Skip to content

Comments

feat(config): tools.alsoAllow additive allowlist#1742

Merged
shakkernerd merged 7 commits intomainfrom
feat/tools-alsoAllow
Jan 26, 2026
Merged

feat(config): tools.alsoAllow additive allowlist#1742
shakkernerd merged 7 commits intomainfrom
feat/tools-alsoAllow

Conversation

@vignesh07
Copy link
Contributor

@vignesh07 vignesh07 commented Jan 25, 2026
edited
Loading

Problem

  • Users enabling a plugin tool (e.g. lobster / llm-task) often set tools.allow = ["lobster"].
  • Because allow is restrictive, that accidentally disables every other tool.

Solution

  • Add alsoAllow?: string[] to tool policy configs (global tools, agent tools, group tools, byProvider tool policies).
  • alsoAllow is merged additively into the effective allowlist.

Behavior

  • If a profile produces an allowlist, alsoAllow unions into it.
  • If an explicit allow list is present, alsoAllow unions into that.
  • If there is no allowlist in effect but alsoAllow is set, treat it as additive on top of an implicit allow-all policy (equivalent to allow: ["*", ...alsoAllow]).

UX / Guidance

  • Updated docs to recommend tools.alsoAllow: ["lobster"] instead of tools.allow: ["lobster"].
  • Improved warning text when a plugin-only allowlist is stripped to keep core tools available.

Tests

  • Gateway test: tools.profile=minimal + tools.alsoAllow=["sessions_list"] allows invoking sessions_list.
  • Gateway test: tools.alsoAllow=["sessions_list"] works even when no allow/profile is set (implicit allow-all).
  • Gateway tests are now robust to host env vars by clearing CLAWDBOT_GATEWAY_TOKEN / CLAWDBOT_GATEWAY_PASSWORD in beforeEach.

@vignesh07 vignesh07 marked this pull request as draft January 25, 2026 08:35
@vignesh07 vignesh07 marked this pull request as ready for review January 25, 2026 08:41
@vignesh07
Copy link
Contributor Author

vignesh07 commented Jan 25, 2026

@steipete this solves a hiccup with optional tools that explicitly need opt-in. For people who don't use allow lists to opt into tools.

Will increase llm-task and lobster adoption.

@openclaw-barnacle openclaw-barnacle bot added the gateway Gateway runtime label Jan 26, 2026
@shakkernerd
Copy link
Member

shakkernerd commented Jan 26, 2026

Hey @vignesh07 can you resolve conflicts please. This is a good PR to get in.

@shakkernerd shakkernerd self-assigned this Jan 26, 2026
@vignesh07 vignesh07 force-pushed the feat/tools-alsoAllow branch from 3ecbf6d to 3497be2 Compare January 26, 2026 18:06
@openclaw-barnacle openclaw-barnacle bot added the docs Improvements or additions to documentation label Jan 26, 2026
@vignesh07
Copy link
Contributor Author

vignesh07 commented Jan 26, 2026

@shakkernerd fixed conflicts. However I think it can be improved a bit by adding stricter expectations. Will send one more commit in.

@vignesh07
Copy link
Contributor Author

vignesh07 commented Jan 26, 2026

@shakkernerd good to go. Feel free to change things around before merging.

@shakkernerd shakkernerd mentioned this pull request Jan 26, 2026
Open
5 tasks
@shakkernerd
Copy link
Member

shakkernerd commented Jan 26, 2026

Looks good, thank you!
I made further notes in #2377

@shakkernerd shakkernerd merged commit ff382f6 into main Jan 26, 2026
33 of 43 checks passed
@shakkernerd shakkernerd deleted the feat/tools-alsoAllow branch January 26, 2026 20:44
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@shakkernerd shakkernerd

Labels

docs Improvements or additions to documentation gateway Gateway runtime

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@vignesh07 @shakkernerd