hovclaw 0.1.2 → 0.1.4

package/dist/index.js

@@ -97,7 +97,27 @@ const DEFAULT_FILE_CONFIG = {
 			"tail",
 			"wc"
 		],
-		tools: { bashEnabled: false }
+		tools: {
+			bashEnabled: false,
+			exec: {
+				enabled: false,
+				security: "allowlist",
+				ask: "on-miss",
+				approvalTimeoutMs: 12e4,
+				allowlist: [],
+				safeBins: [...[
+					"jq",
+					"grep",
+					"cut",
+					"sort",
+					"uniq",
+					"head",
+					"tail",
+					"tr",
+					"wc"
+				]]
+			}
+		}
 	},
 	channels: {
 		discord: {
@@ -202,6 +222,22 @@ const commandsConfigSchema = z.object({
 	useAccessGroups: z.boolean(),
 	allowFrom: commandAllowFromSchema
 });
+const runtimeExecConfigSchema = z.object({
+	enabled: z.boolean(),
+	security: z.enum([
+		"deny",
+		"allowlist",
+		"full"
+	]),
+	ask: z.enum([
+		"off",
+		"on-miss",
+		"always"
+	]),
+	approvalTimeoutMs: z.number().int().positive(),
+	allowlist: z.array(z.string().min(1)),
+	safeBins: z.array(z.string().min(1))
+});
 const telegramTopicConfigSchema = z.object({
 	enabled: z.boolean().optional(),
 	requireMention: z.boolean().optional(),
@@ -364,7 +400,10 @@ const fileConfigSchema = z.object({
 		allowedReadRoots: z.array(z.string().min(1)),
 		allowedWriteRoots: z.array(z.string().min(1)),
 		allowedCommandPrefixes: z.array(z.string().min(1)).min(1),
-		tools: z.object({ bashEnabled: z.boolean() })
+		tools: z.object({
+			bashEnabled: z.boolean(),
+			exec: runtimeExecConfigSchema
+		})
 	}),
 	channels: z.object({
 		discord: z.object({
@@ -441,7 +480,21 @@ const partialFileConfigSchema = z.object({
 	bindings: fileConfigSchema.shape.bindings.optional(),
 	models: fileConfigSchema.shape.models.partial().optional(),
 	commands: commandsConfigSchema.partial().optional(),
-	runtime: fileConfigSchema.shape.runtime.partial().optional(),
+	runtime: z.object({
+		mode: z.enum(["local", "container"]).optional(),
+		containerImage: z.string().min(1).optional(),
+		idleTimeoutMs: z.number().int().positive().optional(),
+		networkMode: z.string().min(1).optional(),
+		timeoutMs: z.number().int().positive().optional(),
+		maxOutputBytes: z.number().int().positive().optional(),
+		allowedReadRoots: z.array(z.string().min(1)).optional(),
+		allowedWriteRoots: z.array(z.string().min(1)).optional(),
+		allowedCommandPrefixes: z.array(z.string().min(1)).min(1).optional(),
+		tools: z.object({
+			bashEnabled: z.boolean().optional(),
+			exec: runtimeExecConfigSchema.partial().optional()
+		}).optional()
+	}).optional(),
 	channels: partialChannelsSchema,
 	gateway: partialGatewayConfigSchema,
 	scheduler: fileConfigSchema.shape.scheduler.partial().optional()
@@ -712,7 +765,17 @@ function mergeWithDefaults(partial) {
 			allowedReadRoots: partial.runtime?.allowedReadRoots ?? DEFAULT_FILE_CONFIG.runtime.allowedReadRoots,
 			allowedWriteRoots: partial.runtime?.allowedWriteRoots ?? DEFAULT_FILE_CONFIG.runtime.allowedWriteRoots,
 			allowedCommandPrefixes: partial.runtime?.allowedCommandPrefixes ?? DEFAULT_FILE_CONFIG.runtime.allowedCommandPrefixes,
-			tools: { bashEnabled: partial.runtime?.tools?.bashEnabled ?? DEFAULT_FILE_CONFIG.runtime.tools.bashEnabled }
+			tools: {
+				bashEnabled: partial.runtime?.tools?.bashEnabled ?? DEFAULT_FILE_CONFIG.runtime.tools.bashEnabled,
+				exec: {
+					enabled: partial.runtime?.tools?.exec?.enabled ?? partial.runtime?.tools?.bashEnabled ?? DEFAULT_FILE_CONFIG.runtime.tools.exec.enabled,
+					security: partial.runtime?.tools?.exec?.security ?? DEFAULT_FILE_CONFIG.runtime.tools.exec.security,
+					ask: partial.runtime?.tools?.exec?.ask ?? DEFAULT_FILE_CONFIG.runtime.tools.exec.ask,
+					approvalTimeoutMs: partial.runtime?.tools?.exec?.approvalTimeoutMs ?? DEFAULT_FILE_CONFIG.runtime.tools.exec.approvalTimeoutMs,
+					allowlist: partial.runtime?.tools?.exec?.allowlist ?? DEFAULT_FILE_CONFIG.runtime.tools.exec.allowlist,
+					safeBins: partial.runtime?.tools?.exec?.safeBins ?? DEFAULT_FILE_CONFIG.runtime.tools.exec.safeBins
+				}
+			}
 		},
 		channels: {
 			discord: {
@@ -824,7 +887,17 @@ function applyEnvOverrides(base, env) {
 			allowedReadRoots: splitCsv(env.ALLOWED_READ_ROOTS, base.runtime.allowedReadRoots),
 			allowedWriteRoots: splitCsv(env.ALLOWED_WRITE_ROOTS, base.runtime.allowedWriteRoots),
 			allowedCommandPrefixes: splitCsv(env.ALLOWED_COMMAND_PREFIXES, base.runtime.allowedCommandPrefixes),
-			tools: { bashEnabled: toBool(env.RUNTIME_BASH_ENABLED, base.runtime.tools.bashEnabled) }
+			tools: {
+				bashEnabled: toBool(env.RUNTIME_BASH_ENABLED, base.runtime.tools.bashEnabled),
+				exec: {
+					enabled: toBool(env.RUNTIME_EXEC_ENABLED, toBool(env.RUNTIME_BASH_ENABLED, base.runtime.tools.exec.enabled)),
+					security: env.RUNTIME_EXEC_SECURITY === "deny" || env.RUNTIME_EXEC_SECURITY === "allowlist" || env.RUNTIME_EXEC_SECURITY === "full" ? env.RUNTIME_EXEC_SECURITY : base.runtime.tools.exec.security,
+					ask: env.RUNTIME_EXEC_ASK === "off" || env.RUNTIME_EXEC_ASK === "on-miss" || env.RUNTIME_EXEC_ASK === "always" ? env.RUNTIME_EXEC_ASK : base.runtime.tools.exec.ask,
+					approvalTimeoutMs: toPositiveInt(env.RUNTIME_EXEC_APPROVAL_TIMEOUT_MS, base.runtime.tools.exec.approvalTimeoutMs),
+					allowlist: splitCsv(env.RUNTIME_EXEC_ALLOWLIST, base.runtime.tools.exec.allowlist),
+					safeBins: splitCsv(env.RUNTIME_EXEC_SAFE_BINS, base.runtime.tools.exec.safeBins)
+				}
+			}
 		},
 		channels: {
 			discord: {
@@ -929,7 +1002,17 @@ function loadConfig(env = process.env) {
 			allowedReadRoots: normalizeRoots(merged.runtime.allowedReadRoots),
 			allowedWriteRoots: normalizeRoots(merged.runtime.allowedWriteRoots),
 			allowedCommandPrefixes: merged.runtime.allowedCommandPrefixes,
-			tools: { bashEnabled: merged.runtime.tools.bashEnabled }
+			tools: {
+				bashEnabled: merged.runtime.tools.bashEnabled,
+				exec: {
+					enabled: merged.runtime.tools.exec.enabled || merged.runtime.tools.bashEnabled,
+					security: merged.runtime.tools.exec.security,
+					ask: merged.runtime.tools.exec.ask,
+					approvalTimeoutMs: merged.runtime.tools.exec.approvalTimeoutMs,
+					allowlist: [...merged.runtime.tools.exec.allowlist],
+					safeBins: [...merged.runtime.tools.exec.safeBins]
+				}
+			}
 		},
 		channels: {
 			discord: {
@@ -1027,6 +1110,12 @@ function legacyEnvKeys() {
 		"ALLOWED_WRITE_ROOTS",
 		"ALLOWED_COMMAND_PREFIXES",
 		"RUNTIME_BASH_ENABLED",
+		"RUNTIME_EXEC_ENABLED",
+		"RUNTIME_EXEC_SECURITY",
+		"RUNTIME_EXEC_ASK",
+		"RUNTIME_EXEC_APPROVAL_TIMEOUT_MS",
+		"RUNTIME_EXEC_ALLOWLIST",
+		"RUNTIME_EXEC_SAFE_BINS",
 		"TOOL_TIMEOUT_MS",
 		"TOOL_MAX_OUTPUT_BYTES",
 		"ENABLE_DISCORD",
@@ -2050,6 +2139,37 @@ var PiAgentManager = class {
 	}
 };
 
+//#endregion
+//#region src/channels/command-auth.ts
+function normalizeAllowFromEntry(value) {
+	return String(value).trim().toLowerCase();
+}
+function senderCandidates(msg) {
+	const candidates = /* @__PURE__ */ new Set();
+	const userId = msg.userId.trim();
+	if (userId) candidates.add(userId.toLowerCase());
+	const displayName = msg.displayName.trim();
+	if (displayName.startsWith("@")) candidates.add(displayName.toLowerCase());
+	return Array.from(candidates);
+}
+function resolveCommandsAllowFrom(config, channel) {
+	const entries = config.commands.allowFrom;
+	if (Object.keys(entries).length === 0) return null;
+	const providerSpecific = entries[channel];
