docs: clarify messaging vs full tool profiles (#39954)

* docs: clarify messaging vs full tool profiles * docs: normalize tools.profile references * docs: clarify messaging and full tool profiles --------- Co-authored-by: vincentkoc <25068+vincentkoc@users.noreply.github.com>
2026-05-06 05:30:42 +00:00 · 2026-04-27 23:44:17 +01:00
parent cc80a40d86
commit c51e315f3a
4 changed files with 34 additions and 4 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -16,6 +16,7 @@ Docs: https://docs.openclaw.ai

 ### Fixes

+- Docs/tools: clarify that `tools.profile: "messaging"` is intentionally narrow and that `tools.profile: "full"` is the unrestricted baseline for broader command/control access. Carries forward #39954. Thanks @posigit.
 - Control UI/Agents: redact tool-call args, partial/final results, derived exec output, and configured custom secret patterns before streaming tool events to the Control UI, so tool output cannot expose provider or channel credentials. Fixes #72283. (#72319) Thanks @volcano303 and @BunsDev.
 - Providers/Codex: pass agent and workspace directories into provider stream wrappers so Codex native `web_search` activation can evaluate the correct auth context, and smoke-test the built status-message runtime by resolving the emitted bundle name. Carries forward #67843; refs #65909. Thanks @neilofneils404.
 - Models/fallbacks: treat user-selected session models as exact choices, so `/model ollama/...` and model-picker switches fail visibly when the selected provider is unreachable instead of answering from an unrelated configured fallback. Fixes #73023. Thanks @pavelyortho-cyber.
--- a/docs/tools/index.md
+++ b/docs/tools/index.md
@@ -140,11 +140,19 @@ Per-agent override: `agents.list[].tools.profile`.

 | Profile     | What it includes                                                                                                                                  |
 | ----------- | ------------------------------------------------------------------------------------------------------------------------------------------------- |
-| `full`      | No restriction (same as unset)                                                                                                                    |
+| `full`      | Unrestricted baseline for broader command/control access; same as leaving `tools.profile` unset                                                   |
 | `coding`    | `group:fs`, `group:runtime`, `group:web`, `group:sessions`, `group:memory`, `cron`, `image`, `image_generate`, `music_generate`, `video_generate` |
 | `messaging` | `group:messaging`, `sessions_list`, `sessions_history`, `sessions_send`, `session_status`                                                         |
 | `minimal`   | `session_status` only                                                                                                                             |

+<Note>
+`tools.profile: "messaging"` is intentionally narrow for channel-focused
+agents. It leaves out broader command/control tools such as filesystem, runtime,
+browser, canvas, nodes, cron, and gateway control. Use `tools.profile: "full"`
+as the unrestricted baseline for broader command/control access, then trim
+access with `tools.allow` / `tools.deny` when needed.
+</Note>
+
 `coding` includes lightweight web tools (`web_search`, `web_fetch`, `x_search`)
 but not the full browser-control tool. Browser automation can drive real
 sessions and logged-in profiles, so add it explicitly with
@@ -156,6 +164,16 @@ under the plugin key `bundle-mcp`. Add `tools.deny: ["bundle-mcp"]` when you
 want a profile to keep its normal built-ins but hide all configured MCP tools.
 The `minimal` profile does not include bundle MCP tools.

+Example (broadest tool surface by default):
+
+```json5
+{
+  tools: {
+    profile: "full",
+  },
+}
+```
+
 ### Tool groups

 Use `group:*` shorthands in allow/deny lists:
--- a/scripts/changed-lanes.mjs
+++ b/scripts/changed-lanes.mjs
@@ -94,9 +94,7 @@ export function detectChangedLanes(changedPaths, options = {}) {
    !packageJsonIsLiveDockerTooling &&
    !packageJsonIsTooling &&
    paths.some((changedPath) => RELEASE_METADATA_PATHS.has(changedPath)) &&
-    paths.every(
-      (changedPath) => RELEASE_METADATA_PATHS.has(changedPath) || DOCS_PATH_RE.test(changedPath),
-    )
+    paths.every((changedPath) => RELEASE_METADATA_PATHS.has(changedPath))
  ) {
    lanes.releaseMetadata = true;
    lanes.docs = paths.some((changedPath) => DOCS_PATH_RE.test(changedPath));
--- a/test/scripts/changed-lanes.test.ts
+++ b/test/scripts/changed-lanes.test.ts
@@ -558,6 +558,19 @@ describe("scripts/changed-lanes", () => {
    ]);
  });

+  it("keeps docs plus changelog entries on the docs-only changed gate", () => {
+    const result = detectChangedLanes(["CHANGELOG.md", "docs/tools/index.md"]);
+    const plan = createChangedCheckPlan(result);
+
+    expect(result.docsOnly).toBe(true);
+    expect(result.lanes).toMatchObject({
+      docs: true,
+      releaseMetadata: false,
+      all: false,
+    });
+    expect(plan.commands.map((command) => command.args[0])).not.toContain("release-metadata:check");
+  });
+
  it("guards release metadata package changes to the top-level version field", () => {
    const dir = makeTempRepoRoot(tempDirs, "openclaw-release-metadata-");
    git(dir, ["init", "-q", "--initial-branch=main"]);