a2acalling 0.6.52 → 0.6.53

package/native/macos/src-tauri/src/server.rs

@@ -44,7 +44,10 @@ pub fn start_server() -> StartResult {
         }
     };
 
-    let port = crate::discovery::read_config_port().unwrap_or(3001);
+    let port = crate::discovery::read_config_ports()
+        .first()
+        .copied()
+        .unwrap_or(3001);
     let port_str = port.to_string();
 
     let result = Command::new(&binary)

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "a2acalling",
-  "version": "0.6.52",
+  "version": "0.6.53",
   "description": "Agent-to-agent calling for OpenClaw - A2A agent communication",
   "main": "src/index.js",
   "bin": {

package/src/dashboard/public/app.js

@@ -1056,6 +1056,7 @@ function renderTierEditor(tierId) {
   document.getElementById('tier-name').value = tier.name || tier.id;
   document.getElementById('tier-description').value = tier.description || '';
   document.getElementById('tier-disclosure').value = tier.disclosure || 'minimal';
+  document.getElementById('tier-tools').value = toLines(tier.allowed_tools || []);
   document.getElementById('tier-topics').value = toLines(tier.topics || []);
   document.getElementById('tier-goals').value = toLines(tier.goals || []);
 }
@@ -1072,6 +1073,7 @@ function bindSettingsActions() {
       name: document.getElementById('tier-name').value,
       description: document.getElementById('tier-description').value,
       disclosure: document.getElementById('tier-disclosure').value,
+      allowed_tools: fromLines(document.getElementById('tier-tools').value),
       topics: fromLines(document.getElementById('tier-topics').value),
       goals: fromLines(document.getElementById('tier-goals').value)
     };

package/src/dashboard/public/index.html

@@ -132,6 +132,7 @@
         <label>Name <input id="tier-name" type="text"></label>
         <label>Description <input id="tier-description" type="text"></label>
         <label>Disclosure <input id="tier-disclosure" type="text" placeholder="minimal"></label>
+        <label>Allowed Tools (one per line)<textarea id="tier-tools" rows="5" placeholder="Read&#10;Grep&#10;Glob"></textarea></label>
         <label>Topics (one per line)<textarea id="tier-topics" rows="6"></textarea></label>
         <label>Goals (one per line)<textarea id="tier-goals" rows="6"></textarea></label>
         <div class="row">

package/src/lib/claude-subagent.js

@@ -10,8 +10,8 @@
  * Stateless calls cost more tokens but are operationally safer under load.
  *
  * Permissioning is still enforced:
- * `--allowedTools` is derived per request from token capabilities + allowed topics.
- * We do not hardcode one universal allowlist anymore.
+ * `--allowedTools` is derived per request from token capabilities + allowed topics
+ * and can be further constrained by per-tier `allowed_tools` policy from onboarding.
  */
 
 const { execSync, spawn } = require('child_process');
@@ -22,8 +22,43 @@ const logger = createLogger({ component: 'a2a.claude-subagent' });
 
 const A2A_RESPONSE_REGEX = /<a2a_response>\s*([\s\S]*?)\s*<\/a2a_response>/i;
 const DEFAULT_CLAUDE_MODEL = 'claude-sonnet-4-5-20250929';
+const CLAUDE_TOOL_UNIVERSE = ['Bash', 'Bash(readonly)', 'Read', 'Grep', 'Glob', 'WebSearch', 'WebFetch'];
 const LEGACY_DEFAULT_TOOLS = ['Bash(readonly)', 'Read', 'Grep', 'Glob', 'WebSearch', 'WebFetch'];
 