+	if (Array.isArray(providerSpecific)) return providerSpecific;
+	const global = entries["*"];
+	if (Array.isArray(global)) return global;
+	return [];
+}
+function isCommandAuthorized(config, msg) {
+	const allowFrom = resolveCommandsAllowFrom(config, msg.channel);
+	if (allowFrom === null) return true;
+	const normalizedAllow = new Set(allowFrom.map((entry) => normalizeAllowFromEntry(entry)));
+	if (normalizedAllow.has("*")) return true;
+	for (const candidate of senderCandidates(msg)) if (normalizedAllow.has(candidate)) return true;
+	return false;
+}
+
 //#endregion
 //#region src/channels/discord.ts
 const DISCORD_CHUNK_LIMIT = 1900;
@@ -3084,99 +3204,6 @@ async function requestDaemonRestartFromCurrentProcess(env = process.env) {
 	};
 }
 
-//#endregion
-//#region src/compat/openclaw-mirror.ts
-function resolveOpenClawHome(env = process.env) {
-	const override = env.OPENCLAW_STATE_DIR?.trim();
-	if (override) return path.resolve(override.startsWith("~") ? path.join(os.homedir(), override.slice(1)) : override);
-	return path.join(os.homedir(), ".openclaw");
-}
-function resolveOpenClawConfigPath(openclawHome) {
-	return path.join(openclawHome, "openclaw.json");
-}
-function resolveOpenClawSharedSkillsPath(openclawHome) {
-	return path.join(openclawHome, "skills");
-}
-function buildMirrorConfig(config) {
-	const fallbackWorkspace = config.agents.defaults.workspace || path.join(config.hovclawHome, "workspace");
-	const agentList = config.agents.list.length > 0 ? config.agents.list : [{
-		id: "main",
-		name: "Main",
-		workspace: fallbackWorkspace,
-		default: true
-	}];
-	const extraDirs = /* @__PURE__ */ new Set();
-	extraDirs.add(config.skillsDir);
-	for (const agent of agentList) {
-		const workspace = (agent.workspace || fallbackWorkspace).trim();
-		if (!workspace) continue;
-		extraDirs.add(path.join(workspace, "skills"));
-	}
-	return {
-		agent: { workspace: fallbackWorkspace },
-		agents: {
-			defaults: { workspace: fallbackWorkspace },
-			list: agentList
-		},
-		skills: { load: { extraDirs: Array.from(extraDirs) } }
-	};
-}
-function ensureDir(dirPath) {
-	fs.mkdirSync(dirPath, {
-		recursive: true,
-		mode: 448
-	});
-}
-function syncSkillsDir(sharedSkillsPath, sourceSkillsPath) {
-	if (!fs.existsSync(sourceSkillsPath)) {
-		ensureDir(sharedSkillsPath);
-		return false;
-	}
-	try {
-		if (fs.lstatSync(sharedSkillsPath).isSymbolicLink()) {
-			const linkTarget = fs.readlinkSync(sharedSkillsPath);
-			if (path.resolve(path.dirname(sharedSkillsPath), linkTarget) === sourceSkillsPath) return true;
-			fs.unlinkSync(sharedSkillsPath);
-		}
-	} catch {}
-	if (!fs.existsSync(sharedSkillsPath)) try {
-		fs.symlinkSync(sourceSkillsPath, sharedSkillsPath, "dir");
-		return true;
-	} catch {}
-	ensureDir(sharedSkillsPath);
-	for (const entry of fs.readdirSync(sourceSkillsPath, { withFileTypes: true })) {
-		const src = path.join(sourceSkillsPath, entry.name);
-		const dst = path.join(sharedSkillsPath, entry.name);
-		if (entry.isDirectory()) {
-			fs.cpSync(src, dst, {
-				recursive: true,
-				force: true
-			});
-			continue;
-		}
-		if (entry.isFile()) fs.copyFileSync(src, dst);
-	}
-	return false;
-}
-function writeOpenClawMirror(config) {
-	const openclawHome = resolveOpenClawHome();
-	const configPath = resolveOpenClawConfigPath(openclawHome);
-	const sharedSkillsPath = resolveOpenClawSharedSkillsPath(openclawHome);
-	ensureDir(openclawHome);
-	const mirrorConfig = buildMirrorConfig(config);
-	fs.writeFileSync(configPath, `${JSON.stringify(mirrorConfig, null, 2)}\n`, {
-		encoding: "utf8",
-		mode: 384
-	});
-	fs.chmodSync(configPath, 384);
-	return {
-		openclawHome,
-		configPath,
-		sharedSkillsPath,
-		linkedSharedSkills: syncSkillsDir(sharedSkillsPath, config.skillsDir)
-	};
-}
-
 //#endregion
 //#region src/models/catalog.ts
 function buildModelCatalog(aliases) {
@@ -3197,37 +3224,6 @@ function buildModelCatalog(aliases) {
 	}).filter((entry) => Boolean(entry)).sort((a, b) => a.ref.localeCompare(b.ref));
 }
 
-//#endregion
-//#region src/channels/command-auth.ts
-function normalizeAllowFromEntry(value) {
-	return String(value).trim().toLowerCase();
-}
-function senderCandidates(msg) {
-	const candidates = /* @__PURE__ */ new Set();
-	const userId = msg.userId.trim();
-	if (userId) candidates.add(userId.toLowerCase());
-	const displayName = msg.displayName.trim();
-	if (displayName.startsWith("@")) candidates.add(displayName.toLowerCase());
-	return Array.from(candidates);
-}
-function resolveCommandsAllowFrom(config, channel) {
-	const entries = config.commands.allowFrom;
-	if (Object.keys(entries).length === 0) return null;
-	const providerSpecific = entries[channel];
-	if (Array.isArray(providerSpecific)) return providerSpecific;
-	const global = entries["*"];
-	if (Array.isArray(global)) return global;
-	return [];
-}
-function isCommandAuthorized(config, msg) {
-	const allowFrom = resolveCommandsAllowFrom(config, msg.channel);
-	if (allowFrom === null) return true;
-	const normalizedAllow = new Set(allowFrom.map((entry) => normalizeAllowFromEntry(entry)));
-	if (normalizedAllow.has("*")) return true;
-	for (const candidate of senderCandidates(msg)) if (normalizedAllow.has(candidate)) return true;
-	return false;
-}
-
 //#endregion
 //#region src/channels/commands-registry.ts
 const TELEGRAM_COMMAND_NAME_RE = /^[a-z0-9_]{1,32}$/;
@@ -3338,6 +3334,11 @@ const BASE_COMMANDS = [
 		nativeName: "bash",
 		description: "Run a shell command through the assistant (if enabled)"
 	},
+	{
+		key: "approve",
+		nativeName: "approve",
+		description: "Approve or deny pending exec request"
+	},
 	{
 		key: "restart",
 		nativeName: "restart",
@@ -3583,7 +3584,6 @@ function reloadRuntimeConfig() {
 function persistFileConfig(next) {
 	saveConfigFile(next);
 	reloadRuntimeConfig();
-	writeOpenClawMirror(config);
 }
 function parseConfigPath(raw) {
 	const pathValue = raw?.trim();
@@ -4271,7 +4271,7 @@ function emptyState() {
 		pending: {}
 	};
 }
-function nowIso$1() {
+function nowIso$2() {
 	return (/* @__PURE__ */ new Date()).toISOString();
 }
 function randomCode() {
@@ -4312,7 +4312,7 @@ var TelegramPairingStore = class {
 			...pendingByAccount,
 			[code]: {
 				userId,
-				createdAt: nowIso$1()
+				createdAt: nowIso$2()
 			}
 		};
 		this.writeState(state);
@@ -4476,7 +4476,7 @@ function redactSensitiveData(value) {
 
 //#endregion
 //#region src/db.ts
-function nowIso() {
+function nowIso$1() {
 	return (/* @__PURE__ */ new Date()).toISOString();
 }
 var HovClawDb = class {
@@ -4604,7 +4604,7 @@ var HovClawDb = class {
 		return Boolean(row?.name);
 	}
 	upsertSession(parts, sessionKey, model, options) {
-		const createdAt = nowIso();
+		const createdAt = nowIso$1();
 		this.db.prepare(`
         INSERT INTO sessions (
           session_key,
@@ -4699,7 +4699,7 @@ var HovClawDb = class {
         ON CONFLICT(account_id) DO UPDATE SET
           last_update_id = excluded.last_update_id,
           updated_at = excluded.updated_at
-      `).run(accountId, updateId, nowIso());
+      `).run(accountId, updateId, nowIso$1());
 	}
 	hasTelegramDedupe(accountId, updateId) {
 		return typeof this.db.prepare(`
@@ -4712,7 +4712,7 @@ var HovClawDb = class {
 		this.db.prepare(`
         INSERT OR IGNORE INTO telegram_dedupe (account_id, update_id, updated_at)
         VALUES (?, ?, ?)
