openclaw
diff --git a/‎CHANGELOG.md‎
Lines changed: 1 addition & 0 deletions b/‎CHANGELOG.md‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎docs/cli/approvals.md‎
Lines changed: 13 additions & 0 deletions b/‎docs/cli/approvals.md‎
Lines changed: 13 additions & 0 deletions
diff --git a/‎docs/tools/exec-approvals.md‎
Lines changed: 3 additions & 0 deletions b/‎docs/tools/exec-approvals.md‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎docs/tools/slash-commands.md‎
Lines changed: 1 addition & 1 deletion b/‎docs/tools/slash-commands.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎extensions/discord/src/monitor/exec-approvals.test.ts‎
Lines changed: 25 additions & 0 deletions b/‎extensions/discord/src/monitor/exec-approvals.test.ts‎
Lines changed: 25 additions & 0 deletions
diff --git a/‎extensions/discord/src/monitor/exec-approvals.ts‎
Lines changed: 25 additions & 4 deletions b/‎extensions/discord/src/monitor/exec-approvals.ts‎
Lines changed: 25 additions & 4 deletions
diff --git a/‎extensions/slack/src/monitor/exec-approvals.test.ts‎
Lines changed: 31 additions & 0 deletions b/‎extensions/slack/src/monitor/exec-approvals.test.ts‎
Lines changed: 31 additions & 0 deletions
diff --git a/‎extensions/slack/src/monitor/exec-approvals.ts‎
Lines changed: 3 additions & 0 deletions b/‎extensions/slack/src/monitor/exec-approvals.ts‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎extensions/telegram/src/exec-approval-forwarding.ts‎
Lines changed: 2 additions & 0 deletions b/‎extensions/telegram/src/exec-approval-forwarding.ts‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎extensions/telegram/src/exec-approvals-handler.test.ts‎
Lines changed: 44 additions & 0 deletions b/‎extensions/telegram/src/exec-approvals-handler.test.ts‎
Lines changed: 44 additions & 0 deletions
@@ -28,6 +28,7 @@ Docs: https://docs.openclaw.ai
 - Matrix/runtime: resolve the verification/bootstrap runtime from a distinct packaged Matrix entry so global npm installs stop failing on crypto bootstrap with missing-module or recursive runtime alias errors. (#59249) Thanks @gumadeiras.
 - Matrix/streaming: preserve ordered block flushes before tool, message, and agent boundaries, add explicit `channels.matrix.blockStreaming` opt-in so Matrix `streaming: "off"` stays final-only by default, and move MiniMax plain-text final handling into the MiniMax provider runtime instead of the shared core heuristic. (#59266) thanks @gumadeiras
 - Agents/compaction: resolve compaction wait before final reply/channel flush completion so slow end-of-run delivery drains no longer delay compaction completion. (#59308) thanks @gumadeiras
+- Exec approvals: align approval UX, effective-policy reporting, and `allow-always` availability with the host policy so CLI, doctor, and approval surfaces explain the real host-effective decision path. (#59283) Thanks @gumadeiras.
 
 ## 2026.4.2
 
 
@@ -24,6 +24,19 @@ openclaw approvals get --node <id|name|ip>
 openclaw approvals get --gateway
 ```
 
+`openclaw approvals get` now shows the effective exec policy for local, gateway, and node targets:
+
+- requested `tools.exec` policy
+- host approvals-file policy
+- effective result after precedence rules are applied
+
+Precedence is intentional:
+
+- the host approvals file is the enforceable source of truth
+- requested `tools.exec` policy can narrow or broaden intent, but the effective result is still derived from the host rules
+- `--node` combines the node host approvals file with gateway `tools.exec` policy, because both still apply at runtime
+- if gateway config is unavailable, the CLI falls back to the node approvals snapshot and notes that the final runtime policy could not be computed
+
 ## Replace approvals from a file
 
 ```bash
 
@@ -17,6 +17,9 @@ Effective policy is the **stricter** of `tools.exec.*` and approvals defaults; i
 Host exec also uses the local approvals state on that machine. A host-local
 `ask: "always"` in `~/.openclaw/exec-approvals.json` keeps prompting even if
 session or config defaults request `ask: "on-miss"`.
+Use `openclaw approvals get`, `openclaw approvals get --gateway`, or
+`openclaw approvals get --node <id|name|ip>` to inspect the requested policy,
+host policy sources, and the effective result.
 