+const TOOL_NAME_MAP = {
+  bash: 'Bash',
+  'bash(readonly)': 'Bash(readonly)',
+  'bash-readonly': 'Bash(readonly)',
+  read: 'Read',
+  grep: 'Grep',
+  glob: 'Glob',
+  websearch: 'WebSearch',
+  webfetch: 'WebFetch'
+};
+
+function normalizeToolName(value) {
+  const key = String(value || '').trim().toLowerCase();
+  return TOOL_NAME_MAP[key] || null;
+}
+
+function sanitizeAllowedToolList(values) {
+  if (!Array.isArray(values)) return [];
+  const out = [];
+  const seen = new Set();
+  for (const value of values) {
+    const canonical = normalizeToolName(value);
+    if (!canonical || seen.has(canonical)) continue;
+    seen.add(canonical);
+    out.push(canonical);
+  }
+  return out;
+}
+
+function formatToolListForPrompt(tools) {
+  if (!Array.isArray(tools) || tools.length === 0) return '  (none)';
+  return tools.map(tool => `  - ${tool}`).join('\n');
+}
+
 /**
  * Check if `claude` CLI is available in PATH.
  */
@@ -49,6 +84,7 @@ function isClaudeAvailable() {
  * @param {string} config.tierObjectives - formatted objectives string
  * @param {string} config.doNotDiscuss - formatted do_not_discuss string
  * @param {string} config.neverDisclose - formatted never_disclose string
+ * @param {string[]} [config.allowedTools] - Effective tool allowlist for this call
  * @param {string} config.personalityNotes
  * @param {string} config.roleContext
  * @returns {string}
@@ -64,10 +100,17 @@ function buildSubagentSystemPrompt(config) {
     tierObjectives = '  (none specified)',
     doNotDiscuss = '  (none specified)',
     neverDisclose = '  (none specified)',
+    allowedTools = [],
     personalityNotes = '',
     roleContext = ''
   } = config;
 
+  const effectiveAllowedTools = sanitizeAllowedToolList(allowedTools);
+  const allowedForPrompt = effectiveAllowedTools.length > 0
+    ? effectiveAllowedTools
+    : [...LEGACY_DEFAULT_TOOLS];
+  const blockedTools = CLAUDE_TOOL_UNIVERSE.filter(tool => !allowedForPrompt.includes(tool));
+
   return `You are ${agentName}, the personal AI agent for ${ownerName}.
 You are on a live A2A (agent-to-agent) call with ${otherAgentName}, who represents ${otherOwnerName}. ${roleContext}
 
@@ -108,6 +151,19 @@ ${doNotDiscuss}
 NEVER disclose:
 ${neverDisclose}
 
+== TOOL PERMISSIONS ==
+
+Allowed tools this call:
+${formatToolListForPrompt(allowedForPrompt)}
+
+Blocked tools this call:
+${formatToolListForPrompt(blockedTools)}
+
+Tool policy:
+- Never invoke blocked tools.
+- If you need a blocked tool, continue the conversation without it and add a "question_for_owner" flag requesting permission.
+- Include exact tool name and reason in the flag content.
+
 == BEHAVIORAL MANDATE ==
 
 You operate in three concurrent modes:
@@ -228,13 +284,11 @@ function parseSubagentResponse(resultText) {
  */
 function spawnClaude(args, timeoutMs = HARD_FALLBACK_TURN_TIMEOUT_MS) {
   return new Promise((resolve, reject) => {
+    const spawnEnv = { ...process.env, FORCE_COLOR: '0' };
+    delete spawnEnv.CLAUDECODE;
     const proc = spawn('claude', args, {
-      stdio: ['pipe', 'pipe', 'pipe'],
-      env: {
-        ...process.env,
-        FORCE_COLOR: '0',
-        CLAUDECODE: ''  // Unset to allow nested invocation
-      }
+      stdio: ['ignore', 'pipe', 'pipe'],
+      env: spawnEnv
     });
 
     let stdout = '';
@@ -310,16 +364,7 @@ function hasPermissionMatch(values, key) {
   return values.some(value => value === key || value.startsWith(`${key}.`));
 }
 
-/**
- * Resolve Claude tool allowlist from token-derived permissions.
- *
- * Notes:
- * - We preserve legacy behavior when no permission context is provided, because
- *   outbound CLI flows may run without token metadata.
- * - When permissions are present, we derive tools deterministically so runtime
- *   allowlists remain variable and auditable per token.
- */
-function resolveClaudeAllowedTools({ capabilities = [], allowedTopics = [] } = {}) {
+function deriveClaudeToolsFromPermissionSignals({ capabilities = [], allowedTopics = [] } = {}) {
   const normalizedCaps = normalizePermissionList(capabilities);
   const normalizedTopics = normalizePermissionList(allowedTopics);
   const hasPermissionContext = normalizedCaps.length > 0 || normalizedTopics.length > 0;
@@ -367,6 +412,29 @@ function resolveClaudeAllowedTools({ capabilities = [], allowedTopics = [] } = {
   return tools;
 }
 
