[Bug]: Isolated cron sessions cannot execute Python scripts in v2026.3.31 #58710

@jsompis

Bug type

Regression (worked before, now fails)

Beta release blocker

No

Summary

After upgrading to OpenClaw v2026.3.31, isolated cron sessions fail to execute Python subprocess calls with error: exec approval required but no approval client available. This is a regression from v2026.3.28 where cron jobs executed normally.

Steps to reproduce

  1. Create a cron job with isolated session that calls a Python script:

    {
      "schedule": { "kind": "every", "everyMs": 3600000 },
      "payload": {
        "kind": "agentTurn",
        "message": "Run approval pipeline"
      },
      "sessionTarget": "isolated"
    }

  2. The isolated session attempts to execute:

    subprocess.run(["python3", "tools/facebook-runner/daily_approval_runtime.py"])

  3. Exec tool blocks with: exec approval required but no approval client available

Expected behavior

Isolated cron sessions should execute Python subprocess calls without blocking, as they did in v2026.3.28. Alternatively, if approval enforcement is intentional, isolated sessions should have a mechanism to bypass approval (e.g., config flag, safeBins coverage for subprocess, or auto-approval mechanism).

Actual behavior

Isolated cron sessions unconditionally block on exec tool enforcement because:

  • Session-level approval policy is independent of global config.tools.exec settings
  • Isolated sessions spawn with reset policy (default: require approval)
  • ask: off and security: full only suppress prompts, not enforcement
  • Isolated sessions have no approval client (interactive or automated)
  • Result: Exec tool exits with "no approval client available"

OpenClaw version

2026.3.31

Operating system

macOS 26.4

Install method

npm

Model

anthropic/claude-sonnet-4-6

Provider / routing chain

openclaw->local->anthropic/claude-sonnet-4-6

Additional provider/model setup details

No response

Logs, screenshots, and evidence

Impact and severity

No response

Additional information

Root Cause Analysis

This appears to be a side effect of PR #57689 ("Agents/exec defaults: honor per-agent tools.exec defaults..."). While the change correctly enables tools.exec config enforcement, it does not account for isolated session contexts that lack approval clients.

Attempted Workarounds (All Failed)

  1. Global config ask: off + security: full → ignored by isolated sessions
  2. Gateway restart (SIGUSR1) → session-level policy cache unaffected
  3. safeBins: [python3, python] + safeBinTrustedDirs → only whitelists bare binaries, not subprocess.run() invocations
  4. Wrap subprocess in sh -c shell → exec tool still enforces approval on shell wrapper before subprocess runs

Reproduction Details

  • Cron jobs affected: content-approval-daily, notebooklm-approval-daily (both isolated sessions)
  • Error context: Happens after 2026.3.31 upgrade; reverted to 2026.3.28 and jobs run successfully
  • Partial workaround: Removing tools.exec config block entirely (reverting to pre-2026.3.31 default) allows cron to execute, but loses intentional exec policy enforcement

Proposed Solutions (in priority order)

  1. Add isolatedSessionPolicy config for cron/subagent jobs:

    {
      "isolatedSessionPolicy": "bypass-approval"  // or auto-approve with trusted-script whitelist
    }

    Allows explicitly trusted isolated jobs to bypass approval enforcement.

  2. Extend safeBins whitelist to cover subprocess patterns:
    Currently safeBins only whitelists bare binary invocations. Extend it to recognize trusted-subprocess patterns (e.g., python3 /path/to/trusted/script.py).

  3. Add approval delegation mechanism for isolated sessions:
    Isolated sessions can request approval from parent/main session via IPC/event, enabling human-in-the-loop without blocking on approval-client availability.

Impact

  • Severity: High (blocks all isolated cron automation)
  • Affected Users: Anyone using cron jobs with isolated sessions (subagent, ACP, background tasks)
  • Workaround Available: Yes (downgrade to 2026.3.28 or remove tools.exec config)

Additional Context

Related to recent changes in exec approval handling:

All three PRs tightened approval enforcement, but none explicitly addressed isolated session contexts lacking approval clients.


Tags

bug exec cron isolated-sessions regression approval
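
Added example, not part of the issue and not OpenClaw code: one way the "trusted-subprocess pattern" from proposed solution 2 could be checked without widening the allowlist to "anything python3 can run". The policy shape, function names and paths are assumptions made for illustration.

```javascript
// Hypothetical policy shape, names and paths; not OpenClaw's config schema or API.
const POLICY = {
  interpreters: ["/usr/bin/python3"], // pinned by absolute path, never via PATH
  scriptDirs: ["/opt/agent/tools"],   // must not be writable by the agent itself
};

// Collapse ".", ".." and duplicate slashes in an absolute POSIX path.
function normalizeAbs(p) {
  const out = [];
  for (const seg of p.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") out.pop();
    else out.push(seg);
  }
  return "/" + out.join("/");
}

const deny = (reason) => ({ allow: false, reason });

// Allow only the exact shape [pinned interpreter, script under a trusted dir, ...args].
// `realpath` is injectable for testing; pass fs.realpathSync in real use so
// symlinks are resolved before the directory comparison.
function checkTrustedSubprocess(argv, policy, realpath = (p) => p) {
  if (!Array.isArray(argv) || argv.length < 2) return deny("need interpreter and script");
  const [exe, script, ...args] = argv;
  if (!exe.startsWith("/")) return deny("interpreter must be an absolute path");
  const bin = realpath(normalizeAbs(exe));
  if (!policy.interpreters.includes(bin)) return deny("interpreter not pinned");
  // -c, -m or "-" in the script slot runs code that is not a reviewed file on disk.
  if (script.startsWith("-")) return deny("interpreter option in script position");
  if (!script.startsWith("/")) return deny("script must be an absolute path");
  const resolved = realpath(normalizeAbs(script));
  // Compare with a trailing slash so /opt/agent/tools-other does not match.
  const inside = policy.scriptDirs.some((d) => resolved.startsWith(normalizeAbs(d) + "/"));
  if (!inside) return deny("script outside trusted directories");
  // Return the resolved paths so the caller executes exactly what was checked.
  return { allow: true, reason: "pinned interpreter, trusted script", argv: [bin, resolved, ...args] };
}

// Constructed sample invocations.
for (const argv of [
  ["/usr/bin/python3", "/opt/agent/tools/facebook-runner/daily_approval_runtime.py"],
  ["python3", "tools/facebook-runner/daily_approval_runtime.py"],
  ["/usr/bin/python3", "-c", "print(1)"],
  ["/usr/bin/python3", "/opt/agent/tools/../../../tmp/x.py"],
]) {
  const r = checkTrustedSubprocess(argv, POLICY);
  console.log(r.allow ? "ALLOW" : "DENY ", r.reason, "<-", argv.join(" "));
}
```

The check is only as strong as the write permissions on the pinned interpreter and the trusted directories, and it does not cover environment variables such as PYTHONPATH that change what the interpreter loads.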