-      `).run(accountId, updateId, nowIso());
+      `).run(accountId, updateId, nowIso$1());
 	}
 	pruneTelegramDedupe(olderThanIso) {
 		return this.db.prepare(`
@@ -4721,7 +4721,7 @@ var HovClawDb = class {
       `).run(olderThanIso).changes;
 	}
 	appendMessage(sessionKey, role, content) {
-		this.db.prepare(`INSERT INTO messages (session_key, role, content, created_at) VALUES (?, ?, ?, ?)`).run(sessionKey, role, content, nowIso());
+		this.db.prepare(`INSERT INTO messages (session_key, role, content, created_at) VALUES (?, ?, ?, ?)`).run(sessionKey, role, content, nowIso$1());
 	}
 	getMessages(sessionKey) {
 		return this.db.prepare(`
@@ -4742,7 +4742,7 @@ var HovClawDb = class {
         ON CONFLICT(session_key) DO UPDATE SET
           state_json = excluded.state_json,
           updated_at = excluded.updated_at
-      `).run(sessionKey, stateJson, nowIso());
+      `).run(sessionKey, stateJson, nowIso$1());
 	}
 	getAgentState(sessionKey) {
 		return this.db.prepare(`SELECT state_json FROM agent_state WHERE session_key = ?`).get(sessionKey)?.state_json ?? null;
@@ -4763,7 +4763,7 @@ var HovClawDb = class {
           cost_usd,
           created_at
         ) VALUES (?, ?, ?, ?, ?, ?, ?)
-      `).run(record.sessionKey, record.provider, record.model, record.inputTokens, record.outputTokens, record.costUsd, record.createdAt ?? nowIso());
+      `).run(record.sessionKey, record.provider, record.model, record.inputTokens, record.outputTokens, record.costUsd, record.createdAt ?? nowIso$1());
 	}
 	upsertScheduledJob(job) {
 		this.db.prepare(`
@@ -4897,7 +4897,7 @@ var HovClawDb = class {
 		this.db.prepare(`
         INSERT INTO audit_log (ts, session_key, actor, event_type, payload_json)
         VALUES (?, ?, ?, ?, ?)
-      `).run(record.ts ?? nowIso(), record.sessionKey ?? null, record.actor, record.eventType, JSON.stringify(sanitizedPayload));
+      `).run(record.ts ?? nowIso$1(), record.sessionKey ?? null, record.actor, record.eventType, JSON.stringify(sanitizedPayload));
 	}
 	getAuditEvents(eventType) {
 		const query = eventType ? `SELECT ts, session_key, actor, event_type, payload_json FROM audit_log WHERE event_type = ? ORDER BY id DESC` : `SELECT ts, session_key, actor, event_type, payload_json FROM audit_log ORDER BY id DESC`;
@@ -4911,6 +4911,585 @@ var HovClawDb = class {
 	}
 };
 
+//#endregion
+//#region src/exec-approvals.ts
+const DEFAULT_FILE_VERSION = 1;
+const DEFAULT_APPROVAL_TIMEOUT_MS = 12e4;
+const ONE_TIME_APPROVAL_TTL_MS = 5 * 6e4;
+const SHELL_DISALLOWED_PATTERN = /[;&|`$()<>]|[\r\n]/;
+const SHELL_QUOTE_OR_ESCAPE_PATTERN = /["'\\]/;
+function nowIso() {
+	return (/* @__PURE__ */ new Date()).toISOString();
+}
+function normalizeExecSecurity(value) {
+	if (value === "deny" || value === "allowlist" || value === "full") return value;
+	return null;
+}
+function normalizeExecAsk(value) {
+	if (value === "off" || value === "on-miss" || value === "always") return value;
+	return null;
+}
+function normalizeAllowlist(entries) {
+	if (!Array.isArray(entries)) return [];
+	const out = [];
+	const seen = /* @__PURE__ */ new Set();
+	for (const entry of entries) {
+		if (!entry || typeof entry !== "object") continue;
+		const pattern = typeof entry.pattern === "string" ? entry.pattern.trim() : "";
+		if (!pattern) continue;
+		const lowered = pattern.toLowerCase();
+		if (seen.has(lowered)) continue;
+		seen.add(lowered);
+		out.push({
+			pattern,
+			lastUsedAt: typeof entry.lastUsedAt === "string" ? entry.lastUsedAt : void 0,
+			lastUsedCommand: typeof entry.lastUsedCommand === "string" ? entry.lastUsedCommand : void 0,
+			lastResolvedPath: typeof entry.lastResolvedPath === "string" ? entry.lastResolvedPath : void 0
+		});
+	}
+	return out;
+}
+function normalizeFile(value, defaults) {
+	if (!value || typeof value !== "object" || Array.isArray(value)) return {
+		version: DEFAULT_FILE_VERSION,
+		defaults: {
+			security: defaults.security,
+			ask: defaults.ask
+		},
+		agents: {}
+	};
+	const raw = value;
+	const security = typeof raw.defaults?.security === "string" ? normalizeExecSecurity(raw.defaults.security) : null;
+	const ask = typeof raw.defaults?.ask === "string" ? normalizeExecAsk(raw.defaults.ask) : null;
+	const agents = {};
+	if (raw.agents && typeof raw.agents === "object" && !Array.isArray(raw.agents)) for (const [agentId, agentValue] of Object.entries(raw.agents)) {
+		if (!agentId.trim()) continue;
+		agents[agentId] = { allowlist: agentValue && typeof agentValue === "object" && !Array.isArray(agentValue) ? normalizeAllowlist(agentValue.allowlist) : [] };
+	}
+	return {
+		version: DEFAULT_FILE_VERSION,
+		defaults: {
+			security: security ?? defaults.security,
+			ask: ask ?? defaults.ask
+		},
+		agents
+	};
+}
+function normalizePathForMatch(value) {
+	if (process.platform === "win32") return value.replace(/\\/g, "/").toLowerCase();
+	return value;
+}
+function resolveExecutablePath(executable, cwd, env) {
+	if (!executable.trim()) return;
+	if (executable.includes("/") || executable.includes("\\")) {
+		const absolute = path.isAbsolute(executable) ? path.resolve(executable) : path.resolve(cwd, executable);
+		if (fs.existsSync(absolute)) return absolute;
+		return;
+	}
+	const pathEntries = (env.PATH || process.env.PATH || "").split(path.delimiter).filter(Boolean);
+	for (const entry of pathEntries) {
+		const candidate = path.join(entry, executable);
+		if (fs.existsSync(candidate)) return candidate;
+	}
+}
+function analyzeCommand(command, cwd, env) {
+	const trimmed = command.trim();
+	if (!trimmed) return {
+		ok: false,
+		reason: "empty command",
+		args: []
+	};
+	if (SHELL_DISALLOWED_PATTERN.test(trimmed)) return {
+		ok: false,
+		reason: "disallowed shell syntax",
+		args: []
+	};
+	if (SHELL_QUOTE_OR_ESCAPE_PATTERN.test(trimmed)) return {
+		ok: false,
+		reason: "quoted/escaped shell syntax is not allowed",
+		args: []
+	};
+	const tokens = trimmed.split(/\s+/).filter(Boolean);
+	if (tokens.length === 0) return {
+		ok: false,
+		reason: "empty command",
+		args: []
+	};
+	const executableRaw = tokens[0];
+	const resolvedPath = resolveExecutablePath(executableRaw, cwd, env);
+	return {
+		ok: true,
+		executableRaw,
+		executableName: resolvedPath ? path.basename(resolvedPath) : path.basename(executableRaw),
+		resolvedPath,
+		args: tokens.slice(1)
+	};
+}
+function hasPathLikeArg(value) {
+	if (!value || value === "-") return false;
+	if (value.startsWith("/") || value.startsWith("./") || value.startsWith("../") || value.startsWith("~/") || /^[A-Za-z]:[\\/]/.test(value)) return true;
+	return value.includes("/") || value.includes("\\");
+}
+function isSafeBinUsage(analysis, safeBins) {
+	if (!analysis.ok || !analysis.executableName) return false;
+	const executable = analysis.executableName.toLowerCase();
+	if (!safeBins.has(executable)) return false;
+	for (const arg of analysis.args) {
+		if (arg.startsWith("-")) {
+			const eqIndex = arg.indexOf("=");
+			if (eqIndex > 0 && hasPathLikeArg(arg.slice(eqIndex + 1))) return false;
+			continue;
+		}
+		if (hasPathLikeArg(arg)) return false;
+	}
+	return true;
+}
