fix(exec-approvals): fs.renameSync EPERM on Windows blocks all exec calls

[MilleniumGenAI]

Summary

On Windows, every exec call fails with EPERM because writeExecApprovalsRaw in src/infra/exec-approvals.ts uses fs.renameSync(tempPath, targetPath) to atomically replace exec-approvals.json. On Windows, MoveFileExW with MOVEFILE_REPLACE_EXISTING requires DELETE permission on the target file, which fails when any handle (antivirus, search indexer, or transient gateway handle) is open on the target.

Reproduction

1. Install OpenClaw on Windows (tested on 2026.5.2, 2026.5.3-1, 2026.5.4, Windows 10.0.26200, Node 24.13.1)
2. Start the gateway
3. Any exec call produces:

EPERM: operation not permitted, rename 'C:\Users\<user>\.openclaw\.exec-approvals.<PID>.<uuid>.tmp' -> 'C:\Users\<user>\.openclaw\exec-approvals.json'

Root cause

The atomic write pattern (temp + renameSync) added as fix for #54296 is incompatible with Windows. The gateway process holds a transient handle on exec-approvals.json (read during the same exec flow), and renameSync on Windows can't overwrite a file with open handles.

Impact

• ALL exec calls fail — the approval mechanism itself is the gate that fails
• gh CLI, shell commands, sub-agents that use exec — all broken
• Only workaround is direct writeFileSync to the target file (bypassing temp+rename)
• Reproduced across multiple full gateway restarts and OpenClaw updates

Proposed fix

Add a Windows EPERM fallback in writeExecApprovalsRaw:

function writeExecApprovalsRaw(filePath: string, raw: string) {
  // ... setup unchanged ...
  try {
    fs.writeFileSync(tempPath, raw, { mode: 0o600, flag: "wx" });
    tempWritten = true;
    // Windows: renameSync fails with EPERM when target has open handles
    try {
      fs.renameSync(tempPath, filePath);
    } catch (err) {
      if ((err as NodeJS.ErrnoException).code === "EPERM") {
        fs.copyFileSync(tempPath, filePath);
        fs.unlinkSync(tempPath);
      } else {
        throw err;
      }
    }
  } finally {
    // ... cleanup unchanged ...
  }
}

Environment

• OS: Windows 10.0.26200 (x64)
• Node: v24.13.1
• OpenClaw: 2026.5.4 (also reproduced on 2026.5.2, 2026.5.3-1)
• Related: Bug: Non-atomic write of exec-approvals file + unbounded transcript readFileSync #54296 (originally requested atomic write, which introduced this regression on Windows)

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve.

Summary
Keep open: current main still writes exec-approvals.json through an unguarded temp-file rename, and the gateway exec approval path reaches that writer before command execution. Existing JSON writers already carry Windows rename fallbacks, so this is a narrow valid bug rather than stale cleanup.

Reproducibility: no. live high-confidence Windows reproduction was run in this read-only pass. Source inspection gives a clear current-main path from gateway exec approval resolution to the unguarded fs.renameSync writer.

Next step
Safe repair candidate: the affected writer, call path, related prior report, likely tests, and existing fallback pattern are all clear, with no product decision needed.

Security
Cleared: No patch security review applies; the current failure is fail-closed, but the repair touches security-sensitive approvals storage and must retain file-safety safeguards.

Review details

Best possible solution:

Patch writeExecApprovalsRaw with a Windows EPERM/EEXIST fallback aligned with existing JSON writers, add regression coverage, preserve exec approvals file-safety guarantees, and add a changelog fix entry.

Do we have a high-confidence way to reproduce the issue?

No live high-confidence Windows reproduction was run in this read-only pass. Source inspection gives a clear current-main path from gateway exec approval resolution to the unguarded fs.renameSync writer.

Is this the best way to solve the issue?

Yes, with a guard: the narrow maintainable fix is in the exec approvals writer, not in exec policy or approval routing. It should mirror the existing JSON fallback while preserving destination validation and secure file mode.

Acceptance criteria:

• pnpm test src/infra/exec-approvals-store.test.ts
• pnpm test src/agents/bash-tools.exec-host-gateway.test.ts
• pnpm exec oxfmt --check --threads=1 src/infra/exec-approvals.ts src/infra/exec-approvals-store.test.ts CHANGELOG.md
• pnpm check:changed

What I checked:

• Current writer still uses bare rename: saveExecApprovals serializes the approvals file and writeExecApprovalsRaw writes a temp file, then calls fs.renameSync(tempPath, filePath) without an EPERM/EEXIST fallback. (src/infra/exec-approvals.ts:522, 7c13004883f6)
• Gateway exec path resolves approvals before running: processGatewayAllowlist calls resolveExecHostApprovalContext, which calls resolveExecApprovals; that path calls ensureExecApprovals and can save the approvals file before continuing. (src/agents/bash-tools.exec-host-shared.ts:199, 7c13004883f6)
• Existing Windows fallback pattern exists elsewhere: The generic JSON file writer already treats rename EPERM/EEXIST as a Windows overwrite fallback and copies the temp file over the target. (src/infra/json-file.ts:79, 7c13004883f6)
• Exec approvals tests cover atomic replacement but not EPERM fallback: Store tests assert normal atomic replacement and symlink refusal, while rg found no EPERM fallback test in exec-approvals tests. (src/infra/exec-approvals-store.test.ts:161, 7c13004883f6)
• Related prior report explains the regression source: The issue body links Bug: Non-atomic write of exec-approvals file + unbounded transcript readFileSync #54296 as the earlier atomic-write request; current source matches that atomic temp+rename implementation and still lacks the Windows fallback reported here.

Likely related people:

• Vincent Koc: git blame attributes the current exec-approvals writer, the gateway approval path, and the existing JSON rename-fallback helpers to the same recent commit. (role: introduced behavior; confidence: high; commits: a17d4371d101; files: src/infra/exec-approvals.ts, src/agents/bash-tools.exec-host-shared.ts, src/infra/json-file.ts)
• Peter Steinberger: Local history shows repeated recent maintenance and release work touching src/infra/exec-approvals.ts; the exact failing writer is not blamed to this person. (role: recent maintainer; confidence: low; commits: 325df3efefe9, 4862d349257a; files: src/infra/exec-approvals.ts)

Remaining risk / open question:

• No live Windows gateway reproduction was run in this read-only review.
• The repair must preserve exec-approvals destination safety, permissions, and the existing hard-link/symlink expectations while adding the fallback.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 7c13004883f6.