From c51e315f3ac67aba7d7f0663c7af02807e21f293 Mon Sep 17 00:00:00 2001 From: Olamiposi <56056759+posigit@users.noreply.github.com> Date: Mon, 27 Apr 2026 23:44:17 +0100 Subject: [PATCH] docs: clarify messaging vs full tool profiles (#39954) * docs: clarify messaging vs full tool profiles * docs: normalize tools.profile references * docs: clarify messaging and full tool profiles --------- Co-authored-by: vincentkoc <25068+vincentkoc@users.noreply.github.com> --- CHANGELOG.md | 1 + docs/tools/index.md | 20 +++++++++++++++++++- scripts/changed-lanes.mjs | 4 +--- test/scripts/changed-lanes.test.ts | 13 +++++++++++++ 4 files changed, 34 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index b4d599e637a..2c5291f7666 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -16,6 +16,7 @@ Docs: https://docs.openclaw.ai ### Fixes +- Docs/tools: clarify that `tools.profile: "messaging"` is intentionally narrow and that `tools.profile: "full"` is the unrestricted baseline for broader command/control access. Carries forward #39954. Thanks @posigit. - Control UI/Agents: redact tool-call args, partial/final results, derived exec output, and configured custom secret patterns before streaming tool events to the Control UI, so tool output cannot expose provider or channel credentials. Fixes #72283. (#72319) Thanks @volcano303 and @BunsDev. - Providers/Codex: pass agent and workspace directories into provider stream wrappers so Codex native `web_search` activation can evaluate the correct auth context, and smoke-test the built status-message runtime by resolving the emitted bundle name. Carries forward #67843; refs #65909. Thanks @neilofneils404. - Models/fallbacks: treat user-selected session models as exact choices, so `/model ollama/...` and model-picker switches fail visibly when the selected provider is unreachable instead of answering from an unrelated configured fallback. Fixes #73023. Thanks @pavelyortho-cyber. diff --git a/docs/tools/index.md b/docs/tools/index.md index 7e2d1293f01..31ea6e35836 100644 --- a/docs/tools/index.md +++ b/docs/tools/index.md @@ -140,11 +140,19 @@ Per-agent override: `agents.list[].tools.profile`. | Profile | What it includes | | ----------- | ------------------------------------------------------------------------------------------------------------------------------------------------- | -| `full` | No restriction (same as unset) | +| `full` | Unrestricted baseline for broader command/control access; same as leaving `tools.profile` unset | | `coding` | `group:fs`, `group:runtime`, `group:web`, `group:sessions`, `group:memory`, `cron`, `image`, `image_generate`, `music_generate`, `video_generate` | | `messaging` | `group:messaging`, `sessions_list`, `sessions_history`, `sessions_send`, `session_status` | | `minimal` | `session_status` only | + +`tools.profile: "messaging"` is intentionally narrow for channel-focused +agents. It leaves out broader command/control tools such as filesystem, runtime, +browser, canvas, nodes, cron, and gateway control. Use `tools.profile: "full"` +as the unrestricted baseline for broader command/control access, then trim +access with `tools.allow` / `tools.deny` when needed. + + `coding` includes lightweight web tools (`web_search`, `web_fetch`, `x_search`) but not the full browser-control tool. Browser automation can drive real sessions and logged-in profiles, so add it explicitly with @@ -156,6 +164,16 @@ under the plugin key `bundle-mcp`. Add `tools.deny: ["bundle-mcp"]` when you want a profile to keep its normal built-ins but hide all configured MCP tools. The `minimal` profile does not include bundle MCP tools. +Example (broadest tool surface by default): + +```json5 +{ + tools: { + profile: "full", + }, +} +``` + ### Tool groups Use `group:*` shorthands in allow/deny lists: diff --git a/scripts/changed-lanes.mjs b/scripts/changed-lanes.mjs index 9cd0a809d6f..3e0a95e6ead 100644 --- a/scripts/changed-lanes.mjs +++ b/scripts/changed-lanes.mjs @@ -94,9 +94,7 @@ export function detectChangedLanes(changedPaths, options = {}) { !packageJsonIsLiveDockerTooling && !packageJsonIsTooling && paths.some((changedPath) => RELEASE_METADATA_PATHS.has(changedPath)) && - paths.every( - (changedPath) => RELEASE_METADATA_PATHS.has(changedPath) || DOCS_PATH_RE.test(changedPath), - ) + paths.every((changedPath) => RELEASE_METADATA_PATHS.has(changedPath)) ) { lanes.releaseMetadata = true; lanes.docs = paths.some((changedPath) => DOCS_PATH_RE.test(changedPath)); diff --git a/test/scripts/changed-lanes.test.ts b/test/scripts/changed-lanes.test.ts index 614ec5a8371..8ef049ca01b 100644 --- a/test/scripts/changed-lanes.test.ts +++ b/test/scripts/changed-lanes.test.ts @@ -558,6 +558,19 @@ describe("scripts/changed-lanes", () => { ]); }); + it("keeps docs plus changelog entries on the docs-only changed gate", () => { + const result = detectChangedLanes(["CHANGELOG.md", "docs/tools/index.md"]); + const plan = createChangedCheckPlan(result); + + expect(result.docsOnly).toBe(true); + expect(result.lanes).toMatchObject({ + docs: true, + releaseMetadata: false, + all: false, + }); + expect(plan.commands.map((command) => command.args[0])).not.toContain("release-metadata:check"); + }); + it("guards release metadata package changes to the top-level version field", () => { const dir = makeTempRepoRoot(tempDirs, "openclaw-release-metadata-"); git(dir, ["init", "-q", "--initial-branch=main"]);