[Bug]: WhatsApp text /approve cannot resolve exec approvals, while Telegram resolves the same ID

[balaji1968-kingler]

Bug type

Approval routing / channel command handling bug

Summary

In OpenClaw 2026.5.18, WhatsApp can trigger an exec approval and receive the approval prompt, but a manually typed WhatsApp /approve <id> allow-once fails with:

Failed to submit approval: unknown or expired approval id

The same pending approval ID can then be approved successfully from Telegram, and the original command resumes and completes. This suggests the approval object is still valid and globally pending, but the WhatsApp text-command approval path cannot see or resolve it.

Environment

• OpenClaw: 2026.5.18
• Runtime: Docker gateway container on Windows 11 / WSL2 host
• Agent: main
• Channels involved: WhatsApp direct chat and Telegram
• Approval config: approvals.exec.mode = "both"
• Codex plugin disabled

Reproduction

1. From WhatsApp direct chat, send an agent command that requires exec approval, for example:

Run: python3 /home/node/.openclaw/workspace/projects/health-fitness/scripts/health_raw_cleanup.py

Reply: DONE when the script completes.

2. WhatsApp receives an exec approval prompt. In this repro, WhatsApp delivered the same prompt twice.

3. Approve from WhatsApp using the short approval slug:

/approve d8f84298 allow-once

4. WhatsApp replies:

Failed to submit approval: unknown or expired approval id

5. Repeat with the full UUID:

/approve d8f84298-34a5-4c29-b3e5-458157c103ec allow-once

6. WhatsApp still fails with the same unknown or expired approval id error.

7. Approve the same pending ID from Telegram.

8. Telegram succeeds, and the exec command resumes and completes.

Expected behavior

A WhatsApp /approve <id> allow-once command from an authorized operator should resolve a pending exec approval created by a WhatsApp-originated turn, just as Telegram approval does.

Actual behavior

WhatsApp receives the approval prompt but cannot resolve the pending approval ID. Telegram can resolve the same ID afterward, proving the ID was not expired or consumed.

Sanitized log evidence

Relevant sequence from gateway logs, sanitized:

[whatsapp] Inbound message ... (run request)
[ws] res ✓ exec.approval.request
[whatsapp] Sending message ...
[whatsapp] Sending message ...              # duplicate approval prompt
[telegram] outbound send ok ...             # approval also delivered to Telegram

[whatsapp] Inbound message ... (/approve ...)
[ws] res ✗ exec.approval.resolve errorCode=INVALID_REQUEST errorMessage=unknown or expired approval id
[ws] res ✗ plugin.approval.resolve errorCode=INVALID_REQUEST errorMessage=unknown or expired approval id

[ws] res ✓ exec.approval.waitDecision ...
[telegram] outbound send ok ...
[ws] res ✓ exec.approval.resolve ...         # Telegram resolves same approval successfully
[agent/embedded] strict-agentic execution contract active: runId=exec-approval-followup:<same-approval-id>:...
DONE

No unauthorized or Ignoring /approve from unauthorized sender message was observed in this repro.

Additional observations

The forwarded WhatsApp approval prompt renders a broken generic instruction line:

Reply with: /approve  allow-once|allow-always|deny

The approval ID is shown elsewhere in the prompt, but the Reply with: line omits it. This looks like a separate rendering bug and may confuse manual approval, but it does not explain this repro because both short ID and full UUID were manually typed and still failed.

The duplicate WhatsApp prompt is also likely a separate delivery/dedup issue with mode = "both", where the originating WhatsApp session route and an explicit WhatsApp target are both delivered because their route tuples are not byte-identical.

Source-inspection hypothesis

Inspection of the source suggests the failure may be a visibility/client-path mismatch rather than parsing or authorization.

The generic text /approve path appears to be:

• src/auto-reply/reply/commands-approve.ts
• parseApproveCommand(...) parses /approve d8f84298 allow-once
• handleApproveCommand(...) calls exec.approval.resolve through plain callGateway
• the ID passed is parsed.id

By contrast, Telegram inline approval appears to use an operator approval-runtime client path:

• extensions/telegram/src/exec-approval-resolver.ts
• resolveApprovalOverGateway(...)
• uses approvalRuntimeToken / approval-runtime client visibility

Gateway approval visibility appears to check admin/operator approval-runtime visibility first, then falls back to record-specific device/connection/client identity. A generic WhatsApp text-command callGateway connection may pass sender authorization but still be unable to see a pending approval bound to another device/connection/client identity, causing the resolver to return unknown or expired approval id.

This would explain why:

• WhatsApp sender authorization does not show an auth error.
• WhatsApp resolver returns unknown or expired approval id.
• Telegram can resolve the same approval afterward.

Suggested fix direction

After the existing sender authorization checks pass in handleApproveCommand, generic text /approve resolution may need to use the same approval-runtime resolver path as Telegram inline approval, for example resolveApprovalOverGateway(...), instead of plain callGateway.

