feat: add exec approvals allowlists

2026-01-18 01:33:52 +00:00
parent 3a0fd6be3c
commit 0674f1fa3c
21 changed files with 1019 additions and 101 deletions
--- a/apps/macos/Sources/Clawdbot/CommandResolver.swift
+++ b/apps/macos/Sources/Clawdbot/CommandResolver.swift
@@ -214,9 +214,10 @@ enum CommandResolver {
        subcommand: String,
        extraArgs: [String] = [],
        defaults: UserDefaults = .standard,
+        configRoot: [String: Any]? = nil,
        searchPaths: [String]? = nil) -> [String]
    {
-        let settings = self.connectionSettings(defaults: defaults)
+        let settings = self.connectionSettings(defaults: defaults, configRoot: configRoot)
        if settings.mode == .remote, let ssh = self.sshNodeCommand(
            subcommand: subcommand,
            extraArgs: extraArgs,
@@ -264,12 +265,14 @@ enum CommandResolver {
        subcommand: String,
        extraArgs: [String] = [],
        defaults: UserDefaults = .standard,
+        configRoot: [String: Any]? = nil,
        searchPaths: [String]? = nil) -> [String]
    {
        self.clawdbotNodeCommand(
            subcommand: subcommand,
            extraArgs: extraArgs,
            defaults: defaults,
+            configRoot: configRoot,
            searchPaths: searchPaths)
    }

@@ -384,8 +387,11 @@ enum CommandResolver {
        let cliPath: String
    }

-    static func connectionSettings(defaults: UserDefaults = .standard) -> RemoteSettings {
-        let root = ClawdbotConfigFile.loadDict()
+    static func connectionSettings(
+        defaults: UserDefaults = .standard,
+        configRoot: [String: Any]? = nil) -> RemoteSettings
+    {
+        let root = configRoot ?? ClawdbotConfigFile.loadDict()
        let mode = ConnectionModeResolver.resolve(root: root, defaults: defaults).mode
        let target = defaults.string(forKey: remoteTargetKey) ?? ""
        let identity = defaults.string(forKey: remoteIdentityKey) ?? ""
--- a/apps/macos/Sources/Clawdbot/GatewayEnvironment.swift
+++ b/apps/macos/Sources/Clawdbot/GatewayEnvironment.swift
@@ -27,7 +27,11 @@ struct Semver: Comparable, CustomStringConvertible, Sendable {
        else { return nil }
        // Strip prerelease suffix (e.g., "11-4" → "11", "5-beta.1" → "5")
        let patchRaw = String(parts[2])
-        let patchNumeric = patchRaw.split { $0 == "-" || $0 == "+" }.first.flatMap { Int($0) } ?? 0
+        guard let patchToken = patchRaw.split(whereSeparator: { $0 == "-" || $0 == "+" }).first,
+              let patchNumeric = Int(patchToken)
+        else {
+            return nil
+        }
        return Semver(major: major, minor: minor, patch: patchNumeric)
    }

--- a/apps/macos/Sources/Clawdbot/GeneralSettings.swift
+++ b/apps/macos/Sources/Clawdbot/GeneralSettings.swift
@@ -83,27 +83,7 @@ struct GeneralSettings: View {
                        subtitle: "Allow the agent to capture a photo or short video via the built-in camera.",
                        binding: self.$cameraEnabled)

-                    VStack(alignment: .leading, spacing: 6) {
-                        Text("Node Run Commands")
-                            .font(.body)
-
-                        Picker("", selection: self.$state.systemRunPolicy) {
-                            ForEach(SystemRunPolicy.allCases) { policy in
-                                Text(policy.title).tag(policy)
-                            }
-                        }
-                        .labelsHidden()
-                        .pickerStyle(.menu)
-
-                        Text("""
-                        Controls remote command execution on this Mac when it is paired as a node. \
-                        "Always Ask" prompts on each command; "Always Allow" runs without prompts; \
-                        "Never" disables `system.run`.
-                        """)
-                        .font(.footnote)
-                        .foregroundStyle(.tertiary)
-                        .fixedSize(horizontal: false, vertical: true)
-                    }
+                    SystemRunSettingsView()

                    VStack(alignment: .leading, spacing: 6) {
                        Text("Location Access")
--- a/apps/macos/Sources/Clawdbot/MacNodeConfigFile.swift
+++ b/apps/macos/Sources/Clawdbot/MacNodeConfigFile.swift
@@ -38,39 +38,14 @@ enum MacNodeConfigFile {
        }
    }

-    static func systemRunPolicy() -> SystemRunPolicy? {
-        let root = self.loadDict()
-        let systemRun = root["systemRun"] as? [String: Any]
-        let raw = systemRun?["policy"] as? String
-        guard let raw, let policy = SystemRunPolicy(rawValue: raw) else { return nil }
-        return policy
+    private static func systemRunSection(from root: [String: Any]) -> [String: Any] {
+        root["systemRun"] as? [String: Any] ?? [:]
    }

