Channels: add per-group tool policies

extensions/bluebubbles/src/channel.ts

@@ -10,6 +10,7 @@ import {
   normalizeAccountId,
   PAIRING_APPROVED_MESSAGE,
   resolveBlueBubblesGroupRequireMention,
+  resolveBlueBubblesGroupToolPolicy,
   setAccountEnabledInConfigSection,
 } from "clawdbot/plugin-sdk";
 
@@ -62,6 +63,7 @@ export const bluebubblesPlugin: ChannelPlugin<ResolvedBlueBubblesAccount> = {
   },
   groups: {
     resolveRequireMention: resolveBlueBubblesGroupRequireMention,
+    resolveToolPolicy: resolveBlueBubblesGroupToolPolicy,
   },
   threading: {
     buildToolContext: ({ context, hasRepliedRef }) => ({

extensions/bluebubbles/src/config-schema.ts

@@ -1,4 +1,4 @@
-import { MarkdownConfigSchema } from "clawdbot/plugin-sdk";
+import { MarkdownConfigSchema, ToolPolicySchema } from "clawdbot/plugin-sdk";
 import { z } from "zod";
 
 const allowFromEntry = z.union([z.string(), z.number()]);
@@ -21,6 +21,7 @@ const bluebubblesActionSchema = z
 
 const bluebubblesGroupConfigSchema = z.object({
   requireMention: z.boolean().optional(),
+  tools: ToolPolicySchema,
 });
 
 const bluebubblesAccountSchema = z.object({

extensions/bluebubbles/src/types.ts

@@ -4,6 +4,8 @@ export type GroupPolicy = "open" | "disabled" | "allowlist";
 export type BlueBubblesGroupConfig = {
   /** If true, only respond in this group when mentioned. */
   requireMention?: boolean;
+  /** Optional tool policy overrides for this group. */
+  tools?: { allow?: string[]; deny?: string[] };
 };
 
 export type BlueBubblesAccountConfig = {

extensions/discord/src/channel.ts

@@ -20,6 +20,7 @@ import {
   resolveDiscordAccount,
   resolveDefaultDiscordAccountId,
   resolveDiscordGroupRequireMention,
+  resolveDiscordGroupToolPolicy,
   setAccountEnabledInConfigSection,
   type ChannelMessageActionAdapter,
   type ChannelPlugin,
@@ -144,6 +145,7 @@ export const discordPlugin: ChannelPlugin<ResolvedDiscordAccount> = {
   },
   groups: {
     resolveRequireMention: resolveDiscordGroupRequireMention,
+    resolveToolPolicy: resolveDiscordGroupToolPolicy,
   },
   mentions: {
     stripPatterns: () => ["<@!?\\d+>"],

extensions/imessage/src/channel.ts

@@ -15,6 +15,7 @@ import {
   resolveDefaultIMessageAccountId,
   resolveIMessageAccount,
   resolveIMessageGroupRequireMention,
+  resolveIMessageGroupToolPolicy,
   setAccountEnabledInConfigSection,
   type ChannelPlugin,
   type ResolvedIMessageAccount,
@@ -106,6 +107,7 @@ export const imessagePlugin: ChannelPlugin<ResolvedIMessageAccount> = {
   },
   groups: {
     resolveRequireMention: resolveIMessageGroupRequireMention,
+    resolveToolPolicy: resolveIMessageGroupToolPolicy,
   },
   messaging: {
     targetResolver: {

extensions/matrix/src/channel.ts

@@ -12,7 +12,7 @@ import {
 
 import { matrixMessageActions } from "./actions.js";
 import { MatrixConfigSchema } from "./config-schema.js";
-import { resolveMatrixGroupRequireMention } from "./group-mentions.js";
+import { resolveMatrixGroupRequireMention, resolveMatrixGroupToolPolicy } from "./group-mentions.js";
 import type { CoreConfig } from "./types.js";
 import {
   listMatrixAccountIds,
@@ -167,6 +167,7 @@ export const matrixPlugin: ChannelPlugin<ResolvedMatrixAccount> = {
   },
   groups: {
     resolveRequireMention: resolveMatrixGroupRequireMention,
+    resolveToolPolicy: resolveMatrixGroupToolPolicy,
   },
   threading: {
     resolveReplyToMode: ({ cfg }) =>

