diff --git a/CHANGELOG.md b/CHANGELOG.md index a1f200fe811..b46f81ac850 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -35,6 +35,7 @@ Docs: https://docs.openclaw.ai - Security/Voice Call: harden media stream WebSocket handling against pre-auth idle-connection DoS by adding strict pre-start timeouts, pending/per-IP connection limits, and total connection caps for streaming endpoints. This ships in the next npm release. Thanks @jiseoung for reporting. - Agents/Exec: honor explicit agent context when resolving `tools.exec` defaults for runs with opaque/non-agent session keys, so per-agent `host/security/ask` policies are applied consistently. (#11832) - Sandbox/Docker: default sandbox container user to the workspace owner `uid:gid` when `agents.*.sandbox.docker.user` is unset, fixing non-root gateway file-tool permissions under capability-dropped containers. (#20979) +- Doctor/Security: add an explicit warning that `approvals.exec.enabled=false` disables forwarding only, while enforcement remains driven by host-local `exec-approvals.json` policy. (#15047) - Telegram/Discord extensions: propagate trusted `mediaLocalRoots` through extension outbound `sendMedia` options so extension direct-send media paths honor agent-scoped local-media allowlists. (#20029, #21903, #23227) - Exec/Background: stop applying the default exec timeout to background sessions (`background: true` or explicit `yieldMs`) when no explicit timeout is set, so long-running background jobs are no longer terminated at the default timeout boundary. (#23303) - Plugins/Media sandbox: propagate trusted `mediaLocalRoots` through plugin action dispatch (including Discord/Telegram action adapters) so plugin send paths enforce the same agent-scoped local-media sandbox roots as core outbound sends. (#20258, #22718) diff --git a/src/commands/doctor-security.test.ts b/src/commands/doctor-security.test.ts index faee8f19251..1a0866dfc05 100644 --- a/src/commands/doctor-security.test.ts +++ b/src/commands/doctor-security.test.ts @@ -104,4 +104,19 @@ describe("noteSecurityWarnings gateway exposure", () => { const message = lastMessage(); expect(message).toContain('config set session.dmScope "per-channel-peer"'); }); + + it("clarifies approvals.exec forwarding-only behavior", async () => { + const cfg = { + approvals: { + exec: { + enabled: false, + }, + }, + } as OpenClawConfig; + await noteSecurityWarnings(cfg); + const message = lastMessage(); + expect(message).toContain("disables approval forwarding only"); + expect(message).toContain("exec-approvals.json"); + expect(message).toContain("openclaw approvals get --gateway"); + }); }); diff --git a/src/commands/doctor-security.ts b/src/commands/doctor-security.ts index 6d1172d2db9..dc06f6396f3 100644 --- a/src/commands/doctor-security.ts +++ b/src/commands/doctor-security.ts @@ -12,6 +12,14 @@ export async function noteSecurityWarnings(cfg: OpenClawConfig) { const warnings: string[] = []; const auditHint = `- Run: ${formatCliCommand("openclaw security audit --deep")}`; + if (cfg.approvals?.exec?.enabled === false) { + warnings.push( + "- Note: approvals.exec.enabled=false disables approval forwarding only.", + " Host exec gating still comes from ~/.openclaw/exec-approvals.json.", + ` Check local policy with: ${formatCliCommand("openclaw approvals get --gateway")}`, + ); + } + // =========================================== // GATEWAY NETWORK EXPOSURE CHECK // ===========================================