The important security constraint is that the approval-runtime resolver should only be used after the existing human/channel authorization checks have passed. The proposed change should be a transport/visibility fix, not an auth bypass.

Impact

WhatsApp can be used to trigger commands and receive approval prompts, but manual WhatsApp approval is not reliable. Operators must use Telegram as a workaround for approval resolution.

Not included

No phone numbers, chat IDs, group IDs, raw session JSONL, tokens, hostnames, or private runtime logs are included in this report.

[clawsweeper]

Thanks for the context here. I did a careful shell check against current main, and this is already implemented.

Current main now routes shared chat /approve submissions through the trusted approval-runtime resolver after the existing authorization and gateway-scope checks, which addresses the WhatsApp exec approval visibility failure reported here. The fix is merged on main but is not yet proven in a shipped tag.

I found the merged PR that appears to have closed this: #84678: fix(approval): route /approve through approval resolver.

So I’m closing this as already implemented rather than keeping a duplicate issue open.

Review details

Best possible solution:

Keep the merged shared approval-runtime resolver path for manual /approve; track duplicate-prompt or prompt-copy issues separately if they still reproduce on current main.

Do we have a high-confidence way to reproduce the issue?

No current-main failure reproduction was run. The 2026.5.18 reporter logs plus pre-fix source path establish the old failure, and current main shows that path has been replaced by the approval-runtime resolver.

Is this the best way to solve the issue?

Yes. Routing authorized shared /approve commands through resolveApprovalOverGateway is the narrow fix because it preserves existing channel authorization while using the same trusted approval-runtime visibility contract as native approval clients.

Security review:

Security review cleared: The current-main fix keeps approval-runtime resolution behind existing sender authorization and gateway approval-scope checks.

What I checked:

• Current shared approve path uses approval resolver: handleApproveCommand now calls resolveApprovalOverGateway for approved exec/plugin methods after sender authorization and operator.approvals/operator.admin gateway-scope checks. (src/auto-reply/reply/commands-approve.ts:193, 8284c035a096)
• WhatsApp command coverage asserts resolver routing: The focused command test builds a WhatsApp /approve abc allow-once command and asserts the shared handler calls the approval resolver for exec.approval.resolve. (src/auto-reply/reply/commands-approve.test.ts:489, 8284c035a096)
• Gateway approval-runtime visibility contract is covered: Gateway tests cover that internal.approvalRuntime clients with operator.approvals can resolve requester-bound approvals that ordinary approval-scoped clients cannot see. (src/gateway/server-methods/approval-shared.test.ts:1007, 8284c035a096)
• Fix provenance from blame: git blame shows commit b58572e283bce6ee947fc833f7aab1cf826953d8 introduced the resolver call in the shared /approve command path. (src/auto-reply/reply/commands-approve.ts:193, b58572e283bc)
• Merged related PR provenance: The related merged PR https://github.com/openclaw/openclaw/pull/84678 landed as fix(approval): route /approve through approval resolver at 2026-05-20T16:00:37-07:00. (b58572e283bc)
• Release provenance: git tag --contains b58572e283bce6ee947fc833f7aab1cf826953d8 produced no tags, and the available GitHub release check shows latest release v2026.5.19; the fix is current-main-only in this checkout. (b58572e283bc)

Likely related people:

• kevinslin: Authored the merged PR that changed shared /approve from the generic gateway path to the approval-runtime resolver. (role: fix implementer; confidence: high; commits: b58572e283bc; files: src/auto-reply/reply/commands-approve.ts, src/auto-reply/reply/commands-approve.test.ts, docs/tools/slash-commands.md)
• steipete: Current approval resolver and gateway visibility code in this checkout is largely attributed to recent approval infrastructure work. (role: recent approval infrastructure contributor; confidence: medium; commits: c8a953af9371, 4ea80632036c, 279e6453fc51; files: src/infra/approval-gateway-resolver.ts, src/gateway/server-methods/approval-shared.ts)
• pgondhi987: Recent history shows requester-metadata approval visibility and caller-context gateway scope work in the same approval boundary. (role: approval visibility contributor; confidence: medium; commits: 386d321634b3, 652f5f9b1087; files: src/gateway/server-methods/approval-shared.ts, src/gateway/operator-approvals-client.ts, src/auto-reply/reply/commands-approve.ts)
• gumadeiras: Worked on channel approval capability seams and native approval lifecycle assembly adjacent to shared approval routing. (role: channel approval seam contributor; confidence: medium; commits: c87c8e66bf7d, d78512b09d1d; files: src/auto-reply/reply/commands-approve.ts, src/infra/approval-gateway-resolver.ts, src/channels/plugins/types.adapters.ts)

Codex review notes: model gpt-5.5, reasoning high; reviewed against 8284c035a096; fix evidence: merged PR #84678, commit b58572e283bc, main fix timestamp 2026-05-20T16:00:37-07:00.