PR #84000: fix(agents): respect tool policy for sessions_yield [AI-assisted] (#83981)

• Repository: openclaw/openclaw
• Author: luyao618
• State: open | merged: False
• Link: https://github.com/openclaw/openclaw/pull/84000

Description (problem / solution / changelog)

🤖 AI-assisted (built with Codex via Hermes orchestration). Test level: lightly tested. Prompt summary available on request.

Summary

• Problem: sessions_yield was always built and registered inside createOpenClawTools, regardless of the effective tool policy. Allow/deny filtering only ran later in the pipeline, so agents could still discover and invoke sessions_yield even when tools.deny listed it or when an explicit tools.allow excluded it.
• Why it matters: Agents would intermittently call sessions_yield mid-task in restricted-policy contexts, ending the turn unexpectedly and forcing manual resume. Policy expectations were silently violated.
• What changed: Gate sessions_yield at construction time using isToolAllowedByPolicyName against the same explicitFactoryAllowlist / explicitFactoryDenylist already used for message and update_plan. The tool is no longer created (and its onYield callback no longer wired) when policy disallows it.
• What did NOT change (scope boundary): No changes to the tool's runtime behavior, to other tools, to filter pipelines downstream, to subagent inheritance, or to plugin tool resolution.

Change Type (select all)

• Bug fix

Scope (select all touched areas)

• Agents

Linked Issue/PR

• Closes #83981
• This PR fixes a bug or regression

Root Cause

• Root cause: createSessionsYieldTool was always present in the tools array literal in src/agents/openclaw-tools.ts. Allow/deny resolution happened after the tool and its callback were already constructed, so it remained visible in the effective tool catalog and could still be invoked.
• Missing detection / guardrail: No unit test asserted that sessions_yield is omitted from createOpenClawTools output when tools.deny or a narrow tools.allow excludes it. Other gated tools (message, update_plan) had this proof; sessions_yield did not.
• Contributing context (if known): sessions_yield was added as a default-on tool; the pattern of gating at construction time (mirrored from message/update_plan) was not extended to it.

Regression Test Plan

• Coverage level that should have caught this:
  • Unit test
• Target test or file: src/agents/openclaw-tools.sessions-yield-policy.test.ts
• Scenario the test should lock in: createOpenClawTools includes sessions_yield by default, but omits it when tools.deny contains sessions_yield, when a narrow tools.allow does not list it, and when pluginToolDenylist contains it.
• Why this is the smallest reliable guardrail: It exercises the exact public factory entry point and asserts the resulting tool inventory, which is what agents and the catalog ultimately consume.
• Existing test that already covers this (if any): N/A
• If no new test is added, why not: N/A

User-visible / Behavior Changes

• When tools.deny lists sessions_yield (or an explicit tools.allow excludes it), the tool is no longer offered to agents and cannot be invoked. Default behavior (no policy) is unchanged: sessions_yield remains available.

Security Impact (required)

• New permissions/capabilities? No
• This change tightens an existing capability gate (policy is now honored for sessions_yield as for other gated tools). It can only reduce, not expand, what an agent can do in a given configuration.

Changed files

• src/agents/openclaw-tools.sessions-yield-policy.test.ts (added, +52/-0)
• src/agents/openclaw-tools.ts (modified, +13/-4)