#20559: Feature/cron tool control

## Summary Describe the problem and fix in 2–5 bullets: - Problem: Cron jobs can access all tools available to main agent. - Why it matters: A notification cron should not have access to possibly destructive actions. - What changed: Cron CLI now has two additional flags, `--tools-allowed` and `--tools-denied` to either allow or deny tools. ## Change Type (select all) - [ ] Bug fix - [X] Feature - [ ] Refactor - [ ] Docs - [ ] Security hardening - [ ] Chore/infra ## Scope (select all touched areas) - [ ] Gateway / orchestration - [X] Skills / tool execution - [ ] Auth / tokens - [ ] Memory / storage - [ ] Integrations - [ ] API / contracts - [ ] UI / DX - [ ] CI/CD / infra ## Linked Issue/PR - Closes #18661 ## User-visible / Behavior Changes List user-visible changes (including defaults/config). If none, write `None`. ## Security Impact (required) - New permissions/capabilities? (`No`) - Secrets/tokens handling changed? (`No`) - New/changed network calls? (`No`) - Command/tool execution surface changed? (`Yes`) - Data access scope changed? (`No`) - If any `Yes`, explain risk + mitigation: User might accidentally allow tools that they would not like the agent to access through `--tools-allowed flag. ## Repro + Verification ### Environment - OS: Ubuntu 24.04.4 LTS - Runtime/container: None - Model/provider: None - Integration/channel (if any): None - Relevant config (redacted): None ### Steps 1. Run openclaw. 2. Create an isolated cron task with flags `--tools-allowed` or `--tools-denied` 3. The new feature will 1. add the tools specified to the cron json object and 2. respect the tools from the cron config when running the job. ### Expected - 👆 aforementioned ### Actual + Evidence <img width="945" height="738" alt="image" src="https://github.com/user-attachments/assets/73173855-123a-44ff-8da2-d799be5157bb" /> Attach at least one: - [ ] Failing test/log before + passing after - [ ] Trace/log snippets - [X] Screenshot/recording - [ ] Perf numbers (if relevant) ## Human Verification (required) What you personally verified (not just CI), and how: - Verified scenarios: Cron job adds to `jobs.json` file, job runs correctly (I receive message on set channel) - Edge cases checked: `--tools-xxxx` not present. `--tools-xxxx` run without `--session isolated` ## Compatibility / Migration - Backward compatible? (`Yes`) - Config/env changes? (`No`) - Migration needed? (`No`) ## Failure Recovery (if this breaks) - How to disable/revert this change quickly: Remove `tools` from `CronJob` type + remove `tools` from `src/cron/jobs.ts` in `createJob` and `applyJobPatch` - Known bad symptoms reviewers should watch for: None yet. ## Risks and Mitigations List only real risks for this PR. Add/remove entries as needed. If none, write `None`. None <!-- greptile_comment --> <h3>Greptile Summary</h3> Added tool access control for cron jobs to restrict which tools isolated cron agents can use. The implementation adds `--tools-allowed` and `--tools-denied` flags to the cron CLI, restricted to isolated sessions only. Job-level tool restrictions are merged additively with agent config defaults at runtime, allowing fine-grained control over cron job capabilities. - Added optional `tools` field to `CronJob` type with `allow` and `deny` arrays - Implemented CLI flags for specifying allowed/denied tools (comma-separated) - Tool restrictions properly validated to require `--session isolated` - Runtime merges job tools with config tools additively to build final tool allowlist - Patch logic replaces `allow` and `deny` arrays independently when specified - Tests cover add, edit, and validation scenarios <h3>Confidence Score: 4/5</h3> - This PR is safe to merge with low risk - The implementation correctly adds tool access control for cron jobs with appropriate validation and testing. The feature is well-contained to isolated sessions and follows existing patterns. Minor behavioral quirks with patch semantics were already addressed in follow-up commits and discussed in previous review threads. No security vulnerabilities or critical bugs found. - No files require special attention _{Last reviewed commit: 7c17f51} <!-- greptile_other_comments_section --> <!-- /greptile_comment -->