fix(doctor): warn when sandbox hides MCP tools

[clawsweeper]

Makes #84699 merge-ready for the ClawSweeper automerge loop.
The edit pass should inspect the live PR diff, review comments, and failing checks; rebase if needed; keep the contributor branch credited; and stop only when validation is green or an external blocker is proven.
Known failing checks:

• Failing check: checks-node-core-runtime-infra-state:FAILURE (https://github.com/openclaw/openclaw/actions/runs/26189254524/job/77053059689)

ClawSweeper 🐠 replacement reef notes:

• Cluster: automerge-openclaw-openclaw-84699
• Source PRs: fix(doctor): warn when sandbox hides MCP tools #84699
• Credit: Source PR: fix(doctor): warn when sandbox hides MCP tools #84699
• Validation: pnpm check:changed
• Replacement reason: ClawSweeper could not update the source PR branch directly, so it opened a writable replacement PR instead.
• Automerge requested by: @Takhoffman

• Repair fallback: GitHub rejected the repair branch push because it updates workflow files and the ClawSweeper app token does not have workflows permission

Inherited issue-closing references from the source PR:
Closes #80909

Co-author credit kept:

• @nxmxbbd: Co-authored-by: David 32288+nxmxbbd@users.noreply.github.com

fish notes: model gpt-5.5, reasoning high; reviewed against 21051c1.

[clawsweeper]

Codex review: passed.

Workflow note: Future ClawSweeper reviews update this same comment in place.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

Summary
This bot replacement PR adds an openclaw doctor warning, regression coverage, gateway docs, and a changelog entry for sandbox tool policies that hide configured MCP server tools.

Reproducibility: yes. source-reproducible. Runtime policy inspection shows sandbox tool policy is a second gate for plugin-owned bundled MCP tools, and the source PR supplies after-patch live openclaw doctor output showing the new warning.

PR rating
Overall: 🐚 platinum hermit
Proof: 🦞 diamond lobster
Patch quality: 🐚 platinum hermit
Summary: Strong CLI proof and focused coverage make this a normal mergeable PR with no remaining blocking findings.

Rank-up moves:

• none

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

Real behavior proof
Sufficient (live_output): The source PR includes copied live CLI output from a real openclaw doctor run after the patch showing the targeted sandbox/MCP warning and observed zero exit.

Risk before merge

• Read-only review did not rerun the reported validation commands, so exact-head checks should remain the merge gate.

Maintainer options:

1. Decide the mitigation before merge
   Merge through the armed automerge lane once exact-head checks remain green, keeping runtime behavior unchanged and documenting the MCP sources this diagnostic does not enumerate yet.
2. Pause or close
   Do not merge this PR until maintainers decide whether the risk is worth taking.

Next step before merge
No repair lane is needed; this PR already has sufficient proof, no review findings, and an active automerge path gated by exact-head checks.

Security
Cleared: The diff adds diagnostics, docs, tests, and changelog text without changing dependency sources, workflows, secrets handling, permissions, network calls, or command execution behavior.

Review details

Best possible solution:

Merge through the armed automerge lane once exact-head checks remain green, keeping runtime behavior unchanged and documenting the MCP sources this diagnostic does not enumerate yet.

Do we have a high-confidence way to reproduce the issue?

Yes, source-reproducible. Runtime policy inspection shows sandbox tool policy is a second gate for plugin-owned bundled MCP tools, and the source PR supplies after-patch live openclaw doctor output showing the new warning.

Is this the best way to solve the issue?

Yes. The patch keeps the fix in doctor diagnostics, mirrors the relevant sandbox policy fallback path, adds focused coverage, and avoids changing runtime tool filtering or provider serialization.

Label justifications:

• P2: This is a normal-priority doctor/config diagnostic fix for a real MCP tool visibility failure mode with limited runtime blast radius.
• rating: 🐚 platinum hermit: Current PR rating is 🐚 platinum hermit because proof is 🦞 diamond lobster, patch quality is 🐚 platinum hermit, and Strong CLI proof and focused coverage make this a normal mergeable PR with no remaining blocking findings.
• status: 🚀 automerge armed: This PR is in ClawSweeper's automerge lane. Sufficient (live_output): The source PR includes copied live CLI output from a real openclaw doctor run after the patch showing the targeted sandbox/MCP warning and observed zero exit.
• proof: sufficient: Contributor real behavior proof is sufficient. The source PR includes copied live CLI output from a real openclaw doctor run after the patch showing the targeted sandbox/MCP warning and observed zero exit.

