#23582: fix(tool-policy): add group:fs and group:runtime to group:openclaw

## What broke `group:openclaw` is documented everywhere as *"all built-in OpenClaw tools (excludes provider plugins)"* — in `configuration-reference.md`, `sandbox-vs-tool-policy-vs-elevated.md`, `tools/index.md`, and `multi-agent-sandbox-tools.md`. It is the natural choice when writing a tool policy that should cover the full native tool surface. But it was silently missing two entire sub-groups: | Missing group | Tools omitted | |---|---| | `group:fs` | `read`, `write`, `edit`, `apply_patch` | | `group:runtime` | `exec`, `process` | ## Security impact **allow side:** A subagent with `tools.allow: ["group:openclaw"]` could not read or write files or execute commands without the operator separately adding `group:fs` and `group:runtime`. The policy appeared correct but was incomplete. **deny side (worse):** An operator writing `tools.deny: ["group:openclaw"]` to block all native tools would leave `read`, `write`, `exec`, and `process` fully unblocked — the opposite of the stated intent. This is the class of bug the [openclaw formal models](https://github.com/openclaw/openclaw-formal-models) are designed to catch: a group expansion invariant violation. ## Fix Add the missing tools with inline section comments that mirror the named sub-groups, making future omissions visible at a glance. ## Verification The existing test `"includes core tool groups in group:openclaw"` was expanded into `"includes all named sub-groups in group:openclaw"` — it now asserts every tool from every named sub-group is present, acting as a regression guard. ```sh pnpm test src/agents/tool-policy.e2e.test.ts ``` Fixes #23610 [AI-assisted] <!-- greptile_comment --> <h3>Greptile Summary</h3> Fixes a critical security gap in tool-policy group expansion where `group:openclaw` was missing `group:fs` (read, write, edit, apply_patch) and `group:runtime` (exec, process) tools. **Key changes:** - Added missing filesystem and runtime tools to `group:openclaw` definition in `src/agents/tool-policy-shared.ts:40-75` - Reorganized tools with inline comments matching named sub-groups for maintainability - Strengthened regression coverage in `src/agents/tool-policy.e2e.test.ts:62-93` by expanding test to verify all sub-groups **Security impact:** - **Deny side (critical):** Policies using `deny: ["group:openclaw"]` would leave `read`, `write`, `exec`, and `process` fully unblocked — the opposite of stated intent - **Allow side:** Subagents with `allow: ["group:openclaw"]` couldn't access filesystem or runtime tools without explicitly adding the missing groups <h3>Confidence Score: 5/5</h3> - Safe to merge — fixes critical security gap with comprehensive test coverage - The fix correctly addresses a documented security vulnerability (group expansion invariant violation) by adding missing tools to `group:openclaw`. All tools from all named sub-groups are now accounted for. The change includes inline documentation to prevent future omissions, and the test was strengthened to verify all sub-groups are present, acting as a regression guard. - No files require special attention _{Last reviewed commit: 4462a6a} <!-- greptile_other_comments_section --> <!-- /greptile_comment -->