+function matchAllowlistPattern(pattern, executableName, resolvedPath) {
+	const trimmed = pattern.trim();
+	if (!trimmed) return false;
+	const normalizedPattern = normalizePathForMatch(trimmed);
+	const normalizedExecutable = executableName.toLowerCase();
+	const normalizedResolved = resolvedPath ? normalizePathForMatch(resolvedPath) : "";
+	if (!trimmed.includes("/") && !trimmed.includes("\\") && !trimmed.endsWith("*")) return normalizedPattern === normalizedExecutable;
+	if (trimmed.endsWith("*")) {
+		const prefix = normalizePathForMatch(trimmed.slice(0, -1));
+		return normalizedResolved.length > 0 && normalizedResolved.startsWith(prefix) || normalizedExecutable.startsWith(prefix);
+	}
+	if (normalizedResolved.length > 0 && normalizedResolved === normalizedPattern) return true;
+	return normalizedExecutable === normalizedPattern;
+}
+function makeCommandApprovalKey(agentId, command) {
+	return crypto.createHash("sha256").update(`${agentId}::${command.trim()}`).digest("hex");
+}
+var ExecApprovalsManager = class {
+	filePath;
+	onRequested;
+	onResolved;
+	defaults;
+	pending = /* @__PURE__ */ new Map();
+	oneTimeApprovals = /* @__PURE__ */ new Map();
+	constructor(options) {
+		this.filePath = path.join(options.storeDir, "exec-approvals.json");
+		this.defaults = options.defaults;
+		this.onRequested = options.onRequested;
+		this.onResolved = options.onResolved;
+	}
+	getConfigPath() {
+		return this.filePath;
+	}
+	ensureDir() {
+		fs.mkdirSync(path.dirname(this.filePath), {
+			recursive: true,
+			mode: 448
+		});
+	}
+	readRaw() {
+		if (!fs.existsSync(this.filePath)) return null;
+		const raw = fs.readFileSync(this.filePath, "utf8");
+		return JSON.parse(raw);
+	}
+	writeFile(value) {
+		this.ensureDir();
+		fs.writeFileSync(this.filePath, `${JSON.stringify(value, null, 2)}\n`, {
+			encoding: "utf8",
+			mode: 384
+		});
+		fs.chmodSync(this.filePath, 384);
+	}
+	getSnapshot() {
+		try {
+			return normalizeFile(this.readRaw(), this.defaults);
+		} catch {
+			return normalizeFile(null, this.defaults);
+		}
+	}
+	setSnapshot(next) {
+		const normalized = normalizeFile(next, this.defaults);
+		this.writeFile(normalized);
+		return normalized;
+	}
+	resolveDefaults(policy) {
+		const snapshot = this.getSnapshot();
+		return {
+			security: snapshot.defaults.security ?? policy.security,
+			ask: snapshot.defaults.ask ?? policy.ask
+		};
+	}
+	getAgentAllowlist(agentId, policyAllowlist) {
+		const byAgent = this.getSnapshot().agents[agentId]?.allowlist ?? [];
+		const merged = [];
+		const seen = /* @__PURE__ */ new Set();
+		for (const entry of policyAllowlist) {
+			const pattern = entry.trim();
+			if (!pattern) continue;
+			const key = pattern.toLowerCase();
+			if (seen.has(key)) continue;
+			seen.add(key);
+			merged.push({ pattern });
+		}
+		for (const entry of byAgent) {
+			const pattern = entry.pattern.trim();
+			if (!pattern) continue;
+			const key = pattern.toLowerCase();
+			if (seen.has(key)) continue;
+			seen.add(key);
+			merged.push(entry);
+		}
+		return merged;
+	}
+	addAllowlistEntry(agentId, pattern) {
+		const normalizedPattern = pattern.trim();
+		if (!normalizedPattern) return;
+		const snapshot = this.getSnapshot();
+		const current = snapshot.agents[agentId]?.allowlist ?? [];
+		if (current.some((entry) => entry.pattern.toLowerCase() === normalizedPattern.toLowerCase())) return;
+		const nextAllowlist = [...current, {
+			pattern: normalizedPattern,
+			lastUsedAt: nowIso()
+		}];
+		snapshot.agents[agentId] = { allowlist: nextAllowlist };
+		this.writeFile(snapshot);
+	}
+	recordAllowlistUse(agentId, pattern, command, resolvedPath) {
+		const snapshot = this.getSnapshot();
+		const current = snapshot.agents[agentId]?.allowlist ?? [];
+		const lowered = pattern.toLowerCase();
+		const nextAllowlist = current.map((entry) => {
+			if (entry.pattern.toLowerCase() !== lowered) return entry;
+			return {
+				...entry,
+				lastUsedAt: nowIso(),
+				lastUsedCommand: command,
+				lastResolvedPath: resolvedPath
+			};
+		});
+		snapshot.agents[agentId] = { allowlist: nextAllowlist };
+		this.writeFile(snapshot);
+	}
+	request(params) {
+		const now = Date.now();
+		const timeoutMs = Math.max(5e3, Number.isFinite(params.timeoutMs) ? Math.floor(params.timeoutMs) : DEFAULT_APPROVAL_TIMEOUT_MS);
+		const record = {
+			id: crypto.randomUUID(),
+			createdAtMs: now,
+			expiresAtMs: now + timeoutMs,
+			command: params.command,
+			agentId: params.agentId,
+			sessionKey: params.sessionKey,
+			resolvedPath: params.resolvedPath,
+			timeoutMs,
+			target: params.target
+		};
+		this.pending.set(record.id, {
+			record,
+			onApproved: params.onApproved
+		});
+		this.onRequested?.(record);
+		return record;
+	}
+	getPending(recordId) {
+		const pending = this.pending.get(recordId);
+		if (!pending) return null;
+		if (pending.record.expiresAtMs <= Date.now()) {
+			this.pending.delete(recordId);
+			return null;
+		}
+		return pending.record;
+	}
+	resolve(recordId, decision, resolvedBy) {
+		const pending = this.pending.get(recordId);
+		if (!pending) return null;
+		if (pending.record.expiresAtMs <= Date.now()) {
+			this.pending.delete(recordId);
+			return null;
+		}
+		this.pending.delete(recordId);
+		const resolvedRecord = {
+			...pending.record,
+			decision,
+			resolvedBy,
+			resolvedAtMs: Date.now()
+		};
+		if (decision === "allow-always" && resolvedRecord.resolvedPath) this.addAllowlistEntry(resolvedRecord.agentId, resolvedRecord.resolvedPath);
+		if (decision === "allow-once") {
+			const key = makeCommandApprovalKey(resolvedRecord.agentId, resolvedRecord.command);
+			this.oneTimeApprovals.set(key, {
+				key,
+				expiresAtMs: Date.now() + ONE_TIME_APPROVAL_TTL_MS
+			});
+		}
+		this.onResolved?.(resolvedRecord);
+		if ((decision === "allow-once" || decision === "allow-always") && pending.onApproved) pending.onApproved(resolvedRecord).catch(() => {});
+		return resolvedRecord;
+	}
+	consumeOneTimeApproval(agentId, command) {
+		const key = makeCommandApprovalKey(agentId, command);
+		const pending = this.oneTimeApprovals.get(key);
+		if (!pending) return false;
+		this.oneTimeApprovals.delete(key);
+		if (pending.expiresAtMs <= Date.now()) return false;
+		return true;
+	}
+};
+function evaluateExecPolicy(params) {
+	const cwd = params.cwd || process.cwd();
+	const env = params.env || process.env;
+	const analysis = analyzeCommand(params.command, cwd, env);
+	const defaults = params.manager.resolveDefaults(params.policy);
+	const security = defaults.security;
+	const ask = defaults.ask;
+	if (!analysis.ok) return {
+		analysisOk: false,
+		reason: analysis.reason,
+		executableName: analysis.executableName,
+		resolvedPath: analysis.resolvedPath,
+		allowlistSatisfied: false,
+		safeBinSatisfied: false,
+		requiresApproval: false,
+		denied: true,
+		deniedReason: analysis.reason ? `exec denied: ${analysis.reason}` : "exec denied: invalid command"
+	};
+	if (security === "deny") return {
+		analysisOk: analysis.ok,
+		reason: analysis.reason,
+		executableName: analysis.executableName,
+		resolvedPath: analysis.resolvedPath,
