[Feature] Per-binary exec trust (path or hash) #65822

@smonett

Problem

The current exec trust model uses safeBinTrustedDirs — entire directories whose binaries are trusted. This is coarse: trusting /opt/homebrew/bin trusts every binary Homebrew installs, including potentially untrusted packages.

The alternative is creating individual wrapper scripts in a trusted directory that forward to the real binary. This works but creates maintenance overhead and breaks when binaries are updated or relocated.

Workaround

I maintain 7 pinned wrapper scripts in ~/.openclaw/bin/ (openclaw, python3, node, rg, memo, remindctl, gh) that forward to the real binaries. The bin directory is trusted instead of all of Homebrew.

Proposed Solution

Add per-binary trust by path:

{
  "exec": {
    "trustedBinaries": [
      "/opt/homebrew/bin/gh",
      "/opt/homebrew/bin/rg",
      "/opt/homebrew/bin/node"
    ]
  }
}

Or with optional hash verification for higher security:

{
  "exec": {
    "trustedBinaries": [
      { "path": "/opt/homebrew/bin/gh", "sha256": "abc123..." }
    ]
  }
}

Impact

Low. Quality-of-life improvement that reduces wrapper maintenance. More relevant for security-conscious deployments.

Environment

  • OpenClaw 2026.4.10 (npm, macOS)
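
One way the proposed check could behave, as an added example that is not from the issue author or OpenClaw's code base: only the two `trustedBinaries` entry shapes come from the proposal above, while `isTrustedBinary`, `sha256File` and `demo` are hypothetical names. It resolves symlinks before comparing, fails closed on missing files, and enforces a pinned hash when one is present.

```javascript
// Added example: hypothetical check for the proposed exec.trustedBinaries setting.
const fs = require("node:fs");
const os = require("node:os");
const path = require("node:path");
const crypto = require("node:crypto");

const sha256File = (file) =>
  crypto.createHash("sha256").update(fs.readFileSync(file)).digest("hex");

// Entries are either a path string or { path, sha256 }, as in the proposal.
function isTrustedBinary(candidate, trustedBinaries) {
  let real;
  try {
    real = fs.realpathSync(candidate); // follow symlinks to the file that would run
  } catch {
    return false; // missing or unreadable: fail closed
  }
  for (const entry of trustedBinaries) {
    const { path: trustedPath, sha256 } =
      typeof entry === "string" ? { path: entry } : entry;
    if (!path.isAbsolute(trustedPath)) continue; // relative entries depend on cwd
    let trustedReal;
    try {
      trustedReal = fs.realpathSync(trustedPath);
    } catch {
      continue;
    }
    if (trustedReal !== real) continue;
    // Path matched; a pinned hash must also match the current file contents.
    if (sha256 === undefined || sha256.toLowerCase() === sha256File(real)) return true;
  }
  return false;
}

// Constructed sample: a fake "gh" in a temp dir, not a real Homebrew install.
function demo() {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), "trust-demo-"));
  const gh = path.join(dir, "gh");
  const other = path.join(dir, "other");
  fs.writeFileSync(gh, "#!/bin/sh\necho gh v1\n");
  fs.writeFileSync(other, "#!/bin/sh\necho other\n");
  const config = [{ path: gh, sha256: sha256File(gh) }];
  const before = isTrustedBinary(gh, config);
  const sibling = isTrustedBinary(other, config); // same directory, not listed
  fs.writeFileSync(gh, "#!/bin/sh\necho gh v2\n"); // simulates an upgrade or tampering
  const afterChange = isTrustedBinary(gh, config);
  const pathOnly = isTrustedBinary(gh, [gh]);
  fs.rmSync(dir, { recursive: true, force: true });
  return { before, sibling, afterChange, pathOnly };
}
```

A pinned hash stops matching after every package upgrade, so hash entries need a re-pin step, while path-only entries keep trusting whatever file currently sits at that path. The check and the later exec are separate operations, so a file replaced between them is not covered by this function.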
