






















@@ -54,7 +54,8 @@ doctor can report the missing artifact.
5454Policy is authored, not generated from the user's current settings. A minimal
5555policy for channels, MCP servers, model providers, network posture, ingress/channel access, Gateway
5656exposure, agent workspace posture, configured sandbox runtime posture, OpenClaw
57-data-handling posture, config secret provider/auth profile posture, and tool metadata looks like this:
57+data-handling posture, config secret provider/auth profile posture, exec approval
58+file posture, and tool metadata looks like this:
58595960```jsonc
6061{
@@ -145,6 +146,15 @@ data-handling posture, config secret provider/auth profile posture, and tool met
145146"allowModes": ["api_key", "token"],
146147 },
147148 },
149+"execApprovals": {
150+"requireFile": true,
151+"defaults": { "allowSecurity": ["deny"] },
152+"agents": {
153+"allowSecurity": ["deny", "allowlist"],
154+"allowAutoAllowSkills": false,
155+"allowlist": { "expected": ["deploy", "status"] },
156+ },
157+ },
148158"tools": {
149159"requireMetadata": ["risk", "sensitivity", "owner"],
150160"profiles": {
@@ -187,9 +197,11 @@ and `group:runtime` covers shell/process tools. Tool posture policy observes
187197`tools.profile`, `tools.allow`, `tools.alsoAllow`, `tools.deny`,
188198`tools.fs.workspaceOnly`, `tools.exec.security`, `tools.exec.ask`,
189199`tools.exec.host`, `tools.elevated.enabled`, and the same per-agent
190-`agents.list[].tools.*` overrides. It does not read runtime/operator approval
191-state such as exec-approvals.json, and it does not enforce tool calls at
192-runtime. Secret evidence records
200+`agents.list[].tools.*` overrides. Exec approval policy reads the named
201+`exec-approvals.json` product artifact only when an `execApprovals` rule is
202+present; evidence records defaults, per-agent posture, and allowlist patterns
203+without socket tokens or last-used command text. Policy does not enforce tool
204+calls at runtime. Secret evidence records
193205provider/source posture and SecretRef metadata, never raw secret values. Policy
194206does not read or attest per-agent credential stores such as `auth-profiles.json`;
195207those stores remain owned by the existing auth and credential flows.
@@ -218,8 +230,8 @@ its own finding against the same observed config.
218230219231Use `scopes.<scopeName>` when one set of agents or channels needs stricter
220232policy than the top-level baseline. Agent-scoped sections use `agentIds`, which
221-supports `tools.*`, `agents.workspace.*`, `sandbox.*`, and
222-`dataHandling.memory.*`. Channel-scoped
233+supports `tools.*`, `agents.workspace.*`, `sandbox.*`, `dataHandling.memory.*`,
234+and `execApprovals.*`. Channel-scoped
223235ingress uses `channelIds`, which supports `ingress.channels.*`. Unsupported
224236sections are rejected instead of being ignored. If an `agentIds` entry is not
225237present in `agents.list[]`, OpenClaw evaluates the scoped rule against inherited
@@ -304,10 +316,10 @@ groups where those fields cannot be observed.
304316Top-level `ingress.session.requireDmScope` remains global because
305317`session.dmScope` is not channel-attributable evidence.
306318307-| Selector | Supported sections | Use when |
308-| ------------ | ----------------------------------------------------------------- | ------------------------------------------------- |
309-| `agentIds` | `tools`, `agents.workspace`, `sandbox`, and `dataHandling.memory` | One or more runtime agents need stricter rules. |
310-| `channelIds` | `ingress.channels` | One or more channels need stricter ingress rules. |
319+| Selector | Supported sections | Use when |
320+| ------------ | ---------------------------------------------------------------------------------- | ------------------------------------------------- |
321+| `agentIds` | `tools`, `agents.workspace`, `sandbox`, `dataHandling.memory`, and `execApprovals` | One or more runtime agents need stricter rules. |
322+| `channelIds` | `ingress.channels` | One or more channels need stricter ingress rules. |
311323312324Every scope present in `policy.jsonc` must be valid and enforceable.
313325@@ -401,6 +413,69 @@ allowlist such as `["all"]`.
