From 268c14f0210b0da04b4b343de8bd3c6d636f5704 Mon Sep 17 00:00:00 2001
From: Peter Steinberger
Date: Sat, 14 Feb 2026 14:25:21 +0000
Subject: [PATCH] refactor(tools): centralize default policy steps
---
 src/agents/pi-tools.ts | 48 ++++++++++--------------------
 src/agents/tool-policy-pipeline.ts | 48 ++++++++++++++++++++++++++++++
 src/gateway/tools-invoke-http.ts | 48 ++++++++++--------------------
 3 files changed, 80 insertions(+), 64 deletions(-)
diff --git a/src/agents/pi-tools.ts b/src/agents/pi-tools.ts
index 9f69d16be53..2fd6793b8ee 100644
--- a/src/agents/pi-tools.ts
+++ b/src/agents/pi-tools.ts
@@ -43,7 +43,10 @@ import {
 wrapToolParamNormalization,
 } from "./pi-tools.read.js";
 import { cleanToolSchemaForGemini, normalizeToolParameters } from "./pi-tools.schema.js";
-import { applyToolPolicyPipeline } from "./tool-policy-pipeline.js";
+import {
+ applyToolPolicyPipeline,
+ buildDefaultToolPolicyPipelineSteps,
+} from "./tool-policy-pipeline.js";
 import {
 applyOwnerOnlyToolPolicy,
 collectExplicitAllowlist,
@@ -389,37 +392,18 @@ export function createOpenClawCodingTools(options?: {
 toolMeta: (tool) => getPluginToolMeta(tool),
 warn: logWarn,
 steps: [
- {
- policy: profilePolicyWithAlsoAllow,
- label: profile ? `tools.profile (${profile})` : "tools.profile",
- stripPluginOnlyAllowlist: true,
- },
- {
- policy: providerProfilePolicyWithAlsoAllow,
- label: providerProfile
- ? `tools.byProvider.profile (${providerProfile})`
- : "tools.byProvider.profile",
- stripPluginOnlyAllowlist: true,
- },
- { policy: globalPolicy, label: "tools.allow", stripPluginOnlyAllowlist: true },
- {
- policy: globalProviderPolicy,
- label: "tools.byProvider.allow",
- stripPluginOnlyAllowlist: true,
- },
- {
- policy: agentPolicy,
- label: agentId ? `agents.${agentId}.tools.allow` : "agent tools.allow",
- stripPluginOnlyAllowlist: true,
- },
- {
- policy: agentProviderPolicy,
- label: agentId
- ? `agents.${agentId}.tools.byProvider.allow`
- : "agent tools.byProvider.allow",
- stripPluginOnlyAllowlist: true,
- },
- { policy: groupPolicy, label: "group tools.allow", stripPluginOnlyAllowlist: true },
+ ...buildDefaultToolPolicyPipelineSteps({
+ profilePolicy: profilePolicyWithAlsoAllow,
+ profile,
+ providerProfilePolicy: providerProfilePolicyWithAlsoAllow,
+ providerProfile,
+ globalPolicy,
+ globalProviderPolicy,
+ agentPolicy,
+ agentProviderPolicy,
+ groupPolicy,
+ agentId,
+ }),
 { policy: sandbox?.tools, label: "sandbox tools.allow" },
 { policy: subagentPolicy, label: "subagent tools.allow" },
 ],
diff --git a/src/agents/tool-policy-pipeline.ts b/src/agents/tool-policy-pipeline.ts
index b4a4dfda936..c6d8cbb9b54 100644
--- a/src/agents/tool-policy-pipeline.ts
+++ b/src/agents/tool-policy-pipeline.ts
@@ -14,6 +14,54 @@ export type ToolPolicyPipelineStep = {
 stripPluginOnlyAllowlist?: boolean;
 };
 
+export function buildDefaultToolPolicyPipelineSteps(params: {
+ profilePolicy?: ToolPolicyLike;
+ profile?: string;
+ providerProfilePolicy?: ToolPolicyLike;
+ providerProfile?: string;
+ globalPolicy?: ToolPolicyLike;
+ globalProviderPolicy?: ToolPolicyLike;
+ agentPolicy?: ToolPolicyLike;
+ agentProviderPolicy?: ToolPolicyLike;
+ groupPolicy?: ToolPolicyLike;
+ agentId?: string;
+}): ToolPolicyPipelineStep[] {
+ const agentId = params.agentId?.trim();
+ const profile = params.profile?.trim();
+ const providerProfile = params.providerProfile?.trim();
+ return [
+ {
+ policy: params.profilePolicy,
+ label: profile ? `tools.profile (${profile})` : "tools.profile",
+ stripPluginOnlyAllowlist: true,
+ },
+ {
+ policy: params.providerProfilePolicy,
+ label: providerProfile
+ ? `tools.byProvider.profile (${providerProfile})`
+ : "tools.byProvider.profile",
+ stripPluginOnlyAllowlist: true,
+ },
+ { policy: params.globalPolicy, label: "tools.allow", stripPluginOnlyAllowlist: true },
+ {
+ policy: params.globalProviderPolicy,
+ label: "tools.byProvider.allow",
+ stripPluginOnlyAllowlist: true,
+ },
+ {
+ policy: params.agentPolicy,
+ label: agentId ? `agents.${agentId}.tools.allow` : "agent tools.allow",
+ stripPluginOnlyAllowlist: true,
+ },
+ {
+ policy: params.agentProviderPolicy,
+ label: agentId ? `agents.${agentId}.tools.byProvider.allow` : "agent tools.byProvider.allow",
+ stripPluginOnlyAllowlist: true,
+ },
+ { policy: params.groupPolicy, label: "group tools.allow", stripPluginOnlyAllowlist: true },
+ ];
+}
+
 export function applyToolPolicyPipeline(params: {
 tools: AnyAgentTool[];
 toolMeta: (tool: AnyAgentTool) => { pluginId: string } | undefined;
diff --git a/src/gateway/tools-invoke-http.ts b/src/gateway/tools-invoke-http.ts
index 6413a0d6b50..222b883f27e 100644
--- a/src/gateway/tools-invoke-http.ts
+++ b/src/gateway/tools-invoke-http.ts
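Review bot: `buildDefaultToolPolicyPipelineSteps` (src/agents/tool-policy-pipeline.ts) is not a byte-for-byte move of the literals removed from the two callers: it now calls `.trim()` on `agentId`, `profile` and `providerProfile`, so a whitespace-only value yields the generic label (`"agent tools.allow"`, `"tools.profile"`) where the old call sites would have interpolated it. Only `label` is affected, so this looks harmless, but a refactor of allowlist wiring should say so in the description and ship a test pinning the seven labels and their order; the diffstat lists no test file. The function also has no doc comment; I would add `/** Default allowlist steps shared by the agent and gateway paths, in the order they are handed to applyToolPolicyPipeline; every step sets stripPluginOnlyAllowlist. */`. `trim()` leaves interior control characters in place, so if `agentId` can come from a request, the label passed to `warn` should be checked for that at the caller.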
@@ -6,7 +6,10 @@ import {
 resolveGroupToolPolicy,
 resolveSubagentToolPolicy,
 } from "../agents/pi-tools.policy.js";
-import { applyToolPolicyPipeline } from "../agents/tool-policy-pipeline.js";
+import {
+ applyToolPolicyPipeline,
+ buildDefaultToolPolicyPipelineSteps,
+} from "../agents/tool-policy-pipeline.js";
 import { collectExplicitAllowlist, resolveToolProfilePolicy } from "../agents/tool-policy.js";
 import { ToolInputError } from "../agents/tools/common.js";
 import { loadConfig } from "../config/config.js";
@@ -259,37 +262,18 @@ export async function handleToolsInvokeHttpRequest(
 toolMeta: (tool) => getPluginToolMeta(tool as any),
 warn: logWarn,
 steps: [
- {
- policy: profilePolicyWithAlsoAllow,
- label: profile ? `tools.profile (${profile})` : "tools.profile",
- stripPluginOnlyAllowlist: true,
- },
- {
- policy: providerProfilePolicyWithAlsoAllow,
- label: providerProfile
- ? `tools.byProvider.profile (${providerProfile})`
- : "tools.byProvider.profile",
- stripPluginOnlyAllowlist: true,
- },
- { policy: globalPolicy, label: "tools.allow", stripPluginOnlyAllowlist: true },
- {
- policy: globalProviderPolicy,
- label: "tools.byProvider.allow",
- stripPluginOnlyAllowlist: true,
- },
- {
- policy: agentPolicy,
- label: agentId ? `agents.${agentId}.tools.allow` : "agent tools.allow",
- stripPluginOnlyAllowlist: true,
- },
- {
- policy: agentProviderPolicy,
- label: agentId
- ? `agents.${agentId}.tools.byProvider.allow`
- : "agent tools.byProvider.allow",
- stripPluginOnlyAllowlist: true,
- },
- { policy: groupPolicy, label: "group tools.allow", stripPluginOnlyAllowlist: true },
+ ...buildDefaultToolPolicyPipelineSteps({
+ profilePolicy: profilePolicyWithAlsoAllow,
+ profile,
+ providerProfilePolicy: providerProfilePolicyWithAlsoAllow,
+ providerProfile,
+ globalPolicy,
+ globalProviderPolicy,
+ agentPolicy,
+ agentProviderPolicy,
+ groupPolicy,
+ agentId,
+ }),
 { policy: subagentPolicy, label: "subagent tools.allow" },
 ],
 });
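Review bot: After the spread, the gateway step list in `handleToolsInvokeHttpRequest` ends with only `subagent tools.allow`, while `createOpenClawCodingTools` in pi-tools.ts also appends `{ policy: sandbox?.tools, label: "sandbox tools.allow" }`. The commit preserves that pre-existing difference, but with the seven defaults now shared these trailing steps are the only place the two enforcement paths differ, and nothing in the hunk says whether skipping the sandbox policy here is deliberate. I would record it above the spread, e.g. `// NOTE(review): no "sandbox tools.allow" step on the HTTP invoke path, unlike createOpenClawCodingTools — confirm intentional`. The function body starts and ends outside the hunk, so a sandbox check elsewhere in the handler cannot be ruled out.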