```bash

openclaw approvals set --file ./exec-approvals.json

openclaw approvals set --stdin <<'EOF'

{ version: 1, defaults: { security: "full", ask: "off" } }

{ version: 1, defaults: { security: "full", ask: "off", askFallback: "full" } }

EOF

openclaw approvals set --node <id|name|ip> --file ./exec-approvals.json

openclaw approvals set --gateway --file ./exec-approvals.json

- YOLO is about approvals, not routing.

- If you want host exec even when a sandbox is configured, make the host choice explicit with `gateway` or `/exec host=gateway`.

This matches the current host-default YOLO behavior. Tighten it if you want approvals.

Omitted `askFallback` defaults to `deny`. Set `askFallback: "full"`

explicitly when upgrading a no-UI host that should keep never-prompt behavior.

Local shortcut:

### `askFallback`

<ParamField path="askFallback" type='"deny" | "allowlist" | "full"'>

Resolution when a prompt is required but no UI is reachable.

Resolution when a prompt is required but no UI is reachable. If this

field is omitted, OpenClaw defaults to `deny`.

- `deny` - block.

- `allowlist` - allow only if allowlist matches.

(`tools.exec.*`) **and** host-local approvals policy in

`~/.openclaw/exec-approvals.json`.

YOLO is the default host behavior unless you tighten it explicitly:

OpenClaw defaults omitted `askFallback` to `deny`. Set host

`askFallback` to `full` explicitly when a no-UI approval prompt should

fall back to allow.

| Layer | YOLO setting |

| --------------------- | -------------------------- |

That local shortcut updates both:

- Local `tools.exec.host/security/ask`.

- Local `~/.openclaw/exec-approvals.json` defaults.

- Local `~/.openclaw/exec-approvals.json` defaults, including

`askFallback: "full"`.

It is intentionally local-only. To change gateway-host or node-host

approvals remotely, use `openclaw approvals set --gateway` or

createExecApprovalPendingState,

enforceStrictInlineEvalApprovalBoundary,

MAX_EXEC_APPROVAL_FOLLOWUP_FAILURE_LOG_KEYS as maxExecApprovalFollowupFailureLogKeys,

resolveBaseExecApprovalDecision,

resolveExecApprovalUnavailableState,

resolveExecHostApprovalContext,

sendExecApprovalFollowupResult,

});

describe("enforceStrictInlineEvalApprovalBoundary", () => {

it("denies unanswered approvals when ask fallback is fail-closed", () => {

expect(

resolveBaseExecApprovalDecision({

decision: null,

askFallback: "deny",

}),

).toEqual({

approvedByAsk: false,

deniedReason: "approval-timeout",

timedOut: true,

});

});

it("denies timeout-based fallback when strict inline-eval approval is required", () => {

expect(

enforceStrictInlineEvalApprovalBoundary({

requireRecord(toolsScope.askFallback, "tools.exec askFallback"),

"tools.exec askFallback",

{

effective: "full",

source: "OpenClaw default (full)",

effective: "deny",

source: "OpenClaw default (deny)",

},

);

effective: "always",

});

expectFields(requireRecord(agentScope.askFallback, "agent askFallback"), "agent askFallback", {

effective: "allowlist",

source: "OpenClaw default (full)",

effective: "deny",

source: "OpenClaw default (deny)",

});

});

});

expect(summary.askFallback).toEqual({

effective: "full",

source: "OpenClaw default (full)",

effective: "deny",

source: "OpenClaw default (deny)",

});

});

const DEFAULT_SECURITY: ExecSecurity = "full";

const DEFAULT_ASK: ExecAsk = "off";

export const DEFAULT_EXEC_APPROVAL_ASK_FALLBACK: ExecSecurity = "full";

export const DEFAULT_EXEC_APPROVAL_ASK_FALLBACK: ExecSecurity = "deny";

const DEFAULT_AUTO_ALLOW_SKILLS = false;

const DEFAULT_SOCKET = "~/.openclaw/exec-approvals.sock";

const DEFAULT_FILE = "~/.openclaw/exec-approvals.json";