extensions/matrix/src/config-schema.ts

@@ -1,4 +1,4 @@
-import { MarkdownConfigSchema } from "clawdbot/plugin-sdk";
+import { MarkdownConfigSchema, ToolPolicySchema } from "clawdbot/plugin-sdk";
 import { z } from "zod";
 
 const allowFromEntry = z.union([z.string(), z.number()]);
@@ -26,6 +26,7 @@ const matrixRoomSchema = z
     enabled: z.boolean().optional(),
     allow: z.boolean().optional(),
     requireMention: z.boolean().optional(),
+    tools: ToolPolicySchema,
     autoReply: z.boolean().optional(),
     users: z.array(allowFromEntry).optional(),
     skills: z.array(z.string()).optional(),

extensions/matrix/src/group-mentions.ts

@@ -1,4 +1,4 @@
-import type { ChannelGroupContext } from "clawdbot/plugin-sdk";
+import type { ChannelGroupContext, GroupToolPolicyConfig } from "clawdbot/plugin-sdk";
 
 import { resolveMatrixRoomConfig } from "./matrix/monitor/rooms.js";
 import type { CoreConfig } from "./types.js";
@@ -32,3 +32,30 @@ export function resolveMatrixGroupRequireMention(params: ChannelGroupContext): b
   }
   return true;
 }
+
+export function resolveMatrixGroupToolPolicy(
+  params: ChannelGroupContext,
+): GroupToolPolicyConfig | undefined {
+  const rawGroupId = params.groupId?.trim() ?? "";
+  let roomId = rawGroupId;
+  const lower = roomId.toLowerCase();
+  if (lower.startsWith("matrix:")) {
+    roomId = roomId.slice("matrix:".length).trim();
+  }
+  if (roomId.toLowerCase().startsWith("channel:")) {
+    roomId = roomId.slice("channel:".length).trim();
+  }
+  if (roomId.toLowerCase().startsWith("room:")) {
+    roomId = roomId.slice("room:".length).trim();
+  }
+  const groupChannel = params.groupChannel?.trim() ?? "";
+  const aliases = groupChannel ? [groupChannel] : [];
+  const cfg = params.cfg as CoreConfig;
+  const resolved = resolveMatrixRoomConfig({
+    rooms: cfg.channels?.matrix?.groups ?? cfg.channels?.matrix?.rooms,
+    roomId,
+    aliases,
+    name: groupChannel || undefined,
+  }).config;
+  return resolved?.tools;
+}

extensions/matrix/src/types.ts

@@ -18,6 +18,8 @@ export type MatrixRoomConfig = {
   allow?: boolean;
   /** Require mentioning the bot to trigger replies. */
   requireMention?: boolean;
+  /** Optional tool policy overrides for this room. */
+  tools?: { allow?: string[]; deny?: string[] };
   /** If true, reply without mention requirements. */
   autoReply?: boolean;
   /** Optional allowlist for room senders (user IDs or localparts). */

extensions/msteams/src/channel.ts

@@ -9,6 +9,7 @@ import {
 import { msteamsOnboardingAdapter } from "./onboarding.js";
 import { msteamsOutbound } from "./outbound.js";
 import { probeMSTeams } from "./probe.js";
+import { resolveMSTeamsGroupToolPolicy } from "./policy.js";
 import {
   normalizeMSTeamsMessagingTarget,
   normalizeMSTeamsUserInput,
@@ -77,6 +78,9 @@ export const msteamsPlugin: ChannelPlugin<ResolvedMSTeamsAccount> = {
       hasRepliedRef,
     }),
   },
+  groups: {
+    resolveToolPolicy: resolveMSTeamsGroupToolPolicy,
+  },
   reload: { configPrefixes: ["channels.msteams"] },
   configSchema: buildChannelConfigSchema(MSTeamsConfigSchema),
   config: {

extensions/msteams/src/policy.ts

@@ -1,6 +1,8 @@
 import type {
   AllowlistMatch,
+  ChannelGroupContext,
   GroupPolicy,
+  GroupToolPolicyConfig,
   MSTeamsChannelConfig,
   MSTeamsConfig,
   MSTeamsReplyStyle,
@@ -86,6 +88,50 @@ export function resolveMSTeamsRouteConfig(params: {
   };
 }
 
