openclaw - 💡(How to fix) Fix Feature request: per-agent disabledTools config OR PreToolUse hook for built-in tool interception

Context

OpenClaw 2026.5.7 plugin SDK exposes built-in tools (Write, Edit, MultiEdit, Bash, Read, etc.) directly to the agent runtime. MCP servers can extend the tool set but cannot replace or intercept built-ins due to the reservedToolNames namespace enforcement in /app/dist/compact-BqITSh1q.js:

reservedToolNames: [...tools.map((tool) => tool.name), ...bundleMcpRuntime?.tools.map((tool) => tool.name) ?? []]

This means any MCP tool registered with the name Write is materialized as myserver__Write, never replacing the built-in Write. Plugin hooks are also fireAndForgetHook / fireAndForgetBoundedHook — they cannot return blocking decisions.

Use case

We're building a multi-agent orchestration system where a primary agent delegates work to specialist sub-agents via a shell-based dispatch chain. We want to enforce that the primary agent CANNOT bypass the dispatch chain by directly calling Write/Edit/MultiEdit on sub-agent workspaces — i.e., enforce structural delegation discipline.

Currently this is unenforceable: the primary agent's inline tool calls happen below any plugin layer.

Two possible solutions

Option A: Per-agent disabledTools config

Allow agent configs to disable specific built-in tools:

{
  "id": "primary-agent",
  "disabledTools": ["Write", "Edit", "MultiEdit"],
  "model": { }
}

Disabled tools simply aren't registered in the agent's session. Downstream consumers can then provide MCP replacements that enforce custom logic.

Option B: Blocking PreToolUse hook event

Add a new hook event that fires BEFORE a tool call is dispatched to the runtime, with the ability to return {block: true, reason: string} to abort the call:

hooks: {
  PreToolUse: async (event) => {
    if (event.toolName === "Write" && !validateMarker(event.context)) {
      return { block: true, reason: "Pre-write validation failed" };
    }
  }
}

This mirrors the Claude Code hook pattern and is well-understood.

Why this matters

Anti-fabrication guarantees in agent orchestration depend on the ability to intercept tool calls. Without one of these features, downstream consumers can only do post-hoc detection (1-2s lag, requires rollback). Pre-write blocking is the only way to GUARANTEE that agents follow dispatch discipline.

Workarounds we've tried (all blocked)

• MCP shim registration: forced into serverName__Write namespace, never replaces built-in
• Plugin PreToolUse hook: doesn't exist in current hook API (agentBootstrap, gatewayStartup, sessionPatch, messageReceived/Sent/Preprocessed/Transcribed, inboundClaim, command only)
• Disabling tools via existing config: no disabledTools/allowedTools/toolOverride keys in the agent schema

Happy to contribute a PR if there's interest. Either A or B works for our use case; A is simpler to implement, B is more flexible.