mirror of
https://github.com/openclaw/openclaw.git
synced 2026-04-14 21:33:56 +02:00
b8f66c260d
* Agents: add subagent orchestration controls
* Agents: add subagent orchestration controls (WIP uncommitted changes)
* feat(subagents): add depth-based spawn gating for sub-sub-agents
* feat(subagents): tool policy, registry, and announce chain for nested agents
* feat(subagents): system prompt, docs, changelog for nested sub-agents
* fix(subagents): prevent model fallback override, show model during active runs, and block context overflow fallback
Bug 1: When a session has an explicit model override (e.g., gpt/openai-codex),
the fallback candidate logic in resolveFallbackCandidates silently appended the
global primary model (opus) as a backstop. On reinjection/steer with a transient
error, the session could fall back to opus which has a smaller context window
and crash. Fix: when storedModelOverride is set, pass fallbacksOverride ?? []
instead of undefined, preventing the implicit primary backstop.
Bug 2: Active subagents showed 'model n/a' in /subagents list because
resolveModelDisplay only read entry.model/modelProvider (populated after run
completes). Fix: fall back to modelOverride/providerOverride fields which are
populated at spawn time via sessions.patch.
Bug 3: Context overflow errors (prompt too long, context_length_exceeded) could
theoretically escape runEmbeddedPiAgent and be treated as failover candidates
in runWithModelFallback, causing a switch to a model with a smaller context
window. Fix: in runWithModelFallback, detect context overflow errors via
isLikelyContextOverflowError and rethrow them immediately instead of trying the
next model candidate.
* fix(subagents): track spawn depth in session store and fix announce routing for nested agents
* Fix compaction status tracking and dedupe overflow compaction triggers
* fix(subagents): enforce depth block via session store and implement cascade kill
* fix: inject group chat context into system prompt
* fix(subagents): always write model to session store at spawn time
* Preserve spawnDepth when agent handler rewrites session entry
* fix(subagents): suppress announce on steer-restart
* fix(subagents): fallback spawned session model to runtime default
* fix(subagents): enforce spawn depth when caller key resolves by sessionId
* feat(subagents): implement active-first ordering for numeric targets and enhance task display
- Added a test to verify that subagents with numeric targets follow an active-first list ordering.
- Updated `resolveSubagentTarget` to sort subagent runs based on active status and recent activity.
- Enhanced task display in command responses to prevent truncation of long task descriptions.
- Introduced new utility functions for compacting task text and managing subagent run states.
* fix(subagents): show model for active runs via run record fallback
When the spawned model matches the agent's default model, the session
store's override fields are intentionally cleared (isDefault: true).
The model/modelProvider fields are only populated after the run
completes. This left active subagents showing 'model n/a'.
Fix: store the resolved model on SubagentRunRecord at registration
time, and use it as a fallback in both display paths (subagents tool
and /subagents command) when the session store entry has no model info.
Changes:
- SubagentRunRecord: add optional model field
- registerSubagentRun: accept and persist model param
- sessions-spawn-tool: pass resolvedModel to registerSubagentRun
- subagents-tool: pass run record model as fallback to resolveModelDisplay
- commands-subagents: pass run record model as fallback to resolveModelDisplay
* feat(chat): implement session key resolution and reset on sidebar navigation
- Added functions to resolve the main session key and reset chat state when switching sessions from the sidebar.
- Updated the `renderTab` function to handle session key changes when navigating to the chat tab.
- Introduced a test to verify that the session resets to "main" when opening chat from the sidebar navigation.
* fix: subagent timeout=0 passthrough and fallback prompt duplication
Bug 1: runTimeoutSeconds=0 now means 'no timeout' instead of applying 600s default
- sessions-spawn-tool: default to undefined (not 0) when neither timeout param
is provided; use != null check so explicit 0 passes through to gateway
- agent.ts: accept 0 as valid timeout (resolveAgentTimeoutMs already handles
0 → MAX_SAFE_TIMEOUT_MS)
Bug 2: model fallback no longer re-injects the original prompt as a duplicate
- agent.ts: track fallback attempt index; on retries use a short continuation
message instead of the full original prompt since the session file already
contains it from the first attempt
- Also skip re-sending images on fallback retries (already in session)
* feat(subagents): truncate long task descriptions in subagents command output
- Introduced a new utility function to format task previews, limiting their length to improve readability.
