Fail closed on exec approval timeout

[drobison00]

Summary

• Problem: Unanswered exec approval requests used the built-in fallback that treated timeout silence as approval.
• Why it matters: Operators who enable approval gating expect commands to require a human decision instead of eventually running after no response.
• What changed: The default exec approval ask fallback now denies on timeout, and focused unit tests assert the new effective policy and decision behavior.
• What did NOT change (scope boundary): Explicit configurations that set a different fallback are still parsed through the existing policy machinery; no workflow, CI, release, or automation files changed.

Change Type (select all)

• Bug fix
• Feature
• Refactor required for the fix
• Docs
• Security hardening
• Chore/infra

Scope (select all touched areas)

• Gateway / orchestration
• Skills / tool execution
• Auth / tokens
• Memory / storage
• Integrations
• API / contracts
• UI / DX
• CI/CD / infra

Linked Issue/PR

• Closes #
• Related Changelog: drop self-thanks #691
• This PR fixes a bug or regression

Root Cause (if applicable)

• Root cause: The built-in exec approval ask fallback was full, so a missing approval decision after timeout resolved as approved instead of denied.
• Missing detection / guardrail: The effective policy test expected the permissive built-in default, and there was no direct shared-decision test locking in fail-closed timeout behavior for the default path.
• Contributing context (if known): The timeout resolver already supports fail-closed behavior when askFallback is deny; the default selected the permissive branch.

Regression Test Plan (if applicable)

• Coverage level that should have caught this:
  • Unit test
  • Seam / integration test
  • End-to-end test
  • Existing coverage already sufficient
• Target test or file: src/agents/bash-tools.exec-host-shared.test.ts, src/infra/exec-approvals-policy.test.ts
• Scenario the test should lock in: An omitted approval fallback reports the OpenClaw default as deny, and a null approval decision with fail-closed fallback returns approval-timeout without approval.
• Why this is the smallest reliable guardrail: The bug is selected by the shared default and shared decision helper, so unit coverage at those two points catches both policy reporting and execution-path decision semantics.
• Existing test that already covers this (if any): Gateway and node approval suites already cover explicit fallback handling and were rerun after the default change.
• If no new test is added, why not: N/A.

User-visible / Behavior Changes

Unanswered exec approval requests now deny by default after the configured approval timeout. Operators who intentionally want timeout auto-approval must configure that fallback explicitly.

Diagram (if applicable)

Before:
[approval request] -> [no human decision before timeout] -> [default fallback full] -> [command approved]

After:
[approval request] -> [no human decision before timeout] -> [default fallback deny] -> [command denied]

Security Impact (required)

• New permissions/capabilities? No
• Secrets/tokens handling changed? No
• New/changed network calls? No
• Command/tool execution surface changed? Yes
• Data access scope changed? No
• If any Yes, explain risk + mitigation: Command execution approval timeout behavior now fails closed by default, reducing unattended execution risk. Explicit fallback configuration remains available for operators who deliberately choose it.

Repro + Verification

Environment

• OS: Linux 6.8.0-117-generic x86_64
• Runtime/container: Node v22.14.0, pnpm 11.2.2; repo warns that Node >=22.19.0 is preferred
• Model/provider: N/A
• Integration/channel (if any): N/A
• Relevant config (redacted): Default exec approval policy with omitted askFallback

Steps

1. Inspect the built-in exec approval fallback in src/infra/exec-approvals.ts.
2. Resolve the effective exec approval policy with an approvals file that omits askFallback.
3. Resolve a base exec approval decision with decision: null and fail-closed fallback.
4. Run the focused shared, policy, gateway, and node approval test suites.

Expected

• The omitted fallback resolves to deny from the OpenClaw default.
• A timed-out, unanswered approval resolves to approvedByAsk: false with approval-timeout.
• Gateway and node approval tests still pass.

Actual

• Matches expected behavior after the fix.

