feat(gateway): add SDK tools.invoke RPC

[gazeatcode]

Summary

• Problem: @openclaw/sdk exposes oc.tools.invoke() as an unsupported scaffold while the Gateway only supports direct tool invocation through HTTP /tools/invoke.
• Why it matters: SDK clients need a protocol-defined tool invocation path that preserves Gateway policy, owner-only filtering, and plugin approval semantics.
• What changed: added tools.invoke protocol schemas, method registration/scope, a Gateway handler, shared direct-tool invocation core reused by HTTP, SDK typing/client support, docs, changelog, and targeted tests.
• What did NOT change (scope boundary): did not broaden HTTP auth behavior, did not bypass existing tool policies, and did not allow high-risk direct tools unless the existing gateway.tools.allow path permits them.

Change Type (select all)

• Bug fix
• Feature
• Refactor required for the fix
• Docs
• Security hardening
• Chore/infra

Scope (select all touched areas)

• Gateway / orchestration
• Skills / tool execution
• Auth / tokens
• Memory / storage
• Integrations
• API / contracts
• UI / DX
• CI/CD / infra

Linked Issue/PR

• Closes Gateway RPC: add SDK-facing tools.invoke #74705
• Related #
• This PR fixes a bug or regression

Root Cause (if applicable)

• Root cause: N/A
• Missing detection / guardrail: N/A
• Contributing context (if known): the SDK had an unsupported oc.tools.invoke() placeholder and the existing direct invocation implementation lived only in the HTTP route.

Regression Test Plan (if applicable)

• Coverage level that should have caught this:
  • Unit test
  • Seam / integration test
  • End-to-end test
  • Existing coverage already sufficient
• Target test or file: packages/sdk/src/index.test.ts, src/gateway/server-methods/tools-invoke.test.ts, src/gateway/protocol/index.test.ts, src/gateway/method-scopes.test.ts, src/gateway/tools-invoke-http.test.ts, src/agents/pi-tools.before-tool-call.e2e.test.ts
• Scenario the test should lock in: SDK calls tools.invoke, Gateway validates the params/result contract, method scopes require operator write, direct invoke still uses Gateway allow/deny filtering, and plugin approvals can return typed approval-required state without waiting when confirm: true is omitted.
• Why this is the smallest reliable guardrail: these tests cover the SDK client seam, protocol validation, handler mapping, shared HTTP behavior, and plugin approval mode without broad end-to-end tool execution setup.
• Existing test that already covers this (if any): existing HTTP direct invocation tests covered /tools/invoke; this PR extends that path through the shared core.
• If no new test is added, why not: N/A

User-visible / Behavior Changes

SDK clients can call oc.tools.invoke("tool-name", { args, sessionKey, agentId, confirm, idempotencyKey }). Without confirm: true, plugin approval requests return a typed { ok: false, requiresApproval: true, approvalId, error } result instead of waiting for approval and executing.

Diagram (if applicable)

Before:
SDK -> oc.tools.invoke() -> unsupported error
HTTP -> /tools/invoke -> direct tool invoke path

After:
SDK -> tools.invoke RPC -> shared direct tool invoke core -> policy/hooks/approval/tool
HTTP -> /tools/invoke -> shared direct tool invoke core -> policy/hooks/approval/tool

Security Impact (required)

• New permissions/capabilities? (Yes/No) Yes
• Secrets/tokens handling changed? (Yes/No) No
• New/changed network calls? (Yes/No) No
• Command/tool execution surface changed? (Yes/No) Yes
• Data access scope changed? (Yes/No) Yes
• If any Yes, explain risk + mitigation: this adds a direct tool invocation RPC, so the handler requires operator.write, treats only operator.admin callers as owner for owner-only tools, reuses the same direct-invocation Gateway tool allow/deny filtering as HTTP /tools/invoke, runs the existing before-tool-call/plugin approval pipeline, and returns typed approval-required results when callers omit confirm: true.