401413| `secrets.denySources` | Secret provider sources and SecretRef sources | Deny sources such as `exec`, `file`, or another configured source name. |
402414| `secrets.allowInsecureProviders` | Insecure secret-provider posture flags | Set to `false` to reject providers that opt into insecure posture. |
403415416+#### Exec approvals
417+418+Exec approvals policy observes the active runtime `exec-approvals.json`
419+artifact. By default this is `~/.openclaw/exec-approvals.json`; when
420+`OPENCLAW_STATE_DIR` is set, Policy reads
421+`$OPENCLAW_STATE_DIR/exec-approvals.json`. Actual posture rules such as
422+`execApprovals.defaults.*` or `execApprovals.agents.*` require readable artifact
423+evidence; a missing or invalid artifact is reported as unobservable evidence
424+instead of becoming a best-effort pass against synthetic runtime defaults. Once
425+the artifact is readable, omitted approval fields inherit runtime defaults: missing
426+`defaults.security` is `full`, and missing agent security inherits that
427+default. Evidence includes `defaults`, `agents.*`, and
428+`agents.*.allowlist[].pattern` plus optional `argPattern`, effective
429+`autoAllowSkills` posture, and entry source. It does not include socket
430+path/token, `commandText`, `lastUsedCommand`, resolved paths, or timestamps.
431+432+| Policy field | Observed state | Use when |
433+| ------------------------------------------- | -------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------- |
434+| `execApprovals.requireFile` | Active runtime `exec-approvals.json` path | Set to `true` to require the approvals artifact to exist and parse. |
435+| `execApprovals.defaults.allowSecurity` | `defaults.security`, defaulting to `full` | Allow only approved default approval security modes. |
436+| `execApprovals.agents.allowSecurity` | `agents.*.security`, inheriting defaults | Allow only approved per-agent effective approval security modes. |
437+| `execApprovals.agents.allowAutoAllowSkills` | `defaults.autoAllowSkills` and `agents.*.autoAllowSkills`, inheriting runtime defaults | Set to `false` to require strict manual allowlists without implicit skill CLI approval. |
438+| `execApprovals.agents.allowlist.expected` | Aggregate `agents.*.allowlist[]` pattern and optional argPattern entries | Require the approvals allowlist to match the reviewed pattern set. |
439+440+For example, require the approvals artifact, deny permissive defaults, and
441+allow only reviewed exec approval posture for selected agents:
442+443+```jsonc
444+{
445+"execApprovals": {
446+"requireFile": true,
447+"defaults": {
448+// Security modes: "deny", "allowlist", or "full".
449+// This default permits only the locked-down deny posture.
450+"allowSecurity": ["deny"],
451+ },
452+ },
453+"scopes": {
454+"restricted-shell": {
455+"agentIds": ["family-agent", "groups-agent"],
456+"execApprovals": {
457+"agents": {
458+// Selected agents may use reviewed allowlist posture, but not "full".
459+"allowSecurity": ["allowlist"],
460+// false means skill CLIs must appear in the reviewed allowlist instead of
461+// being implicitly approved by autoAllowSkills.
462+"allowAutoAllowSkills": false,
463+"allowlist": {
464+"expected": [
465+// Simple entry: exact reviewed executable pattern with no argPattern.
466+"travel-hub",
467+// Constrained entry: pattern plus reviewed argument regex.
468+ { "pattern": "calendar-cli", "argPattern": "^sync\\b" },
469+"/bin/date",
470+ ],
471+ },
472+ },
473+ },
474+ },
475+ },
476+}
477+```
478+404479#### Auth profiles
405480406481| Policy field | Observed state | Use when |
@@ -769,6 +844,13 @@ Policy currently verifies:
769844| `policy/secrets-insecure-provider` | A secret provider opts into insecure posture when policy denies it. |
770845| `policy/auth-profile-invalid-metadata` | A config auth profile is missing valid provider or mode metadata. |
771846| `policy/auth-profile-unapproved-mode` | A config auth profile mode is outside the policy allowlist. |
847+| `policy/exec-approvals-missing` | Policy requires `exec-approvals.json`, but the artifact is missing. |
848+| `policy/exec-approvals-invalid` | The configured exec approvals artifact cannot be parsed. |
849+| `policy/exec-approvals-default-security-unapproved` | Exec approval defaults use a security mode outside the policy allowlist. |
850+| `policy/exec-approvals-agent-security-unapproved` | A per-agent effective exec approval security mode is outside the allowlist. |
851+| `policy/exec-approvals-auto-allow-skills-enabled` | An exec approval agent implicitly auto-allows skill CLIs when policy denies it. |
852+| `policy/exec-approvals-allowlist-missing` | The approvals allowlist is missing a pattern required by policy. |
853+| `policy/exec-approvals-allowlist-unexpected` | The approvals allowlist includes a pattern not expected by policy. |
772854| `policy/tools-missing-risk-level` | A governed tool declaration is missing risk metadata. |
773855| `policy/tools-unknown-risk-level` | A governed tool declaration uses an unknown risk value. |
774856| `policy/tools-missing-sensitivity-token` | A governed tool declaration is missing sensitivity metadata. |
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。