fix(nodes-tool): add exec approval flow for agent tool run action (#4726)

Merged via /review-pr -> /prepare-pr -> /merge-pr. Prepared head SHA: b8ed4f1b6e Co-authored-by: rmorse <853547+rmorse@users.noreply.github.com> Co-authored-by: steipete <58493+steipete@users.noreply.github.com> Reviewed-by: @steipete
2026-05-08 05:41:24 +00:00 · 2026-02-13 19:04:24 +01:00
parent e84318e4bc
commit 6bc6cdad94
4 changed files with 224 additions and 21 deletions
--- a/src/agents/openclaw-tools.camera.e2e.test.ts
+++ b/src/agents/openclaw-tools.camera.e2e.test.ts
@@ -132,4 +132,125 @@ describe("nodes run", () => {
      invokeTimeoutMs: 45_000,
    });
  });
+
+  it("requests approval and retries with allow-once decision", async () => {
+    let invokeCalls = 0;
+    callGateway.mockImplementation(async ({ method, params }) => {
+      if (method === "node.list") {
+        return { nodes: [{ nodeId: "mac-1", commands: ["system.run"] }] };
+      }
+      if (method === "node.invoke") {
+        invokeCalls += 1;
+        if (invokeCalls === 1) {
+          throw new Error("SYSTEM_RUN_DENIED: approval required");
+        }
+        expect(params).toMatchObject({
+          nodeId: "mac-1",
+          command: "system.run",
+          params: {
+            command: ["echo", "hi"],
+            approved: true,
+            approvalDecision: "allow-once",
+          },
+        });
+        return { payload: { stdout: "", stderr: "", exitCode: 0, success: true } };
+      }
+      if (method === "exec.approval.request") {
+        expect(params).toMatchObject({
+          command: "echo hi",
+          host: "node",
+          timeoutMs: 120_000,
+        });
+        return { decision: "allow-once" };
+      }
+      throw new Error(`unexpected method: ${String(method)}`);
+    });
+
+    const tool = createOpenClawTools().find((candidate) => candidate.name === "nodes");
+    if (!tool) {
+      throw new Error("missing nodes tool");
+    }
+
+    await tool.execute("call1", {
+      action: "run",
+      node: "mac-1",
+      command: ["echo", "hi"],
+    });
+    expect(invokeCalls).toBe(2);
+  });
+
+  it("fails with user denied when approval decision is deny", async () => {
+    callGateway.mockImplementation(async ({ method }) => {
+      if (method === "node.list") {
+        return { nodes: [{ nodeId: "mac-1", commands: ["system.run"] }] };
+      }
+      if (method === "node.invoke") {
+        throw new Error("SYSTEM_RUN_DENIED: approval required");
+      }
+      if (method === "exec.approval.request") {
+        return { decision: "deny" };
+      }
+      throw new Error(`unexpected method: ${String(method)}`);
+    });
+
+    const tool = createOpenClawTools().find((candidate) => candidate.name === "nodes");
+    if (!tool) {
+      throw new Error("missing nodes tool");
+    }
+
+    await expect(
+      tool.execute("call1", {
+        action: "run",
+        node: "mac-1",
+        command: ["echo", "hi"],
+      }),
+    ).rejects.toThrow("exec denied: user denied");
+  });
+
+  it("fails closed for timeout and invalid approval decisions", async () => {
+    const tool = createOpenClawTools().find((candidate) => candidate.name === "nodes");
+    if (!tool) {
+      throw new Error("missing nodes tool");
+    }
+
+    callGateway.mockImplementation(async ({ method }) => {
+      if (method === "node.list") {
+        return { nodes: [{ nodeId: "mac-1", commands: ["system.run"] }] };
+      }
+      if (method === "node.invoke") {
+        throw new Error("SYSTEM_RUN_DENIED: approval required");
+      }
+      if (method === "exec.approval.request") {
+        return {};
+      }
+      throw new Error(`unexpected method: ${String(method)}`);
+    });
+    await expect(
+      tool.execute("call1", {
+        action: "run",
+        node: "mac-1",
+        command: ["echo", "hi"],
+      }),
+    ).rejects.toThrow("exec denied: approval timed out");
+
+    callGateway.mockImplementation(async ({ method }) => {
+      if (method === "node.list") {