- Updated the command handler to use the new formatting function, ensuring task descriptions are truncated appropriately.
- Adjusted related tests to verify that long task descriptions are now truncated in the output.
* refactor(subagents): update subagent registry path resolution and improve command output formatting
- Replaced direct import of STATE_DIR with a utility function to resolve the state directory dynamically.
- Enhanced the formatting of command output for active and recent subagents, adding separators for better readability.
- Updated related tests to reflect changes in command output structure.
* fix(subagent): default sessions_spawn to no timeout when runTimeoutSeconds omitted
The previous fix (75a791106) correctly handled the case where
runTimeoutSeconds was explicitly set to 0 ("no timeout"). However,
when models omit the parameter entirely (which is common since the
schema marks it as optional), runTimeoutSeconds resolved to undefined.
undefined flowed through the chain as:
sessions_spawn → timeout: undefined (since undefined != null is false)
→ gateway agent handler → agentCommand opts.timeout: undefined
→ resolveAgentTimeoutMs({ overrideSeconds: undefined })
→ DEFAULT_AGENT_TIMEOUT_SECONDS (600s = 10 minutes)
This caused subagents to be killed at exactly 10 minutes even though
the user's intent (via TOOLS.md) was for subagents to run without a
timeout.
Fix: default runTimeoutSeconds to 0 (no timeout) when neither
runTimeoutSeconds nor timeoutSeconds is provided by the caller.
Subagent spawns are long-running by design and should not inherit the
600s agent-command default timeout.
* fix(subagent): accept timeout=0 in agent-via-gateway path (second 600s default)
* fix: thread timeout override through getReplyFromConfig dispatch path
getReplyFromConfig called resolveAgentTimeoutMs({ cfg }) with no override,
always falling back to the config default (600s). Add timeoutOverrideSeconds
to GetReplyOptions and pass it through as overrideSeconds so callers of the
dispatch chain can specify a custom timeout (0 = no timeout).
This complements the existing timeout threading in agentCommand and the
cron isolated-agent runner, which already pass overrideSeconds correctly.
* feat(model-fallback): normalize OpenAI Codex model references and enhance fallback handling
- Added normalization for OpenAI Codex model references, specifically converting "gpt-5.3-codex" to "openai-codex" before execution.
- Updated the `resolveFallbackCandidates` function to utilize the new normalization logic.
- Enhanced tests to verify the correct behavior of model normalization and fallback mechanisms.
- Introduced a new test case to ensure that the normalization process works as expected for various input formats.
* feat(tests): add unit tests for steer failure behavior in openclaw-tools
- Introduced a new test file to validate the behavior of subagents when steer replacement dispatch fails.
- Implemented tests to ensure that the announce behavior is restored correctly and that the suppression reason is cleared as expected.
- Enhanced the subagent registry with a new function to clear steer restart suppression.
- Updated related components to support the new test scenarios.
* fix(subagents): replace stop command with kill in slash commands and documentation
- Updated the `/subagents` command to replace `stop` with `kill` for consistency in controlling sub-agent runs.
- Modified related documentation to reflect the change in command usage.
- Removed legacy timeoutSeconds references from the sessions-spawn-tool schema and tests to streamline timeout handling.
- Enhanced tests to ensure correct behavior of the updated commands and their interactions.
* feat(tests): add unit tests for readLatestAssistantReply function
- Introduced a new test file for the `readLatestAssistantReply` function to validate its behavior with various message scenarios.
- Implemented tests to ensure the function correctly retrieves the latest assistant message and handles cases where the latest message has no text.
- Mocked the gateway call to simulate different message histories for comprehensive testing.
* feat(tests): enhance subagent kill-all cascade tests and announce formatting
- Added a new test to verify that the `kill-all` command cascades through ended parents to active descendants in subagents.
- Updated the subagent announce formatting tests to reflect changes in message structure, including the replacement of "Findings:" with "Result:" and the addition of new expectations for message content.
- Improved the handling of long findings and stats in the announce formatting logic to ensure concise output.
- Refactored related functions to enhance clarity and maintainability in the subagent registry and tools.
* refactor(subagent): update announce formatting and remove unused constants
- Modified the subagent announce formatting to replace "Findings:" with "Result:" and adjusted related expectations in tests.
- Removed constants for maximum announce findings characters and summary words, simplifying the announcement logic.
- Updated the handling of findings to retain full content instead of truncating, ensuring more informative outputs.
