
fix(gateway): restrict non-owner loopback tools#91749

Merged: eleqtrizit merged 2 commits into openclaw:main from eleqtrizit:742 on Jun 9, 2026

Conversation

@eleqtrizit

Contributor

Summary

  • Restricts owner-only gateway core tools from explicit non-owner MCP loopback callers.
  • Preserves existing owner loopback access and the conservative HTTP non-owner default.

Changes

  • Applies the owner-only tool denylist when loopback resolution receives senderIsOwner: false.
  • Renames the shared owner-only core tool constant so it is no longer HTTP-specific.
  • Adds regression coverage for non-owner loopback filtering while preserving omitted loopback owner-state behavior.

Validation

  • node scripts/run-vitest.mjs src/gateway/tool-resolution.exclude.test.ts src/gateway/tool-resolution.test.ts src/gateway/mcp-http.test.ts
  • .agents/skills/autoreview/scripts/autoreview --mode local

Real behavior proof
Behavior addressed: explicit non-owner loopback tool resolution no longer returns owner-only gateway core tools.
Real environment tested: local OpenClaw checkout on branch 742.
Exact steps or command run after this patch: node scripts/run-vitest.mjs src/gateway/tool-resolution.exclude.test.ts src/gateway/tool-resolution.test.ts src/gateway/mcp-http.test.ts.
Evidence after fix: focused gateway Vitest shard passed with 12 files and 196 tests.
Observed result after fix: non-owner loopback filtering is covered by regression tests; owner/omitted loopback behavior and MCP HTTP tests still pass.
What was not tested: live external channel traffic.

Notes

  • No CHANGELOG.md update.
  • USER.md worklog was updated locally and intentionally not committed.
  • Agent transcript omitted because adding sanitized logs requires explicit approval.

@eleqtrizit eleqtrizit requested a review from a team as a code owner June 9, 2026 18:48
@openclaw-barnacle openclaw-barnacle Bot added labels gateway (Gateway runtime), size: S, and maintainer (Maintainer-authored PR) Jun 9, 2026
@clawsweeper

clawsweeper Bot commented Jun 9, 2026

Contributor

Codex review: needs maintainer review before merge. Reviewed June 9, 2026, 3:29 PM ET / 19:29 UTC.

Summary
The branch applies the owner-only gateway core-tool denylist to explicit non-owner MCP loopback resolution, splits loopback schema caching by owner state, renames the shared denylist constant, and adds focused regression tests.

PR surface: Source +4, Tests +78. Total +82 across 5 files.

Reproducibility: yes, from source inspection: current shipped/main code only applies the owner-only denylist to HTTP, while loopback explicit false reaches the shared resolver without that deny. I did not run the repro locally in this read-only review, but the PR adds after-fix live JSON-RPC proof and regression coverage.

Review metrics: 2 noteworthy metrics.

  • Owner-only tools affected: 3 tools newly filtered for explicit non-owner loopback callers. cron, gateway, and nodes are privileged control-plane tools, so this count defines the merge compatibility and security boundary.
  • Loopback owner cache states: 2 states changed to 3 states. The cache now distinguishes owner, non-owner, and unknown-owner schemas so explicit non-owner calls cannot reuse unknown-owner cached tools.

Merge readiness
Overall: 🐚 platinum hermit
Proof: 🦞 diamond lobster
Patch quality: 🐚 platinum hermit
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

  • [P2] Get maintainer acceptance that explicit non-owner MCP loopback callers should lose cron, gateway, and nodes access before merge.

Risk before merge

  • [P1] Existing explicit non-owner MCP loopback callers that depended on cron, gateway, or nodes will now receive the MCP availability error instead of seeing those tools.
  • [P1] This changes an owner/non-owner authorization boundary, so maintainers still need to explicitly accept the compatibility impact as intended security hardening.

Maintainer options:

  1. Accept the loopback hardening (recommended)
    Maintainers can land the PR as a security hardening after acknowledging that explicit non-owner loopback callers lose cron, gateway, and nodes access.
  2. Require a compatibility path
    If existing non-owner child-process MCP workflows must keep these tools, require a maintainer-approved migration or explicit compatibility design before merge.
  3. Pause for boundary ownership
    If owner/non-owner loopback semantics are still unsettled, pause this PR rather than landing a partial authorization-policy decision.

Next step before merge

  • No automated repair is needed after the cache-key fix, but the protected maintainer/security-boundary PR needs human acceptance of the intentional loopback compatibility impact.

Security
Cleared: The diff narrows explicit non-owner access to privileged gateway tools and does not add dependency, secret, workflow, or supply-chain exposure.

Review details

Best possible solution:

Land the resolver and cache-key hardening after maintainers explicitly accept the non-owner loopback compatibility change, keeping owner and unknown-owner behavior protected by the new tests.

Do we have a high-confidence way to reproduce the issue?

Yes, from source inspection: current shipped/main code only applies the owner-only denylist to HTTP, while loopback explicit false reaches the shared resolver without that deny. I did not run the repro locally in this read-only review, but the PR adds after-fix live JSON-RPC proof and regression coverage.

Is this the best way to solve the issue?

Yes, this is the right layer: the shared gateway resolver controls both tools/list and tools/call visibility, and the cache key fix prevents owner-state schema reuse. Handler-level filtering would be narrower but easier to drift from the cached schema and inherited denylist behavior.

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against a2dd8219087a.

Label changes

Label changes:

  • add proof: sufficient: Contributor real behavior proof is sufficient. The contributor posted redacted after-fix live HTTP /mcp JSON-RPC output showing non-owner tools/list omits cron/gateway/nodes and tools/call for gateway fails before execution.
  • add rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🦞 diamond lobster and patch quality is 🐚 platinum hermit.
  • add status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Sufficient (live_output): The contributor posted redacted after-fix live HTTP /mcp JSON-RPC output showing non-owner tools/list omits cron/gateway/nodes and tools/call for gateway fails before execution.
  • remove rating: 🧂 unranked krab: Current PR rating is rating: 🐚 platinum hermit, so this older rating label is no longer current.
  • remove status: 📣 needs proof: Current PR status label is status: 👀 ready for maintainer look.

Label justifications:

  • P1: This PR fixes a gateway authorization boundary where explicit non-owner MCP loopback callers could see privileged core tools.
  • merge-risk: 🚨 compatibility: Existing explicit non-owner loopback callers may lose access to cron, gateway, and nodes that were visible in shipped/current behavior.
  • merge-risk: 🚨 security-boundary: The diff changes the owner/non-owner authorization boundary for privileged gateway core tools on MCP loopback.
  • rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🦞 diamond lobster and patch quality is 🐚 platinum hermit.
  • status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Sufficient (live_output): The contributor posted redacted after-fix live HTTP /mcp JSON-RPC output showing non-owner tools/list omits cron/gateway/nodes and tools/call for gateway fails before execution.
  • proof: sufficient: Contributor real behavior proof is sufficient. The contributor posted redacted after-fix live HTTP /mcp JSON-RPC output showing non-owner tools/list omits cron/gateway/nodes and tools/call for gateway fails before execution.

Evidence reviewed

PR surface:

Source +4, Tests +78. Total +82 across 5 files.

| Area | Files | Added | Removed | Net |
|---|---|---|---|---|
| Source | 3 | 11 | 7 | +4 |
| Tests | 2 | 79 | 1 | +78 |
| Docs | 0 | 0 | 0 | 0 |
| Config | 0 | 0 | 0 | 0 |
| Generated | 0 | 0 | 0 | 0 |
| Other | 0 | 0 | 0 | 0 |
| Total | 5 | 90 | 8 | +82 |

What I checked:

  • Repository policy read: Read the full root AGENTS.md and scoped src/gateway/AGENTS.md; the gateway/security-boundary guidance required a whole-path review, compatibility-risk handling, and focused proof assessment. (AGENTS.md:1, 443115c6328a)
  • Current shipped behavior: Latest release v2026.6.5 only applies the owner-only core-tool denylist on the HTTP surface when senderIsOwner is not true, so loopback non-owner filtering is a real behavior change from shipped/current code. (src/gateway/tool-resolution.ts:119, 5181e4f7c82b)
  • Resolver fix: At PR head, resolveGatewayScopedTools now denies cron, gateway, and nodes whenever senderIsOwner is explicitly false, including loopback, while preserving unknown loopback owner state. (src/gateway/tool-resolution.ts:119, 778d0e5f8d28)
  • Cache-key follow-up: The previous cache-ordering blocker is addressed by splitting loopback cache ownership into owner, non-owner, and unknown-owner states. (src/gateway/mcp-http.runtime.ts:73, 778d0e5f8d28)
  • Entry point and enforcement path: The loopback request layer derives false from the non-owner bearer, passes senderIsOwner into the cache/resolver, and the JSON-RPC handler rejects tools missing from the resolved schema before execution. (src/gateway/mcp-http.handlers.ts:73, 778d0e5f8d28)
  • Regression coverage: The PR adds resolver coverage for explicit non-owner loopback filtering and cache coverage for both unknown-then-false and false-then-unknown owner-state ordering. (src/gateway/mcp-http.test.ts:741, 778d0e5f8d28)

Likely related people:

  • Vincent Koc: Current-main blame for the resolver denylist, loopback cache key, and dangerous-tool constant points to commit 1240de7, and recent history shows additional touches to these gateway/security files. (role: recent area contributor; confidence: high; commits: 1240de7588d4, 5181e4f7c82b; files: src/gateway/tool-resolution.ts, src/gateway/mcp-http.runtime.ts, src/security/dangerous-tools.ts)
  • Peter Steinberger: History shows the MCP loopback transport split and dangerous-tool centralization were introduced in commits 25b069a and 233483d, both central to this PR's boundary. (role: feature owner; confidence: high; commits: 25b069a6f3cd, 233483d2b913, 3de09fbe7427; files: src/gateway/mcp-http.runtime.ts, src/gateway/mcp-http.ts, src/security/dangerous-tools.ts)
  • Brian Mendonca: Commit d51a469 added the cron default deny behavior for /tools/invoke, which is part of the owner-only core-tool history this PR generalizes to loopback non-owners. (role: introduced related HTTP restriction; confidence: medium; commits: d51a4695f0ce; files: src/security/dangerous-tools.ts, src/gateway/tools-invoke-http.cron-regression.test.ts)
  • Jacob Tomlinson: Commit 29cb1e3 tightened Gateway HTTP tool-invoke authorization and touched the same dangerous-tool and HTTP tool-invocation boundary. (role: adjacent owner; confidence: medium; commits: 29cb1e3c7edd; files: src/gateway/tools-invoke-http.ts, src/security/dangerous-tools.ts)
  • Agustin Rivera: Commit fe0f686 previously worked on non-owner message-tool ownership propagation through Matrix, agent, and gateway loopback paths, beyond authorship of this PR branch. (role: adjacent owner; confidence: medium; commits: fe0f686c9228; files: src/gateway/mcp-http.runtime.ts, src/gateway/tool-resolution.ts, src/gateway/mcp-http.request.ts)

What the crustacean ranks mean
  • 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
  • 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
  • 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
  • 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
  • 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
  • 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
  • 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works
  • ClawSweeper keeps one durable marker-backed review comment per issue or PR.
  • Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
  • A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
  • PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
  • Maintainers can also comment @clawsweeper review to request a fresh review only.
  • Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
  • Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
  • Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

@clawsweeper clawsweeper Bot added and removed labels Jun 9, 2026:

  • added rating: 🦪 silver shellfish (Thin PR readiness signal; proof, validation, or implementation needs work.)
  • added status: 📣 needs proof (The PR needs real behavior proof before ClawSweeper can clear the contributor ask.)
  • added P1 (High-priority user-facing bug, regression, or broken workflow.)
  • added merge-risk: 🚨 compatibility (🚨 May break existing users, config, migrations, defaults, or upgrade paths.)
  • added merge-risk: 🚨 security-boundary (🚨 May affect sandboxing, authorization, credentials, or sensitive data.)
  • added rating: 🧂 unranked krab (Not merge-ready due to missing proof or serious correctness/safety concerns.)
  • removed rating: 🦪 silver shellfish (Thin PR readiness signal; proof, validation, or implementation needs work.)
@eleqtrizit

Contributor Author

Behavioral proof for the ClawSweeper proof request.

Behavior addressed: explicit non-owner MCP loopback callers no longer see or call owner-only gateway core tools (cron, gateway, nodes). Owner loopback callers still see those tools and can reach the gateway implementation.

Real environment tested: local OpenClaw checkout on branch 742 at 82bdc5400d.

Exact command run after this patch:

timeout 30s env HOME="$(mktemp -d)" node --import tsx/esm <<'EOF_SCRIPT'
# HTTP POST /mcp loopback harness using production resolveGatewayScopedTools,
# buildMcpToolSchema, and handleMcpJsonRpc. Bearer tokens are synthetic/redacted.
# Plugin discovery disabled with the production disablePluginTools flag to keep
# the proof focused on the gateway-scoped loopback authorization boundary.
EOF_SCRIPT

Evidence after fix:

{
  "surface": "HTTP POST /mcp loopback harness",
  "codePath": "production resolveGatewayScopedTools + buildMcpToolSchema + handleMcpJsonRpc",
  "pluginDiscovery": "disabled with production disablePluginTools flag",
  "nonOwnerListStatus": 200,
  "ownerListStatus": 200,
  "nonOwnerToolCount": 16,
  "ownerToolCount": 19,
  "nonOwnerOwnerOnlyVisible": {
    "cron": false,
    "gateway": false,
    "nodes": false
  },
  "ownerOwnerOnlyVisible": {
    "cron": true,
    "gateway": true,
    "nodes": true
  },
  "nonOwnerGatewayCallIsError": true,
  "nonOwnerGatewayCallText": "Tool not available: gateway",
  "ownerGatewayCallIsError": true,
  "ownerGatewayCallText": "Unknown action: health"
}

Observed result after fix: non-owner tools/list omits cron, gateway, and nodes; non-owner tools/call for gateway fails at the MCP availability boundary with Tool not available: gateway; owner tools/list still includes all three owner-only tools, and owner tools/call for gateway reaches the gateway tool implementation (Unknown action: health, matching the advisory's owner-control behavior).

Source proof checked:

  • src/gateway/tool-resolution.ts:119 applies GATEWAY_OWNER_ONLY_CORE_TOOLS when senderIsOwner === false, including loopback callers.
  • src/gateway/mcp-http.handlers.ts:73 returns the resolved schema for tools/list; src/gateway/mcp-http.handlers.ts:84 rejects absent tools before execution with Tool not available: <tool>.
  • src/security/dangerous-tools.ts:41 defines the owner-only set as cron, gateway, and nodes.

Regression command:

node scripts/run-vitest.mjs src/gateway/tool-resolution.exclude.test.ts src/gateway/tool-resolution.test.ts src/gateway/mcp-http.test.ts

Regression output:

Test Files  12 passed (12)
Tests       196 passed (196)
Duration    30.06s
[test] passed 1 Vitest shard in 37.79s

What was not tested: live external channel traffic. Full startMcpLoopbackServer startup in this local checkout hung during broad real tool construction, so the posted proof uses an HTTP /mcp harness around the production resolver/schema/JSON-RPC handler with plugin discovery disabled by the existing production flag.

@clawsweeper re-review

@clawsweeper

clawsweeper Bot commented Jun 9, 2026

Contributor

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

@eleqtrizit

Contributor Author

Updated behavioral proof after addressing the ClawSweeper cache-key finding.

Head tested: 778d0e5f8d (fix(gateway): split loopback owner cache key).

Change made for the new P1 finding:

  • src/gateway/mcp-http.runtime.ts now keys loopback cache ownership as three distinct states: owner, non-owner, and unknown-owner.
  • src/gateway/mcp-http.test.ts now covers both cache orderings: unknown-owner then explicit non-owner, and explicit non-owner then unknown-owner. The test proves cron cannot leak into the explicit non-owner cached schema and that unknown-owner compatibility does not inherit the filtered non-owner schema.

Behavioral proof command rerun after the cache fix:

timeout 30s env HOME="$(mktemp -d)" node --import tsx/esm <<'EOF_SCRIPT'
# HTTP POST /mcp loopback harness using production resolveGatewayScopedTools,
# buildMcpToolSchema, and handleMcpJsonRpc. Bearer tokens are synthetic/redacted.
# Plugin discovery disabled with the production disablePluginTools flag to keep
# the proof focused on the gateway-scoped loopback authorization boundary.
EOF_SCRIPT

Behavioral proof output:

{
  "surface": "HTTP POST /mcp loopback harness",
  "codePath": "production resolveGatewayScopedTools + buildMcpToolSchema + handleMcpJsonRpc",
  "pluginDiscovery": "disabled with production disablePluginTools flag",
  "nonOwnerListStatus": 200,
  "ownerListStatus": 200,
  "nonOwnerToolCount": 16,
  "ownerToolCount": 19,
  "nonOwnerOwnerOnlyVisible": {
    "cron": false,
    "gateway": false,
    "nodes": false
  },
  "ownerOwnerOnlyVisible": {
    "cron": true,
    "gateway": true,
    "nodes": true
  },
  "nonOwnerGatewayCallIsError": true,
  "nonOwnerGatewayCallText": "Tool not available: gateway",
  "ownerGatewayCallIsError": true,
  "ownerGatewayCallText": "Unknown action: health"
}

Regression validation after the cache fix:

node scripts/run-vitest.mjs src/gateway/mcp-http.test.ts src/gateway/tool-resolution.exclude.test.ts src/gateway/tool-resolution.test.ts
Test Files  12 passed (12)
Tests       200 passed (200)
Duration    28.32s
[test] passed 1 Vitest shard in 36.12s

Autoreview:

.agents/skills/autoreview/scripts/autoreview --mode local
autoreview clean: no accepted/actionable findings reported
overall: patch is correct (0.82)

What was not tested: live external channel traffic. Full startMcpLoopbackServer startup in this local checkout hung during broad real tool construction, so the posted behavior proof uses an HTTP /mcp harness around the production resolver/schema/JSON-RPC handler with plugin discovery disabled by the existing production flag.

@clawsweeper re-review

@clawsweeper

clawsweeper Bot commented Jun 9, 2026

Contributor

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

@clawsweeper clawsweeper Bot added and removed labels Jun 9, 2026:

  • added proof: sufficient (ClawSweeper judged the real behavior proof convincing.)
  • added rating: 🐚 platinum hermit (Good normal PR readiness with ordinary maintainer review expected.)
  • added status: 👀 ready for maintainer look (ClawSweeper has no concrete contributor-facing blocker left for this PR.)
  • removed rating: 🧂 unranked krab (Not merge-ready due to missing proof or serious correctness/safety concerns.)
  • removed status: 📣 needs proof (The PR needs real behavior proof before ClawSweeper can clear the contributor ask.)
@eleqtrizit

Contributor Author

Relevance

Confirmed in scope — a legitimate privilege escalation where the owner-only tool denylist (cron, gateway, nodes) was only enforced on the HTTP surface but not on the MCP loopback surface. The code already distinguished owner vs non-owner tokens at the auth layer and plumbed senderIsOwner through to the shared resolver, but the condition at src/gateway/tool-resolution.ts:119 was gated on surface === "http" only, leaving loopback unprotected. Non-owner loopback callers could list and invoke these privileged control-plane tools.

Compatibility

The fix is additive hardening with no breaking changes:

  • Owner loopback callers (senderIsOwner: true): completely unaffected — they bypass the denylist as before.
  • Non-owner loopback callers (senderIsOwner: false): lose access to cron, gateway, and nodes — tools they should never have had access to. This is the intended security enforcement.
  • Loopback callers without identity (senderIsOwner: undefined): preserved — they retain existing behavior for backward compatibility.
  • HTTP surface: completely unchanged — no regression risk.
  • No config, CLI, protocol, or plugin SDK surface changes.

ClawSweeper

ClawSweeper reviewed the PR and rated it 🐚 platinum hermit with proof: sufficient and status: 👀 ready for maintainer look. The two merge-risk labels (compatibility and security-boundary) flag the intentional change in non-owner loopback authorization, which requires maintainer acceptance. No remaining contributor-facing blockers.

Code Reviews Completed

Multiple independent reviews were completed across the full surface:

  • Vulnerability scope & relevance: Confirmed the issue is in scope per SECURITY.md, not already fixed on main, and fixable with a targeted low-risk change.
  • Code correctness: The resolver condition correctly handles all five identity/surface combinations. The deny propagates into both pluginToolDenylist and inheritedToolDenylist, so child/session policy inheritance cannot re-expose the owner-only tools. The JSON-RPC handler rejects absent tools before execution.
  • Cache safety: The loopback tool cache key was split into three states (owner, non-owner, unknown-owner) to prevent schema cross-contamination between different owner-state callers. Regression tests cover both cache orderings.
  • Compatibility: Verified no exported types, config schemas, CLI flags, gateway protocol fields, or plugin SDK surfaces were changed. The constant rename is internal-only.
  • CI: All CI lanes pass — no failures, timeouts, or action-required conclusions related to the code changes.
  • Real behavior proof: Live HTTP /mcp harness using production resolveGatewayScopedTools, buildMcpToolSchema, and handleMcpJsonRpc confirmed non-owner tools/list omits cron/gateway/nodes, non-owner tools/call returns "Tool not available: gateway", and owner callers still reach the gateway implementation.
  • Autoreview: Clean — no accepted or actionable findings reported.
  • Test suite: 200 tests pass across the gateway tool-resolution, exclude, and MCP HTTP test files.

Proof

| Check | Result |
|---|---|
| Vulnerability in scope | ✅ Confirmed |
| Not already fixed on main | ✅ Confirmed |
| Fix minimal and targeted | ✅ +82 LOC across 5 files, core fix is +6/-7 |
| All identity/surface cases correct | ✅ Verified all 5 combinations |
| Cache key prevents cross-contamination | ✅ 3-state split, both orderings tested |
| Tests pass | ✅ 200/200 |
| Autoreview clean | ✅ No findings |
| CI passing | ✅ All relevant lanes green |
| Real behavior proof | ✅ Live harness confirms correct filtering |
| ClawSweeper | ✅ Platinum hermit, proof sufficient, ready for maintainer look |
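The three pieces the reviews above describe, modeled as an added TypeScript example that is not OpenClaw's code: the resolver condition before and after the fix (surface-gated versus explicit non-owner on any surface, with unknown-owner loopback left alone), the three-state loopback cache key, and the tools/call gate that rejects an absent tool before execution. All function, type and tool names here are invented stand-ins for the project's resolveGatewayScopedTools, cache key and handleMcpJsonRpc; the tool set is constructed.

```typescript
// Added illustration of the loopback owner-only boundary discussed in this PR.
// Not OpenClaw's code: names are invented to model the logic the reviews describe.

type Surface = "http" | "loopback";
type ToolSchema = { name: string };

// Constructed tool set: the three owner-only control-plane tools named in the PR
// plus ordinary tools, so owner and non-owner schemas differ in size.
const OWNER_ONLY_CORE_TOOLS: ReadonlySet<string> = new Set(["cron", "gateway", "nodes"]);
const ALL_TOOLS: ToolSchema[] = ["cron", "gateway", "nodes", "read", "write", "exec"].map(
  (name) => ({ name }),
);

interface ResolveOptions {
  surface: Surface;
  senderIsOwner?: boolean; // undefined = caller owner state was not asserted
}

// "Before" condition as the discussion describes it: the denylist only fired on
// the HTTP surface, so an explicit non-owner loopback caller still saw all tools.
function shouldDenyOwnerOnlyBefore(opts: ResolveOptions): boolean {
  return opts.surface === "http" && opts.senderIsOwner !== true;
}

// "After" condition: keep the conservative HTTP default (deny unless owner is
// asserted) and additionally deny whenever the caller is explicitly a non-owner,
// on any surface. Loopback callers with unknown owner state keep prior access.
function shouldDenyOwnerOnlyAfter(opts: ResolveOptions): boolean {
  return (opts.surface === "http" && opts.senderIsOwner !== true) || opts.senderIsOwner === false;
}

function resolveTools(opts: ResolveOptions, deny = shouldDenyOwnerOnlyAfter): ToolSchema[] {
  if (!deny(opts)) return ALL_TOOLS;
  return ALL_TOOLS.filter((t) => !OWNER_ONLY_CORE_TOOLS.has(t.name));
}

// Three-state cache key. With only two states, whichever request populated the
// cache first would decide what a later caller with a different owner state saw:
// an unfiltered unknown-owner schema could be served to an explicit non-owner.
function loopbackCacheKey(senderIsOwner: boolean | undefined): "owner" | "non-owner" | "unknown-owner" {
  if (senderIsOwner === true) return "owner";
  if (senderIsOwner === false) return "non-owner";
  return "unknown-owner";
}

const schemaCache = new Map<string, ToolSchema[]>();

function cachedLoopbackTools(senderIsOwner: boolean | undefined): ToolSchema[] {
  const key = loopbackCacheKey(senderIsOwner);
  let tools = schemaCache.get(key);
  if (!tools) {
    tools = resolveTools({ surface: "loopback", senderIsOwner });
    schemaCache.set(key, tools);
  }
  return tools;
}

// tools/call gate: a tool absent from the caller's resolved schema is rejected
// before any implementation runs. The error text mirrors the posted proof.
type CallResult = { isError: boolean; text: string };

function handleToolsCall(senderIsOwner: boolean | undefined, toolName: string): CallResult {
  const visible = cachedLoopbackTools(senderIsOwner).some((t) => t.name === toolName);
  if (!visible) return { isError: true, text: `Tool not available: ${toolName}` };
  // Execution stand-in; the real tool implementation would run here.
  return { isError: false, text: `executed ${toolName}` };
}

function toolNames(tools: ToolSchema[]): string[] {
  return tools.map((t) => t.name);
}
```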

@eleqtrizit eleqtrizit merged commit b6a3f29 into openclaw:main Jun 9, 2026
185 of 192 checks passed
github-actions Bot pushed a commit to Desicool/openclaw that referenced this pull request Jun 10, 2026
* fix(gateway): restrict non-owner loopback tools

* fix(gateway): split loopback owner cache key
eleboucher pushed a commit to eleboucher/homelab that referenced this pull request Jun 12, 2026
…26.6.6) (#1040)

This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [ghcr.io/openclaw/openclaw](https://openclaw.ai) ([source](https://github.com/openclaw/openclaw)) | patch | `2026.6.5` → `2026.6.6` |

---

### Release Notes

<details>
<summary>openclaw/openclaw (ghcr.io/openclaw/openclaw)</summary>

### [`v2026.6.6`](https://github.com/openclaw/openclaw/blob/HEAD/CHANGELOG.md#202666)

[Compare Source](openclaw/openclaw@v2026.6.5...v2026.6.6)

##### Highlights

- Security boundaries are substantially tighter across transcripts, sandbox binds, host environment inheritance, MCP stdio, Codex HTTP access, native search policy, elevated sender checks, deleted-agent ACP bypasses, loopback tools, Discord moderation, and Teams group actions; exec approvals now fail closed on timeout. ([#&#8203;91529](openclaw/openclaw#91529), [#&#8203;91618](openclaw/openclaw#91618), [#&#8203;91615](openclaw/openclaw#91615), [#&#8203;91619](openclaw/openclaw#91619), [#&#8203;91741](openclaw/openclaw#91741), [#&#8203;91745](openclaw/openclaw#91745), [#&#8203;91746](openclaw/openclaw#91746), [#&#8203;91748](openclaw/openclaw#91748), [#&#8203;91749](openclaw/openclaw#91749), [#&#8203;91750](openclaw/openclaw#91750), [#&#8203;91751](openclaw/openclaw#91751), [#&#8203;91752](openclaw/openclaw#91752), [#&#8203;91763](openclaw/openclaw#91763), [#&#8203;89938](openclaw/openclaw#89938)) Thanks [@&#8203;joshavant](https://github.com/joshavant), [@&#8203;pgondhi987](https://github.com/pgondhi987), [@&#8203;mmaps](https://github.com/mmaps), [@&#8203;eleqtrizit](https://github.com/eleqtrizit), [@&#8203;shakkernerd](https://github.com/shakkernerd), and [@&#8203;drobison00](https://github.com/drobison00).
- Telegram delivery is safer and more coherent: account-scoped topics route to the right agent, streamed text survives tool calls, `/compact` works on generic ingress, callback handling uses concrete APIs, draft chunking is shared, durable dispatch dedupe moved into the SDK, and unauthorized DM text stays out of cache and prompt context. ([#&#8203;91189](openclaw/openclaw#91189), [#&#8203;88682](openclaw/openclaw#88682), [#&#8203;89588](openclaw/openclaw#89588), [#&#8203;90212](openclaw/openclaw#90212), [#&#8203;91876](openclaw/openclaw#91876), [#&#8203;91874](openclaw/openclaw#91874), [#&#8203;91904](openclaw/openclaw#91904), [#&#8203;91478](openclaw/openclaw#91478), [#&#8203;91915](openclaw/openclaw#91915)) Thanks [@&#8203;codysai001](https://github.com/codysai001), [@&#8203;alexzhu0](https://github.com/alexzhu0), [@&#8203;joelnishanth](https://github.com/joelnishanth), [@&#8203;snowzlm](https://github.com/snowzlm), [@&#8203;obviyus](https://github.com/obviyus), and [@&#8203;sallyom](https://github.com/sallyom).
- iMessage recovery and delivery now cover always-on inbound restart, durable echo markers, block streaming, idle approval discovery, hardened outbound transport, and actionable inbound startup diagnostics. ([#&#8203;91335](openclaw/openclaw#91335), [#&#8203;91449](openclaw/openclaw#91449), [#&#8203;88969](openclaw/openclaw#88969), [#&#8203;88530](openclaw/openclaw#88530), [#&#8203;91783](openclaw/openclaw#91783), [#&#8203;91785](openclaw/openclaw#91785)) Thanks [@&#8203;omarshahine](https://github.com/omarshahine), [@&#8203;jmissig](https://github.com/jmissig), and [@&#8203;colmbrogan](https://github.com/colmbrogan).
- Browser and MCP connectivity gained existing-session CDP support, discovered WebSocket validation, default-profile `cdpUrl` handling, safer browser-output boundaries, Streamable HTTP loopback transport, corrected OAuth/SSE authorization handling, and broader schema compatibility. ([#&#8203;91422](openclaw/openclaw#91422), [#&#8203;89851](openclaw/openclaw#89851), [#&#8203;91736](openclaw/openclaw#91736), [#&#8203;91747](openclaw/openclaw#91747), [#&#8203;91451](openclaw/openclaw#91451), [#&#8203;80143](openclaw/openclaw#80143)) Thanks [@&#8203;pgondhi987](https://github.com/pgondhi987), [@&#8203;anagnorisis2peripeteia](https://github.com/anagnorisis2peripeteia), [@&#8203;lifuyue](https://github.com/lifuyue), [@&#8203;eleqtrizit](https://github.com/eleqtrizit), [@&#8203;LiuwqGit](https://github.com/LiuwqGit), and [@&#8203;HemantSudarshan](https://github.com/HemantSudarshan).
- Control UI startup and first-reply latency are lower through cached model metadata, removal of the startup catalog wait, lazy slash-command loading, and first-event tracing with slow-reply diagnostics. ([#&#8203;91531](openclaw/openclaw#91531), [#&#8203;91538](openclaw/openclaw#91538), [#&#8203;91568](openclaw/openclaw#91568), [#&#8203;91583](openclaw/openclaw#91583), [#&#8203;91598](openclaw/openclaw#91598))
- Provider support expands with OpenRouter OAuth onboarding and Claude Fable 5 adaptive thinking, while Codex sessions keep correct compaction ownership, local models skip guardian review, dynamic tool progress normalizes cleanly, and Gemma 4 reasoning replay is preserved. ([#&#8203;91830](openclaw/openclaw#91830), [#&#8203;91882](openclaw/openclaw#91882), [#&#8203;91590](openclaw/openclaw#91590), [#&#8203;88630](openclaw/openclaw#88630), [#&#8203;88768](openclaw/openclaw#88768), [#&#8203;91696](openclaw/openclaw#91696)) Thanks [@&#8203;Patrick-Erichsen](https://github.com/Patrick-Erichsen), [@&#8203;joshavant](https://github.com/joshavant), [@&#8203;bdjben](https://github.com/bdjben), and [@&#8203;Coder-Wangyankun](https://github.com/Coder-Wangyankun).

##### Changes

- CLI progress: emit Claude CLI commentary progress events and bridge inter-tool commentary into channel progress without exposing internal protocol scaffolding. ([#89834](openclaw/openclaw#89834), [#90883](openclaw/openclaw#90883)) Thanks [@anagnorisis2peripeteia](https://github.com/anagnorisis2peripeteia).
- Observability: allow trusted diagnostics channels to capture tool input/output content, add first-assistant-event traces, and warn on slow initial replies. ([#91256](openclaw/openclaw#91256), [#91568](openclaw/openclaw#91568), [#91583](openclaw/openclaw#91583)) Thanks [@amknight](https://github.com/amknight).
- Plugins/ClawHub: dogfood reusable package publishing, let dry runs skip publish approval, allow declared installed trusted hooks, report managed plugin version drift, and warn instead of failing on retired Skill Workshop configuration. ([#91574](openclaw/openclaw#91574), [#91591](openclaw/openclaw#91591), [#90004](openclaw/openclaw#90004), [#90927](openclaw/openclaw#90927), [#90838](openclaw/openclaw#90838)) Thanks [@Patrick-Erichsen](https://github.com/Patrick-Erichsen), [@brokemac79](https://github.com/brokemac79), and [@lonexreb](https://github.com/lonexreb).
- Memory/providers: move the local llama.cpp runtime into its provider plugin, batch embeddings across files, persist the agent model catalog cache, and keep QMD JSON search one-shot while filtering stale REM recall previews. ([#91324](openclaw/openclaw#91324), [#89138](openclaw/openclaw#89138), [#90457](openclaw/openclaw#90457), [#91837](openclaw/openclaw#91837), [#91851](openclaw/openclaw#91851)) Thanks [@osolmaz](https://github.com/osolmaz), [@mushuiyu886](https://github.com/mushuiyu886), [@ai-hpc](https://github.com/ai-hpc), and [@TurboTheTurtle](https://github.com/TurboTheTurtle).
- Channels/mobile: add the QQBot group mention toggle, improve iPad and iPhone control surfaces, and expose the active connection host in the TUI footer. ([#91423](openclaw/openclaw#91423), [#91557](openclaw/openclaw#91557), [#89909](openclaw/openclaw#89909)) Thanks [@cxyhhhhh](https://github.com/cxyhhhhh), [@Solvely-Colin](https://github.com/Solvely-Colin), and [@baskduf](https://github.com/baskduf).
- Performance: prewarm TUI runtime plugins, deduplicate plugin auto-enable fanout, trim dense text-delta snapshots, and reuse prepared startup model metadata. ([#90782](openclaw/openclaw#90782), [#89978](openclaw/openclaw#89978), [#91580](openclaw/openclaw#91580), [#91531](openclaw/openclaw#91531)) Thanks [@RomneyDa](https://github.com/RomneyDa) and [@ai-hpc](https://github.com/ai-hpc).

##### Fixes

- Agent/session recovery: drop stale approval follow-ups after session rebind, remove drained reply-queue items by identity, recover stale main and visible replies, preserve Codex context-engine compaction ownership, lower the default compaction timeout to 180 seconds while respecting explicit configuration, and keep provider-failure terminal lifecycle state correct. ([#85679](openclaw/openclaw#85679), [#91450](openclaw/openclaw#91450), [#91566](openclaw/openclaw#91566), [#91840](openclaw/openclaw#91840), [#91590](openclaw/openclaw#91590), [#91361](openclaw/openclaw#91361), [#91895](openclaw/openclaw#91895)) Thanks [@openperf](https://github.com/openperf), [@yetval](https://github.com/yetval), [@joshavant](https://github.com/joshavant), [@wangmiao0668000666](https://github.com/wangmiao0668000666), and [@TurboTheTurtle](https://github.com/TurboTheTurtle).
- User-visible content boundaries: suppress Codex/Harmony protocol artifacts, neutralize browser and LanceDB memory media directives, redact transcript images, and preserve native `/compact` replies through source suppression. ([#89151](openclaw/openclaw#89151), [#91422](openclaw/openclaw#91422), [#91425](openclaw/openclaw#91425), [#91529](openclaw/openclaw#91529), [#90212](openclaw/openclaw#90212)) Thanks [@joelnishanth](https://github.com/joelnishanth), [@pgondhi987](https://github.com/pgondhi987), [@joshavant](https://github.com/joshavant), and [@snowzlm](https://github.com/snowzlm).
- Channel delivery: keep WhatsApp captured replies attached to the successor controller after restart, retry Feishu rate limits, preserve Mattermost thread replies, canonicalize LINE webhook paths, restore Discord reply hydration and runtime timeout exports, and show OpenAI Realtime WebRTC assistant transcripts. ([#85823](openclaw/openclaw#85823), [#89659](openclaw/openclaw#89659), [#91684](openclaw/openclaw#91684), [#91649](openclaw/openclaw#91649), [#90263](openclaw/openclaw#90263), [#91686](openclaw/openclaw#91686), [#90426](openclaw/openclaw#90426)) Thanks [@itsuzef](https://github.com/itsuzef), [@ladygege](https://github.com/ladygege), [@jacobtomlinson](https://github.com/jacobtomlinson), [@fuller-stack-dev](https://github.com/fuller-stack-dev), and [@shushushv](https://github.com/shushushv).
- Cron: cancel active task runs cleanly, preserve terminal timeout/cancel state, and recover no-deliver tool warnings instead of silently losing the outcome. ([#90666](openclaw/openclaw#90666), [#90678](openclaw/openclaw#90678)) Thanks [@ai-hpc](https://github.com/ai-hpc).
- Gateway/config/auth: share the approval runtime socket token, replace arrays explicitly in `config.patch`, skip the deleted-agent guard only for valid ACP harness sessions, surface headless LaunchAgent state, verify SQLite auth migration before cleanup, and arm QMD startup maintenance. ([#87105](openclaw/openclaw#87105), [#91551](openclaw/openclaw#91551), [#91219](openclaw/openclaw#91219), [#91614](openclaw/openclaw#91614), [#91740](openclaw/openclaw#91740), [#91978](openclaw/openclaw#91978)) Thanks [@fuller-stack-dev](https://github.com/fuller-stack-dev) and [@scotthuang](https://github.com/scotthuang).
- Providers/Codex: clarify quota errors, restore the Codex synthetic usage line, canonicalize Codex protocol assets, require API-key auth for realtime voice, normalize ACP model refs, preserve Gemma 4 `reasoning_content`, and avoid guardian review for local models. ([#91390](openclaw/openclaw#91390), [#91709](openclaw/openclaw#91709), [#91507](openclaw/openclaw#91507), [#91567](openclaw/openclaw#91567), [#88630](openclaw/openclaw#88630), [#91696](openclaw/openclaw#91696)) Thanks [@hxy91819](https://github.com/hxy91819), [@brokemac79](https://github.com/brokemac79), [@RomneyDa](https://github.com/RomneyDa), [@joshavant](https://github.com/joshavant), and [@Coder-Wangyankun](https://github.com/Coder-Wangyankun).
- Updates/builds: recover package Gateway restarts after refresh failure, expose plugin convergence repair, fall back to Corepack in PATH-less pnpm environments, seed the correct Docker store packages, and keep ClawHub dry-run and publish paths reusable. ([#91581](openclaw/openclaw#91581), [#91599](openclaw/openclaw#91599), [#91547](openclaw/openclaw#91547), [#91591](openclaw/openclaw#91591)) Thanks [@fuller-stack-dev](https://github.com/fuller-stack-dev), [@sallyom](https://github.com/sallyom), and [@Patrick-Erichsen](https://github.com/Patrick-Erichsen).
- UI: require explicit user intent before opening chat sessions and drain restored chat queues after session switches. ([#91480](openclaw/openclaw#91480)) Thanks [@TurboTheTurtle](https://github.com/TurboTheTurtle).
- Android: avoid the `dataSync` foreground-service type for persistent nodes. ([#80082](openclaw/openclaw#80082)) Thanks [@davelutztx](https://github.com/davelutztx).
- Native hooks: bound relay lifetimes so abandoned native hook connections cannot linger indefinitely. ([#91550](openclaw/openclaw#91550)) Thanks [@joshavant](https://github.com/joshavant).

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about these updates again.

---

- [ ] If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).

Reviewed-on: https://git.erwanleboucher.dev/eleboucher/homelab/pulls/1040

Labels

- gateway: Gateway runtime
- maintainer: Maintainer-authored PR
- merge-risk: 🚨 compatibility 🚨: May break existing users, config, migrations, defaults, or upgrade paths.
- merge-risk: 🚨 security-boundary 🚨: May affect sandboxing, authorization, credentials, or sensitive data.
- P1: High-priority user-facing bug, regression, or broken workflow.
- proof: sufficient: ClawSweeper judged the real behavior proof convincing.
- rating: 🐚 platinum hermit: Good normal PR readiness with ordinary maintainer review expected.
- size: S
- status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR.
