refactor(security): centralize dangerous tool lists

src/gateway/tools-invoke-http.ts

@@ -22,6 +22,7 @@ import { logWarn } from "../logger.js";
 import { isTestDefaultMemorySlotDisabled } from "../plugins/config-state.js";
 import { getPluginToolMeta } from "../plugins/tools.js";
 import { isSubagentSessionKey } from "../routing/session-key.js";
+import { DEFAULT_GATEWAY_HTTP_TOOL_DENY } from "../security/dangerous-tools.js";
 import { normalizeMessageChannel } from "../utils/message-channel.js";
 import { authorizeGatewayConnect, type ResolvedGatewayAuth } from "./auth.js";
 import {
@@ -36,22 +37,6 @@ import { getBearerToken, getHeader } from "./http-utils.js";
 const DEFAULT_BODY_BYTES = 2 * 1024 * 1024;
 const MEMORY_TOOL_NAMES = new Set(["memory_search", "memory_get"]);
 
-/**
- * Tools denied via HTTP /tools/invoke regardless of session policy.
- * Prevents RCE and privilege escalation from HTTP API surface.
- * Configurable via gateway.tools.{deny,allow} in openclaw.json.
- */
-const DEFAULT_GATEWAY_HTTP_TOOL_DENY = [
-  // Session orchestration — spawning agents remotely is RCE
-  "sessions_spawn",
-  // Cross-session injection — message injection across sessions
-  "sessions_send",
-  // Gateway control plane — prevents gateway reconfiguration via HTTP
-  "gateway",
-  // Interactive setup — requires terminal QR scan, hangs on HTTP
-  "whatsapp_login",
-];
-
 type ToolsInvokeBody = {
   tool?: unknown;
   action?: unknown;