diff --git a/src/agents/bash-tools.exec-host-shared.ts b/src/agents/bash-tools.exec-host-shared.ts
index b74d5f9312a..30625f10000 100644
--- a/src/agents/bash-tools.exec-host-shared.ts
+++ b/src/agents/bash-tools.exec-host-shared.ts
@@ -133,9 +133,11 @@ export function resolveExecHostApprovalContext(params: {
     ask: params.ask,
   });
   const hostSecurity = minSecurity(params.security, approvals.agent.security);
-  // An explicit ask=off policy (either from exec-approvals.json or tools.exec.ask)
-  // must be able to suppress prompts even when other defaults are stricter.
-  // tools.exec.ask=off takes precedence to allow users to disable prompts entirely.
+  // DESIGN DECISION: User-level tools.exec.ask=off takes precedence over exec-approvals.json policies.
+  // This allows users to disable exec prompts entirely in trusted environments (e.g., webchat/control-ui).
+  // SECURITY TRADE-OFF: A user setting tools.exec.ask=off in openclaw.json can bypass an admin-configured
+  // ask: "always" policy in exec-approvals.json. This is intentional: user opt-out wins over admin defaults.
+  // Admins requiring mandatory approvals should enforce this at the deployment level, not via exec-approvals.json.
   const hostAsk =
     params.ask === "off" || approvals.agent.ask === "off"
       ? "off"