Description

After upgrading from 2026.3.28 to 2026.3.31, all exec commands require manual approval despite config explicitly setting:

"tools": {
  "exec": {
    "ask": "off",
    "security": "full"
  }
}

Also disabled channels.discord.execApprovals.enabled: false — no effect.

Steps to Reproduce

1. Upgrade from 2026.3.28 to 2026.3.31 (npm i -g openclaw@latest)
2. Set tools.exec.ask: "off" and tools.exec.security: "full" in ~/.openclaw/openclaw.json
3. Full gateway stop/start (openclaw gateway stop && openclaw gateway start)
4. Any exec call (even echo "test") returns Approval required

Expected Behavior

Exec commands should run without approval when tools.exec.ask: "off" and tools.exec.security: "full" are configured.

Actual Behavior

Every exec command prompts for approval regardless of config. The config is confirmed loaded correctly via config.get — both parsed, resolved, and runtimeConfig show the correct values. Gateway was fully restarted (stop + start, not just SIGUSR1).

Suspected Cause

Likely related to the 2026.3.31 changelog entry:

ACP/security: replace ACP's dangerous-tool name override with semantic approval classes, so only narrow readonly reads/searches can auto-approve while indirect exec-capable and control-plane tools always require explicit prompt approval.

This appears to override the user-configured tools.exec settings.

Environment

• OS: macOS 26.3.1 (arm64)
• Node: 22.22.0
• Gateway mode: local, loopback, token auth
• Channels: Discord, Telegram, Signal, BlueBubbles
• Workaround: Rolled back to 2026.3.28

Impact

• All exec-based functionality broken (cron jobs, healthchecks, shell commands)
• Affects all channels (Discord, iMessage/BlueBubbles, etc.)
• Required full rollback to restore operations