Repro + Verification

Environment

• OS: Linux
• Runtime/container: Node 22 + pnpm
• Model/provider: N/A
• Integration/channel (if any): Gateway RPC / SDK
• Relevant config (redacted): default test config

Steps

1. Call oc.tools.invoke("demo", { args: { input: "hello" } }) from the SDK.
2. Call Gateway tools.invoke with { name, args, sessionKey, agentId, confirm }.
3. Exercise a plugin approval request without confirm: true.

Expected

• SDK sends tools.invoke RPC params.
• Gateway validates params, resolves the scoped tool through normal policy, and returns success or typed refusal.
• Plugin approval returns requiresApproval: true without executing when confirm: true is omitted.

Actual

• Matches expected in targeted tests.

Evidence

Attach at least one:

• Failing test/log before + passing after
• Trace/log snippets
• Screenshot/recording
• Perf numbers (if relevant)

Human Verification (required)

What you personally verified (not just CI), and how:

• Verified scenarios: SDK tools.invoke request construction, protocol validation, method scope registration, Gateway handler mapping, shared HTTP direct invoke behavior, plugin approval request-only behavior, formatting, whitespace, and TypeScript checks.
• Edge cases checked: invalid params, admin owner context, typed approval-required result, HTTP high-risk tool deny filtering, plugin/core tool fallback, hook-blocked calls, tool input/auth errors, and agent/session mismatch handling in the core path.
• What you did not verify: live Gateway invocation against a real external plugin approval UI.

Review Conversations

• I replied to or resolved every bot review conversation I addressed in this PR.
• I left unresolved only the conversations that still need reviewer or maintainer judgment.

If a bot review conversation is addressed by this PR, resolve that conversation yourself. Do not leave bot review conversation cleanup for maintainers.

Compatibility / Migration

• Backward compatible? (Yes/No) Yes
• Config/env changes? (Yes/No) No
• Migration needed? (Yes/No) No
• If yes, exact upgrade steps: N/A

Risks and Mitigations

• Risk: direct tool invocation is a sensitive Gateway surface.
  • Mitigation: require operator scope, preserve owner-only filtering, reuse Gateway direct-tool allow/deny filtering, and keep plugin approval gates in the execution path.

[clawsweeper]

Thanks for the context here. I swept through the related work, and this is now duplicate or superseded.

Close as superseded: the same SDK-facing tools.invoke Gateway RPC work is now tracked by open non-draft #74804, which covers the same core/SDK/protocol/docs surface and avoids the concrete SDK name-override bug still present in this draft branch. Current main still lacks the feature, so this is not implemented-on-main; the right cleanup is to keep the canonical PR/issue path active and close this draft duplicate.

So I’m closing this here and keeping the remaining discussion on the canonical linked item.

Review details

Best possible solution:

Retire this draft and finish one canonical additive tools.invoke implementation in #74804 that keeps SDK and HTTP invocation on the same Gateway tool policy, allow/deny filtering, owner scoping, session targeting, and plugin approval semantics.

Do we have a high-confidence way to reproduce the issue?

Yes. Current main can be checked directly: oc.tools.invoke still throws unsupported, server-methods-list.ts does not advertise tools.invoke, and the Gateway handler map has no tools.invoke RPC handler.

Is this the best way to solve the issue?

No for this PR as-is. The branch is a draft duplicate with a concrete SDK/security bug, while #74804 tracks the same requested behavior on a non-draft canonical branch with a safer SDK parameter construction pattern.

Security review:

Security review needs attention: The diff adds a sensitive direct tool invocation RPC, and this branch’s SDK helper allows caller params to override the explicit tool name.

