Inherit tool restrictions for delegated sessions [AI]

[pgondhi987]

Summary

• Problem: delegated sessions could receive a broader tool surface than the caller that created them.
• Why it matters: caller-scoped tool restrictions should remain consistent across subagent and ACP delegation paths.
• What changed: added normalized session-scoped inherited tool denies, threaded them through loopback/tool resolution, native subagent spawns, ACP spawns, and session patch handling.
• What did NOT change (scope boundary): this does not remove delegation support or change unrelated tool policy defaults.
• AI-assisted: yes

Change Type (select all)

• Bug fix
• Feature
• Refactor required for the fix
• Docs
• Security hardening
• Chore/infra

Scope (select all touched areas)

• Gateway / orchestration
• Skills / tool execution
• Auth / tokens
• Memory / storage
• Integrations
• API / contracts
• UI / DX
• CI/CD / infra

Linked Issue/PR

• Related: N/A
• This PR fixes a bug or regression

Real behavior proof (required for external PRs)

• Behavior or issue addressed: delegated sessions now inherit caller tool-deny context instead of reconstructing a wider child tool surface.
• Real environment tested: Not run in this branch handoff.
• Exact steps or command run after this patch: Not run; command execution was constrained by the supervisor workflow.
• Evidence after fix: Focused regression coverage was added for loopback deny propagation, sessions_spawn context forwarding, child session persistence, session patch normalization, and effective subagent tool policy.
• Observed result after fix: Not runtime-verified in this handoff.
• What was not tested: Live gateway replay, build, typecheck, and test commands.
• Before evidence: N/A

Root Cause (if applicable)

• Root cause: loopback tool filtering removed native tools at the immediate MCP surface, but that deny context was not persisted or forwarded when creating delegated child sessions.
• Missing detection / guardrail: regression coverage did not assert that delegated sessions inherit caller-scoped denied tools.
• Contributing context: subagent and ACP spawn paths materialize child session state through separate code paths.

Regression Test Plan (if applicable)

• Coverage level that should have caught this:
  • Unit test
  • Seam / integration test
  • End-to-end test
  • Existing coverage already sufficient
• Target test or file: src/gateway/mcp-http.test.ts, src/agents/tools/sessions-spawn-tool.test.ts, src/agents/subagent-spawn.depth-limits.test.ts, src/agents/pi-tools.policy.test.ts, src/gateway/sessions-patch.test.ts
• Scenario the test should lock in: caller-denied tools are normalized, persisted on spawned sessions, forwarded through subagent and ACP delegation, and applied by effective subagent tool policy.
• Why this is the smallest reliable guardrail: it covers the handoff points where deny context can be dropped without requiring a live model/provider run.
• Existing test that already covers this (if any): N/A
• If no new test is added, why not: N/A

User-visible / Behavior Changes

Delegated child sessions inherit caller-scoped tool denies. A child session may now have fewer tools when it is created from a restricted caller surface.

Diagram (if applicable)

Before:
[restricted caller] -> [sessions_spawn] -> [child session reconstructs tools]

After:
[restricted caller] -> [sessions_spawn + inherited deny list] -> [child session policy applies deny list]

Security Impact (required)

• New permissions/capabilities? No
• Secrets/tokens handling changed? No
• New/changed network calls? No
• Command/tool execution surface changed? Yes
• Data access scope changed? Yes
• If any Yes, explain risk + mitigation: delegated sessions now inherit caller tool restrictions, reducing the chance that delegation widens command or file access beyond the caller's effective tool policy.

Repro + Verification

Environment

• OS: Not runtime-verified in this handoff
• Runtime/container: Not runtime-verified in this handoff
• Model/provider: Not runtime-verified in this handoff
• Integration/channel (if any): Loopback MCP and delegated session paths
• Relevant config (redacted): N/A

Steps

1. Start a gateway with loopback MCP available.
2. Confirm the caller surface excludes native tools such as exec.
3. Spawn a delegated session from that restricted caller.
4. Confirm the delegated session policy also excludes the inherited denied tools.

Expected

• Delegated sessions do not receive tools denied to the caller.

Actual

• Not runtime-verified in this handoff.

Evidence

• Failing test/log before + passing after
• Trace/log snippets
• Screenshot/recording
• Perf numbers (if relevant)

Targeted regression tests were added but not executed in this handoff.

Human Verification (required)

• Verified scenarios: Static review of changed code paths and added regression coverage.
• Edge cases checked: native tool alias normalization, duplicate deny entries, ACP session patching, native subagent store patching, and policy application from stored session state.
• What you did not verify: live gateway replay, build, typecheck, and test commands.

Review Conversations

• I replied to or resolved every bot review conversation I addressed in this PR.
• I left unresolved only the conversations that still need reviewer or maintainer judgment.

No review conversations were addressed in this branch handoff.

Compatibility / Migration

• Backward compatible? Yes
• Config/env changes? No
• Migration needed? No
• If yes, exact upgrade steps: N/A

Risks and Mitigations

• Risk: delegated sessions created from restricted surfaces may lose tools that existing workflows implicitly expected.
  • Mitigation: inherited denies only come from the caller's effective denied tools and are applied through the existing tool-policy pipeline.