Evidence

• Failing test/log before + passing after
• Trace/log snippets
• Screenshot/recording
• Perf numbers (if relevant)

Targeted validation passed:

pnpm test src/agents/bash-tools.exec-host-shared.test.ts src/infra/exec-approvals-policy.test.ts
Test Files 2 passed; Tests 84 passed

pnpm test src/agents/bash-tools.exec-host-gateway.test.ts src/agents/bash-tools.exec-host-node.test.ts
Test Files 2 passed; Tests 64 passed

Human Verification (required)

What you personally verified (not just CI), and how:

• Verified scenarios: Default fallback constant is deny; policy summary reports OpenClaw default (deny); shared timeout decision denies with approval-timeout; gateway/node approval suites pass.
• Edge cases checked: Existing explicit fallback handling remains covered by the focused gateway/node suites.
• What you did not verify: Full repository test suite; runtime manual approval UI flow.

Review Conversations

• I replied to or resolved every bot review conversation I addressed in this PR.
• I left unresolved only the conversations that still need reviewer or maintainer judgment.

If a bot review conversation is addressed by this PR, resolve that conversation yourself. Do not leave bot review conversation cleanup for maintainers.

Compatibility / Migration

• Backward compatible? No for deployments that depended on silent timeout auto-approval without explicitly configuring it; yes for operators who already configured their desired fallback.
• Config/env changes? No
• Migration needed? Yes
• If yes, exact upgrade steps: Operators who deliberately want timeout auto-approval should set askFallback explicitly in their exec approvals policy.

Risks and Mitigations

• Risk: Unattended workflows that implicitly relied on timeout approval may now stop at approval timeout.
  • Mitigation: The safer default matches approval-gating intent; operators can explicitly configure a permissive fallback if they accept that behavior.

[clawsweeper]

Codex review: needs maintainer review before merge. Reviewed June 10, 2026, 11:59 AM ET / 15:59 UTC.

Summary
The PR changes the omitted exec-approval timeout fallback from full to deny, updates effective-policy assertions, adds timeout-decision coverage, and documents explicit permissive configuration for unattended hosts.

PR surface: Source 0, Tests +14, Docs +5. Total +19 across 6 files.

Reproducibility: yes. Current main has a high-confidence source path: omitted askFallback resolves to full, and a null approval decision with that fallback returns timeout approval; this review did not execute a live 30-minute approval flow.

Review metrics: 1 noteworthy metric.

• Config/default surfaces: 1 default changed, 0 options added, 0 migrations added. The existing askFallback option remains available, but omission changes meaning for upgrades without a machine-applied migration.

Merge readiness
Overall: 🐚 platinum hermit
Proof: 🐚 platinum hermit
Patch quality: 🐚 platinum hermit
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

• Obtain owner approval that the shipped omitted fallback may change and that documentation-only upgrade guidance is sufficient.

Risk before merge

• [P2] Existing installations that omit askFallback can change from timeout auto-approval to approval-timeout denial after upgrade, stopping unattended or no-UI exec workflows until operators explicitly configure full.
• [P1] The docs explain the required explicit setting, but the PR provides no automatic migration because omission itself currently encodes the shipped permissive behavior; maintainers must decide whether documentation-only upgrade guidance is sufficient.

Maintainer options:

1. Approve fail-closed as an intentional breaking default (recommended)
   Land the coherent patch only after an owner explicitly accepts that previously unattended omitted-config workflows may stop and confirms the documentation is the intended upgrade path.
2. Preserve the shipped omitted behavior
   Keep full as the omitted fallback and use the existing explicit policy and cautious preset paths for operators who want timeout denial.

Next step before merge

• [P1] The next action is explicit approval from the exec-approval owners on whether to accept the shipped-default compatibility break; no narrow automated repair remains.

Security
Cleared: The diff reduces unattended command-execution authority and introduces no new dependency, secret, permission, download, workflow, or supply-chain surface.

Review details

Best possible solution:

Adopt one explicit permanent policy: either approve the fail-closed omitted default with prominent upgrade guidance and deliberate compatibility ownership, or preserve the shipped omitted behavior and require security-conscious operators and presets to select askFallback: "deny" explicitly.

