
























1+---
2+summary: "Permission modes for host exec, Codex Guardian approvals, and ACPX harness sessions"
3+read_when:
4+ - Choosing auto, ask, allowlist, full, or deny for command permissions
5+ - Configuring Codex Guardian-reviewed approvals through tools.exec.mode
6+ - Comparing OpenClaw exec approvals with ACPX harness permissions
7+title: "Permission modes"
8+---
9+10+Permission modes decide how much authority an agent has before it can run host commands, write files, or ask a backend harness for extra access. Start with `tools.exec.mode: "auto"` when you want OpenClaw to use allowlists first, then Codex native auto-review or a human approval route for misses.
11+12+<Note>
13+ Permission mode is separate from `tools.exec.host=auto`. `tools.exec.host`
14+ chooses where a command runs. `tools.exec.mode` chooses how host exec is
15+ approved.
16+</Note>
17+18+## Recommended default
19+20+Use `auto` for coding agents that need useful host access without making every miss a human prompt:
21+22+```bash
23+openclaw config set tools.exec.mode auto
24+openclaw approvals get
25+openclaw gateway restart
26+```
27+28+Then verify the effective policy:
29+30+```bash
31+openclaw exec-policy show
32+```
33+34+In `auto` mode, OpenClaw runs deterministic allowlist matches directly. Approval misses go through OpenClaw's native auto reviewer first, then fall back to the configured human approval route when needed.
35+36+## OpenClaw host exec modes
37+38+`tools.exec.mode` is the normalized policy surface for host `exec`.
39+40+| Mode | Behavior | Use when |
41+| ----------- | -------------------------------------------- | ----------------------------------------------------- |
42+| `deny` | Block host exec. | No host commands are allowed. |
43+| `allowlist` | Run only allowlisted commands. | You have a known-safe command set. |
44+| `ask` | Run allowlist matches and ask on misses. | A human should review new commands. |
45+| `auto` | Run allowlist matches, then use auto-review. | Coding sessions need practical guarded access. |
46+| `full` | Run host exec without prompts. | This trusted host/session should skip approval gates. |
47+48+For the full host exec policy, local approvals file, allowlist schema, safe bins, and forwarding behavior, see [Exec approvals](/tools/exec-approvals).
49+50+## Codex Guardian mapping
51+52+For native Codex app-server sessions, `tools.exec.mode: "auto"` maps to Codex Guardian-reviewed approvals when the local Codex requirements allow it. OpenClaw usually sends:
53+54+| Codex field | Typical value |
55+| ------------------- | ----------------- |
56+| `approvalPolicy` | `on-request` |
57+| `approvalsReviewer` | `auto_review` |
58+| `sandbox` | `workspace-write` |
59+60+In `auto` mode, OpenClaw does not preserve legacy unsafe Codex overrides such as `approvalPolicy: "never"` or `sandbox: "danger-full-access"`. Use `tools.exec.mode: "full"` only when you intentionally want the no-approval posture.
61+62+For app-server setup, auth order, and native Codex runtime details, see [Codex harness](/plugins/codex-harness).
63+64+## ACPX harness permissions
65+66+ACPX sessions are non-interactive, so they cannot click a TTY permission prompt. ACPX uses separate harness-level settings under `plugins.entries.acpx.config`:
67+68+| Setting | Common value | Meaning |
69+| --------------------------- | --------------- | ------------------------------------------- |
70+| `permissionMode` | `approve-reads` | Auto-approve reads only. |
71+| `permissionMode` | `approve-all` | Auto-approve writes and shell commands. |
72+| `permissionMode` | `deny-all` | Deny all permission prompts. |
73+| `nonInteractivePermissions` | `fail` | Abort when a prompt would be required. |
74+| `nonInteractivePermissions` | `deny` | Deny the prompt and continue when possible. |
75+76+Set ACPX permissions separately from OpenClaw exec approvals:
77+78+```bash
79+openclaw config set plugins.entries.acpx.config.permissionMode approve-all
80+openclaw config set plugins.entries.acpx.config.nonInteractivePermissions fail
81+openclaw gateway restart
82+```
83+84+Use `approve-all` as the ACPX break-glass equivalent of a no-prompt harness session. For setup details and failure modes, see [ACP agents setup](/tools/acp-agents-setup#permission-configuration).
85+86+## Choosing a mode
87+88+| Goal | Configure |
89+| --------------------------------------------- | ----------------------------------------------------------- |
90+| Block host commands completely | `tools.exec.mode: "deny"` |
91+| Let known-safe commands run only | `tools.exec.mode: "allowlist"` |
92+| Ask a human for every new command shape | `tools.exec.mode: "ask"` |
93+| Use Codex/OpenClaw auto-review before humans | `tools.exec.mode: "auto"` |
94+| Skip host exec approvals entirely | `tools.exec.mode: "full"` plus matching host approvals file |
95+| Make non-interactive ACPX sessions write/exec | `plugins.entries.acpx.config.permissionMode: "approve-all"` |
96+97+If a command still prompts or fails after changing mode, inspect both layers:
98+99+```bash
100+openclaw approvals get
101+openclaw exec-policy show
102+```
103+104+Host exec uses the stricter result of OpenClaw config and the host-local approvals file. ACPX harness permissions do not loosen host exec approvals, and host exec approvals do not loosen ACPX harness prompts.
105+106+## Related
107+108+- [Exec approvals](/tools/exec-approvals)
109+- [Exec approvals - advanced](/tools/exec-approvals-advanced)
110+- [Codex harness](/plugins/codex-harness)
111+- [ACP agents setup](/tools/acp-agents-setup#permission-configuration)
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。