Exec approvals: unify effective policy reporting and actions

[gumadeiras]

Summary

• add a shared effective exec-approval snapshot used by CLI, doctor, and approval UX
• make openclaw approvals get report real runtime-effective policy, including combined node host approvals + gateway tools.exec when gateway config is available
• align approval copy and action buttons with actual allowed decisions across /approve, reply payloads, Discord, Slack, and Telegram
• fix policy-reporting edge cases around inherited global tools.exec, askFallback attribution, wildcard/default-agent scopes, and config-unavailable fallback handling
• update docs and changelog to match the new approval-policy behavior

Testing

• pnpm test -- src/infra/exec-approvals-policy.test.ts src/cli/exec-approvals-cli.test.ts src/commands/doctor-security.test.ts
• pnpm test -- src/infra/exec-approval-reply.test.ts src/gateway/server-methods/server-methods.test.ts
• pnpm test -- extensions/discord/src/monitor/exec-approvals.test.ts
• pnpm test -- extensions/slack/src/monitor/exec-approvals.test.ts
• pnpm build
• pnpm check

[greptile-apps]

Greptile Summary

This PR aligns exec approval UX with the host-effective ask policy by propagating allowedDecisions through the entire approval pipeline — from host resolution in bash-tools.exec-host-gateway/node.ts, through the tool result shape (ExecToolDetails), forwarder messages, reply payloads, interactive buttons, and the Telegram extension. When a host sets ask=always, allow-always is filtered from all surfaces (message text, buttons, channelData, Telegram keyboards), and the gateway server method now enforces the same restriction at resolution time. The PR also introduces a new shared module (exec-approvals-effective.ts) that replaces the inline resolveHostExecPolicy helper previously duplicated in doctor-security.ts, and surfaces effective-policy breakdowns in openclaw approvals get and openclaw doctor.

Key changes:

• New resolveExecApprovalAllowedDecisions / isExecApprovalDecisionAllowed helpers gate allow-always when ask=always
• New exec-approvals-effective.ts module centralises requested ↔ host ↔ effective policy summaries with correct wildcard agents.* source attribution
• buildExecApprovalPendingReplyPayload and buildApprovalPendingMessage now derive the displayed decision list from allowedDecisions, not hardcoded strings
• openclaw approvals get (local + gateway) renders an effective-policy table and includes it in --json output
• /approve usage error text now points users to the pending-approval message rather than hardcoding allow-once|allow-always|deny
• Telegram handler and forwarding module pass allowedDecisions through correctly

Issues found:

• formatHostSource in exec-approvals-effective.ts is a no-op wrapper over resolveHostFieldSource — it can be removed
• The new allow-always guard in the gateway resolve handler is skipped when the approval snapshot is null; a missing-ID attempt with a disallowed decision silently falls through to the generic "not resolved" error rather than the policy-specific one

Confidence Score: 4/5

• Safe to merge — all enforcement paths are covered, tests validate the key scenarios, and no regressions were found in the approval pipeline.
• The change is well-scoped and thoroughly tested: new unit tests cover wildcard source attribution, ask=always filtering across message text, buttons, channelData, Telegram, the gateway resolver, and the CLI JSON output. The shared exec-approvals-effective.ts module correctly replaces two independent implementations. The only actionable findings are a redundant private helper (style) and a minor edge case in the gateway validation guard (won't cause incorrect approvals, just a slightly less-precise error response for a stale ID).
• src/infra/exec-approvals-effective.ts (redundant wrapper), src/gateway/server-methods/exec-approval.ts (guard skipped on null snapshot)

Prompt To Fix All With AI

This is a comment left during a code review.
Path: src/infra/exec-approvals-effective.ts
Line: 110-115

Comment:
**Redundant wrapper function**

`formatHostSource` is a pass-through to `resolveHostFieldSource` with no added formatting logic. All three call sites could invoke `resolveHostFieldSource` directly, removing this layer of indirection.

```suggestion
```

Replace all three `formatHostSource(...)` calls with `resolveHostFieldSource(...)` and remove this function entirely.

How can I resolve this? If you propose a fix, please make it concise.

---

This is a comment left during a code review.
Path: src/gateway/server-methods/exec-approval.ts
Line: 328-344

Comment:
**Server-side `allow-always` guard only runs when snapshot is present**

The `isExecApprovalDecisionAllowed` check is wrapped in `if (snapshot && ...)`. When `snapshot` is `null` (i.e., the approval ID isn't found), the guard is skipped and `manager.resolve` is called with an unknown ID, which will return `false`. The overall outcome is the same — the resolve fails — but an `allow-always` attempt on a missing ID won't produce the specific policy-rejection error. This is a pre-existing limitation of the ID-not-found path, but worth noting in case a distinct error response is expected for stale IDs with disallowed decisions.

