Issue Station
Sign In
Tools hereToolbox

openclaw - ✅(Solved) Fix Bug: `tools.exec.host=auto` blocks agent-requested `host=node` — strict equality check prevents dynamic host switching [2 pull requests, 1 participants]

Official PRs (…)
ON THIS PAGE

Recommended Tools

×6

Utilities matched from this issue’s tags and category — try them while you read without losing context.

GitHub issue graph ai analysis

Paste a GitHub issue URL. We fetch that issue, discover linked issues from bodies/comments/timeline, collect linked pull requests, and produce a structured English report.

The report is written in English Markdown for sharing and archival.

Helpful · Quick feedback

Loading…
GitHub stats
openclaw/openclaw#60570Fetched 2026-04-08 02:49:38
View on GitHub
Comments
0
Participants
1
Timeline
4
Reactions
0
Author
gotexisgotexis
Participants
gotexisgotexis
Timeline (top)
cross-referenced ×2referenced ×2

When tools.exec.host is set to "auto" (the default), agents cannot dynamically request host=node to execute commands on a connected node. The request is rejected at the gateway level before reaching the node.

Error Message

})) throw new Error(exec host not allowed ...);

Root Cause

Root Cause (Source Analysis)

Fix Action

Fixed

PR fix notes

PR #60573: fix: allow explicit host requests when tools.exec.host=auto

Description (problem / solution / changelog)

Summary

When tools.exec.host is set to "auto" (the default), agents were blocked from explicitly requesting host=node or host=gateway. This fix makes isRequestedExecTargetAllowed return true when configuredTarget is "auto", allowing agents to explicitly choose any host while preserving the default auto behavior (sandbox when available, otherwise gateway).

Changes

  • Modified isRequestedExecTargetAllowed in src/agents/bash-tools.exec-runtime.ts to return true when configuredTarget === "auto"
  • Updated corresponding tests in src/agents/bash-tools.exec-runtime.test.ts to expect success instead of throwing

Testing

The fix changes two test cases that previously expected exec host not allowed errors to now expect successful execution with the requested host.

Fixes openclaw/openclaw#60570

Changed files

  • src/agents/bash-tools.exec-runtime.test.ts (modified, +16/-6)
  • src/agents/bash-tools.exec-runtime.ts (modified, +4/-3)

PR #60628: fix: allow agent-requested exec host when tools.exec.host=auto

Description (problem / solution / changelog)

Summary

  • Root cause: isRequestedExecTargetAllowed() in src/agents/bash-tools.exec-runtime.ts:227 uses strict equality (requestedTarget === configuredTarget), so when config says "auto" and agent requests "node", the check fails because "node" !== "auto".
  • Fix: Add if (params.configuredTarget === "auto") return true; before the equality check, so auto acts as a permissive default that allows agents to explicitly select any host.
  • Introducing commit: f3a6d13 (Peter Steinberger, 2026-04-03)

Closes #60570

Details

ItemValue
Bug locationsrc/agents/bash-tools.exec-runtime.ts, line 227, function isRequestedExecTargetAllowed
Introducing commitf3a6d13 (test: trim helper partial mocks)
Pattern check (G8)Single-site -- requestedTarget === configuredTarget only appears once in the codebase
Call path (G9)bash-tools.exec.ts:1312 and directive-handling.impl.ts:57 both call resolveExecTarget() which calls isRequestedExecTargetAllowed() at line 248
Other test impactpi-tools-agent-config.test.ts:758 also tests "exec host not allowed" but with configuredTarget: "gateway" (non-auto), so it is unaffected

Files changed

  • src/agents/bash-tools.exec-runtime.ts -- Add early return for auto in isRequestedExecTargetAllowed()
  • src/agents/bash-tools.exec-runtime.test.ts -- Replace 2 "rejects" tests with 3 "allows" tests for auto+node/gateway/sandbox

Test plan

  • Pre-commit hooks pass (tsgo, oxlint, conflict markers, policy checks)
  • Verify resolveExecTarget({configuredTarget: "auto", requestedTarget: "node", ...}) returns effectiveHost: "node" instead of throwing
  • Verify resolveExecTarget({configuredTarget: "gateway", requestedTarget: "node", ...}) still throws "exec host not allowed"
  • Run vitest --config vitest.agents.config.ts bash-tools.exec-runtime to confirm unit tests pass

Generated with Claude Code

Changed files

  • src/agents/bash-tools.exec-runtime.test.ts (modified, +67/-8)
  • src/agents/bash-tools.exec-runtime.ts (modified, +17/-3)

Code Example

exec host not allowed (requested node; configure tools.exec.host=node to allow).

---

function isRequestedExecTargetAllowed(params) {
    return params.requestedTarget === params.configuredTarget;
}

---

function resolveExecTarget(params) {
    const configuredTarget = params.configuredTarget ?? "auto";  // from tools.exec.host
    const requestedTarget = params.requestedTarget ?? null;       // from agent's host param
    
    if (params.elevatedRequested) return { /* gateway bypass */ };
    
    // ★ This is where it fails ★
    if (requestedTarget && !isRequestedExecTargetAllowed({
        configuredTarget,   // "auto"
        requestedTarget     // "node"
    })) throw new Error(`exec host not allowed ...`);
    
    const selectedTarget = requestedTarget ?? configuredTarget;
    // ...
}

---

// pi-embedded-BYdcxQ5A.js:3610
const target = resolveExecTarget({
    configuredTarget: defaults?.host,      // tools.exec.host → "auto"
    requestedTarget: normalizeExecTarget(params.host),  // agent requested "node"
    elevatedRequested,
    sandboxAvailable: Boolean(defaults?.sandbox)
});

---

tools.exec.host = "auto"
    → configuredTarget = "auto"
    → agent requests host="node" → requestedTarget = "node"  
"node" === "auto"false
throw "exec host not allowed"

---

function isRequestedExecTargetAllowed(params) {
    if (params.configuredTarget === "auto") return true;
    return params.requestedTarget === params.configuredTarget;
}
RAW_BUFFERClick to expand / collapse

Summary

When tools.exec.host is set to "auto" (the default), agents cannot dynamically request host=node to execute commands on a connected node. The request is rejected at the gateway level before reaching the node.

