openclaw: tools.deny not enforced for claude-cli backend MCP — agents can call denied MCP tools

Bug

agents.list[].tools.deny is documented as a per-agent tool blocking mechanism with wildcard support (per docs/gateway/config-tools.md and docs/tools/multi-agent-sandbox-tools.md). However, when using agentRuntime.id: "claude-cli", denied MCP tools are still callable by the agent.

Reproduction (verified on 2026.5.4 and 2026.5.7)

  1. Agent config:

        {
          "id": "test-agent",
          "agentRuntime": { "id": "claude-cli" },
          "tools": { "deny": ["mcp__twenty-crm"] }
        }

  2. Global MCP config exposes mcp__twenty-crm__* tools via agents.defaults.cliBackends.claude-cli.args: ["--mcp-config", "/path/to/global.mcp.json"]
  3. openclaw agent --agent test-agent --message "Try calling mcp__twenty-crm__list_opportunities_by_stage" — succeeds and returns real data

Expected

tools.deny: ["mcp__twenty-crm"] should block the agent from calling those tools, regardless of backend.

Actual

Agent receives full MCP tool list. The temp .mcp.json written by loadMergedBundleMcpConfig() (in dist/prepare.runtime-*.js) contains all MCP servers without applying agent's tools.deny. Claude-cli reads the config file directly and exposes everything to the model.

Suspected root cause

loadMergedBundleMcpConfig() does not have access to agent context (agentId), so it cannot apply per-agent tools.deny policy when generating the temp MCP config for claude-cli backend. Tool denial enforcement appears to apply only in embedded agent execution paths (Pi sandbox, pi-tools-*.js), not in the MCP config generation pipeline for external CLI backends.
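The following is an added example, not OpenClaw's own code, of the step the root-cause analysis says is missing: filtering the merged MCP config against the agent's tools.deny before the temp .mcp.json is handed to the claude-cli backend. It assumes (hypothetically) that tool names follow the mcp__<server>__<tool> convention seen in the reproduction, that deny entries are glob patterns where `*` matches any characters, and that the merged config uses a top-level `mcpServers` map keyed by server name. Because a config file can only include or exclude whole servers, a deny pattern that covers only some of a server's tools makes the example drop the whole server and report why, rather than leak the denied tools.

```javascript
'use strict';

// Added example (not OpenClaw's code): apply an agent's tools.deny to a merged
// MCP config before it is written out for an external CLI backend.
// Assumptions (hypothetical): mcp__<server>__<tool> naming, `*` glob deny
// entries, and a top-level `mcpServers` map in the merged config.

// Split a deny entry into server and tool parts. Returns null for entries
// that are not MCP patterns (a built-in tool name such as "exec").
function parseMcpDeny(entry) {
  const parts = entry.split('__');
  if (parts[0] !== 'mcp' || parts.length < 2 || parts[1] === '') return null;
  return { server: parts[1], tool: parts.slice(2).join('__') };
}

// Convert a glob with `*` wildcards into an anchored RegExp.
function globToRegExp(glob) {
  const escaped = glob.replace(/[.+?^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '.*');
  return new RegExp(`^${escaped}$`);
}

// What one deny entry means for one server:
//   'server'  - the whole namespace is denied (mcp__x, mcp__x__*, mcp__*)
//   'partial' - only some of its tools are denied (mcp__x__delete_*)
//   null      - the entry does not touch this server
function denyScope(entry, serverName) {
  const parsed = parseMcpDeny(entry);
  if (parsed === null) return null;
  if (!globToRegExp(parsed.server).test(serverName)) return null;
  return parsed.tool === '' || parsed.tool === '*' ? 'server' : 'partial';
}

// Apply tools.deny to a merged MCP config. A partial deny also removes the
// server (fail closed) and is reported, so an operator sees why a server
// disappeared instead of the model silently receiving the denied tools.
function applyToolsDeny(mergedConfig, deny) {
  const kept = {};
  const removed = [];
  for (const [serverName, serverDef] of Object.entries(mergedConfig.mcpServers || {})) {
    let decision = null;
    for (const entry of deny) {
      const scope = denyScope(entry, serverName);
      if (scope === 'server') {
        decision = { server: serverName, scope, reason: entry };
        break;
      }
      if (scope === 'partial' && decision === null) {
        decision = { server: serverName, scope, reason: entry };
      }
    }
    if (decision === null) kept[serverName] = serverDef;
    else removed.push(decision);
  }
  return { config: { ...mergedConfig, mcpServers: kept }, removed };
}

// Constructed sample (placeholder commands): a merged global config exposing
// two stdio MCP servers.
const SAMPLE_MERGED_CONFIG = {
  mcpServers: {
    'twenty-crm': { command: '/path/to/twenty-crm-mcp', args: [] },
    filesystem: { command: '/path/to/filesystem-mcp', args: ['/tmp'] },
  },
};

// The agent config from the issue: deny the whole twenty-crm namespace.
const SAMPLE_AGENT = {
  id: 'test-agent',
  agentRuntime: { id: 'claude-cli' },
  tools: { deny: ['mcp__twenty-crm'] },
};

const result = applyToolsDeny(SAMPLE_MERGED_CONFIG, SAMPLE_AGENT.tools.deny);
console.log(JSON.stringify(result, null, 2)); // twenty-crm removed, filesystem kept
```

Run with `node` to print the filtered config and the list of removed servers. The important design choice is the fail-closed handling of partial patterns: a server-level config cannot express "this server minus these tools", so the only safe outcome at this layer is to drop the server and surface the reason.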

Secondary observation

Session transcripts in ~/.openclaw/agents/<id>/sessions/*.jsonl for claude-cli backend contain only text responses, not tool_use entries (those exist for mlx-local backend with format toolCall + arguments). This makes auditing tool usage difficult for claude-cli agents from the session log alone, and any "soft compliance" detection has limited visibility.
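As an added example, not OpenClaw's code, the audit below shows what can and cannot be checked from a session transcript alone. It walks a .jsonl file line by line, flags any recorded tool call that falls under the agent's tools.deny, and treats the model merely naming a denied tool in prose as a soft signal. The field names `toolCall`, `arguments` and `text` are assumptions based on the issue's description of the mlx-local format, and the sample lines are constructed, not real logs. For a text-only transcript of the kind the issue reports for claude-cli, the audit can only answer "unverifiable", which is the visibility gap the paragraph above describes.

```javascript
'use strict';

// Added example (not OpenClaw's code): audit a session transcript (.jsonl,
// one JSON object per line) against an agent's tools.deny list.
// Assumptions (hypothetical): entries use `toolCall` / `arguments` for tool
// use and `text` for model output. Sample lines below are constructed.

// A deny entry covers a tool when it names the tool exactly or names its
// server namespace (mcp__twenty-crm covers mcp__twenty-crm__<anything>).
function toolIsDenied(toolName, denied) {
  return denied.some((d) => toolName === d || toolName.startsWith(`${d}__`));
}

function auditTranscript(jsonl, denied) {
  const report = { toolCalls: 0, deniedCalls: [], textMentions: [], unparsable: 0, verdict: '' };
  for (const line of jsonl.split('\n')) {
    if (line.trim() === '') continue;
    let entry;
    try {
      entry = JSON.parse(line);
    } catch (e) {
      report.unparsable += 1; // keep going; one bad line must not hide a violation
      continue;
    }
    if (typeof entry.toolCall === 'string') {
      report.toolCalls += 1;
      if (toolIsDenied(entry.toolCall, denied)) report.deniedCalls.push(entry.toolCall);
    }
    // Soft signal only: the model naming a denied tool in prose is not proof
    // of a call, but it is the only trace a text-only transcript offers.
    if (typeof entry.text === 'string') {
      for (const d of denied) if (entry.text.includes(d)) report.textMentions.push(d);
    }
  }
  // No toolCall entries at all is not evidence of no tool use: the issue
  // reports that the claude-cli backend never writes them, so such a
  // transcript can only be marked unverifiable.
  if (report.deniedCalls.length > 0) report.verdict = 'violation';
  else if (report.toolCalls === 0) report.verdict = 'unverifiable';
  else report.verdict = 'clean';
  return report;
}

// Constructed mlx-local style transcript: tool use is recorded.
const SAMPLE_MLX_TRANSCRIPT = [
  '{"role":"assistant","text":"Checking the pipeline."}',
  '{"role":"assistant","toolCall":"mcp__twenty-crm__list_opportunities_by_stage","arguments":{"stage":"won"}}',
  'garbled line that is not JSON',
  '{"role":"assistant","text":"Found 12 opportunities."}',
].join('\n');

// Constructed claude-cli style transcript: text only, no toolCall entries.
const SAMPLE_CLI_TRANSCRIPT = [
  '{"role":"assistant","text":"I asked Wolf to update the CRM via mcp__twenty-crm."}',
  '{"role":"assistant","text":"Done."}',
].join('\n');

console.log(auditTranscript(SAMPLE_MLX_TRANSCRIPT, ['mcp__twenty-crm']).verdict); // violation
console.log(auditTranscript(SAMPLE_CLI_TRANSCRIPT, ['mcp__twenty-crm']).verdict); // unverifiable
```

The three-way verdict is deliberate: a detector that returned "clean" for a transcript with no tool entries would turn the logging gap into a false sense of compliance.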

Workarounds (none clean)

  • Wrapper script — fragile, no OPENCLAW_AGENT_ID env var passed to claude-cli subprocess
  • Removing MCP server from global config — breaks all agents that need it (no per-agent positive override path)
  • agents.list[].cliBackends — rejected by schema (Unrecognized key: cliBackends)
  • Per-agent extensions/<name>-mcp/ — these load as global bundle plugins, not per-agent

Impact

Security/permission boundary. Multi-agent setups that assume tools.deny is enforced fail silently. Agents call tools they should not have access to, and (in our observed case) hallucinate attribution — the agent says "I asked Wolf to update CRM" when actually it called the tool itself.

Documentation gap

Either the docs should be clarified that tools.deny is enforced only in embedded paths (not for claude-cli backend MCP), or the enforcement should be extended to cover the temp MCP config generation pipeline.

Environment

  • OpenClaw versions tested: 2026.5.4, 2026.5.7
  • Backend: agentRuntime.id: "claude-cli"
  • macOS (Apple Silicon)
  • Discovered via empirical testing on 2026-05-08 in a multi-agent production setup.
