fix(search): enforce native web search tool policy #91750

Merged
eleqtrizit merged 4 commits into openclaw:main from eleqtrizit:739, Jun 9, 2026

@eleqtrizit eleqtrizit commented Jun 9, 2026

Contributor

Summary

Enforce OpenClaw tool policy before enabling provider-native Codex/OpenAI web_search.

Changes

  • Gate native web-search activation with global, provider, agent, profile, group, sender, sandbox, subagent, and inherited session tool policy layers.
  • Thread native web-search policy context through embedded attempts, compaction stream rebuilds, provider stream hooks, and the OpenAI native-search wrapper.
  • Keep managed web_search visible when native search is unavailable or blocked by policy.
  • Update the Plugin SDK API baseline hash for the intentional optional provider context addition.
  • Add regression coverage for agent/provider/sender/sandbox/inherited denies, managed-tool suppression parity, provider wrapper context propagation, and payload injection suppression.

Validation

  • node scripts/run-vitest.mjs src/agents/codex-native-web-search.test.ts src/llm/providers/stream-wrappers/openai.test.ts src/agents/embedded-agent-runner-extraparams.test.ts
  • corepack pnpm plugin-sdk:api:check
  • corepack pnpm tsgo:core
  • node scripts/check-src-extension-import-boundary.mjs --json
  • node scripts/check-sdk-package-extension-import-boundary.mjs --json
  • node scripts/check-test-helper-extension-import-boundary.mjs --json
  • corepack pnpm check:import-cycles
  • git diff --check
  • corepack pnpm build

Notes

  • This is hardening/policy parity; no secret exfiltration or external mutation was demonstrated in the report.

@openclaw-barnacle openclaw-barnacle Bot added agents Agent runtime and tooling extensions: openai size: M maintainer Maintainer-authored PR labels Jun 9, 2026

clawsweeper Bot commented Jun 9, 2026

Contributor

Codex review: needs maintainer review before merge. Reviewed June 9, 2026, 7:12 PM ET / 23:12 UTC.

Summary
The PR gates native OpenAI/Codex web search behind OpenClaw tool-policy decisions across agent runs, compaction, provider stream wrapping, SDK context, and regression tests.

PR surface: Source +293, Tests +331, Generated 0. Total +624 across 16 files.

Reproducibility: yes. from source: current main gates native web-search activation on config/model/auth but not the layered tool-policy inputs that already govern managed web_search. I did not run tests because this was a read-only review.

Review metrics: 1 noteworthy metric.

  • Provider hook context: 2 optional fields added. The provider SDK context now exposes agentId and the computed native-search policy decision, so maintainers should notice the public plugin contract change before merge.

Merge readiness
Overall: 🐚 platinum hermit
Proof: 🐚 platinum hermit
Patch quality: 🐚 platinum hermit
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

  • none.

Risk before merge

  • [P1] Merging adds two optional fields to provider hook context, so third-party provider plugins may observe or rely on the new native-search policy decision contract.
  • [P1] Native provider web search is a security boundary; a missed runtime caller could still inject hosted web_search despite tool policy, so maintainer review should verify all entry points stay covered.

Maintainer options:

  1. Land with the boolean-only seam (recommended)
    Maintainers can accept the additive provider context after confirming it stays limited to agentId plus the computed native-search policy decision and the posted proof matches the final head.
  2. Require broader upgrade proof
    Ask for an additional plugin SDK/API baseline check or provider-plugin smoke if maintainers want more confidence that external provider hooks tolerate the optional fields.
  3. Pause if the SDK context should not grow
    If maintainers do not want provider hooks to observe any native-search policy decision, pause this PR and rework the enforcement behind a purely core-owned wrapper path.

Next step before merge

  • No automated repair is needed; the remaining action is maintainer handling for a protected, security-sensitive provider/plugin SDK boundary change.

Security
Cleared: No concrete security or supply-chain regression was found in the final diff; the earlier raw identity exposure was removed and the remaining security sensitivity is tracked as merge risk.

Review details

Best possible solution:

Keep the redacted boolean decision seam and land only after maintainer review confirms the plugin SDK baseline, CI, and native-search allow/deny proof for the security-sensitive provider path.

Do we have a high-confidence way to reproduce the issue?

Yes from source: current main gates native web-search activation on config/model/auth but not the layered tool-policy inputs that already govern managed web_search. I did not run tests because this was a read-only review.

Is this the best way to solve the issue?

Yes, with maintainer approval: the final patch computes the full policy in core and passes a redacted boolean decision to provider hooks instead of raw sender/group identity. The additive provider SDK context still needs explicit maintainer acceptance before merge.

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 3a9ea1d85bef.

Label changes:

  • add proof: sufficient: Contributor real behavior proof is sufficient. The contributor posted redacted live-output for commit 89d23b3 showing denied provider/Codex paths omit native web_search, allowed paths inject it, and provider hooks do not receive raw policy context.
  • add rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🐚 platinum hermit and patch quality is 🐚 platinum hermit.
  • add status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Sufficient (live_output): The contributor posted redacted live-output for commit 89d23b3 showing denied provider/Codex paths omit native web_search, allowed paths inject it, and provider hooks do not receive raw policy context.
  • remove rating: 🧂 unranked krab: Current PR rating is rating: 🐚 platinum hermit, so this older rating label is no longer current.
  • remove status: 📣 needs proof: Current PR status label is status: 👀 ready for maintainer look.

Label justifications:

  • P1: The PR changes security-sensitive native web-search policy enforcement where an incorrect merge could expose provider-hosted search despite OpenClaw tool policy.
  • merge-risk: 🚨 compatibility: The diff expands provider hook context and refreshes the Plugin SDK API baseline, which can affect third-party provider plugin expectations.
  • merge-risk: 🚨 security-boundary: The diff moves tool-policy decisions into native provider web-search injection paths, which is an authorization/security boundary for external web access.
  • rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🐚 platinum hermit and patch quality is 🐚 platinum hermit.
  • status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Sufficient (live_output): The contributor posted redacted live-output for commit 89d23b3 showing denied provider/Codex paths omit native web_search, allowed paths inject it, and provider hooks do not receive raw policy context.
  • proof: sufficient: Contributor real behavior proof is sufficient. The contributor posted redacted live-output for commit 89d23b3 showing denied provider/Codex paths omit native web_search, allowed paths inject it, and provider hooks do not receive raw policy context.

Evidence reviewed

PR surface:

Source +293, Tests +331, Generated 0. Total +624 across 16 files.

| Area | Files | Added | Removed | Net |
|---|---|---|---|---|
| Source | 10 | 304 | 11 | +293 |
| Tests | 5 | 332 | 1 | +331 |
| Docs | 0 | 0 | 0 | 0 |
| Config | 0 | 0 | 0 | 0 |
| Generated | 1 | 2 | 2 | 0 |
| Other | 0 | 0 | 0 | 0 |
| Total | 16 | 638 | 14 | +624 |

What I checked:

  • Repository policy read: Root and scoped AGENTS.md files for agents, embedded runner, plugin SDK, plugins, extensions, and docs were read; they made provider/plugin SDK and security-boundary changes compatibility-sensitive review surfaces. (AGENTS.md:1, 3a9ea1d85bef)
  • Current-main behavior: Current main resolves native Codex search activation from global config, model API/provider, and auth only; it does not include agent/group/sender/sandbox/session tool policy in the native activation decision. (src/agents/codex-native-web-search-core.ts:95, 3a9ea1d85bef)
  • Current wrapper behavior: Current main's Codex native-search stream wrapper calls resolveCodexNativeSearchActivation with config, model provider, model API, and agentDir only, so native payload injection can bypass the richer runtime tool-policy context. (src/llm/providers/stream-wrappers/openai.ts:648, 3a9ea1d85bef)
  • Policy contract: OpenClaw tool policy expands groups such as group:web before allow/deny matching, and all active policies must allow a tool for it to remain available. (src/agents/tool-policy-match.ts:47, 3a9ea1d85bef)
  • Docs contract: The public docs define group:web as web_search, x_search, and web_fetch, while the web-search docs describe native OpenAI/Codex search as replacing or supplementing managed web_search under config. Public docs: docs/gateway/config-tools.md. (docs/gateway/config-tools.md:38, 3a9ea1d85bef)
  • Final PR diff: The final diff removes the earlier raw provider-hook policy context shape and exposes only agentId plus nativeWebSearchAllowedByToolPolicy on provider hook context while computing the full policy decision in core. (src/plugins/types.ts:706, 89d23b37803f)

Likely related people:

  • steipete: GitHub path history shows repeated recent work on Codex native-search docs, OpenAI provider identity, plugin SDK public helpers, and extension sources that overlap this PR's provider/native-search boundary. (role: plugin/provider SDK area owner by history; confidence: high; commits: e996956c294c, 4c33aaa86c16, a16c6ca94b23; files: src/agents/codex-native-web-search-core.ts, src/plugin-sdk/provider-stream.ts, src/plugins/types.ts)
  • vincentkoc: GitHub path history shows recent provider-runtime and provider-stream work, including provider fanout and OpenRouter/provider stream changes adjacent to the stream-wrapper and SDK surfaces touched here. (role: recent provider/runtime contributor; confidence: medium; commits: d07ba5f2656d, 34b3471f8553, 27b15a19e84c; files: src/plugin-sdk/provider-stream.ts, src/plugins/types.ts, src/llm/providers/stream-wrappers/openai.ts)
  • Jacob Tomlinson: The shallow local checkout blames the central native-search and provider-wrapper files to commit 8c3ba33, so this is a weak but current-main routing signal rather than deep authorship proof. (role: current checkout blame boundary; confidence: low; commits: 8c3ba3346311; files: src/agents/codex-native-web-search-core.ts, src/llm/providers/stream-wrappers/openai.ts, src/plugin-sdk/provider-stream.ts)

What the crustacean ranks mean
  • 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
  • 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
  • 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
  • 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
  • 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
  • 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
  • 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works
  • ClawSweeper keeps one durable marker-backed review comment per issue or PR.
  • Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
  • A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
  • PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
  • Maintainers can also comment @clawsweeper review to request a fresh review only.
  • Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
  • Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
  • Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

@clawsweeper clawsweeper Bot added the rating: 🌊 off-meta tidepool PR readiness rating does not apply to this item. label Jun 9, 2026
@openclaw-barnacle openclaw-barnacle Bot added docs Improvements or additions to documentation size: L and removed size: M labels Jun 9, 2026
@clawsweeper clawsweeper Bot added rating: 🦪 silver shellfish Thin PR readiness signal; proof, validation, or implementation needs work. status: 📣 needs proof The PR needs real behavior proof before ClawSweeper can clear the contributor ask. P1 High-priority user-facing bug, regression, or broken workflow. merge-risk: 🚨 security-boundary 🚨 May affect sandboxing, authorization, credentials, or sensitive data. and removed rating: 🌊 off-meta tidepool PR readiness rating does not apply to this item. labels Jun 9, 2026
@eleqtrizit eleqtrizit self-assigned this Jun 9, 2026
@clawsweeper clawsweeper Bot added rating: 🧂 unranked krab Not merge-ready due to missing proof or serious correctness/safety concerns. and removed rating: 🦪 silver shellfish Thin PR readiness signal; proof, validation, or implementation needs work. labels Jun 9, 2026
@eleqtrizit

Contributor Author

@clawsweeper re-review

Follow-up fixes pushed in 7f45e7bf90:

  • Direct OpenAI Responses native web_search now checks the shared native web-search policy decision before injecting { type: "web_search" }.
  • Added OpenAI provider regression coverage for agent-level web_search deny preserving the managed tool.
  • Fixed the compaction hook test expectation for nativeWebSearchPolicyContext.
  • Rebased onto current upstream/main.

Validation after rebase:

  • node scripts/run-vitest.mjs src/agents/codex-native-web-search.test.ts src/llm/providers/stream-wrappers/openai.test.ts src/agents/embedded-agent-runner-extraparams.test.ts extensions/openai/openai-provider.test.ts src/agents/embedded-agent-runner/compact.hooks.test.ts
  • corepack pnpm plugin-sdk:api:check
  • corepack pnpm tsgo:core
  • node scripts/check-src-extension-import-boundary.mjs --json
  • node scripts/check-sdk-package-extension-import-boundary.mjs --json
  • node scripts/check-test-helper-extension-import-boundary.mjs --json
  • git diff --check


clawsweeper Bot commented Jun 9, 2026

Contributor

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

@clawsweeper clawsweeper Bot added the merge-risk: 🚨 compatibility 🚨 May break existing users, config, migrations, defaults, or upgrade paths. label Jun 9, 2026
@eleqtrizit

Contributor Author

Behavioral proof

Commit tested: 89d23b3780

This proof uses the actual OpenAI provider stream wrapper and the core Codex native-search wrapper from the PR branch. The runtime input includes redacted sender/group values, but provider hooks receive only the final boolean policy decision.

Command run locally:

node --import tsx <redacted-runtime-payload-proof-script>

Observed redacted output:

{
  "provider_hook_denied_agent": {
    "allowedFlag": false,
    "leakedRawPolicyContext": false,
    "exposedIdentityKeys": [],
    "payloadTools": [
      { "type": "function", "name": "read" },
      { "type": "function", "name": "web_search" }
    ]
  },
  "provider_hook_allowed_agent": {
    "allowedFlag": true,
    "leakedRawPolicyContext": false,
    "exposedIdentityKeys": [],
    "payloadTools": [
      { "type": "function", "name": "read" },
      { "type": "web_search" }
    ]
  },
  "core_codex_denied_tools": [
    { "type": "function", "name": "read" }
  ],
  "core_codex_allowed_tools": [
    { "type": "function", "name": "read" },
    { "type": "web_search", "external_web_access": true }
  ]
}

What this proves:

  • Denied provider-hook path: native provider web_search is not injected; the managed web_search function remains available for normal OpenClaw policy handling.
  • Allowed provider-hook path: provider-native web_search is injected.
  • Provider-hook boundary: nativeWebSearchPolicyContext is not present, and no sender/group identity keys are exposed to provider hooks.
  • Denied core Codex wrapper path: native web_search is not injected.
  • Allowed core Codex wrapper path: native web_search is injected with live external access from config.

Validation also run after the provider-boundary fix:

node scripts/run-vitest.mjs src/agents/embedded-agent-runner-extraparams.test.ts extensions/openai/openai-provider.test.ts src/agents/codex-native-web-search.test.ts src/llm/providers/stream-wrappers/openai.test.ts src/agents/embedded-agent-runner/compact.hooks.test.ts
corepack pnpm plugin-sdk:api:check
corepack pnpm tsgo:core
git diff --check
node scripts/check-src-extension-import-boundary.mjs --json
node scripts/check-sdk-package-extension-import-boundary.mjs --json
node scripts/check-test-helper-extension-import-boundary.mjs --json
corepack pnpm build

Structured local review:

.agents/skills/autoreview/scripts/autoreview --mode local

Autoreview reported two findings that I checked and rejected:

  • The code-mode options finding does not apply because code-mode option rewriting returns before the policy-deny branch when visible code-mode tools are present.
  • The SDK compatibility finding does not apply to shipped API: the raw native-search policy context/helper were introduced only on this PR branch and were removed here to address the provider-hook privacy boundary before merge.
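
The gating discussed in this thread, as an added example that is not part of the PR or of the OpenClaw code base: group entries are expanded before matching, every active layer must allow `web_search`, core reduces the result to a boolean for the provider hook, and the hosted tool replaces the managed one only on allow. The field names `agentId` and `nativeWebSearchAllowedByToolPolicy` and the `group:web` membership come from the review above; all other names, the allow/deny semantics (deny wins, an empty allow list permits everything) and the sample data are assumptions constructed for illustration.

```typescript
// Added illustration. agentId and nativeWebSearchAllowedByToolPolicy are the
// field names quoted in the review; every other name here is hypothetical.

type ToolPolicy = { allow?: string[]; deny?: string[] };
type PolicyLayer = { name: string; policy?: ToolPolicy };
type PayloadTool = { type: "function"; name: string } | { type: "web_search" };

// What core knows: raw identity plus every policy layer.
type CoreRunContext = {
  agentId: string;
  senderId: string;
  groupId: string;
  layers: PolicyLayer[];
};

// What a provider hook is handed: the decision, never the identity behind it.
type ProviderHookContext = {
  agentId: string;
  nativeWebSearchAllowedByToolPolicy: boolean;
};

// group:web membership as stated in the docs contract quoted in the review.
const TOOL_GROUPS: Record<string, string[]> = {
  "group:web": ["web_search", "x_search", "web_fetch"],
};

// Expand group entries to tool names before any allow/deny matching happens.
function expandEntries(entries: string[] | undefined): string[] {
  const out: string[] = [];
  for (const entry of entries ?? []) {
    // Own-property check so an entry such as "constructor" stays a tool name.
    const isGroup = Object.prototype.hasOwnProperty.call(TOOL_GROUPS, entry);
    const members = isGroup ? TOOL_GROUPS[entry] : undefined;
    for (const tool of members ?? [entry]) {
      if (out.indexOf(tool) === -1) out.push(tool);
    }
  }
  return out;
}

// Assumed semantics: deny wins; an absent or empty allow list permits everything.
function layerAllows(policy: ToolPolicy | undefined, tool: string): boolean {
  if (!policy) return true; // an unconfigured layer imposes no restriction
  if (expandEntries(policy.deny).indexOf(tool) !== -1) return false;
  const allow = expandEntries(policy.allow);
  return allow.length === 0 || allow.indexOf(tool) !== -1;
}

// Every active layer must allow the tool; report which layers blocked it.
function deniedLayers(layers: PolicyLayer[], tool: string): string[] {
  return layers.filter((l) => !layerAllows(l.policy, tool)).map((l) => l.name);
}

// Core computes the full decision and hands the hook only the boolean.
function toProviderHookContext(run: CoreRunContext): ProviderHookContext {
  return {
    agentId: run.agentId,
    nativeWebSearchAllowedByToolPolicy:
      deniedLayers(run.layers, "web_search").length === 0,
  };
}

// Provider-side patch: swap the managed function tool for the hosted one on allow only.
function patchPayloadTools(tools: PayloadTool[], ctx: ProviderHookContext): PayloadTool[] {
  if (!ctx.nativeWebSearchAllowedByToolPolicy) return tools; // deny: payload untouched
  const kept = tools.filter((t) => !(t.type === "function" && t.name === "web_search"));
  const native: PayloadTool = { type: "web_search" };
  return [...kept, native];
}

// Constructed sample input: the sender layer denies the whole web group.
const managedTools: PayloadTool[] = [
  { type: "function", name: "read" },
  { type: "function", name: "web_search" },
];
const deniedRun: CoreRunContext = {
  agentId: "agent-a",
  senderId: "sender-redacted",
  groupId: "group-redacted",
  layers: [
    { name: "global", policy: { allow: ["read", "group:web"] } },
    { name: "agent" },
    { name: "sender", policy: { deny: ["group:web"] } },
  ],
};
const allowedRun: CoreRunContext = {
  ...deniedRun,
  layers: [{ name: "global", policy: { allow: ["read", "group:web"] } }, { name: "agent" }],
};

const deniedCtx = toProviderHookContext(deniedRun);
const allowedCtx = toProviderHookContext(allowedRun);
const deniedPayload = patchPayloadTools(managedTools, deniedCtx);
const allowedPayload = patchPayloadTools(managedTools, allowedCtx);
```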

@eleqtrizit

Contributor Author

@clawsweeper re-review


clawsweeper Bot commented Jun 9, 2026

Contributor

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

@clawsweeper clawsweeper Bot added proof: sufficient ClawSweeper judged the real behavior proof convincing. and removed rating: 🧂 unranked krab Not merge-ready due to missing proof or serious correctness/safety concerns. labels Jun 9, 2026
@clawsweeper clawsweeper Bot added rating: 🐚 platinum hermit Good normal PR readiness with ordinary maintainer review expected. status: 👀 ready for maintainer look ClawSweeper has no concrete contributor-facing blocker left for this PR. and removed status: 📣 needs proof The PR needs real behavior proof before ClawSweeper can clear the contributor ask. labels Jun 9, 2026
@eleqtrizit

Contributor Author

Maintainer verification: native web-search entry points

I checked ClawSweeper's note about missed native provider web_search runtime callers against current head 89d23b3780.

I do not see an uncovered hosted native web-search injection path:

  • src/plugin-sdk/provider-stream.ts:130 routes the shared OpenAI Responses family through createCodexNativeWebSearchWrapper() with nativeWebSearchAllowedByToolPolicy.
  • extensions/openai/shared.ts:89 routes the direct OpenAI API-key Responses wrapper through createOpenAINativeWebSearchWrapper() with the same boolean policy decision.
  • extensions/openai/native-web-search.ts:88 returns without payload patching when nativeWebSearchAllowedByToolPolicy === false, so direct OpenAI does not inject { type: "web_search" } on deny.
  • src/agents/embedded-agent-runner/extra-params.ts:1099 computes that boolean in core from the full session/group/sender/sandbox policy context before provider hooks see it.
  • src/agents/embedded-agent-runner/run/attempt.ts:2673 covers the code-mode direct wrapper path by passing the raw policy context into createCodexNativeWebSearchWrapper().
  • src/llm/providers/stream-wrappers/openai.ts:641 has an early code-mode branch, but that branch does not inject hosted search; it installs the payload filter from src/llm/providers/stream-wrappers/openai.ts:168, which strips non-code-mode payload tools including hosted web_search.

I also checked the other type: "web_search" hits. The notable non-OpenAI hit is extensions/xai/src/web-search-shared.ts:109, which is a managed web-search provider implementation invoked as the web_search tool, not a hidden model-call stream wrapper that can bypass OpenClaw tool policy.

Maintainer conclusion: the native hosted OpenAI/Codex web-search injection entry points are covered at 89d23b3780; I do not think ClawSweeper's maintainer-review note requires another code change. The separate live blocker is the unrelated checks-node-agentic-control-plane-agent-chat CI failure in src/gateway/server.chat.gateway-server-chat-b.test.ts:2262.

@eleqtrizit

Contributor Author

Summary of All Verification Checks

Relevance

Confirmed in scope: the issue is a policy-consistency gap where native/provider Codex/OpenAI web_search tool injection bypassed agent-level tool deny policies. This is low-severity hardening (not CVE-class), with no demonstrated secret exfiltration or external mutation. The gap was verified unfixed in current main — no agentId, sessionKey, or tool policy parameters existed in the native search activation path, and no isToolAllowedByPolicies() check was performed before returning state: "native_active".

Compatibility

All changes are backward-compatible: every new parameter is optional, no config keys were removed or renamed, no CLI commands changed, no exported symbols removed, and no config schema changes were made. Existing users without deny policies see identical behavior. The Plugin SDK API baseline hash was updated for the intentional, source-compatible widening of ProviderPrepareExtraParamsContext. Import boundary checks (check-src-extension-import-boundary, check-sdk-package-extension-import-boundary, check-test-helper-extension-import-boundary) all pass with zero violations.

ClawSweeper

ClawSweeper reviewed the PR and flagged an infrastructure timeout (spawnSync codex ETIMEDOUT) — not a code quality rejection. The review was re-triggered after fixes and behavioral proof were posted. ClawSweeper also flagged the exposure of sender/group identity on provider hook context; this was addressed in a follow-up commit by narrowing the provider-facing surface to a resolved boolean (nativeWebSearchAllowedByToolPolicy) instead of raw identity data.

Code Reviews Completed

Multiple reviews were performed covering the full implementation. The core fix was iterated through several rounds: initial 6-layer policy enforcement was expanded to all 11 policy layers (profile, provider-profile, global, global-provider, agent, agent-provider, group, sender, sandbox, subagent, inherited). The direct OpenAI Responses wrapper was also fixed to check the same policy gate. All prior findings (TUI changes in diff, missing session-scoped layers, uncommitted working tree, SDK baseline hash) were addressed in subsequent commits.


Checks Completed

Check Status
Core implementation — 11 policy layer enforcement in native search activation
Direct OpenAI Responses wrapper policy gate
Managed tool suppression parity (managed tool shown when native blocked)
Compaction support (policy context preserved during session compaction)
Provider hook context narrowed to resolved boolean (no raw identity exposure)
Plugin SDK API baseline updated
TypeScript strict mode, no any types
Import boundary checks (3 scripts) — zero violations
Type checking (tsgo:core)
Build (pnpm build)
Import cycle check (pnpm check:import-cycles)
Unit tests — agent deny, session-derived group deny, provider deny, sender deny, sandbox deny, inherited session deny, managed tool suppression parity, OpenAI wrapper payload suppression
Behavioral proof — standalone runtime payload proof using actual provider wrappers with denied/allowed cases
Compatibility — optional params only, no config schema changes, no breaking changes
ClawSweeper review — infra timeout (not code rejection), re-triggered after fixes
CHANGELOG discipline — not edited (correct for contributor PR)
git diff --check — no whitespace errors

Abbreviations

| Abbreviation | Definition |
|---|---|
| SDK | Software Development Kit |
| API | Application Programming Interface |
| CI | Continuous Integration |
| CVE | Common Vulnerabilities and Exposures |
| GHSA | GitHub Security Advisory |
| E2E | End-to-End |
| RSS | Resident Set Size (memory) |
| I/O | Input/Output |
| LOC | Lines of Code |
| TUI | Terminal User Interface |
| PR | Pull Request |

@eleqtrizit eleqtrizit merged commit f0d8048 into openclaw:main Jun 9, 2026
184 of 191 checks passed
github-actions Bot pushed a commit to Desicool/openclaw that referenced this pull request Jun 10, 2026
* fix(search): enforce native web search tool policy

* fix(search): apply session policy to native web search

* fix(search): gate direct OpenAI native search

* fix(search): redact native web search provider context
eleboucher pushed a commit to eleboucher/homelab that referenced this pull request Jun 12, 2026
…26.6.6) (#1040)

This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [ghcr.io/openclaw/openclaw](https://openclaw.ai) ([source](https://github.com/openclaw/openclaw)) | patch | `2026.6.5` → `2026.6.6` |

---

### Release Notes

<details>
<summary>openclaw/openclaw (ghcr.io/openclaw/openclaw)</summary>

### [`v2026.6.6`](https://github.com/openclaw/openclaw/blob/HEAD/CHANGELOG.md#202666)

[Compare Source](openclaw/openclaw@v2026.6.5...v2026.6.6)

##### Highlights

- Security boundaries are substantially tighter across transcripts, sandbox binds, host environment inheritance, MCP stdio, Codex HTTP access, native search policy, elevated sender checks, deleted-agent ACP bypasses, loopback tools, Discord moderation, and Teams group actions; exec approvals now fail closed on timeout. ([#91529](openclaw/openclaw#91529), [#91618](openclaw/openclaw#91618), [#91615](openclaw/openclaw#91615), [#91619](openclaw/openclaw#91619), [#91741](openclaw/openclaw#91741), [#91745](openclaw/openclaw#91745), [#91746](openclaw/openclaw#91746), [#91748](openclaw/openclaw#91748), [#91749](openclaw/openclaw#91749), [#91750](openclaw/openclaw#91750), [#91751](openclaw/openclaw#91751), [#91752](openclaw/openclaw#91752), [#91763](openclaw/openclaw#91763), [#89938](openclaw/openclaw#89938)) Thanks [@joshavant](https://github.com/joshavant), [@pgondhi987](https://github.com/pgondhi987), [@mmaps](https://github.com/mmaps), [@eleqtrizit](https://github.com/eleqtrizit), [@shakkernerd](https://github.com/shakkernerd), and [@drobison00](https://github.com/drobison00).
- Telegram delivery is safer and more coherent: account-scoped topics route to the right agent, streamed text survives tool calls, `/compact` works on generic ingress, callback handling uses concrete APIs, draft chunking is shared, durable dispatch dedupe moved into the SDK, and unauthorized DM text stays out of cache and prompt context. ([#91189](openclaw/openclaw#91189), [#88682](openclaw/openclaw#88682), [#89588](openclaw/openclaw#89588), [#90212](openclaw/openclaw#90212), [#91876](openclaw/openclaw#91876), [#91874](openclaw/openclaw#91874), [#91904](openclaw/openclaw#91904), [#91478](openclaw/openclaw#91478), [#91915](openclaw/openclaw#91915)) Thanks [@codysai001](https://github.com/codysai001), [@alexzhu0](https://github.com/alexzhu0), [@joelnishanth](https://github.com/joelnishanth), [@snowzlm](https://github.com/snowzlm), [@obviyus](https://github.com/obviyus), and [@sallyom](https://github.com/sallyom).
- iMessage recovery and delivery now cover always-on inbound restart, durable echo markers, block streaming, idle approval discovery, hardened outbound transport, and actionable inbound startup diagnostics. ([#91335](openclaw/openclaw#91335), [#91449](openclaw/openclaw#91449), [#88969](openclaw/openclaw#88969), [#88530](openclaw/openclaw#88530), [#91783](openclaw/openclaw#91783), [#91785](openclaw/openclaw#91785)) Thanks [@omarshahine](https://github.com/omarshahine), [@jmissig](https://github.com/jmissig), and [@colmbrogan](https://github.com/colmbrogan).
- Browser and MCP connectivity gained existing-session CDP support, discovered WebSocket validation, default-profile `cdpUrl` handling, safer browser-output boundaries, Streamable HTTP loopback transport, corrected OAuth/SSE authorization handling, and broader schema compatibility. ([#91422](openclaw/openclaw#91422), [#89851](openclaw/openclaw#89851), [#91736](openclaw/openclaw#91736), [#91747](openclaw/openclaw#91747), [#91451](openclaw/openclaw#91451), [#80143](openclaw/openclaw#80143)) Thanks [@pgondhi987](https://github.com/pgondhi987), [@anagnorisis2peripeteia](https://github.com/anagnorisis2peripeteia), [@lifuyue](https://github.com/lifuyue), [@eleqtrizit](https://github.com/eleqtrizit), [@LiuwqGit](https://github.com/LiuwqGit), and [@HemantSudarshan](https://github.com/HemantSudarshan).
- Control UI startup and first-reply latency are lower through cached model metadata, removal of the startup catalog wait, lazy slash-command loading, and first-event tracing with slow-reply diagnostics. ([#91531](openclaw/openclaw#91531), [#91538](openclaw/openclaw#91538), [#91568](openclaw/openclaw#91568), [#91583](openclaw/openclaw#91583), [#91598](openclaw/openclaw#91598))
- Provider support expands with OpenRouter OAuth onboarding and Claude Fable 5 adaptive thinking, while Codex sessions keep correct compaction ownership, local models skip guardian review, dynamic tool progress normalizes cleanly, and Gemma 4 reasoning replay is preserved. ([#91830](openclaw/openclaw#91830), [#91882](openclaw/openclaw#91882), [#91590](openclaw/openclaw#91590), [#88630](openclaw/openclaw#88630), [#88768](openclaw/openclaw#88768), [#91696](openclaw/openclaw#91696)) Thanks [@Patrick-Erichsen](https://github.com/Patrick-Erichsen), [@joshavant](https://github.com/joshavant), [@bdjben](https://github.com/bdjben), and [@Coder-Wangyankun](https://github.com/Coder-Wangyankun).

##### Changes

- CLI progress: emit Claude CLI commentary progress events and bridge inter-tool commentary into channel progress without exposing internal protocol scaffolding. ([#89834](openclaw/openclaw#89834), [#90883](openclaw/openclaw#90883)) Thanks [@anagnorisis2peripeteia](https://github.com/anagnorisis2peripeteia).
- Observability: allow trusted diagnostics channels to capture tool input/output content, add first-assistant-event traces, and warn on slow initial replies. ([#91256](openclaw/openclaw#91256), [#91568](openclaw/openclaw#91568), [#91583](openclaw/openclaw#91583)) Thanks [@amknight](https://github.com/amknight).
- Plugins/ClawHub: dogfood reusable package publishing, let dry runs skip publish approval, allow declared installed trusted hooks, report managed plugin version drift, and warn instead of failing on retired Skill Workshop configuration. ([#91574](openclaw/openclaw#91574), [#91591](openclaw/openclaw#91591), [#90004](openclaw/openclaw#90004), [#90927](openclaw/openclaw#90927), [#90838](openclaw/openclaw#90838)) Thanks [@Patrick-Erichsen](https://github.com/Patrick-Erichsen), [@brokemac79](https://github.com/brokemac79), and [@lonexreb](https://github.com/lonexreb).
- Memory/providers: move the local llama.cpp runtime into its provider plugin, batch embeddings across files, persist the agent model catalog cache, and keep QMD JSON search one-shot while filtering stale REM recall previews. ([#91324](openclaw/openclaw#91324), [#89138](openclaw/openclaw#89138), [#90457](openclaw/openclaw#90457), [#91837](openclaw/openclaw#91837), [#91851](openclaw/openclaw#91851)) Thanks [@osolmaz](https://github.com/osolmaz), [@mushuiyu886](https://github.com/mushuiyu886), [@ai-hpc](https://github.com/ai-hpc), and [@TurboTheTurtle](https://github.com/TurboTheTurtle).
- Channels/mobile: add the QQBot group mention toggle, improve iPad and iPhone control surfaces, and expose the active connection host in the TUI footer. ([#91423](openclaw/openclaw#91423), [#91557](openclaw/openclaw#91557), [#89909](openclaw/openclaw#89909)) Thanks [@cxyhhhhh](https://github.com/cxyhhhhh), [@Solvely-Colin](https://github.com/Solvely-Colin), and [@baskduf](https://github.com/baskduf).
- Performance: prewarm TUI runtime plugins, deduplicate plugin auto-enable fanout, trim dense text-delta snapshots, and reuse prepared startup model metadata. ([#90782](openclaw/openclaw#90782), [#89978](openclaw/openclaw#89978), [#91580](openclaw/openclaw#91580), [#91531](openclaw/openclaw#91531)) Thanks [@RomneyDa](https://github.com/RomneyDa) and [@ai-hpc](https://github.com/ai-hpc).

##### Fixes

- Agent/session recovery: drop stale approval follow-ups after session rebind, remove drained reply-queue items by identity, recover stale main and visible replies, preserve Codex context-engine compaction ownership, lower the default compaction timeout to 180 seconds while respecting explicit configuration, and keep provider-failure terminal lifecycle state correct. ([#85679](openclaw/openclaw#85679), [#91450](openclaw/openclaw#91450), [#91566](openclaw/openclaw#91566), [#91840](openclaw/openclaw#91840), [#91590](openclaw/openclaw#91590), [#91361](openclaw/openclaw#91361), [#91895](openclaw/openclaw#91895)) Thanks [@openperf](https://github.com/openperf), [@yetval](https://github.com/yetval), [@joshavant](https://github.com/joshavant), [@wangmiao0668000666](https://github.com/wangmiao0668000666), and [@TurboTheTurtle](https://github.com/TurboTheTurtle).
- User-visible content boundaries: suppress Codex/Harmony protocol artifacts, neutralize browser and LanceDB memory media directives, redact transcript images, and preserve native `/compact` replies through source suppression. ([#89151](openclaw/openclaw#89151), [#91422](openclaw/openclaw#91422), [#91425](openclaw/openclaw#91425), [#91529](openclaw/openclaw#91529), [#90212](openclaw/openclaw#90212)) Thanks [@joelnishanth](https://github.com/joelnishanth), [@pgondhi987](https://github.com/pgondhi987), [@joshavant](https://github.com/joshavant), and [@snowzlm](https://github.com/snowzlm).
- Channel delivery: keep WhatsApp captured replies attached to the successor controller after restart, retry Feishu rate limits, preserve Mattermost thread replies, canonicalize LINE webhook paths, restore Discord reply hydration and runtime timeout exports, and show OpenAI Realtime WebRTC assistant transcripts. ([#85823](openclaw/openclaw#85823), [#89659](openclaw/openclaw#89659), [#91684](openclaw/openclaw#91684), [#91649](openclaw/openclaw#91649), [#90263](openclaw/openclaw#90263), [#91686](openclaw/openclaw#91686), [#90426](openclaw/openclaw#90426)) Thanks [@itsuzef](https://github.com/itsuzef), [@ladygege](https://github.com/ladygege), [@jacobtomlinson](https://github.com/jacobtomlinson), [@fuller-stack-dev](https://github.com/fuller-stack-dev), and [@shushushv](https://github.com/shushushv).
- Cron: cancel active task runs cleanly, preserve terminal timeout/cancel state, and recover no-deliver tool warnings instead of silently losing the outcome. ([#90666](openclaw/openclaw#90666), [#90678](openclaw/openclaw#90678)) Thanks [@ai-hpc](https://github.com/ai-hpc).
- Gateway/config/auth: share the approval runtime socket token, replace arrays explicitly in `config.patch`, skip the deleted-agent guard only for valid ACP harness sessions, surface headless LaunchAgent state, verify SQLite auth migration before cleanup, and arm QMD startup maintenance. ([#87105](openclaw/openclaw#87105), [#91551](openclaw/openclaw#91551), [#91219](openclaw/openclaw#91219), [#91614](openclaw/openclaw#91614), [#91740](openclaw/openclaw#91740), [#91978](openclaw/openclaw#91978)) Thanks [@fuller-stack-dev](https://github.com/fuller-stack-dev) and [@scotthuang](https://github.com/scotthuang).
- Providers/Codex: clarify quota errors, restore the Codex synthetic usage line, canonicalize Codex protocol assets, require API-key auth for realtime voice, normalize ACP model refs, preserve Gemma 4 `reasoning_content`, and avoid guardian review for local models. ([#91390](openclaw/openclaw#91390), [#91709](openclaw/openclaw#91709), [#91507](openclaw/openclaw#91507), [#91567](openclaw/openclaw#91567), [#88630](openclaw/openclaw#88630), [#91696](openclaw/openclaw#91696)) Thanks [@hxy91819](https://github.com/hxy91819), [@brokemac79](https://github.com/brokemac79), [@RomneyDa](https://github.com/RomneyDa), [@joshavant](https://github.com/joshavant), and [@Coder-Wangyankun](https://github.com/Coder-Wangyankun).
- Updates/builds: recover package Gateway restarts after refresh failure, expose plugin convergence repair, fall back to Corepack in PATH-less pnpm environments, seed the correct Docker store packages, and keep ClawHub dry-run and publish paths reusable. ([#91581](openclaw/openclaw#91581), [#91599](openclaw/openclaw#91599), [#91547](openclaw/openclaw#91547), [#91591](openclaw/openclaw#91591)) Thanks [@fuller-stack-dev](https://github.com/fuller-stack-dev), [@sallyom](https://github.com/sallyom), and [@Patrick-Erichsen](https://github.com/Patrick-Erichsen).
- UI: require explicit user intent before opening chat sessions and drain restored chat queues after session switches. ([#91480](openclaw/openclaw#91480)) Thanks [@TurboTheTurtle](https://github.com/TurboTheTurtle).
- Android: avoid the `dataSync` foreground-service type for persistent nodes. ([#80082](openclaw/openclaw#80082)) Thanks [@davelutztx](https://github.com/davelutztx).
- Native hooks: bound relay lifetimes so abandoned native hook connections cannot linger indefinitely. ([#91550](openclaw/openclaw#91550)) Thanks [@joshavant](https://github.com/joshavant).

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about these updates again.

---

- [ ] If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).

Reviewed-on: https://git.erwanleboucher.dev/eleboucher/homelab/pulls/1040

Labels

- agents (Agent runtime and tooling)
- docs (Improvements or additions to documentation)
- extensions: openai
- maintainer (Maintainer-authored PR)
- merge-risk: 🚨 compatibility 🚨 (May break existing users, config, migrations, defaults, or upgrade paths.)
- merge-risk: 🚨 security-boundary 🚨 (May affect sandboxing, authorization, credentials, or sensitive data.)
- P1 (High-priority user-facing bug, regression, or broken workflow.)
- proof: sufficient (ClawSweeper judged the real behavior proof convincing.)
- rating: 🐚 platinum hermit (Good normal PR readiness with ordinary maintainer review expected.)
- size: L
- status: 👀 ready for maintainer look (ClawSweeper has no concrete contributor-facing blocker left for this PR.)
