chore(sync): mirror docs from openclaw/openclaw@4bf94aa0d6

This commit is contained in:
openclaw-docs-sync[bot] 2026-04-10 06:16:45 +00:00
parent 37f6599b1c
commit 57fde0e98e
3 changed files with 78 additions and 3 deletions

View File

@ -1,5 +1,5 @@
{
"repository": "openclaw/openclaw",
"sha": "71617ef2f056e786a39362542594090854ce62bd",
"syncedAt": "2026-04-10T05:41:50.837Z"
"sha": "4bf94aa0d6699b7cbb9ffdf5f3f8413b598b5715",
"syncedAt": "2026-04-10T06:16:44.477Z"
}

View File

@ -1,5 +1,5 @@
---
summary: "CLI reference for `openclaw approvals` (exec approvals for gateway or node hosts)"
summary: "CLI reference for `openclaw approvals` and `openclaw exec-policy`"
read_when:
- You want to edit exec approvals from the CLI
- You need to manage allowlists on gateway or node hosts
@ -18,6 +18,45 @@ Related:
- Exec approvals: [Exec approvals](/tools/exec-approvals)
- Nodes: [Nodes](/nodes)
## `openclaw exec-policy`
`openclaw exec-policy` is the local convenience command for keeping the requested
`tools.exec.*` config and the local host approvals file aligned in one step.
Use it when you want to:
- inspect the local requested policy, host approvals file, and effective merge
- apply a local preset such as YOLO or deny-all
- synchronize local `tools.exec.*` and local `~/.openclaw/exec-approvals.json`
Examples:
```bash
openclaw exec-policy show
openclaw exec-policy show --json
openclaw exec-policy preset yolo
openclaw exec-policy preset cautious --json
openclaw exec-policy set --host gateway --security full --ask off --ask-fallback full
```
Output modes:
- no `--json`: prints the human-readable table view
- `--json`: prints machine-readable structured output
Current scope:
- `exec-policy` is **local-only**
- it updates the local config file and the local approvals file together
- it does **not** push policy to the gateway host or a node host
- `--host node` is rejected in this command because node exec approvals are fetched from the node at runtime and must be managed through node-targeted approvals commands instead
- `openclaw exec-policy show` marks `host=node` scopes as node-managed at runtime instead of deriving an effective policy from the local approvals file
If you need to edit remote host approvals directly, keep using `openclaw approvals set --gateway`
or `openclaw approvals set --node <id|name|ip>`.
## Common commands
```bash
@ -100,6 +139,16 @@ Why `tools.exec.host=gateway` in this example:
This matches the current host-default YOLO behavior. Tighten it if you want approvals.
Local shortcut:
```bash
openclaw exec-policy preset yolo
```
That local shortcut updates both the requested local `tools.exec.*` config and the
local approvals defaults together. It is equivalent in intent to the manual two-step
setup above, but only for the local machine.
## Allowlist helpers
```bash

View File

@ -20,6 +20,11 @@ session or config defaults request `ask: "on-miss"`.
Use `openclaw approvals get`, `openclaw approvals get --gateway`, or
`openclaw approvals get --node <id|name|ip>` to inspect the requested policy,
host policy sources, and the effective result.
For the local machine, `openclaw exec-policy show` exposes the same merged view and
`openclaw exec-policy set|preset` can synchronize the local requested policy with the
local host approvals file in one step. When a local scope requests `host=node`,
`openclaw exec-policy show` reports that scope as node-managed at runtime instead of
pretending the local approvals file is the effective source of truth.
If the companion app UI is **not available**, any request that requires a prompt is
resolved by the **ask fallback** (default: deny).
@ -143,6 +148,21 @@ openclaw approvals set --stdin <<'EOF'
EOF
```
Local shortcut for the same gateway-host policy on the current machine:
```bash
openclaw exec-policy preset yolo
```
That local shortcut updates both:
- local `tools.exec.host/security/ask`
- local `~/.openclaw/exec-approvals.json` defaults
It is intentionally local-only. If you need to change gateway-host or node-host approvals
remotely, continue using `openclaw approvals set --gateway` or
`openclaw approvals set --node <id|name|ip>`.
For a node host, apply the same approvals file on that node instead:
```bash
@ -158,6 +178,12 @@ openclaw approvals set --node <id|name|ip> --stdin <<'EOF'
EOF
```
Important local-only limitation:
- `openclaw exec-policy` does not synchronize node approvals
- `openclaw exec-policy set --host node` is rejected
- node exec approvals are fetched from the node at runtime, so node-targeted updates must use `openclaw approvals --node ...`
Session-only shortcut:
- `/exec security=full ask=off` changes only the current session.