fix: scope session entry policy context

docs/.generated/plugin-sdk-api-baseline.sha256

@@ -1,2 +1,2 @@
-cbeddff94b5dc510178b4a33433bac8ac00691ccd71f490abf359c9348a5b3e4  plugin-sdk-api-baseline.json
-0d8ee33684cea3cf0f0f564419bf3378b7cfdd2c1a3798e621bcec3e7e219109  plugin-sdk-api-baseline.jsonl
+b7044c16230d4ed03b2d7f39a6443174bfdbf424868cc173f45bd6e90539bce1  plugin-sdk-api-baseline.json
+7770b6b656780180bdc4c363e23054815709f4744515d89f709c14c0e1f84d9b  plugin-sdk-api-baseline.jsonl

src/agents/pi-tools.before-tool-call.ts

@@ -479,7 +479,6 @@ export async function runBeforeToolCallHook(args: {
     const toolContext = {
       toolName,
       ...(args.ctx?.agentId && { agentId: args.ctx.agentId }),
-      ...(args.ctx?.config && { config: args.ctx.config }),
       ...(args.ctx?.sessionKey && { sessionKey: args.ctx.sessionKey }),
       ...(args.ctx?.sessionId && { sessionId: args.ctx.sessionId }),
       ...(args.ctx?.runId && { runId: args.ctx.runId }),
@@ -494,6 +493,7 @@ export async function runBeforeToolCallHook(args: {
         ...(args.toolCallId && { toolCallId: args.toolCallId }),
       },
       toolContext,
+      args.ctx?.config ? { config: args.ctx.config } : undefined,
     );
     if (trustedPolicyResult?.block) {
       return {

src/plugins/contracts/session-entry-projection.contract.test.ts

@@ -262,6 +262,7 @@ describe("plugin session extension SessionEntry projection", () => {
 
   it("exposes scoped session extension reads to trusted tool policies", async () => {
     const seen: unknown[] = [];
+    const seenConfig: unknown[] = [];
     const { config, registry } = createPluginRegistryFixture();
     registerTestPlugin({
       registry,
@@ -281,6 +282,7 @@ describe("plugin session extension SessionEntry projection", () => {
           description: "inspect session extension",
           evaluate(_event, ctx) {
             seen.push(ctx.getSessionExtension?.("policy"));
+            seenConfig.push((ctx as { config?: unknown }).config);
             return undefined;
           },
         });
@@ -321,8 +323,8 @@ describe("plugin session extension SessionEntry projection", () => {
               {
                 toolName: "apply_patch",
                 sessionKey: "agent:main:main",
-                config: tempConfig as never,
               },
+              { config: tempConfig as never },
             ),
           ).resolves.toBeUndefined();
 
@@ -347,6 +349,7 @@ describe("plugin session extension SessionEntry projection", () => {
     }
 
     expect(seen).toEqual([{ gate: "open" }, undefined]);
+    expect(seenConfig).toEqual([undefined, undefined]);
   });
 
   it("does not touch top-level SessionEntry slots when sessionEntrySlotKey is omitted", async () => {

src/plugins/hook-types.ts

@@ -398,7 +398,6 @@ export type PluginHookReplyDispatchResult = {
 
 export type PluginHookToolContext = {
   agentId?: string;
-  config?: OpenClawConfig;
   sessionKey?: string;
   sessionId?: string;
   runId?: string;

src/plugins/trusted-tool-policy.ts

@@ -1,3 +1,4 @@
+import type { OpenClawConfig } from "../config/types.openclaw.js";
 import type {
   PluginHookBeforeToolCallEvent,
   PluginHookBeforeToolCallResult,
@@ -10,6 +11,7 @@ import { getActivePluginRegistry } from "./runtime.js";
 export async function runTrustedToolPolicies(
   event: PluginHookBeforeToolCallEvent,
   ctx: PluginHookToolContext,
+  options?: { config?: OpenClawConfig },
 ): Promise<PluginHookBeforeToolCallResult | undefined> {
   const policies = getActivePluginRegistry()?.trustedToolPolicies ?? [];
   let adjustedParams = event.params;
@@ -26,12 +28,12 @@ export async function runTrustedToolPolicies(
         if (sessionExtensionCache.has(cacheKey)) {
           return sessionExtensionCache.get(cacheKey) as T | undefined;
         }
-        if (!ctx.config) {
+        if (!options?.config) {
           sessionExtensionCache.set(cacheKey, undefined);
           return undefined;
         }
         const value = getPluginSessionExtensionSync<T>({
-          cfg: ctx.config,
+          cfg: options.config,
           pluginId: registration.pluginId,
           sessionKey: ctx.sessionKey,
           namespace: normalizedNamespace,