+export function resolveMSTeamsGroupToolPolicy(
+  params: ChannelGroupContext,
+): GroupToolPolicyConfig | undefined {
+  const cfg = params.cfg.channels?.msteams;
+  if (!cfg) return undefined;
+  const groupId = params.groupId?.trim();
+  const groupChannel = params.groupChannel?.trim();
+  const groupSpace = params.groupSpace?.trim();
+
+  const resolved = resolveMSTeamsRouteConfig({
+    cfg,
+    teamId: groupSpace,
+    teamName: groupSpace,
+    conversationId: groupId,
+    channelName: groupChannel,
+  });
+
+  if (resolved.channelConfig) {
+    return resolved.channelConfig.tools ?? resolved.teamConfig?.tools;
+  }
+  if (resolved.teamConfig?.tools) return resolved.teamConfig.tools;
+
+  if (!groupId) return undefined;
+
+  const channelCandidates = buildChannelKeyCandidates(
+    groupId,
+    groupChannel,
+    groupChannel ? normalizeChannelSlug(groupChannel) : undefined,
+  );
+  for (const teamConfig of Object.values(cfg.teams ?? {})) {
+    const match = resolveChannelEntryMatchWithFallback({
+      entries: teamConfig?.channels ?? {},
+      keys: channelCandidates,
+      wildcardKey: "*",
+      normalizeKey: normalizeChannelSlug,
+    });
+    if (match.entry) {
+      return match.entry.tools ?? teamConfig?.tools;
+    }
+  }
+
+  return undefined;
+}
+
 export type MSTeamsReplyPolicy = {
   requireMention: boolean;
   replyStyle: MSTeamsReplyStyle;

extensions/nextcloud-talk/src/channel.ts

@@ -24,6 +24,7 @@ import { nextcloudTalkOnboardingAdapter } from "./onboarding.js";
 import { getNextcloudTalkRuntime } from "./runtime.js";
 import { sendMessageNextcloudTalk } from "./send.js";
 import type { CoreConfig } from "./types.js";
+import { resolveNextcloudTalkGroupToolPolicy } from "./policy.js";
 
 const meta = {
   id: "nextcloud-talk",
@@ -159,6 +160,7 @@ export const nextcloudTalkPlugin: ChannelPlugin<ResolvedNextcloudTalkAccount> =
 
       return true;
     },
+    resolveToolPolicy: resolveNextcloudTalkGroupToolPolicy,
   },
   messaging: {
     normalizeTarget: normalizeNextcloudTalkMessagingTarget,

extensions/nextcloud-talk/src/config-schema.ts

@@ -4,6 +4,7 @@ import {
   DmPolicySchema,
   GroupPolicySchema,
   MarkdownConfigSchema,
+  ToolPolicySchema,
   requireOpenAllowFrom,
 } from "clawdbot/plugin-sdk";
 import { z } from "zod";
@@ -11,6 +12,7 @@ import { z } from "zod";
 export const NextcloudTalkRoomSchema = z
   .object({
     requireMention: z.boolean().optional(),
+    tools: ToolPolicySchema,
     skills: z.array(z.string()).optional(),
     enabled: z.boolean().optional(),
     allowFrom: z.array(z.string()).optional(),

extensions/nextcloud-talk/src/policy.ts

@@ -1,4 +1,4 @@
-import type { AllowlistMatch, GroupPolicy } from "clawdbot/plugin-sdk";
+import type { AllowlistMatch, ChannelGroupContext, GroupPolicy, GroupToolPolicyConfig } from "clawdbot/plugin-sdk";
 import {
   buildChannelKeyCandidates,
   normalizeChannelSlug,
@@ -86,6 +86,21 @@ export function resolveNextcloudTalkRoomMatch(params: {
   };
 }
 