 If the companion app UI is **not available**, any request that requires a prompt is
 resolved by the **ask fallback** (default: deny).
 
@@ -80,7 +80,7 @@ Text + native (when enabled):
 - `/status` (show current status; includes provider usage/quota for the current model provider when available)
 - `/tasks` (list background tasks for the current session; shows active and recent task details with agent-local fallback counts)
 - `/allowlist` (list/add/remove allowlist entries)
-- `/approve <id> allow-once|allow-always|deny` (resolve exec approval prompts)
+- `/approve <id> <decision>` (resolve exec approval prompts; use the pending approval message for the available decisions)
 - `/context [list|detail|json]` (explain “context”; `detail` shows per-file + per-tool + per-skill + system prompt size)
 - `/btw <question>` (ask an ephemeral side question about the current session without changing future session context; see [/tools/btw](/tools/btw))
 - `/export-session [path]` (alias: `/export`) (export current session to HTML with full system prompt)
 
@@ -1090,6 +1090,31 @@ describe("DiscordExecApprovalHandler delivery routing", () => {
       }),
     );
   });
+
+  it("omits allow-always when exec approvals disallow it", async () => {
+    const handler = createHandler({
+      enabled: true,
+      approvers: ["123"],
+      target: "dm",
+    });
+
+    mockSuccessfulDmDelivery({ throwOnUnexpectedRoute: true });
+
+    await handler.handleApprovalRequested(
+      createRequest({
+        ask: "always",
+        allowedDecisions: ["allow-once", "deny"],
+      }),
+    );
+
+    const dmCall = mockRestPost.mock.calls.find(
+      ([route]) => route === Routes.channelMessages("dm-1"),
+    );
+    const payload = JSON.stringify(dmCall?.[1]?.body);
+    expect(payload).toContain("Allow Once");
+    expect(payload).toContain("Deny");
+    expect(payload).not.toContain("Allow Always");
+  });
 });
 
 describe("DiscordExecApprovalHandler resolve routing", () => {
 
@@ -190,15 +190,36 @@ class ExecApprovalActionButton extends Button {
 }
 
 class ExecApprovalActionRow extends Row<Button> {
-  constructor(approvalId: string) {
+  constructor(params: {
+    approvalId: string;
+    ask?: string | null;
+    allowedDecisions?: readonly ExecApprovalDecision[];
+  }) {
     super([
-      ...buildExecApprovalActionDescriptors({ approvalCommandId: approvalId }).map(
-        (descriptor) => new ExecApprovalActionButton({ approvalId, descriptor }),
+      ...buildExecApprovalActionDescriptors({
+        approvalCommandId: params.approvalId,
+        ask: params.ask,
+        allowedDecisions: params.allowedDecisions,
+      }).map(
+        (descriptor) => new ExecApprovalActionButton({ approvalId: params.approvalId, descriptor }),
       ),
     ]);
   }
 }
 
+function createApprovalActionRow(request: ApprovalRequest): Row<Button> {
+  if (isPluginApprovalRequest(request)) {
+    return new ExecApprovalActionRow({
+      approvalId: request.id,
+    });
+  }
+  return new ExecApprovalActionRow({
+    approvalId: request.id,
+    ask: request.request.ask,
+    allowedDecisions: request.request.allowedDecisions,
+  });
+}
+
 function buildExecApprovalMetadataLines(request: ExecApprovalRequest): string[] {
   const lines: string[] = [];
   if (request.request.cwd) {
@@ -466,7 +487,7 @@ export class DiscordExecApprovalHandler {
       isConfigured: () => Boolean(this.opts.config.enabled && this.getApprovers().length > 0),
       shouldHandle: (request) => this.shouldHandle(request),
       buildPendingContent: ({ request }) => {
-        const actionRow = new ExecApprovalActionRow(request.id);
+        const actionRow = createApprovalActionRow(request);
         const container = isPluginApprovalRequest(request)
           ? createPluginApprovalRequestContainer({
               request,
 
@@ -130,6 +130,37 @@ describe("SlackExecApprovalHandler", () => {
     );
   });
 
