vultr/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-05 05:30:21 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat: add local exec-policy CLI (#64050)

Browse Source 
* feat: add local exec-policy CLI

* fix: harden exec-policy CLI output

* fix: harden exec approvals writes

* fix: tighten local exec-policy sync

* docs: document exec-policy CLI

* fix: harden exec-policy rollback and approvals path checks

* fix: reject exec-policy sync when host remains node

* fix: validate approvals path before mkdir

* fix: guard exec-policy rollback against newer approvals writes

* fix: restore exec approvals via hardened rollback path

* fix: guard exec-policy config writes with base hash

* docs: add exec-policy changelog entry

* fix: clarify exec-policy show for node host

* fix: strip stale exec-policy decisions
This commit is contained in:
Tak Hoffman
2026-04-10 01:16:03 -05:00
committed by GitHub
parent 2d126fc623
commit 4bf94aa0d6
14 changed files with 1256 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
docs/tools/exec-approvals.md
View File

@@ -20,6 +20,11 @@ session or config defaults request `ask: "on-miss"`.
Use `openclaw approvals get`, `openclaw approvals get --gateway`, or
`openclaw approvals get --node <id|name|ip>` to inspect the requested policy,
host policy sources, and the effective result.
For the local machine, `openclaw exec-policy show` exposes the same merged view and
`openclaw exec-policy set|preset` can synchronize the local requested policy with the
local host approvals file in one step. When a local scope requests `host=node`,
`openclaw exec-policy show` reports that scope as node-managed at runtime instead of
pretending the local approvals file is the effective source of truth.
If the companion app UI is **not available**, any request that requires a prompt is
resolved by the **ask fallback** (default: deny).
@@ -143,6 +148,21 @@ openclaw approvals set --stdin <<'EOF'
EOF
```
Local shortcut for the same gateway-host policy on the current machine:
```bash
openclaw exec-policy preset yolo
```
That local shortcut updates both:
- local `tools.exec.host/security/ask`
- local `~/.openclaw/exec-approvals.json` defaults
It is intentionally local-only. If you need to change gateway-host or node-host approvals
remotely, continue using `openclaw approvals set --gateway` or
`openclaw approvals set --node <id|name|ip>`.
For a node host, apply the same approvals file on that node instead:
```bash
@@ -158,6 +178,12 @@ openclaw approvals set --node <id|name|ip> --stdin <<'EOF'
EOF
```
Important local-only limitation:
- `openclaw exec-policy` does not synchronize node approvals
- `openclaw exec-policy set --host node` is rejected
- node exec approvals are fetched from the node at runtime, so node-targeted updates must use `openclaw approvals --node ...`
Session-only shortcut:
- `/exec security=full ask=off` changes only the current session.