docs: add design decision comment for tools.exec.ask=off precedence

Explicitly documents the security trade-off: user-level tools.exec.ask=off
takes precedence over exec-approvals.json policies. This is intentional to
allow users to disable prompts in trusted environments.

Addresses Greptile review on PR #43600.
uninhibite-scholar 2026-03-17 09:07:26 +08:00
parent 188c5e37e1
commit e3f61edcf9

@ -133,9 +133,11 @@ export function resolveExecHostApprovalContext(params: {
ask: params.ask,
});
const hostSecurity = minSecurity(params.security, approvals.agent.security);
// An explicit ask=off policy (either from exec-approvals.json or tools.exec.ask)
// must be able to suppress prompts even when other defaults are stricter.
// tools.exec.ask=off takes precedence to allow users to disable prompts entirely.
// DESIGN DECISION: User-level tools.exec.ask=off takes precedence over exec-approvals.json policies.
// This allows users to disable exec prompts entirely in trusted environments (e.g., webchat/control-ui).
// SECURITY TRADE-OFF: A user setting tools.exec.ask=off in openclaw.json can bypass an admin-configured
// ask: "always" policy in exec-approvals.json. This is intentional: user opt-out wins over admin defaults.
// Admins requiring mandatory approvals should enforce this at the deployment level, not via exec-approvals.json.
const hostAsk =
params.ask === "off" || approvals.agent.ask === "off"
? "off"
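
Review bot: The new DESIGN DECISION comment above `const hostAsk` documents only the tools.exec.ask direction, but the condition also returns "off" when `approvals.agent.ask === "off"`, so a reader can no longer tell from the comment that an exec-approvals.json value of off suppresses prompts even when the caller passes a stricter `params.ask`. The wording it replaces ("either from exec-approvals.json or tools.exec.ask") covered both inputs; keep one sentence saying that either source being off wins, then state the user-over-admin trade-off. The last comment line tells admins to enforce mandatory approvals "at the deployment level" without naming a mechanism. Since this comment is the only place the bypass is recorded, point to the specific control or doc page, or say that none exists yet. Note also that `hostSecurity` on the line above takes the stricter of the two sources via `minSecurity` while `hostAsk` takes the more permissive one; a short remark that this asymmetry is deliberate would keep a later change from "fixing" it.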