allow-always exec approvals on nodes don't take effect until gateway restart #46573

@chrysb

Bug type

Behavior bug (incorrect output/state without crash)

Summary

When a user clicks "Always allow" on an exec approval prompt for a host=node command, the allowlist entry is persisted to the node's ~/.openclaw/exec-approvals.json, but the gateway continues prompting because it reads its own local file instead of querying the node's allowlist. Requires gateway restart as workaround.

Steps to reproduce

  1. Configure a Mac node paired with a remote gateway (Docker)
  2. Agent triggers exec with host=node
  3. Approval prompt appears on macOS — click Always allow
  4. Command runs successfully
  5. Agent triggers the same command again
  6. Approval prompt appears again

Expected behavior

After clicking "Always allow", the same command should run without prompting on subsequent requests.

Actual behavior

Approval prompt reappears every time. The node saves the allowlist entry to its local exec-approvals.json, but the gateway reads its own local copy via loadExecApprovals() in src/infra/exec-approvals.ts — which doesn't have the node's entry. Gateway restart is required as workaround.

Root cause: resolveExecApprovals() always reads the gateway-local file. For host=node, it should query the node's allowlist via system.execApprovals.get RPC or delegate the check to the node.

OpenClaw version

2026.3.13 (61d171a)

Operating system

Gateway: Linux (Docker/Railway), Node: macOS

Install method

Docker (Railway template) + npm headless node host

Model

anthropic/claude-opus-4-6

Provider / routing chain

Direct Anthropic API

Config file / key location

No response

Additional provider/model setup details

No response

Logs, screenshots, and evidence

Impact and severity

No response

Additional information

No response
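
Added example, not part of the issue or of the OpenClaw code base: a TypeScript model of the root cause described above, replaying the reproduction steps against a gateway-local check and a host-aware one. `ApprovalFile`, `promptGatewayLocal`, `promptHostAware`, `replay` and the sample command are hypothetical stand-ins; an in-memory lookup stands in for the `system.execApprovals.get` RPC or a check delegated to the node.

```typescript
// Model of the approval check; all names are hypothetical, not OpenClaw's API.
type Host = "gateway" | "node";

// Stands in for one machine's ~/.openclaw/exec-approvals.json.
class ApprovalFile {
  private allowlist: string[] = [];
  has(cmd: string): boolean { return this.allowlist.indexOf(cmd) !== -1; }
  allowAlways(cmd: string): void { if (!this.has(cmd)) this.allowlist.push(cmd); }
}

type Resolver = (gw: ApprovalFile, node: ApprovalFile, host: Host, cmd: string) => boolean;

// Reported behaviour: the decision is made from the gateway-local file only.
const promptGatewayLocal: Resolver = (gw, _node, _host, cmd) => !gw.has(cmd);

// Host-aware check: the file on the machine that executes the command is authoritative.
const promptHostAware: Resolver = (gw, node, host, cmd) =>
  !(host === "node" ? node : gw).has(cmd);

// Replays the reproduction steps: the same host=node command is requested three
// times and the user clicks "Always allow" on the node whenever a prompt appears.
// The default command is a constructed sample value.
function replay(needsPrompt: Resolver, cmd = "ls -la"): boolean[] {
  const gw = new ApprovalFile();
  const node = new ApprovalFile();
  const prompts: boolean[] = [];
  for (let i = 0; i < 3; i++) {
    const prompted = needsPrompt(gw, node, "node", cmd);
    prompts.push(prompted);
    if (prompted) node.allowAlways(cmd); // persisted on the node, not on the gateway
  }
  return prompts;
}

console.log("gateway-local:", replay(promptGatewayLocal));
console.log("host-aware:   ", replay(promptHostAware));
```

In the host-aware variant an entry present only in the gateway's file does not suppress the prompt for a host=node command, so the decision always follows the allowlist of the machine that runs it.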

Labels: bug (Something isn't working), bug:behavior (Incorrect behavior without a crash)