Bug type
Regression / breaking change without migration path
Summary
After updating to 2026.4.1, exec commands fail with "allowlist miss" in existing single-operator setups. The security model silently changed from permissive to allowlist as the default, with no migration, no warning, and no clear way to opt out.
Setting tools.exec.ask = "off" has no effect because ask and security are orthogonal — ask=off only controls whether a prompt appears, but if security=allowlist and the allowlist is empty, exec is still blocked. This is not documented and not obvious.
The only working combination is security=full + ask=off in exec-approvals.json, but this file and its valid values are not documented anywhere in the config system.
Steps to reproduce
- Existing single-operator local gateway setup, exec was working before update
- Update to 2026.4.1
- Agent attempts any exec command
- Gets "allowlist miss" error — blocked
- Set tools.exec.ask = "off" — still blocked
- Set tools.exec.security = "none" — validation error, "none" is not valid
- Set exec-approvals.json defaults ask: "off", security: "none" — "none" silently invalid, falls back to allowlist, still blocked
- Only fix: manually set security: "full" in exec-approvals.json for both defaults and agents["*"]
Why this is bad
- tools.exec.ask and tools.exec.security are not clearly documented as separate axes
- exec-approvals.json is not documented — its location, format, and valid values are unknown to operators
- Valid values for security (deny, allowlist, full) are not exposed in openclaw config set help
- "none" is silently treated as invalid and falls back to allowlist instead of erroring
- Single-operator private setups have no reason to need an allowlist — there should be a clear operator or private mode that disables all approval friction
Time lost
2+ hours across exec approval popup issues and allowlist blocking. A working setup was completely locked down by the update with no recovery path visible to the user.
Environment
- Version: 2026.4.1
- Platform: macOS, single-user LaunchAgent gateway
- Agent: local operator, no untrusted input
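
An added example, not part of the original report and not OpenClaw's own code: a small audit of an exec-approvals.json document that surfaces invalid security values instead of letting them fall back silently, and shows the effective policy per scope. The file layout (top-level defaults and agents objects holding ask and security) and the fallback to allowlist are assumptions taken from the keys and behaviour described in the report.

```python
import json

# Values the report lists as valid for `security`.
VALID_SECURITY = {"deny", "allowlist", "full"}
# Behaviour described in the report: unset or unrecognised values end up as allowlist.
FALLBACK_SECURITY = "allowlist"


def audit_exec_approvals(doc):
    """Return one finding per scope: `defaults` and every agents[...] entry."""
    scopes = [("defaults", doc.get("defaults", {}))]
    scopes += [(f'agents["{name}"]', cfg) for name, cfg in doc.get("agents", {}).items()]
    findings = []
    for scope, cfg in scopes:
        raw = cfg.get("security")
        valid = raw in VALID_SECURITY
        if valid:
            note = None
        elif raw is None:
            note = f"security not set; default is {FALLBACK_SECURITY!r}"
        else:
            note = f"{raw!r} is not a valid security value; treated as {FALLBACK_SECURITY!r}"
        findings.append({
            "scope": scope,
            "security": raw,
            "valid": valid,
            "effective_security": raw if valid else FALLBACK_SECURITY,
            # `ask` is reported as-is: it only controls the prompt and is a
            # separate axis from `security`, so it is never used to relax it.
            "ask": cfg.get("ask"),
            "note": note,
        })
    return findings


# Constructed sample: `defaults` as in the reproduction steps, agents["*"] as in the fix.
SAMPLE = json.loads("""
{
  "defaults": {"ask": "off", "security": "none"},
  "agents": {"*": {"ask": "off", "security": "full"}}
}
""")

if __name__ == "__main__":
    for finding in audit_exec_approvals(SAMPLE):
        print(finding)
```
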