vultr/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-04-03 21:31:26 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
64581c655d7f762526b8cb28126c1a5f29dd368d
openclaw/docs/cli/approvals.md

3.3 KiB
Raw Blame History

summary, read_when, title
summary read_when title
CLI reference for `openclaw approvals` (exec approvals for gateway or node hosts)
You want to edit exec approvals from the CLI
You need to manage allowlists on gateway or node hosts
approvals

openclaw approvals

Manage exec approvals for the local host, gateway host, or a node host. By default, commands target the local approvals file on disk. Use --gateway to target the gateway, or --node to target a specific node.

Related:

Common commands

openclaw approvals get
openclaw approvals get --node <id|name|ip>
openclaw approvals get --gateway

openclaw approvals get now shows the effective exec policy for local, gateway, and node targets:

  • requested tools.exec policy
  • host approvals-file policy
  • effective result after precedence rules are applied

Precedence is intentional:

  • the host approvals file is the enforceable source of truth
  • requested tools.exec policy can narrow or broaden intent, but the effective result is still derived from the host rules
  • --node combines the node host approvals file with gateway tools.exec policy, because both still apply at runtime
  • if gateway config is unavailable, the CLI falls back to the node approvals snapshot and notes that the final runtime policy could not be computed

Replace approvals from a file

openclaw approvals set --file ./exec-approvals.json
openclaw approvals set --node <id|name|ip> --file ./exec-approvals.json
openclaw approvals set --gateway --file ./exec-approvals.json

"Never prompt" / YOLO example

For a host that should never stop on exec approvals, set the host approvals defaults to full + off:

openclaw approvals set --stdin <<'EOF'
{
  version: 1,
  defaults: {
    security: "full",
    ask: "off",
    askFallback: "full"
  }
}
EOF

Node variant:

openclaw approvals set --node <id|name|ip> --stdin <<'EOF'
{
  version: 1,
  defaults: {
    security: "full",
    ask: "off",
    askFallback: "full"
  }
}
EOF

This changes the host approvals file only. To keep the requested OpenClaw policy aligned, also set:

openclaw config set tools.exec.host gateway
openclaw config set tools.exec.security full
openclaw config set tools.exec.ask off

Why tools.exec.host=gateway in this example:

  • host=auto still means "sandbox when available, otherwise gateway".
  • YOLO is about approvals, not routing.
  • If you want host exec even when a sandbox is configured, make the host choice explicit with gateway or /exec host=gateway.

This matches the current host-default YOLO behavior. Tighten it if you want approvals.

Allowlist helpers

openclaw approvals allowlist add "~/Projects/**/bin/rg"
openclaw approvals allowlist add --agent main --node <id|name|ip> "/usr/bin/uptime"
openclaw approvals allowlist add --agent "*" "/usr/bin/uname"

openclaw approvals allowlist remove "~/Projects/**/bin/rg"

Notes

  • --node uses the same resolver as openclaw nodes (id, name, ip, or id prefix).
  • --agent defaults to "*", which applies to all agents.
  • The node host must advertise system.execApprovals.get/set (macOS app or headless node host).
  • Approvals files are stored per host at ~/.openclaw/exec-approvals.json.
Reference in New Issue View Git Blame Copy Permalink