Thanks to visit codestin.com
Credit goes to github.com

Skip to content

fix(exec): check allowlist before prompting for node host #1425

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
czekaj wants to merge 1 commit into from
Closed

fix(exec): check allowlist before prompting for node host #1425

czekaj wants to merge 1 commit into from

Conversation

@czekaj
Copy link
Contributor

@czekaj czekaj commented Jan 22, 2026
edited
Loading

Summary

Problem

The node host path was always prompting for approval when ask=on-miss, even when the command was already in the allowlist. The gateway host path correctly checks the allowlist first, but the node host path was missing this check.

Additionally, #1417 accidentally reverted the fix from #1414 by passing null instead of undefined for resolvedPath and sessionKey in the approval request params. TypeBox Type.Optional(Type.String()) rejects null.

Solution

  1. Added allowlist check to node host path mirroring gateway behavior:

    • Analyze command with analyzeShellCommand()
    • Check each segment against matchAllowlist() and isSafeBinUsage()
    • Only prompt if allowlist is not satisfied

  2. Fixed nullundefined for optional params in both node and gateway host paths

Test plan

  • Added 4 unit tests for allowlist satisfaction logic (exact match, wildcard, negative, safeBins fallback)
  • All existing tests pass
  • Manual testing via Discord trigger

🤖 Generated with Claude Code

@czekaj
Copy link
Contributor Author

czekaj commented Jan 22, 2026
edited
Loading

Tested locally. This fixes executing commands from Discord DMs. After the first approval python3, curl, etc. work and the approved patterns are correctly added to ~/.clawdbot/exec-approvals.json

@czekaj @claude
fix(exec): check allowlist before prompting for node host
78d08fc 
The node host path was always prompting for approval on-miss, even when
the command was in the allowlist. This mirrors the gateway host behavior
by checking matchAllowlist() and isSafeBinUsage() before deciding to ask.

Also fixes a regression from openclaw#1417 where null was passed instead of
undefined for optional approval request params (resolvedPath, sessionKey),
which caused validation failures.

Co-Authored-By: Claude Opus 4.5 <[email protected]>
@czekaj czekaj force-pushed the fix/node-host-allowlist-check branch from b1d74a6 to 78d08fc Compare January 22, 2026 06:25
@steipete steipete self-assigned this Jan 22, 2026
steipete pushed a commit that referenced this pull request Jan 22, 2026
@czekaj @steipete
fix(exec): align node exec approvals (#1425)
4b3e9c0 
Thanks @czekaj.

Co-authored-by: Lucas Czekaj <[email protected]>
@steipete
Copy link
Contributor

steipete commented Jan 22, 2026

Landed with a squash onto main.

Changes:

  • unify allowlist evaluation + approval gating helpers across gateway/node host
  • node exec precheck uses node approvals snapshot (allowlist-only) to skip prompts
  • added tests for allowlist evaluation + node allowlist skip

Tests:

  • pnpm lint
  • pnpm build
  • pnpm test (second run; first timed out)

Commit:

Thanks @czekaj!

@steipete steipete closed this Jan 22, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@steipete steipete

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@czekaj @steipete