openclaw/docs/cli/approvals.md
Gustavo Madeira Santana ba735d0158 Exec approvals: unify effective policy reporting and actions (#59283)
Merged via squash.

Prepared head SHA: d579b97a93
Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com>
Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com>
Reviewed-by: @gumadeiras
2026-04-01 22:02:39 -04:00


summary: CLI reference for `openclaw approvals` (exec approvals for gateway or node hosts)
read_when:
  • You want to edit exec approvals from the CLI
  • You need to manage allowlists on gateway or node hosts
title: approvals

openclaw approvals

Manage exec approvals for the local host, gateway host, or a node host. By default, commands target the local approvals file on disk. Use --gateway to target the gateway, or --node to target a specific node.

Related:

Common commands

openclaw approvals get
openclaw approvals get --node <id|name|ip>
openclaw approvals get --gateway

openclaw approvals get now shows the effective exec policy for local, gateway, and node targets:

  • requested tools.exec policy
  • host approvals-file policy
  • effective result after precedence rules are applied

Precedence is intentional:

  • the host approvals file is the enforceable source of truth
  • requested tools.exec policy can narrow or broaden intent, but the effective result is still derived from the host rules
  • --node combines the node host approvals file with gateway tools.exec policy, because both still apply at runtime
  • if gateway config is unavailable, the CLI falls back to the node approvals snapshot and notes that the final runtime policy could not be computed

Replace approvals from a file

openclaw approvals set --file ./exec-approvals.json
openclaw approvals set --node <id|name|ip> --file ./exec-approvals.json
openclaw approvals set --gateway --file ./exec-approvals.json

Allowlist helpers

openclaw approvals allowlist add "~/Projects/**/bin/rg"
openclaw approvals allowlist add --agent main --node <id|name|ip> "/usr/bin/uptime"
openclaw approvals allowlist add --agent "*" "/usr/bin/uname"

openclaw approvals allowlist remove "~/Projects/**/bin/rg"
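
Before adding an entry, it helps to review how much the pattern would approve. The sketch below is an added example, not part of the OpenClaw docs or code: the function name `review_pattern`, its finding labels, the interpreter list and the directory prefixes are assumptions of this example. It inspects the pattern text only and never calls `openclaw`.

```shell
#!/bin/sh
# Added example: lint an allowlist pattern before `openclaw approvals allowlist add`.
# Assumption: patterns are executable paths with glob wildcards, as in the commands above.
# The checks are this example's own heuristics, not rules enforced by openclaw.

# review_pattern PATTERN -> prints space-separated findings, or "ok"
review_pattern() (
  pat=$1
  base=${pat##*/}          # last path component, i.e. the binary name
  findings=""

  # Patterns that are neither absolute nor ~-anchored are ambiguous about location.
  case "$pat" in
    /*|"~/"*) ;;
    *) findings="$findings not-anchored" ;;
  esac

  # A wildcard in the last component approves by location rather than by name.
  case "$base" in
    *\**|*\?*|*\[*) findings="$findings wildcard-basename" ;;
  esac

  # Wildcards below a home or temp directory match paths the user account can create.
  wild=no
  case "$pat" in *\**|*\?*|*\[*) wild=yes ;; esac
  case "$pat" in
    "~/"*|/home/*|/Users/*|/tmp/*)
      if [ "$wild" = yes ]; then findings="$findings wildcard-in-user-tree"; fi ;;
  esac

  # Shells and interpreters run arbitrary code once they are approved.
  case "$base" in
    sh|bash|zsh|dash|env|python|python3|node|perl|ruby)
      findings="$findings interpreter" ;;
  esac

  findings=${findings# }
  echo "${findings:-ok}"
)

# The three patterns used on this page, plus one constructed broad pattern.
for p in "/usr/bin/uptime" "/usr/bin/uname" "~/Projects/**/bin/rg" "bin/*"; do
  printf '%-24s %s\n' "$p" "$(review_pattern "$p")"
done
```

A finding is a prompt to review the entry, not proof that it is unsafe; pinning the entry to one absolute path clears the location findings.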

Notes

  • --node uses the same resolver as openclaw nodes (id, name, ip, or id prefix).
  • --agent defaults to "*", which applies to all agents.
  • The node host must advertise system.execApprovals.get/set (macOS app or headless node host).
  • Approvals files are stored per host at ~/.openclaw/exec-approvals.json.