- Cleaned up unused imports in the commands-subagents file to enhance code clarity.
* feat(tests): enhance billing error handling in user-facing text
- Added tests to ensure that normal text mentioning billing plans is not rewritten, preserving user context.
- Updated the `isBillingErrorMessage` and `sanitizeUserFacingText` functions to improve handling of billing-related messages.
- Introduced new test cases for various scenarios involving billing messages to ensure accurate processing and output.
- Enhanced the subagent announce flow to correctly manage active descendant runs, preventing premature announcements.
* feat(subagent): enhance workflow guidance and auto-announcement clarity
- Added a new guideline in the subagent system prompt to emphasize trust in push-based completion, discouraging busy polling for status updates.
- Updated documentation to clarify that sub-agents will automatically announce their results, improving user understanding of the workflow.
- Enhanced tests to verify the new guidance on avoiding polling loops and to ensure the accuracy of the updated prompts.
* fix(cron): avoid announcing interim subagent spawn acks
* chore: clean post-rebase imports
* fix(cron): fall back to child replies when parent stays interim
* fix(subagents): make active-run guidance advisory
* fix(subagents): update announce flow to handle active descendants and enhance test coverage
- Modified the announce flow to defer announcements when active descendant runs are present, ensuring accurate status reporting.
- Updated tests to verify the new behavior, including scenarios where no fallback requester is available and ensuring proper handling of finished subagents.
- Enhanced the announce formatting to include an `expectFinal` flag for better clarity in the announcement process.
* fix(subagents): enhance announce flow and formatting for user updates
- Updated the announce flow to provide clearer instructions for user updates based on active subagent runs and requester context.
- Refactored the announcement logic to improve clarity and ensure internal context remains private.
- Enhanced tests to verify the new message expectations and formatting, including updated prompts for user-facing updates.
- Introduced a new function to build reply instructions based on session context, improving the overall announcement process.
* fix: resolve prep blockers and changelog placement (#14447) (thanks @tyler6204)
* fix: restore cron delivery-plan import after rebase (#14447) (thanks @tyler6204)
* fix: resolve test failures from rebase conflicts (#14447) (thanks @tyler6204)
* fix: apply formatting after rebase (#14447) (thanks @tyler6204)
471 lines
18 KiB
TypeScript
471 lines
18 KiB
TypeScript
import {
|
|
codingTools,
|
|
createEditTool,
|
|
createReadTool,
|
|
createWriteTool,
|
|
readTool,
|
|
} from "@mariozechner/pi-coding-agent";
|
|
import type { OpenClawConfig } from "../config/config.js";
|
|
import type { ModelAuthMode } from "./model-auth.js";
|
|
import type { AnyAgentTool } from "./pi-tools.types.js";
|
|
import type { SandboxContext } from "./sandbox.js";
|
|
import { logWarn } from "../logger.js";
|
|
import { getPluginToolMeta } from "../plugins/tools.js";
|
|
import { isSubagentSessionKey } from "../routing/session-key.js";
|
|
import { resolveGatewayMessageChannel } from "../utils/message-channel.js";
|
|
import { resolveAgentConfig } from "./agent-scope.js";
|
|
import { createApplyPatchTool } from "./apply-patch.js";
|
|
import {
|
|
createExecTool,
|
|
createProcessTool,
|
|
type ExecToolDefaults,
|
|
type ProcessToolDefaults,
|
|
} from "./bash-tools.js";
|
|
import { listChannelAgentTools } from "./channel-tools.js";
|
|
import { createOpenClawTools } from "./openclaw-tools.js";
|
|
import { wrapToolWithAbortSignal } from "./pi-tools.abort.js";
|
|
import { wrapToolWithBeforeToolCallHook } from "./pi-tools.before-tool-call.js";
|
|
import {
|
|
isToolAllowedByPolicies,
|
|
resolveEffectiveToolPolicy,
|
|
resolveGroupToolPolicy,
|
|
resolveSubagentToolPolicy,
|
|
} from "./pi-tools.policy.js";
|
|
import {
|
|
assertRequiredParams,
