Propagate ClickClack tool policy through reply dispatch

[mmaps]

Summary

• Propagates ClickClack account tool policy through inbound agent reply dispatch
• Threads runtime tool restrictions through provider dispatchers, shared reply dispatch, and agent execution

Changes

• Adds a runtime toolsAllow handoff on shared inbound dispatch params and exported provider-dispatcher wrappers
• Carries the policy through reply options into embedded and CLI agent execution
• Adds regression coverage for ClickClack dispatch, provider wrappers, shared dispatch, and embedded agent execution

Real behavior proof

• Behavior or issue addressed: ClickClack account-level tool allowlists are carried through the exported provider dispatcher, shared reply dispatch, and agent reply runtime so the account policy remains the effective runtime tool set.
• Real environment tested: Local OpenClaw worktree ~/Worktrees/openclaw/openclaw/fix/fix-708 at commit 46a21f0323, Node v22.22.2.
• Exact steps or command run after this patch: Ran targeted terminal probes from the PR worktree after the patch: provider wrapper dispatch coverage, shared dispatch to agent execution coverage, and the production embedded-agent tool-policy boundary probe.
• Evidence after fix (screenshot, recording, terminal capture, console output, redacted runtime log, linked artifact, or copied live output): Copied console output from the local OpenClaw run:

$ node scripts/run-vitest.mjs run src/auto-reply/reply/provider-dispatcher.test.ts --reporter=verbose
✓ provider dispatcher wrappers > forwards runtime toolsAllow through the buffered wrapper
✓ provider dispatcher wrappers > forwards runtime toolsAllow through the plain wrapper
Test Files  1 passed (1)
Tests  2 passed (2)

$ node scripts/run-vitest.mjs run src/auto-reply/dispatch.test.ts src/auto-reply/reply/agent-runner-execution.test.ts src/auto-reply/reply/provider-dispatcher.test.ts --reporter=verbose
✓ withReplyDispatcher > passes runtime toolsAllow from buffered dispatch into reply resolution
✓ runAgentTurnWithFallback > passes runtime toolsAllow to embedded agent runs
✓ provider dispatcher wrappers > forwards runtime toolsAllow through the buffered wrapper
✓ provider dispatcher wrappers > forwards runtime toolsAllow through the plain wrapper
Test Files  3 passed (3)
Tests  176 passed (176)

$ node --import tsx <production embedded-agent tool-policy boundary>
[proof-708] runtimeToolsAllow=["message"]
[proof-708] availableTools=["message","exec","read","web_search"]
[proof-708] allowedToolsAfterRuntimePolicy=["message"]
[proof-708] bundleMcpRuntimeCreated=false
[proof-708] result=pass

• Observed result after fix: The exported provider wrappers preserve ["message"]; shared reply dispatch resolves that value into reply options; embedded agent execution receives it; and the production tool-policy boundary excludes exec, read, and web_search while leaving only message available.
• What was not tested: Live ClickClack service delivery and a real model-provider turn were not run locally; those require external service credentials.
• Proof limitations or environment constraints: The terminal proof uses focused local dispatch probes plus the production embedded-agent policy boundary rather than an external service account.

Validation

• node scripts/run-vitest.mjs run --config test/vitest/vitest.extension-clickclack.config.ts extensions/clickclack/src/inbound.test.ts --reporter=verbose
• node scripts/run-vitest.mjs run src/auto-reply/dispatch.test.ts src/auto-reply/reply/agent-runner-execution.test.ts src/auto-reply/reply/provider-dispatcher.test.ts --reporter=verbose
• pnpm tsgo:core
• pnpm tsgo:test:src
• pnpm tsgo:extensions
• pnpm tsgo:test:extensions
• git diff --check
• claude -p "/review 89500" returned approve

Notes

• CLI-backed agent runs fail closed when a runtime tool allowlist is requested, because that backend cannot enforce the runtime policy.

[clawsweeper]

Codex review: needs maintainer review before merge. Reviewed June 2, 2026, 11:20 AM ET / 15:20 UTC.

Summary
The PR propagates ClickClack account toolsAllow through inbound reply dispatch, provider dispatcher wrappers, shared dispatch options, and agent execution, with focused regression coverage.

