2026.3.31: tools.exec.ask='off' and tools.exec.security='full' ignored — all exec commands require approval

[stevethomas99]

Description

After upgrading from 2026.3.28 to 2026.3.31, all exec commands require manual approval despite config explicitly setting:

"tools": {
  "exec": {
    "ask": "off",
    "security": "full"
  }
}

Also disabled channels.discord.execApprovals.enabled: false — no effect.

Steps to Reproduce

1. Upgrade from 2026.3.28 to 2026.3.31 (npm i -g openclaw@latest)
2. Set tools.exec.ask: "off" and tools.exec.security: "full" in ~/.openclaw/openclaw.json
3. Full gateway stop/start (openclaw gateway stop && openclaw gateway start)
4. Any exec call (even echo "test") returns Approval required

Expected Behavior

Exec commands should run without approval when tools.exec.ask: "off" and tools.exec.security: "full" are configured.

Actual Behavior

Every exec command prompts for approval regardless of config. The config is confirmed loaded correctly via config.get — both parsed, resolved, and runtimeConfig show the correct values. Gateway was fully restarted (stop + start, not just SIGUSR1).

Suspected Cause

Likely related to the 2026.3.31 changelog entry:

ACP/security: replace ACP's dangerous-tool name override with semantic approval classes, so only narrow readonly reads/searches can auto-approve while indirect exec-capable and control-plane tools always require explicit prompt approval.

This appears to override the user-configured tools.exec settings.

Environment

• OS: macOS 26.3.1 (arm64)
• Node: 22.22.0
• Gateway mode: local, loopback, token auth
• Channels: Discord, Telegram, Signal, BlueBubbles
• Workaround: Rolled back to 2026.3.28

Impact

• All exec-based functionality broken (cron jobs, healthchecks, shell commands)
• Affects all channels (Discord, iMessage/BlueBubbles, etc.)
• Required full rollback to restore operations

[theDanielJLewis]

Yup. It's giving serious Windows Vista vibes!

[Hommchen]

so annoying!

[jsompis]

All cron completly failed.

[buzidjy]

是的，我也是如此。这让我感觉新版本没有经过任何的测试就发布了，以后再也不敢第一时间更新新版本了。

[nkondratyk93]

Workaround confirmed on 2026.3.31

The tools.exec config in openclaw.json alone is not sufficient — you also need to configure the host-side exec approvals in ~/.openclaw/exec-approvals.json.

As noted in #1517, tools.exec.security only sets the agent-side policy. Host-side approvals are enforced separately via exec-approvals.json and act as an upper bound.

Fix (two files):

1. ~/.openclaw/openclaw.json — agent-side policy:

"tools": {
  "exec": {
    "security": "full",
    "ask": "off"
  }
}

2. ~/.openclaw/exec-approvals.json — host-side policy (add defaults):

{
  "version": 1,
  "defaults": {
    "security": "full",
    "ask": "off"
  },
  "agents": { ... }
}

Both layers must agree. After updating both files, full gateway restart (openclaw gateway stop && openclaw gateway start).

Tested with cron jobs and heartbeat agents — exec approval errors gone.

[foreverxdord]

解决了，谢谢 done thanks

如果你在找3.31更新后免审批的解决办法，复制下面的给你的openclaw
If you are looking for an approval-free solution after the 3.31 update, copy the following openclaw for you

Workaround confirmed on macOS (2026.3.31, arm64)

Same issue here — all exec commands returning "Approval required" / "allowlist miss" after upgrade. Fix requires two files, and the tools.exec must be at the top-level tools, NOT inside agents.defaults.

File 1: ~/.openclaw/openclaw.json — add exec inside the top-level tools object:
{
"tools": {
"exec": {
"security": "full",
"ask": "off"
},
"web": {
"search": { "enabled": false }
},
...
}
}

⚠️ Do NOT put it under agents.defaults.exec — that location is ignored. It must be the top-level "tools" key.

File 2: ~/.openclaw/exec-approvals.json — create this file if it doesn't exist:
{
"version": 1,
"defaults": {
"security": "full",
"ask": "off"
}
}

Both layers must agree. The host-side exec-approvals.json acts as an upper bound and overrides the agent-side config.

After both files are updated:
openclaw gateway stop && openclaw gateway start

Test with any simple command (echo "test") — should run without approval prompt.

Tested with heartbeat agents and cron jobs — exec approval errors gone.

[vincentkoc]

Landing shortly in PR #58792. We expect this to be in the next release in the next few hours.

This issue is part of the broader exec confusion cleanup. A few reports were hard runtime regressions, but a lot of the fallout was also local policy/config mismatch after the approval changes. Where relevant here, conflicting or stale tools.exec and ~/.openclaw/exec-approvals.json settings were part of the problem, not just one runtime bug.

The PR improves the broken/unclear exec behavior, restores the main blocked paths, and adds better doctor/migration guidance for misconfiguration. Leaving this as Addresses rather than Fixes until people retest on the release build: #58792