|
|
CLAUDE_PARAM_GROUPS,
|
|
createOpenClawReadTool,
|
|
createSandboxedEditTool,
|
|
createSandboxedReadTool,
|
|
createSandboxedWriteTool,
|
|
normalizeToolParams,
|
|
patchToolSchemaForClaudeCompatibility,
|
|
wrapToolWorkspaceRootGuard,
|
|
wrapToolParamNormalization,
|
|
} from "./pi-tools.read.js";
|
|
import { cleanToolSchemaForGemini, normalizeToolParameters } from "./pi-tools.schema.js";
|
|
import { getSubagentDepthFromSessionStore } from "./subagent-depth.js";
|
|
import {
|
|
applyToolPolicyPipeline,
|
|
buildDefaultToolPolicyPipelineSteps,
|
|
} from "./tool-policy-pipeline.js";
|
|
import {
|
|
applyOwnerOnlyToolPolicy,
|
|
collectExplicitAllowlist,
|
|
resolveToolProfilePolicy,
|
|
} from "./tool-policy.js";
|
|
import { resolveWorkspaceRoot } from "./workspace-dir.js";
|
|
|
|
function isOpenAIProvider(provider?: string) {
|
|
const normalized = provider?.trim().toLowerCase();
|
|
return normalized === "openai" || normalized === "openai-codex";
|
|
}
|
|
|
|
function isApplyPatchAllowedForModel(params: {
|
|
modelProvider?: string;
|
|
modelId?: string;
|
|
allowModels?: string[];
|
|
}) {
|
|
const allowModels = Array.isArray(params.allowModels) ? params.allowModels : [];
|
|
if (allowModels.length === 0) {
|
|
return true;
|
|
}
|
|
const modelId = params.modelId?.trim();
|
|
if (!modelId) {
|
|
return false;
|
|
}
|
|
const normalizedModelId = modelId.toLowerCase();
|
|
const provider = params.modelProvider?.trim().toLowerCase();
|
|
const normalizedFull =
|
|
provider && !normalizedModelId.includes("/")
|
|
? `${provider}/${normalizedModelId}`
|
|
: normalizedModelId;
|
|
return allowModels.some((entry) => {
|
|
const normalized = entry.trim().toLowerCase();
|
|
if (!normalized) {
|
|
return false;
|
|
}
|
|
return normalized === normalizedModelId || normalized === normalizedFull;
|
|
});
|
|
}
|
|
|
|
function resolveExecConfig(params: { cfg?: OpenClawConfig; agentId?: string }) {
|
|
const cfg = params.cfg;
|
|
const globalExec = cfg?.tools?.exec;
|
|
const agentExec =
|
|
cfg && params.agentId ? resolveAgentConfig(cfg, params.agentId)?.tools?.exec : undefined;
|
|
return {
|
|
host: agentExec?.host ?? globalExec?.host,
|
|
security: agentExec?.security ?? globalExec?.security,
|
|
ask: agentExec?.ask ?? globalExec?.ask,
|
|
node: agentExec?.node ?? globalExec?.node,
|
|
pathPrepend: agentExec?.pathPrepend ?? globalExec?.pathPrepend,
|
|
safeBins: agentExec?.safeBins ?? globalExec?.safeBins,
|
|
backgroundMs: agentExec?.backgroundMs ?? globalExec?.backgroundMs,
|
|
timeoutSec: agentExec?.timeoutSec ?? globalExec?.timeoutSec,
|
|
approvalRunningNoticeMs:
|
|
agentExec?.approvalRunningNoticeMs ?? globalExec?.approvalRunningNoticeMs,
|
|
cleanupMs: agentExec?.cleanupMs ?? globalExec?.cleanupMs,
|
|
notifyOnExit: agentExec?.notifyOnExit ?? globalExec?.notifyOnExit,
|
|
notifyOnExitEmptySuccess:
|
|
agentExec?.notifyOnExitEmptySuccess ?? globalExec?.notifyOnExitEmptySuccess,
|
|
applyPatch: agentExec?.applyPatch ?? globalExec?.applyPatch,
|
|
};
|
|
}
|
|
|
|
function resolveFsConfig(params: { cfg?: OpenClawConfig; agentId?: string }) {
|
|
const cfg = params.cfg;
|
|
const globalFs = cfg?.tools?.fs;
|
|
const agentFs =
|
|
cfg && params.agentId ? resolveAgentConfig(cfg, params.agentId)?.tools?.fs : undefined;
|
|
return {
|
|
workspaceOnly: agentFs?.workspaceOnly ?? globalFs?.workspaceOnly,
|
|
};
|
|
}
|
|
|
|
export const __testing = {
|
|
cleanToolSchemaForGemini,
|
|
normalizeToolParams,
|
|
patchToolSchemaForClaudeCompatibility,
|
|
wrapToolParamNormalization,
|
|
assertRequiredParams,
|
|
} as const;
|
|
|
|
export function createOpenClawCodingTools(options?: {
|
|
exec?: ExecToolDefaults & ProcessToolDefaults;
|
|
messageProvider?: string;
|
|
agentAccountId?: string;
|
|
messageTo?: string;
|
|
messageThreadId?: string | number;
|
|
sandbox?: SandboxContext | null;
|
|
sessionKey?: string;
|
|
agentDir?: string;
|
|
workspaceDir?: string;
|
|
config?: OpenClawConfig;
|
|
abortSignal?: AbortSignal;
|
|
/**
|
|
* Provider of the currently selected model (used for provider-specific tool quirks).
