feat(gateway): add SDK-facing tools.invoke RPC

[ai-hpc]

Summary

• Problem: @openclaw/sdk exposes a tools namespace, but oc.tools.invoke() had no Gateway RPC method to call and remained unsupported.
• Why it matters: SDK clients need a typed WebSocket path for generic tool invocation that follows the same Gateway auth, tool policy, deny-list, and plugin approval semantics as the existing HTTP /tools/invoke route.
• What changed: adds tools.invoke to the Gateway RPC surface, protocol schemas, method discovery, scope gating, SDK client/types, and docs; shared Gateway tool-invoke logic now backs both HTTP and RPC paths.
• What did NOT change: no tool policy bypass, no default tool allow-list expansion, no config migration, and no replay cache beyond using idempotencyKey as the stable tool-call id when supplied.

Change Type (select all)

• Bug fix
• Feature
• Refactor required for the fix
• Docs
• Security hardening
• Chore/infra

Scope (select all touched areas)

• Gateway / orchestration
• Skills / tool execution
• Auth / tokens
• Memory / storage
• Integrations
• API / contracts
• UI / DX
• CI/CD / infra

Linked Issue/PR

• Closes Gateway RPC: add SDK-facing tools.invoke #74705
• Related SDK: stabilize app-client happy path for agents, sessions, runs #74704
• This PR fixes a bug or regression

Root Cause (if applicable)

N/A

Regression Test Plan (if applicable)

N/A

User-visible / Behavior Changes

SDK clients can now call oc.tools.invoke(name, params) through the Gateway. The RPC method accepts name, optional args, sessionKey, agentId, confirm, and idempotencyKey fields.

Diagram (if applicable)

Before:
SDK oc.tools.invoke() -> unsupported error
HTTP POST /tools/invoke -> existing Gateway tool path

After:
SDK oc.tools.invoke() -> WS tools.invoke -> shared Gateway tool path -> policy/deny-list/approval/tool result
HTTP POST /tools/invoke -> shared Gateway tool path -> existing HTTP envelope

Security Impact (required)

• New permissions/capabilities? (Yes/No) Yes
• Secrets/tokens handling changed? (Yes/No) No
• New/changed network calls? (Yes/No) No
• Command/tool execution surface changed? (Yes/No) Yes
• Data access scope changed? (Yes/No) Yes
• If any Yes, explain risk + mitigation: This exposes an existing direct tool-invoke capability over Gateway WS for SDK clients. It is gated by operator.write, reuses the existing Gateway tool policy chain and HTTP deny-list semantics, preserves owner-only filtering for non-admin clients, and reports plugin approval-needed refusals unless the caller explicitly opts into confirm: true.

Repro + Verification

Environment

• OS: macOS local checkout and Ubuntu 24.04 Blacksmith Testbox
• Runtime/container: Node 22 / pnpm dev checkout
• Model/provider: N/A
• Integration/channel (if any): Gateway RPC + SDK
• Relevant config (redacted): default local test config

Steps

1. Call SDK oc.tools.invoke() before this change.
2. Observe it throws the existing unsupported namespace error because no Gateway tools.invoke method exists.
3. Apply this PR and call oc.tools.invoke("sessions_list", { args: {}, sessionKey: "main" }).
4. Verify the SDK sends tools.invoke, the Gateway enforces operator.write, and the response uses a typed tool result/refusal envelope.

Expected

• SDK clients can invoke allowed tools through Gateway RPC.
• Disallowed or approval-required tools do not bypass policy and return typed refusal state.
• HTTP /tools/invoke behavior remains compatible.

Actual

• Implemented as expected in targeted unit, gateway, agent, SDK, SDK e2e, protocol, Swift lint, and build coverage.

Evidence

• Failing test/log before + passing after
• Trace/log snippets
• Screenshot/recording
• Perf numbers (if relevant)

Human Verification (required)

• Verified scenarios: SDK tools.invoke dispatch, Gateway tools.invoke handler success envelope, malformed RPC params rejection, operator.write method scope, HTTP /tools/invoke compatibility, plugin approval-needed typed refusal without opening an approval request by default, and mismatched sessionKey/agentId rejection.
• Edge cases checked: HTTP /tools/invoke compatibility, SDK name field, high-risk deny-list preservation, owner-only filtering path, configured session fallback, gateway.tools.allow/deny precedence, confirm: false approval reporting behavior, and confirm: true approval request behavior.
• What is not verified: live third-party SDK consumer behavior outside the repo tests.

