Exec approvals: unify effective policy reporting and actions (#59283)

Merged via squash. Prepared head SHA: d579b97a93 Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com> Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com> Reviewed-by: @gumadeiras
2026-04-23 15:11:42 +00:00 · 2026-04-01 22:02:39 -04:00
parent dc66c36b9e
commit ba735d0158
36 changed files with 1618 additions and 112 deletions
--- a/docs/cli/approvals.md
+++ b/docs/cli/approvals.md
@@ -24,6 +24,19 @@ openclaw approvals get --node <id|name|ip>
 openclaw approvals get --gateway
 ```

+`openclaw approvals get` now shows the effective exec policy for local, gateway, and node targets:
+
+- requested `tools.exec` policy
+- host approvals-file policy
+- effective result after precedence rules are applied
+
+Precedence is intentional:
+
+- the host approvals file is the enforceable source of truth
+- requested `tools.exec` policy can narrow or broaden intent, but the effective result is still derived from the host rules
+- `--node` combines the node host approvals file with gateway `tools.exec` policy, because both still apply at runtime
+- if gateway config is unavailable, the CLI falls back to the node approvals snapshot and notes that the final runtime policy could not be computed
+
 ## Replace approvals from a file

 ```bash