+/**
+ * Resolve Claude tool allowlist from token-derived permissions and explicit per-tier tool policy.
+ */
+function resolveClaudeAllowedTools({ capabilities = [], allowedTopics = [], allowedTools = [] } = {}) {
+  const derivedTools = deriveClaudeToolsFromPermissionSignals({ capabilities, allowedTopics });
+  const explicitTools = sanitizeAllowedToolList(allowedTools);
+
+  if (explicitTools.length > 0) {
+    const hasPermissionSignals = normalizePermissionList(capabilities).length > 0
+      || normalizePermissionList(allowedTopics).length > 0;
+
+    if (hasPermissionSignals) {
+      // Permission signals define the ceiling; explicit tier tools can narrow it.
+      const narrowed = explicitTools.filter(tool => derivedTools.includes(tool));
+      return narrowed.length > 0 ? narrowed : derivedTools;
+    }
+
+    return explicitTools;
+  }
+
+  return derivedTools;
+}
+
 function buildClaudeToolArg(allowedTools) {
   return Array.isArray(allowedTools) ? allowedTools.join(' ').trim() : '';
 }
@@ -447,6 +515,7 @@ function summarizeFromPayload(payload, fallbackText) {
  * @param {boolean} options.closeSignal - Whether close has been signaled
  * @param {Array<string>} [options.capabilities] - Token capabilities (permission source of truth)
  * @param {Array<string>} [options.allowedTopics] - Token allowed topics (permission source of truth)
+ * @param {Array<string>} [options.allowedTools] - Token allowed tools (onboarding tier policy)
  * @param {function} [options.spawnFn] - Injectable process runner for tests
  * @param {number} [options.timeoutMs=300000] - Timeout in milliseconds
  * @returns {Promise<{ message: string, statePatch: object|null, flags: array }>}
@@ -464,6 +533,7 @@ async function runClaudeTurn(options) {
     closeSignal = false,
     capabilities = [],
     allowedTopics = [],
+    allowedTools = [],
     spawnFn = spawnClaude,
     timeoutMs = HARD_FALLBACK_TURN_TIMEOUT_MS
   } = options;
@@ -480,8 +550,8 @@ async function runClaudeTurn(options) {
   });
 
   const startAt = Date.now();
-  const allowedTools = resolveClaudeAllowedTools({ capabilities, allowedTopics });
-  const allowedToolsArg = buildClaudeToolArg(allowedTools);
+  const effectiveAllowedTools = resolveClaudeAllowedTools({ capabilities, allowedTopics, allowedTools });
+  const allowedToolsArg = buildClaudeToolArg(effectiveAllowedTools);
   const args = [
     '-p',
     '--output-format', 'json',
@@ -494,7 +564,7 @@ async function runClaudeTurn(options) {
   if (allowedToolsArg) {
     args.push('--allowedTools', allowedToolsArg);
   }
-  args.push(turnPrompt);
+  args.push('--', turnPrompt);
 
   logger.debug('Spawning Claude subagent turn', {
     event: 'subagent_turn_start',
@@ -503,7 +573,7 @@ async function runClaudeTurn(options) {
       max_turns: maxTurns,
       phase,
       is_stateless: true,
-      allowed_tools: allowedTools,
+      allowed_tools: effectiveAllowedTools,
       timeout_ms: timeoutMs
     }
   });
@@ -538,8 +608,9 @@ async function runClaudeTurn(options) {
  * @param {string} [options.reason] - Why the conversation is ending
  * @param {Array<string>} [options.capabilities] - Token capabilities for summary turn tooling
  * @param {Array<string>} [options.allowedTopics] - Token allowed topics for summary turn tooling
+ * @param {Array<string>} [options.allowedTools] - Token allowed tools for summary turn tooling
  * @param {function} [options.spawnFn] - Injectable process runner for tests
- * @param {number} [timeoutMs=300000] - Timeout in milliseconds
+ * @param {number} [options.timeoutMs=300000] - Timeout in milliseconds
  * @returns {Promise<{ summary: string, ownerSummary: string, actionItems: array, flags: array }>}
  */
 async function runClaudeSummary(options = {}) {
@@ -548,6 +619,7 @@ async function runClaudeSummary(options = {}) {
     reason,
     capabilities = [],
     allowedTopics = [],
+    allowedTools = [],
     spawnFn = spawnClaude,
     timeoutMs = HARD_FALLBACK_TURN_TIMEOUT_MS
   } = options;
@@ -557,13 +629,13 @@ async function runClaudeSummary(options = {}) {
     throw new Error('Cannot summarize without a prompt');
   }
 
