fix(doctor): warn when sandbox hides MCP tools #84699

Closed
nxmxbbd wants to merge 4 commits into openclaw:main from nxmxbbd:fix/80909-sandbox-mcp-docs

@nxmxbbd nxmxbbd commented May 20, 2026

Contributor

Summary

  • Problem: sandboxed agents could hide configured MCP server tools even though the MCP servers loaded successfully, and there was no clear openclaw doctor warning for the missing sandbox tool allow gate.
  • Solution: add a doctor warning when mcp.servers are configured but active sandbox tool policy does not allow bundle-mcp, group:plugins, or a matching server glob such as outlook__*.
  • What changed: mirror runtime sandbox policy fallback for per-agent partial overrides, preserve warnings when a separate agent intentionally denies MCP, polish warning grammar/source labels, and document sanitized server globs plus the current bundled-plugin/Claude .mcp.json diagnostic limitation.
  • What did NOT change (scope boundary): no sandbox defaults, provider serialization, MCP runtime behavior, runtime tool policy enforcement, or bundled-plugin/.mcp.json MCP discovery logic changed.

Motivation

Change Type (select all)

  • Bug fix
  • Feature
  • Refactor required for the fix
  • Docs
  • Security hardening
  • Chore/infra

Scope (select all touched areas)

  • Gateway / orchestration
  • Skills / tool execution
  • Auth / tokens
  • Memory / storage
  • Integrations
  • API / contracts
  • UI / DX
  • CI/CD / infra

Linked Issue/PR

Real behavior proof

  • Behavior or issue addressed:

Sandboxed OpenClaw turns with configured mcp.servers now surface a doctor warning when the active sandbox tool allow gate would hide bundled MCP tools before provider requests.

  • Real environment tested:

Local OpenClaw checkout on branch fix/80909-sandbox-mcp-docs, rebased onto current upstream/main, using a temp state dir at /tmp/openclaw-80909-doctor-state and running the real pnpm openclaw doctor CLI.

  • Exact steps or command run after this patch:
OPENCLAW_STATE_DIR=/tmp/openclaw-80909-doctor-state pnpm openclaw doctor --non-interactive --no-workspace-suggestions
  • Evidence after fix:

Terminal capture from this branch, copied live output:

◇  Doctor warnings ───────────────────────────────────────────────────────╮
│                                                                         │
│  - mcp.servers defines 1 MCP server ("outlook"), but                    │
│    tools.sandbox.tools.alsoAllow does not include "bundle-mcp",         │
│    "group:plugins", or a matching "<server>__*" MCP tool pattern.       │
│    Sandboxed agents will filter bundled MCP tools before provider       │
│    requests. Add "bundle-mcp" to tools.sandbox.tools.alsoAllow (or use  │
│    "group:plugins" / server globs) if those MCP tools should be         │
│    visible; use tools.sandbox.tools.allow: [] only when you             │
│    intentionally want no sandbox allow gate.                            │
│                                                                         │
├─────────────────────────────────────────────────────────────────────────╯

The command exited 0. The run also printed unrelated local temp-state doctor findings such as missing UI assets, gateway auth/connect noise, and existing build warnings from bundled zod locale .d.cts files.

  • Observed result after fix:

openclaw doctor prints the targeted sandbox/MCP warning in the Doctor warnings panel instead of silently allowing the misconfiguration to pass.

  • What was not tested:

An end-to-end sandboxed provider turn against a live MCP server was not rerun in this checkout; the reporter's real setup already confirmed "bundle-mcp" fixes the missing provider-visible MCP tools. This PR also intentionally does not make doctor enumerate MCP servers loaded from bundled plugin manifests or Claude .mcp.json; the docs call that limitation out.

  • Before evidence (optional but encouraged):

Before the first fix commit, /tmp/openclaw-80909-red-check.mjs returned [] for the target config and failed because it expected the sandbox/MCP warning.

Root Cause (if applicable)

  • Root cause: sandbox tool policy is a second allow gate for sandboxed sessions. Configured MCP servers can load under bundle-mcp, but if tools.sandbox.tools lacks bundle-mcp, group:plugins, or a matching <server>__* pattern, those MCP tools are filtered before provider requests.
  • Missing detection / guardrail: openclaw doctor did not flag the configuration shape, so users could diagnose it as a provider serialization or MCP loading bug.
  • Contributing context: per-agent sandbox tool overrides fall back field-by-field at runtime, so the diagnostic must mirror that behavior to avoid false positives.

Regression Test Plan (if applicable)

  • Coverage level that should have caught this:
    • Unit test
    • Seam / integration test
    • End-to-end test
    • Existing coverage already sufficient
  • Target test or file: src/commands/doctor/shared/plugin-tool-allowlist-warnings.test.ts
  • Scenario the test should lock in: sandboxed mcp.servers warn when the active sandbox allow gate omits MCP/plugin entries, do not warn for bundle-mcp, group:plugins, server globs, or explicit allow-all, and do not false-positive on per-agent partial override fallback.
  • Why this is the smallest reliable guardrail: the warning helper owns the exact doctor warning logic and can exercise the sandbox policy combinations without a full gateway runtime.
  • Existing test that already covers this (if any): none for the new sandbox/MCP warning path before this branch.
  • If no new test is added, why not: N/A.

User-visible / Behavior Changes

openclaw doctor can now warn when sandbox policy is likely hiding configured MCP server tools from sandboxed agents. Docs now clarify which sandbox allow entries expose MCP/plugin tools, how sanitized server globs are formed, and that bundled-plugin/Claude .mcp.json MCP sources use the same gate but are not enumerated by this diagnostic yet.

Diagram (if applicable)

Before:
mcp.servers loads -> sandboxed session tool gate omits bundle-mcp -> provider sees no MCP tools -> doctor has no targeted warning

After:
mcp.servers loads -> doctor compares active sandbox allow policy -> warning explains bundle-mcp / group:plugins / server glob fix

Security Impact (required)

  • New permissions/capabilities? No
  • Secrets/tokens handling changed? No
  • New/changed network calls? No
  • Command/tool execution surface changed? No
  • Data access scope changed? No
  • If any Yes, explain risk + mitigation: N/A.

Repro + Verification

Environment

Steps

  1. Run focused warning helper unit tests.
  2. Run the original red repro script and verify it emits the target warning.
  3. Run the fallback repro script and verify it emits [].
  4. Run TS/docs format checks and docs MDX validation.
  5. Run real openclaw doctor against the temp state dir and inspect the Doctor warnings panel.

Expected

  • Missing sandbox MCP allow entries produce the targeted warning.
  • Explicit MCP allow entries and runtime fallback-compatible configs do not warn.
  • Docs and formatting checks pass.

Actual

  • pnpm test:unit:fast -- src/commands/doctor/shared/plugin-tool-allowlist-warnings.test.ts -> 19 tests passed.
  • node --import tsx /tmp/openclaw-80909-red-check.mjs -> emitted the target warning.
  • node --import tsx /tmp/openclaw-80909-agent-fallback-red.mjs -> printed [].
  • pnpm exec oxfmt --check src/commands/doctor/shared/plugin-tool-allowlist-warnings.ts src/commands/doctor/shared/plugin-tool-allowlist-warnings.test.ts -> all matched files formatted.
  • pnpm format:docs:check -- docs/gateway/config-tools.md docs/gateway/sandbox-vs-tool-policy-vs-elevated.md -> docs formatting clean.
  • pnpm docs:check-mdx -> passed.
  • pnpm tsgo:core:test -> passed.
  • OPENCLAW_STATE_DIR=/tmp/openclaw-80909-doctor-state pnpm openclaw doctor --non-interactive --no-workspace-suggestions -> printed the target Doctor warnings panel and exited 0.

Evidence

  • Failing test/log before + passing after
  • Trace/log snippets
  • Screenshot/recording
  • Perf numbers (if relevant)

Human Verification (required)

What I personally verified (not just CI), and how:

  • Verified scenarios: missing sandbox MCP allow entry warning, bundle-mcp, group:plugins, server glob, explicit allow-all, sandbox off, per-agent fallback inheritance, intentional deny preserving global warning, sanitized server-name glob.
  • Edge cases checked: multi-source warning grammar, unset sandbox allowlist source label, sanitized mcp.servers["Outlook Graph"] prefix, docs for bundled-plugin/Claude .mcp.json diagnostic limitation.
  • What I did not verify: end-to-end sandboxed provider turn against a live MCP server after this local patch; bundled-plugin manifest or .mcp.json MCP discovery expansion, intentionally out of scope.

Review Conversations

  • I replied to or resolved every bot review conversation I addressed in this PR.
  • I left unresolved only the conversations that still need reviewer or maintainer judgment.

Compatibility / Migration

  • Backward compatible? Yes
  • Config/env changes? No
  • Migration needed? No
  • If yes, exact upgrade steps: N/A.

Risks and Mitigations

  • Risk: doctor warning could false-positive if it diverges from runtime sandbox tool policy fallback.
    • Mitigation: helper now mirrors allow, alsoAllow, and deny fallback field-by-field, with focused regression tests for partial overrides and intentional deny behavior.
  • Risk: users with server names containing spaces/non-provider-safe characters could use the raw config key in a server glob.
    • Mitigation: docs now state server globs use the sanitized provider-safe server prefix and tests cover "Outlook Graph" -> outlook-graph__*.
  • Risk: users might expect this diagnostic to cover all MCP sources.
    • Mitigation: docs explicitly state bundled-plugin manifests and Claude .mcp.json MCP servers use the same sandbox gate but are not enumerated by this diagnostic yet.

AI assistance disclosure

This patch and PR draft were prepared with AI assistance and locally verified before submission.
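
The allow-gate check described under Root Cause and Risks and Mitigations above, as an added TypeScript sketch (not code from this PR or from OpenClaw). The flattened config shape, the default allow list, the sanitizer rule, the probe tool name and the handling of deny entries are assumptions, and every scope is assumed to be sandboxed.

```typescript
// Added sketch, not OpenClaw source. Only the entry names "bundle-mcp" and
// "group:plugins" and the fields allow / alsoAllow / deny come from the page.

interface SandboxToolPolicy {
  allow?: string[];
  alsoAllow?: string[];
  deny?: string[];
}

interface EffectivePolicy {
  allowAll: boolean;
  allow: string[];
  deny: string[];
}

type McpVisibility = "visible" | "filtered" | "denied";

// Hypothetical flattened config; the real openclaw.json layout is not modelled.
interface AgentEntry {
  id: string;
  sandboxTools?: SandboxToolPolicy;
}
interface SketchConfig {
  mcpServers: string[];
  sandboxTools: SandboxToolPolicy;
  agents: AgentEntry[];
}

// Constructed stand-in for DEFAULT_TOOL_ALLOW; the page only says the real
// list excludes "bundle-mcp".
const ASSUMED_DEFAULT_ALLOW: string[] = ["read", "write", "exec"];
const MCP_WIDE_ENTRIES: string[] = ["bundle-mcp", "group:plugins"];

// Assumed sanitizer, fitted to the one pair on the page:
// "Outlook Graph" -> "outlook-graph".
function sanitizeServerName(raw: string): string {
  return raw.trim().toLowerCase().replace(/[^a-z0-9]+/g, "-").replace(/^-+|-+$/g, "");
}

// Minimal glob matcher: "*" is the only wildcard, everything else is literal.
function globMatches(pattern: string, value: string): boolean {
  const parts = pattern.split("*").map((p) => p.replace(/[.+?^${}()|[\]\\]/g, "\\$&"));
  return new RegExp("^" + parts.join(".*") + "$").test(value);
}

// Per-agent overrides fall back field by field: a field the agent leaves
// unset is inherited from the global policy instead of being reset.
function resolveEffectivePolicy(
  globalPolicy: SandboxToolPolicy,
  agentPolicy: SandboxToolPolicy = {},
): EffectivePolicy {
  const allow = agentPolicy.allow ?? globalPolicy.allow;
  const alsoAllow = agentPolicy.alsoAllow ?? globalPolicy.alsoAllow ?? [];
  const deny = agentPolicy.deny ?? globalPolicy.deny ?? [];
  return {
    allowAll: allow !== undefined && allow.length === 0, // allow: [] means no allow gate
    allow: [...(allow ?? ASSUMED_DEFAULT_ALLOW), ...alsoAllow],
    deny,
  };
}

function entryCoversServer(entry: string, serverName: string): boolean {
  if (MCP_WIDE_ENTRIES.includes(entry)) return true;
  // Probe with a representative tool name under the sanitized server prefix.
  return globMatches(entry, sanitizeServerName(serverName) + "__tool");
}

function classifyServer(serverName: string, policy: EffectivePolicy): McpVisibility {
  // Assumption: an explicit deny is intentional, so it is not a "filtered" finding.
  if (policy.deny.some((e) => entryCoversServer(e, serverName))) return "denied";
  if (policy.allowAll) return "visible";
  return policy.allow.some((e) => entryCoversServer(e, serverName)) ? "visible" : "filtered";
}

// Returns "scope:server" for every server the allow gate would silently hide.
function findFilteredServers(config: SketchConfig): string[] {
  const scopes: Array<[string, EffectivePolicy]> = [
    ["global", resolveEffectivePolicy(config.sandboxTools)],
  ];
  for (const agent of config.agents) {
    scopes.push(["agent:" + agent.id, resolveEffectivePolicy(config.sandboxTools, agent.sandboxTools)]);
  }
  const findings: string[] = [];
  for (const [scope, policy] of scopes) {
    for (const server of config.mcpServers) {
      if (classifyServer(server, policy) === "filtered") findings.push(scope + ":" + server);
    }
  }
  return findings;
}

// Constructed sample: the global glob uses the raw config key, which never
// matches the sanitized tool prefix; agent "mail" uses the sanitized form.
const SAMPLE_CONFIG: SketchConfig = {
  mcpServers: ["Outlook Graph"],
  sandboxTools: { alsoAllow: ["Outlook Graph__*"] },
  agents: [
    { id: "mail", sandboxTools: { alsoAllow: ["outlook-graph__*"] } },
    { id: "locked", sandboxTools: { deny: ["bundle-mcp"] } },
  ],
};
```
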

@nxmxbbd nxmxbbd requested a review from a team as a code owner May 20, 2026 20:51
@openclaw-barnacle openclaw-barnacle Bot added docs Improvements or additions to documentation gateway Gateway runtime commands Command implementations docker Docker and sandbox tooling size: M proof: supplied External PR includes structured after-fix real behavior proof. labels May 20, 2026
clawsweeper Bot commented May 20, 2026

Contributor

Codex review: needs maintainer review before merge.

Workflow note: Future ClawSweeper reviews update this same comment in place.

How this review workflow works
  • ClawSweeper keeps one durable marker-backed review comment per issue or PR.
  • Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
  • A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
  • PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
  • Maintainers can also comment @clawsweeper review to request a fresh review only.
  • Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
  • Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
  • Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

Summary
The PR adds openclaw doctor warnings, tests, and docs for mcp.servers configurations whose active sandbox tool allow policy hides bundle-mcp or plugin-owned tools.

Reproducibility: yes. source-reproducible rather than independently rerun: runtime code shows sandbox tool policy filters bundled MCP/plugin tools unless bundle-mcp, group:plugins, a matching tool pattern, or allow-all is present. The linked issue also has real-user confirmation that adding bundle-mcp restores provider-visible MCP tools.

PR rating
Overall: 🐚 platinum hermit
Proof: 🐚 platinum hermit
Patch quality: 🐚 platinum hermit
Summary: Focused, well-scoped diagnostic PR with source-aligned tests and sufficient real CLI proof, with no blocking findings found in read-only review.

Rank-up moves:

  • none
What the crustacean ranks mean
  • 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
  • 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
  • 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
  • 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
  • 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
  • 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
  • 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

Real behavior proof
Sufficient (live_output): The PR body includes copied live output from a real openclaw doctor run after the patch showing the new sandbox/MCP warning and exit status 0.

Next step before merge
No repair lane is needed because the PR has no blocking review findings; remaining action is normal maintainer review, CI, and merge decision.

Security
Cleared: The patch adds static doctor diagnostics, tests, and docs; it does not add dependencies, CI changes, network calls, secret handling, or new execution paths.

Review details

Best possible solution:

Review and land this PR after normal CI; the linked issue should close only after the diagnostic/docs fix merges.

Do we have a high-confidence way to reproduce the issue?

Yes, source-reproducible rather than independently rerun: runtime code shows sandbox tool policy filters bundled MCP/plugin tools unless bundle-mcp, group:plugins, a matching tool pattern, or allow-all is present. The linked issue also has real-user confirmation that adding bundle-mcp restores provider-visible MCP tools.

Is this the best way to solve the issue?

Yes, this is the best narrow fix for the confirmed root cause: it adds a targeted doctor warning and docs without changing sandbox defaults, provider serialization, or MCP runtime behavior.

Label changes:

  • add P2: This is a focused user-facing doctor/docs fix for a confusing MCP sandbox configuration failure with limited blast radius.
  • add proof: sufficient: Contributor real behavior proof is sufficient. The PR body includes copied live output from a real openclaw doctor run after the patch showing the new sandbox/MCP warning and exit status 0.
  • add rating: 🐚 platinum hermit: Current PR rating is 🐚 platinum hermit because proof is 🐚 platinum hermit, patch quality is 🐚 platinum hermit, and Focused, well-scoped diagnostic PR with source-aligned tests and sufficient real CLI proof, with no blocking findings found in read-only review.
  • add status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Sufficient (live_output): The PR body includes copied live output from a real openclaw doctor run after the patch showing the new sandbox/MCP warning and exit status 0.

Label justifications:

  • P2: This is a focused user-facing doctor/docs fix for a confusing MCP sandbox configuration failure with limited blast radius.
  • rating: 🐚 platinum hermit: Current PR rating is 🐚 platinum hermit because proof is 🐚 platinum hermit, patch quality is 🐚 platinum hermit, and Focused, well-scoped diagnostic PR with source-aligned tests and sufficient real CLI proof, with no blocking findings found in read-only review.
  • status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Sufficient (live_output): The PR body includes copied live output from a real openclaw doctor run after the patch showing the new sandbox/MCP warning and exit status 0.
  • proof: sufficient: Contributor real behavior proof is sufficient. The PR body includes copied live output from a real openclaw doctor run after the patch showing the new sandbox/MCP warning and exit status 0.

What I checked:

  • Related issue confirmation: The linked issue discussion includes a real 2026.5.18 confirmation that adding bundle-mcp to tools.sandbox.tools.alsoAllow restored MCP tools in the provider request and enabled a first successful tool round trip.
  • Current main docs gap: Current main documents core tool groups through group:openclaw but does not document group:plugins or the sandbox/MCP allow gate that the PR adds. Public docs: docs/gateway/config-tools.md. (docs/gateway/config-tools.md:45, 9e4eca00ff0f)
  • Runtime sandbox allow behavior: The sandbox resolver preserves allow: [] as allow-all, otherwise defaults to DEFAULT_TOOL_ALLOW plus alsoAllow; that default list excludes bundle-mcp, so configured MCP tools are filtered unless explicitly allowed. (src/agents/sandbox/tool-policy.ts:95, 9e4eca00ff0f)
  • Runtime policy application: The embedded Pi effective-tool pipeline applies params.sandboxToolPolicy to bundled tools after profile/global policy, matching the reported layer where MCP/plugin tools disappear. (src/agents/pi-embedded-runner/effective-tool-policy.ts:178, 9e4eca00ff0f)
  • PR implementation: The PR adds collectSandboxMcpAllowlistWarnings, checks configured mcp.servers, active sandbox modes, effective sandbox policy fields, bundle-mcp, group:plugins, and sanitized server globs, then keeps existing plugin allowlist warnings intact. (src/commands/doctor/shared/plugin-tool-allowlist-warnings.ts:329, e0290ceac5e0)
  • PR regression coverage: The PR adds focused tests for missing sandbox MCP allows, unset labels, plural grammar, bundle-mcp, group:plugins, server globs, sanitized server names, allow-all, sandbox-off, per-agent fallback, and intentional deny behavior. (src/commands/doctor/shared/plugin-tool-allowlist-warnings.test.ts:91, e0290ceac5e0)

Likely related people:

  • Ayaan Zaidi: Blame and file history show the current doctor allowlist warning helper, touched docs, and sandbox policy files in the current checkout originate from d41f595. (role: introduced current diagnostic surface; confidence: high; commits: d41f595c752d; files: src/commands/doctor/shared/plugin-tool-allowlist-warnings.ts, src/commands/doctor/shared/plugin-tool-allowlist-warnings.test.ts, docs/gateway/config-tools.md)
  • Peter Steinberger: History for resolveSandboxToolPolicyForAgent and adjacent sandbox inspector/refactor work includes multiple commits by Peter Steinberger on the sandbox policy area that this PR mirrors. (role: sandbox policy history contributor; confidence: medium; commits: a185ca283a74, bfada9e42551, bcbfb357bec7; files: src/agents/sandbox/tool-policy.ts, src/agents/sandbox/runtime-status.ts)
  • Vincent Koc: Local history shows Vincent Koc authored the embedded Pi bundle-MCP landing that made configured MCP tools part of the affected tool materialization path. (role: embedded Pi bundle-MCP feature introducer; confidence: medium; commits: 06459ca0dfba; files: src/agents/embedded-pi-mcp.ts, src/agents/pi-embedded-runner/run/attempt.ts)

Codex review notes: model gpt-5.5, reasoning high; reviewed against 9e4eca00ff0f.

@clawsweeper clawsweeper Bot added proof: sufficient ClawSweeper judged the real behavior proof convincing. rating: 🐚 platinum hermit Good normal PR readiness with ordinary maintainer review expected. status: 👀 ready for maintainer look ClawSweeper has no concrete contributor-facing blocker left for this PR. P2 Normal backlog priority with limited blast radius. labels May 20, 2026
clawsweeper Bot commented May 20, 2026

Contributor

ClawSweeper PR egg

✨ Hatched: 🥚 common Cosmic Signal Puff

Hatch command

Comment @clawsweeper hatch when this PR is hatchable.

Hatchability rules:

  • Merged PRs are hatchable.
  • Open PRs are hatchable when they are status: 👀 ready for maintainer look, status: 🚀 automerge armed, or labeled clawsweeper:automerge.
  • Closed unmerged PRs are hatchable only when one of those hatchable labels is still present in the durable record.

Rarity: 🥚 common.
Trait: guards the happy path.
Image traits: location flaky test forest; accessory commit compass; palette amber, ink, and glacier blue; mood calm; pose leaning over a miniature review desk; shell matte ceramic shell; lighting cool dashboard glow; background tiny artifact crates.
Copy: My PR egg hatched a 🥚 common Cosmic Signal Puff in ClawSweeper.

What is this egg doing here?
  • Eggs appear after the PR passes real-behavior proof. It is here for vibes, not verdicts: it does not change labels, ratings, merge decisions, or automation.
  • The shell reacts to review momentum: open follow-up work warms it up, re-review makes it wobble, and a clean final review lets it hatch.
  • Hatchability usually comes from sufficient real-behavior proof, no blocking P0/P1/P2 findings, no security attention needed, and clean correctness. A merged PR is already final, so merge makes the egg hatchable independently.
  • The hatch is seeded from this repository and PR number, so the same PR keeps the same creature; the reviewed head SHA can only change safe visual details.
  • Rarity is just collectible sparkle: 🥚 common, 🌱 uncommon, 💎 rare, ✨ glimmer, and 🌈 legendary.

@Takhoffman

Contributor

@clawsweeper automerge

@clawsweeper clawsweeper Bot added the clawsweeper:automerge Maintainer opted this PR into bounded ClawSweeper-reviewed automerge label May 21, 2026
clawsweeper Bot commented May 21, 2026

Contributor

🦞🔧
ClawSweeper automerge is enabled.

Draft PRs stay fix-only until GitHub marks them ready for review. Pause with /clawsweeper stop.

Automerge progress:

  • 2026-05-21 00:05:14 UTC review queued e0290ceac5e0 (queued)

clawsweeper Bot commented May 21, 2026

Contributor

ClawSweeper 🐠 reef update

Thanks for the work on this. ClawSweeper opened a replacement PR only because the source branch was not writable from the available bot permissions. branch tides, not contributor blame.

Why replacement: ClawSweeper could not update the source PR branch directly; GitHub did not grant sufficient push rights to the bot for that branch.
Replacement PR: #84742
Why close: this run explicitly closes the superseded source PR after the credited replacement PR is open, so review continues in one place.
Closing this one because the run was configured to close superseded source PRs after opening the replacement.
The original contribution stays credited in the replacement PR context.
Co-author credit kept:

fish notes: model gpt-5.5, reasoning high; reviewed against 21051c1.

@clawsweeper clawsweeper Bot closed this May 21, 2026
eleboucher pushed a commit to eleboucher/homelab that referenced this pull request May 21, 2026
…026.5.20) (#615)

This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [ghcr.io/openclaw/openclaw](https://openclaw.ai) ([source](https://github.com/openclaw/openclaw)) | patch | `2026.5.19` → `2026.5.20` |

---

> ⚠️ **Warning**
>
> Some dependencies could not be looked up. Check the [Dependency Dashboard](issues/567) for more information.

---

### Release Notes

<details>
<summary>openclaw/openclaw (ghcr.io/openclaw/openclaw)</summary>

### [`v2026.5.20`](https://github.com/openclaw/openclaw/blob/HEAD/CHANGELOG.md#2026520)

[Compare Source](openclaw/openclaw@v2026.5.19...v2026.5.20)

##### Changes

- Exec approvals: remove the old `cat SKILL.md && printf ... && <skill-wrapper>` allowlist compatibility path so skill files must be loaded with the read tool and only the real skill executable is auto-allowed.
- Discord: let voice sessions follow configured Discord users into voice channels, with allowed-channel checks, multi-user handoff, bounded reconciliation, and DAVE recovery preservation. ([#84264](openclaw/openclaw#84264)) Thanks [@fuller-stack-dev](https://github.com/fuller-stack-dev).
- Discord/voice: include bounded `IDENTITY.md`, `USER.md`, and `SOUL.md` profile context in realtime voice session instructions by default, with `voice.realtime.bootstrapContextFiles: []` available to disable it. ([#84499](openclaw/openclaw#84499)) Thanks [@fuller-stack-dev](https://github.com/fuller-stack-dev).
- Dependencies: bump the bundled Codex harness to `@openai/codex` `0.132.0` and refresh the app-server model-list docs for the new catalog.
- CLI/policy: add the bundled Policy plugin for policy-backed channel conformance checks, doctor lint findings, and opt-in workspace repair. ([#80407](openclaw/openclaw#80407)) Thanks [@giodl73-repo](https://github.com/giodl73-repo).
- Agents/config: allow `agents.list[].experimental.localModelLean` so lean local-model mode can be enabled for one configured agent instead of globally.
- Providers/xAI: add device-code OAuth login so remote and headless setups can authorize xAI without a localhost browser callback. ([#84005](openclaw/openclaw#84005)) Thanks [@fuller-stack-dev](https://github.com/fuller-stack-dev).
- Providers/OpenRouter: honor provider-level `params.provider` routing policy for OpenRouter requests, with model and agent params overriding the defaults. Thanks [@amknight](https://github.com/amknight).

##### Fixes

- CLI/tasks: include stale-running task maintenance decisions in `openclaw tasks maintenance --json` so retained and reconcile candidates explain backing-session, cron, CLI, and wedged-subagent state. ([#84691](openclaw/openclaw#84691)) Thanks [@efpiva](https://github.com/efpiva).
- Codex app-server: keep system-prompt reports working when bootstrap hooks provide workspace files with only a path and content, so hook-supplied SOUL/IDENTITY/TOOLS/USER context still reports injected characters correctly. ([#84736](openclaw/openclaw#84736)) Thanks [@JARVIS-Glasses](https://github.com/JARVIS-Glasses).
- Providers/MiniMax music: stop advertising `durationSeconds` control and remove prompt-injected duration hints, so `music_generate` reports MiniMax duration as an unsupported override instead of suggesting MiniMax can enforce track length. Fixes [#84508](openclaw/openclaw#84508). Thanks [@neeravmakwana](https://github.com/neeravmakwana).
- Doctor: warn when sandbox tool policy hides configured MCP server tools before provider requests. ([#84699](openclaw/openclaw#84699)) Thanks [@nxmxbbd](https://github.com/nxmxbbd).
- WhatsApp: update Baileys to `7.0.0-rc12`.
- Build: suppress per-locale `rolldown-plugin-dts:fake-js` CommonJS dts warnings emitted while bundling the intentionally-inlined `zod/v4/locales/*.d.cts` files, so `pnpm build` output stays readable after the 0.25.1 plugin bump. Thanks [@romneyda](https://github.com/romneyda).
- CLI/nodes: route lazy plugin-registration logs to stderr for JSON-mode `openclaw nodes` commands so stdout stays parseable. ([#84684](openclaw/openclaw#84684)) Thanks [@TurboTheTurtle](https://github.com/TurboTheTurtle).
- Approvals: route manual `/approve` decisions through the trusted approval runtime so active exec and plugin approvals no longer look unknown or expired.
- Mac app: update the About settings copyright year to 2026. ([#84385](openclaw/openclaw#84385)) Thanks [@pejmanjohn](https://github.com/pejmanjohn).
- Dependencies: update `@openclaw/fs-safe` to `0.2.7` so OpenClaw's default Python-helper-off policy keeps best-effort Node write fallbacks for private stores, secret writes, run logs, and media attachments on Linux/macOS.
- Infra/secrets: restore the fail-closed contract for `tryReadSecretFileSync` so credential loaders that pass `rejectSymlink: true` (Telegram, LINE, Zalo, IRC, Nextcloud Talk tokens) refuse symlinked credential files instead of silently accepting them, and the infra-state CI shard's secret-file symlink test passes again. Thanks [@romneyda](https://github.com/romneyda).
- Browser: honor the configured image sanitization limit for screenshots and labeled snapshots so browser-captured images follow the same resize policy as other image results. ([#84595](openclaw/openclaw#84595))
- Doctor: remove unrecognized `models.providers.*.models[*].compat.thinkingFormat` values during `doctor --fix` so stale provider model config can validate after upgrade. Fixes [#77803](openclaw/openclaw#77803).
- Doctor: warn when `openclaw.json` stores plaintext secret-bearing config fields, including model provider API keys and sensitive provider headers. ([#84718](openclaw/openclaw#84718)) Thanks [@lukaIvanic](https://github.com/lukaIvanic).
- Status: show the configured default, session-selected model, reason, clear hint, and docs link when a session remains pinned to a model that differs from `agents.defaults.model.primary`.
- WebChat: clear stale typing indicators when session change events mark the active chat run complete.
- Mac app: keep local packaging signed with a stable app identity for permission testing and fix Control UI production builds under current Vite/Highlight.js exports.
- macOS app: update the embedded Peekaboo bridge to 3.2.1 so OpenClaw-hosted UI automation works with current Peekaboo CLI capture flows.
- Cron: deliver preferred final assistant output for successful scheduled runs when trailing plain tool warnings remain in diagnostics instead of marking the run failed.
- fix(mattermost): fail closed on missing channel type \[AI]. ([#84091](openclaw/openclaw#84091)) Thanks [@pgondhi987](https://github.com/pgondhi987).
- Recheck rebuilt system.run argv \[AI]. ([#84090](openclaw/openclaw#84090)) Thanks [@pgondhi987](https://github.com/pgondhi987).
- CLI: keep the private QA subcommand out of exported command descriptors unless `OPENCLAW_ENABLE_PRIVATE_QA_CLI=1`, so root help and subcommand markers match runtime registration. ([#84519](openclaw/openclaw#84519))
- CLI/cron: bound `openclaw cron show` job lookup pagination so non-advancing or unbounded `cron.list` responses fail instead of hanging the command. Fixes [#83856](openclaw/openclaw#83856). ([#83989](openclaw/openclaw#83989))
- Agents/messages: stop message-tool-only turns after a successful source-channel `message` send while keeping transcript mirrors under the session write lock. ([#84289](openclaw/openclaw#84289))
- Agents: filter silent heartbeat response-tool transcript artifacts out of embedded context snapshots so later user turns are not polluted by heartbeat no-op messages. ([#83477](openclaw/openclaw#83477)) Thanks [@fuller-stack-dev](https://github.com/fuller-stack-dev).
- Agents/OpenAI: log repeated strict tool-schema downgrade diagnostics once per provider/model/tool signature, reducing duplicate debug noise while preserving `strict=false` fallback behavior. Fixes [#82930](openclaw/openclaw#82930). ([#82933](openclaw/openclaw#82933)) Thanks [@galiniliev](https://github.com/galiniliev).
- Agents/code mode: spell out the `exec` tool's JavaScript/TypeScript, no Node module, and catalog-bridge constraints in model-visible schema text so agents can use enabled tools without trial-and-error. ([#84269](openclaw/openclaw#84269)) Thanks [@Kaspre](https://github.com/Kaspre).
- Codex: give `image_generate` dynamic-tool calls a 120s default watchdog when no per-call or configured image timeout is set, so image generation no longer falls back to the generic 30s bridge timeout. ([#84254](openclaw/openclaw#84254)) Thanks [@moritzmmayerhofer](https://github.com/moritzmmayerhofer).
- Codex: avoid duplicate dynamic tool terminal diagnostics while large diagnostic backlogs drain without blocking tool responses. ([#82937](openclaw/openclaw#82937)) Thanks [@galiniliev](https://github.com/galiniliev).
- CLI/message: include a stable top-level `messageId` in `openclaw message --json` output when channel sends return one. ([#84191](openclaw/openclaw#84191)) Thanks [@100menotu001](https://github.com/100menotu001).
- Cron: preserve legacy top-level array `jobs.json` stores when loading or adding scheduled jobs so old cron jobs are no longer treated as an empty store during upgrade. Fixes [#60799](openclaw/openclaw#60799). ([#84433](openclaw/openclaw#84433)) Thanks [@IWhatsskill](https://github.com/IWhatsskill).
- Gateway/agents: use an agent's `identity.name` in Gateway agent summaries when `agents.list[].name` is unset, so configured agent labels remain visible in clients. ([#84355](openclaw/openclaw#84355); refs [#57835](openclaw/openclaw#57835)) Thanks [@luoyanglang](https://github.com/luoyanglang).
- Channels/replies: keep normal `/verbose` failed-tool progress compact in message-tool replies and prevent late text-only tool output from appearing after the final answer. ([#84303](openclaw/openclaw#84303)) Thanks [@VACInc](https://github.com/VACInc).
- Plugins/hooks: apply a default 30-second timeout to `before_compaction` and `after_compaction` hooks so a hung plugin handler no longer blocks compaction completion. ([#84153](openclaw/openclaw#84153))
- Discord: preserve disabled presentation buttons when adapting and rendering Discord message controls. ([#84188](openclaw/openclaw#84188)) Thanks [@100menotu001](https://github.com/100menotu001).
- Twitch: add a test-only client-manager registry reset helper so non-isolated Twitch tests can clear cached managers between cases. Fixes [#83887](openclaw/openclaw#83887). ([#84244](openclaw/openclaw#84244)) Thanks [@hclsys](https://github.com/hclsys).
- Cron: run main-session scheduled work on a cron-owned wake lane while preserving reply delivery context, so background cron turns no longer block human main-session chat. Fixes [#82766](openclaw/openclaw#82766). ([#82767](openclaw/openclaw#82767)) Thanks [@galiniliev](https://github.com/galiniliev).
- Cron: use structured embedded-run denial metadata for isolated scheduled tasks so blocked exec requests fail the job without treating ordinary assistant prose as a denial. ([#84067](openclaw/openclaw#84067)) Thanks [@abnershang](https://github.com/abnershang).
- Cron: keep recovered tool warnings diagnostic for successful scheduled runs so final cron output is delivered instead of being replaced by a post-processing warning. ([#84045](openclaw/openclaw#84045)) Thanks [@abnershang](https://github.com/abnershang).
- Plugins/perf: thread explicit plugin discovery results through `loadBundledCapabilityRuntimeRegistry`, `resolveBundledPluginSources`, and `listChannelCatalogEntries` so callers that already hold a discovery result skip redundant filesystem walks. Thanks [@SebTardif](https://github.com/SebTardif).
- harden update restart script creation \[AI]. ([#84088](openclaw/openclaw#84088)) Thanks [@pgondhi987](https://github.com/pgondhi987).
- Docker: keep the bundled Codex plugin in official release image keep lists so the default OpenAI agent harness remains available after Docker pruning. Fixes [#83613](openclaw/openclaw#83613). ([#83626](openclaw/openclaw#83626)) Thanks [@YuanHanzhong](https://github.com/YuanHanzhong).
- CLI/channels: preserve the first line of `openclaw channels logs` output when the rolling tail window starts exactly on a line boundary, mirroring the already-fixed `readLogSlice` behavior in `src/logging/log-tail.ts`.
- Control UI: treat terminal session status as authoritative over stale active-run flags so completed terminal runs stop showing abort/live UI. ([#84057](openclaw/openclaw#84057))
- CLI: preserve embedded equals signs in inline root option values instead of truncating after the second separator. ([#83995](openclaw/openclaw#83995)) Thanks [@ThiagoCAltoe](https://github.com/ThiagoCAltoe).
- Matrix/config: accept `messages.queue.byChannel.matrix` queue overrides and keep queue provider schema/type keys aligned for Matrix, Google Chat, and Mattermost. Thanks [@bdjben](https://github.com/bdjben).
- CLI: format `openclaw acp client` failures through the shared error formatter so object-shaped errors stay readable instead of printing `[object Object]`. Fixes [#83904](openclaw/openclaw#83904). ([#84080](openclaw/openclaw#84080))
- Providers/Ollama: default unknown-capabilities models to tool-capable so discovered native Ollama models can use tools when `/api/show` omits capabilities. ([#84055](openclaw/openclaw#84055)) Thanks [@dutifulbob](https://github.com/dutifulbob).
- Installer/Windows: launch `install.ps1` onboarding as an attached child process so fresh native Windows installs do not freeze visibly at `Starting setup...` or corrupt the wizard's terminal rendering.
- CLI/update: keep restart health checks working across one-version CLI/Gateway protocol skew and use the managed Gateway service Node for all follow-up commands even when the package root is unchanged, so `openclaw update` no longer silently switches the gateway to a different Node binary when multiple Node installations are present. Thanks [@amknight](https://github.com/amknight).
- CLI/gateway: include the running Gateway version in `gateway status` JSON output, preserving existing server metadata while falling back to status RPC data for read probes. Fixes [#56222](openclaw/openclaw#56222). Thanks [@galiniliev](https://github.com/galiniliev).
- Memory/search: close local embedding providers when active-memory searches time out so pending local model loads and embedding contexts are aborted and released. ([#83858](openclaw/openclaw#83858)) Thanks [@brokemac79](https://github.com/brokemac79).
- CLI/nodes: request pending node surface approval scopes before `openclaw nodes approve` so exec-capable node approval can use admin-scoped Gateway credentials instead of failing with `missing scope: operator.admin`. ([#84392](openclaw/openclaw#84392)) Thanks [@joshavant](https://github.com/joshavant).
- Gateway: reject slow node event sends before outbound buffers grow unbounded and log the rejected payload diagnostic. ([#84387](openclaw/openclaw#84387)) Thanks [@samzong](https://github.com/samzong).
- Agents: include bounded trajectory queued-writer diagnostics in `pi-trajectory-flush` timeout warnings so flush stalls show pending writes, queued bytes, and append state. Fixes [#82961](openclaw/openclaw#82961). ([#82962](openclaw/openclaw#82962)) Thanks [@galiniliev](https://github.com/galiniliev).
- Agents/subagents: recover stale completion announces by retrying unsupported transcript-wait wakes without transcript waiting and forcing a message-tool handoff when the requester run is already stale. Fixes [#83699](openclaw/openclaw#83699). ([#83700](openclaw/openclaw#83700)) Thanks [@galiniliev](https://github.com/galiniliev).
- Agents/subagents: constrain wildcard subagent target allowlists to configured agents while preserving explicitly listed compatibility targets. Fixes [#84040](openclaw/openclaw#84040). ([#84357](openclaw/openclaw#84357)) Thanks [@joshavant](https://github.com/joshavant).
- Providers/Anthropic: route Anthropic model refs selected with Claude CLI auth through the Claude CLI runtime so shorthand refs such as `anthropic/opus-4.7` no longer fall back to embedded Anthropic billing. Fixes [#84222](openclaw/openclaw#84222). ([#84374](openclaw/openclaw#84374)) Thanks [@joshavant](https://github.com/joshavant).
- Agents: honor explicit `models.providers.<id>.timeoutSeconds` values above the default idle watchdog for cloud and self-hosted providers, so long first-token waits no longer fall back at \~120s when the provider timeout is higher. ([#83979](openclaw/openclaw#83979)) Thanks [@yujiawei](https://github.com/yujiawei).
- Agents/Codex: keep encrypted Responses reasoning replay provenance-bound so stale mirrored Codex transcripts drop invalid encrypted content before request assembly while preserving matching same-session replay. Fixes [#83836](openclaw/openclaw#83836). ([#84367](openclaw/openclaw#84367)) Thanks [@joshavant](https://github.com/joshavant).
- Agents/subagents: skip stale embedded-run wake probes for dormant completion requesters, so late subagent completions go straight to requester-agent/direct handoff instead of producing `reason=no_active_run` queue noise. ([#82964](openclaw/openclaw#82964)) Thanks [@galiniliev](https://github.com/galiniliev).
- CLI: retry config snapshot reads after a transient failure so one rejected read no longer poisons later commands in the same process. ([#83931](openclaw/openclaw#83931)) Thanks [@honor2030](https://github.com/honor2030).
- Media: decode URL path basenames before using them as remote media fallback filenames, so files like `My%20Report.pdf` are surfaced as `My Report.pdf`. Fixes [#84050](openclaw/openclaw#84050). ([#84052](openclaw/openclaw#84052)) Thanks [@jbetala7](https://github.com/jbetala7).
- WhatsApp: clarify inbound group diagnostics so observed but unregistered groups point to `channels.whatsapp.groups` without changing routing or sender authorization. ([#83846](openclaw/openclaw#83846)) Thanks [@neeravmakwana](https://github.com/neeravmakwana).
- WhatsApp: drain pending outbound deliveries on a 30s periodic timer in addition to the reconnect handler, so messages enqueued while the provider is already connected no longer wait for the next reconnect to send. ([#79083](openclaw/openclaw#79083)) Thanks [@Oviemudiaga](https://github.com/Oviemudiaga).
- CLI/TUI: include gateway plugin slash commands in TUI autocomplete, so connected sessions can suggest plugin-owned commands exposed by the running Gateway. ([#83640](openclaw/openclaw#83640)) Thanks [@se7en-agent](https://github.com/se7en-agent).
- Gateway/mobile: restore QR setup-code handoff of bounded operator tokens for iOS and Android onboarding while keeping admin and pairing scopes out of bootstrap. ([#83684](openclaw/openclaw#83684)) Thanks [@ngutman](https://github.com/ngutman).
- iOS: repair Release archive compilation for the TestFlight build. ([#84255](openclaw/openclaw#84255)) Thanks [@ngutman](https://github.com/ngutman).
- Agents/compaction: bound plugin-owned CLI transcript compaction with the host safety timeout so a hung context engine can no longer stall post-turn cleanup. ([#84083](openclaw/openclaw#84083)) Thanks [@100yenadmin](https://github.com/100yenadmin).
- Control UI/usage: truncate long context skill, tool, and file names in the usage panel while keeping the full name available on hover. ([#42197](openclaw/openclaw#42197)) Thanks [@Rain120](https://github.com/Rain120).
- Codex: respect explicit `models auth order set` and `config.auth.order` precedence over stale `lastGood` in `/codex account`, and show `no working credential` when every explicit-order profile is ineligible instead of marking a lower-ranked profile as active. Fixes [#84386](openclaw/openclaw#84386). ([#84412](openclaw/openclaw#84412)) Thanks [@openperf](https://github.com/openperf).
- Agents: honor `messages.suppressToolErrors` for mutating tool failures so configured chat surfaces do not receive separate warning payloads. ([#81561](openclaw/openclaw#81561)) Thanks [@moeedahmed](https://github.com/moeedahmed).
- Agents/fallback: surface billing guidance for mixed rate-limit plus billing fallback exhaustion instead of generic failure copy. Fixes [#79396](openclaw/openclaw#79396). ([#79489](openclaw/openclaw#79489)) Thanks [@aayushprsingh](https://github.com/aayushprsingh).

</details>

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).

Reviewed-on: https://git.erwanleboucher.dev/eleboucher/homelab/pulls/615

Labels

- `clawsweeper:automerge`: Maintainer opted this PR into bounded ClawSweeper-reviewed automerge
- `commands`: Command implementations
- `docker`: Docker and sandbox tooling
- `docs`: Improvements or additions to documentation
- `gateway`: Gateway runtime
- `P2`: Normal backlog priority with limited blast radius.
- `proof: sufficient`: ClawSweeper judged the real behavior proof convincing.
- `proof: supplied`: External PR includes structured after-fix real behavior proof.
- `rating: 🐚 platinum hermit`: Good normal PR readiness with ordinary maintainer review expected.
- `size: M`
- `status: 👀 ready for maintainer look`: ClawSweeper has no concrete contributor-facing blocker left for this PR.

Development

Successfully merging this pull request may close these issues.

MCP server tools never reach outbound tools[] across 4.26 → 5.7 (cluster previously closed + locked as 'resolved')

2 participants