openclaw - ✅(Solved) Fix Generation tools Not Live when tools.alsoAllow is set without tools.allow on v2026.5.4 [2 pull requests, 2 comments, 3 participants]

GitHub stats
openclaw/openclaw#77841, fetched 2026-05-06 06:20:24
Comments: 2 · Participants: 3 · Timeline: 6 · Reactions: 2
Timeline (top): commented ×2, cross-referenced ×2, mentioned ×1, subscribed ×1

On v2026.5.4, generation provider startup from explicit agents.defaults.*GenerationModel is fixed, but generation tools can still remain Enabled / catalog-only / Not Live when global tools policy uses tools.alsoAllow without an explicit tools.allow.

This appears to be a separate follow-up edge case from #77244.

Related:

Error Message

tools.catalog included media generation tools:

Fix Action

Fix / Workaround

Workaround that fixed it

So the valid workaround was to merge group:memory into tools.allow and remove tools.alsoAllow:

PR fix notes

PR #77855: fix(agents): preserve media tools for alsoAllow policies

Description (problem / solution / changelog)

Summary

  • preserve implicit allow-all semantics from tools.alsoAllow-only policies when constructing built-in media generation tools
  • keep the default-plugin discovery marker bounded to plugin loading while letting configured image/video/music generation tools become live
  • add regression coverage for the issue path and a changelog entry

Fixes #77841.

Real behavior proof

Behavior or issue addressed: tools.alsoAllow without tools.allow should preserve implicit allow-all semantics for built-in media generation tools. The fixed behavior is that configured image_generate, music_generate, and video_generate appear in tools.effective instead of staying catalog-only / Not Live.

Real environment tested: Real local OpenClaw Gateway started from this PR branch on macOS, OpenClaw 2026.5.4 (0a3e57d), with an isolated config under /private/tmp/openclaw-77841-proof-token/state. The config used tools.alsoAllow: ["group:memory"], explicit agents.defaults.*GenerationModel values, and enabled openai/google provider plugins.

Exact steps or command run after this patch: Started a real Gateway, created a real session over Gateway RPC, then called tools.effective for that session:

OPENCLAW_STATE_DIR=/private/tmp/openclaw-77841-proof-token/state \
OPENCLAW_CONFIG_PATH=/private/tmp/openclaw-77841-proof-token/state/openclaw.json \
OPENCLAW_SKIP_CHANNELS=1 OPENCLAW_NO_ONBOARD=1 \
node scripts/run-node.mjs gateway run --port 19041 --bind loopback --auth token --token proof-token --allow-unconfigured --ws-log compact

OPENCLAW_STATE_DIR=/private/tmp/openclaw-77841-proof-token/state \
OPENCLAW_CONFIG_PATH=/private/tmp/openclaw-77841-proof-token/state/openclaw.json \
node scripts/run-node.mjs gateway call sessions.create \
--token proof-token \
--params '{"key":"main","agentId":"main","label":"77841 proof"}' \
--json --timeout 15000

OPENCLAW_STATE_DIR=/private/tmp/openclaw-77841-proof-token/state \
OPENCLAW_CONFIG_PATH=/private/tmp/openclaw-77841-proof-token/state/openclaw.json \
node scripts/run-node.mjs gateway call tools.effective \
--token proof-token \
--params '{"sessionKey":"agent:main:main"}' \
--json --timeout 15000

Evidence after fix: Terminal output from the real Gateway run:

2026-05-05T09:58:20.462-04:00 [gateway] http server listening (10 plugins: acpx, bonjour, browser, device-pair, file-transfer, google, memory-core, openai, phone-control, talk-voice; 1.7s)
2026-05-05T09:58:20.668-04:00 [gateway] ready

Session creation output:

{
  "ok": true,
  "key": "agent:main:main",
  "sessionId": "b21b9865-22b6-4e8d-affa-4202a3bf48b8",
  "runStarted": false
}

Relevant tools.effective excerpts from the live Gateway response:

{
  "id": "image_generate",
  "label": "Image Generation",
  "source": "core"
}
{
  "id": "music_generate",
  "label": "Music Generation",
  "source": "core"
}
{
  "id": "video_generate",
  "label": "Video Generation",
  "source": "core"
}

Observed result after fix: tools.effective included all three configured media generation tools (image_generate, music_generate, and video_generate) as live built-in tools while the config still used tools.alsoAllow: ["group:memory"] without tools.allow.

What was not tested: I did not run a live provider media-generation request; this proof only verifies Gateway tool availability/effective inventory for the reported Not Live regression. Provider auth/readiness and actual image/video/music generation remain covered by their existing provider tests and runtime behavior.

Tests

  • pnpm test src/agents/openclaw-tools.media-factory-plan.test.ts
  • pnpm test src/agents/openclaw-tools.media-factory-plan.test.ts src/agents/tool-policy.test.ts src/agents/tools-effective-inventory.test.ts src/gateway/tools-invoke-http.test.ts
  • pnpm check:changed

Changed files

  • CHANGELOG.md (modified, +1/-0)
  • src/agents/openclaw-tools.media-factory-plan.test.ts (modified, +38/-0)
  • src/agents/openclaw-tools.ts (modified, +20/-1)

PR #77901: fix(tools): keep media tools live with alsoAllow

Description (problem / solution / changelog)

Summary

  • Problem: tools.alsoAllow without tools.allow is treated as implicit allow-all in the main tool policy, but the media tool factory received a reduced allowlist that made image_generate, video_generate, and music_generate look disallowed.
  • Why it matters: media generation tools could be catalog-visible but not live/effective even when explicit generation models and provider plugins were configured.
  • What changed: the policy extraction now carries a private core-tool allow-all marker for alsoAllow-only policies, and the built-in media factory maps that marker back to * while preserving the existing bounded optional-plugin discovery marker.
  • What did NOT change (scope boundary): optional plugin tool discovery remains bounded; this PR does not address the separate warning wording issue in #77801.

Change Type (select all)

  • Bug fix
  • Feature
  • Refactor required for the fix
  • Docs
  • Security hardening
  • Chore/infra

Scope (select all touched areas)

  • Gateway / orchestration
  • Skills / tool execution
  • Auth / tokens
  • Memory / storage
  • Integrations
  • API / contracts
  • UI / DX
  • CI/CD / infra
  • Agent tool policy

Linked Issue/PR

  • Closes #77841
  • Related #77801
  • This PR fixes a bug or regression

Real behavior proof (required for external PRs)

  • Behavior or issue addressed: media generation factories now preserve implicit allow-all behavior when policy input came from tools.alsoAllow without tools.allow.
  • Real environment tested: local macOS OpenClaw checkout on 2026-05-05, Node via pnpm exec tsx, production tool-policy and media-factory planning code with a real temporary workspace.
  • Exact steps or command run after this patch: pnpm exec tsx ran production APIs: pickSandboxToolPolicy(alsoAllow) -> collectExplicitAllowlist -> resolveOptionalMediaToolFactoryPlan.
  • Evidence after fix: terminal output from the real OpenClaw policy/factory path:
REAL_OPENCLAW_MEDIA_TOOLS_PROOF {"workspaceBasename":"openclaw-real-tools-proof-1oLQF2","command":"pickSandboxToolPolicy(alsoAllow) -> collectExplicitAllowlist -> resolveOptionalMediaToolFactoryPlan","allowlist":["group:memory","__openclaw_implicit_core_tools__","__openclaw_default_plugin_tools__"],"hasLiteralWildcard":false,"mediaFactoryPlan":{"imageGenerate":true,"videoGenerate":true,"musicGenerate":true,"pdf":true},"memoryGroupStillRequested":true}
  • Observed result after fix: the extracted allowlist still does not contain a literal *, so optional plugin discovery remains bounded, while the built-in media factory sees image/video/music generation as available under the internal core allow-all marker.
  • What was not tested: a live Gateway restart with real OpenAI/Google credentials; explicit generation model config is sufficient to prove the fixed factory-planning branch without making provider calls.
  • Before evidence: source inspection matched the issue: collectExplicitAllowlist removed the synthetic wildcard from alsoAllow-only policy, leaving a nonempty reduced allowlist that made the media factory treat generation tools as disallowed.

Root Cause (if applicable)

  • Root cause: the plugin-tool allowlist extraction intentionally removed the synthetic wildcard from alsoAllow-only policy to avoid loading all optional plugin tools, but the same reduced list was reused by built-in media factory availability checks.
  • Missing detection / guardrail: tests covered restrictive allowlists and explicit model config availability, but not the alsoAllow-only policy path where core tools should remain effectively allow-all.
  • Contributing context (if known): optional plugin discovery and built-in media factory planning share pluginToolAllowlist, but they need different interpretations of the implicit allow-all marker.

Regression Test Plan (if applicable)

  • Coverage level that should have caught this:
    • Unit test
    • Seam / integration test
    • End-to-end test
    • Existing coverage already sufficient
  • Target test or file: src/agents/openclaw-tools.media-factory-plan.test.ts and src/agents/tool-policy.test.ts
  • Scenario the test should lock in: an alsoAllow-only policy exposes built-in media generation factories without reintroducing a literal wildcard into optional plugin discovery.
  • Why this is the smallest reliable guardrail: it directly validates the extracted allowlist and the media factory plan without starting a full Gateway.
  • Existing test that already covers this (if any): none for alsoAllow-only media generation factory planning.
  • If no new test is added, why not: N/A

User-visible / Behavior Changes

With tools.alsoAllow and no tools.allow, explicitly configured image/video/music generation tools can remain live/effective instead of appearing enabled but not live.

Diagram (if applicable)

Before:
tools.alsoAllow only -> strip synthetic * -> media factory sees group:memory -> generation tools filtered

After:
tools.alsoAllow only -> strip synthetic * for plugin discovery + carry core allow-all marker -> media factory sees * -> generation tools stay live

Security Impact (required)

  • New permissions/capabilities? (Yes/No) No
  • Secrets/tokens handling changed? (Yes/No) No
  • New/changed network calls? (Yes/No) No
  • Command/tool execution surface changed? (Yes/No) No
  • Data access scope changed? (Yes/No) No
  • If any Yes, explain risk + mitigation: N/A

Repro + Verification

Environment

  • OS: macOS local checkout
  • Runtime/container: Node 22+/pnpm repo scripts
  • Model/provider: N/A for local tests; issue config used OpenAI/Google generation providers
  • Integration/channel (if any): agent tool policy / Gateway tool resolution
  • Relevant config (redacted): tools.alsoAllow: ["group:memory"] with explicit agents.defaults.*GenerationModel

Steps

  1. Create an alsoAllow-only sandbox tool policy.
  2. Extract the explicit allowlist through collectExplicitAllowlist and verify it does not contain a literal *.
  3. Pass that allowlist to optional media factory planning with explicit image/video/music generation model config.
  4. Verify image, video, and music generation factories are all available.

Expected

  • Built-in media generation factories preserve implicit allow-all semantics from alsoAllow-only policy.
  • Optional plugin discovery remains bounded by the default plugin marker instead of a literal wildcard.

Actual

  • Matches expected after this patch.

Evidence

  • Failing test/log before + passing after
  • Trace/log snippets
  • Screenshot/recording
  • Perf numbers (if relevant)

Verification run:

pnpm test src/agents/openclaw-tools.media-factory-plan.test.ts src/agents/tool-policy.test.ts src/agents/tools-effective-inventory.test.ts src/gateway/tools-invoke-http.test.ts
Test Files  4 passed (4)
Tests       94 passed (94)

Additional checks:

pnpm exec oxfmt --check --threads=1 CHANGELOG.md src/agents/tool-policy.ts src/agents/tool-policy.test.ts src/agents/openclaw-tools.ts src/agents/openclaw-tools.media-factory-plan.test.ts
All matched files use the correct format.

git diff --check
passed

Known unrelated local typecheck blocker:

pnpm tsgo:core

This currently stops on existing src/infra/command-explainer/* web-tree-sitter type export errors outside this PR's touched files.

Human Verification (required)

  • Verified scenarios: alsoAllow-only extracted allowlist lacks a literal wildcard but still enables built-in image/video/music generation factories; restrictive explicit allowlist tests still pass; gateway tool invoke tests still pass.
  • Edge cases checked: optional plugin discovery keeps its existing default-plugin marker behavior; denylist and explicit restrictive allowlist coverage still pass in the same target suite.
  • What you did not verify: a live Gateway restart with real provider credentials.

Review Conversations

  • I replied to or resolved every bot review conversation I addressed in this PR.
  • I left unresolved only the conversations that still need reviewer or maintainer judgment.

Compatibility / Migration

  • Backward compatible? (Yes/No) Yes
  • Config/env changes? (Yes/No) No
  • Migration needed? (Yes/No) No
  • If yes, exact upgrade steps: N/A

Risks and Mitigations

  • Risk: accidentally expanding optional plugin tool loading when alsoAllow-only is used.
    • Mitigation: the literal * is still stripped from plugin discovery; only the built-in media factory maps the new internal core marker back to allow-all.

Changed files

  • CHANGELOG.md (modified, +1/-0)
  • src/agents/openclaw-tools.media-factory-plan.test.ts (modified, +33/-0)
  • src/agents/openclaw-tools.ts (modified, +6/-1)
  • src/agents/tool-policy.test.ts (modified, +2/-0)
  • src/agents/tool-policy.ts (modified, +2/-0)
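
The root cause and before/after diagram from PR #77901, modeled as an added example (not OpenClaw's own code): one extracted allowlist feeds both optional plugin discovery and the built-in media factory. Function and type names are hypothetical, and the empty-list and no-key behaviours are assumptions; the `naive` mode shows what the PR's risk section guards against, leaving the synthetic `*` in the shared list.

```typescript
// Added illustration: a simplified model, not OpenClaw source code.
// Function and type names are hypothetical; the two marker strings are the
// ones visible in the PR #77901 proof output.
const CORE_ALLOW_ALL = "__openclaw_implicit_core_tools__";
const DEFAULT_PLUGINS = "__openclaw_default_plugin_tools__";
const MEDIA_TOOLS = ["image_generate", "video_generate", "music_generate"];

interface ToolsPolicy { allow?: string[]; alsoAllow?: string[] }
type Mode = "before" | "after" | "naive";

const has = (list: string[], entry: string): boolean => list.indexOf(entry) !== -1;

// Main policy view: alsoAllow without allow is implicit allow-all plus extras.
function effectivePolicy(p: ToolsPolicy): string[] {
  if (p.allow && p.alsoAllow) {
    throw new Error("tools cannot set both allow and alsoAllow in the same scope");
  }
  // Assumption: a policy with neither key behaves like an empty alsoAllow.
  return p.allow ? [...p.allow] : ["*", ...(p.alsoAllow ?? [])];
}

// Allowlist handed to BOTH plugin discovery and the media tool factory.
function extractAllowlist(p: ToolsPolicy, mode: Mode): string[] {
  const list = effectivePolicy(p);
  if (p.allow || mode === "naive") return list; // naive: leak the synthetic "*"
  const out = list.filter((entry) => entry !== "*"); // keep discovery bounded
  if (mode === "after") out.push(CORE_ALLOW_ALL); // the fix: remember allow-all
  out.push(DEFAULT_PLUGINS);
  return out;
}

// Media factory check. Inferred from the PR text: an empty list is
// unrestricted, a nonempty list must name the tool or carry allow-all.
function mediaToolAllowed(tool: string, allowlist: string[]): boolean {
  if (allowlist.length === 0 || has(allowlist, "*")) return true;
  if (has(allowlist, CORE_ALLOW_ALL)) return true; // only core tools honor this
  return has(allowlist, tool);
}

function evaluatePolicy(p: ToolsPolicy, mode: Mode) {
  const allowlist = extractAllowlist(p, mode);
  return {
    allowlist,
    liveMedia: MEDIA_TOOLS.filter((t) => mediaToolAllowed(t, allowlist)),
    // Plugin discovery widens only on a literal "*", never on the core marker.
    pluginDiscoveryUnbounded: has(allowlist, "*"),
  };
}

// Constructed input matching the issue's config: tools.alsoAllow only.
const issuePolicy: ToolsPolicy = { alsoAllow: ["group:memory"] };
for (const mode of ["before", "after", "naive"] as const) {
  console.log(mode, JSON.stringify(evaluatePolicy(issuePolicy, mode)));
}
```
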

RAW_BUFFER

Summary

On v2026.5.4, generation provider startup from explicit agents.defaults.*GenerationModel is fixed, but generation tools can still remain Enabled / catalog-only / Not Live when global tools policy uses tools.alsoAllow without an explicit tools.allow.

This appears to be a separate follow-up edge case from #77244.

Related:

Environment

OpenClaw 2026.5.4 (325df3e)
Gateway: systemd user service

Config that reproduced the issue

Sanitized relevant config:

{
  "tools": {
    "web": {
      "search": { "enabled": true },
      "fetch": { "enabled": true }
    },
    "exec": {
      "ask": "off",
      "security": "full"
    },
    "alsoAllow": ["group:memory"]
  },
  "agents": {
    "defaults": {
      "imageGenerationModel": { "primary": "openai/gpt-image-2" },
      "videoGenerationModel": { "primary": "openai/sora-2" },
      "musicGenerationModel": { "primary": "google/lyria-3-pro-preview" }
    }
  },
  "plugins": {
    "entries": {
      "openai": { "enabled": true },
      "google": { "enabled": true }
    }
  }
}

Gateway logs showed the provider plugins were loaded:

http server listening (... google, ... openai, ...)

Gateway process env also had OPENAI_API_KEY and GEMINI_API_KEY present.

Observed behavior

tools.catalog included media generation tools:

[
  "image",
  "image_generate",
  "music_generate",
  "tts",
  "video_generate"
]

But tools.effective for agent:main:main omitted the generation tools:

[
  "image",
  "tts"
]

Control UI also showed image_generate, music_generate, and video_generate as Enabled but Not Live.

Workaround that fixed it

The config validator rejects setting both tools.allow and tools.alsoAllow in the same scope:

tools cannot set both allow and alsoAllow in the same scope

So the valid workaround was to merge group:memory into tools.allow and remove tools.alsoAllow:

{
  "tools": {
    "allow": ["*", "group:memory"]
  }
}

After Gateway restart, tools.effective included all media generation tools:

[
  "image",
  "image_generate",
  "music_generate",
  "tts",
  "video_generate"
]

Control UI also showed all five Media tools Live Now.

Suspected cause

The main tool policy pipeline seems to treat tools.alsoAllow without tools.allow as an implicit allow-all plus extras. However, the optional media tool factory appears to receive a reduced/explicit allowlist that does not preserve the implicit *, so image_generate, music_generate, and video_generate are filtered out before they reach the effective tool list.

This means #77244 fixed provider plugin startup, but the tools can still be Not Live under an alsoAllow-only global tools policy.

Expected behavior

If tools.alsoAllow without tools.allow is valid config and behaves as implicit allow-all elsewhere, optional media tool availability should preserve that implicit allow-all behavior too.

Alternatively, config validation/docs should steer users toward tools.allow: ["*", ...] for this case instead of allowing an alsoAllow-only config that silently suppresses optional media tools.

Actual behavior

Generation tools are catalog-visible but not effective/live until tools.alsoAllow is replaced with explicit tools.allow: ["*", "group:memory"].

extent analysis

TL;DR

To fix the issue, merge group:memory into tools.allow and remove tools.alsoAllow to ensure all media generation tools are included in the effective tool list.

Guidance

  • The issue arises when using tools.alsoAllow without an explicit tools.allow in the global tools policy, causing generation tools to be catalog-visible but not live.
  • To resolve this, update the config to use tools.allow with an explicit allowlist, including any additional groups or tools needed, such as ["*", "group:memory"].
  • Verify the fix by checking tools.effective for the presence of all expected media generation tools and confirming they are marked as Live in the Control UI.
  • Be aware that the config validator will reject setting both tools.allow and tools.alsoAllow in the same scope, so ensure only one is used.

Example

The corrected config would look like this:

{
  "tools": {
    "allow": ["*", "group:memory"]
  }
}

Notes

This fix assumes that the desired behavior is to have all media generation tools available and live when using an implicit allow-all policy. If a more restrictive policy is intended, the tools.allow list should be adjusted accordingly.

Recommendation

Apply the workaround by merging group:memory into tools.allow and removing tools.alsoAllow, as this ensures consistent behavior across all tools and avoids the issue of generation tools being catalog-visible but not live.