+export function resolveNextcloudTalkGroupToolPolicy(
+  params: ChannelGroupContext,
+): GroupToolPolicyConfig | undefined {
+  const cfg = params.cfg as { channels?: { "nextcloud-talk"?: { rooms?: Record<string, NextcloudTalkRoomConfig> } } };
+  const roomToken = params.groupId?.trim();
+  if (!roomToken) return undefined;
+  const roomName = params.groupChannel?.trim() || undefined;
+  const match = resolveNextcloudTalkRoomMatch({
+    rooms: cfg.channels?.["nextcloud-talk"]?.rooms,
+    roomToken,
+    roomName,
+  });
+  return match.roomConfig?.tools ?? match.wildcardConfig?.tools;
+}
+
 export function resolveNextcloudTalkRequireMention(params: {
   roomConfig?: NextcloudTalkRoomConfig;
   wildcardConfig?: NextcloudTalkRoomConfig;

extensions/nextcloud-talk/src/types.ts

@@ -7,6 +7,8 @@ import type {
 
 export type NextcloudTalkRoomConfig = {
   requireMention?: boolean;
+  /** Optional tool policy overrides for this room. */
+  tools?: { allow?: string[]; deny?: string[] };
   /** If specified, only load these skills for this room. Omit = all skills; empty = no skills. */
   skills?: string[];
   /** If false, disable the bot for this room. */

extensions/slack/src/channel.ts

@@ -21,6 +21,7 @@ import {
   resolveSlackAccount,
   resolveSlackReplyToMode,
   resolveSlackGroupRequireMention,
+  resolveSlackGroupToolPolicy,
   buildSlackThreadingToolContext,
   setAccountEnabledInConfigSection,
   slackOnboardingAdapter,
@@ -161,6 +162,7 @@ export const slackPlugin: ChannelPlugin<ResolvedSlackAccount> = {
   },
   groups: {
     resolveRequireMention: resolveSlackGroupRequireMention,
+    resolveToolPolicy: resolveSlackGroupToolPolicy,
   },
   threading: {
     resolveReplyToMode: ({ cfg, accountId, chatType }) =>

extensions/telegram/src/channel.ts

@@ -17,6 +17,7 @@ import {
   resolveDefaultTelegramAccountId,
   resolveTelegramAccount,
   resolveTelegramGroupRequireMention,
+  resolveTelegramGroupToolPolicy,
   setAccountEnabledInConfigSection,
   telegramOnboardingAdapter,
   TelegramConfigSchema,
@@ -154,6 +155,7 @@ export const telegramPlugin: ChannelPlugin<ResolvedTelegramAccount> = {
   },
   groups: {
     resolveRequireMention: resolveTelegramGroupRequireMention,
+    resolveToolPolicy: resolveTelegramGroupToolPolicy,
   },
   threading: {
     resolveReplyToMode: ({ cfg }) => cfg.channels?.telegram?.replyToMode ?? "first",

extensions/whatsapp/src/channel.ts

@@ -21,6 +21,7 @@ import {
   resolveDefaultWhatsAppAccountId,
   resolveWhatsAppAccount,
   resolveWhatsAppGroupRequireMention,
+  resolveWhatsAppGroupToolPolicy,
   resolveWhatsAppHeartbeatRecipients,
   whatsappOnboardingAdapter,
   WhatsAppConfigSchema,
@@ -198,6 +199,7 @@ export const whatsappPlugin: ChannelPlugin<ResolvedWhatsAppAccount> = {
   },
   groups: {
     resolveRequireMention: resolveWhatsAppGroupRequireMention,
+    resolveToolPolicy: resolveWhatsAppGroupToolPolicy,
     resolveGroupIntroHint: () =>
       "WhatsApp IDs: SenderId is the participant JID; [message_id: ...] is the message id for reactions (use SenderId as participant).",
   },

