Implements the openclaw side of Plexum decision #37: agent-driven
per-session whitelist of which tools the model sees. Cross-runtime
aligned with Plexum's host implementation (same tool names, same
input schemas, takes-effect-next-turn).
New surface:
- tools/dynamic-tools-cache.ts:
Catalog (in-memory map), Cache file (atomic tmp+rename at
<openclaw>/agents/<id>/sessions/<sid>/dynamic-tools-cache.json),
4 tool factories (list/search/cache/evict), allowTool gate,
installGlobalApi for globalThis.__padded with buffer-drain
- index.ts: install __padded early; register the 4 cache tools
as factories wrapping ctx into execute
- openclaw.plugin.json contracts.tools += 4 names
Other Hangman-Lab plugins (Fabric / HF / Dialectic) opt in to the
gate by wrapping their registerTool calls (separate commits in those
repos). Built-in openclaw tools and non-opt-in plugins remain
always-on.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Align the openclaw side of the dynamic-* tool family with the new
Plexum design (decision #31, 2026-06-04 revision):
- trim-tool-result → dynamic-trim (same on-wire schema; same semantics)
- Drop list-tool-results entirely. Agents find the opaque tool_call_id
by reading their own prior assistant message's toolCall block id
instead of querying a separate "directory" tool. This removes a
workflow-step prerequisite and matches how Anthropic-shaped APIs
surface tool_use ids to the model anyway.
- On agent_end drain, ALSO self-compact the dynamic-trim's own
tool_use.input: rewrite to {tool_call_id, _self_compacted: true}.
Without this the bulky `replacement` text sits duplicated — once in
the rewritten target tool_result, once in dynamic-trim's call input.
Picks up the selfCallId from openclaw's execute(toolCallId, ...) first
arg (was previously discarded as _id).
Cross-runtime contract: tool name, input schema, return shape, and
sentinel prefix ("[trimmed by self] ") match Plexum's dynamic-trim
in internal/dynmem/trim.go + internal/persistence/trim.go.
Sim e2e tested: dynamic-trim queues, agent_end drain rewrites both
the target tool_result content AND the trim call's tool_use input.
No takeover errors. trimmed_bytes positive on real workloads.
Two new openclaw tools that let an agent reclaim ctx tokens consumed by
past tool results once it has extracted what it needs:
list-tool-results — enumerates past toolResults in the agent's own
session jsonl (size, tool name, turns-ago, args summary, already-
trimmed flag); does NOT return content body
trim-tool-result — replaces a past toolResult's content[].text with a
short sentinel-tagged replacement, identified by tool_call_id
The actual file rewrite is deferred to the `agent_end` hook (drained
from an in-memory queue) because writing during tool execute() trips
openclaw's session-file fence (EmbeddedAttemptSessionTakeoverError) —
the fingerprint check around releaseForPrompt rejects third-party
writes. By agent_end the lock window is closed and the next turn's
fence baseline picks up our mutation cleanly.
Queue-time validation rejects bad tool_call_ids up-front so weak
models that confuse opaque call_function_*_N ids with topic/fact
numeric ids get a clear error instead of a silent skip at drain time.
install.mjs now auto-sets plugins.entries.padded-cell.hooks.
allowConversationAccess=true (required for the agent_end hook on
non-bundled plugins; without it the drain never fires and queued
trims rot in memory).
Sim-verified end-to-end: model dispatches trim, drain fires on
agent_end, next turn's list shows already_trimmed=true.
ESM conversion:
- package.json: add "type": "module"; drop stale "main": "index.ts"
- tsconfig.json: switch module/moduleResolution to "nodenext"
- plugin/index.ts: replace `module.exports = { register }` and
`module.exports.X = X` with `export default definePluginEntry({ ... })`
plus named ESM re-exports; replace `require('os')`/`require('path')`
with proper imports.
- plugin/tools/pcexec.ts: replace `require('child_process')` with import
from "node:child_process".
- plugin/commands/ego-mgr-slash.ts: replace `require('path')` with
proper path import.
- All relative imports/exports across plugin/ now carry .js extensions
as required by Node ESM (nodenext module resolution).
Plugin SDK convention update:
- Wrap default export with definePluginEntry({ id, name, description,
register }) per the current openclaw authoring contract.
- Type api parameter as OpenClawPluginApi (was `any`); the non-standard
api.registerSlashCommand call is preserved behind a guarded any-cast,
so the plugin remains a no-op for slash commands when the host doesn't
expose that hook (matches the previous defensive guard).
- Add openclaw as a devDependency (file:/usr/lib/node_modules/openclaw)
so tsc can resolve openclaw/plugin-sdk/* subpath types at build time.
- Modernize openclaw.plugin.json: drop entry/version, add
activation.onStartup so gateway_start fires for this plugin at boot,
declare contracts.tools listing pcexec/proxy-pcexec/safe_restart.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Add /ego-mgr slash command with subcommands:
- get, set, list, delete, add-column, add-public-column, show
- Uses pcexec to call ego-mgr binary with proper env vars
Translate all Chinese text to English in responses.
Note: pcexec tool name and function names remain unchanged.
- Restructure: pcexec/ and safe-restart/ → plugin/{tools,core,commands}
- New pcguard Go binary: validates AGENT_VERIFY, AGENT_ID, AGENT_WORKSPACE
- pcexec now injects AGENT_VERIFY env + appends openclaw bin to PATH
- plugin/index.ts: unified TypeScript entry point with resolveOpenclawPath()
- install.mjs: support --openclaw-profile-path, install pcguard, new paths
- README: updated structure docs + security limitations note
- Removed old root index.js and openclaw.plugin.json