+		allowlistSatisfied: false,
+		safeBinSatisfied: false,
+		requiresApproval: false,
+		denied: true,
+		deniedReason: "exec denied: security=deny"
+	};
+	const mergedAllowlist = params.manager.getAgentAllowlist(params.agentId, params.policy.allowlist);
+	const safeBins = new Set(params.policy.safeBins.map((entry) => entry.trim().toLowerCase()).filter(Boolean));
+	const oneTimeApproved = params.manager.consumeOneTimeApproval(params.agentId, params.command);
+	const safeBinSatisfied = isSafeBinUsage(analysis, safeBins);
+	let allowlistSatisfied = false;
+	let allowlistPattern;
+	if (analysis.ok && analysis.executableName) if (oneTimeApproved) {
+		allowlistSatisfied = true;
+		allowlistPattern = "one-time-approval";
+	} else {
+		for (const entry of mergedAllowlist) if (matchAllowlistPattern(entry.pattern, analysis.executableName, analysis.resolvedPath)) {
+			allowlistSatisfied = true;
+			allowlistPattern = entry.pattern;
+			break;
+		}
+		if (!allowlistSatisfied && safeBinSatisfied) {
+			allowlistSatisfied = true;
+			allowlistPattern = `safe-bin:${analysis.executableName.toLowerCase()}`;
+		}
+	}
+	if (security === "full") {
+		if (ask === "always") return {
+			analysisOk: analysis.ok,
+			reason: analysis.reason,
+			executableName: analysis.executableName,
+			resolvedPath: analysis.resolvedPath,
+			allowlistSatisfied,
+			allowlistPattern,
+			safeBinSatisfied,
+			requiresApproval: true,
+			denied: false
+		};
+		return {
+			analysisOk: analysis.ok,
+			reason: analysis.reason,
+			executableName: analysis.executableName,
+			resolvedPath: analysis.resolvedPath,
+			allowlistSatisfied,
+			allowlistPattern,
+			safeBinSatisfied,
+			requiresApproval: false,
+			denied: false
+		};
+	}
+	if (allowlistSatisfied && ask !== "always") return {
+		analysisOk: analysis.ok,
+		reason: analysis.reason,
+		executableName: analysis.executableName,
+		resolvedPath: analysis.resolvedPath,
+		allowlistSatisfied,
+		allowlistPattern,
+		safeBinSatisfied,
+		requiresApproval: false,
+		denied: false
+	};
+	if (ask === "off") return {
+		analysisOk: analysis.ok,
+		reason: analysis.reason,
+		executableName: analysis.executableName,
+		resolvedPath: analysis.resolvedPath,
+		allowlistSatisfied,
+		allowlistPattern,
+		safeBinSatisfied,
+		requiresApproval: false,
+		denied: true,
+		deniedReason: allowlistSatisfied ? "exec denied: ask=off" : "exec denied: allowlist miss"
+	};
+	return {
+		analysisOk: analysis.ok,
+		reason: analysis.reason,
+		executableName: analysis.executableName,
+		resolvedPath: analysis.resolvedPath,
+		allowlistSatisfied,
+		allowlistPattern,
+		safeBinSatisfied,
+		requiresApproval: true,
+		denied: false
+	};
+}
+
+//#endregion
+//#region src/exec-chat.ts
+const APPROVE_USAGE = "Usage: /approve <id> allow-once|allow-always|deny";
+const BASH_USAGE = "Usage: /bash <command>";
+function normalizeDecision(value) {
+	const normalized = value.trim().toLowerCase();
+	if (normalized === "allow-once" || normalized === "allow-always" || normalized === "deny") return normalized;
+	return null;
+}
+function formatExecOutput$1(result) {
+	const lines = [
+		`exitCode: ${result.exitCode}`,
+		result.timedOut ? "timedOut: true" : "timedOut: false",
+		result.truncated ? "truncated: true" : "truncated: false",
+		""
+	];
+	if (result.stdout) {
+		lines.push("stdout:");
+		lines.push(result.stdout);
+		lines.push("");
+	}
+	if (result.stderr) {
+		lines.push("stderr:");
+		lines.push(result.stderr);
+	}
+	if (!result.stdout && !result.stderr) lines.push("No output.");
+	return lines.join("\n").trim();
+}
+async function executeApprovedCommand(options) {
+	const result = await options.runtime.exec(options.command, { timeoutMs: options.timeoutMs });
+	await options.channel.sendMessage(options.target, [
+		`Approval granted. Executed: ${options.command}`,
+		"",
+		formatExecOutput$1(result)
+	].join("\n"));
+}
+async function handleExecChatCommand(options) {
+	const trimmed = options.msg.text.trim();
+	if (!trimmed.startsWith("/")) return { handled: false };
+	const parsed = trimmed.split(/\s+/);
+	const command = (parsed[0] || "").toLowerCase();
+	if (command === "/approve") {
+		if (!options.commandAuthorized) {
+			await options.channel.sendMessage(options.target, "You are not authorized to use this command.");
+			return { handled: true };
+		}
+		const approvalId = parsed[1]?.trim();
+		const decision = parsed[2] ? normalizeDecision(parsed[2]) : null;
+		if (!approvalId || !decision) {
+			await options.channel.sendMessage(options.target, APPROVE_USAGE);
+			return { handled: true };
+		}
+		if (!options.execApprovals.resolve(approvalId, decision, options.msg.userId)) {
+			await options.channel.sendMessage(options.target, `Unknown or expired approval id: ${approvalId}`);
+			return { handled: true };
+		}
+		await options.channel.sendMessage(options.target, `Approval ${decision} recorded for ${approvalId}.`);
+		options.audit({
+			sessionKey: options.sessionKey,
+			actor: "channel",
+			eventType: "exec.approval.resolve",
+			payload: {
+				id: approvalId,
+				decision,
+				resolvedBy: options.msg.userId
+			}
+		});
+		return { handled: true };
+	}
+	if (command !== "/bash") return { handled: false };
+	if (!options.execPolicy.enabled) {
+		await options.channel.sendMessage(options.target, "/bash is disabled. Set runtime.tools.exec.enabled=true (or runtime.tools.bashEnabled=true) to enable.");
+		return { handled: true };
+	}
+	if (!options.commandAuthorized) {
+		await options.channel.sendMessage(options.target, "You are not authorized to use this command.");
+		return { handled: true };
+	}
+	if (!options.msg.text.slice(5).trim()) {
+		await options.channel.sendMessage(options.target, BASH_USAGE);
+		return { handled: true };
+	}
+	const bashCommand = options.msg.text.slice(5).trim();
+	const evaluation = evaluateExecPolicy({
+		command: bashCommand,
+		agentId: options.agentId,
+		policy: options.execPolicy,
+		manager: options.execApprovals,
+		cwd: process.cwd(),
+		env: process.env
+	});
+	options.audit({
+		sessionKey: options.sessionKey,
+		actor: "channel",
+		eventType: "exec.chat.request",
+		payload: {
+			command: bashCommand,
+			security: options.execPolicy.security,
+			ask: options.execPolicy.ask,
+			allowlistSatisfied: evaluation.allowlistSatisfied,
+			requiresApproval: evaluation.requiresApproval
+		}
+	});
+	if (evaluation.denied) {
+		await options.channel.sendMessage(options.target, evaluation.deniedReason || "Command denied by policy.");
+		return { handled: true };
+	}
+	if (evaluation.requiresApproval) {
+		const approval = options.execApprovals.request({
+			command: bashCommand,
+			agentId: options.agentId,
+			sessionKey: options.sessionKey,
+			resolvedPath: evaluation.resolvedPath,
+			timeoutMs: options.execPolicy.approvalTimeoutMs,
+			target: {
+				channel: options.target.channel,
+				chatId: options.target.chatId,
+				accountId: options.target.accountId
+			},
+			onApproved: async (record) => {
+				if (record.decision === "deny") return;
+				await executeApprovedCommand({
+					runtime: options.runtime,
+					channel: options.channel,