extensions/zalouser/src/channel.ts

@@ -2,8 +2,10 @@ import type {
   ChannelAccountSnapshot,
   ChannelDirectoryEntry,
   ChannelDock,
+  ChannelGroupContext,
   ChannelPlugin,
   ClawdbotConfig,
+  GroupToolPolicyConfig,
 } from "clawdbot/plugin-sdk";
 import {
   applyAccountNameToChannelSection,
@@ -79,6 +81,26 @@ function mapGroup(params: {
   };
 }
 
+function resolveZalouserGroupToolPolicy(
+  params: ChannelGroupContext,
+): GroupToolPolicyConfig | undefined {
+  const account = resolveZalouserAccountSync({
+    cfg: params.cfg as ClawdbotConfig,
+    accountId: params.accountId ?? undefined,
+  });
+  const groups = account.config.groups ?? {};
+  const groupId = params.groupId?.trim();
+  const groupChannel = params.groupChannel?.trim();
+  const candidates = [groupId, groupChannel, "*"].filter(
+    (value): value is string => Boolean(value),
+  );
+  for (const key of candidates) {
+    const entry = groups[key];
+    if (entry?.tools) return entry.tools;
+  }
+  return undefined;
+}
+
 export const zalouserDock: ChannelDock = {
   id: "zalouser",
   capabilities: {
@@ -101,6 +123,7 @@ export const zalouserDock: ChannelDock = {
   },
   groups: {
     resolveRequireMention: () => true,
+    resolveToolPolicy: resolveZalouserGroupToolPolicy,
   },
   threading: {
     resolveReplyToMode: () => "off",
@@ -188,6 +211,7 @@ export const zalouserPlugin: ChannelPlugin<ResolvedZalouserAccount> = {
   },
   groups: {
     resolveRequireMention: () => true,
+    resolveToolPolicy: resolveZalouserGroupToolPolicy,
   },
   threading: {
     resolveReplyToMode: () => "off",

extensions/zalouser/src/config-schema.ts

@@ -1,4 +1,4 @@
-import { MarkdownConfigSchema } from "clawdbot/plugin-sdk";
+import { MarkdownConfigSchema, ToolPolicySchema } from "clawdbot/plugin-sdk";
 import { z } from "zod";
 
 const allowFromEntry = z.union([z.string(), z.number()]);
@@ -6,6 +6,7 @@ const allowFromEntry = z.union([z.string(), z.number()]);
 const groupConfigSchema = z.object({
   allow: z.boolean().optional(),
   enabled: z.boolean().optional(),
+  tools: ToolPolicySchema,
 });
 
 const zalouserAccountSchema = z.object({

extensions/zalouser/src/types.ts

@@ -75,7 +75,7 @@ export type ZalouserAccountConfig = {
   dmPolicy?: "pairing" | "allowlist" | "open" | "disabled";
   allowFrom?: Array<string | number>;
   groupPolicy?: "open" | "allowlist" | "disabled";
-  groups?: Record<string, { allow?: boolean; enabled?: boolean }>;
+  groups?: Record<string, { allow?: boolean; enabled?: boolean; tools?: { allow?: string[]; deny?: string[] } }>;
   messagePrefix?: string;
 };
 
@@ -87,7 +87,7 @@ export type ZalouserConfig = {
   dmPolicy?: "pairing" | "allowlist" | "open" | "disabled";
   allowFrom?: Array<string | number>;
   groupPolicy?: "open" | "allowlist" | "disabled";
-  groups?: Record<string, { allow?: boolean; enabled?: boolean }>;
+  groups?: Record<string, { allow?: boolean; enabled?: boolean; tools?: { allow?: string[]; deny?: string[] } }>;
   messagePrefix?: string;
   accounts?: Record<string, ZalouserAccountConfig>;
 };