[clawsweeper]

Codex review: needs real behavior proof before merge.

Summary
The PR adds inherited delegated-session tool allow/deny state across gateway tool resolution, sessions_spawn, native subagent and ACP spawns, session patch/protocol models, and focused regression tests.

Reproducibility: yes. source-reproducible. Current main excludes native tools from loopback MCP callers but does not persist or forward that effective restriction through sessions_spawn into ACP or native delegated children.

Real behavior proof
Needs real behavior proof before merge: Missing: the PR body says no runtime verification or command was run after the patch; the contributor should add redacted terminal/log/live output or diagnostic media showing the fixed delegation behavior, then update the PR body for re-review or ask a maintainer to comment @clawsweeper re-review.

Next step before merge
Manual review is needed because this protected-label PR changes security-sensitive delegated tool policy and lacks external real behavior proof.

Security
Cleared: No dependency, workflow, secret, or supply-chain regression was found; the diff narrows delegated tool surfaces rather than broadening them.

Review details

Best possible solution:

Merge the inheritance fix after maintainer policy review and redacted runtime proof demonstrate restricted caller-to-child delegation for both native subagent and ACP paths.

Do we have a high-confidence way to reproduce the issue?

Yes, source-reproducible. Current main excludes native tools from loopback MCP callers but does not persist or forward that effective restriction through sessions_spawn into ACP or native delegated children.

Is this the best way to solve the issue?

Yes for the implementation direction. The latest head uses current OpenClaw tool ids for ACP checks and threads inherited policy through the right handoff points, but merge should wait for real behavior proof and maintainer approval.

What I checked:

• current-main loopback restriction: Current main gives loopback MCP callers a narrower surface by excluding native file/process tools before building the loopback tool schema. (src/gateway/mcp-http.runtime.ts:11, dfd63a214516)
• current-main delegation gap: Current main forwards sessions_spawn ACP context without inherited allow/deny fields, so the child session is created without the caller's reduced tool surface. (src/agents/tools/sessions-spawn-tool.ts:352, dfd63a214516)
• current-main lacks inherited session state: A current-main search found no inheritedToolAllow/inheritedToolDeny implementation under source, apps, or packages. (dfd63a214516)
• PR-head inherited policy construction: At PR head, gateway resolution collects explicit deny policy, prepares an inherited deny list, and passes inherited allow/deny arrays into OpenClaw tool construction for sessions_spawn to consume. (src/gateway/tool-resolution.ts:101, f559b1585f00)
• PR-head child forwarding: At PR head, sessions_spawn checks ACP inherited restrictions and forwards inherited allow/deny lists into ACP child context. (src/agents/tools/sessions-spawn-tool.ts:321, f559b1585f00)
• PR-head ACP allow check uses current tool ids: The latest head checks ACP inherited allow requirements against current OpenClaw core tool ids rather than the earlier synthetic ACP-only names. (src/agents/inherited-tool-deny.ts:21, f559b1585f00)

Likely related people:

• steipete: Recent history shows substantial work on subagent orchestration, ACP spawned-run isolation, gateway loopback helpers, and current-line ownership in the affected paths. (role: feature-history owner; confidence: high; commits: eacdfbc84b6d, 2febe72108d2, 23178d933fa5; files: src/agents/tools/sessions-spawn-tool.ts, src/agents/acp-spawn.ts, src/gateway/mcp-http.runtime.ts)
• vincentkoc: Recent merged history includes sessions_spawn ACP-field handling, plugin tool denylist behavior, and gateway/tool-policy typing near this policy surface. (role: recent adjacent contributor; confidence: medium; commits: efc3a52947e9, 571d75aab351, 00f256dd3163; files: src/agents/tools/sessions-spawn-tool.ts, src/agents/acp-spawn.ts, src/gateway/tool-resolution.ts)
• Bob: Related ACP sessions_spawn streaming and sandbox-inheritance security commits are adjacent to the delegation boundary this PR changes. (role: ACP sessions_spawn history contributor; confidence: medium; commits: 257e2f5338d1, ac11f0af731d; files: src/agents/tools/sessions-spawn-tool.ts, src/agents/acp-spawn.ts)

Remaining risk / open question:

• The PR has no redacted runtime proof showing a restricted caller spawning a delegated child that remains restricted after the patch.
• The change touches security-sensitive command/file/tool delegation policy and has a protected maintainer label, so explicit maintainer policy review is still needed.

Codex review notes: model gpt-5.5, reasoning high; reviewed against dfd63a214516.

[pgondhi987]

Not applicable to this automation stage; changelog/release-note and external real behavior proof requirements are handled outside auto-pr stages.

Quoted comment from @clawsweeper:

Codex review: needs real behavior proof before merge.

Summary
The PR adds inherited allow/deny tool policy state for delegated sessions and threads it through gateway, subagent, ACP, protocol, session patch, and regression-test paths.

Reproducibility: yes. source-reproducible. Current main narrows the loopback MCP tool surface but does not persist or forward that effective restriction through sessions_spawn into ACP or native delegated children.