-  const allowedTools = resolveClaudeAllowedTools({ capabilities, allowedTopics });
-  const allowedToolsArg = buildClaudeToolArg(allowedTools);
+  const effectiveAllowedTools = resolveClaudeAllowedTools({ capabilities, allowedTopics, allowedTools });
+  const allowedToolsArg = buildClaudeToolArg(effectiveAllowedTools);
 
   const args = [
     '-p',
     '--output-format', 'json',
-    '--model', DEFAULT_CLAUDE_MODEL,
+    '--model', DEFAULT_CLAUDE_MODEL
   ];
 
   if (allowedToolsArg) {
@@ -572,6 +644,7 @@ async function runClaudeSummary(options = {}) {
   args.push(
     '--append-system-prompt',
     `Conversation summary mode. Reason: ${reason || 'conversation ended'}. Return only structured summary JSON.`,
+    '--',
     summaryPrompt
   );
 
@@ -581,7 +654,7 @@ async function runClaudeSummary(options = {}) {
     event: 'subagent_summary_start',
     data: {
       reason: reason || 'conversation ended',
-      allowed_tools: allowedTools
+      allowed_tools: effectiveAllowedTools
     }
   });
 

package/src/lib/config.js

@@ -125,6 +125,13 @@ function validateTierPatch(tierName, tierConfig) {
     });
   }
 
+  if (tierConfig.allowed_tools !== undefined) {
+    out.allowed_tools = validateStringArray(tierConfig.allowed_tools, `${tierName}.allowed_tools`, {
+      maxItems: 30,
+      itemMaxLength: 80
+    });
+  }
+
   if (tierConfig.topics !== undefined) {
     out.topics = validateStringArray(tierConfig.topics, `${tierName}.topics`, {
       maxItems: 200,
@@ -181,6 +188,7 @@ const DEFAULT_CONFIG = {
       name: 'Public',
       description: 'Basic networking - safe for anyone',
       capabilities: ['context-read'],
+      allowed_tools: ['Read', 'Grep', 'Glob'],
       topics: ['chat'],
       goals: [],
       disclosure: 'minimal',
@@ -190,6 +198,7 @@ const DEFAULT_CONFIG = {
       name: 'Friends',
       description: 'Most capabilities, no sensitive financial data',
       capabilities: ['context-read', 'calendar.read', 'email.read', 'search'],
+      allowed_tools: ['Bash(readonly)', 'Read', 'Grep', 'Glob', 'WebSearch', 'WebFetch'],
       topics: ['chat', 'search', 'openclaw', 'a2a'],
       goals: [],
       disclosure: 'public',
@@ -199,6 +208,7 @@ const DEFAULT_CONFIG = {
       name: 'Family',
       description: 'Full access - only for your inner circle',
       capabilities: ['context-read', 'calendar', 'email', 'search', 'tools', 'memory'],
+      allowed_tools: ['Bash', 'Read', 'Grep', 'Glob', 'WebSearch', 'WebFetch'],
       topics: ['chat', 'search', 'openclaw', 'a2a', 'tools', 'memory'],
       goals: [],
       disclosure: 'public',
@@ -208,6 +218,7 @@ const DEFAULT_CONFIG = {
       name: 'Custom',
       description: 'User-defined permissions',
       capabilities: ['context-read'],
+      allowed_tools: ['Read', 'Grep', 'Glob'],
       topics: [],
       goals: [],
       disclosure: 'minimal',