|
|
* Example: "anthropic", "openai", "google", "openai-codex".
|
|
*/
|
|
modelProvider?: string;
|
|
/** Model id for the current provider (used for model-specific tool gating). */
|
|
modelId?: string;
|
|
/**
|
|
* Auth mode for the current provider. We only need this for Anthropic OAuth
|
|
* tool-name blocking quirks.
|
|
*/
|
|
modelAuthMode?: ModelAuthMode;
|
|
/** Current channel ID for auto-threading (Slack). */
|
|
currentChannelId?: string;
|
|
/** Current thread timestamp for auto-threading (Slack). */
|
|
currentThreadTs?: string;
|
|
/** Group id for channel-level tool policy resolution. */
|
|
groupId?: string | null;
|
|
/** Group channel label (e.g. #general) for channel-level tool policy resolution. */
|
|
groupChannel?: string | null;
|
|
/** Group space label (e.g. guild/team id) for channel-level tool policy resolution. */
|
|
groupSpace?: string | null;
|
|
/** Parent session key for subagent group policy inheritance. */
|
|
spawnedBy?: string | null;
|
|
senderId?: string | null;
|
|
senderName?: string | null;
|
|
senderUsername?: string | null;
|
|
senderE164?: string | null;
|
|
/** Reply-to mode for Slack auto-threading. */
|
|
replyToMode?: "off" | "first" | "all";
|
|
/** Mutable ref to track if a reply was sent (for "first" mode). */
|
|
hasRepliedRef?: { value: boolean };
|
|
/** If true, the model has native vision capability */
|
|
modelHasVision?: boolean;
|
|
/** Require explicit message targets (no implicit last-route sends). */
|
|
requireExplicitMessageTarget?: boolean;
|
|
/** If true, omit the message tool from the tool list. */
|
|
disableMessageTool?: boolean;
|
|
/** Whether the sender is an owner (required for owner-only tools). */
|
|
senderIsOwner?: boolean;
|
|
}): AnyAgentTool[] {
|
|
const execToolName = "exec";
|
|
const sandbox = options?.sandbox?.enabled ? options.sandbox : undefined;
|
|
const {
|
|
agentId,
|
|
globalPolicy,
|
|
globalProviderPolicy,
|
|
agentPolicy,
|
|
agentProviderPolicy,
|
|
profile,
|
|
providerProfile,
|
|
profileAlsoAllow,
|
|
providerProfileAlsoAllow,
|
|
} = resolveEffectiveToolPolicy({
|
|
config: options?.config,
|
|
sessionKey: options?.sessionKey,
|
|
modelProvider: options?.modelProvider,
|
|
modelId: options?.modelId,
|
|
});
|
|
const groupPolicy = resolveGroupToolPolicy({
|
|
config: options?.config,
|
|
sessionKey: options?.sessionKey,
|
|
spawnedBy: options?.spawnedBy,
|
|
messageProvider: options?.messageProvider,
|
|
groupId: options?.groupId,
|
|
groupChannel: options?.groupChannel,
|
|
groupSpace: options?.groupSpace,
|
|
accountId: options?.agentAccountId,
|
|
senderId: options?.senderId,
|
|
senderName: options?.senderName,
|
|
senderUsername: options?.senderUsername,
|
|
senderE164: options?.senderE164,
|
|
});
|
|
const profilePolicy = resolveToolProfilePolicy(profile);
|
|
const providerProfilePolicy = resolveToolProfilePolicy(providerProfile);
|
|
|
|
const mergeAlsoAllow = (policy: typeof profilePolicy, alsoAllow?: string[]) => {
|
|
if (!policy?.allow || !Array.isArray(alsoAllow) || alsoAllow.length === 0) {
|
|
return policy;
|
|
}
|
|
return { ...policy, allow: Array.from(new Set([...policy.allow, ...alsoAllow])) };
|
|
};
|
|
|
|
const profilePolicyWithAlsoAllow = mergeAlsoAllow(profilePolicy, profileAlsoAllow);
|
|
const providerProfilePolicyWithAlsoAllow = mergeAlsoAllow(
|
|
providerProfilePolicy,
|
|
providerProfileAlsoAllow,
|
|
);
|
|
// Prefer sessionKey for process isolation scope to prevent cross-session process visibility/killing.
