
fix: constrain wildcard subagent targets #84357

Merged: joshavant merged 2 commits into main from fix/subagent-wildcard-registry on May 20, 2026

@joshavant

Contributor

Summary

  • Problem: agents.*.subagents.allowAgents: ["*"] let sessions_spawn.agentId target arbitrary unconfigured agent ids, creating ad hoc state roots.
  • Solution: Treat wildcard subagent allowlists as “any configured target” while preserving explicit allowlist entries.
  • What changed: Native subagent and ACP spawn policy now pass configured target ids into the shared target policy; docs and config comments describe the tightened wildcard behavior.
  • What did NOT change: Explicit allowlisted-but-unconfigured target ids still work, including mixed allowlists like ["*", "beta"].

Motivation

Change Type (select all)

  • Bug fix
  • Feature
  • Refactor required for the fix
  • Docs
  • Security hardening
  • Chore/infra

Scope (select all touched areas)

  • Gateway / orchestration
  • Skills / tool execution
  • Auth / tokens
  • Memory / storage
  • Integrations
  • API / contracts
  • UI / DX
  • CI/CD / infra

Linked Issue/PR

Real behavior proof (required for external PRs)

  • Behavior addressed: sessions_spawn with allowAgents: ["*"] rejects an unconfigured explicit agentId instead of spawning a new arbitrary agent state root.
  • Real environment tested: AWS Crabbox direct provider, provider=aws, lease cbx_687b1eaafdfc, run run_5a730368b161, built branch from source, live Gateway, OpenAI openai/gpt-5.5.
  • Exact steps or command run after this patch: Started Gateway with one configured agent main, main.subagents.allowAgents: ["*"], exposed sessions_spawn, then ran a live parent agent turn that called sessions_spawn once with agentId: "bogus-84040-b397f15f".
  • Evidence after fix: Run output reported ISSUE_84040_FIX_EVIDENCE with finalText: "ISSUE_84040_PARENT_REJECTED_b397f15f", one sessions_spawn tool call, transcript containing both forbidden and configured agent registry, rogueAgentDirExists: false, and rogueWorkspaceDirExists: false.
  • Observed result after fix: The model saw the forbidden tool result and replied with the rejected sentinel; no rogue agent or workspace directory was created.
  • What was not tested: Live Telegram/channel delivery was not involved; this is a Gateway/OpenAI subagent tool-path proof.
  • Before evidence: Current-main AWS repro accepted a bogus agentId and created agents/bogus-84040-.../sessions plus workspace/bogus-84040-....

Root Cause (if applicable)

  • Root cause: The shared subagent target policy treated allowAgents containing "*" as unconditional allow-any before checking whether the target id existed in the configured registry.
  • Missing detection / guardrail: Existing tests covered wildcard acceptance but not wildcard rejection for unconfigured ids.
  • Contributing context (if known): Explicit allowlists historically allowed unconfigured ids, so the fix preserves explicit entries while narrowing only wildcard expansion.

Regression Test Plan (if applicable)

  • Coverage level that should have caught this:
    • Unit test
    • Seam / integration test
    • End-to-end test
    • Existing coverage already sufficient
  • Target test or file: src/agents/subagent-target-policy.test.ts, src/agents/openclaw-tools.subagents.sessions-spawn.allowlist.test.ts, src/agents/acp-spawn.test.ts.
  • Scenario the test should lock in: Wildcard allowlists include configured ids plus requester, reject unconfigured ids, and preserve explicit entries in mixed wildcard allowlists.
  • Why this is the smallest reliable guardrail: The shared target-policy test proves the pure contract; native and ACP spawn tests prove both callers pass configured target ids correctly.
  • Existing test that already covers this (if any): Existing wildcard tests only asserted broad acceptance.
  • If no new test is added, why not: N/A.

User-visible / Behavior Changes

subagents.allowAgents: ["*"] now means any configured target agent, not arbitrary agent ids. Operators who intentionally need an unconfigured target can still list that id explicitly.

Diagram (if applicable)

Before:
sessions_spawn(agentId=bogus) -> allowAgents ["*"] -> accepted -> bogus agent/workspace state

After:
sessions_spawn(agentId=bogus) -> allowAgents ["*"] -> registry check -> forbidden

Security Impact (required)

  • New permissions/capabilities? No
  • Secrets/tokens handling changed? No
  • New/changed network calls? No
  • Command/tool execution surface changed? Yes
  • Data access scope changed? Yes
  • If any Yes, explain risk + mitigation: The change narrows wildcard delegation to configured agents, reducing accidental or model-driven creation of arbitrary agent state/workspace roots. Explicit allowlist entries preserve intentional compatibility.

Repro + Verification

Environment

  • OS: Linux on AWS Crabbox
  • Runtime/container: Node 24 via repository build on direct AWS Crabbox
  • Model/provider: OpenAI openai/gpt-5.5
  • Integration/channel (if any): Gateway RPC only; no external channel
  • Relevant config (redacted): one configured main agent with subagents.allowAgents: ["*"]; OpenAI API key sourced from environment

Steps

  1. Build OpenClaw from this branch.
  2. Start Gateway with one configured main agent and main.subagents.allowAgents: ["*"].
  3. Run a live parent agent turn that calls sessions_spawn once with an unconfigured bogus agentId.

Expected

  • The tool call returns forbidden with a configured-registry error and no bogus state root is created.

Actual

  • Parent final text was ISSUE_84040_PARENT_REJECTED_b397f15f; transcript contained forbidden and configured agent registry; no rogue agent/workspace directories existed.

Evidence

  • Failing test/log before + passing after
  • Trace/log snippets
  • Screenshot/recording
  • Perf numbers (if relevant)

Human Verification (required)

  • Verified scenarios: Target-policy pure contract, native sessions_spawn allowlist enforcement, ACP envelope allowlist enforcement, live AWS Gateway/OpenAI repro path.
  • Edge cases checked: Mixed wildcard-plus-explicit allowlists preserve explicit unconfigured ids; explicit self-target behavior remains denyable; default omitted-agent self-spawn remains allowed.
  • What you did not verify: Channel-specific delivery flows.

Review Conversations

  • I replied to or resolved every bot review conversation I addressed in this PR.
  • I left unresolved only the conversations that still need reviewer or maintainer judgment.

Compatibility / Migration

  • Backward compatible? Mostly
  • Config/env changes? Yes
  • Migration needed? No
  • If yes, exact upgrade steps: If an operator intentionally used ["*"] to target an unconfigured id, add that id explicitly to allowAgents.

Risks and Mitigations

  • Risk: Operators relying on wildcard to target ad hoc ids will now see a forbidden result.
    • Mitigation: Explicit allowlist entries still allow those ids, and the error lists configured/allowed targets.
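
The wildcard contract described in this PR body, modelled as an added TypeScript example (not OpenClaw's code): the pre-fix and post-fix checks side by side, plus an upgrade audit that lists ids that were reachable only through "*". All type and function names are hypothetical, ids are assumed to match by exact string comparison, and the `research` agent and the list of state roots are constructed sample data.

```typescript
// Added example: simplified model of the allowAgents wildcard contract in this PR.
// Every name below is hypothetical and is not OpenClaw's API.

interface SpawnPolicyInput {
  requesterId: string;          // agent issuing sessions_spawn
  agentId?: string;             // requested target; omitted means self-spawn
  allowAgents: string[];        // the requester's subagents.allowAgents
  configuredAgentIds: string[]; // ids present in the configured agent registry
}

interface Decision {
  ok: boolean;
  targetId: string;
  reason?: string;
}

// Pre-fix behaviour per the root-cause note: "*" allows any id before the
// configured registry is consulted.
function checkTargetBefore(input: SpawnPolicyInput): Decision {
  const targetId = input.agentId ?? input.requesterId;
  if (input.agentId === undefined) return { ok: true, targetId };
  if (input.allowAgents.includes("*") || input.allowAgents.includes(targetId)) {
    return { ok: true, targetId };
  }
  return { ok: false, targetId, reason: "forbidden: target not in allowAgents" };
}

// Post-fix behaviour: explicit entries still pass as written, while "*"
// expands only to configured ids plus the requester.
function checkTargetAfter(input: SpawnPolicyInput): Decision {
  const targetId = input.agentId ?? input.requesterId;
  if (input.agentId === undefined) return { ok: true, targetId }; // default self-spawn

  const explicit = input.allowAgents.filter((id) => id !== "*");
  if (explicit.includes(targetId)) return { ok: true, targetId };

  if (input.allowAgents.includes("*")) {
    const wildcardTargets = new Set(input.configuredAgentIds.concat(input.requesterId));
    if (wildcardTargets.has(targetId)) return { ok: true, targetId };
    return {
      ok: false,
      targetId,
      reason: "forbidden: target not in configured agent registry",
    };
  }
  return { ok: false, targetId, reason: "forbidden: target not in allowAgents" };
}

// Upgrade audit: given agent ids that already have state roots on disk,
// return those that were accepted before the fix and are rejected after it.
// These are the ids an operator must list explicitly to keep targeting them.
function idsNeedingExplicitEntry(
  observedStateRoots: string[],
  policy: Omit<SpawnPolicyInput, "agentId">,
): string[] {
  return observedStateRoots.filter((id) => {
    const input = { ...policy, agentId: id };
    return checkTargetBefore(input).ok && !checkTargetAfter(input).ok;
  });
}

// Constructed sample: one wildcard-plus-explicit allowlist and four state roots.
const samplePolicy = {
  requesterId: "main",
  allowAgents: ["*", "beta"],
  configuredAgentIds: ["main", "research"],
};
const sampleRoots = ["main", "research", "beta", "bogus-84040-b397f15f"];
console.log(idsNeedingExplicitEntry(sampleRoots, samplePolicy));
```
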

openclaw-barnacle Bot added labels on May 19, 2026:

  • docs (Improvements or additions to documentation)
  • gateway (Gateway runtime)
  • agents (Agent runtime and tooling)
  • size: M
  • maintainer (Maintainer-authored PR)

@clawsweeper

clawsweeper Bot commented May 19, 2026

Contributor

Codex review: needs maintainer review before merge.

Workflow note: Future ClawSweeper reviews update this same comment in place.

How this review workflow works
  • ClawSweeper keeps one durable marker-backed review comment per issue or PR.
  • Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
  • A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
  • PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
  • Maintainers can also comment @clawsweeper review to request a fresh review only.
  • Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
  • Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
  • Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

Summary
The PR threads configured agent IDs into native and ACP subagent spawn policy, changes wildcard allowlists to reject unconfigured targets, updates tests/docs, and adds a changelog entry.

Reproducibility: yes. Current main source clearly returns success on allowed.allowAny, existing tests expect wildcard to accept an unconfigured target, and the PR body includes before/after live Gateway evidence.

PR rating
Overall: 🐚 platinum hermit
Proof: 🦞 diamond lobster
Patch quality: 🐚 platinum hermit
Summary: Focused patch with strong live proof and regression coverage, held at a normal good tier because the compatibility/security decision still needs maintainer ownership.

Rank-up moves:

  • none
What the crustacean ranks mean
  • 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
  • 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
  • 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
  • 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
  • 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
  • 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
  • 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

Real behavior proof
Sufficient (live_output): The PR body supplies after-fix live AWS Crabbox/Gateway output showing the forbidden result and absence of rogue state roots for the changed behavior.

Risk before merge

  • Merging changes allowAgents: ["*"] from any well-formed target to configured targets only, so deployments relying on ad hoc auto-provisioned IDs will start receiving forbidden spawn results unless those IDs are listed explicitly.
  • Existing rogue/ad hoc agent state is not deleted, but workflows that only reached it through wildcard targeting may lose their implicit access path after upgrade.
  • This read-only review did not run the PR tests or replay the Crabbox proof; required CI and maintainer/security acceptance should still gate merge.

Maintainer options:

  1. Accept fail-closed wildcard hardening
    Maintainers can land the PR as-is if they accept that wildcard no longer provisions ad hoc targets and operators must explicitly list compatibility IDs.
  2. Add an explicit compatibility mode
    If preserving current auto-provision behavior is required, add a documented opt-in compatibility knob with tests for default strict behavior and opt-in lax behavior.
  3. Pause for allowlist semantics coordination
    Hold merge until the interaction with the open SPAWN_ALLOWLIST wildcard PR is resolved so env-derived wildcard behavior does not drift from the registry contract.

Next step before merge
The PR is maintainer-labeled and compatibility-sensitive; the next action is human maintainer/security review, not an automated repair PR.

Security
Cleared: The diff narrows an existing spawn authorization boundary and does not add dependencies, workflow execution, secret handling, or broader permissions.

Review details

Best possible solution:

Land a single tightened wildcard contract only after maintainer/security review accepts the fail-closed compatibility tradeoff and the open SPAWN_ALLOWLIST wildcard work is checked for semantic conflict.

Do we have a high-confidence way to reproduce the issue?

Yes. Current main source clearly returns success on allowed.allowAny, existing tests expect wildcard to accept an unconfigured target, and the PR body includes before/after live Gateway evidence.

Is this the best way to solve the issue?

Mostly yes. Threading configured IDs into the shared policy is the narrow owner-boundary fix, but changing wildcard from permissive to fail-closed is a maintainer/security compatibility decision rather than a safe automated merge choice.

Label changes:

  • add P1: The PR fixes a security-relevant agent scoping bug that can create unintended agent/session state roots under wildcard spawn permission.
  • add merge-risk: 🚨 compatibility: The diff intentionally changes the documented wildcard behavior and can make existing wildcard-based spawn configurations fail closed on upgrade.
  • add merge-risk: 🚨 session-state: Existing ad hoc agent/session roots may become unreachable through wildcard targeting unless operators add explicit allowlist entries.
  • add proof: sufficient: Contributor real behavior proof is sufficient. The PR body supplies after-fix live AWS Crabbox/Gateway output showing the forbidden result and absence of rogue state roots for the changed behavior.
  • add rating: 🐚 platinum hermit: Current PR rating is 🐚 platinum hermit because proof is 🦞 diamond lobster, patch quality is 🐚 platinum hermit, and Focused patch with strong live proof and regression coverage, held at a normal good tier because the compatibility/security decision still needs maintainer ownership.
  • add status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Sufficient (live_output): The PR body supplies after-fix live AWS Crabbox/Gateway output showing the forbidden result and absence of rogue state roots for the changed behavior.

Label justifications:

  • P1: The PR fixes a security-relevant agent scoping bug that can create unintended agent/session state roots under wildcard spawn permission.
  • merge-risk: 🚨 compatibility: The diff intentionally changes the documented wildcard behavior and can make existing wildcard-based spawn configurations fail closed on upgrade.
  • merge-risk: 🚨 session-state: Existing ad hoc agent/session roots may become unreachable through wildcard targeting unless operators add explicit allowlist entries.
  • rating: 🐚 platinum hermit: Current PR rating is 🐚 platinum hermit because proof is 🦞 diamond lobster, patch quality is 🐚 platinum hermit, and Focused patch with strong live proof and regression coverage, held at a normal good tier because the compatibility/security decision still needs maintainer ownership.
  • status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Sufficient (live_output): The PR body supplies after-fix live AWS Crabbox/Gateway output showing the forbidden result and absence of rogue state roots for the changed behavior.
  • proof: sufficient: Contributor real behavior proof is sufficient. The PR body supplies after-fix live AWS Crabbox/Gateway output showing the forbidden result and absence of rogue state roots for the changed behavior.

Acceptance criteria:

  • node scripts/run-vitest.mjs src/agents/subagent-target-policy.test.ts src/agents/openclaw-tools.subagents.sessions-spawn.allowlist.test.ts
  • node scripts/run-vitest.mjs src/agents/acp-spawn.test.ts
  • Before merge, verify required CI for head 5ee8b1a and review the supplied Crabbox run evidence.

What I checked:

  • Current main wildcard bypass: On current main, resolveSubagentTargetPolicy returns ok when allowed.allowAny is true, so wildcard validation does not require the target ID to be in the configured registry. (src/agents/subagent-target-policy.ts:73, a00e7d3898cf)
  • Current native spawn call lacks configured IDs: The native spawnSubagentDirect policy call passes requester, target, requested ID, and allowAgents but no configured agent registry, matching the linked issue's source-level root cause. (src/agents/subagent-spawn.ts:835, a00e7d3898cf)
  • Current ACP spawn call has the same policy shape: The ACP envelope policy call also omits configured target IDs on current main, so the wildcard semantics are shared across both spawn paths. (src/agents/acp-spawn.ts:797, a00e7d3898cf)
  • PR narrows wildcard policy: The PR adds configuredAgentIds to the target-policy input, removes the unconditional allowAny success path, and returns a configured-registry error for wildcard misses. (src/agents/subagent-target-policy.ts:63, 5ee8b1a8e0e3)
  • PR threads configured targets through callers: The native path uses listAgentIds(cfg), and the ACP path builds configured targets from OpenClaw agent IDs, ACP runtime mappings, ACP defaults, and explicit ACP allowed agents before calling the shared policy. (src/agents/acp-spawn.ts:447, 5ee8b1a8e0e3)
  • Regression coverage added: The patch adds pure policy, native sessions_spawn, and ACP spawn tests for configured wildcard acceptance, unconfigured wildcard rejection, and mixed wildcard-plus-explicit compatibility. (src/agents/subagent-target-policy.test.ts:64, 5ee8b1a8e0e3)

Likely related people:

  • Patrick-Erichsen: Current checkout blame attributes the relevant subagent policy and spawn files to d60ab48, which GitHub maps to this author; the checkout history is shallow/compressed, so confidence is limited. (role: recent area contributor; confidence: medium; commits: d60ab485114a; files: src/agents/subagent-target-policy.ts, src/agents/subagent-spawn.ts, src/agents/acp-spawn.ts)
  • Jefsky: The related open PR fix(config): apply SPAWN_ALLOWLIST env for sessions_spawn (#79490) #79913 changes how SPAWN_ALLOWLIST=* reaches agents.defaults.subagents.allowAgents, which overlaps this wildcard semantics decision. (role: adjacent allowlist contributor; confidence: medium; commits: 389b46eb14a0; files: src/config/io.ts, src/config/spawn-allowlist-env.ts)

Codex review notes: model gpt-5.5, reasoning high; reviewed against a00e7d3898cf.

clawsweeper Bot added labels on May 19, 2026:

  • proof: sufficient (ClawSweeper judged the real behavior proof convincing.)
  • rating: 🐚 platinum hermit (Good normal PR readiness with ordinary maintainer review expected.)
  • status: 👀 ready for maintainer look (ClawSweeper has no concrete contributor-facing blocker left for this PR.)
  • P1 (High-priority user-facing bug, regression, or broken workflow.)
  • merge-risk: 🚨 compatibility (🚨 May break existing users, config, migrations, defaults, or upgrade paths.)
  • merge-risk: 🚨 session-state (🚨 May lose, corrupt, stale, or mis-associate session, agent, or context state.)

joshavant merged commit 00da318 into main on May 20, 2026
143 of 146 checks passed
joshavant deleted the fix/subagent-wildcard-registry branch on May 20, 2026 00:21
eleboucher pushed a commit to eleboucher/homelab that referenced this pull request May 21, 2026
…026.5.20) (#615)

This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [ghcr.io/openclaw/openclaw](https://openclaw.ai) ([source](https://github.com/openclaw/openclaw)) | patch | `2026.5.19` → `2026.5.20` |

---

> ⚠️ **Warning**
>
> Some dependencies could not be looked up. Check the [Dependency Dashboard](issues/567) for more information.

---

### Release Notes

<details>
<summary>openclaw/openclaw (ghcr.io/openclaw/openclaw)</summary>

### [`v2026.5.20`](https://github.com/openclaw/openclaw/blob/HEAD/CHANGELOG.md#2026520)

[Compare Source](openclaw/openclaw@v2026.5.19...v2026.5.20)

##### Changes

- Exec approvals: remove the old `cat SKILL.md && printf ... && <skill-wrapper>` allowlist compatibility path so skill files must be loaded with the read tool and only the real skill executable is auto-allowed.
- Discord: let voice sessions follow configured Discord users into voice channels, with allowed-channel checks, multi-user handoff, bounded reconciliation, and DAVE recovery preservation. ([#84264](openclaw/openclaw#84264)) Thanks [@fuller-stack-dev](https://github.com/fuller-stack-dev).
- Discord/voice: include bounded `IDENTITY.md`, `USER.md`, and `SOUL.md` profile context in realtime voice session instructions by default, with `voice.realtime.bootstrapContextFiles: []` available to disable it. ([#84499](openclaw/openclaw#84499)) Thanks [@fuller-stack-dev](https://github.com/fuller-stack-dev).
- Dependencies: bump the bundled Codex harness to `@openai/codex` `0.132.0` and refresh the app-server model-list docs for the new catalog.
- CLI/policy: add the bundled Policy plugin for policy-backed channel conformance checks, doctor lint findings, and opt-in workspace repair. ([#80407](openclaw/openclaw#80407)) Thanks [@giodl73-repo](https://github.com/giodl73-repo).
- Agents/config: allow `agents.list[].experimental.localModelLean` so lean local-model mode can be enabled for one configured agent instead of globally.
- Providers/xAI: add device-code OAuth login so remote and headless setups can authorize xAI without a localhost browser callback. ([#84005](openclaw/openclaw#84005)) Thanks [@fuller-stack-dev](https://github.com/fuller-stack-dev).
- Providers/OpenRouter: honor provider-level `params.provider` routing policy for OpenRouter requests, with model and agent params overriding the defaults. Thanks [@amknight](https://github.com/amknight).

##### Fixes

- CLI/tasks: include stale-running task maintenance decisions in `openclaw tasks maintenance --json` so retained and reconcile candidates explain backing-session, cron, CLI, and wedged-subagent state. ([#84691](openclaw/openclaw#84691)) Thanks [@efpiva](https://github.com/efpiva).
- Codex app-server: keep system-prompt reports working when bootstrap hooks provide workspace files with only a path and content, so hook-supplied SOUL/IDENTITY/TOOLS/USER context still reports injected characters correctly. ([#84736](openclaw/openclaw#84736)) Thanks [@JARVIS-Glasses](https://github.com/JARVIS-Glasses).
- Providers/MiniMax music: stop advertising `durationSeconds` control and remove prompt-injected duration hints, so `music_generate` reports MiniMax duration as an unsupported override instead of suggesting MiniMax can enforce track length. Fixes [#84508](openclaw/openclaw#84508). Thanks [@neeravmakwana](https://github.com/neeravmakwana).
- Doctor: warn when sandbox tool policy hides configured MCP server tools before provider requests. ([#84699](openclaw/openclaw#84699)) Thanks [@nxmxbbd](https://github.com/nxmxbbd).
- WhatsApp: update Baileys to `7.0.0-rc12`.
- Build: suppress per-locale `rolldown-plugin-dts:fake-js` CommonJS dts warnings emitted while bundling the intentionally-inlined `zod/v4/locales/*.d.cts` files, so `pnpm build` output stays readable after the 0.25.1 plugin bump. Thanks [@romneyda](https://github.com/romneyda).
- CLI/nodes: route lazy plugin-registration logs to stderr for JSON-mode `openclaw nodes` commands so stdout stays parseable. ([#84684](openclaw/openclaw#84684)) Thanks [@TurboTheTurtle](https://github.com/TurboTheTurtle).
- Approvals: route manual `/approve` decisions through the trusted approval runtime so active exec and plugin approvals no longer look unknown or expired.
- Mac app: update the About settings copyright year to 2026. ([#84385](openclaw/openclaw#84385)) Thanks [@pejmanjohn](https://github.com/pejmanjohn).
- Dependencies: update `@openclaw/fs-safe` to `0.2.7` so OpenClaw's default Python-helper-off policy keeps best-effort Node write fallbacks for private stores, secret writes, run logs, and media attachments on Linux/macOS.
- Infra/secrets: restore the fail-closed contract for `tryReadSecretFileSync` so credential loaders that pass `rejectSymlink: true` (Telegram, LINE, Zalo, IRC, Nextcloud Talk tokens) refuse symlinked credential files instead of silently accepting them, and the infra-state CI shard's secret-file symlink test passes again. Thanks [@romneyda](https://github.com/romneyda).
- Browser: honor the configured image sanitization limit for screenshots and labeled snapshots so browser-captured images follow the same resize policy as other image results. ([#84595](openclaw/openclaw#84595))
- Doctor: remove unrecognized `models.providers.*.models[*].compat.thinkingFormat` values during `doctor --fix` so stale provider model config can validate after upgrade. Fixes [#77803](openclaw/openclaw#77803).
- Doctor: warn when `openclaw.json` stores plaintext secret-bearing config fields, including model provider API keys and sensitive provider headers. ([#84718](openclaw/openclaw#84718)) Thanks [@lukaIvanic](https://github.com/lukaIvanic).
- Status: show the configured default, session-selected model, reason, clear hint, and docs link when a session remains pinned to a model that differs from `agents.defaults.model.primary`.
- WebChat: clear stale typing indicators when session change events mark the active chat run complete.
- Mac app: keep local packaging signed with a stable app identity for permission testing and fix Control UI production builds under current Vite/Highlight.js exports.
- macOS app: update the embedded Peekaboo bridge to 3.2.1 so OpenClaw-hosted UI automation works with current Peekaboo CLI capture flows.
- Cron: deliver preferred final assistant output for successful scheduled runs when trailing plain tool warnings remain in diagnostics instead of marking the run failed.
- fix(mattermost): fail closed on missing channel type \[AI]. ([#84091](openclaw/openclaw#84091)) Thanks [@pgondhi987](https://github.com/pgondhi987).
- Recheck rebuilt system.run argv \[AI]. ([#84090](openclaw/openclaw#84090)) Thanks [@pgondhi987](https://github.com/pgondhi987).
- CLI: keep the private QA subcommand out of exported command descriptors unless `OPENCLAW_ENABLE_PRIVATE_QA_CLI=1`, so root help and subcommand markers match runtime registration. ([#84519](openclaw/openclaw#84519))
- CLI/cron: bound `openclaw cron show` job lookup pagination so non-advancing or unbounded `cron.list` responses fail instead of hanging the command. Fixes [#83856](openclaw/openclaw#83856). ([#83989](openclaw/openclaw#83989))
- Agents/messages: stop message-tool-only turns after a successful source-channel `message` send while keeping transcript mirrors under the session write lock. ([#84289](openclaw/openclaw#84289))
- Agents: filter silent heartbeat response-tool transcript artifacts out of embedded context snapshots so later user turns are not polluted by heartbeat no-op messages. ([#83477](openclaw/openclaw#83477)) Thanks [@fuller-stack-dev](https://github.com/fuller-stack-dev).
- Agents/OpenAI: log repeated strict tool-schema downgrade diagnostics once per provider/model/tool signature, reducing duplicate debug noise while preserving `strict=false` fallback behavior. Fixes [#82930](openclaw/openclaw#82930). ([#82933](openclaw/openclaw#82933)) Thanks [@galiniliev](https://github.com/galiniliev).
- Agents/code mode: spell out the `exec` tool's JavaScript/TypeScript, no Node module, and catalog-bridge constraints in model-visible schema text so agents can use enabled tools without trial-and-error. ([#84269](openclaw/openclaw#84269)) Thanks [@Kaspre](https://github.com/Kaspre).
- Codex: give `image_generate` dynamic-tool calls a 120s default watchdog when no per-call or configured image timeout is set, so image generation no longer falls back to the generic 30s bridge timeout. ([#84254](openclaw/openclaw#84254)) Thanks [@moritzmmayerhofer](https://github.com/moritzmmayerhofer).
- Codex: avoid duplicate dynamic tool terminal diagnostics while large diagnostic backlogs drain without blocking tool responses. ([#82937](openclaw/openclaw#82937)) Thanks [@galiniliev](https://github.com/galiniliev).
- CLI/message: include a stable top-level `messageId` in `openclaw message --json` output when channel sends return one. ([#84191](openclaw/openclaw#84191)) Thanks [@100menotu001](https://github.com/100menotu001).
- Cron: preserve legacy top-level array `jobs.json` stores when loading or adding scheduled jobs so old cron jobs are no longer treated as an empty store during upgrade. Fixes [#60799](openclaw/openclaw#60799). ([#84433](openclaw/openclaw#84433)) Thanks [@IWhatsskill](https://github.com/IWhatsskill).
- Gateway/agents: use an agent's `identity.name` in Gateway agent summaries when `agents.list[].name` is unset, so configured agent labels remain visible in clients. ([#84355](openclaw/openclaw#84355); refs [#57835](openclaw/openclaw#57835)) Thanks [@luoyanglang](https://github.com/luoyanglang).
- Channels/replies: keep normal `/verbose` failed-tool progress compact in message-tool replies and prevent late text-only tool output from appearing after the final answer. ([#84303](openclaw/openclaw#84303)) Thanks [@VACInc](https://github.com/VACInc).
- Plugins/hooks: apply a default 30-second timeout to `before_compaction` and `after_compaction` hooks so a hung plugin handler no longer blocks compaction completion. ([#84153](openclaw/openclaw#84153))
- Discord: preserve disabled presentation buttons when adapting and rendering Discord message controls. ([#84188](openclaw/openclaw#84188)) Thanks [@100menotu001](https://github.com/100menotu001).
- Twitch: add a test-only client-manager registry reset helper so non-isolated Twitch tests can clear cached managers between cases. Fixes [#83887](openclaw/openclaw#83887). ([#84244](openclaw/openclaw#84244)) Thanks [@hclsys](https://github.com/hclsys).
- Cron: run main-session scheduled work on a cron-owned wake lane while preserving reply delivery context, so background cron turns no longer block human main-session chat. Fixes [#82766](openclaw/openclaw#82766). ([#82767](openclaw/openclaw#82767)) Thanks [@galiniliev](https://github.com/galiniliev).
- Cron: use structured embedded-run denial metadata for isolated scheduled tasks so blocked exec requests fail the job without treating ordinary assistant prose as a denial. ([#84067](openclaw/openclaw#84067)) Thanks [@abnershang](https://github.com/abnershang).
- Cron: keep recovered tool warnings diagnostic for successful scheduled runs so final cron output is delivered instead of being replaced by a post-processing warning. ([#84045](openclaw/openclaw#84045)) Thanks [@abnershang](https://github.com/abnershang).
- Plugins/perf: thread explicit plugin discovery results through `loadBundledCapabilityRuntimeRegistry`, `resolveBundledPluginSources`, and `listChannelCatalogEntries` so callers that already hold a discovery result skip redundant filesystem walks. Thanks [@SebTardif](https://github.com/SebTardif).
- harden update restart script creation \[AI]. ([#84088](openclaw/openclaw#84088)) Thanks [@pgondhi987](https://github.com/pgondhi987).
- Docker: keep the bundled Codex plugin in official release image keep lists so the default OpenAI agent harness remains available after Docker pruning. Fixes [#83613](openclaw/openclaw#83613). ([#83626](openclaw/openclaw#83626)) Thanks [@YuanHanzhong](https://github.com/YuanHanzhong).
- CLI/channels: preserve the first line of `openclaw channels logs` output when the rolling tail window starts exactly on a line boundary, mirroring the already-fixed `readLogSlice` behavior in `src/logging/log-tail.ts`.
- Control UI: treat terminal session status as authoritative over stale active-run flags so completed terminal runs stop showing abort/live UI. ([#&#8203;84057](openclaw/openclaw#84057))
- CLI: preserve embedded equals signs in inline root option values instead of truncating after the second separator. ([#&#8203;83995](openclaw/openclaw#83995)) Thanks [@&#8203;ThiagoCAltoe](https://github.com/ThiagoCAltoe).
- Matrix/config: accept `messages.queue.byChannel.matrix` queue overrides and keep queue provider schema/type keys aligned for Matrix, Google Chat, and Mattermost. Thanks [@&#8203;bdjben](https://github.com/bdjben).
- CLI: format `openclaw acp client` failures through the shared error formatter so object-shaped errors stay readable instead of printing `[object Object]`. Fixes [#&#8203;83904](openclaw/openclaw#83904). ([#&#8203;84080](openclaw/openclaw#84080))
- Providers/Ollama: default unknown-capabilities models to tool-capable so discovered native Ollama models can use tools when `/api/show` omits capabilities. ([#&#8203;84055](openclaw/openclaw#84055)) Thanks [@&#8203;dutifulbob](https://github.com/dutifulbob).
- Installer/Windows: launch `install.ps1` onboarding as an attached child process so fresh native Windows installs do not freeze visibly at `Starting setup...` or corrupt the wizard's terminal rendering.
- CLI/update: keep restart health checks working across one-version CLI/Gateway protocol skew and use the managed Gateway service Node for all follow-up commands even when the package root is unchanged, so `openclaw update` no longer silently switches the gateway to a different Node binary when multiple Node installations are present. Thanks [@&#8203;amknight](https://github.com/amknight).
- CLI/gateway: include the running Gateway version in `gateway status` JSON output, preserving existing server metadata while falling back to status RPC data for read probes. Fixes [#&#8203;56222](openclaw/openclaw#56222). Thanks [@&#8203;galiniliev](https://github.com/galiniliev).
- Memory/search: close local embedding providers when active-memory searches time out so pending local model loads and embedding contexts are aborted and released. ([#&#8203;83858](openclaw/openclaw#83858)) Thanks [@&#8203;brokemac79](https://github.com/brokemac79).
- CLI/nodes: request pending node surface approval scopes before `openclaw nodes approve` so exec-capable node approval can use admin-scoped Gateway credentials instead of failing with `missing scope: operator.admin`. ([#&#8203;84392](openclaw/openclaw#84392)) Thanks [@&#8203;joshavant](https://github.com/joshavant).
- Gateway: reject slow node event sends before outbound buffers grow unbounded and log the rejected payload diagnostic. ([#&#8203;84387](openclaw/openclaw#84387)) Thanks [@&#8203;samzong](https://github.com/samzong).
- Agents: include bounded trajectory queued-writer diagnostics in `pi-trajectory-flush` timeout warnings so flush stalls show pending writes, queued bytes, and append state. Fixes [#&#8203;82961](openclaw/openclaw#82961). ([#&#8203;82962](openclaw/openclaw#82962)) Thanks [@&#8203;galiniliev](https://github.com/galiniliev).
- Agents/subagents: recover stale completion announces by retrying unsupported transcript-wait wakes without transcript waiting and forcing a message-tool handoff when the requester run is already stale. Fixes [#&#8203;83699](openclaw/openclaw#83699). ([#&#8203;83700](openclaw/openclaw#83700)) Thanks [@&#8203;galiniliev](https://github.com/galiniliev).
- Agents/subagents: constrain wildcard subagent target allowlists to configured agents while preserving explicitly listed compatibility targets. Fixes [#&#8203;84040](openclaw/openclaw#84040). ([#&#8203;84357](openclaw/openclaw#84357)) Thanks [@&#8203;joshavant](https://github.com/joshavant).
- Providers/Anthropic: route Anthropic model refs selected with Claude CLI auth through the Claude CLI runtime so shorthand refs such as `anthropic/opus-4.7` no longer fall back to embedded Anthropic billing. Fixes [#&#8203;84222](openclaw/openclaw#84222). ([#&#8203;84374](openclaw/openclaw#84374)) Thanks [@&#8203;joshavant](https://github.com/joshavant).
- Agents: honor explicit `models.providers.<id>.timeoutSeconds` values above the default idle watchdog for cloud and self-hosted providers, so long first-token waits no longer fall back at \~120s when the provider timeout is higher. ([#&#8203;83979](openclaw/openclaw#83979)) Thanks [@&#8203;yujiawei](https://github.com/yujiawei).
- Agents/Codex: keep encrypted Responses reasoning replay provenance-bound so stale mirrored Codex transcripts drop invalid encrypted content before request assembly while preserving matching same-session replay. Fixes [#&#8203;83836](openclaw/openclaw#83836). ([#&#8203;84367](openclaw/openclaw#84367)) Thanks [@&#8203;joshavant](https://github.com/joshavant).
- Agents/subagents: skip stale embedded-run wake probes for dormant completion requesters, so late subagent completions go straight to requester-agent/direct handoff instead of producing `reason=no_active_run` queue noise. ([#&#8203;82964](openclaw/openclaw#82964)) Thanks [@&#8203;galiniliev](https://github.com/galiniliev).
- CLI: retry config snapshot reads after a transient failure so one rejected read no longer poisons later commands in the same process. ([#&#8203;83931](openclaw/openclaw#83931)) Thanks [@&#8203;honor2030](https://github.com/honor2030).
- Media: decode URL path basenames before using them as remote media fallback filenames, so files like `My%20Report.pdf` are surfaced as `My Report.pdf`. Fixes [#&#8203;84050](openclaw/openclaw#84050). ([#&#8203;84052](openclaw/openclaw#84052)) Thanks [@&#8203;jbetala7](https://github.com/jbetala7).
- WhatsApp: clarify inbound group diagnostics so observed but unregistered groups point to `channels.whatsapp.groups` without changing routing or sender authorization. ([#&#8203;83846](openclaw/openclaw#83846)) Thanks [@&#8203;neeravmakwana](https://github.com/neeravmakwana).
- WhatsApp: drain pending outbound deliveries on a 30s periodic timer in addition to the reconnect handler, so messages enqueued while the provider is already connected no longer wait for the next reconnect to send. ([#&#8203;79083](openclaw/openclaw#79083)) Thanks [@&#8203;Oviemudiaga](https://github.com/Oviemudiaga).
- CLI/TUI: include gateway plugin slash commands in TUI autocomplete, so connected sessions can suggest plugin-owned commands exposed by the running Gateway. ([#&#8203;83640](openclaw/openclaw#83640)) Thanks [@&#8203;se7en-agent](https://github.com/se7en-agent).
- Gateway/mobile: restore QR setup-code handoff of bounded operator tokens for iOS and Android onboarding while keeping admin and pairing scopes out of bootstrap. ([#&#8203;83684](openclaw/openclaw#83684)) Thanks [@&#8203;ngutman](https://github.com/ngutman).
- iOS: repair Release archive compilation for the TestFlight build. ([#&#8203;84255](openclaw/openclaw#84255)) Thanks [@&#8203;ngutman](https://github.com/ngutman).
- Agents/compaction: bound plugin-owned CLI transcript compaction with the host safety timeout so a hung context engine can no longer stall post-turn cleanup. ([#&#8203;84083](openclaw/openclaw#84083)) Thanks [@&#8203;100yenadmin](https://github.com/100yenadmin).
- Control UI/usage: truncate long context skill, tool, and file names in the usage panel while keeping the full name available on hover. ([#&#8203;42197](openclaw/openclaw#42197)) Thanks [@&#8203;Rain120](https://github.com/Rain120).
- Codex: respect explicit `models auth order set` and `config.auth.order` precedence over stale `lastGood` in `/codex account`, and show `no working credential` when every explicit-order profile is ineligible instead of marking a lower-ranked profile as active. Fixes [#&#8203;84386](openclaw/openclaw#84386). ([#&#8203;84412](openclaw/openclaw#84412)) Thanks [@&#8203;openperf](https://github.com/openperf).
- Agents: honor `messages.suppressToolErrors` for mutating tool failures so configured chat surfaces do not receive separate warning payloads. ([#&#8203;81561](openclaw/openclaw#81561)) Thanks [@&#8203;moeedahmed](https://github.com/moeedahmed).
- Agents/fallback: surface billing guidance for mixed rate-limit plus billing fallback exhaustion instead of generic failure copy. Fixes [#&#8203;79396](openclaw/openclaw#79396). ([#&#8203;79489](openclaw/openclaw#79489)) Thanks [@&#8203;aayushprsingh](https://github.com/aayushprsingh).

</details>

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).

Reviewed-on: https://git.erwanleboucher.dev/eleboucher/homelab/pulls/615
SebTardif pushed a commit to SebTardif/openclaw that referenced this pull request May 24, 2026
* fix subagent wildcard targets

* add changelog for subagent wildcard fix
github-actions Bot pushed a commit to Desicool/openclaw that referenced this pull request May 24, 2026
* fix subagent wildcard targets

* add changelog for subagent wildcard fix
galiniliev pushed a commit to galiniliev/openclaw that referenced this pull request May 25, 2026
* fix subagent wildcard targets

* add changelog for subagent wildcard fix
SebTardif pushed a commit to SebTardif/openclaw that referenced this pull request May 26, 2026
* fix subagent wildcard targets

* add changelog for subagent wildcard fix
jameslcowan pushed a commit to jameslcowan/openclaw that referenced this pull request Jun 2, 2026
* fix subagent wildcard targets

* add changelog for subagent wildcard fix
SYU8384 pushed a commit to SYU8384/openclaw that referenced this pull request Jun 3, 2026
* fix subagent wildcard targets

* add changelog for subagent wildcard fix
sablehead pushed a commit to sablehead/openclaw that referenced this pull request Jun 10, 2026
* fix subagent wildcard targets

* add changelog for subagent wildcard fix

Labels

- `agents`: Agent runtime and tooling
- `docs`: Improvements or additions to documentation
- `gateway`: Gateway runtime
- `maintainer`: Maintainer-authored PR
- `merge-risk: 🚨 compatibility 🚨`: May break existing users, config, migrations, defaults, or upgrade paths.
- `merge-risk: 🚨 session-state 🚨`: May lose, corrupt, stale, or mis-associate session, agent, or context state.
- `P1`: High-priority user-facing bug, regression, or broken workflow.
- `proof: sufficient`: ClawSweeper judged the real behavior proof convincing.
- `rating: 🐚 platinum hermit`: Good normal PR readiness with ordinary maintainer review expected.
- `size: M`
- `status: 👀 ready for maintainer look`: ClawSweeper has no concrete contributor-facing blocker left for this PR.

Development

Successfully merging this pull request may close these issues.

sessions_spawn accepts unknown agentId with allowAgents:"*" (auto-provisions default-configured subagent, no registry validation)