+					target: options.target,
+					command: bashCommand,
+					timeoutMs: options.execPolicy.approvalTimeoutMs
+				});
+			}
+		});
+		await options.channel.sendMessage(options.target, [
+			"Approval required for this command.",
+			`id: ${approval.id}`,
+			`expiresAt: ${new Date(approval.expiresAtMs).toISOString()}`,
+			"",
+			`Approve with: /approve ${approval.id} allow-once|allow-always|deny`
+		].join("\n"));
+		return { handled: true };
+	}
+	try {
+		const result = await options.runtime.exec(bashCommand, { timeoutMs: options.execPolicy.approvalTimeoutMs });
+		if (evaluation.allowlistPattern && !evaluation.allowlistPattern.startsWith("safe-bin:") && evaluation.allowlistPattern !== "one-time-approval") options.execApprovals.recordAllowlistUse(options.agentId, evaluation.allowlistPattern, bashCommand, evaluation.resolvedPath);
+		await options.channel.sendMessage(options.target, formatExecOutput$1(result));
+	} catch (error) {
+		const message = error instanceof Error ? error.message : String(error);
+		await options.channel.sendMessage(options.target, `Command failed: ${message}`);
+	}
+	return { handled: true };
+}
+
 //#endregion
 //#region src/gateway/methods/agent.ts
 const agentParamsSchema = z.object({
@@ -5083,14 +5662,12 @@ const configGetMethod = async (_params, context) => {
 const configSetMethod = async (params, context) => {
 	const parsed = configSetParamsSchema.parse(params);
 	context.writeFileConfig(parsed.config);
-	writeOpenClawMirror(loadConfig());
 	return { ok: true };
 };
 const configPatchMethod = async (params, context) => {
 	const parsed = configPatchParamsSchema.parse(params);
 	const merged = deepMerge(context.readFileConfig(), parsed.patch);
 	context.writeFileConfig(merged);
-	writeOpenClawMirror(loadConfig());
 	return { ok: true };
 };
 
@@ -5109,6 +5686,68 @@ const cronStatusMethod = async (_params, context) => {
 	};
 };
 
+//#endregion
+//#region src/gateway/methods/exec-approvals.ts
+const requestParamsSchema = z.object({
+	command: z.string().min(1),
+	agentId: z.string().min(1).optional(),
+	sessionKey: z.string().min(1).optional(),
+	resolvedPath: z.string().min(1).optional(),
+	timeoutMs: z.number().int().positive().optional()
+});
+const resolveParamsSchema = z.object({
+	id: z.string().min(1),
+	decision: z.enum([
+		"allow-once",
+		"allow-always",
+		"deny"
+	]),
+	resolvedBy: z.string().min(1).optional()
+});
+const setParamsSchema = z.object({ file: z.unknown() });
+const execApprovalRequestMethod = async (params, context) => {
+	const parsed = requestParamsSchema.parse(params);
+	const record = context.execApprovals.request({
+		command: parsed.command,
+		agentId: parsed.agentId ?? "main",
+		sessionKey: parsed.sessionKey,
+		resolvedPath: parsed.resolvedPath,
+		timeoutMs: parsed.timeoutMs
+	});
+	return {
+		id: record.id,
+		createdAtMs: record.createdAtMs,
+		expiresAtMs: record.expiresAtMs,
+		command: record.command,
+		agentId: record.agentId
+	};
+};
+const execApprovalResolveMethod = async (params, context) => {
+	const parsed = resolveParamsSchema.parse(params);
+	const record = context.execApprovals.resolve(parsed.id, parsed.decision, parsed.resolvedBy);
+	if (!record) throw new Error(`Unknown or expired approval id: ${parsed.id}`);
+	return {
+		ok: true,
+		id: record.id,
+		decision: parsed.decision,
+		resolvedBy: parsed.resolvedBy ?? null,
+		resolvedAtMs: record.resolvedAtMs ?? Date.now()
+	};
+};
+const execApprovalsGetMethod = async (_params, context) => {
+	return {
+		path: context.execApprovals.getConfigPath(),
+		file: context.execApprovals.getSnapshot()
+	};
+};
+const execApprovalsSetMethod = async (params, context) => {
+	const parsed = setParamsSchema.parse(params);
+	return {
+		ok: true,
+		file: context.execApprovals.setSnapshot(parsed.file)
+	};
+};
+
 //#endregion
 //#region src/gateway/methods/health.ts
 const healthMethod = async (_params, context) => {
@@ -5347,14 +5986,20 @@ const gatewayMethodHandlers = {
 	"chat.abort": chatAbortMethod,
 	"cron.list": cronListMethod,
 	"cron.status": cronStatusMethod,
-	"logs.tail": logsTailMethod
+	"logs.tail": logsTailMethod,
+	"exec.approval.request": execApprovalRequestMethod,
+	"exec.approval.resolve": execApprovalResolveMethod,
+	"exec.approvals.get": execApprovalsGetMethod,
+	"exec.approvals.set": execApprovalsSetMethod
 };
 const gatewayEventNames = [
 	"tick",
 	"health",
 	"agent",
 	"chat",
-	"shutdown"
+	"shutdown",
+	"exec.approval.requested",
+	"exec.approval.resolved"
 ];
 
 //#endregion
@@ -5570,6 +6215,7 @@ function resolveUiDirectory() {
 }
 var HovClawGatewayServer = class {
 	db;
+	execApprovals;
 	agentManager;
 	channels;
 	readFileConfig;
@@ -5585,6 +6231,7 @@ var HovClawGatewayServer = class {
 	constructor(options) {
 		this.runtimeConfig = options.config;
 		this.db = options.db;
+		this.execApprovals = options.execApprovals;
 		this.agentManager = options.agentManager;
 		this.channels = options.channels;
 		this.readFileConfig = options.readFileConfig;
@@ -5858,6 +6505,7 @@ var HovClawGatewayServer = class {
 		const context = {
 			config: this.runtimeConfig,
 			db: this.db,
+			execApprovals: this.execApprovals,
 			agentManager: this.agentManager,
 			channels: this.channels,
 			startedAt: this.startedAt,
@@ -6851,150 +7499,386 @@ function normalizeErrorMessage(error) {
 	if (error instanceof Error) return error.message;
 	return String(error);
 }
-function createTools({ runtime, audit, bashEnabled }) {
+function resolveExecAgentId() {
+	const context = getRuntimeSessionContext();
+	if (context?.agentName?.trim()) return context.agentName.trim();
+	if (context?.sessionKey?.trim()) {
+		const first = context.sessionKey.split(":")[0];
+		if (first?.trim()) return first.trim();
+	}
+	return "main";
+}
+function formatExecOutput(result) {
+	return [
+		`exitCode: ${result.exitCode}`,
+		result.timedOut ? "timedOut: true" : "timedOut: false",
+		result.truncated ? "truncated: true" : "truncated: false",
+		"",
+		result.stdout ? `stdout:\n${result.stdout}` : "stdout: <empty>",
+		"",
+		result.stderr ? `stderr:\n${result.stderr}` : "stderr: <empty>"
+	].join("\n");
+}
+function firstToken(command) {
+	const trimmed = command.trim();
+	if (!trimmed) return "";
+	return trimmed.split(/\s+/)[0] ?? "";
+}
+function diagnosticsCommandsForPlatform(platform) {
+	const common = [
+		{
+			key: "os",
+			command: "uname -a"
+		},
+		{
+			key: "uptime",
+			command: "uptime"
+		},
+		{
+			key: "disk",
+			command: "df -h"
+		},
+		{
+			key: "processes",
+			command: "ps -A"
+		}
+	];
+	if (platform === "darwin") return [
+		...common,
+		{
+			key: "memory",
+			command: "vm_stat"
+		},
+		{
+			key: "cpu",
+			command: "sysctl -n machdep.cpu.brand_string"
+		},
+		{
+			key: "network",
+			command: "ifconfig"
+		}
+	];
+	if (platform === "linux") return [
+		...common,
+		{
+			key: "memory",
+			command: "free -m"
+		},
+		{
+			key: "cpu",
+			command: "lscpu"
+		},
+		{
+			key: "network",
+			command: "ip addr"
+		}
+	];
+	if (platform === "win32") return [
+		{
+			key: "os",
+			command: "ver"
+		},
+		{