package/src/lib/conversation-driver.js

@@ -132,6 +132,8 @@ class ConversationDriver {
     // If provided by caller, this keeps tool allowlists variable per token/profile.
     this.capabilities = Array.isArray(options.capabilities) ? options.capabilities : [];
     this.allowedTopics = Array.isArray(options.allowedTopics) ? options.allowedTopics : [];
+    this.allowedGoals = Array.isArray(options.allowedGoals) ? options.allowedGoals : [];
+    this.allowedTools = Array.isArray(options.allowedTools) ? options.allowedTools : [];
     this.summarizer = options.summarizer || null;
     this.ownerContext = options.ownerContext || {};
     this.claudeMode = options.runtime?.mode === 'claude';
@@ -229,8 +231,11 @@ class ConversationDriver {
       // Try runtime.summarize if available (OpenClaw path)
       if (typeof runtime.summarize === 'function') {
         try {
+          const summarySessionId = this.lastConversationId
+            ? `a2a-${this.lastConversationId}`
+            : `summary-${Date.now()}`;
           return await runtime.summarize({
-            sessionId: `summary-${Date.now()}`,
+            sessionId: summarySessionId,
             prompt,
             messages,
             callerInfo: { name: agentContext.name, owner: agentContext.owner },
@@ -414,7 +419,11 @@ class ConversationDriver {
         roleContext: 'You initiated this call.',
         capabilities: this.capabilities,
         allowedTopics: this.allowedTopics,
-        allowed_topics: this.allowedTopics
+        allowed_topics: this.allowedTopics,
+        allowedGoals: this.allowedGoals,
+        allowed_goals: this.allowedGoals,
+        allowedTools: this.allowedTools,
+        allowed_tools: this.allowedTools
       };
       if (this.claudeMode) {
         contextPayload.turnCount = turn + 1;

package/src/lib/disclosure.js

@@ -18,6 +18,17 @@ const MANIFEST_FILE = path.join(CONFIG_DIR, 'a2a-disclosure.json');
 const TIER_HIERARCHY = ['public', 'friends', 'family'];
 const logger = createLogger({ component: 'a2a.disclosure' });
 const SKIP_FILES = new Set(['heartbeat', 'skill', 'claude']);
+const CANONICAL_TOOL_NAMES = ['Bash', 'Bash(readonly)', 'Read', 'Grep', 'Glob', 'WebSearch', 'WebFetch'];
+const TOOL_NAME_MAP = {
+  bash: 'Bash',
+  'bash(readonly)': 'Bash(readonly)',
+  'bash-readonly': 'Bash(readonly)',
+  read: 'Read',
+  grep: 'Grep',
+  glob: 'Glob',
+  websearch: 'WebSearch',
+  webfetch: 'WebFetch'
+};
 
 function normalizeTopic(raw) {
   return String(raw || '').trim();
@@ -68,6 +79,26 @@ function dedupeDoNotDiscuss(items) {
   return out;
 }
 
+function dedupeStringList(items, maxLength = 80) {
+  if (!Array.isArray(items)) return [];
+  const seen = new Set();
+  const out = [];
+  for (const item of items) {
+    const normalized = normalizeTopic(item).slice(0, maxLength);
+    if (!normalized) continue;
+    const key = normalized.toLowerCase();
+    if (seen.has(key)) continue;
+    seen.add(key);
+    out.push(normalized);
+  }
+  return out;
+}
+
+function normalizeToolName(value) {
+  const key = normalizeTopic(value).toLowerCase();
+  return TOOL_NAME_MAP[key] || null;
+}
+
 function parseTopicLine(rawLine) {
   const line = normalizeTopic(rawLine);
   if (!line) return null;
@@ -148,7 +179,7 @@ function saveManifest(manifest) {
  * Get topics for a given tier, merged down the hierarchy.
  * family gets everything, friends gets friends+public, public gets public only.
  *
- * Returns { topics, objectives, do_not_discuss, never_disclose }
+ * Returns { topics, objectives, do_not_discuss, never_disclose, allowed_tools }
  */
 function getTopicsForTier(tier) {
   const manifest = loadManifest();
@@ -167,7 +198,8 @@ function getTopicsForTier(tier) {
     topics: [],
     objectives: [],
     do_not_discuss: [],
-    never_disclose: manifest.never_disclose || []
+    never_disclose: manifest.never_disclose || [],
+    allowed_tools: []
   };
 