-    static func setSystemRunPolicy(_ policy: SystemRunPolicy) {
+    private static func updateSystemRunSection(_ mutate: (inout [String: Any]) -> Void) {
        var root = self.loadDict()
-        var systemRun = root["systemRun"] as? [String: Any] ?? [:]
-        systemRun["policy"] = policy.rawValue
-        root["systemRun"] = systemRun
-        self.saveDict(root)
-    }
-
-    static func systemRunAllowlist() -> [String]? {
-        let root = self.loadDict()
-        let systemRun = root["systemRun"] as? [String: Any]
-        return systemRun?["allowlist"] as? [String]
-    }
-
-    static func setSystemRunAllowlist(_ allowlist: [String]) {
-        let cleaned = allowlist
-            .map { $0.trimmingCharacters(in: .whitespacesAndNewlines) }
-            .filter { !$0.isEmpty }
-        var root = self.loadDict()
-        var systemRun = root["systemRun"] as? [String: Any] ?? [:]
-        if cleaned.isEmpty {
-            systemRun.removeValue(forKey: "allowlist")
-        } else {
-            systemRun["allowlist"] = cleaned
-        }
+        var systemRun = self.systemRunSection(from: root)
+        mutate(&systemRun)
        if systemRun.isEmpty {
            root.removeValue(forKey: "systemRun")
        } else {
@@ -78,4 +53,147 @@ enum MacNodeConfigFile {
        }
        self.saveDict(root)
    }
+
+    private static func agentSection(_ systemRun: [String: Any], agentId: String) -> [String: Any]? {
+        let agents = systemRun["agents"] as? [String: Any]
+        return agents?[agentId] as? [String: Any]
+    }
+
+    private static func updateAgentSection(
+        _ systemRun: inout [String: Any],
+        agentId: String,
+        mutate: (inout [String: Any]) -> Void)
+    {
+        var agents = systemRun["agents"] as? [String: Any] ?? [:]
+        var entry = agents[agentId] as? [String: Any] ?? [:]
+        mutate(&entry)
+        if entry.isEmpty {
+            agents.removeValue(forKey: agentId)
+        } else {
+            agents[agentId] = entry
+        }
+        if agents.isEmpty {
+            systemRun.removeValue(forKey: "agents")
+        } else {
+            systemRun["agents"] = agents
+        }
+    }
+
+    static func systemRunPolicy(agentId: String? = nil) -> SystemRunPolicy? {
+        let root = self.loadDict()
+        let systemRun = self.systemRunSection(from: root)
+        if let agentId, let agent = self.agentSection(systemRun, agentId: agentId) {
+            let raw = agent["policy"] as? String
+            if let raw, let policy = SystemRunPolicy(rawValue: raw) { return policy }
+        }
+        let raw = systemRun["policy"] as? String
+        guard let raw, let policy = SystemRunPolicy(rawValue: raw) else { return nil }
+        return policy
+    }
+
+    static func setSystemRunPolicy(_ policy: SystemRunPolicy, agentId: String? = nil) {
+        self.updateSystemRunSection { systemRun in
+            if let agentId {
+                self.updateAgentSection(&systemRun, agentId: agentId) { entry in
+                    entry["policy"] = policy.rawValue
+                }
+                return
+            }
+            systemRun["policy"] = policy.rawValue
+        }
+    }
+
+    static func systemRunAutoAllowSkills(agentId: String?) -> Bool? {
+        let root = self.loadDict()
+        let systemRun = self.systemRunSection(from: root)
+        if let agentId, let agent = self.agentSection(systemRun, agentId: agentId) {
+            if let value = agent["autoAllowSkills"] as? Bool { return value }
+        }
+        return systemRun["autoAllowSkills"] as? Bool
+    }
+
+    static func setSystemRunAutoAllowSkills(_ enabled: Bool, agentId: String?) {
+        self.updateSystemRunSection { systemRun in
+            if let agentId {
+                self.updateAgentSection(&systemRun, agentId: agentId) { entry in
+                    entry["autoAllowSkills"] = enabled
+                }
+                return
+            }
+            systemRun["autoAllowSkills"] = enabled
+        }
+    }
+
+    static func systemRunAllowlist(agentId: String?) -> [SystemRunAllowlistEntry]? {
+        let root = self.loadDict()
+        let systemRun = self.systemRunSection(from: root)
+        let raw: [Any]? = {
+            if let agentId, let agent = self.agentSection(systemRun, agentId: agentId) {
+                return agent["allowlist"] as? [Any]
+            }
+            return systemRun["allowlist"] as? [Any]
+        }()
+        guard let raw else { return nil }
+
+        if raw.allSatisfy({ $0 is String }) {
+            let legacy = raw.compactMap { $0 as? String }
+            return legacy.compactMap { key in
+                let pattern = key.trimmingCharacters(in: .whitespacesAndNewlines)
+                guard !pattern.isEmpty else { return nil }
+                return SystemRunAllowlistEntry(
+                    pattern: pattern,
+                    enabled: true,
+                    matchKind: .argv,
+                    source: .manual)
+            }
+        }
+
+        return raw.compactMap { item in
+            guard let dict = item as? [String: Any] else { return nil }
+            return SystemRunAllowlistEntry(dict: dict)
+        }
+    }
+
+    static func setSystemRunAllowlist(_ allowlist: [SystemRunAllowlistEntry], agentId: String?) {
+        let cleaned = allowlist
+            .map { $0 }
+            .filter { !$0.pattern.trimmingCharacters(in: .whitespacesAndNewlines).isEmpty }
+        let raw = cleaned.map { $0.asDict() }
+        self.updateSystemRunSection { systemRun in
+            if let agentId {
+                self.updateAgentSection(&systemRun, agentId: agentId) { entry in
+                    if raw.isEmpty {
+                        entry.removeValue(forKey: "allowlist")
+                    } else {
+                        entry["allowlist"] = raw
+                    }
+                }
+                return
+            }
+            if raw.isEmpty {
+                systemRun.removeValue(forKey: "allowlist")
+            } else {
+                systemRun["allowlist"] = raw
+            }
+        }
+    }
+
+    static func systemRunAllowlistStrings() -> [String]? {
+        let root = self.loadDict()
+        let systemRun = self.systemRunSection(from: root)
+        return systemRun["allowlist"] as? [String]
+    }
+
+    static func setSystemRunAllowlistStrings(_ allowlist: [String]) {
+        let cleaned = allowlist
+            .map { $0.trimmingCharacters(in: .whitespacesAndNewlines) }
+            .filter { !$0.isEmpty }
+        self.updateSystemRunSection { systemRun in
+            if cleaned.isEmpty {
+                systemRun.removeValue(forKey: "allowlist")
+            } else {
+                systemRun["allowlist"] = cleaned
+            }
+        }
+    }
 }
--- a/apps/macos/Sources/Clawdbot/NodeMode/MacNodeRuntime.swift
+++ b/apps/macos/Sources/Clawdbot/NodeMode/MacNodeRuntime.swift
@@ -428,8 +428,32 @@ actor MacNodeRuntime {
            return Self.errorResponse(req, code: .invalidRequest, message: "INVALID_REQUEST: command required")
        }

