[Bug]: exec-approvals.json not honored after gateway restart — isolated cron sessions still prompt

[drkyleahuggins]

Bug type

Regression (worked before, now fails)

Beta release blocker

No

Summary

After editing ~/.openclaw/exec-approvals.json to set security: full and ask: off at both the defaults level and per-agent level (main and *), isolated cron sessions still prompt for exec approval after gateway restarts. The running gateway appears to hold stale exec policy state that doesn't match the file on disk.

Steps to reproduce

1. Edit ~/.openclaw/exec-approvals.json:
   • Set defaults.security to "full"
   • Set defaults.ask to "off"
   • Set agents.main.security to "full"
   • Set agents.main.ask to "off"
   • Set agents.*.security to "full"
   • Set agents.*.ask to "off"
2. Restart gateway (openclaw gateway restart)
3. Trigger an isolated cron job that uses exec (e.g., a cron with sessionTarget: isolated)
4. The cron session's exec approval prompt shows Security: allowlist instead of full

Expected behavior

After gateway restart, all sessions (including isolated cron sessions) should read exec policy from exec-approvals.json and honor security: full / ask: off.

1. Gateway restart should re-read exec-approvals.json and apply settings to ALL session types, including isolated cron sessions
2. Consider supporting an exec.defaults key in openclaw.json for persistent config that survives updates
3. If security: full is set, heredoc execution should also be allowed without prompting

Actual behavior

• The main session (webchat) partially works — simple commands pass but heredocs still prompt regardless of security: full
• Isolated cron sessions show Security: allowlist in the approval prompt UI, ignoring the file on disk entirely
• The only workaround is clicking "Always allow" on each approval prompt manually

OpenClaw version

OpenClaw version: v2026.3.31

Operating system

OS: macOS 15 (arm64), Mac Studio M3 Ultra

Install method

npm global

Model

Anthropic/claude-opus-4.6

Provider / routing chain

openclaw

Additional provider/model setup details

No response

Logs, screenshots, and evidence

1. Gateway restart should re-read `exec-approvals.json` and apply settings to ALL session types, including isolated cron sessions
2. Consider supporting an `exec.defaults` key in `openclaw.json` for persistent config that survives updates
3. If `security: full` is set, heredoc execution should also be allowed without prompting

Impact and severity

Affected users/systems/channels: Any OpenClaw deployment running cron-based automation with exec commands. Specifically affects isolated cron sessions (the primary mechanism for overnight builds, content pipelines, and monitoring scripts). Gateway host exec in the main session is also partially affected (heredocs always prompt). All channels that depend on cron output are downstream casualties (Telegram notifications, content publishing, build pipelines).

Severity: Blocks workflow. Cron jobs that require exec stall silently overnight waiting for approval prompts that no human is awake to click. Builds don't ship, content doesn't generate, monitoring doesn't run. The operator has to manually re-run everything the next morning after discovering the failure. In our case, this has consumed 7+ hours of debugging across three incidents (March 17, March 31, April 1) and repeatedly broken a 20+ job overnight automation fleet.

Frequency: Always, after every gateway restart or OpenClaw update. The exec-approvals.json file on disk is consistently ignored by isolated cron sessions. The issue has reproduced on three separate OpenClaw versions (v2026.3.17, v2026.3.28, v2026.3.31). It is not intermittent — it is 100% reproducible.

Consequence: Failed overnight builds (Nemo/Nemotron build pipeline stalls), missed content generation (blog posts, social media, SEO pipelines don't fire), silent monitoring gaps (cloudflared health checks, security audits don't execute), and significant operator time spent diagnosing and re-applying the same fix after every update. There is currently no permanent fix — the only workaround is manually clicking "Always allow" on each prompt after every restart, which defeats the purpose of unattended automation.

Additional information

• This has been a recurring issue across multiple updates (first hit on v2026.3.17, again on v2026.3.28, and now v2026.3.31)
• Each OpenClaw update appears to reset or re-initialize exec state independent of the approvals JSON file
• Adding an exec key to openclaw.json (the gateway config) was rejected with Unrecognized key: "exec" — so there's no persistent config-level way to set this
• Heredoc execution (python3 << 'EOF') always prompts regardless of any setting, including security: full — this appears to be hardcoded in the gateway binary from the Feb 2026 security hardening commit (2b63592)

[martingarramon]

The exec policy for isolated cron sessions likely diverges because isolated sessions don't inherit the gateway's hot-reloaded config — they fork from the snapshot at spawn time. If the gateway caches exec-approvals.json at startup and only re-reads it for the parent session context (not for isolated session factories), a restart would still serve stale policy to cron-spawned isolates.

Worth checking whether createIsolatedSession (or its equivalent for cron) reads exec policy from the file directly or inherits it from the gateway's in-memory config. If the latter, the restart may reload the gateway config but the isolated session factory may have its own cached copy.

[drkyleahuggins]

This matches our experience exactly. The exec-approvals.json defaults are set correctly (security: full, ask: off at both defaults and agents.main levels), and the gateway restart does seem to pick it up for the main session. But isolated cron sessions consistently show Security: allowlist in the approval prompt, as if they're inheriting from a cached snapshot rather than the live file. We've hit this across v2026.3.17, v2026.3.28, and v2026.3.31 — every update resets the stale in-memory state. martingarramon's diagnosis about spawn-time inheritance is consistent with what we're seeing.

[GMTekAI]

I checked this against the current tree and the neighboring reports, and #59224 still looks like the best anchor for the exec-approval regression cluster.

What current code already explains:

• The approval flow is now shared across the host exec paths in src/agents/bash-tools.exec-host-gateway.ts, src/agents/bash-tools.exec-host-shared.ts, and src/gateway/server-methods/exec-approval.ts, which makes it less likely that each issue in this cluster is a separate root cause.
• The unknown or expired approval id behavior is also deterministic and already covered in src/gateway/server-methods/server-methods.test.ts, so reports centered on that message should likely be clustered under this broader approval-state problem rather than treated as independent regressions.
• Nearby work like #59367 appears to improve attribution and diagnostics, not approval enforcement semantics.

What still looks unresolved:

• The strongest remaining hypothesis is that isolated cron or restarted-session execution is consuming a stale or divergent exec-approval context compared with the main interactive path.
• That makes #59224 a better anchor than neighboring issues that mix in approval-ID churn, heredoc prompts, or channel-specific symptoms.

Smallest useful maintainer next step:

1. Cluster duplicate symptom reports under #59224 unless they show a distinct non-isolated repro.
2. Reproduce one minimal isolated or restarted case on current main with exec-approvals.json defaults set to security: "full" and ask: "off".
3. Compare the effective approval context between the normal interactive path and the isolated or restarted path at the point the shared exec-approval code consumes it.