+  it("omits allow-always when exec approvals disallow it", async () => {
+    const app = buildApp();
+    const handler = new SlackExecApprovalHandler({
+      app,
+      accountId: "default",
+      config: buildConfig("dm").channels!.slack!.execApprovals!,
+      cfg: buildConfig("dm"),
+    });
+
+    await handler.handleApprovalRequested(
+      buildRequest({
+        ask: "always",
+        allowedDecisions: ["allow-once", "deny"],
+      }),
+    );
+
+    const dmCall = sendMessageSlackMock.mock.calls.find(([to]) => to === "user:U123APPROVER");
+    const blocks = dmCall?.[2]?.blocks as Array<Record<string, unknown>> | undefined;
+    const actionsBlock = blocks?.find((block) => block.type === "actions");
+    const buttons = Array.isArray(actionsBlock?.elements) ? actionsBlock.elements : [];
+    const buttonTexts = buttons.map((button) =>
+      typeof button === "object" && button && typeof button.text === "object" && button.text
+        ? String((button.text as { text?: unknown }).text ?? "")
+        : "",
+    );
+
+    expect(buttonTexts).toContain("Allow Once");
+    expect(buttonTexts).toContain("Deny");
+    expect(buttonTexts).not.toContain("Allow Always");
+  });
+
   it("updates the pending approval card in place after resolution", async () => {
     const app = buildApp();
     const update = app.client.chat.update as ReturnType<typeof vi.fn>;
 
@@ -6,6 +6,7 @@ import {
   createChannelNativeApprovalRuntime,
   getExecApprovalApproverDmNoticeText,
   resolveExecApprovalCommandDisplay,
+  resolveExecApprovalRequestAllowedDecisions,
   type ExecApprovalChannelRuntime,
   type ExecApprovalDecision,
   type ExecApprovalRequest,
@@ -99,6 +100,8 @@ function buildSlackPendingApprovalBlocks(request: ExecApprovalRequest): SlackBlo
       text: "",
       interactive: buildApprovalInteractiveReply({
         approvalId: request.id,
+        ask: request.request.ask,
+        allowedDecisions: resolveExecApprovalRequestAllowedDecisions(request.request),
       }),
     }) ?? [];
   return [
 
@@ -1,5 +1,6 @@
 import {
   buildExecApprovalPendingReplyPayload,
+  resolveExecApprovalRequestAllowedDecisions,
   resolveExecApprovalCommandDisplay,
   type ExecApprovalRequest,
 } from "openclaw/plugin-sdk/approval-runtime";
@@ -37,6 +38,7 @@ export function buildTelegramExecApprovalPendingPayload(params: {
     cwd: params.request.request.cwd ?? undefined,
     host: params.request.request.host === "node" ? "node" : "gateway",
     nodeId: params.request.request.nodeId ?? undefined,
+    allowedDecisions: resolveExecApprovalRequestAllowedDecisions(params.request.request),
     expiresAtMs: params.request.expiresAtMs,
     nowMs: params.nowMs,
   });
 
@@ -114,6 +114,50 @@ describe("TelegramExecApprovalHandler", () => {
     );
   });
 
+  it("hides allow-always actions when ask=always", async () => {
+    const cfg = {
+      channels: {
+        telegram: {
+          execApprovals: {
+            enabled: true,
+            approvers: ["8460800771"],
+            target: "channel",
+          },
+        },
+      },
+    } as OpenClawConfig;
+    const { handler, sendMessage } = createHandler(cfg);
+
+    await handler.handleRequested({
+      ...baseRequest,
+      request: {
+        ...baseRequest.request,
+        ask: "always",
+      },
+    });
+
+    expect(sendMessage).toHaveBeenCalledWith(
+      "-1003841603622",
+      expect.not.stringContaining("allow-always"),
+      expect.objectContaining({
+        buttons: [
+          [
+            {
+              text: "Allow Once",
+              callback_data: "/approve 9f1c7d5d-b1fb-46ef-ac45-662723b65bb7 allow-once",
+              style: "success",
+            },
+            {
+              text: "Deny",
+              callback_data: "/approve 9f1c7d5d-b1fb-46ef-ac45-662723b65bb7 deny",
+              style: "danger",
+            },
+          ],
+        ],
+      }),
+    );
+  });
+
   it("falls back to approver DMs when channel routing is unavailable", async () => {
     const cfg = {
       channels: {