   for (const t of tiersToMerge) {
@@ -175,6 +207,7 @@ function getTopicsForTier(tier) {
     if (tierData.topics) merged.topics.push(...tierData.topics);
     if (tierData.objectives) merged.objectives.push(...tierData.objectives);
     if (tierData.do_not_discuss) merged.do_not_discuss.push(...tierData.do_not_discuss);
+    if (tierData.allowed_tools) merged.allowed_tools.push(...tierData.allowed_tools);
   }
 
   // Remove do_not_discuss items that appear in topics (higher tiers promote them)
@@ -185,6 +218,7 @@ function getTopicsForTier(tier) {
   merged.topics = dedupeByTopic(merged.topics);
   merged.objectives = dedupeByObjective(merged.objectives);
   merged.do_not_discuss = dedupeDoNotDiscuss(merged.do_not_discuss);
+  merged.allowed_tools = dedupeStringList(merged.allowed_tools, 80);
 
   return merged;
 }
@@ -212,6 +246,9 @@ function formatTopicsForPrompt(tierTopics) {
     topics: formatTopicList(tierTopics.topics),
     objectives: formatObjectiveList(tierTopics.objectives),
     doNotDiscuss: formatDoNotDiscuss(tierTopics.do_not_discuss),
+    allowedTools: tierTopics.allowed_tools?.length
+      ? tierTopics.allowed_tools.map(item => `  - ${item}`).join('\n')
+      : '  (none specified)',
     neverDisclose: tierTopics.never_disclose?.length
       ? tierTopics.never_disclose.map(item => `  - ${item}`).join('\n')
       : '  (none specified)'
@@ -274,10 +311,11 @@ function generateDefaultManifest(contextFiles = {}) {
         public: {
           topics: [{ topic: 'What I do', description: 'Brief professional description' }],
           objectives: [{ objective: 'Networking', description: 'Connect with others in the field' }],
-          do_not_discuss: [{ topic: 'Personal details', reason: 'Redirect to direct owner contact' }]
+          do_not_discuss: [{ topic: 'Personal details', reason: 'Redirect to direct owner contact' }],
+          allowed_tools: ['Read', 'Grep', 'Glob']
         },
-        friends: { topics: [], objectives: [], do_not_discuss: [] },
-        family: { topics: [], objectives: [], do_not_discuss: [] }
+        friends: { topics: [], objectives: [], do_not_discuss: [], allowed_tools: ['Bash(readonly)', 'Read', 'Grep', 'Glob', 'WebSearch', 'WebFetch'] },
+        family: { topics: [], objectives: [], do_not_discuss: [], allowed_tools: ['Bash', 'Read', 'Grep', 'Glob', 'WebSearch', 'WebFetch'] }
       },
       never_disclose: ['API keys', 'Other users\' data', 'Financial figures'],
       personality_notes: 'Direct and technical. Prefers depth over breadth.'
@@ -321,17 +359,20 @@ function generateDefaultManifest(contextFiles = {}) {
         objectives: publicObjectives.length > 0 ? publicObjectives : [
           { objective: 'Grow network', description: 'Connect with others working on similar problems' }
         ],
-        do_not_discuss: [{ topic: 'Personal details', reason: 'Redirect to direct owner contact' }]
+        do_not_discuss: [{ topic: 'Personal details', reason: 'Redirect to direct owner contact' }],
+        allowed_tools: ['Read', 'Grep', 'Glob']
       },
       friends: {
         topics: friendsTopics,
         objectives: friendsObjectives,
-        do_not_discuss: []
+        do_not_discuss: [],
+        allowed_tools: ['Bash(readonly)', 'Read', 'Grep', 'Glob', 'WebSearch', 'WebFetch']
       },
       family: {
         topics: familyTopics,
         objectives: [],
-        do_not_discuss: []
+        do_not_discuss: [],
+        allowed_tools: ['Bash', 'Read', 'Grep', 'Glob', 'WebSearch', 'WebFetch']
       }
     },
     never_disclose: ['API keys', 'Other users\' data', 'Financial figures'],
@@ -385,7 +426,7 @@ function validateDisclosureSubmission(data) {
     errors.push(`Unknown tiers: ${extraTiers.join(', ')} — only public, friends, family are allowed`);
   }
 
