diff --git a/docs/tools/exec-approvals.md b/docs/tools/exec-approvals.md index 0063f0034d1..9d8f61e0059 100644 --- a/docs/tools/exec-approvals.md +++ b/docs/tools/exec-approvals.md @@ -14,6 +14,9 @@ commands on a real host (`gateway` or `node`). Think of it like a safety interlo commands are allowed only when policy + allowlist + (optional) user approval all agree. Exec approvals are **in addition** to tool policy and elevated gating (unless elevated is set to `full`, which skips approvals). Effective policy is the **stricter** of `tools.exec.*` and approvals defaults; if an approvals field is omitted, the `tools.exec` value is used. +Host exec also uses the local approvals state on that machine. A host-local +`ask: "always"` in `~/.openclaw/exec-approvals.json` keeps prompting even if +session or config defaults request `ask: "on-miss"`. If the companion app UI is **not available**, any request that requires a prompt is resolved by the **ask fallback** (default: deny). @@ -98,6 +101,7 @@ Example schema: - **off**: never prompt. - **on-miss**: prompt only when allowlist does not match. - **always**: prompt on every command. +- `allow-always` durable trust does not suppress prompts when effective ask mode is `always` ### Ask fallback (`askFallback`) @@ -132,6 +136,7 @@ Allowlists are **per agent**. If multiple agents exist, switch which agent you editing in the macOS app. Patterns are **case-insensitive glob matches**. Patterns should resolve to **binary paths** (basename-only entries are ignored). Legacy `agents.default` entries are migrated to `agents.main` on load. +Shell chains such as `echo ok && pwd` still need every top-level segment to satisfy allowlist rules. Examples: diff --git a/docs/tools/exec.md b/docs/tools/exec.md index 88694358b2a..6921068c28b 100644 --- a/docs/tools/exec.md +++ b/docs/tools/exec.md @@ -132,6 +132,8 @@ Manual allowlist enforcement matches **resolved binary paths only** (no basename allowlisted or a safe bin. Chaining (`;`, `&&`, `||`) and redirections are rejected in allowlist mode unless every top-level segment satisfies the allowlist (including safe bins). Redirections remain unsupported. +Durable `allow-always` trust does not bypass that rule: a chained command still requires every +top-level segment to match. `autoAllowSkills` is a separate convenience path in exec approvals. It is not the same as manual path allowlist entries. For strict explicit trust, keep `autoAllowSkills` disabled.