Commands run:

pnpm exec oxfmt --check --threads=1 packages/sdk/src/client.ts packages/sdk/src/index.test.ts packages/sdk/src/types.ts src/gateway/protocol/schema/agents-models-skills.ts src/gateway/server-methods/tools-invoke.ts src/gateway/tools-invoke-http.test.ts src/gateway/tools-invoke-shared.ts
pnpm test src/gateway/tools-invoke-http.test.ts src/gateway/method-scopes.test.ts src/agents/pi-tools.before-tool-call.embedded-mode.test.ts packages/sdk/src/index.test.ts packages/sdk/src/index.e2e.test.ts src/gateway/protocol/index.test.ts -- --reporter=verbose
pnpm protocol:check
git diff --check
git diff --cached --check
pnpm check:docs
git diff --check origin/main...HEAD
pnpm lint:swift
pnpm testbox:run --id tbx_01kqgybv7jcdqmsge5mn24rzy8 -- "bash -lc '... install SwiftLint 0.63.2; OPENCLAW_TESTBOX=1 pnpm check:changed'"
pnpm testbox:run --id tbx_01kqgy113v5sgztapmczc604aw -- "OPENCLAW_TESTBOX=1 pnpm build"

pnpm check:changed passed in a fresh Testbox after installing SwiftLint 0.63.2 into the box for the app lint lane. After rebasing onto current origin/main, pnpm check:docs, pnpm protocol:check, and git diff --check origin/main...HEAD passed locally.

Duplicate / Related Threads

• feat(gateway): add SDK tools.invoke RPC #74786 is already closed as superseded by this PR and does not need to reopen.
• tools/invoke returns "Tool not available: message" in 2026.4.26 even with healthy telegram channel #74780 is config/policy diagnostics for HTTP message, not this SDK RPC.
• [Feature]: Invoke tools directly without LLM round-trip #37131 is broader direct tool invocation and still overlaps HTTP/coding-tool work.
• feat(gateway): wire coding tools into /tools/invoke HTTP surface #63919, fix(gateway): allow memory slot tool plugin invokes #75160, and feat(gateway): add audit logging for gateway tool calls #63557 are active HTTP/tool-policy/audit follow-ups, not duplicates of this RPC gap.
• feat(gateway): add SDK task ledger RPCs #74847 is task ledger RPC work tied to Gateway RPC: add SDK-facing task ledger APIs #74707, separate from tools.invoke.
• prtags.dutiful.dev returned 502 for both group listing and text search, so prtags sync is the only blocked curation write path.

Review Conversations

• I replied to or resolved every bot review conversation I addressed in this PR.
• I left unresolved only the conversations that still need reviewer or maintainer judgment.

Compatibility / Migration

• Backward compatible? (Yes/No) Yes
• Config/env changes? (Yes/No) No
• Migration needed? (Yes/No) No
• If yes, exact upgrade steps: N/A

Risks and Mitigations

• Risk: The new RPC surface could drift from the HTTP tool-invoke behavior over time.
  • Mitigation: HTTP and RPC now share the same Gateway tool-invoke helper, and tests cover both surfaces.
• Risk: Approval behavior could unexpectedly open approval prompts for SDK callers.
  • Mitigation: the default RPC path reports typed approval-needed refusal; callers must pass confirm: true to request approval explicitly.

[ai-hpc]

@greptile-apps

[clawsweeper]

Codex review: needs maintainer review before merge.

What this changes:

The PR adds an SDK-facing Gateway tools.invoke RPC with protocol schemas, method discovery/scope registration, SDK types/client support, docs, changelog coverage, tests, and shared HTTP/RPC tool invocation plumbing.

Maintainer follow-up before merge:

Maintainer review is the right next action because this is an active implementation PR for a public Gateway/SDK direct tool-execution contract; there is no narrow automated repair to queue from this review.

Security review:

Security review cleared: No concrete security or supply-chain regression was found; the sensitive new RPC is scoped to operator.write, treats only admin WebSocket clients as owner, reuses the existing direct tool policy/deny-list path, and does not change dependencies, workflows, package resolution, or secret handling.

