[Bug]: "Always Allow" fails silently and does not persist allowlist for unresolved short commands (basenames)

[cbcbq]

Bug type

Behavior bug (incorrect output/state without crash)

Summary

When a user clicks the "Always Allow" button on an interactive execution approval prompt (e.g., in Discord or Telegram) for a short command (like id, jq, or sed), the system fails to persist the command to the exec-approvals.json allowlist. As a result, subsequent executions of the same command still require manual approval, rendering the "Always Allow" button ineffective for these commands.

Additionally, there is no UI feedback informing the user that the persistence failed.

Steps to reproduce

1. Ensure the agent attempts to run a short command without an absolute path (e.g., id or jq -r ...).
2. Receive the execution approval prompt in Discord/Telegram.
3. Click the "Always Allow" button.
4. Attempt to run the exact same command via the agent again.
5. Observed: The system prompts for approval again.
6. Check ~/.openclaw/exec-approvals.json, the command is missing from the allowlist.

Expected behavior

When a user clicks "Always Allow":

• The system should attempt to resolve the absolute path of the command (e.g., equivalent to which <command>) and persist the resolved absolute path to the allowlist.

Actual behavior

"Always Allow" fails silently and behaving exactly like "Allow once" without any warning or feedback to user

OpenClaw version

2026.3.8 (3caab92)

Operating system

Ubuntu 24.04

Install method

npm global

Model

gemini-3-pro

Provider / routing chain

openclaw -> apikey

Config file / key location

No response

Additional provider/model setup details

No response

Logs, screenshots, and evidence

Impact and severity

No response

Additional information

No response

[newcodebook]

Good report — and the symptom (“Always Allow” behaves like “Allow once”) matches what happens when the approval system can’t safely persist an unresolved basename like id / jq (no absolute path to store).

Workaround (manual allowlist add with absolute paths):

1. Resolve the command path on the host that actually runs exec:

command -v id
command -v jq

2. Add the resolved absolute path(s) to the approvals allowlist:

openclaw approvals allowlist add --agent "*" "$(command -v id)"
openclaw approvals allowlist add --agent "*" "$(command -v jq)"

3. Verify it landed:

openclaw approvals get

Why this helps: approvals are keyed on concrete executable paths / patterns; a bare jq can map to different binaries depending on PATH, shells, nodes, etc., so persisting it without resolution is ambiguous.

If you want an additional mitigation while waiting for a fix: prompt your agent to use absolute paths (e.g. /usr/bin/jq) for any “always allow” commands you expect to repeat.

Recommended reading:

• OpenClaw Exec Approvals and Safe Bins: Why tools.exec.security="full" Can Still Be Blocked
• OpenClaw Config Generator / openclaw.json

[cbcbq]

Good report — and the symptom (“Always Allow” behaves like “Allow once”) matches what happens when the approval system can’t safely persist an unresolved basename like id / jq (no absolute path to store).

Workaround (manual allowlist add with absolute paths):

1. Resolve the command path on the host that actually runs exec:

command -v id
command -v jq
2. Add the resolved absolute path(s) to the approvals allowlist:

openclaw approvals allowlist add --agent "" "$(command -v id)"
openclaw approvals allowlist add --agent "" "$(command -v jq)"
3. Verify it landed:

openclaw approvals get
Why this helps: approvals are keyed on concrete executable paths / patterns; a bare jq can map to different binaries depending on PATH, shells, nodes, etc., so persisting it without resolution is ambiguous.

If you want an additional mitigation while waiting for a fix: prompt your agent to use absolute paths (e.g. /usr/bin/jq) for any “always allow” commands you expect to repeat.

Recommended reading:

• OpenClaw Exec Approvals and Safe Bins: Why tools.exec.security="full" Can Still Be Blocked
• OpenClaw Config Generator / openclaw.json

Good report — and the symptom (“Always Allow” behaves like “Allow once”) matches what happens when the approval system can’t safely persist an unresolved basename like id / jq (no absolute path to store).

Workaround (manual allowlist add with absolute paths):

1. Resolve the command path on the host that actually runs exec:

command -v id
command -v jq
2. Add the resolved absolute path(s) to the approvals allowlist:

openclaw approvals allowlist add --agent "" "$(command -v id)"
openclaw approvals allowlist add --agent "" "$(command -v jq)"
3. Verify it landed:

openclaw approvals get
Why this helps: approvals are keyed on concrete executable paths / patterns; a bare jq can map to different binaries depending on PATH, shells, nodes, etc., so persisting it without resolution is ambiguous.

If you want an additional mitigation while waiting for a fix: prompt your agent to use absolute paths (e.g. /usr/bin/jq) for any “always allow” commands you expect to repeat.

Recommended reading:

• OpenClaw Exec Approvals and Safe Bins: Why tools.exec.security="full" Can Still Be Blocked
• OpenClaw Config Generator / openclaw.json

Thanks the workaround makes sense, and it matches what I observed in practice.

i think the awkward part is mainly the UX: when the popup says “Always Allow” for jq / id, the user naturally expects exactly that choice to persist and work next time. If the approval system actually needs a resolved absolute path, it would be much more intuitive to canonicalize the executable on the gateway/exec host at approval time and store/display that resolved path.

Right now it feels like the UI accepts one thing (jq) while the backend enforces another (/usr/bin/jq), so the result is not really WYSIWYG from the user’s perspective.

The manual absolute-path workaround is good for now, but I think resolving + persisting the canonical executable path during “Always Allow” would make the behavior much clearer.

[steipete]

Closing this as implemented after Codex review.

Current main already resolves short PATH-based commands to absolute executable paths before persisting an allow-always approval, and it also has a durable exact-command fallback when no stable binary path can be derived. The reported "Always Allow behaves like Allow once" path is implemented/fixed on main and shipped in the latest release.

What I checked:

• Basename commands resolve through PATH: resolveExecutablePath() searches PATH entries and returns the concrete executable path, and buildExecutableResolution() stores that as resolvedPath, so a basename like jq/id is canonicalized before approval persistence. (src/infra/executable-path.ts:93, 50e36983bb2d)
• PATH resolution is regression-tested: The command-resolution test explicitly covers a PATH executable (rg -n foo) and expects resolveCommandResolution() to produce the absolute executable path from the PATH fixture. (src/infra/exec-command-resolution.test.ts:101, 50e36983bb2d)
• Allow Always persists resolved binary paths: collectAllowAlwaysPatterns() takes the resolved execution target candidate path and adds that concrete path to the persisted allow-always pattern set; persistAllowAlwaysPatterns() then writes those patterns into the approvals allowlist. (src/infra/exec-approvals-allowlist.ts:961, 50e36983bb2d)
• Gateway approval flow no longer degrades to allow-once: On an allow-always decision, the gateway exec path persists resolved allowlist patterns, and if none can be derived it falls back to a durable exact-command approval hash instead of silently acting like allow-once. (src/agents/bash-tools.exec-host-gateway.ts:324, 50e36983bb2d)
• Fix is present in the latest release: git diff --stat v2026.4.22..HEAD -- src/infra/exec-approvals-allowlist.ts src/infra/exec-command-resolution.ts src/infra/exec-command-resolution.test.ts src/agents/bash-tools.exec-host-gateway.ts docs/tools/exec-approvals.md showed only docs changes; the relevant code paths are unchanged between v2026.4.22 and current main. (00bd2cf7a376)

So I’m closing this as already implemented rather than keeping a duplicate issue open.

Review notes: reviewed against 50e36983bb2d; fix evidence: release v2026.4.22.