-        let wasAllowlisted = SystemRunAllowlist.contains(command)
-        switch Self.systemRunPolicy() {
+        let trimmedAgent = params.agentId?.trimmingCharacters(in: .whitespacesAndNewlines) ?? ""
+        let agentId = trimmedAgent.isEmpty ? nil : trimmedAgent
+        let policy = SystemRunPolicy.load(agentId: agentId)
+        let allowlistEntries = SystemRunAllowlistStore.load(agentId: agentId)
+        let resolution = SystemRunCommandResolution.resolve(command: command, cwd: params.cwd)
+        let allowlistMatch = SystemRunAllowlistStore.match(
+            command: command,
+            resolution: resolution,
+            entries: allowlistEntries)
+        let autoAllowSkills = MacNodeConfigFile.systemRunAutoAllowSkills(agentId: agentId) ?? false
+        let skillAllow: Bool
+        if autoAllowSkills, let name = resolution?.executableName {
+            let bins = await SkillBinsCache.shared.currentBins()
+            skillAllow = bins.contains(name)
+        } else {
+            skillAllow = false
+        }
+
+        let shouldPrompt: Bool = {
+            if policy == .never { return false }
+            if allowlistMatch != nil { return false }
+            if skillAllow { return false }
+            return policy == .ask
+        }()
+
+        switch policy {
        case .never:
            return Self.errorResponse(
                req,
@@ -438,16 +462,24 @@ actor MacNodeRuntime {
        case .always:
            break
        case .ask:
-            if !wasAllowlisted {
+            if shouldPrompt {
                let services = await self.mainActorServices()
-                let decision = await services.confirmSystemRun(
+                let decision = await services.confirmSystemRun(context: SystemRunPromptContext(
                    command: SystemRunAllowlist.displayString(for: command),
-                    cwd: params.cwd)
+                    cwd: params.cwd,
+                    agentId: agentId,
+                    executablePath: resolution?.resolvedPath))
                switch decision {
                case .allowOnce:
                    break
                case .allowAlways:
-                    SystemRunAllowlist.add(command)
+                    if let resolvedPath = resolution?.resolvedPath, !resolvedPath.isEmpty {
+                        _ = SystemRunAllowlistStore.add(pattern: resolvedPath, agentId: agentId)
+                    } else if let raw = command.first?.trimmingCharacters(in: .whitespacesAndNewlines),
+                              !raw.isEmpty
+                    {
+                        _ = SystemRunAllowlistStore.add(pattern: raw, agentId: agentId)
+                    }
                case .deny:
                    return Self.errorResponse(
                        req,
@@ -457,6 +489,14 @@ actor MacNodeRuntime {
            }
        }

+        if let match = allowlistMatch {
+            SystemRunAllowlistStore.markUsed(
+                entryId: match.id,
+                command: command,
+                resolvedPath: resolution?.resolvedPath,
+                agentId: agentId)
+        }
+
        let env = Self.sanitizedEnv(params.env)

        if params.needsScreenRecording == true {
--- a/apps/macos/Sources/Clawdbot/NodeMode/MacNodeRuntimeMainActorServices.swift
+++ b/apps/macos/Sources/Clawdbot/NodeMode/MacNodeRuntimeMainActorServices.swift
@@ -9,6 +9,13 @@ enum SystemRunDecision: Sendable {
    case deny
 }

+struct SystemRunPromptContext: Sendable {
+    let command: String
+    let cwd: String?
+    let agentId: String?
+    let executablePath: String?
+}
+
@MainActor
 protocol MacNodeRuntimeMainActorServices: Sendable {
    func recordScreen(
@@ -25,7 +32,7 @@ protocol MacNodeRuntimeMainActorServices: Sendable {
        maxAgeMs: Int?,
        timeoutMs: Int?) async throws -> CLLocation

-    func confirmSystemRun(command: String, cwd: String?) async -> SystemRunDecision
+    func confirmSystemRun(context: SystemRunPromptContext) async -> SystemRunDecision
 }

@MainActor
@@ -67,16 +74,24 @@ final class LiveMacNodeRuntimeMainActorServices: MacNodeRuntimeMainActorServices
            timeoutMs: timeoutMs)
    }

-    func confirmSystemRun(command: String, cwd: String?) async -> SystemRunDecision {
+    func confirmSystemRun(context: SystemRunPromptContext) async -> SystemRunDecision {
        let alert = NSAlert()
        alert.alertStyle = .warning
        alert.messageText = "Allow this command?"

-        var details = "Clawdbot wants to run:\n\n\(command)"
-        let trimmedCwd = cwd?.trimmingCharacters(in: .whitespacesAndNewlines) ?? ""
+        var details = "Clawdbot wants to run:\n\n\(context.command)"
+        let trimmedCwd = context.cwd?.trimmingCharacters(in: .whitespacesAndNewlines) ?? ""
        if !trimmedCwd.isEmpty {
            details += "\n\nWorking directory:\n\(trimmedCwd)"
        }
+        let trimmedAgent = context.agentId?.trimmingCharacters(in: .whitespacesAndNewlines) ?? ""
+        if !trimmedAgent.isEmpty {
+            details += "\n\nAgent:\n\(trimmedAgent)"
+        }
+        let trimmedPath = context.executablePath?.trimmingCharacters(in: .whitespacesAndNewlines) ?? ""
+        if !trimmedPath.isEmpty {
+            details += "\n\nExecutable:\n\(trimmedPath)"
+        }
        details += "\n\nThis runs on this Mac via node mode."
        alert.informativeText = details

--- a/apps/macos/Sources/Clawdbot/SystemRunApprovals.swift
+++ b/apps/macos/Sources/Clawdbot/SystemRunApprovals.swift
@@ -0,0 +1,267 @@
+import Foundation
+
+enum SystemRunAllowlistMatchKind: String {
+    case glob
+    case argv
+}
+
+enum SystemRunAllowlistSource: String {
+    case manual
+    case skill
+}
+
+struct SystemRunAllowlistEntry: Identifiable, Hashable {
+    let id: String
+    var pattern: String
+    var enabled: Bool
+    var matchKind: SystemRunAllowlistMatchKind
+    var source: SystemRunAllowlistSource?
+    var skillId: String?
+    var lastUsedAt: Date?
+    var lastUsedCommand: String?
+    var lastUsedPath: String?
+
+    init(
+        id: String = UUID().uuidString,
+        pattern: String,
+        enabled: Bool = true,
+        matchKind: SystemRunAllowlistMatchKind = .glob,
+        source: SystemRunAllowlistSource? = .manual,
+        skillId: String? = nil,
+        lastUsedAt: Date? = nil,
+        lastUsedCommand: String? = nil,
+        lastUsedPath: String? = nil)
+    {
+        self.id = id
+        self.pattern = pattern
+        self.enabled = enabled
+        self.matchKind = matchKind
+        self.source = source
+        self.skillId = skillId
+        self.lastUsedAt = lastUsedAt
+        self.lastUsedCommand = lastUsedCommand
+        self.lastUsedPath = lastUsedPath
+    }
+
+    init?(dict: [String: Any]) {
+        let id = dict["id"] as? String ?? UUID().uuidString
+        let pattern = (dict["pattern"] as? String)?.trimmingCharacters(in: .whitespacesAndNewlines) ?? ""
+        if pattern.isEmpty { return nil }
+        let enabled = dict["enabled"] as? Bool ?? true
+        let matchRaw = dict["matchKind"] as? String
+        let matchKind = SystemRunAllowlistMatchKind(rawValue: matchRaw ?? "") ?? .glob
+        let sourceRaw = dict["source"] as? String
+        let source = SystemRunAllowlistSource(rawValue: sourceRaw ?? "")
+        let skillId = (dict["skillId"] as? String)?.trimmingCharacters(in: .whitespacesAndNewlines)
+        let lastUsedAt = (dict["lastUsedAt"] as? Double).map { Date(timeIntervalSince1970: $0) }
+        let lastUsedCommand = dict["lastUsedCommand"] as? String
+        let lastUsedPath = dict["lastUsedPath"] as? String
+
+        self.init(
+            id: id,
+            pattern: pattern,
+            enabled: enabled,
+            matchKind: matchKind,
+            source: source,
+            skillId: skillId?.isEmpty == true ? nil : skillId,
+            lastUsedAt: lastUsedAt,
+            lastUsedCommand: lastUsedCommand,
+            lastUsedPath: lastUsedPath)
+    }
+
+    func asDict() -> [String: Any] {
+        var dict: [String: Any] = [
+            "id": self.id,
+            "pattern": self.pattern,
+            "enabled": self.enabled,
+            "matchKind": self.matchKind.rawValue,
+        ]
+        if let source = self.source { dict["source"] = source.rawValue }
+        if let skillId = self.skillId { dict["skillId"] = skillId }
+        if let lastUsedAt = self.lastUsedAt { dict["lastUsedAt"] = lastUsedAt.timeIntervalSince1970 }
+        if let lastUsedCommand = self.lastUsedCommand { dict["lastUsedCommand"] = lastUsedCommand }
+        if let lastUsedPath = self.lastUsedPath { dict["lastUsedPath"] = lastUsedPath }
+        return dict
+    }
+}
+
+struct SystemRunCommandResolution: Sendable {
+    let rawExecutable: String
+    let resolvedPath: String?
+    let executableName: String
+    let cwd: String?
+
+    static func resolve(command: [String], cwd: String?) -> SystemRunCommandResolution? {
+        guard let raw = command.first?.trimmingCharacters(in: .whitespacesAndNewlines), !raw.isEmpty else {
+            return nil
+        }
+        let expanded = raw.hasPrefix("~") ? (raw as NSString).expandingTildeInPath : raw
+        let hasPathSeparator = expanded.contains("/")
+        let resolvedPath: String? = {
+            if hasPathSeparator {
+                if expanded.hasPrefix("/") {
+                    return expanded
+                }
+                let base = cwd?.trimmingCharacters(in: .whitespacesAndNewlines)
+                let root = (base?.isEmpty == false) ? base! : FileManager.default.currentDirectoryPath
+                return URL(fileURLWithPath: root).appendingPathComponent(expanded).path
+            }
+            return CommandResolver.findExecutable(named: expanded)
+        }()
+        let name = resolvedPath.map { URL(fileURLWithPath: $0).lastPathComponent } ?? expanded
+        return SystemRunCommandResolution(rawExecutable: expanded, resolvedPath: resolvedPath, executableName: name, cwd: cwd)
+    }
+}
+
+enum SystemRunAllowlistStore {
+    static func load(agentId: String?) -> [SystemRunAllowlistEntry] {
+        if let entries = MacNodeConfigFile.systemRunAllowlist(agentId: agentId) {
+            return entries
+        }
+        return []
+    }
+
+    static func save(_ entries: [SystemRunAllowlistEntry], agentId: String?) {
+        MacNodeConfigFile.setSystemRunAllowlist(entries, agentId: agentId)
+    }
+
+    static func add(pattern: String, agentId: String?, source: SystemRunAllowlistSource = .manual) -> SystemRunAllowlistEntry {
+        var entries = self.load(agentId: agentId)
+        let entry = SystemRunAllowlistEntry(pattern: pattern, enabled: true, matchKind: .glob, source: source)
+        entries.append(entry)
+        self.save(entries, agentId: agentId)
+        return entry
+    }
+
+    static func update(_ entry: SystemRunAllowlistEntry, agentId: String?) {
+        var entries = self.load(agentId: agentId)
+        guard let index = entries.firstIndex(where: { $0.id == entry.id }) else { return }
+        entries[index] = entry
+        self.save(entries, agentId: agentId)
+    }
+
+    static func remove(entryId: String, agentId: String?) {
+        let entries = self.load(agentId: agentId).filter { $0.id != entryId }
+        self.save(entries, agentId: agentId)
+    }
+
+    static func markUsed(entryId: String, command: [String], resolvedPath: String?, agentId: String?) {
+        var entries = self.load(agentId: agentId)
+        guard let index = entries.firstIndex(where: { $0.id == entryId }) else { return }
+        entries[index].lastUsedAt = Date()
+        entries[index].lastUsedCommand = SystemRunAllowlist.displayString(for: command)
+        entries[index].lastUsedPath = resolvedPath
+        self.save(entries, agentId: agentId)
+    }
+
+    static func match(
+        command: [String],
+        resolution: SystemRunCommandResolution?,
+        entries: [SystemRunAllowlistEntry]) -> SystemRunAllowlistEntry?
+    {
+        guard !entries.isEmpty else { return nil }
+        let argvKey = SystemRunAllowlist.legacyKey(for: command)
+        let resolvedPath = resolution?.resolvedPath
+        let executableName = resolution?.executableName
+        let rawExecutable = resolution?.rawExecutable
+
+        for entry in entries {
+            guard entry.enabled else { continue }
+            switch entry.matchKind {
+            case .argv:
+                if argvKey == entry.pattern { return entry }
+            case .glob:
+                let pattern = entry.pattern.trimmingCharacters(in: .whitespacesAndNewlines)
+                if pattern.isEmpty { continue }
+                let hasPath = pattern.contains("/") || pattern.contains("~")
+                if hasPath {
+                    let target = resolvedPath ?? rawExecutable
+                    if let target, SystemRunGlob.matches(pattern: pattern, target: target) {
+                        return entry
+                    }
+                } else if let name = executableName, SystemRunGlob.matches(pattern: pattern, target: name) {
+                    return entry
+                }
+            }
+        }
+        return nil
+    }
+}
+
+enum SystemRunGlob {
+    static func matches(pattern rawPattern: String, target: String) -> Bool {
+        let trimmed = rawPattern.trimmingCharacters(in: .whitespacesAndNewlines)
+        guard !trimmed.isEmpty else { return false }
+        let expanded = trimmed.hasPrefix("~") ? (trimmed as NSString).expandingTildeInPath : trimmed
+        guard let regex = self.regex(for: expanded) else { return false }
+        let range = NSRange(location: 0, length: target.utf16.count)
+        return regex.firstMatch(in: target, options: [], range: range) != nil
+    }
+
+    private static func regex(for pattern: String) -> NSRegularExpression? {
+        var regex = "^"
+        var idx = pattern.startIndex
+        while idx < pattern.endIndex {
+            let ch = pattern[idx]
+            if ch == "*" {
+                let next = pattern.index(after: idx)
+                if next < pattern.endIndex, pattern[next] == "*" {
+                    regex += ".*"
+                    idx = pattern.index(after: next)
+                } else {
+                    regex += "[^/]*"
+                    idx = next
+                }
+                continue
+            }
+            if ch == "?" {
+                regex += "."
+                idx = pattern.index(after: idx)
+                continue
+            }
+            regex += NSRegularExpression.escapedPattern(for: String(ch))
+            idx = pattern.index(after: idx)
+        }
+        regex += "$"
+        return try? NSRegularExpression(pattern: regex)
+    }
+}
+
+actor SkillBinsCache {
+    static let shared = SkillBinsCache()
+
+    private var bins: Set<String> = []
+    private var lastRefresh: Date?
+    private let refreshInterval: TimeInterval = 90
+
+    func currentBins(force: Bool = false) async -> Set<String> {
+        if force || self.isStale() {
+            await self.refresh()
+        }
+        return self.bins
+    }
+
+    func refresh() async {
+        do {
+            let report = try await GatewayConnection.shared.skillsStatus()
+            var next = Set<String>()
+            for skill in report.skills {
+                for bin in skill.requirements.bins {
+                    let trimmed = bin.trimmingCharacters(in: .whitespacesAndNewlines)
+                    if !trimmed.isEmpty { next.insert(trimmed) }
+                }
+            }
+            self.bins = next
+            self.lastRefresh = Date()
+        } catch {
+            if self.lastRefresh == nil {
+                self.bins = []
+            }
+        }
+    }
+
+    private func isStale() -> Bool {
+        guard let lastRefresh else { return true }
+        return Date().timeIntervalSince(lastRefresh) > self.refreshInterval
+    }
+}
--- a/apps/macos/Sources/Clawdbot/SystemRunPolicy.swift
+++ b/apps/macos/Sources/Clawdbot/SystemRunPolicy.swift
@@ -18,7 +18,10 @@ enum SystemRunPolicy: String, CaseIterable, Identifiable {
        }
    }

-    static func load(from defaults: UserDefaults = .standard) -> SystemRunPolicy {
+    static func load(agentId: String? = nil, from defaults: UserDefaults = .standard) -> SystemRunPolicy {
+        if let policy = MacNodeConfigFile.systemRunPolicy(agentId: agentId) {
+            return policy
+        }
        if let policy = MacNodeConfigFile.systemRunPolicy() {
            return policy
        }
@@ -40,7 +43,7 @@ enum SystemRunPolicy: String, CaseIterable, Identifiable {
 }

 enum SystemRunAllowlist {
-    static func key(for argv: [String]) -> String {
+    static func legacyKey(for argv: [String]) -> String {
        let trimmed = argv.map { $0.trimmingCharacters(in: .whitespacesAndNewlines) }
        guard !trimmed.isEmpty else { return "" }
        if let data = try? JSONEncoder().encode(trimmed),
@@ -62,28 +65,14 @@ enum SystemRunAllowlist {
        }.joined(separator: " ")
    }

-    static func load(from defaults: UserDefaults = .standard) -> Set<String> {
-        if let allowlist = MacNodeConfigFile.systemRunAllowlist() {
+    static func loadLegacy(from defaults: UserDefaults = .standard) -> Set<String> {
+        if let allowlist = MacNodeConfigFile.systemRunAllowlistStrings() {
            return Set(allowlist)
        }
        if let legacy = defaults.stringArray(forKey: systemRunAllowlistKey), !legacy.isEmpty {
-            MacNodeConfigFile.setSystemRunAllowlist(legacy)
+            MacNodeConfigFile.setSystemRunAllowlistStrings(legacy)
            return Set(legacy)
        }
        return []
    }
-
-    static func contains(_ argv: [String], defaults: UserDefaults = .standard) -> Bool {
-        let key = key(for: argv)
-        return self.load(from: defaults).contains(key)
-    }
-
-    static func add(_ argv: [String], defaults: UserDefaults = .standard) {
-        let key = key(for: argv)
-        guard !key.isEmpty else { return }
-        var allowlist = self.load(from: defaults)
-        if allowlist.insert(key).inserted {
-            MacNodeConfigFile.setSystemRunAllowlist(Array(allowlist).sorted())
-        }
-    }
 }
--- a/apps/macos/Sources/Clawdbot/SystemRunSettingsView.swift
+++ b/apps/macos/Sources/Clawdbot/SystemRunSettingsView.swift
@@ -0,0 +1,291 @@
+import Foundation
+import Observation
+import SwiftUI
+
+struct SystemRunSettingsView: View {
+    @State private var model = SystemRunSettingsModel()
+    @State private var tab: SystemRunSettingsTab = .policy
+    @State private var newPattern: String = ""
+
+    var body: some View {
+        VStack(alignment: .leading, spacing: 8) {
+            HStack(alignment: .center, spacing: 12) {
+                Text("Node Run Commands")
+                    .font(.body)
+                Spacer(minLength: 0)
+                if self.model.agentIds.count > 1 {
+                    Picker("Agent", selection: Binding(
+                        get: { self.model.selectedAgentId },
+                        set: { self.model.selectAgent($0) }))
+                    {
+                        ForEach(self.model.agentIds, id: \.self) { id in
+                            Text(id).tag(id)
+                        }
+                    }
+                    .pickerStyle(.menu)
+                    .frame(width: 160, alignment: .trailing)
+                }
+            }
+
+            Picker("", selection: self.$tab) {
+                ForEach(SystemRunSettingsTab.allCases) { tab in
+                    Text(tab.title).tag(tab)
+                }
+            }
+            .pickerStyle(.segmented)
+            .frame(width: 280)
+
+            if self.tab == .policy {
+                self.policyView
+            } else {
+                self.allowlistView
+            }
+        }
+        .task { await self.model.refresh() }
+        .onChange(of: self.tab) { _, _ in
+            Task { await self.model.refreshSkillBins() }
+        }
+    }
+
+    private var policyView: some View {
+        VStack(alignment: .leading, spacing: 6) {
+            Picker("", selection: Binding(
+                get: { self.model.policy },
+                set: { self.model.setPolicy($0) }))
+            {
+                ForEach(SystemRunPolicy.allCases) { policy in
+                    Text(policy.title).tag(policy)
+                }
+            }
+            .labelsHidden()
+            .pickerStyle(.menu)
+
+            Text("Controls remote command execution on this Mac when it is paired as a node. \"Always Ask\" prompts on each command; \"Always Allow\" runs without prompts; \"Never\" disables system.run.")
+                .font(.footnote)
+                .foregroundStyle(.tertiary)
+                .fixedSize(horizontal: false, vertical: true)
+        }
+    }
+
+    private var allowlistView: some View {
+        VStack(alignment: .leading, spacing: 10) {
+            Toggle("Auto-allow skill CLIs", isOn: Binding(
+                get: { self.model.autoAllowSkills },
+                set: { self.model.setAutoAllowSkills($0) }))
+
+            if self.model.autoAllowSkills, !self.model.skillBins.isEmpty {
+                Text("Skill CLIs: \(self.model.skillBins.joined(separator: ", "))")
+                    .font(.footnote)
+                    .foregroundStyle(.secondary)
+            }
+
+            HStack(spacing: 8) {
+                TextField("Add allowlist pattern (supports globs)", text: self.$newPattern)
+                    .textFieldStyle(.roundedBorder)
+                Button("Add") {
+                    let pattern = self.newPattern.trimmingCharacters(in: .whitespacesAndNewlines)
+                    guard !pattern.isEmpty else { return }
+                    self.model.addEntry(pattern)
+                    self.newPattern = ""
+                }
+                .buttonStyle(.bordered)
+                .disabled(self.newPattern.trimmingCharacters(in: .whitespacesAndNewlines).isEmpty)
+            }
+
+            if self.model.entries.isEmpty {
+                Text("No allowlisted commands yet.")
+                    .font(.footnote)
+                    .foregroundStyle(.secondary)
+            } else {
+                VStack(alignment: .leading, spacing: 8) {
+                    ForEach(Array(self.model.entries.enumerated()), id: \.element.id) { index, _ in
+                        SystemRunAllowlistRow(
+                            entry: Binding(
+                                get: { self.model.entries[index] },
+                                set: { self.model.updateEntry($0) }),
+                            onRemove: { self.model.removeEntry($0.id) })
