Back to Openclaw

Permission modes

docs/tools/permission-modes.md

2026.7.16.2 KB
Original Source

Permission modes decide how much authority an agent has before it runs host commands, writes files, or asks a backend harness for extra access.

<Note> Permission mode is separate from `tools.exec.host=auto`. `tools.exec.host` chooses where a command runs. `tools.exec.mode` chooses how host exec is approved. </Note>

Use auto for coding agents that need useful host access without making every miss a human prompt:

bash
openclaw config set tools.exec.mode auto
openclaw approvals get
openclaw gateway restart

Then verify the effective policy:

bash
openclaw exec-policy show

OpenClaw host exec modes

tools.exec.mode is the normalized policy surface for host exec. Each mode resolves to an underlying security (allowlist strictness) and ask (prompt-on-miss) pair:

Modesecurity / askBehaviorUse when
denydeny / offBlock host exec entirely.No host commands are allowed.
allowlistallowlist / offRun only allowlisted commands; silently deny misses.You have a known-safe command set.
askallowlist / on-missRun allowlist matches; ask a human on misses.A human should review every new command.
autoallowlist / on-missRun allowlist matches; send misses through auto-review before falling back to human approval.Coding sessions need practical guarded access.
fullfull / offRun host exec without prompts.This trusted host/session should skip approval gates.

ask and auto share the same allowlist/ask settings; auto additionally enables the native auto-reviewer, which decides misses itself and only defers to the configured human approval route when it cannot safely approve.

For the full host exec policy, local approvals file, allowlist schema, safe bins, and forwarding behavior, see Exec approvals.

Codex Guardian mapping

For native Codex app-server sessions, tools.exec.mode: "auto" drives Codex toward Guardian-reviewed approvals when the local Codex requirements allow it. Typical resulting values:

Codex fieldTypical value
approvalPolicyon-request
approvalsReviewerauto_review
sandboxworkspace-write

auto mode forces this policy over any configured Codex sandbox/approval overrides, so it does not preserve legacy unsafe combinations such as approvalPolicy: "never" with sandbox: "danger-full-access". tools.exec.mode: "deny" and "allowlist" block Codex app-server local execution entirely. Use tools.exec.mode: "full" only when you intentionally want the no-approval posture.

For app-server setup, auth order, and native Codex runtime details, see Codex harness.

ACPX harness permissions

ACPX sessions are non-interactive, so they cannot click a TTY permission prompt. ACPX uses separate harness-level settings under plugins.entries.acpx.config:

SettingValuesMeaning
permissionModeapprove-readsAuto-approve reads only.
permissionModeapprove-allAuto-approve writes and shell commands.
permissionModedeny-allDeny all permission prompts.
nonInteractivePermissionsfailAbort when a prompt would be required.
nonInteractivePermissionsdenyDeny the prompt and continue when possible.

Set ACPX permissions separately from OpenClaw exec approvals:

bash
openclaw config set plugins.entries.acpx.config.permissionMode approve-all
openclaw config set plugins.entries.acpx.config.nonInteractivePermissions fail
openclaw gateway restart

Use approve-all as the ACPX break-glass equivalent of a no-prompt harness session. For setup details and failure modes, see ACP agents setup.

Choosing a mode

GoalConfigure
Block host commands completelytools.exec.mode: "deny"
Let known-safe commands run onlytools.exec.mode: "allowlist"
Ask a human for every new command shapetools.exec.mode: "ask"
Use Codex/OpenClaw auto-review before humanstools.exec.mode: "auto"
Skip host exec approvals entirelytools.exec.mode: "full" plus matching host approvals file
Make non-interactive ACPX sessions write/execplugins.entries.acpx.config.permissionMode: "approve-all"

If a command still prompts or fails after changing mode, inspect both layers:

bash
openclaw approvals get
openclaw exec-policy show

Host exec uses the stricter result of OpenClaw config and the host-local approvals file. ACPX harness permissions do not loosen host exec approvals, and host exec approvals do not loosen ACPX harness prompts.