openclaw - 💡(How to fix) Fix Policy plugin: support per-agent scoping for tool/exec/sandbox rules [1 pull requests]

Fix Action

Fixed

Summary

The Policy plugin (openclaw policy, new in v2026.5.22 — thanks!) covers global/uniform conformance well, but multi-agent workspaces often need rules that vary by agent. Today the rule grammar is single-scoped (one allowlist for the whole config), which forces operators back to ad-hoc audit scripts whenever different agents intentionally have different postures.

Concrete blockers I hit

While adopting policy on my Lobster workspace (11 agents, v2026.5.22), I have to keep my custom ~447-line security-audit.sh alive because policy can't express any of these per-agent rules — all rules below would false-positive against my intentional configuration if forced to global scope:

| Rule I need | Why policy can't express it today |
| --- | --- |
| lobster-node may use tools.exec.security=full; all other agents must use allowlist or deny | tools.exec.allowSecurity is global — including full permits it for any agent; excluding it breaks lobster-node |
| lobster-groups and lobster-family must deny sessions_spawn, write, edit, browser, canvas, cron, gateway; lobster main may allow them | agents.workspace.denyTools applies to all agents |
| Restricted agents (lobster-groups, lobster-family) must route exec to host=gateway; lobster-node routes to host=node | tools.exec.allowHosts is global |
| Per-agent tools.alsoAllow drift against a repo-pinned policy fixture (~400-line allowlist per agent) | No per-agent allowlist rule type |
| Per-agent tools.profile must match agent's role (messaging for lobster-mail vs minimal for lobster) | tools.profiles.allow is global |

The docs section on tool posture explicitly notes that policy observes per-agent overrides:

Tool posture policy observes tools.profile, tools.allow, tools.alsoAllow, tools.deny, … and the same per-agent agents.list[].tools.* overrides.

But the rules themselves don't scope to a target agent — observation is per-agent, enforcement is uniform.

Asks (in priority order)

  1. Per-agent rule scoping. Add an agent selector to existing rule blocks so the same fields can be scoped to one or more agent ids. Sketch:

    {
      "agents": {
        "workspace": [
          {
            "agent": ["lobster-groups", "lobster-family"],
            "denyTools": ["sessions_spawn", "write", "edit", "browser", "canvas", "cron", "gateway"]
          },
          {
            "agent": "lobster-node",
            "allowedAccess": ["rw"]  // intentional outlier
          }
        ]
      },
      "tools": {
        "exec": [
          { "agent": "lobster-node", "allowSecurity": ["full"], "requireAsk": ["off"], "allowHosts": ["node"] },
          { "agent": "*", "not": ["lobster-node"], "allowSecurity": ["allowlist", "deny"], "allowHosts": ["gateway"] }
        ]
      }
    }

    Could also be expressed as a top-level overrides block keyed by agent glob. Whatever fits the existing grammar.

  2. Per-agent tools.alsoAllow allowlist rule. A new field like tools.alsoAllow.expected that compares a fixed expected allowlist (per agent) against agents.list[].tools.alsoAllow and reports adds/removes as findings. This is the single biggest piece of my custom script — ~120 lines of per-agent allowlist drift detection. Would also be useful as tools.profile.expected and tools.deny.expected for symmetry.

  3. Selectors via group tags. Optional but powerful: let me tag a set of agents (tag: "restricted") and scope rules by tag, so I don't have to enumerate ids in every rule block. Useful when agent rosters grow.

Why this matters for adoption

Policy + doctor --lint is the right architectural direction — single conformance signal, hash-stable attestation, no parallel audit system. But the moment a workspace has more than one role per agent, the operator needs per-agent rules and falls back to scripts. Per-agent scoping closes that gap and unblocks retirement of custom audit scripts.

Context: discovered while doing the v2026.5.22 upgrade walkthrough. Sister issue #85929 covers the openclaw path depth + object-value limits I hit during the secrets migration in the same session.

cc @giodl73-repo since this builds on your #78051 substrate and the new Policy plugin.
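
Added example, not part of the original issue and not openclaw code: a sketch of how the proposed agent selector (ask 1) and the alsoAllow drift check (ask 2) could be evaluated. The rule fields are taken from the sketch above; the function names, the matching semantics (every matching rule applies, an unselected agent is a finding) and the per-agent sample settings are assumptions.

```javascript
// Hypothetical evaluator for the proposed per-agent selector: "agent" is an id,
// a list of ids, or "*", with an optional "not" exclusion list.
function selectorMatches(rule, agentId) {
  if ((rule.not || []).includes(agentId)) return false;
  const sel = Array.isArray(rule.agent) ? rule.agent : [rule.agent];
  return sel.includes("*") || sel.includes(agentId);
}

// Check one agent's exec settings against every rule that selects it.
function checkExec(rules, agentId, exec) {
  const findings = [];
  const matched = rules.filter((r) => selectorMatches(r, agentId));
  // Assumption: an agent that no rule selects is reported (fail closed).
  if (matched.length === 0) findings.push(`${agentId}: no exec rule applies`);
  for (const r of matched) {
    if (r.allowSecurity && !r.allowSecurity.includes(exec.security))
      findings.push(`${agentId}: exec.security=${exec.security} not in [${r.allowSecurity}]`);
    if (r.allowHosts && !r.allowHosts.includes(exec.host))
      findings.push(`${agentId}: exec.host=${exec.host} not in [${r.allowHosts}]`);
  }
  return findings;
}

// Ask 2: drift between a pinned expected allowlist and the live alsoAllow list.
function alsoAllowDrift(expected, actual) {
  const exp = new Set(expected), act = new Set(actual);
  return {
    added: [...act].filter((t) => !exp.has(t)).sort(),
    removed: [...exp].filter((t) => !act.has(t)).sort(),
  };
}

// Rules copied from the issue's sketch; the agent settings are constructed samples.
const execRules = [
  { agent: "lobster-node", allowSecurity: ["full"], requireAsk: ["off"], allowHosts: ["node"] },
  { agent: "*", not: ["lobster-node"], allowSecurity: ["allowlist", "deny"], allowHosts: ["gateway"] },
];
const sampleAgents = {
  "lobster-node": { security: "full", host: "node" },
  "lobster-groups": { security: "allowlist", host: "gateway" },
  "lobster-family": { security: "full", host: "gateway" }, // constructed misconfiguration
};

function auditAll() {
  return Object.entries(sampleAgents).flatMap(([id, exec]) => checkExec(execRules, id, exec));
}
console.log(auditAll());
```

With a single global allowSecurity list, either lobster-node's intended full setting or lobster-family's accidental one would be misreported; with scoped rules only the second is flagged.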
