feat(plugins): add sessions.spawn and rateLimit to plugin runtime #16558
Draft
Zephyr-Blessed wants to merge 2 commits into openclaw:main from
Plugins can now:
1. Spawn isolated agent sessions with restricted tool policies:
`api.runtime.sessions.spawn({ message, systemPrompt, toolPolicy })`
- Enables plugins to process external requests (A2A, webhooks) safely
- Tool policy controls which tools the session can use
- Supports model override, timeout, and labeling
- Uses existing subagent infrastructure (callGateway + agent handler)
2. Rate-limit incoming requests with a sliding-window limiter:
`api.runtime.rateLimit.check(key, { maxRequests, windowMs })`
- In-memory, zero dependencies
- Plugin provides the key (IP, sender URL, agent ID)
- Protects against token/cost abuse from external callers
Use case: A2A (Agent-to-Agent) protocol plugins that receive messages
from external agents and need to process them with controlled permissions.
A friend's agent can read your calendar; a stranger gets chat-only.
Files changed:
- src/plugins/runtime/types.ts — New types for session spawn + rate limit
- src/plugins/runtime/index.ts — Implementation
- src/plugin-sdk/index.ts — Export new types
- docs/tools/plugin.md — Documentation with examples
- src/plugins/runtime/rate-limit.test.ts — Rate limiter tests
Prevents runaway costs from buggy or malicious plugins:
- Max 10 concurrent plugin-spawned sessions
- Max 20 spawns per minute (global across all plugins)
- Both are hardcoded safeguards, not config — matches the pattern that plugins are trusted code but mistakes happen
Summary
Exposes two new capabilities on the plugin runtime:
1. `api.runtime.sessions.spawn()`
Plugins can spawn isolated agent sessions with restricted tool policies. This enables plugins to process external requests (webhooks, A2A messages, inter-agent communication) safely — the plugin controls which tools each session gets.
Uses the existing subagent infrastructure (`callGateway` → `agent` handler). No new execution machinery — just exposing what `sessions_spawn` already does internally, but accessible to plugins.
Built-in safety guardrails:
- `tools.subagents.tools.allow/deny` config applies to all spawned sessions
2. `api.runtime.rateLimit.check()`
In-memory sliding-window rate limiter. Zero dependencies. Plugins provide the key (IP, sender URL, agent ID) and limits.
Use case: A2A (Agent-to-Agent) protocol
We're building an A2A plugin that enables OpenClaw agents to communicate with other agents via Google's A2A protocol. A friend's agent can ask your agent to check your calendar and book a meeting — but a stranger's agent gets chat-only access with no tools.
This requires plugins to be able to route external messages through the LLM with controlled tool access, which isn't currently possible.
Discussion: Config gating?
We considered adding a config toggle (e.g. `plugins.allowSessionSpawn: true`) but decided against it because:
- `PluginRuntime` method requires config opt-in
- `tools.subagents.tools` config already controls spawned session tool access
- `plugins.allow/deny`) is the trust gate
Question for maintainers: Would you prefer a config gate here? We're happy to add one if the team feels it's warranted. The hardcoded concurrency/rate limits provide basic safety regardless.
Files changed
- `src/plugins/runtime/types.ts`: `PluginSessionSpawnOptions`, `PluginSessionSpawnResult`, `RateLimitOptions`
- `src/plugins/runtime/index.ts`: `spawnPluginSession`, `rateLimitCheck/Reset`, concurrency guards
- `src/plugin-sdk/index.ts`
- `docs/tools/plugin.md`
- `src/plugins/runtime/rate-limit.test.ts`
Note on tool policy override
The current implementation passes `toolPolicy` via `sessions.patch` before spawning. If `sessions.patch` doesn't support `toolPolicy` yet, the session falls back to the default subagent tool policy (which already denies `sessions_spawn`, `gateway`, `cron`, `memory_*`, etc.). The `extraSystemPrompt` provides additional guidance to the LLM.
A follow-up PR could add `toolPolicyOverride` to the `agent` gateway method for runtime-enforced per-session tool restrictions.
This PR is part of the OpenClaw A2A plugin project — enabling inter-agent communication via Google's A2A protocol.
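An added example, not code from this PR or from OpenClaw: a sketch of the in-memory sliding-window check the description names, taking the same `(key, { maxRequests, windowMs })` arguments. The result shape, the `maxKeys` cap and the injectable `now` are assumptions; the cap is there because the keys come from external callers and an uncapped map would grow with every new key.

```typescript
// Added illustration, not OpenClaw's implementation. The result shape, the
// maxKeys cap and the injectable `now` are assumptions made for this example.
interface RateLimitOptions { maxRequests: number; windowMs: number }
interface RateLimitResult { allowed: boolean; remaining: number; retryAfterMs: number }
interface Bucket { hits: number[]; expiresAt: number }

function createRateLimiter(maxKeys = 10000) {
  const buckets = new Map<string, Bucket>();

  // Drop buckets whose newest hit has already left its window.
  function sweep(now: number): void {
    buckets.forEach((bucket, key) => {
      if (bucket.expiresAt <= now) buckets.delete(key);
    });
  }

  function check(key: string, opts: RateLimitOptions, now: number = Date.now()): RateLimitResult {
    const existing = buckets.get(key);
    const cutoff = now - opts.windowMs;
    // Sliding window: only timestamps newer than the cutoff still count.
    const hits: number[] = existing ? existing.hits.filter((t) => t > cutoff) : [];

    if (hits.length >= opts.maxRequests) {
      if (existing) existing.hits = hits; // prune, but record nothing for denied calls
      const oldest = hits[0] ?? now;
      return { allowed: false, remaining: 0, retryAfterMs: oldest + opts.windowMs - now };
    }

    // Keys are caller-supplied (IP, sender URL, agent ID), so bound the map:
    // sweep expired buckets, then refuse unseen keys rather than grow.
    if (!existing && buckets.size >= maxKeys) {
      sweep(now);
      if (buckets.size >= maxKeys) {
        return { allowed: false, remaining: 0, retryAfterMs: opts.windowMs };
      }
    }

    hits.push(now);
    buckets.set(key, { hits, expiresAt: now + opts.windowMs });
    return { allowed: true, remaining: opts.maxRequests - hits.length, retryAfterMs: 0 };
  }

  return { check, size: () => buckets.size };
}
```

Denied calls are not recorded, so a caller that keeps retrying while blocked does not extend its own lockout; whether that is the desired behaviour is a policy choice.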