allow-always silently fails for shell builtins (cd, etc.)

[epavlenko]

Problem

When an exec approval is triggered for a compound command starting with a shell builtin (e.g. cd deer-flow && ls), the user receives a standard approval prompt. Choosing allow-always returns ✅ Exec approval allowed always, but no pattern is actually persisted to the allowlist.

On the next attempt to run the same (or similar) command, the agent is blocked again and requests approval for the same command that was already "always allowed".

Root cause

allow-always resolves the approved binary's path (e.g. /usr/bin/ls → pattern /usr/bin/ls) and adds it to exec-approvals.json. But cd is a shell builtin — it has no resolved path. The allowlist entry is never created, yet the user receives a success confirmation.

Steps to reproduce

1. Agent runs a compound command: cd some-dir && ls
2. Approval notification appears (because cd doesn't match any allowlist pattern)
3. User replies: /approve <id> allow-always
4. System responds: ✅ Exec approval allowed always
5. Agent retries the same command → blocked again, requests approval
6. Check exec-approvals.json — no new entry was added

Expected behavior

Either:

• Persist a pattern that covers the builtin (e.g. allow the compound command), or
• Return an error/warning: "Cannot add shell builtin cd to allowlist. Use allow-once instead."

The current silent success + no persistence is misleading.

Environment

• OpenClaw 2026.3.2
• Ubuntu Linux 6.8.0-100-generic
• Channel: Telegram

[rnrnstar2]

Priority Assessment: P1 (High)

Impact: Security/Functionality - allow-always silently failing for shell builtins (cd, etc.) creates a security gap where users believe commands are pre-approved but they actually fail silently.

Classification: Security / Core Functionality

Recommendation: Ensure shell builtin detection works correctly with allow-always, or provide clear error feedback instead of silent failure.

---

Triaged by AgentOS Repo Head (agentos-sentry-poll)

[steipete]

Closing this as implemented after Codex review.

Current main already handles non-persistable allow-always approvals by storing a durable exact-command approval, so shell builtins like cd no longer re-prompt on rerun.

What I checked:

• Durable exact-command approvals are recognized: hasDurableExecApproval now accepts hashed exact-command approvals (=command:<digest>) even when normal allowlist analysis does not produce executable matches. (src/infra/exec-approvals.ts:792, 9f4ef6162dbd)
• Fallback persistence when no allowlist pattern can be derived: Gateway exec path persists normal allow-always patterns first, then falls back to addDurableCommandApproval(...) when patterns.length === 0. That covers shell-builtin cases where no executable path can be persisted. (src/agents/bash-tools.exec-host-gateway.ts:324, 9f4ef6162dbd)
• Node-host path has the same fallback: system.run on the node host also stores a durable exact-command approval when allow-always cannot derive persistable executable patterns. (src/node-host/invoke-system-run.ts:626, 9f4ef6162dbd)
• Regression test covers shell-wrapper reruns: There is explicit test coverage that a shell-wrapper command using cd . is re-allowed from a durable exact-command approval instead of prompting again. (src/node-host/invoke-system-run.test.ts:1512, 9f4ef6162dbd)
• Policy test confirms exact-command durable trust: Unit coverage asserts that an allow-always exact-command digest is treated as durable trust even when command analysis is not otherwise satisfied. (src/infra/exec-approvals-policy.test.ts:164, 9f4ef6162dbd)
• Behavior is already in the latest release: The latest release tag v2026.4.22 already contains the patterns.length === 0 -> addDurableCommandApproval(...) fallback in both gateway and node-host paths. (src/agents/bash-tools.exec-host-gateway.ts:324, 00bd2cf7a376)

So I’m closing this as already implemented rather than keeping a duplicate issue open.

Review notes: reviewed against 9f4ef6162dbd; fix evidence: release v2026.4.22, commit 00bd2cf7a376.