Do we have a high-confidence way to reproduce the issue?

Yes. Current main has a high-confidence source path: omitted askFallback resolves to full, and a null approval decision with that fallback returns timeout approval; this review did not execute a live 30-minute approval flow.

Is this the best way to solve the issue?

Unclear pending product judgment. The implementation is the narrowest code change for a fail-closed default, but changing an established shipped default is not automatically the best upgrade policy merely because it is safer.

AGENTS.md: found and applied where relevant.

Codex review notes: reasoning high; reviewed against e24c3df27d28.

Label changes

Label changes:

• add rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🐚 platinum hermit and patch quality is 🐚 platinum hermit.
• add status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Override: A maintainer applied proof: override for this PR.
• remove rating: 🧂 unranked krab: Current PR rating is rating: 🐚 platinum hermit, so this older rating label is no longer current.
• remove status: ⏳ waiting on author: Current PR status label is status: 👀 ready for maintainer look.

Label justifications:

• P2: This is meaningful command-execution security hardening with limited scope, but it is not an active core outage or demonstrated urgent regression.
• merge-risk: 🚨 compatibility: Merging changes a shipped omitted-config default and can halt existing unattended exec workflows after upgrade.
• rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🐚 platinum hermit and patch quality is 🐚 platinum hermit.
• status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Override: A maintainer applied proof: override for this PR.

Evidence reviewed

PR surface:

Source 0, Tests +14, Docs +5. Total +19 across 6 files.

View PR surface stats

Area	Files	Added	Removed	Net
Source	1	1	1	0
Tests	3	20	6	+14
Docs	2	10	5	+5
Config	0	0	0	0
Generated	0	0	0	0
Other	0	0	0	0
Total	6	31	12	+19

What I checked:

• Current-main behavior: Current main resolves an omitted askFallback through DEFAULT_EXEC_APPROVAL_ASK_FALLBACK = "full", and the shared decision helper treats a null decision with full fallback as approved after timeout. (src/infra/exec-approvals.ts:285, e24c3df27d28)
• Complete patch alignment: The current PR head changes the single runtime default and consistently updates CLI reporting, policy tests, shared timeout coverage, and both public approval docs; no unresolved line-level correctness defect remains in the reviewed diff. (src/infra/exec-approvals.ts:285, a9df494150b7)
• Shipped compatibility provenance: The permissive default was introduced with the exec-approval effective-policy unification and is present in release tags beginning with v2026.4.2, including latest release v2026.6.5; this is therefore an upgrade-sensitive default change, not correction of an unreleased typo. (src/infra/exec-approvals.ts:285, ba735d015809)
• Existing explicit policy path: OpenClaw already supports explicit deny, allowlist, and full fallback values, and the yolo and cautious presets write explicit choices, so the unresolved question is the permanent omitted-value policy rather than a missing configuration mechanism. (src/cli/exec-policy-cli.ts:35, e24c3df27d28)
• Repository policy application: The full root and scoped policies were applied: fallback and default changes that can stop existing workflows require compatibility and upgrade review, while docs must state the operator-facing behavior. (AGENTS.md:61, e24c3df27d28)

Likely related people:

• @gumadeiras: Introduced the current effective-policy reporting and permissive omitted fallback in the merged exec approvals unification work, making this the strongest history signal for the default contract. (role: feature owner; confidence: high; commits: ba735d015809; files: src/infra/exec-approvals.ts, src/infra/exec-approvals-policy.test.ts, src/cli/exec-approvals-cli.ts)
• Vincent Koc: Recent main history carries the current approval implementation and related release state, so this person is a secondary routing candidate for current-tree context; the historical ownership signal is weaker than the unification author. (role: recent area contributor; confidence: low; commits: 5181e4f7c82b; files: src/infra/exec-approvals.ts, src/agents/bash-tools.exec-host-shared.ts)

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.