PR surface: Source +30, Tests +157. Total +187 across 12 files.

Reproducibility: yes. Current main has ClickClack account toolsAllow config, but the ClickClack inbound call and exported provider wrappers do not forward it into reply dispatch.

Review metrics: 1 noteworthy metric.

• Runtime policy handoff: 1 optional toolsAllow handoff added across shared reply dispatch contracts. This field carries account-level security policy through generic dispatch, so dropped callers are security-relevant.

Merge readiness
Overall: 🐚 platinum hermit
Proof: 🐚 platinum hermit
Patch quality: 🐚 platinum hermit
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

• none.

Risk before merge

• [P1] Existing ClickClack accounts that set toolsAllow and route to a CLI backend will now fail closed instead of running without enforceable runtime policy.
• [P1] No live ClickClack service delivery or real provider turn was supplied; the proof is local terminal dispatch coverage plus an embedded-agent policy-boundary probe.

Maintainer options:

1. Accept stricter fail-closed behavior (recommended)
   Merge after maintainers confirm that CLI-backed runs with account toolsAllow should stop rather than run with an unenforced policy.
2. Require live service proof
   Ask for a live ClickClack/provider run only if maintainers want external-service proof beyond the local dispatch and embedded policy-boundary probes.

Next step before merge

• No automated repair is needed; maintainers should make the merge call on the security-boundary and fail-closed compatibility impact.

Security
Cleared: No supply-chain or secret-handling concern was found; the diff tightens the intended runtime tool-policy propagation boundary.

Review details

Best possible solution:

Keep the narrow dispatch-layer fix, preserve the fail-closed CLI behavior for unenforceable runtime policy, and merge after maintainers accept the compatibility impact and checks are green.

Do we have a high-confidence way to reproduce the issue?

Yes. Current main has ClickClack account toolsAllow config, but the ClickClack inbound call and exported provider wrappers do not forward it into reply dispatch.

Is this the best way to solve the issue?

Yes. The PR repairs the missing handoff at the owning channel, wrapper, shared dispatch, and agent-runner boundaries rather than adding a duplicate policy source.

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 6c7644268f59.

Label changes

Label changes:

• add merge-risk: 🚨 compatibility: Existing CLI-backed ClickClack accounts with toolsAllow can now fail closed because CLI backends cannot enforce the runtime policy.
• add proof: sufficient: Contributor real behavior proof is sufficient. The PR body includes copied terminal output from the final head covering provider wrappers, shared dispatch, embedded execution, and a production embedded-agent boundary probe that leaves only message allowed.
• add rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🐚 platinum hermit and patch quality is 🐚 platinum hermit.
• add status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Sufficient (terminal): The PR body includes copied terminal output from the final head covering provider wrappers, shared dispatch, embedded execution, and a production embedded-agent boundary probe that leaves only message allowed.
• remove rating: 🧂 unranked krab: Current PR rating is rating: 🐚 platinum hermit, so this older rating label is no longer current.
• remove status: 📣 needs proof: Current PR status label is status: 👀 ready for maintainer look.

Label justifications:

• P1: The PR fixes a security-sensitive path where account tool allowlists could be dropped before agent execution.
• merge-risk: 🚨 security-boundary: The diff changes enforcement plumbing for runtime tool policies, where incomplete propagation could expose disallowed tools.
• merge-risk: 🚨 compatibility: Existing CLI-backed ClickClack accounts with toolsAllow can now fail closed because CLI backends cannot enforce the runtime policy.
• rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🐚 platinum hermit and patch quality is 🐚 platinum hermit.
• status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Sufficient (terminal): The PR body includes copied terminal output from the final head covering provider wrappers, shared dispatch, embedded execution, and a production embedded-agent boundary probe that leaves only message allowed.
• proof: sufficient: Contributor real behavior proof is sufficient. The PR body includes copied terminal output from the final head covering provider wrappers, shared dispatch, embedded execution, and a production embedded-agent boundary probe that leaves only message allowed.

Evidence reviewed

PR surface:

Source +30, Tests +157. Total +187 across 12 files.

