Exec approvals: align inherited host policy warnings

2026-05-01 22:00:22 +00:00 · 2026-04-01 19:28:15 -04:00
parent 3512a4e138
commit dd1c45d266
5 changed files with 170 additions and 21 deletions
--- a/src/cli/exec-approvals-cli.test.ts
+++ b/src/cli/exec-approvals-cli.test.ts
@@ -251,6 +251,57 @@ describe("exec approvals CLI", () => {
    );
  });

+  it("reports agent scopes with inherited global requested policy", async () => {
+    localSnapshot.file = {
+      version: 1,
+      agents: {
+        runner: {
+          security: "allowlist",
+          ask: "always",
+        },
+      },
+    };
+    readBestEffortConfig.mockResolvedValue({
+      tools: {
+        exec: {
+          security: "full",
+          ask: "off",
+        },
+      },
+      agents: {
+        list: [{ id: "runner" }],
+      },
+    });
+
+    await runApprovalsCommand(["approvals", "get", "--json"]);
+
+    expect(defaultRuntime.writeJson).toHaveBeenCalledWith(
+      expect.objectContaining({
+        effectivePolicy: expect.objectContaining({
+          scopes: expect.arrayContaining([
+            expect.objectContaining({
+              scopeLabel: "agent:runner",
+              security: expect.objectContaining({
+                requested: "full",
+                requestedSource: "tools.exec.security",
+                effective: "allowlist",
+              }),
+              ask: expect.objectContaining({
+                requested: "off",
+                requestedSource: "tools.exec.ask",
+                effective: "always",
+              }),
+              askFallback: expect.objectContaining({
+                source: "OpenClaw default (deny)",
+              }),
+            }),
+          ]),
+        }),
+      }),
+      0,
+    );
+  });
+
  it("defaults allowlist add to wildcard agent", async () => {
    const saveExecApprovals = vi.mocked(execApprovals.saveExecApprovals);
    saveExecApprovals.mockClear();