openclaw - 💡(How to fix) Fix [Feature] Add agents.list[*].tools.deny + path.allow/deny for fine-grained tool scoping [1 comments, 2 participants]

Problem

OpenClaw agents.list[*].tools.allow is a flat whitelist with no way to express:

1. Tool-level denies: e.g. "this QA agent MUST NEVER run vitest / npm run test" is currently only enforceable via prose in identity.theme. If the model ignores the prose, nothing stops the tool invocation.
2. Path-scoped writes: write/edit grants access to the entire workspace. There's no way to say "this agent can edit frontend/components/** but not contracts/**".

This forces ops teams to choose between removing write/edit entirely (loss of functionality) or relying purely on prompt-level self-discipline (unenforceable).

Use cases (from a NEBA Token install running 9 production agents)

1. neba-qa — has organizational ban on vitest/npm run test per Bobby's ops rules. Currently only enforced through identity.theme HARD CONSTRAINT block.
2. neba-devops — SOUL.md says "НЕ пише application code"; we worked around it by removing write+edit from tools.allow, but this also blocks legitimate config file edits.
3. neba-orchestrator — should never edit source code (only status reports, memory files, Blocker List). No way to path-scope.

Proposed schema (backwards compatible; all fields optional)

{
  "id": "neba-qa",
  "tools": {
    "allow": ["bash", "read", "grep", "search"],
    "deny": ["vitest", "npm-run-test", "yarn-test", "pnpm-test"],
    "path": {
      "allow": ["docs/**", "*.md", ".github/**"],
      "deny": ["contracts/**", "backend/database/migrations/**"]
    }
  }
}

Enforcement points

• deny evaluated before allow (deny wins on conflict).
• path.allow / path.deny applied to all write-capable tools (write, edit, bash with stdout redirect detection).
• Violation → agent tool call fails with ScopeViolationError, logged under logging.redactPatterns-filtered audit trail.

Alternatives considered

1. External git pre-commit hook — blocks after the fact, cannot prevent bash writes to non-git-tracked files (e.g. .env).
2. Host-side tool wrapper — possible but requires rewriting every tool shim; maintenance burden scales with tool count.
3. Prose-only in identity.theme — current state; unenforceable against confused/compromised agents.

Acceptance criteria

• tools.deny blocks the named tools regardless of whether they appear in allow.
• tools.path.allow / path.deny validated via glob match against canonical path of the target file.
• Backwards-compatible: agents without deny / path keys behave identically to today.
• openclaw config validate reports malformed deny/path patterns before runtime.

Source

Discovered during external audit of a 4-installation NEBA OpenClaw deployment (Phase 4, agents EXT-11 + neba-security STRIDE analysis, 2026-04-18).