Expected Behavior

auto should mean "automatically select the default host (sandbox when available, otherwise gateway), but allow agents to explicitly request other hosts like node or gateway."

An agent calling exec(command="ls", host="node", node="linux", workdir="/home/e") should be allowed when tools.exec.host=auto, since the agent is explicitly choosing a target.

Actual Behavior

exec host not allowed (requested node; configure tools.exec.host=node to allow).

The request never reaches the node — it is rejected inside the gateway process.

Root Cause (Source Analysis)

The issue is in model-runtime-D4KJqIwp.js:

1. isRequestedExecTargetAllowed — strict equality

function isRequestedExecTargetAllowed(params) {
    return params.requestedTarget === params.configuredTarget;
}

This function only returns true when the requested target exactly equals the configured target. There is no special handling for auto.

2. resolveExecTarget — the check that throws

function resolveExecTarget(params) {
    const configuredTarget = params.configuredTarget ?? "auto";  // from tools.exec.host
    const requestedTarget = params.requestedTarget ?? null;       // from agent's host param
    
    if (params.elevatedRequested) return { /* gateway bypass */ };
    
    // ★ This is where it fails ★
    if (requestedTarget && !isRequestedExecTargetAllowed({
        configuredTarget,   // "auto"
        requestedTarget     // "node"
    })) throw new Error(`exec host not allowed ...`);
    
    const selectedTarget = requestedTarget ?? configuredTarget;
    // ...
}

3. Call site — configuredTarget comes from config

// pi-embedded-BYdcxQ5A.js:3610
const target = resolveExecTarget({
    configuredTarget: defaults?.host,      // tools.exec.host → "auto"
    requestedTarget: normalizeExecTarget(params.host),  // agent requested "node"
    elevatedRequested,
    sandboxAvailable: Boolean(defaults?.sandbox)
});

The logic chain

tools.exec.host = "auto"
    → configuredTarget = "auto"
    → agent requests host="node" → requestedTarget = "node"  
    → "node" === "auto" → false
    → throw "exec host not allowed"

Impact

Users with a paired and connected node cannot use exec host=node from agents unless they change tools.exec.host to "node" globally — which then forces all exec to default to the node, breaking local gateway execution.

There is no way to have "default to gateway, but allow node when explicitly requested."

Proposed Fix

isRequestedExecTargetAllowed should treat auto as permissive for explicit agent requests:

function isRequestedExecTargetAllowed(params) {
    if (params.configuredTarget === "auto") return true;
    return params.requestedTarget === params.configuredTarget;
}

This preserves the existing behavior:

  • auto without explicit request → sandbox or gateway (unchanged)
  • auto with explicit host=node → allowed (fixed)
  • host=gateway with explicit host=node → still blocked (unchanged)
  • host=node with explicit host=gateway → still blocked (unchanged)

Environment

  • OpenClaw v2026.4.2 (d74a122)
  • Gateway: macOS (arm64)
  • Node: Linux (headless node host, paired + connected)
  • Config: tools.exec.host: "auto", tools.exec.security: "full", tools.exec.ask: "off"

extent analysis

TL;DR

Update the isRequestedExecTargetAllowed function to treat the "auto" configuration as permissive for explicit agent requests.

Guidance

  1. Identify the root cause: The issue lies in the isRequestedExecTargetAllowed function, which does not handle the "auto" configuration correctly, causing it to reject explicit requests for other hosts.
  2. Apply the proposed fix: Update the isRequestedExecTargetAllowed function to return true when the configured target is "auto", allowing explicit agent requests to proceed.
  3. Verify the fix: Test the updated function with different configurations, such as tools.exec.host set to "auto" and an agent requesting host="node", to ensure that the request is allowed.
  4. Consider configuration implications: Be aware that this fix changes the behavior of the "auto" configuration, allowing explicit requests to override the default behavior, and ensure that this aligns with your desired workflow.

Example

The updated isRequestedExecTargetAllowed function would look like this:

function isRequestedExecTargetAllowed(params) {
    if (params.configuredTarget === "auto") return true;
    return params.requestedTarget === params.configuredTarget;
}

This change allows explicit agent requests to proceed when the configured target is "auto".

Notes

This fix assumes that the desired behavior is to allow explicit agent requests to override the default behavior when tools.exec.host is set to "auto". If this is not the desired behavior, further modifications may be necessary.

Recommendation

Apply the proposed fix to update the isRequestedExecTargetAllowed function, as it correctly addresses the issue and aligns with the expected behavior.

Vote matrix · Quick signals

Works
Did the solution work? Tap to confirm.
Easy Fix
Was it a quick fix?
Time Saver
Did it save you time?
Blocking
Was it severely blocking?
Common Issue
Are others likely hitting this too?
Flaky / Intermittent
Is it intermittent?
Verified / Reproducible
Can you reproduce it reliably?
Loading…
#conversation history#tool integration#LLM response#prompt template#agent execution

Still need to ship something?

×6

Another batch ranked right after the header list — different links, same matching logic.

Back to top recommendations

TRENDING