mirror of
https://github.com/openclaw/openclaw.git
synced 2026-05-28 03:00:34 +00:00
f0b6f70053
* fix(agents): answer Claude live control_request can_use_tool via exec policy Claude CLI emits stream-json control_request frames with subtype can_use_tool when it wants to use a native tool. The Claude live-session bridge previously dropped these frames, leaving Claude waiting for a control_response until the 180/600s no-output timeout fired (see #80819). Resolve the effective OpenClaw exec policy (per-agent tools.exec -> global tools.exec -> allowlist/on-miss defaults) once at session-start time and thread it through fingerprinting and the session record. When a can_use_tool request arrives: - Allow native Bash when the resolved policy is security=full, ask=off (matching the bypassPermissions semantics OpenClaw already documents). - Otherwise deny with a message that names the resolved policy and points the agent at OpenClaw MCP tools. Unsupported control_request subtypes get a structured error response instead of a silent no-op, and stray control_response frames are silently dropped. Adds spawn-test coverage for both allow and deny paths. Fixes #80819 * fix(agents): align Claude live control_request policy with backend defaults Resolve the effective exec policy through the same defaults that extensions/anthropic/cli-shared.ts:isOpenClawRequestedYolo and src/agents/exec-defaults.ts:resolveExecDefaults already use (security ?? "full", ask ?? "off") instead of falling back to a hand-rolled allowlist/on-miss default that disagreed with the rest of the codebase. Without this, a default-config OpenClaw deployment launches Claude with --permission-mode bypassPermissions but the bridge would still deny Bash control_requests, re-creating the #80819 stall for the very default-config case the issue reports. Also thread the effective Claude permission mode into the policy decision. Prefer the operator's explicit --permission-mode in argv, falling back to what normalizeClaudePermissionArgs would have inserted for an un-overridden launch. Native Bash is auto-allowed only when the effective mode is bypassPermissions AND tools.exec resolves to full/no-ask, so explicit raw-arg overrides like --permission-mode default or acceptEdits broaden Claude's native prompting and are honored by routing through deny. Adds a no-config regression test (default deployment allows Bash, no stall) and a permission-mode-override test (tools.exec full/off plus explicit --permission-mode default in raw args denies). Existing allow/deny tests continue to pass via the synthesized-mode fallback. * fix(agents): honor effective exec policy for Claude live Bash --------- Co-authored-by: Guillaume Thirry <g.thirry@gmail.com>