Real behavior proof
Needs real behavior proof before merge: The PR body says no runtime verification or test command was run after the patch, so an external contributor still needs redacted terminal output, logs, live output, a recording, screenshot with diagnostics, or a linked artifact showing the fixed behavior. After adding proof, update the PR body; ClawSweeper should re-review automatically. If it does not, ask a maintainer to comment @clawsweeper re-review.

Next step before merge
Maintainer handling is needed because the PR has a protected label, missing real behavior proof, and a blocking policy-boundary correctness finding.

Security
Cleared: No supply-chain change or concrete capability-widening regression was found; the remaining security-sensitive concern is functional over-restriction in the ACP policy check.

Review findings

• [P2] Map ACP allow checks to current tool ids — src/agents/inherited-tool-deny.ts:67-69

Review details

Best possible solution:

Keep the inheritance fix direction, but map ACP capability checks to documented current OpenClaw tool ids or a separate ACP capability contract before merging.

Do we have a high-confidence way to reproduce the issue?

Yes, source-reproducible. Current main narrows the loopback MCP tool surface but does not persist or forward that effective restriction through sessions_spawn into ACP or native delegated children.

Is this the best way to solve the issue?

No. The inheritance direction is appropriate, but the latest PR still compares inherited OpenClaw allow lists against synthetic ACP names, which can disable valid ACP delegation under normal restrictive profiles.

Full review comments:

• [P2] Map ACP allow checks to current tool ids — src/agents/inherited-tool-deny.ts:67-69
  The inherited allow list is built from actual OpenClaw tool names, but this check also requires synthetic names like fs_delete, fs_move, fs_write, shell, and spawn. A restrictive caller that still allows the current file/runtime tools can now have runtime="acp" rejected because those synthetic names are absent. Map ACP requirements to the current policy ids, or use a documented ACP capability contract, before failing closed.
  Confidence: 0.86

Overall correctness: patch is incorrect
Overall confidence: 0.84

What I checked:

• current-main loopback restriction: Current main narrows loopback MCP by passing NATIVE_TOOL_EXCLUDE (read, write, edit, apply_patch, exec, process) into resolveGatewayScopedTools, so a caller can have a narrower tool surface than normal agent execution. (src/gateway/mcp-http.runtime.ts:43, 380daf2f50ce)
• current-main delegation gap: Current main creates sessions_spawn without inherited allow/deny state, and the ACP spawn call forwards no inherited tool context to the child session. (src/agents/tools/sessions-spawn-tool.ts:367, 380daf2f50ce)
• current-main lacks inherited session tool state: A repository search on current main found no inheritedToolAllow/inheritedToolDeny implementation, confirming this is new PR behavior rather than already implemented on main. (380daf2f50ce)
• PR implementation direction: At PR head, gateway tool resolution now collects explicit deny policy into inheritedToolDenylist, computes an effective inherited allow list after filtering, and passes both into createOpenClawTools. (src/gateway/tool-resolution.ts:142, f96cfa3f017d)
• blocking ACP allow-list mismatch: At PR head, findAcpUnsupportedInheritedToolAllow requires synthetic names such as fs_delete, fs_move, fs_write, shell, and spawn, while the current core tool catalog uses OpenClaw ids such as read, write, edit, apply_patch, exec, and process. (src/agents/inherited-tool-deny.ts:67, f96cfa3f017d)
• PR proof gate: The PR body explicitly says the branch was not runtime-verified, no command was run after the patch, and only focused regression coverage was added but not executed in the handoff. (f96cfa3f017d)

Likely related people:

• steipete: Recent path history shows substantial subagent orchestration, ACP spawn, and sessions_spawn capability work in the affected code paths. (role: feature-history owner; confidence: high; commits: eacdfbc84b6d, 2febe72108d2, 6a7b76e119ca; files: src/agents/tools/sessions-spawn-tool.ts, src/agents/acp-spawn.ts, src/agents/pi-tools.policy.ts)
• vincentkoc: Recent history includes sessions_spawn ACP-field handling and gateway/plugin tool-deny work adjacent to the policy propagation path. (role: recent area contributor; confidence: medium; commits: efc3a52947e9, 1427c3a78d80, 571d75aab351; files: src/agents/tools/sessions-spawn-tool.ts, src/gateway/tool-resolution.ts, src/agents/pi-tools.policy.ts)
• pgondhi987: Beyond this PR, prior merged history touches ACP child-session envelope inheritance and gateway/tool dispatch paths related to this policy handoff. (role: recent area contributor; confidence: medium; commits: 31160dc069b7, d5eabbd36c87, 037f197684d4; files: src/agents/acp-spawn.ts, src/gateway/tool-resolution.ts, src/agents/pi-tools.policy.ts)

Remaining risk / open question:

• The PR body lacks after-fix real behavior proof from a real setup, which is required for external PRs.
• The current ACP allow-list check can reject valid ACP delegation under restrictive OpenClaw tool profiles.
• The PR touches command/tool execution policy, so maintainer review should verify the final policy contract before merge.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 380daf2f50ce.