How can I resolve this? If you propose a fix, please make it concise.

_{Reviews (1): Last reviewed commit: "exec: align approval UX with host policy" | Re-trigger Greptile}

[Copilot]

Pull request overview

This PR aligns exec-approval UX (reply text/buttons, forwarded fallback text, /approve parsing guidance) with the effective ask policy, and adds shared effective-policy reporting for openclaw approvals get and doctor.

Changes:

• Add resolveExecApprovalAllowedDecisions() and thread allowed decisions through exec approval messaging, buttons, and validation (hiding “allow always” when ask=always).
• Introduce shared effective-policy summarization (resolveExecPolicyScopeSummary) and surface it in openclaw approvals get + doctor (including correct wildcard agents.* source attribution).
• Update /approve usage text, agent system prompt guidance, and docs to match runtime behavior.

Reviewed changes

Copilot reviewed 31 out of 31 changed files in this pull request and generated 3 comments.

Show a summary per file

File	Description
src/plugin-sdk/approval-runtime.ts	Re-export allowed-decision helper for plugin/extension consumers.
src/infra/exec-approvals.ts	Add allowed-decision resolution + decision-allowed predicate for runtime validation.
src/infra/exec-approvals-policy.test.ts	Add tests covering effective-policy explanation and wildcard attribution.
src/infra/exec-approvals-effective.ts	New shared “requested/host/effective” exec policy summarization utilities.
src/infra/exec-approval-reply.ts	Render pending approval replies/buttons based on allowed decisions; adjust copy.
src/infra/exec-approval-reply.test.ts	Verify “allow always” is omitted when ask=always.
src/infra/exec-approval-forwarder.ts	Forwarded fallback text now reflects allowed decisions and updated background-mode note.
src/infra/exec-approval-forwarder.test.ts	Test forwarded text excludes allow-always when ask=always.
src/gateway/server-methods/server-methods.test.ts	Add handler test ensuring allow-always is rejected when ask=always.
src/gateway/server-methods/exec-approval.ts	Enforce decision availability server-side via isExecApprovalDecisionAllowed.
src/commands/doctor-security.ts	Switch to shared effective-policy summary for conflict warnings.
src/commands/doctor-security.test.ts	Ensure wildcard agent policy sources appear in warnings.
src/cli/exec-approvals-cli.ts	Add effective-policy reporting to approvals get (table + JSON).
src/cli/exec-approvals-cli.test.ts	Update mocks/assertions for config fetching + effectivePolicy JSON output.
src/auto-reply/reply/commands-approve.ts	Update /approve usage text to avoid hard-coded decision list.
src/agents/system-prompt.ts	Remove hard-coded decision list from exec approval guidance.
src/agents/system-prompt.test.ts	Assert prompt no longer includes `allow-once
src/agents/pi-embedded-subscribe.handlers.tools.ts	Preserve/validate allowedDecisions from tool details into reply payload.
src/agents/pi-embedded-subscribe.handlers.tools.test.ts	Test filtered allowed decisions are preserved (no allow-always).
src/agents/bash-tools.exec.approval-id.test.ts	Update expectations to support dynamic decision lists and new notes.
src/agents/bash-tools.exec-types.ts	Extend exec tool details to optionally include allowedDecisions.
src/agents/bash-tools.exec-runtime.ts	Render pending approval message based on allowed decisions; adjust background note.
src/agents/bash-tools.exec-host-shared.ts	Include allowedDecisions in pending tool result/details.
src/agents/bash-tools.exec-host-node.ts	Populate allowedDecisions from effective ask on node host.
src/agents/bash-tools.exec-host-gateway.ts	Populate allowedDecisions from effective ask on gateway host.
extensions/telegram/src/exec-approvals-handler.ts	Hide allow-always actions in Telegram approvals when ask=always.
extensions/telegram/src/exec-approvals-handler.test.ts	Test Telegram UI omits allow-always when ask=always.
extensions/telegram/src/exec-approval-forwarding.ts	Include allowedDecisions when building Telegram pending payload.
docs/tools/slash-commands.md	Update /approve docs to reference “see pending message for decisions”.
docs/tools/exec-approvals.md	Document using openclaw approvals get to inspect effective policy.
docs/cli/approvals.md	Document new effective-policy section and precedence rules in CLI output.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: b6a4e4ea3c

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: e53db04284

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 047567a871

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 5ac3113e03

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[gumadeiras]

Merged via squash.

• Prepared head SHA: d579b97a93b720876048c85fe6fed2a51d5893ef
• Merge commit: ba735d015809f1732eae13cf2c9f838c5d3def1f

Thanks @gumadeiras!

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: d579b97a93

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".