feat: improve exec approvals defaults and wildcard

docs/cli/approvals.md

@@ -7,8 +7,8 @@ read_when:
 
 # `clawdbot approvals`
 
-Manage exec approvals for the **gateway host** or a **node host**.
-By default, commands target the gateway. Use `--node` to edit a node’s approvals.
+Manage exec approvals for the **local host**, **gateway host**, or a **node host**.
+By default, commands target the local approvals file on disk. Use `--gateway` to target the gateway, or `--node` to target a specific node.
 
 Related:
 - Exec approvals: [Exec approvals](/tools/exec-approvals)
@@ -19,6 +19,7 @@ Related:
 ```bash
 clawdbot approvals get
 clawdbot approvals get --node <id|name|ip>
+clawdbot approvals get --gateway
 ```
 
 ## Replace approvals from a file
@@ -26,6 +27,7 @@ clawdbot approvals get --node <id|name|ip>
 ```bash
 clawdbot approvals set --file ./exec-approvals.json
 clawdbot approvals set --node <id|name|ip> --file ./exec-approvals.json
+clawdbot approvals set --gateway --file ./exec-approvals.json
 ```
 
 ## Allowlist helpers
@@ -33,6 +35,7 @@ clawdbot approvals set --node <id|name|ip> --file ./exec-approvals.json
 ```bash
 clawdbot approvals allowlist add "~/Projects/**/bin/rg"
 clawdbot approvals allowlist add --agent main --node <id|name|ip> "/usr/bin/uptime"
+clawdbot approvals allowlist add --agent "*" "/usr/bin/uname"
 
 clawdbot approvals allowlist remove "~/Projects/**/bin/rg"
 ```
@@ -40,5 +43,6 @@ clawdbot approvals allowlist remove "~/Projects/**/bin/rg"
 ## Notes
 
 - `--node` uses the same resolver as `clawdbot nodes` (id, name, ip, or id prefix).
+- `--agent` defaults to `"*"`, which applies to all agents.
 - The node host must advertise `system.execApprovals.get/set` (macOS app or headless node host).
 - Approvals files are stored per host at `~/.clawdbot/exec-approvals.json`.