|
|
// Fallback to agentId if no sessionKey is available (e.g. legacy or global contexts).
|
|
const scopeKey =
|
|
options?.exec?.scopeKey ?? options?.sessionKey ?? (agentId ? `agent:${agentId}` : undefined);
|
|
const subagentPolicy =
|
|
isSubagentSessionKey(options?.sessionKey) && options?.sessionKey
|
|
? resolveSubagentToolPolicy(
|
|
options.config,
|
|
getSubagentDepthFromSessionStore(options.sessionKey, { cfg: options.config }),
|
|
)
|
|
: undefined;
|
|
const allowBackground = isToolAllowedByPolicies("process", [
|
|
profilePolicyWithAlsoAllow,
|
|
providerProfilePolicyWithAlsoAllow,
|
|
globalPolicy,
|
|
globalProviderPolicy,
|
|
agentPolicy,
|
|
agentProviderPolicy,
|
|
groupPolicy,
|
|
sandbox?.tools,
|
|
subagentPolicy,
|
|
]);
|
|
const execConfig = resolveExecConfig({ cfg: options?.config, agentId });
|
|
const fsConfig = resolveFsConfig({ cfg: options?.config, agentId });
|
|
const sandboxRoot = sandbox?.workspaceDir;
|
|
const sandboxFsBridge = sandbox?.fsBridge;
|
|
const allowWorkspaceWrites = sandbox?.workspaceAccess !== "ro";
|
|
const workspaceRoot = resolveWorkspaceRoot(options?.workspaceDir);
|
|
const workspaceOnly = fsConfig.workspaceOnly === true;
|
|
const applyPatchConfig = execConfig.applyPatch;
|
|
// Secure by default: apply_patch is workspace-contained unless explicitly disabled.
|
|
// (tools.fs.workspaceOnly is a separate umbrella flag for read/write/edit/apply_patch.)
|
|
const applyPatchWorkspaceOnly = workspaceOnly || applyPatchConfig?.workspaceOnly !== false;
|
|
const applyPatchEnabled =
|
|
!!applyPatchConfig?.enabled &&
|
|
isOpenAIProvider(options?.modelProvider) &&
|
|
isApplyPatchAllowedForModel({
|
|
modelProvider: options?.modelProvider,
|
|
modelId: options?.modelId,
|
|
allowModels: applyPatchConfig?.allowModels,
|
|
});
|
|
|
|
if (sandboxRoot && !sandboxFsBridge) {
|
|
throw new Error("Sandbox filesystem bridge is unavailable.");
|
|
}
|
|
|
|
const base = (codingTools as unknown as AnyAgentTool[]).flatMap((tool) => {
|
|
if (tool.name === readTool.name) {
|
|
if (sandboxRoot) {
|
|
const sandboxed = createSandboxedReadTool({
|
|
root: sandboxRoot,
|
|
bridge: sandboxFsBridge!,
|
|
});
|
|
return [workspaceOnly ? wrapToolWorkspaceRootGuard(sandboxed, sandboxRoot) : sandboxed];
|
|
}
|
|
const freshReadTool = createReadTool(workspaceRoot);
|
|
const wrapped = createOpenClawReadTool(freshReadTool);
|
|
return [workspaceOnly ? wrapToolWorkspaceRootGuard(wrapped, workspaceRoot) : wrapped];
|
|
}
|
|
if (tool.name === "bash" || tool.name === execToolName) {
|
|
return [];
|
|
}
|
|
if (tool.name === "write") {
|
|
if (sandboxRoot) {
|
|
return [];
|
|
}
|
|
// Wrap with param normalization for Claude Code compatibility
|
|
const wrapped = wrapToolParamNormalization(
|
|
createWriteTool(workspaceRoot),
|
|
CLAUDE_PARAM_GROUPS.write,
|
|
);
|
|
return [workspaceOnly ? wrapToolWorkspaceRootGuard(wrapped, workspaceRoot) : wrapped];
|
|
}
|
|
if (tool.name === "edit") {
