Isolated cron sessions ignore per-agent tools.exec policy (ask=off still prompts)

[sandieman2]

Bug Report

Version: 2026.4.5 (stable)
Platform: macOS (arm64), Darwin 25.4.0

Description

Isolated cron sessions are prompting for exec approval despite both the OpenClaw config and the local exec-approvals.json having security: "full" and ask: "off" configured for the agent.

The approval prompt message states "The effective approval policy requires approval every time, so Allow Always is unavailable" — which directly contradicts the configured effective policy.

Config (relevant parts)

openclaw.json — global exec policy:

"tools": {
  "exec": {
    "security": "full",
    "ask": "off"
  }
}

openclaw.json — per-agent override (partnerships agent):

{
  "id": "partnerships",
  "tools": {
    "exec": {
      "security": "full",
      "ask": "off"
    }
  }
}

~/.openclaw/exec-approvals.json — local approvals:

{
  "version": 1,
  "defaults": {
    "security": "full",
    "ask": "off",
    "askFallback": "full"
  },
  "agents": {
    "partnerships": {
      "security": "full",
      "ask": "off",
      "askFallback": "full"
    }
  }
}

Effective policy per openclaw approvals get

agent:partnerships  security=full  ask=off  (both requested and host agree)

Actual behavior

A cron job running as the partnerships agent in an isolated session triggered an exec approval prompt forwarded to WhatsApp. The prompt says:

Pending command:
cd ~/clawd && ./skills/mcp-direct/scripts/mcp-refresh.sh all && ...

The effective approval policy requires approval every time, so Allow Always is unavailable.

Host: gateway
CWD: /Users/clawd/.openclaw/workspace-partnerships

Expected behavior

With security=full and ask=off in both config layers, exec should run without prompting. This worked correctly in prior versions.

Steps to reproduce

1. Configure an agent with tools.exec.security: "full" and tools.exec.ask: "off"
2. Ensure ~/.openclaw/exec-approvals.json matches with ask: "off"
3. Create a cron job targeting that agent with sessionTarget: "isolated"
4. The cron job runs a shell command — approval prompt is triggered despite policy

Notes

• Interactive sessions for the same agent do NOT have this problem — only isolated cron sessions
• This started happening after updating to 2026.4.5 (did not occur on prior versions)
• The approval is forwarded to WhatsApp as a native approval client

[fyzycyst]

Can confirm this also happens with security settings set to 'Allowlist', with allowlisted commands in the cron triggering an approval request (which did not happen prior to 2026.04.05).

I have scrubbed both openclaw.json and exec-approvals.json to ensure agreement between the two.

My approval path runs via Discord.

[kesslerio]

Additional reproducible data point on current builds.

Observed on 2026.4.9-beta.1 with a live isolated cron job:

• Job id: 3f35796e-eb4e-414f-bf52-7732e3bdec98
• Job name: EOD Task Review
• Agent: niemand
• Schedule: 0 18 * * 1-5 (America/Los_Angeles)
• sessionTarget: "isolated"
• Delivery: Telegram -1003878985658:topic:5
• Live payload asks the agent to run:
  • bash /home/art/projects/lobster-workflows/scripts/task-mgmt/standup.sh

Run evidence from /home/art/.openclaw/cron/runs/3f35796e-eb4e-414f-bf52-7732e3bdec98.jsonl:

• runAtMs: 1776128400007
• sessionId: 12316d0d-c607-4a78-886c-37dd4a6cc271
• Result summary delivered by the cron:

Blocked on approval to run:

`bash /home/art/projects/lobster-workflows/scripts/task-mgmt/standup.sh`

Please send:
`/approve 9d86278f allow-once`

Then I’ll finish the grounded EOD summary.

The user then replied with:

/approve 9d86278f allow-always

And OpenClaw responded:

❌ Failed to submit approval: allow-always is unavailable because the effective policy requires approval every time

Why this looks like the same bug, not expected behavior:

• This is another sessionTarget: "isolated" cron case.
• The cron is asking for approval on a plain shell command that should not be forcing an every-time approval path in this setup.
• The runtime first suggests an approval flow, then rejects allow-always because it believes the effective policy is "approval every time".
• That mirrors the contradictory behavior already described in this issue.

So this is not limited to one specific job or wrapper. It also reproduces on the live EOD Task Review cron with a different command and destination.

[damzaru]

Additional reproducible data point from a WhatsApp heartbeat on current stable.

Observed on 2026.4.12 on Linux (6.8.0-106-generic, local gateway, npm global install) with:

"tools": {
  "exec": {
    "security": "full",
    "ask": "off"
  }
}

Relevant runtime state after the incident still resolves to:

• tools.exec.security = "full"
• tools.exec.ask = "off"
• heartbeat config includes "isolatedSession": true

What happened:

• A heartbeat session (agent:main:main:heartbeat) ran the normal Gmail / Calendar triage flow.
• Instead of inheriting the configured exec policy, the transcript shows the model emitted exec tool calls with explicit per-call overrides:
  • security: "allowlist"
  • ask: "on-miss"
• The gateway honored those stricter per-call values and returned approval prompts to WhatsApp.
• The heartbeat then surfaced raw approval commands to the user:

/approve 2bab4280 allow-once
/approve fc6f0ce6 allow-once

The affected commands were routine read-only heartbeat commands:

gog gmail messages search 'in:inbox is:unread newer_than:7d' --max 20 --json
gog calendar events primary --from '2026-04-14T10:14:00Z' --to '2026-04-15T10:14:00Z' --json

Transcript evidence from the heartbeat session shows the approval responses were generated with the stricter effective policy:

Approval required (id 2bab4280 ...)
Mode: foreground (interactive approvals available).
Reply with: /approve 2bab4280 allow-once|allow-always|deny

and the tool calls immediately before that included:

{
  "command": "gog gmail messages search 'in:inbox is:unread newer_than:7d' --max 20 --json",
  "security": "allowlist",
  "ask": "on-miss"
}

Why this seems relevant to this issue:

• This is another isolated-session async path (heartbeat, not interactive chat).
• The stable configured policy was full/off, but the isolated run still ended up on an approval path.
• In this case the transcript makes the mismatch visible: the isolated run is accepting or injecting stricter per-call exec policy instead of consistently applying the configured runtime policy.
• Prior heartbeat runs using the same workflow did not do this.

Impact:

• Approval spam leaked into the user-facing WhatsApp thread.
• Routine heartbeat automation became unreliable.
• The failure mode is nondeterministic because the same workflow had previously run without this approval detour.