Cannot fully disable exec approval system - UI popups persist after Security Mode set to Full #49266

@drkyleahuggins

Description

After running openclaw approvals allowlist add to add allowlist patterns, the exec approval system cannot be fully disabled. The gateway UI continues showing approval popups for every command executed by cron jobs and the main agent, even after:

  1. Setting Security Mode to "Full" in Control UI → Nodes
  2. Setting approvals.exec.enabled: false in openclaw.json
  3. Removing the entire approvals section from openclaw.json
  4. Deleting ~/.openclaw/exec-approvals.json and ~/.openclaw/exec-approvals.sock
  5. Running openclaw approvals set --stdin with {"version":1,"defaults":{"security":"full"},"agents":{}}
  6. Multiple gateway restarts after each change

Current Behavior

  • Main session commands show "Approval required" text but execute (cosmetic issue)
  • Cron job sessions show Security: "allowlist" and Ask: "on-miss" in UI popups
  • Clicking "Always allow" on each popup works but there are dozens of cron commands
  • The exec-approvals.json file is recreated on gateway restart even after deletion

Expected Behavior

Setting Security Mode to "Full" in the Control UI should:

  1. Suppress all UI approval popups
  2. Apply to ALL sessions (main + cron/isolated)
  3. Not require individual command-by-command approval

Alternatively, there should be a way to factory-reset the approval system to its default state (as if openclaw approvals allowlist add was never run).

Steps to Reproduce

  1. Run openclaw approvals allowlist add --agent main "ls *" (any pattern)
  2. This creates ~/.openclaw/exec-approvals.json with a socket
  3. Try to disable: Control UI → Nodes → Security Mode → Full → Save
  4. Restart gateway
  5. Run any command — UI popup still appears

Environment

  • OpenClaw 2026.3.8 (3caab92)
  • macOS 25.3.0 (arm64) / Mac Mini
  • Node v22.22.0
  • Model: Claude Sonnet/Opus

Question

How do you fully reset the exec approval system to factory defaults? Is there a command like openclaw approvals reset or a config flag to suppress UI notifications entirely?