+			key: "uptime",
+			command: "net stats workstation"
+		},
+		{
+			key: "disk",
+			command: "wmic logicaldisk get size,freespace,caption"
+		},
+		{
+			key: "processes",
+			command: "tasklist"
+		},
+		{
+			key: "cpu",
+			command: "wmic cpu get name"
+		},
+		{
+			key: "memory",
+			command: "wmic os get totalvisiblememorysize,freephysicalmemory"
+		},
+		{
+			key: "network",
+			command: "ipconfig"
+		}
+	];
+	return common;
+}
+function createTools({ runtime, audit, execPolicy, execApprovals }) {
 	const parser = new Parser();
-	const bashTool = {
-		name: "bash",
-		label: "Bash",
-		description: "Run a shell command on allowed command prefixes only.",
-		parameters: Type.Object({
-			command: Type.String(),
-			timeoutMs: Type.Optional(Type.Number({
-				minimum: 1e3,
-				maximum: 12e4
-			}))
-		}),
-		execute: async (_toolCallId, params) => {
-			audit({
-				actor: "tool",
-				eventType: "tool.exec",
-				payload: { command: params.command }
+	const execSchema = Type.Object({
+		command: Type.String(),
+		timeoutMs: Type.Optional(Type.Number({
+			minimum: 1e3,
+			maximum: 12e4
+		}))
+	});
+	async function executeCommandWithPolicy(toolName, params) {
+		const command = params.command.trim();
+		if (!command) throw new Error("Command cannot be empty.");
+		const sessionContext = getRuntimeSessionContext();
+		const agentId = resolveExecAgentId();
+		const evaluation = evaluateExecPolicy({
+			command,
+			agentId,
+			policy: execPolicy,
+			manager: execApprovals,
+			cwd: sessionContext?.workspaceDir,
+			env: process.env
+		});
+		audit({
+			sessionKey: sessionContext?.sessionKey,
+			actor: "tool",
+			eventType: "tool.exec",
+			payload: {
+				toolName,
+				command,
+				security: execPolicy.security,
+				ask: execPolicy.ask,
+				allowlistSatisfied: evaluation.allowlistSatisfied,
+				safeBinSatisfied: evaluation.safeBinSatisfied,
+				analysisOk: evaluation.analysisOk,
+				requiresApproval: evaluation.requiresApproval
+			}
+		});
+		if (evaluation.denied) throw new Error(evaluation.deniedReason || "exec denied by policy");
+		if (evaluation.requiresApproval) {
+			const approval = execApprovals.request({
+				command,
+				agentId,
+				sessionKey: sessionContext?.sessionKey,
+				resolvedPath: evaluation.resolvedPath,
+				timeoutMs: execPolicy.approvalTimeoutMs
 			});
-			const result = await runtime.exec(params.command, { timeoutMs: params.timeoutMs });
 			return textResult([
-				`exitCode: ${result.exitCode}`,
-				result.timedOut ? "timedOut: true" : "timedOut: false",
-				result.truncated ? "truncated: true" : "truncated: false",
-				"",
-				result.stdout ? `stdout:\n${result.stdout}` : "stdout: <empty>",
+				`approvalRequired: true`,
+				`approvalId: ${approval.id}`,
+				`expiresAtMs: ${approval.expiresAtMs}`,
 				"",
-				result.stderr ? `stderr:\n${result.stderr}` : "stderr: <empty>"
-			].join("\n"), result);
-		}
-	};
-	const readFileTool = {
-		name: "read_file",
-		label: "Read File",
-		description: "Read a text file from an allowlisted path.",
-		parameters: Type.Object({
-			path: Type.String(),
-			maxBytes: Type.Optional(Type.Number({
-				minimum: 128,
-				maximum: 1e6
-			}))
-		}),
-		execute: async (_toolCallId, params) => {
-			audit({
-				actor: "tool",
-				eventType: "tool.read_file",
-				payload: { path: params.path }
+				"Run /approve <id> allow-once|allow-always|deny, then retry the command."
+			].join("\n"), {
+				status: "approval-pending",
+				approvalId: approval.id,
+				expiresAtMs: approval.expiresAtMs,
+				command,
+				resolvedPath: evaluation.resolvedPath,
+				analysisOk: evaluation.analysisOk
 			});
-			const result = await runtime.readFile(params.path, { maxOutputBytes: params.maxBytes });
-			return textResult(result.content, result);
 		}
-	};
-	const writeFileTool = {
-		name: "write_file",
-		label: "Write File",
-		description: "Write UTF-8 text content to an allowlisted path.",
-		parameters: Type.Object({
-			path: Type.String(),
-			content: Type.String()
-		}),
+		const result = await runtime.exec(command, { timeoutMs: params.timeoutMs });
+		if (evaluation.allowlistPattern && !evaluation.allowlistPattern.startsWith("safe-bin:") && evaluation.allowlistPattern !== "one-time-approval") execApprovals.recordAllowlistUse(agentId, evaluation.allowlistPattern, command, evaluation.resolvedPath);
+		return textResult(formatExecOutput(result), {
+			...result,
+			command,
+			resolvedPath: evaluation.resolvedPath
+		});
+	}
+	const execTool = {
+		name: "exec",
+		label: "Exec",
+		description: "Run a shell command with approval and allowlist policy.",
+		parameters: execSchema,
 		execute: async (_toolCallId, params) => {
-			audit({
-				actor: "tool",
-				eventType: "tool.write_file",
-				payload: {
-					path: params.path,
-					bytes: Buffer.byteLength(params.content, "utf8")
-				}
-			});
-			const result = await runtime.writeFile(params.path, params.content);
-			return textResult(`Wrote ${result.bytesWritten} bytes to ${params.path}.`, result);
+			return executeCommandWithPolicy("exec", params);
 		}
 	};
-	const webSearchTool = {
-		name: "web_search",
-		label: "Web Search",
-		description: "Fetch a URL and return readable article text.",
-		parameters: Type.Object({ url: Type.String({ format: "uri" }) }),
+	const bashTool = {
+		name: "bash",
+		label: "Bash",
+		description: "Compatibility alias for exec tool policy.",
+		parameters: execSchema,
 		execute: async (_toolCallId, params) => {
-			audit({
-				actor: "tool",
-				eventType: "tool.fetch_web",
-				payload: { url: params.url }
-			});
-			const result = await runtime.fetchWeb(params.url);
-			return textResult(`${result.title ? `# ${result.title}\n\n` : ""}${result.markdown}`.trim(), result);
+			return executeCommandWithPolicy("bash", params);
 		}
 	};
-	const fetchPodcastFeedTool = {
-		name: "fetch_podcast_feed",
-		label: "Fetch Podcast Feed",
-		description: "Fetch one or more RSS podcast feeds and return recent episodes.",
+	const diagnoseDeviceTool = {
+		name: "diagnose_device",
+		label: "Diagnose Device",
+		description: "Run read-only core diagnostics for OS, CPU, memory, disk, network, and process status.",
 		parameters: Type.Object({
-			urls: Type.Array(Type.String({ format: "uri" }), {
-				minItems: 1,
-				maxItems: 20
-			}),
-			limitPerFeed: Type.Optional(Type.Number({
-				minimum: 1,
-				maximum: 50
+			profile: Type.Optional(Type.String({ default: "core" })),
+			timeoutMs: Type.Optional(Type.Number({
+				minimum: 1e3,
+				maximum: 12e4
 			}))
 		}),
 		execute: async (_toolCallId, params) => {
-			const limit = params.limitPerFeed ?? 5;
-			const output = [];
-			for (const url of params.urls) try {
-				const feed = await parser.parseURL(url);
-				const episodes = (feed.items ?? []).slice(0, limit).map((item) => ({
-					title: item.title ?? "Untitled episode",
-					publishedAt: item.pubDate || item.isoDate || null,
-					link: item.link ?? "",
-					summary: (item.contentSnippet || item.content || item.summary || "").replace(/\s+/g, " ").trim().slice(0, 400) || "No summary available."
