feat: route exec approvals via gateway

2026-01-20 12:03:18 +00:00
parent 67be9aed28
commit 87343c374e
12 changed files with 359 additions and 5 deletions
--- a/apps/macos/Sources/Clawdbot/ExecApprovalsSocket.swift
+++ b/apps/macos/Sources/Clawdbot/ExecApprovalsSocket.swift
@@ -46,6 +46,7 @@ private struct ExecHostRequest: Codable {
    var needsScreenRecording: Bool?
    var agentId: String?
    var sessionKey: String?
+    var approvalDecision: ExecApprovalDecision?
 }

 private struct ExecHostRunResult: Codable {
@@ -328,8 +329,21 @@ private enum ExecHostExecutor {
            return false
        }()

-        var approvedByAsk = false
-        if requiresAsk {
+        let approvalDecision = request.approvalDecision
+        if approvalDecision == .deny {
+            return ExecHostResponse(
+                type: "exec-res",
+                id: UUID().uuidString,
+                ok: false,
+                payload: nil,
+                error: ExecHostError(
+                    code: "UNAVAILABLE",
+                    message: "SYSTEM_RUN_DENIED: user denied",
+                    reason: "user-denied"))
+        }
+
+        var approvedByAsk = approvalDecision != nil
+        if requiresAsk, approvalDecision == nil {
            let decision = ExecApprovalsPromptPresenter.prompt(
                ExecApprovalPromptRequest(
                    command: displayCommand,
@@ -364,6 +378,13 @@ private enum ExecHostExecutor {
            }
        }

+        if approvalDecision == .allowAlways, security == .allowlist {
+            let pattern = resolution?.resolvedPath ?? resolution?.rawExecutable ?? command.first ?? ""
+            if !pattern.isEmpty {
+                ExecApprovalsStore.addAllowlistEntry(agentId: trimmedAgent, pattern: pattern)
+            }
+        }
+
        if security == .allowlist, allowlistMatch == nil, !skillAllow, !approvedByAsk {
            return ExecHostResponse(
                type: "exec-res",