chore(sync): mirror docs from openclaw/openclaw@4bf94aa0d6
This commit is contained in:
parent
37f6599b1c
commit
57fde0e98e
@ -1,5 +1,5 @@
|
||||
{
|
||||
"repository": "openclaw/openclaw",
|
||||
"sha": "71617ef2f056e786a39362542594090854ce62bd",
|
||||
"syncedAt": "2026-04-10T05:41:50.837Z"
|
||||
"sha": "4bf94aa0d6699b7cbb9ffdf5f3f8413b598b5715",
|
||||
"syncedAt": "2026-04-10T06:16:44.477Z"
|
||||
}
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
summary: "CLI reference for `openclaw approvals` (exec approvals for gateway or node hosts)"
|
||||
summary: "CLI reference for `openclaw approvals` and `openclaw exec-policy`"
|
||||
read_when:
|
||||
- You want to edit exec approvals from the CLI
|
||||
- You need to manage allowlists on gateway or node hosts
|
||||
@ -18,6 +18,45 @@ Related:
|
||||
- Exec approvals: [Exec approvals](/tools/exec-approvals)
|
||||
- Nodes: [Nodes](/nodes)
|
||||
|
||||
## `openclaw exec-policy`
|
||||
|
||||
`openclaw exec-policy` is the local convenience command for keeping the requested
|
||||
`tools.exec.*` config and the local host approvals file aligned in one step.
|
||||
|
||||
Use it when you want to:
|
||||
|
||||
- inspect the local requested policy, host approvals file, and effective merge
|
||||
- apply a local preset such as YOLO or deny-all
|
||||
- synchronize local `tools.exec.*` and local `~/.openclaw/exec-approvals.json`
|
||||
|
||||
Examples:
|
||||
|
||||
```bash
|
||||
openclaw exec-policy show
|
||||
openclaw exec-policy show --json
|
||||
|
||||
openclaw exec-policy preset yolo
|
||||
openclaw exec-policy preset cautious --json
|
||||
|
||||
openclaw exec-policy set --host gateway --security full --ask off --ask-fallback full
|
||||
```
|
||||
|
||||
Output modes:
|
||||
|
||||
- no `--json`: prints the human-readable table view
|
||||
- `--json`: prints machine-readable structured output
|
||||
|
||||
Current scope:
|
||||
|
||||
- `exec-policy` is **local-only**
|
||||
- it updates the local config file and the local approvals file together
|
||||
- it does **not** push policy to the gateway host or a node host
|
||||
- `--host node` is rejected in this command because node exec approvals are fetched from the node at runtime and must be managed through node-targeted approvals commands instead
|
||||
- `openclaw exec-policy show` marks `host=node` scopes as node-managed at runtime instead of deriving an effective policy from the local approvals file
|
||||
|
||||
If you need to edit remote host approvals directly, keep using `openclaw approvals set --gateway`
|
||||
or `openclaw approvals set --node <id|name|ip>`.
|
||||
|
||||
## Common commands
|
||||
|
||||
```bash
|
||||
@ -100,6 +139,16 @@ Why `tools.exec.host=gateway` in this example:
|
||||
|
||||
This matches the current host-default YOLO behavior. Tighten it if you want approvals.
|
||||
|
||||
Local shortcut:
|
||||
|
||||
```bash
|
||||
openclaw exec-policy preset yolo
|
||||
```
|
||||
|
||||
That local shortcut updates both the requested local `tools.exec.*` config and the
|
||||
local approvals defaults together. It is equivalent in intent to the manual two-step
|
||||
setup above, but only for the local machine.
|
||||
|
||||
## Allowlist helpers
|
||||
|
||||
```bash
|
||||
|
||||
@ -20,6 +20,11 @@ session or config defaults request `ask: "on-miss"`.
|
||||
Use `openclaw approvals get`, `openclaw approvals get --gateway`, or
|
||||
`openclaw approvals get --node <id|name|ip>` to inspect the requested policy,
|
||||
host policy sources, and the effective result.
|
||||
For the local machine, `openclaw exec-policy show` exposes the same merged view and
|
||||
`openclaw exec-policy set|preset` can synchronize the local requested policy with the
|
||||
local host approvals file in one step. When a local scope requests `host=node`,
|
||||
`openclaw exec-policy show` reports that scope as node-managed at runtime instead of
|
||||
pretending the local approvals file is the effective source of truth.
|
||||
|
||||
If the companion app UI is **not available**, any request that requires a prompt is
|
||||
resolved by the **ask fallback** (default: deny).
|
||||
@ -143,6 +148,21 @@ openclaw approvals set --stdin <<'EOF'
|
||||
EOF
|
||||
```
|
||||
|
||||
Local shortcut for the same gateway-host policy on the current machine:
|
||||
|
||||
```bash
|
||||
openclaw exec-policy preset yolo
|
||||
```
|
||||
|
||||
That local shortcut updates both:
|
||||
|
||||
- local `tools.exec.host/security/ask`
|
||||
- local `~/.openclaw/exec-approvals.json` defaults
|
||||
|
||||
It is intentionally local-only. If you need to change gateway-host or node-host approvals
|
||||
remotely, continue using `openclaw approvals set --gateway` or
|
||||
`openclaw approvals set --node <id|name|ip>`.
|
||||
|
||||
For a node host, apply the same approvals file on that node instead:
|
||||
|
||||
```bash
|
||||
@ -158,6 +178,12 @@ openclaw approvals set --node <id|name|ip> --stdin <<'EOF'
|
||||
EOF
|
||||
```
|
||||
|
||||
Important local-only limitation:
|
||||
|
||||
- `openclaw exec-policy` does not synchronize node approvals
|
||||
- `openclaw exec-policy set --host node` is rejected
|
||||
- node exec approvals are fetched from the node at runtime, so node-targeted updates must use `openclaw approvals --node ...`
|
||||
|
||||
Session-only shortcut:
|
||||
|
||||
- `/exec security=full ask=off` changes only the current session.
|
||||
|
||||
Loading…
Reference in New Issue
Block a user