Review details

Best possible solution:

Land one canonical additive tools.invoke implementation that keeps SDK and HTTP direct tool invocation on the same Gateway policy, deny-list, owner-filtering, session scoping, and plugin approval semantics; then let the merge close #74705 while broader direct-tool and audit follow-ups remain separate.

Do we have a high-confidence way to reproduce the issue?

Yes. Current main can reproduce the gap by inspection: oc.tools.invoke() throws the unsupported SDK error, method discovery omits tools.invoke, and the Gateway handler map has no matching RPC handler.

Is this the best way to solve the issue?

Yes, pending maintainer signoff. Sharing the HTTP and RPC invocation helper is the narrow maintainable direction because it avoids policy drift; the remaining decision is approval of the new public RPC/security contract and final exact-head validation.

Acceptance criteria:

• pnpm test src/gateway/tools-invoke-http.test.ts src/gateway/method-scopes.test.ts src/agents/pi-tools.before-tool-call.embedded-mode.test.ts packages/sdk/src/index.test.ts packages/sdk/src/index.e2e.test.ts src/gateway/protocol/index.test.ts -- --reporter=verbose
• pnpm protocol:check
• pnpm check:docs
• pnpm check:changed in Testbox before merge
• Wait for exact-head check-runs to complete

What I checked:

• Current main SDK gap: ToolsNamespace.invoke() still ignores its inputs and returns the explicit unsupported oc.tools.invoke error on current main. (packages/sdk/src/client.ts:767, 7d7b610a2405)
• Current main discovery gap: The Gateway base method list advertises tools.catalog and tools.effective, but not tools.invoke. (src/gateway/server-methods-list.ts:65, 7d7b610a2405)
• Current main handler gap: The core Gateway handler map registers catalog/effective tool handlers and has no direct invocation RPC handler. (src/gateway/server-methods.ts:97, 7d7b610a2405)
• PR RPC handler: The branch adds a tools.invoke handler that validates params, routes through invokeGatewayTool, and returns typed success/refusal payloads. (src/gateway/server-methods/tools-invoke.ts:33, 6b04521d6a41)
• Shared policy path: The branch factors direct invocation into invokeGatewayTool, resolving session-scoped tools, applying owner-only filtering, using the HTTP direct-tool surface policy path, and invoking the before-tool-call approval pipeline. (src/gateway/tools-invoke-shared.ts:197, 6b04521d6a41)
• Scope enforcement: The PR classifies tools.invoke under operator.write; Gateway requests are checked through authorizeGatewayMethod() before dispatch, with admin still bypassing narrower scope checks. (src/gateway/method-scopes.ts:147, 6b04521d6a41)

Likely related people:

• steipete: GitHub commit history ties Peter to the SDK package introduction and recent /tools/invoke behavior on current main, including the unsupported SDK placeholder and HTTP direct-tool path. (role: recent SDK and Gateway direct-tool maintainer; confidence: high; commits: 43f6c8b01aa7, 29de89a8d98c, 98a99765af18; files: packages/sdk/src/client.ts, src/gateway/tools-invoke-http.ts, docs/concepts/openclaw-sdk.md)
• BunsDev: BunsDev authored the linked maintainer issue, is assigned on this PR, and has recent current-main Gateway/SDK RPC work in adjacent artifact surfaces plus contract-tightening commits on this branch. (role: likely maintainer follow-up owner; confidence: high; commits: a102f4dede6a, 8d1582edc236, 2fe48ba18ba1; files: packages/sdk/src/client.ts, src/gateway/server-methods.ts, src/gateway/server-methods-list.ts)
• vincentkoc: Vincent has recent current-main protocol/diagnostic hook work in the same Gateway/tool execution neighborhood and refreshed generated protocol models on this branch. (role: protocol and diagnostics adjacent maintainer; confidence: medium; commits: dcdf97685b60, cead2ea4b106, b638f55fbce4; files: src/gateway/protocol/schema/agents-models-skills.ts, src/agents/pi-tools.before-tool-call.ts, apps/macos/Sources/OpenClawProtocol/GatewayModels.swift)

Remaining risk / open question:

• This review did not rerun the PR’s targeted tests or Testbox checks because the task is read-only; it relies on source inspection and the PR’s recorded validation evidence.
• The new RPC exposes an existing direct tool-invocation capability over WebSocket, so maintainer acceptance of the public contract and exact owner/scope semantics remains the main gate.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 7d7b610a2405.