Skip to content

fix(cli): emit agent-tool diagnostic instead of plugins.allow suggestion#77220

Closed
hclsys wants to merge 2 commits intoopenclaw:mainfrom
hclsys:fix/77214-cli-agent-tool-subcommand-error
Closed

fix(cli): emit agent-tool diagnostic instead of plugins.allow suggestion#77220
hclsys wants to merge 2 commits intoopenclaw:mainfrom
hclsys:fix/77214-cli-agent-tool-subcommand-error

Conversation

@hclsys
Copy link
Copy Markdown
Contributor

@hclsys hclsys commented May 4, 2026

Root cause

resolveMissingPluginCommandMessage in src/cli/run-main-policy.ts falls straight through to the plugins.allow suggestion branch when the user types an unrecognized subcommand. It has no awareness of contracts.tools — the tool names a plugin registers for agent model-use. So openclaw wecom_mcp (a tool name, not a CLI command) produces:

The `openclaw wecom_mcp` command is unavailable because `plugins.allow` excludes "wecom_mcp". Add "wecom_mcp" to `plugins.allow` if you want that bundled plugin CLI surface.

That's wrong: wecom_mcp is never a CLI subcommand, and adding it to plugins.allow does nothing useful.

Fix

  • src/plugins/manifest-command-aliases.runtime.ts — adds resolveManifestToolOwner, which loads the manifest registry and searches each plugin's contracts.tools array for a matching tool name.
  • src/cli/run-main-policy.ts — adds resolveToolOwner?: (toolName: string) => string | undefined to the options of resolveMissingPluginCommandMessage; calls it just before the plugins.allow branch. If it returns a plugin ID, emits a targeted diagnostic instead.
  • src/cli/run-main.ts — wires resolveToolOwner: (toolName) => resolveManifestToolOwner({ toolName, config }) at the runtime call site alongside the existing resolveCommandAliasOwner.

Example output after fix

"wecom_mcp" is an agent tool registered by the "wecom" plugin, not a CLI subcommand. Use it from an agent session (model tool-use), not the CLI.

Tests

Two new unit tests in src/cli/run-main.test.ts:

  • emits agent-tool message when resolveToolOwner identifies the tool owner
  • falls through to plugins.allow message when resolveToolOwner returns undefined

All 29 existing tests continue to pass.

Fixes #77214.

@openclaw-barnacle openclaw-barnacle Bot added cli CLI command changes size: S labels May 4, 2026
@hclsys hclsys mentioned this pull request May 4, 2026
Open
@clawsweeper
Copy link
Copy Markdown
Contributor

clawsweeper Bot commented May 4, 2026
edited
Loading

Codex review: needs changes before merge.

Summary
The PR adds manifest contracts.tools lookup to missing CLI command diagnostics, wires it into CLI startup, adds focused unit tests, and adds a changelog fix entry.

Reproducibility: yes. from source inspection. Current main reaches the misleading plugins.allow fallback for agent-tool names, and the PR diff has a concrete collision path where browser would be routed to the new agent-tool diagnostic because the browser plugin declares contracts.tools: ["browser"].

Next step before merge
Queue a narrow repair on the PR branch to keep plugin-id CLI roots from being treated as agent tools before re-review.

Security
Cleared: Cleared: the diff only changes CLI diagnostics, manifest metadata lookup, tests, and changelog text, with no dependency, CI, permission, secret, install, build, or release execution-path changes.

Review findings

  • [P2] Preserve plugin-id allowlist diagnostics — src/cli/run-main-policy.ts:173-179
Review details

Best possible solution:

Keep manifest-backed tool lookup, but make it skip inputs that are also known plugin ids or CLI roots, then add regression coverage for openclaw browser under restrictive plugins.allow.

Do we have a high-confidence way to reproduce the issue?

Yes, from source inspection. Current main reaches the misleading plugins.allow fallback for agent-tool names, and the PR diff has a concrete collision path where browser would be routed to the new agent-tool diagnostic because the browser plugin declares contracts.tools: ["browser"].

Is this the best way to solve the issue?

No as currently implemented. Manifest contracts.tools is the right ownership seam, but the implementation must preserve known plugin-id command roots before returning an agent-tool diagnostic.

Full review comments:

  • [P2] Preserve plugin-id allowlist diagnostics — src/cli/run-main-policy.ts:173-179
    This branch runs before the existing plugins.allow fallback and does not skip names that are also plugin ids. Bundled plugins such as browser declare contracts.tools: ["browser"], so openclaw browser with a restrictive allowlist would now say browser is only an agent tool instead of giving the documented plugin allowlist guidance. Skip tool-owner diagnostics when the input is a known plugin id, or otherwise preserve the plugin command-root path.
    Confidence: 0.93

Overall correctness: patch is incorrect
Overall confidence: 0.91

Acceptance criteria:

  • pnpm test src/cli/run-main.test.ts
  • pnpm exec oxfmt --check --threads=1 src/cli/run-main-policy.ts src/cli/run-main.test.ts src/plugins/manifest-command-aliases.runtime.ts CHANGELOG.md
  • pnpm check:changed in Testbox before merge handoff

What I checked:

  • Current main fallback: On current main, resolveMissingPluginCommandMessage emits the plugins.allow CLI-surface suggestion for unknown roots under a restrictive allowlist and has no tool-owner lookup before that branch. (src/cli/run-main-policy.ts:171, ef0dbcf49d85)
  • Current runtime wiring: The current CLI startup diagnostic imports and passes only resolveManifestCommandAliasOwner, so current main cannot distinguish manifest-declared agent tools at this seam. (src/cli/run-main.ts:642, ef0dbcf49d85)
  • PR regression point: The supplied PR diff inserts resolveToolOwner inside the restrictive allowlist branch before returning the existing plugins.allow message, so a matching tool name wins over plugin-id diagnostics. (src/cli/run-main-policy.ts:173, 8f3dd9afd3c2)
  • Plugin-id/tool-name collision: The bundled browser plugin has id browser, declares contracts.tools: ["browser"], and also declares a browser command alias, so the PR's new branch would report openclaw browser as an agent tool when plugins.allow excludes it. (extensions/browser/openclaw.plugin.json:2, ef0dbcf49d85)
  • Other same-name plugin tools: A manifest scan found additional plugin ids that also appear in their own contracts.tools list: zalouser, llm-task, tlon, diffs, lobster, and browser. (ef0dbcf49d85)
  • Browser docs expect allowlist guidance: The public browser CLI docs tell users to check plugins.allow and include browser when openclaw browser is missing, which is the behavior the PR would obscure for this collision case. Public docs: docs/cli/browser.md. (docs/cli/browser.md:83, ef0dbcf49d85)

Likely related people:

  • steipete: Recent history links Peter Steinberger to disabled plugin command-alias diagnostics, manifest command-alias helper splitting, and plugin metadata consumer unification in the same CLI/plugin diagnostic area. (role: recent maintainer and feature-history owner; confidence: high; commits: d763b8385467, 777c6f758091, 25ce2e853f96; files: src/cli/run-main-policy.ts, src/cli/run-main.test.ts, src/plugins/manifest-command-aliases.runtime.ts)
  • vincentkoc: Recent history links Vincent Koc to runtime metadata fallback work in the manifest metadata lookup path reused by the proposed resolveManifestToolOwner. (role: adjacent plugin metadata maintainer; confidence: medium; commits: c149de7750cf; files: src/plugins/manifest-command-aliases.runtime.ts, src/plugins/plugin-metadata-snapshot.ts, src/plugins/manifest-contract-eligibility.ts)

Remaining risk / open question:

  • The supplied GitHub snapshot reports mergeable=false, so the branch may also need a rebase after the diagnostic regression is fixed.
  • Validation was not run in this read-only review; the PR branch should run the focused CLI test and changed gate after repair.

Codex review notes: model gpt-5.5, reasoning high; reviewed against ef0dbcf49d85.

hclsys added a commit to hclsys/moltbot that referenced this pull request May 4, 2026
@hclsys @claude
fix(changelog): correct PR reference openclaw#77215 openclaw#77220
d855d82 
Co-Authored-By: Claude Sonnet 4.6 <[email protected]>
@hclsys
Copy link
Copy Markdown
Contributor Author

hclsys commented May 4, 2026

Pushed fixup for clawsweeper P3: corrected CHANGELOG reference (#77215)(#77220). Commit d855d82.

@hclsys @claude
fix(cli): emit agent-tool diagnostic instead of plugins.allow suggestion
0c8451a 
When an unrecognized CLI subcommand matches a tool name in
contracts.tools of an installed plugin, surface a targeted message
explaining it is an agent tool (not a CLI subcommand) rather than
incorrectly suggesting the user add it to plugins.allow.

Adds resolveManifestToolOwner (manifest-command-aliases.runtime.ts)
and wires resolveToolOwner option through resolveMissingPluginCommandMessage.

Fixes openclaw#77214.

Co-Authored-By: Claude Sonnet 4.6 <[email protected]>
@hclsys hclsys force-pushed the fix/77214-cli-agent-tool-subcommand-error branch from d855d82 to 0c8451a Compare May 4, 2026 16:59
@hclsys
Copy link
Copy Markdown
Contributor Author

hclsys commented May 4, 2026

Pushed CHANGELOG entry (commit 8f3dd9afd3): added the missing CLI/diagnostics fix entry referencing #77214. This resolves the remaining clawsweeper P3 finding.

@hclsys
Copy link
Copy Markdown
Contributor Author

hclsys commented May 4, 2026

Closing — stale past the empirical 20h ceiling with no maintainer signal. Happy to revisit if the underlying issue stays relevant.

@hclsys hclsys closed this May 4, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

cli CLI command changes size: S

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

CLI suggests plugins.allow for unknown subcommands when input is actually an agent tool name

1 participant

@hclsys