-				}));
-				output.push({
-					url,
-					title: feed.title ?? "Untitled feed",
-					episodes
+			const profile = (params.profile || "core").trim().toLowerCase();
+			if (profile !== "core") throw new Error(`Unsupported diagnostic profile: ${profile}`);
+			const timeoutMs = params.timeoutMs ?? 1e4;
+			const commands = diagnosticsCommandsForPlatform(process.platform);
+			const sections = [];
+			for (const entry of commands) try {
+				const result = await runtime.exec(entry.command, {
+					timeoutMs,
+					allowedCommandPrefixes: [firstToken(entry.command)]
+				});
+				sections.push({
+					key: entry.key,
+					command: entry.command,
+					ok: result.exitCode === 0 && !result.timedOut,
+					exitCode: result.exitCode,
+					stdout: result.stdout,
+					stderr: result.stderr,
+					timedOut: result.timedOut,
+					truncated: result.truncated
 				});
 			} catch (error) {
-				output.push({
-					url,
-					title: "Unknown feed",
-					episodes: [],
-					error: normalizeErrorMessage(error)
+				sections.push({
+					key: entry.key,
+					command: entry.command,
+					ok: false,
+					exitCode: 1,
+					stdout: "",
+					stderr: normalizeErrorMessage(error),
+					timedOut: false,
+					truncated: false
 				});
 			}
 			audit({
 				actor: "tool",
-				eventType: "tool.fetch_podcast_feed",
+				eventType: "tool.diagnose_device",
 				payload: {
-					urls: params.urls,
-					limitPerFeed: limit
+					profile,
+					commandCount: sections.length,
+					failed: sections.filter((entry) => !entry.ok).length
 				}
 			});
-			return textResult(output.map((feed) => {
-				if (feed.error) return `Feed: ${feed.url}\nError: ${feed.error}`;
-				const episodesText = feed.episodes.map((episode, index) => `${index + 1}. ${episode.title}${episode.publishedAt ? ` (${episode.publishedAt})` : ""}\n${episode.link}\n${episode.summary}`).join("\n\n");
-				return `Feed: ${feed.title}\nSource: ${feed.url}\n\n${episodesText}`;
-			}).join("\n\n---\n\n"), output);
+			const summaryLines = [
+				`profile: ${profile}`,
+				`platform: ${process.platform}`,
+				`sections: ${sections.length}`,
+				`failed: ${sections.filter((entry) => !entry.ok).length}`
+			];
+			for (const section of sections) {
+				summaryLines.push("");
+				summaryLines.push(`[${section.key}] ${section.command}`);
+				summaryLines.push(`ok=${section.ok} exitCode=${section.exitCode} timedOut=${section.timedOut}`);
+				if (section.stdout) summaryLines.push(`stdout:\n${section.stdout}`);
+				if (section.stderr) summaryLines.push(`stderr:\n${section.stderr}`);
+			}
+			return textResult(summaryLines.join("\n"), {
+				profile,
+				platform: process.platform,
+				sections
+			});
 		}
 	};
-	const tools = [];
-	if (bashEnabled) tools.push(bashTool);
-	tools.push(readFileTool, writeFileTool, webSearchTool, fetchPodcastFeedTool);
+	const tools = [
+		{
+			name: "read_file",
+			label: "Read File",
+			description: "Read a text file from an allowlisted path.",
+			parameters: Type.Object({
+				path: Type.String(),
+				maxBytes: Type.Optional(Type.Number({
+					minimum: 128,
+					maximum: 1e6
+				}))
+			}),
+			execute: async (_toolCallId, params) => {
+				audit({
+					actor: "tool",
+					eventType: "tool.read_file",
+					payload: { path: params.path }
+				});
+				const result = await runtime.readFile(params.path, { maxOutputBytes: params.maxBytes });
+				return textResult(result.content, result);
+			}
+		},
+		{
+			name: "write_file",
+			label: "Write File",
+			description: "Write UTF-8 text content to an allowlisted path.",
+			parameters: Type.Object({
+				path: Type.String(),
+				content: Type.String()
+			}),
+			execute: async (_toolCallId, params) => {
+				audit({
+					actor: "tool",
+					eventType: "tool.write_file",
+					payload: {
+						path: params.path,
+						bytes: Buffer.byteLength(params.content, "utf8")
+					}
+				});
+				const result = await runtime.writeFile(params.path, params.content);
+				return textResult(`Wrote ${result.bytesWritten} bytes to ${params.path}.`, result);
+			}
+		},
+		{
+			name: "web_search",
+			label: "Web Search",
+			description: "Fetch a URL and return readable article text.",
+			parameters: Type.Object({ url: Type.String({ format: "uri" }) }),
+			execute: async (_toolCallId, params) => {
+				audit({
+					actor: "tool",
+					eventType: "tool.fetch_web",
+					payload: { url: params.url }
+				});
+				const result = await runtime.fetchWeb(params.url);
+				return textResult(`${result.title ? `# ${result.title}\n\n` : ""}${result.markdown}`.trim(), result);
+			}
+		},
+		{
+			name: "fetch_podcast_feed",
+			label: "Fetch Podcast Feed",
+			description: "Fetch one or more RSS podcast feeds and return recent episodes.",
+			parameters: Type.Object({
+				urls: Type.Array(Type.String({ format: "uri" }), {
+					minItems: 1,
+					maxItems: 20
+				}),
+				limitPerFeed: Type.Optional(Type.Number({
+					minimum: 1,
+					maximum: 50
+				}))
+			}),
+			execute: async (_toolCallId, params) => {
+				const limit = params.limitPerFeed ?? 5;
+				const output = [];
+				for (const url of params.urls) try {
+					const feed = await parser.parseURL(url);
+					const episodes = (feed.items ?? []).slice(0, limit).map((item) => ({
+						title: item.title ?? "Untitled episode",
+						publishedAt: item.pubDate || item.isoDate || null,
+						link: item.link ?? "",
+						summary: (item.contentSnippet || item.content || item.summary || "").replace(/\s+/g, " ").trim().slice(0, 400) || "No summary available."
+					}));
+					output.push({
+						url,
+						title: feed.title ?? "Untitled feed",
+						episodes
+					});
+				} catch (error) {
+					output.push({
+						url,
+						title: "Unknown feed",
+						episodes: [],
+						error: normalizeErrorMessage(error)
+					});
+				}
+				audit({
+					actor: "tool",
+					eventType: "tool.fetch_podcast_feed",
+					payload: {
+						urls: params.urls,
+						limitPerFeed: limit
+					}
+				});
+				return textResult(output.map((feed) => {
+					if (feed.error) return `Feed: ${feed.url}\nError: ${feed.error}`;
+					const episodesText = feed.episodes.map((episode, index) => `${index + 1}. ${episode.title}${episode.publishedAt ? ` (${episode.publishedAt})` : ""}\n${episode.link}\n${episode.summary}`).join("\n\n");
+					return `Feed: ${feed.title}\nSource: ${feed.url}\n\n${episodesText}`;
+				}).join("\n\n---\n\n"), output);
+			}
+		},
+		diagnoseDeviceTool
+	];
+	if (execPolicy.enabled) tools.unshift(execTool, bashTool);
 	return tools;
 }
 
@@ -7082,7 +7966,6 @@ async function main() {
 	} catch (error) {
 		logger.warn({ error }, "Workspace bootstrap failed");
 	}
-	writeOpenClawMirror(config);
 	const db = new HovClawDb(path.join(config.storeDir, "hovclaw.db"));
 	db.ping();
 	const runtime = config.runtime.mode === "container" ? new ContainerRuntime({
@@ -7101,10 +7984,40 @@ async function main() {
 		allowedWriteRoots: config.runtime.allowedWriteRoots,
 		allowedCommandPrefixes: config.runtime.allowedCommandPrefixes
 	});
+	let emitGatewayEvent = null;
+	const execApprovals = new ExecApprovalsManager({
+		storeDir: config.storeDir,
+		defaults: {
+			security: config.runtime.tools.exec.security,
+			ask: config.runtime.tools.exec.ask
+		},
+		onRequested: (record) => {
+			emitGatewayEvent?.("exec.approval.requested", {
+				id: record.id,
+				request: {
+					command: record.command,
+					agentId: record.agentId,
+					sessionKey: record.sessionKey,
+					resolvedPath: record.resolvedPath
+				},
+				createdAtMs: record.createdAtMs,
+				expiresAtMs: record.expiresAtMs
+			});
+		},
+		onResolved: (record) => {
+			emitGatewayEvent?.("exec.approval.resolved", {
+				id: record.id,
+				decision: record.decision,
+				resolvedBy: record.resolvedBy ?? null,
+				resolvedAtMs: record.resolvedAtMs
+			});
+		}
+	});
 	const agentManager = new PiAgentManager(db, createTools({
 		runtime,
 		audit: (record) => db.appendAuditEvent(record),
-		bashEnabled: config.runtime.tools.bashEnabled
+		execPolicy: config.runtime.tools.exec,
+		execApprovals
 	}));
 	let lastMessageAt = null;
 	const telegramPairingStore = new TelegramPairingStore(config.storeDir);
@@ -7128,6 +8041,19 @@ async function main() {
 		if (!normalizedPrompt) return;
 		let thinkingLevel = config.commands.defaultThinkingLevel;
 		let thinkingLevelForced = false;
+		const commandAuthorized = isCommandAuthorized(config, msg);
+		if ((await handleExecChatCommand({
+			msg,
+			target,
+			channel,
+			runtime,
+			execApprovals,
+			execPolicy: config.runtime.tools.exec,
+			commandAuthorized,
+			agentId,
+			sessionKey,
+			audit: (record) => db.appendAuditEvent(record)
+		})).handled) return;
 		if (msg.channel === "telegram") {
 			const policy = evaluateTelegramPolicy({
 				config,
@@ -7272,12 +8198,16 @@ async function main() {
 	const gatewayServer = config.gateway.enabled ? new HovClawGatewayServer({
 		config,
 		db,
+		execApprovals,
 		agentManager,
 		channels,
 		getChannelStatus: () => channelPluginManager.buildStatusPayload(),
 		readFileConfig,
 		writeFileConfig
 	}) : null;
+	emitGatewayEvent = gatewayServer ? (event, payload) => {
+		gatewayServer.emitEvent(event, payload);
+	} : null;
 	gatewayServer?.start();
 	const healthPortRaw = process.env.HEALTH_PORT || "8787";
 	const healthPort = Number(healthPortRaw);