Feature Request
Summary
Add support for path/argument-based filtering in the exec allowlist, similar to Claude Code's Bash(command:path*) permission syntax.
Current Behavior
The exec allowlist only matches on the binary path:
{ "pattern": "/bin/cat" }
This allows or blocks a binary entirely — there is no way to allow a binary globally but deny it for specific file path arguments.
Desired Behavior
Support optional argument/path patterns in allowlist entries, for example:
{ "pattern": "/bin/cat", "denyArgs": ["/Users/finite/.openclaw/audit-mount/*"] }
Or a deny-list variant:
{
  "denyExec": [
    { "binary": "/bin/cat", "argPattern": "/Users/finite/.openclaw/audit-mount/**" },
    { "binary": "/bin/ls", "argPattern": "/Users/finite/.openclaw/audit-mount/**" }
  ]
}
Use Case
Multi-agent setups where one agent (@Audit) has an isolated encrypted workspace that other agents (HAL, sub-agents) should not be able to read via shell commands. Currently the only enforcement options are:
- Behavioral rules (LLM-level, not enforced)
- Docker sandboxing (too restrictive — breaks vault and host access for the main agent)
- Separate macOS users (complex setup)
Path-based argument filtering in the exec allowlist would allow fine-grained per-path exec restrictions without requiring Docker sandboxing or OS-level user separation.
Related
- Exec approvals docs: per-agent allowlists currently only support binary glob patterns
- safeBins is the closest existing feature (stdin-only restriction), but it is global and not path-specific
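
One way the proposed denyExec rules could be evaluated against a command's arguments, as an added example (not part of the original issue and not OpenClaw code). The function names are hypothetical; arguments are normalized before matching because a glob compared against the raw argument string would miss relative paths and ".." segments.

```javascript
// Added example (hypothetical helper names, not OpenClaw code). POSIX paths only.
// Policy shape copied from the "denyExec" variant proposed in the issue.
const POLICY = {
  denyExec: [
    { binary: "/bin/cat", argPattern: "/Users/finite/.openclaw/audit-mount/**" },
    { binary: "/bin/ls", argPattern: "/Users/finite/.openclaw/audit-mount/**" },
  ],
};

// Resolve relative arguments against cwd and collapse ".", ".." and "//".
// Lexical only: symlinks are not resolved; an enforcing check would also need realpath.
function normalizePath(arg, cwd) {
  const abs = arg.startsWith("/") ? arg : cwd + "/" + arg;
  const out = [];
  for (const seg of abs.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") out.pop();
    else out.push(seg);
  }
  return "/" + out.join("/");
}

// Glob to anchored RegExp: "*" stays within one segment, "**" crosses "/",
// and a trailing "/**" also covers the directory itself.
function globToRegExp(glob) {
  let re = "";
  for (let i = 0; i < glob.length; i++) {
    if (glob.startsWith("/**", i) && i + 3 === glob.length) { re += "(?:/.*)?"; break; }
    if (glob.startsWith("**", i)) { re += ".*"; i++; continue; }
    re += glob[i] === "*" ? "[^/]*" : glob[i].replace(/[.+?^${}()|[\]\\]/g, "\\$&");
  }
  return new RegExp("^" + re + "$");
}

// Return the first deny rule matched by any argument, or null if none matches.
// Every argument is treated as a possible path, so flags are checked too.
function findDenyRule(policy, binary, args, cwd) {
  for (const rule of policy.denyExec) {
    if (rule.binary !== binary) continue;
    const re = globToRegExp(rule.argPattern);
    if (args.some((arg) => re.test(normalizePath(arg, cwd)))) return rule;
  }
  return null;
}
```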