+        return { nodes: [{ nodeId: "mac-1", commands: ["system.run"] }] };
+      }
+      if (method === "node.invoke") {
+        throw new Error("SYSTEM_RUN_DENIED: approval required");
+      }
+      if (method === "exec.approval.request") {
+        return { decision: "allow-never" };
+      }
+      throw new Error(`unexpected method: ${String(method)}`);
+    });
+    await expect(
+      tool.execute("call1", {
+        action: "run",
+        node: "mac-1",
+        command: ["echo", "hi"],
+      }),
+    ).rejects.toThrow("exec denied: invalid approval decision");
+  });
 });
--- a/src/agents/tools/nodes-tool.ts
+++ b/src/agents/tools/nodes-tool.ts
@@ -436,17 +436,74 @@ export function createNodesTool(options?: {
              typeof params.needsScreenRecording === "boolean"
                ? params.needsScreenRecording
                : undefined;
-            const raw = await callGatewayTool<{ payload: unknown }>("node.invoke", gatewayOpts, {
+            const runParams = {
+              command,
+              cwd,
+              env,
+              timeoutMs: commandTimeoutMs,
+              needsScreenRecording,
+              agentId,
+              sessionKey,
+            };
+
+            // First attempt without approval flags.
+            try {
+              const raw = await callGatewayTool<{ payload?: unknown }>("node.invoke", gatewayOpts, {
+                nodeId,
+                command: "system.run",
+                params: runParams,
+                timeoutMs: invokeTimeoutMs,
+                idempotencyKey: crypto.randomUUID(),
+              });
+              return jsonResult(raw?.payload ?? {});
+            } catch (firstErr) {
+              const msg = firstErr instanceof Error ? firstErr.message : String(firstErr);
+              if (!msg.includes("SYSTEM_RUN_DENIED: approval required")) {
+                throw firstErr;
+              }
+            }
+
+            // Node requires approval – create a pending approval request on
+            // the gateway and wait for the user to approve/deny via the UI.
+            const APPROVAL_TIMEOUT_MS = 120_000;
+            const cmdText = command.join(" ");
+            const approvalResult = await callGatewayTool(
+              "exec.approval.request",
+              { ...gatewayOpts, timeoutMs: APPROVAL_TIMEOUT_MS + 5_000 },
+              {
+                command: cmdText,
+                cwd,
+                host: "node",
+                agentId,
+                sessionKey,
+                timeoutMs: APPROVAL_TIMEOUT_MS,
+              },
+            );
+            const decisionRaw =
+              approvalResult && typeof approvalResult === "object"
+                ? (approvalResult as { decision?: unknown }).decision
+                : undefined;
+            const approvalDecision =
+              decisionRaw === "allow-once" || decisionRaw === "allow-always" ? decisionRaw : null;
+
+            if (!approvalDecision) {
+              if (decisionRaw === "deny") {
+                throw new Error("exec denied: user denied");
+              }
+              if (decisionRaw === undefined || decisionRaw === null) {
+                throw new Error("exec denied: approval timed out");
+              }
+              throw new Error("exec denied: invalid approval decision");
+            }
+
+            // Retry with the approval decision.
+            const raw = await callGatewayTool<{ payload?: unknown }>("node.invoke", gatewayOpts, {
              nodeId,
              command: "system.run",
              params: {
-                command,
-                cwd,
-                env,
-                timeoutMs: commandTimeoutMs,
-                needsScreenRecording,
-                agentId,
-                sessionKey,
+                ...runParams,
+                approved: true,
+                approvalDecision,
              },
              timeoutMs: invokeTimeoutMs,
              idempotencyKey: crypto.randomUUID(),