fix: align claude cli permissions with exec policy

Derive Claude CLI bypass mode from OpenClaw exec YOLO policy, preserve raw Claude permission-mode overrides, update docs/changelog, and cover global/per-agent policy behavior.

docs/.generated/plugin-sdk-api-baseline.sha256

@@ -1,2 +1,2 @@
-bc55649a80027756f37892424598653a81fec4bff7b074358fe34d08c7696ebc  plugin-sdk-api-baseline.json
-312a29d50b4959e4a8e242bb7559548d895a2e03d5ed1b5a395b1133de090578  plugin-sdk-api-baseline.jsonl
+f30c9e61b768ca10feca401aefca3cbc8d3a57c5020f85aa9106b4f1a61032c0  plugin-sdk-api-baseline.json
+9e5e3e66ac23dddb80cceb8a785f167eec8a108c6c5abe77f3346b01895f6756  plugin-sdk-api-baseline.jsonl

docs/gateway/cli-backends.md

@@ -169,6 +169,15 @@ resolver sees the same filtered set that OpenClaw would otherwise advertise in
 the prompt. Skill env/API key overrides are still applied by OpenClaw to the
 child process environment for the run.
 
+Claude CLI also has its own noninteractive permission mode. OpenClaw maps that
+to the existing exec policy instead of adding Claude-specific config: when the
+effective requested exec policy is YOLO (`tools.exec.security: "full"` and
+`tools.exec.ask: "off"`), OpenClaw adds `--permission-mode bypassPermissions`.
+Per-agent `agents.list[].tools.exec` settings override global `tools.exec` for
+that agent. To force a different Claude mode, set explicit raw backend args
+such as `--permission-mode default` or `--permission-mode acceptEdits` under
+`agents.defaults.cliBackends.claude-cli.args` and matching `resumeArgs`.
+
 Before OpenClaw can use the bundled `claude-cli` backend, Claude Code itself
 must already be logged in on the same host:
 

docs/providers/cloudflare-ai-gateway.md

@@ -12,7 +12,7 @@ Cloudflare AI Gateway sits in front of provider APIs and lets you add analytics,
 | ------------- | ---------------------------------------------------------------------------------------- |
 | Provider      | `cloudflare-ai-gateway`                                                                  |
 | Base URL      | `https://gateway.ai.cloudflare.com/v1/<account_id>/<gateway_id>/anthropic`               |
-| Default model | `cloudflare-ai-gateway/claude-sonnet-4-5`                                                |
+| Default model | `cloudflare-ai-gateway/claude-sonnet-4-6`                                                |
 | API key       | `CLOUDFLARE_AI_GATEWAY_API_KEY` (your provider API key for requests through the Gateway) |
 
 <Note>
@@ -39,7 +39,7 @@ For Anthropic models routed through Cloudflare AI Gateway, use your **Anthropic
     {
       agents: {
         defaults: {
-          model: { primary: "cloudflare-ai-gateway/claude-sonnet-4-5" },
+          model: { primary: "cloudflare-ai-gateway/claude-sonnet-4-6" },
         },
       },
     }

docs/tools/exec-approvals.md

@@ -125,6 +125,11 @@ Important distinction:
 
 - `tools.exec.host=auto` chooses where exec runs: sandbox when available, otherwise gateway.
 - YOLO chooses how host exec is approved: `security=full` plus `ask=off`.
+- CLI-backed providers that expose their own noninteractive permission mode can follow this policy.
+  Claude CLI adds `--permission-mode bypassPermissions` when OpenClaw's requested exec policy is
+  YOLO. Override that backend behavior with explicit Claude args under
+  `agents.defaults.cliBackends.claude-cli.args` / `resumeArgs`, for example
+  `--permission-mode default`, `acceptEdits`, or `bypassPermissions`.
 - In YOLO mode, OpenClaw does not add a separate heuristic command-obfuscation approval gate or script-preflight rejection layer on top of the configured host exec policy.
 - `auto` does not make gateway routing a free override from a sandboxed session. A per-call `host=node` request is allowed from `auto`, and `host=gateway` is only allowed from `auto` when no sandbox runtime is active. If you want a stable non-auto default, set `tools.exec.host` or use `/exec host=...` explicitly.