|
|
if (sandboxRoot) {
|
|
return [];
|
|
}
|
|
// Wrap with param normalization for Claude Code compatibility
|
|
const wrapped = wrapToolParamNormalization(
|
|
createEditTool(workspaceRoot),
|
|
CLAUDE_PARAM_GROUPS.edit,
|
|
);
|
|
return [workspaceOnly ? wrapToolWorkspaceRootGuard(wrapped, workspaceRoot) : wrapped];
|
|
}
|
|
return [tool];
|
|
});
|
|
const { cleanupMs: cleanupMsOverride, ...execDefaults } = options?.exec ?? {};
|
|
const execTool = createExecTool({
|
|
...execDefaults,
|
|
host: options?.exec?.host ?? execConfig.host,
|
|
security: options?.exec?.security ?? execConfig.security,
|
|
ask: options?.exec?.ask ?? execConfig.ask,
|
|
node: options?.exec?.node ?? execConfig.node,
|
|
pathPrepend: options?.exec?.pathPrepend ?? execConfig.pathPrepend,
|
|
safeBins: options?.exec?.safeBins ?? execConfig.safeBins,
|
|
agentId,
|
|
cwd: workspaceRoot,
|
|
allowBackground,
|
|
scopeKey,
|
|
sessionKey: options?.sessionKey,
|
|
messageProvider: options?.messageProvider,
|
|
backgroundMs: options?.exec?.backgroundMs ?? execConfig.backgroundMs,
|
|
timeoutSec: options?.exec?.timeoutSec ?? execConfig.timeoutSec,
|
|
approvalRunningNoticeMs:
|
|
options?.exec?.approvalRunningNoticeMs ?? execConfig.approvalRunningNoticeMs,
|
|
notifyOnExit: options?.exec?.notifyOnExit ?? execConfig.notifyOnExit,
|
|
notifyOnExitEmptySuccess:
|
|
options?.exec?.notifyOnExitEmptySuccess ?? execConfig.notifyOnExitEmptySuccess,
|
|
sandbox: sandbox
|
|
? {
|
|
containerName: sandbox.containerName,
|
|
workspaceDir: sandbox.workspaceDir,
|
|
containerWorkdir: sandbox.containerWorkdir,
|
|
env: sandbox.docker.env,
|
|
}
|
|
: undefined,
|
|
});
|
|
const processTool = createProcessTool({
|
|
cleanupMs: cleanupMsOverride ?? execConfig.cleanupMs,
|
|
scopeKey,
|
|
});
|
|
const applyPatchTool =
|
|
!applyPatchEnabled || (sandboxRoot && !allowWorkspaceWrites)
|
|
? null
|
|
: createApplyPatchTool({
|
|
cwd: sandboxRoot ?? workspaceRoot,
|
|
sandbox:
|
|
sandboxRoot && allowWorkspaceWrites
|
|
? { root: sandboxRoot, bridge: sandboxFsBridge! }
|
|
: undefined,
|
|
workspaceOnly: applyPatchWorkspaceOnly,
|
|
});
|
|
const tools: AnyAgentTool[] = [
|
|
...base,
|
|
...(sandboxRoot
|
|
? allowWorkspaceWrites
|
|
? [
|
|
workspaceOnly
|
|
? wrapToolWorkspaceRootGuard(
|
|
createSandboxedEditTool({ root: sandboxRoot, bridge: sandboxFsBridge! }),
|
|
sandboxRoot,
|
|
)
|
|
: createSandboxedEditTool({ root: sandboxRoot, bridge: sandboxFsBridge! }),
|
|
workspaceOnly
|
|
? wrapToolWorkspaceRootGuard(
|
|
createSandboxedWriteTool({ root: sandboxRoot, bridge: sandboxFsBridge! }),
|
|
sandboxRoot,
|
|
)
|
|
: createSandboxedWriteTool({ root: sandboxRoot, bridge: sandboxFsBridge! }),
|
|
]
|
|
: []
|
|
: []),
|
|
...(applyPatchTool ? [applyPatchTool as unknown as AnyAgentTool] : []),
|
|
execTool as unknown as AnyAgentTool,
|
|
processTool as unknown as AnyAgentTool,
|
|
// Channel docking: include channel-defined agent tools (login, etc.).