View PR surface stats

Area	Files	Added	Removed	Net
Source	8	32	2	+30
Tests	4	157	0	+157
Docs	0	0	0	0
Config	0	0	0	0
Generated	0	0	0	0
Other	0	0	0	0
Total	12	189	2	+187

Acceptance criteria:

• [P1] node scripts/run-vitest.mjs run --config test/vitest/vitest.extension-clickclack.config.ts extensions/clickclack/src/inbound.test.ts --reporter=verbose.
• [P1] node scripts/run-vitest.mjs run src/auto-reply/dispatch.test.ts src/auto-reply/reply/agent-runner-execution.test.ts src/auto-reply/reply/provider-dispatcher.test.ts --reporter=verbose.
• [P1] pnpm tsgo:core.
• [P1] pnpm tsgo:test:src.
• [P1] pnpm tsgo:extensions.

What I checked:

• ClickClack account policy handoff: The PR head passes params.account.toolsAllow into the shared inbound reply dispatch object. (extensions/clickclack/src/inbound.ts:177, 46a21f032302)
• Provider wrapper blocker fixed: Both exported provider dispatcher wrappers forward params.toolsAllow into the shared dispatch helpers on the final PR head. (src/auto-reply/reply/provider-dispatcher.ts:21, 46a21f032302)
• Shared reply dispatch preserves runtime policy: dispatchInboundMessage merges the runtime toolsAllow into reply options before calling dispatchReplyFromConfig; both buffered and plain helper paths pass the field through. (src/auto-reply/dispatch.ts:473, 46a21f032302)
• Embedded agent execution receives policy: The PR head forwards params.opts?.toolsAllow into both CLI and embedded run parameter objects; CLI preparation already rejects runtime allowlists it cannot enforce. (src/auto-reply/reply/agent-runner-execution.ts:2324, 46a21f032302)
• Tool filtering boundary: Current main filters constructed embedded-agent tools by runtime allowlist, treats an empty allowlist as no tools, and uses the filtered tool names for context-engine availableTools. (src/agents/embedded-agent-runner/run/attempt-tool-construction-plan.ts:92, 6c7644268f59)
• CLI fail-closed contract: Current main rejects toolsAllow during CLI preparation because CLI backends cannot enforce runtime allowlists, and the existing test covers that behavior. (src/agents/cli-runner/prepare.ts:163, 6c7644268f59)

Likely related people:

• Bek: Current-main blame ties the central ClickClack inbound dispatch, provider wrapper, shared dispatch, embedded allowlist collection, and CLI fail-closed guard to bce3d5b. (role: introduced adjacent dispatch/runtime surface; confidence: high; commits: bce3d5bf92d5; files: extensions/clickclack/src/inbound.ts, src/auto-reply/reply/provider-dispatcher.ts, src/auto-reply/dispatch.ts)
• @andyk-ms: Commit 4d8c07b added the original per-run toolsAllow feature surface for cron agent turns, which is the same runtime allowlist concept this PR now threads through reply dispatch. (role: introduced toolsAllow feature surface; confidence: medium; commits: 4d8c07b97c0b; files: src/agents/pi-embedded-runner/run/attempt.ts, src/agents/pi-embedded-runner/run/params.ts)
• Jordan Brant Baker: Commit b4e4f96 repaired a prior dropped optional-parameter forwarding bug for toolsAllow and related embedded-run fields, making this area relevant routing context. (role: adjacent forwarding owner; confidence: medium; commits: b4e4f96fd568; files: src/agents/embedded-agent-runner/run/attempt.ts, src/agents/embedded-agent-runner/run/params.ts)

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[mmaps]

@clawsweeper re-review

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

• State: Complete
• Detail: The targeted re-review finished, the durable review comment was updated, and the synced verdict was routed.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/26829230653
• Updated: 2026-06-02T15:21:39.354Z

[steipete]

Landed this via #90405 in commit 797bcd5.

That PR preserves your two ClickClack tool-policy dispatch commits and adds the missing ACP fail-closed path for sessions where restrictive runtime tool policy cannot be enforced. Thanks @mmaps.

Closing this PR as superseded by the landed maintainer branch.