• [medium] SDK params can override tool name — packages/sdk/src/client.ts:185
  The SDK helper spreads caller params after the explicit tool-name argument. If an app forwards a user-controlled params object, a hidden name field can switch the invoked tool while the call site appears to request another tool.
  Confidence: 0.88

What I checked:

• Current main SDK still marks invoke unsupported: On current main, ToolsNamespace.invoke() discards its arguments and throws the explicit unsupported oc.tools.invoke error. (packages/sdk/src/client.ts:749, 027ea5f08bd9)
• Current main method list omits tools.invoke: The advertised Gateway base methods include tools.catalog and tools.effective, but no tools.invoke. (src/gateway/server-methods-list.ts:65, 027ea5f08bd9)
• Draft branch has SDK tool-name override bug: The PR branch builds { name: toolName, ...gatewayParams }, so an unexpected name key in the params object can override the explicit SDK argument before the RPC call. (packages/sdk/src/client.ts:185, 0efa6ad399c6)
• Canonical related PR is open and non-draft: GitHub API data shows feat(gateway): add SDK-facing tools.invoke RPC #74804 is open, non-draft, mergeable, and targets the same SDK-facing tools.invoke Gateway RPC work. (8438a2c388bb)
• Canonical PR avoids the SDK override pattern: feat(gateway): add SDK-facing tools.invoke RPC #74804 builds the RPC params from the explicit name argument plus whitelisted optional fields instead of spreading arbitrary caller params after name. (packages/sdk/src/client.ts:741, 8438a2c388bb)
• Maintainer duplicate triage names feat(gateway): add SDK-facing tools.invoke RPC #74804 canonical: Related maintainer PR fix(gateway): harden artifact RPCs #74926 explicitly says the tools-invoke cluster has feat(gateway): add SDK-facing tools.invoke RPC #74804 and draft this PR covering the same surface, with feat(gateway): add SDK-facing tools.invoke RPC #74804 remaining the better canonical candidate. (188a5005c7a1)

Likely related people:

• steipete: Recent GitHub commit history ties Peter to packages/sdk/src/client.ts, src/gateway/tools-invoke-http.ts, SDK/protocol alignment, and the direct HTTP tool invocation surface this work extends. (role: recent maintainer and SDK/Gateway adjacent owner; confidence: high; commits: 29de89a8d98c, 43f6c8b01aa7, 98a99765af18; files: packages/sdk/src/client.ts, src/gateway/tools-invoke-http.ts, docs/concepts/openclaw-sdk.md)
• BunsDev: BunsDev authored the member issue Gateway RPC: add SDK-facing tools.invoke #74705 with acceptance criteria for this exact RPC and later maintainer duplicate triage in fix(gateway): harden artifact RPCs #74926 identifies feat(gateway): add SDK-facing tools.invoke RPC #74804 as the better canonical tools-invoke candidate. (role: maintainer requester and follow-up owner; confidence: medium; commits: 188a5005c7a1; files: src/gateway/server-methods/tools-invoke.ts, packages/sdk/src/client.ts, docs/gateway/protocol.md)
• vincentkoc: The related canonical PR history includes Vincent refreshing tools-invoke protocol models, and recent main history shows adjacent protocol, generated model, and tool execution diagnostics work. (role: protocol/generated-client adjacent maintainer; confidence: medium; commits: 76d51b43021d, dcdf97685b60, 7ba13fbc2ba7; files: apps/macos/Sources/OpenClawProtocol/GatewayModels.swift, apps/shared/OpenClawKit/Sources/OpenClawProtocol/GatewayModels.swift, src/gateway/protocol/schema/agents-models-skills.ts)
• shakkernerd: Prior ClawSweeper review context ties Shakker’s merged work to the tool catalog/effective RPC area and the HTTP invoke path this PR factors into shared code. (role: Gateway tool RPC and HTTP invoke surface contributor; confidence: medium; commits: 4109446c2f54; files: src/gateway/server-methods/tools-catalog.ts, src/gateway/server-methods/tools-effective.ts, src/gateway/tools-invoke-http.ts)

Codex review notes: model gpt-5.5, reasoning high; reviewed against 027ea5f08bd9.