From 57fde0e98e160edeb4a5c679eeff6a473f211a1e Mon Sep 17 00:00:00 2001 From: "openclaw-docs-sync[bot]" Date: Fri, 10 Apr 2026 06:16:45 +0000 Subject: [PATCH] chore(sync): mirror docs from openclaw/openclaw@4bf94aa0d6699b7cbb9ffdf5f3f8413b598b5715 --- .openclaw-sync/source.json | 4 +-- docs/cli/approvals.md | 51 +++++++++++++++++++++++++++++++++++- docs/tools/exec-approvals.md | 26 ++++++++++++++++++ 3 files changed, 78 insertions(+), 3 deletions(-) diff --git a/.openclaw-sync/source.json b/.openclaw-sync/source.json index 94e252366..121ab6a15 100644 --- a/.openclaw-sync/source.json +++ b/.openclaw-sync/source.json @@ -1,5 +1,5 @@ { "repository": "openclaw/openclaw", - "sha": "71617ef2f056e786a39362542594090854ce62bd", - "syncedAt": "2026-04-10T05:41:50.837Z" + "sha": "4bf94aa0d6699b7cbb9ffdf5f3f8413b598b5715", + "syncedAt": "2026-04-10T06:16:44.477Z" } diff --git a/docs/cli/approvals.md b/docs/cli/approvals.md index 9381bd0ce..951d7f088 100644 --- a/docs/cli/approvals.md +++ b/docs/cli/approvals.md @@ -1,5 +1,5 @@ --- -summary: "CLI reference for `openclaw approvals` (exec approvals for gateway or node hosts)" +summary: "CLI reference for `openclaw approvals` and `openclaw exec-policy`" read_when: - You want to edit exec approvals from the CLI - You need to manage allowlists on gateway or node hosts @@ -18,6 +18,45 @@ Related: - Exec approvals: [Exec approvals](/tools/exec-approvals) - Nodes: [Nodes](/nodes) +## `openclaw exec-policy` + +`openclaw exec-policy` is the local convenience command for keeping the requested +`tools.exec.*` config and the local host approvals file aligned in one step. + +Use it when you want to: + +- inspect the local requested policy, host approvals file, and effective merge +- apply a local preset such as YOLO or deny-all +- synchronize local `tools.exec.*` and local `~/.openclaw/exec-approvals.json` + +Examples: + +```bash +openclaw exec-policy show +openclaw exec-policy show --json + +openclaw exec-policy preset yolo +openclaw exec-policy preset cautious --json + +openclaw exec-policy set --host gateway --security full --ask off --ask-fallback full +``` + +Output modes: + +- no `--json`: prints the human-readable table view +- `--json`: prints machine-readable structured output + +Current scope: + +- `exec-policy` is **local-only** +- it updates the local config file and the local approvals file together +- it does **not** push policy to the gateway host or a node host +- `--host node` is rejected in this command because node exec approvals are fetched from the node at runtime and must be managed through node-targeted approvals commands instead +- `openclaw exec-policy show` marks `host=node` scopes as node-managed at runtime instead of deriving an effective policy from the local approvals file + +If you need to edit remote host approvals directly, keep using `openclaw approvals set --gateway` +or `openclaw approvals set --node `. + ## Common commands ```bash @@ -100,6 +139,16 @@ Why `tools.exec.host=gateway` in this example: This matches the current host-default YOLO behavior. Tighten it if you want approvals. +Local shortcut: + +```bash +openclaw exec-policy preset yolo +``` + +That local shortcut updates both the requested local `tools.exec.*` config and the +local approvals defaults together. It is equivalent in intent to the manual two-step +setup above, but only for the local machine. + ## Allowlist helpers ```bash diff --git a/docs/tools/exec-approvals.md b/docs/tools/exec-approvals.md index 39c335fe7..5a0fd378b 100644 --- a/docs/tools/exec-approvals.md +++ b/docs/tools/exec-approvals.md @@ -20,6 +20,11 @@ session or config defaults request `ask: "on-miss"`. Use `openclaw approvals get`, `openclaw approvals get --gateway`, or `openclaw approvals get --node ` to inspect the requested policy, host policy sources, and the effective result. +For the local machine, `openclaw exec-policy show` exposes the same merged view and +`openclaw exec-policy set|preset` can synchronize the local requested policy with the +local host approvals file in one step. When a local scope requests `host=node`, +`openclaw exec-policy show` reports that scope as node-managed at runtime instead of +pretending the local approvals file is the effective source of truth. If the companion app UI is **not available**, any request that requires a prompt is resolved by the **ask fallback** (default: deny). @@ -143,6 +148,21 @@ openclaw approvals set --stdin <<'EOF' EOF ``` +Local shortcut for the same gateway-host policy on the current machine: + +```bash +openclaw exec-policy preset yolo +``` + +That local shortcut updates both: + +- local `tools.exec.host/security/ask` +- local `~/.openclaw/exec-approvals.json` defaults + +It is intentionally local-only. If you need to change gateway-host or node-host approvals +remotely, continue using `openclaw approvals set --gateway` or +`openclaw approvals set --node `. + For a node host, apply the same approvals file on that node instead: ```bash @@ -158,6 +178,12 @@ openclaw approvals set --node --stdin <<'EOF' EOF ``` +Important local-only limitation: + +- `openclaw exec-policy` does not synchronize node approvals +- `openclaw exec-policy set --host node` is rejected +- node exec approvals are fetched from the node at runtime, so node-targeted updates must use `openclaw approvals --node ...` + Session-only shortcut: - `/exec security=full ask=off` changes only the current session.