What I checked:

• Clean checkout: The target checkout was clean on main before read-only review. (2c0c9c92f485)
• PR surface: The exact PR head changes five files: changelog, two gateway docs pages, the doctor allowlist helper, and its tests. (79dfc3ebc8bd)
• Doctor implementation: The PR adds collectSandboxMcpAllowlistWarnings, which warns when active sandbox tool policy lacks bundle-mcp, group:plugins, or matching server-prefixed MCP tool names/globs. (src/commands/doctor/shared/plugin-tool-allowlist-warnings.ts:531, 79dfc3ebc8bd)
• Runtime contract mirrored: Runtime sandbox policy resolves global/agent allow, alsoAllow, deny, default allow, and deny precedence before exposing sandboxed tools, which is the contract the diagnostic is trying to mirror. (src/agents/sandbox/tool-policy.ts:211, 79dfc3ebc8bd)
• Final runtime filter: Bundled MCP/LSP tools are filtered through the effective policy pipeline, including profile, provider, global, agent, group, sender, sandbox, subagent, and inherited tool policies. (src/agents/pi-embedded-runner/effective-tool-policy.ts:162, 79dfc3ebc8bd)
• Regression coverage: The tests cover missing sandbox MCP allow entries, partial per-agent fallback, explicit bundle-mcp/group/plugin/server-glob allowances, deny cases, sandbox-off cases, and provider/profile blockers. (src/commands/doctor/shared/plugin-tool-allowlist-warnings.test.ts:92, 79dfc3ebc8bd)

Likely related people:

• giodl73-repo: The central doctor allowlist warning helper, sandbox tool policy resolver, and related bundle-MCP policy paths in current main trace to feat(policy): add channel conformance checks (#80407). (role: recent area contributor; confidence: high; commits: cbf72e5e26ee; files: src/commands/doctor/shared/plugin-tool-allowlist-warnings.ts, src/agents/sandbox/tool-policy.ts, src/agents/pi-tools.policy.ts)

Codex review notes: model gpt-5.5, reasoning high; reviewed against 2c0c9c92f485.

[clawsweeper]

ClawSweeper PR egg

✨ Hatched: 🥚 common Tiny Branchling

Hatch command

Comment @clawsweeper hatch when this PR is hatchable.

Hatchability rules:

• Merged PRs are hatchable.
• Open PRs are hatchable when they are status: 👀 ready for maintainer look, status: 🚀 automerge armed, or labeled clawsweeper:automerge.
• Closed unmerged PRs are hatchable only when one of those hatchable labels is still present in the durable record.

Rarity: 🥚 common.
Trait: keeps receipts.
Image traits: location diff observatory; accessory review stamp; palette moss green and polished brass; mood patient; pose standing beside its cracked shell; shell paper lantern shell; lighting moonlit rim light; background small green status lights.
Share on X: post this hatch
Copy: My PR egg hatched a 🥚 common Tiny Branchling in ClawSweeper.

What is this egg doing here?

• Eggs appear after the PR passes real-behavior proof. It is here for vibes, not verdicts: it does not change labels, ratings, merge decisions, or automation.
• The shell reacts to review momentum: open follow-up work warms it up, re-review makes it wobble, and a clean final review lets it hatch.
• Hatchability usually comes from sufficient real-behavior proof, no blocking P0/P1/P2 findings, no security attention needed, and clean correctness. A merged PR is already final, so merge makes the egg hatchable independently.
• The hatch is seeded from this repository and PR number, so the same PR keeps the same creature; the reviewed head SHA can only change safe visual details.
• Rarity is just collectible sparkle: 🥚 common, 🌱 uncommon, 💎 rare, ✨ glimmer, and 🌈 legendary.

[clawsweeper]

🦞✅
ClawSweeper merged this PR after the passing review.

