Permission mode is separate from
tools.exec.host=auto. tools.exec.host
chooses where a command runs. tools.exec.mode chooses how host exec is
approved.Recommended default
Useauto for coding agents that need useful host access without making every miss a human prompt:
OpenClaw host exec modes
tools.exec.mode is the normalized policy surface for host exec. Each mode resolves to an underlying security (allowlist strictness) and ask (prompt-on-miss) pair:
ask and auto share the same allowlist/ask settings; auto additionally enables the native auto-reviewer, which decides misses itself and only defers to the configured human approval route when it cannot safely approve.
For the full host exec policy, local approvals file, allowlist schema, safe bins, and forwarding behavior, see Exec approvals.
Codex Guardian mapping
For native Codex app-server sessions,tools.exec.mode: "auto" drives Codex toward Guardian-reviewed approvals when the local Codex requirements allow it. Typical resulting values:
auto mode forces this policy over any configured Codex sandbox/approval overrides, so it does not preserve legacy unsafe combinations such as approvalPolicy: "never" with sandbox: "danger-full-access". tools.exec.mode: "deny" and "allowlist" block Codex app-server local execution entirely. Use tools.exec.mode: "full" only when you intentionally want the no-approval posture.
For app-server setup, auth order, and native Codex runtime details, see Codex harness.
ACPX harness permissions
ACPX sessions are non-interactive, so they cannot click a TTY permission prompt. ACPX uses separate harness-level settings underplugins.entries.acpx.config:
Set ACPX permissions separately from OpenClaw exec approvals:
approve-all as the ACPX break-glass equivalent of a no-prompt harness session. For setup details and failure modes, see ACP agents setup.
Choosing a mode
If a command still prompts or fails after changing mode, inspect both layers: