PR #84357: fix: constrain wildcard subagent targets

• Repository: openclaw/openclaw
• Author: joshavant
• State: closed | merged: True
• Link: https://github.com/openclaw/openclaw/pull/84357

Description (problem / solution / changelog)

Summary

• Problem: agents.*.subagents.allowAgents: ["*"] let sessions_spawn.agentId target arbitrary unconfigured agent ids, creating ad hoc state roots.
• Solution: Treat wildcard subagent allowlists as “any configured target” while preserving explicit allowlist entries.
• What changed: Native subagent and ACP spawn policy now pass configured target ids into the shared target policy; docs and config comments describe the tightened wildcard behavior.
• What did NOT change: Explicit allowlisted-but-unconfigured target ids still work, including mixed allowlists like ["*", "beta"].

Motivation

• Closes #84040 by making the wildcard match the configured agent registry instead of acting as an open-ended agent-id creation escape.

Change Type (select all)

• Bug fix
• Feature
• Refactor required for the fix
• Docs
• Security hardening
• Chore/infra

Scope (select all touched areas)

• Gateway / orchestration
• Skills / tool execution
• Auth / tokens
• Memory / storage
• Integrations
• API / contracts
• UI / DX
• CI/CD / infra

Linked Issue/PR

• Closes #84040
• This PR fixes a bug or regression

Real behavior proof (required for external PRs)

• Behavior addressed: sessions_spawn with allowAgents: ["*"] rejects an unconfigured explicit agentId instead of spawning a new arbitrary agent state root.
• Real environment tested: AWS Crabbox direct provider, provider=aws, lease cbx_687b1eaafdfc, run run_5a730368b161, built branch from source, live Gateway, OpenAI openai/gpt-5.5.
• Exact steps or command run after this patch: Started Gateway with one configured agent main, main.subagents.allowAgents: ["*"], exposed sessions_spawn, then ran a live parent agent turn that called sessions_spawn once with agentId: "bogus-84040-b397f15f".
• Evidence after fix: Run output reported ISSUE_84040_FIX_EVIDENCE with finalText: "ISSUE_84040_PARENT_REJECTED_b397f15f", one sessions_spawn tool call, transcript containing both forbidden and configured agent registry, rogueAgentDirExists: false, and rogueWorkspaceDirExists: false.
• Observed result after fix: The model saw the forbidden tool result and replied with the rejected sentinel; no rogue agent or workspace directory was created.
• What was not tested: Live Telegram/channel delivery was not involved; this is a Gateway/OpenAI subagent tool-path proof.
• Before evidence: Current-main AWS repro accepted a bogus agentId and created agents/bogus-84040-.../sessions plus workspace/bogus-84040-....

Root Cause (if applicable)

• Root cause: The shared subagent target policy treated allowAgents containing "*" as unconditional allow-any before checking whether the target id existed in the configured registry.
• Missing detection / guardrail: Existing tests covered wildcard acceptance but not wildcard rejection for unconfigured ids.
• Contributing context (if known): Explicit allowlists historically allowed unconfigured ids, so the fix preserves explicit entries while narrowing only wildcard expansion.

Regression Test Plan (if applicable)

• Coverage level that should have caught this:
  • Unit test
  • Seam / integration test
  • End-to-end test
  • Existing coverage already sufficient
• Target test or file: src/agents/subagent-target-policy.test.ts, src/agents/openclaw-tools.subagents.sessions-spawn.allowlist.test.ts, src/agents/acp-spawn.test.ts.
• Scenario the test should lock in: Wildcard allowlists include configured ids plus requester, reject unconfigured ids, and preserve explicit entries in mixed wildcard allowlists.
• Why this is the smallest reliable guardrail: The shared target-policy test proves the pure contract; native and ACP spawn tests prove both callers pass configured target ids correctly.
• Existing test that already covers this (if any): Existing wildcard tests only asserted broad acceptance.
• If no new test is added, why not: N/A.

User-visible / Behavior Changes

subagents.allowAgents: ["*"] now means any configured target agent, not arbitrary agent ids. Operators who intentionally need an unconfigured target can still list that id explicitly.

Diagram (if applicable)

Before:
sessions_spawn(agentId=bogus) -> allowAgents ["*"] -> accepted -> bogus agent/workspace state

After:
sessions_spawn(agentId=bogus) -> allowAgents ["*"] -> registry check -> forbidden

Security Impact (required)

• New permissions/capabilities? No
• Secrets/tokens handling changed? No
• New/changed network calls? No
• Command/tool execution surface changed? Yes
• Data access scope changed? Yes
• If any Yes, explain risk + mitigation: The change narrows wildcard delegation to configured agents, reducing accidental or model-driven creation of arbitrary agent state/workspace roots. Explicit allowlist entries preserve intentional compatibility.

Repro + Verification

Environment

• OS: Linux on AWS Crabbox
• Runtime/container: Node 24 via repository build on direct AWS Crabbox
• Model/provider: OpenAI openai/gpt-5.5
• Integration/channel (if any): Gateway RPC only; no external channel
• Relevant config (redacted): one configured main agent with subagents.allowAgents: ["*"]; OpenAI API key sourced from environment

Steps

1. Build OpenClaw from this branch.
2. Start Gateway with one configured main agent and main.subagents.allowAgents: ["*"].
3. Run a live parent agent turn that calls sessions_spawn once with an unconfigured bogus agentId.

Expected

• The tool call returns forbidden with a configured-registry error and no bogus state root is created.

Actual

• Parent final text was ISSUE_84040_PARENT_REJECTED_b397f15f; transcript contained forbidden and configured agent registry; no rogue agent/workspace directories existed.

Evidence

• Failing test/log before + passing after
• Trace/log snippets
• Screenshot/recording
• Perf numbers (if relevant)

Human Verification (required)

• Verified scenarios: Target-policy pure contract, native sessions_spawn allowlist enforcement, ACP envelope allowlist enforcement, live AWS Gateway/OpenAI repro path.
• Edge cases checked: Mixed wildcard-plus-explicit allowlists preserve explicit unconfigured ids; explicit self-target behavior remains denyable; default omitted-agent self-spawn remains allowed.
• What you did not verify: Channel-specific delivery flows.

Review Conversations

• I replied to or resolved every bot review conversation I addressed in this PR.
• I left unresolved only the conversations that still need reviewer or maintainer judgment.

Compatibility / Migration

• Backward compatible? Mostly
• Config/env changes? Yes
• Migration needed? No
• If yes, exact upgrade steps: If an operator intentionally used ["*"] to target an unconfigured id, add that id explicitly to allowAgents.

Risks and Mitigations

• Risk: Operators relying on wildcard to target ad hoc ids will now see a forbidden result.
  • Mitigation: Explicit allowlist entries still allow those ids, and the error lists configured/allowed targets.

Changed files

• CHANGELOG.md (modified, +1/-0)
• docs/gateway/config-agents.md (modified, +1/-1)
• docs/gateway/config-tools.md (modified, +1/-1)
• docs/tools/subagents.md (modified, +1/-1)
• src/agents/acp-spawn.test.ts (modified, +72/-0)
• src/agents/acp-spawn.ts (modified, +33/-2)
• src/agents/openclaw-tools.subagents.sessions-spawn.allowlist.test.ts (modified, +26/-1)
• src/agents/subagent-spawn.ts (modified, +6/-1)
• src/agents/subagent-target-policy.test.ts (modified, +55/-0)
• src/agents/subagent-target-policy.ts (modified, +14/-1)
• src/config/types.agent-defaults.ts (modified, +1/-1)
• src/config/types.agents.ts (modified, +1/-1)