-  const LIST_LIMITS = { topics: 15, objectives: 8, do_not_discuss: 10 };
+  const LIST_LIMITS = { topics: 15, objectives: 8, do_not_discuss: 10, allowed_tools: 12 };
 
   for (const tier of TIER_HIERARCHY) {
     const tierData = tiersData[tier];
@@ -455,6 +496,28 @@ function validateDisclosureSubmission(data) {
         }
       }
     }
+
+    // Validate allowed_tools array
+    if (tierData.allowed_tools !== undefined) {
+      if (!Array.isArray(tierData.allowed_tools)) {
+        errors.push(`tiers.${tier}.allowed_tools must be an array`);
+      } else {
+        if (tierData.allowed_tools.length > LIST_LIMITS.allowed_tools) {
+          errors.push(`tiers.${tier}.allowed_tools has ${tierData.allowed_tools.length} items — max ${LIST_LIMITS.allowed_tools}`);
+        }
+        for (let i = 0; i < tierData.allowed_tools.length; i++) {
+          const raw = tierData.allowed_tools[i];
+          if (typeof raw !== 'string') {
+            errors.push(`tiers.${tier}.allowed_tools[${i}] must be a string`);
+            continue;
+          }
+          const canonical = normalizeToolName(raw);
+          if (!canonical) {
+            errors.push(`tiers.${tier}.allowed_tools[${i}] invalid tool "${raw}" (allowed: ${CANONICAL_TOOL_NAMES.join(', ')})`);
+          }
+        }
+      }
+    }
   }
 
   // Validate never_disclose (optional, defaults to sensible list)
@@ -506,7 +569,11 @@ function validateDisclosureSubmission(data) {
       do_not_discuss: (tiersData[tier].do_not_discuss || []).map(item => ({
         topic: item.topic,
         reason: item.reason || ''
-      }))
+      })),
+      allowed_tools: dedupeStringList(
+        (tiersData[tier].allowed_tools || []).map(tool => normalizeToolName(tool)).filter(Boolean),
+        80
+      )
     };
   }
 
@@ -620,17 +687,20 @@ Use ALL available context to build a reasonable disclosure profile. If truly not
       ],
       "do_not_discuss": [
         { "topic": "Topic to avoid", "reason": "Why this should be redirected" }
-      ]
+      ],
+      "allowed_tools": ["Read", "Grep", "Glob"]
     },
     "friends": {
       "topics": [],
       "objectives": [],
-      "do_not_discuss": []
+      "do_not_discuss": [],
+      "allowed_tools": ["Bash(readonly)", "Read", "Grep", "Glob", "WebSearch", "WebFetch"]
     },
     "family": {
       "topics": [],
       "objectives": [],
-      "do_not_discuss": []
+      "do_not_discuss": [],
+      "allowed_tools": ["Bash", "Read", "Grep", "Glob", "WebSearch", "WebFetch"]
     }
   },
   "never_disclose": ["API keys", "Credentials", "Financial figures"],
@@ -673,6 +743,12 @@ Family callers see everything. Friends see friends + public. Public callers see
 - Sensitive subjects
 - Max 3 per tier
 
+**allowed_tools** — Tools this tier can use during calls:
+- Choose only the minimum tools needed for that tier's topics/objectives
+- Use exact tool names: Bash, Bash(readonly), Read, Grep, Glob, WebSearch, WebFetch
+- Public should usually stay read-only
+- Family can include broader tooling when justified
+
 Also identify:
 - **never_disclose** — information that should NEVER be shared regardless of tier (API keys, credentials, financial data, etc.)
 - **personality_notes** — a 1-2 sentence description of the owner's communication style