugin materialization.

Is this the best way to solve the issue?

Yes. The PR fixes the narrow root cause without hardcoding Memory Core IDs in shared core behavior, and the final embedded-run allowlist still bounds the callable tool set after plugin materialization.

What I checked:

• Current main Active Memory recall shape: Active Memory still starts the recall embedded run with a narrow memory tool allowlist and lightweight bootstrap; current main does not pass allowGatewaySubagentBinding at this call site. (extensions/active-memory/index.ts:2139, 54f44ec3215d)
• Memory tools are plugin-owned: Memory Core registers memory_search and memory_get through plugin tool registration, so those tools must be available from the plugin registry before the embedded-run final allowlist filter runs. (extensions/memory-core/index.ts:42, 54f44ec3215d)
• Embedded runner filters after tool construction: The embedded attempt path constructs the full coding tool list, then applies applyEmbeddedAttemptToolsAllow(allTools, params.toolsAllow), so allowlisted plugin tools need to be materialized before this final filter. (src/agents/pi-embedded-runner/run/attempt.ts:780, 54f44ec3215d)
• Current main omits runtime allowlist in plugin materialization: Current main builds pluginToolAllowlist from profile/global/agent/group/sandbox/subagent policies only; it does not include embedded-run toolsAllow. (src/agents/pi-tools.ts:622, 54f44ec3215d)
• PR diff scope: The PR adds runtimeToolAllowlist, passes embedded toolsAllow through buildEmbeddedAttemptToolRunContext, includes it in pluginToolAllowlist, and opts Active Memory recall into gateway subagent binding. (src/agents/pi-tools.ts:631, 046cd1e50f40)
• Maintainer discussion and PR state: A maintainer comment says the fix direction is right; after the force-push, the public PR API reports mergeable=true, mergeable_state=unstable, open, unmerged, and not draft at head 046cd1e50f409f0cbc92a470c0dcfb814dcd8b1d. (046cd1e50f40)

Likely related people:

• steipete: Recent current-main history touches embedded-runner tool construction and plugin/runtime behavior, and the maintainer discussion explicitly confirmed this fix direction after reviewing the PR. (role: current maintainer / adjacent owner; confidence: high; commits: 4b4e0c82e451, 66cdbccc8a2a, 470098bd26f3; files: src/agents/pi-embedded-runner/run/attempt.ts, src/agents/pi-tools.ts, src/plugins/tools.ts)
• Takhoffman: Recent history includes the Active Memory bundled recall tool change and plugin optional-tool auto-enable work, both adjacent to the memory recall/tool materialization path this PR adjusts. (role: recent Active Memory and plugin-tool maintainer; confidence: medium; commits: f256eeba431b, cfd1e94e6101; files: extensions/active-memory/index.ts, extensions/active-memory/index.test.ts, src/plugins/tools.ts)
• jalehman: History shows prior work on late-binding subagent plugin runtime and related pi-tools/embedded-runner paths that this PR relies on for gateway-bindable plugin tool resolution. (role: adjacent plugin-runtime owner; confidence: medium; commits: eeb140b4f08b; files: src/agents/openclaw-tools.ts, src/agents/pi-tools.ts, src/agents/pi-embedded-runner/run/attempt.ts)

Remaining risk / open question:

• Exact-head CI was still in progress at review time; merge should wait for the remaining checks to complete on 046cd1e50f409f0cbc92a470c0dcfb814dcd8b1d.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 54f44ec3215d.

[steipete]

Reviewed the current head again. The fix direction is right: carry the embedded run toolsAllow into plugin-tool materialization, then keep the Active Memory recall scope narrow to the explicit memory tools.

Still blocked on mergeability: GitHub reports mergeable=false, mergeable_state=dirty for c29e54d735f66f23615e2dc3956d1d9f5bc47cce against current main. Please rebase/update the branch, then rerun the targeted checks plus pnpm check:changed.

Separately, I added a doctor-side warning for the related plugins.allow/tools.allow footgun so restrictive plugin allowlists are louder when tool policy asks for wildcard or plugin-owned tools.

[steipete]

Landed as eabab1f64f9e06642014eb93b1e82c7acdfc95af from reviewed head 046cd1e50f409f0cbc92a470c0dcfb814dcd8b1d.

Review result: this fixes the Active Memory + Memory Core composition bug by preserving runtime plugin tool allowlists through the embedded attempt tool-run context, so recall runs can materialize the Memory Core plugin tools instead of ending with an empty callable set.

Validation:

• mise exec node@22 -- pnpm test extensions/active-memory/index.test.ts src/agents/pi-embedded-runner/run/attempt.test.ts src/plugins/tools.optional.test.ts src/agents/pi-tools.create-openclaw-coding-tools.test.ts
• mise exec node@22 -- pnpm exec oxfmt --check --threads=1 CHANGELOG.md extensions/active-memory/index.ts extensions/active-memory/index.test.ts src/agents/pi-embedded-runner/run/attempt.tool-run-context.ts src/agents/pi-embedded-runner/run/attempt.test.ts src/agents/pi-tools.ts src/agents/pi-tools.create-openclaw-coding-tools.test.ts src/agents/test-helpers/fast-openclaw-tools.ts && git diff --check
• Testbox: OPENCLAW_TESTBOX=1 pnpm check:changed
• GitHub PR checks: all passing, including the qa-lab parity gate.

Thanks @vyctorbrzezowski and @LaFleurAdvertising.