Source: clawsweeper[bot]
Feedback: structured ClawSweeper verdict: pass (sha=79dfc3ebc8bd554848116e345c7997afb29cec29)
Merge status: merged by ClawSweeper automerge
Merged at: 2026-05-21T03:28:28Z
Merge commit: 6745fe8e7046

What merged:

• This bot replacement PR adds an openclaw doctor warning, regression coverage, gateway docs, and a changelog entry for sandbox tool policies that hide configured MCP server tools.
• Reproducibility: yes. source-reproducible. Runtime policy inspection shows sandbox tool policy is a second g ... ed MCP tools, and the source PR supplies after-patch live openclaw doctor output showing the new warning.

Automerge notes:

• PR branch already contained follow-up commit before automerge: fix(doctor): mirror sandbox policy fallback
• PR branch already contained follow-up commit before automerge: fix(doctor): preserve sandbox deny diagnostics
• PR branch already contained follow-up commit before automerge: fix(doctor): polish sandbox MCP warnings
• PR branch already contained follow-up commit before automerge: fix(doctor): warn when sandbox hides MCP tools
• PR branch already contained follow-up commit before automerge: fix(clawsweeper): address review for automerge-openclaw-openclaw-8469…

The automerge loop is complete.

Automerge progress:

• 2026-05-21 02:39:38 UTC validation and review 1 55c71de5430e (complete) in 11m 26s Run: https://github.com/openclaw/clawsweeper/actions/runs/26201705595 already-current

• 2026-05-21 02:40:11 UTC repair finished 55c71de5430e (opened) in 11m 59s Run: https://github.com/openclaw/clawsweeper/actions/runs/26201705595 open_fix_pr

• 2026-05-21 02:41:37 UTC review requested repair 55c71de5430e (structured ClawSweeper marker: fix-required (finding=review-feedback sha=55c71d...)

• 2026-05-21 02:41:56 UTC repair queued 55c71de5430e (autonomous) Run: https://github.com/openclaw/clawsweeper/actions/runs/26202263222

• 2026-05-21 02:46:07 UTC repair started (running) in 1s Run: https://github.com/openclaw/clawsweeper/actions/runs/26202263222 automerge-openclaw-openclaw-84699

• 2026-05-21 02:46:21 UTC validation plan (passed) in 14s Run: https://github.com/openclaw/clawsweeper/actions/runs/26202263222 pnpm check:changed; pnpm lint; pnpm check:test-types

• 2026-05-21 02:46:27 UTC Codex write preflight (passed) in 20s Run: https://github.com/openclaw/clawsweeper/actions/runs/26202263222 danger-full-access

• 2026-05-21 02:52:26 UTC Codex edit 1 149fbc7f5bb6 (complete) in 6m 20s Run: https://github.com/openclaw/clawsweeper/actions/runs/26202263222 exit 0

• 2026-05-21 03:03:30 UTC validation and review 1 79dfc3ebc8bd (base moved) in 17m 23s Run: https://github.com/openclaw/clawsweeper/actions/runs/26202263222 rebased

• 2026-05-21 03:03:35 UTC repair completed 79dfc3ebc8bd (branch updated) in 17m 29s Run: https://github.com/openclaw/clawsweeper/actions/runs/26202263222 initial automerge rebase is delegated to Codex repair

• 2026-05-21 03:03:35 UTC review queued 79dfc3ebc8bd (after repair)

• 2026-05-21 03:10:30 UTC automerge wait 79dfc3ebc8bd (ready) in 24m 24s Run: https://github.com/openclaw/clawsweeper/actions/runs/26202263222 checks and exact-head review are ready

• 2026-05-21 03:28:14 UTC review passed 79dfc3ebc8bd (structured ClawSweeper verdict: pass (sha=79dfc3ebc8bd554848116e345c7997afb29ce...)

• 2026-05-21 03:10:32 UTC repair finished 79dfc3ebc8bd (pushed) in 24m 26s Run: https://github.com/openclaw/clawsweeper/actions/runs/26202263222 repair_contributor_branch

• 2026-05-21 03:20:59 UTC review queued 79dfc3ebc8bd (queued)

• 2026-05-21 03:28:31 UTC merged 79dfc3ebc8bd (merged by ClawSweeper automerge)

[Takhoffman]

@clawsweeper automerge