mirror of
https://github.com/openclaw/openclaw.git
synced 2026-06-26 11:49:33 +00:00
9aea104cc8
#91499 auto-stamps the creator's tool surface as a default toolsAllow cap on agentTurn cron payloads whenever the creating session is tool-restricted (a narrowing allow-policy or an explicit deny). CLI backends cannot enforce a runtime toolsAllow — cli-runner/prepare.ts rejects any defined allow-list — so every scheduled agentTurn that resolves to a CLI backend (e.g. claude-cli) fails to start. This silently broke per-thread scheduled continuations on CLI backends. A CLI backend is not a runtime tool-policy boundary: it runs with its own configured tool set, as the operator, on the local machine, and refuses a runtime allow-list outright. An inherited default cap is therefore unenforceable on a CLI backend. Decide at run time, where the backend is known: - Flag the default. capCronAgentTurnToolsAllow stamps toolsAllowIsDefault when it fills in the creator surface because the cron requested nothing (or a bare "*"). An explicit narrowing or empty allow-list is a real per-cron restriction and carries no flag. - Drop only the default, only on CLI. The run-executor drops a flagged default in the CLI branch and lets the run proceed. An explicit per-cron restriction (no flag) is deliberately passed through, so prepare.ts still fails it closed and surfaces that the requested policy needs an embedded runtime. Embedded runs are untouched and keep the full cap enforced. - Persist the flag. New nullable cron_jobs.payload_tools_allow_is_default column (additive ensureColumn migration + codec read/write) so the decision survives a gateway restart, plus toolsAllowIsDefault on the gateway-protocol agentTurn payload schema — the stamped payload is otherwise rejected by the contract's additionalProperties:false. - Preserve the flag across updates. A no-toolsAllow update (reschedule, prompt edit) no longer carries the stored default forward as a literal value — that routed it through the explicit-narrowing branch, stripped the flag, and re-broke the job on CLI after the next restart. The default is re-derived (flag intact); an explicit restriction is still carried forward unflagged. Net policy: on CLI only the unenforceable inherited default is relaxed; explicit per-cron restrictions still fail closed; embedded backends are unchanged. Tests: run-executor drops the flagged default but propagates an explicit restriction on CLI; cron-tool stamps/clears the flag across create and update and preserves it across a no-toolsAllow update; store round-trips the flag (and its absence) through SQLite. Not covered: agentTurn crons created during the regression window carry a flagless toolsAllow and remain fail-closed on CLI until recreated or updated with an explicit toolsAllow.