+                    }
+                }
+            }
+        }
+    }
+}
+
+private enum SystemRunSettingsTab: String, CaseIterable, Identifiable {
+    case policy
+    case allowlist
+
+    var id: String { self.rawValue }
+
+    var title: String {
+        switch self {
+        case .policy: "Policy"
+        case .allowlist: "Allowlist"
+        }
+    }
+}
+
+struct SystemRunAllowlistRow: View {
+    @Binding var entry: SystemRunAllowlistEntry
+    let onRemove: (SystemRunAllowlistEntry) -> Void
+    @State private var draftPattern: String = ""
+
+    private static let relativeFormatter: RelativeDateTimeFormatter = {
+        let formatter = RelativeDateTimeFormatter()
+        formatter.unitsStyle = .short
+        return formatter
+    }()
+
+    var body: some View {
+        VStack(alignment: .leading, spacing: 4) {
+            HStack(spacing: 8) {
+                Toggle("", isOn: self.$entry.enabled)
+                    .labelsHidden()
+
+                TextField("Pattern", text: self.patternBinding)
+                    .textFieldStyle(.roundedBorder)
+
+                if self.entry.matchKind == .argv {
+                    Text("Legacy")
+                        .font(.caption)
+                        .foregroundStyle(.secondary)
+                }
+
+                Button(role: .destructive) {
+                    self.onRemove(self.entry)
+                } label: {
+                    Image(systemName: "trash")
+                }
+                .buttonStyle(.borderless)
+            }
+
+            if let lastUsedAt = self.entry.lastUsedAt {
+                Text("Last used \(Self.relativeFormatter.localizedString(for: lastUsedAt, relativeTo: Date()))")
+                    .font(.caption)
+                    .foregroundStyle(.secondary)
+            } else if let lastUsedCommand = self.entry.lastUsedCommand, !lastUsedCommand.isEmpty {
+                Text("Last used: \(lastUsedCommand)")
+                    .font(.caption)
+                    .foregroundStyle(.secondary)
+            }
+        }
+        .onAppear {
+            self.draftPattern = self.entry.pattern
+        }
+    }
+
+    private var patternBinding: Binding<String> {
+        Binding(
+            get: { self.draftPattern.isEmpty ? self.entry.pattern : self.draftPattern },
+            set: { newValue in
+                self.draftPattern = newValue
+                self.entry.pattern = newValue
+                if self.entry.matchKind == .argv {
+                    self.entry.matchKind = .glob
+                }
+            })
+    }
+}
+
+@MainActor
+@Observable
+final class SystemRunSettingsModel {
+    var agentIds: [String] = []
+    var selectedAgentId: String = "main"
+    var defaultAgentId: String = "main"
+    var policy: SystemRunPolicy = .ask
+    var autoAllowSkills = false
+    var entries: [SystemRunAllowlistEntry] = []
+    var skillBins: [String] = []
+
+    func refresh() async {
+        await self.refreshAgents()
+        self.loadSettings(for: self.selectedAgentId)
+        await self.refreshSkillBins()
+    }
+
+    func refreshAgents() async {
+        let root = await ConfigStore.load()
+        let agents = root["agents"] as? [String: Any]
+        let list = agents?["list"] as? [[String: Any]] ?? []
+        var ids: [String] = []
+        var seen = Set<String>()
+        var defaultId: String?
+        for entry in list {
+            guard let raw = entry["id"] as? String else { continue }
+            let trimmed = raw.trimmingCharacters(in: .whitespacesAndNewlines)
+            guard !trimmed.isEmpty else { continue }
+            if !seen.insert(trimmed).inserted { continue }
+            ids.append(trimmed)
+            if (entry["default"] as? Bool) == true, defaultId == nil {
+                defaultId = trimmed
+            }
+        }
+        if ids.isEmpty {
+            ids = ["main"]
+            defaultId = "main"
+        } else if defaultId == nil {
+            defaultId = ids.first
+        }
+        self.agentIds = ids
+        self.defaultAgentId = defaultId ?? "main"
+        if !self.agentIds.contains(self.selectedAgentId) {
+            self.selectedAgentId = self.defaultAgentId
+        }
+    }
+
+    func selectAgent(_ id: String) {
+        self.selectedAgentId = id
+        self.loadSettings(for: id)
+        Task { await self.refreshSkillBins() }
+    }
+
+    func loadSettings(for agentId: String) {
+        self.policy = SystemRunPolicy.load(agentId: agentId)
+        self.autoAllowSkills = MacNodeConfigFile.systemRunAutoAllowSkills(agentId: agentId) ?? false
+        self.entries = SystemRunAllowlistStore.load(agentId: agentId)
+            .sorted { $0.pattern.localizedCaseInsensitiveCompare($1.pattern) == .orderedAscending }
+    }
+
+    func setPolicy(_ policy: SystemRunPolicy) {
+        self.policy = policy
+        MacNodeConfigFile.setSystemRunPolicy(policy, agentId: self.selectedAgentId)
+        if self.selectedAgentId == self.defaultAgentId || self.agentIds.count <= 1 {
+            AppStateStore.shared.systemRunPolicy = policy
+        }
+    }
+
+    func setAutoAllowSkills(_ enabled: Bool) {
+        self.autoAllowSkills = enabled
+        MacNodeConfigFile.setSystemRunAutoAllowSkills(enabled, agentId: self.selectedAgentId)
+        Task { await self.refreshSkillBins(force: enabled) }
+    }
+
+    func addEntry(_ pattern: String) {
+        let trimmed = pattern.trimmingCharacters(in: .whitespacesAndNewlines)
+        guard !trimmed.isEmpty else { return }
+        let entry = SystemRunAllowlistEntry(pattern: trimmed, enabled: true, matchKind: .glob, source: .manual)
+        self.entries.append(entry)
+        SystemRunAllowlistStore.save(self.entries, agentId: self.selectedAgentId)
+    }
+
+    func updateEntry(_ entry: SystemRunAllowlistEntry) {
+        guard let index = self.entries.firstIndex(where: { $0.id == entry.id }) else { return }
+        self.entries[index] = entry
+        SystemRunAllowlistStore.save(self.entries, agentId: self.selectedAgentId)
+    }
+
+    func removeEntry(_ id: String) {
+        self.entries.removeAll { $0.id == id }
+        SystemRunAllowlistStore.save(self.entries, agentId: self.selectedAgentId)
+    }
+
+    func refreshSkillBins(force: Bool = false) async {
+        guard self.autoAllowSkills else {
+            self.skillBins = []
+            return
+        }
+        let bins = await SkillBinsCache.shared.currentBins(force: force)
+        self.skillBins = bins.sorted()
+    }
+}