|
|
...listChannelAgentTools({ cfg: options?.config }),
|
|
...createOpenClawTools({
|
|
sandboxBrowserBridgeUrl: sandbox?.browser?.bridgeUrl,
|
|
allowHostBrowserControl: sandbox ? sandbox.browserAllowHostControl : true,
|
|
agentSessionKey: options?.sessionKey,
|
|
agentChannel: resolveGatewayMessageChannel(options?.messageProvider),
|
|
agentAccountId: options?.agentAccountId,
|
|
agentTo: options?.messageTo,
|
|
agentThreadId: options?.messageThreadId,
|
|
agentGroupId: options?.groupId ?? null,
|
|
agentGroupChannel: options?.groupChannel ?? null,
|
|
agentGroupSpace: options?.groupSpace ?? null,
|
|
agentDir: options?.agentDir,
|
|
sandboxRoot,
|
|
sandboxFsBridge,
|
|
workspaceDir: workspaceRoot,
|
|
sandboxed: !!sandbox,
|
|
config: options?.config,
|
|
pluginToolAllowlist: collectExplicitAllowlist([
|
|
profilePolicy,
|
|
providerProfilePolicy,
|
|
globalPolicy,
|
|
globalProviderPolicy,
|
|
agentPolicy,
|
|
agentProviderPolicy,
|
|
groupPolicy,
|
|
sandbox?.tools,
|
|
subagentPolicy,
|
|
]),
|
|
currentChannelId: options?.currentChannelId,
|
|
currentThreadTs: options?.currentThreadTs,
|
|
replyToMode: options?.replyToMode,
|
|
hasRepliedRef: options?.hasRepliedRef,
|
|
modelHasVision: options?.modelHasVision,
|
|
requireExplicitMessageTarget: options?.requireExplicitMessageTarget,
|
|
disableMessageTool: options?.disableMessageTool,
|
|
requesterAgentIdOverride: agentId,
|
|
}),
|
|
];
|
|
// Security: treat unknown/undefined as unauthorized (opt-in, not opt-out)
|
|
const senderIsOwner = options?.senderIsOwner === true;
|
|
const toolsByAuthorization = applyOwnerOnlyToolPolicy(tools, senderIsOwner);
|
|
const subagentFiltered = applyToolPolicyPipeline({
|
|
tools: toolsByAuthorization,
|
|
toolMeta: (tool) => getPluginToolMeta(tool),
|
|
warn: logWarn,
|
|
steps: [
|
|
...buildDefaultToolPolicyPipelineSteps({
|
|
profilePolicy: profilePolicyWithAlsoAllow,
|
|
profile,
|
|
providerProfilePolicy: providerProfilePolicyWithAlsoAllow,
|
|
providerProfile,
|
|
globalPolicy,
|
|
globalProviderPolicy,
|
|
agentPolicy,
|
|
agentProviderPolicy,
|
|
groupPolicy,
|
|
agentId,
|
|
}),
|
|
{ policy: sandbox?.tools, label: "sandbox tools.allow" },
|
|
{ policy: subagentPolicy, label: "subagent tools.allow" },
|
|
],
|
|
});
|
|
// Always normalize tool JSON Schemas before handing them to pi-agent/pi-ai.
|
|
// Without this, some providers (notably OpenAI) will reject root-level union schemas.
|
|
const normalized = subagentFiltered.map(normalizeToolParameters);
|
|
const withHooks = normalized.map((tool) =>
|
|
wrapToolWithBeforeToolCallHook(tool, {
|
|
agentId,
|
|
sessionKey: options?.sessionKey,
|
|
}),
|
|
);
|
|
const withAbort = options?.abortSignal
|
|
? withHooks.map((tool) => wrapToolWithAbortSignal(tool, options.abortSignal))
|
|
: withHooks;
|
|
|
|
// NOTE: Keep canonical (lowercase) tool names here.
|
|
// pi-ai's Anthropic OAuth transport remaps tool names to Claude Code-style names
|
|
// on the wire and maps them back for tool dispatch.
|
|
return withAbort;
|
|
}
|