openclaw - 💡(How to fix) Fix OpenClaw 2026.4.1 Resets exec-approvals.json Allowlist - Breaking Automated Workflows [1 participants]

openclaw/openclaw#59701 · Fetched 2026-04-08 02:41:40

Bug Report: OpenClaw 2026.4.1 Resets exec-approvals.json Allowlist

Severity: High
Impact: Breaking change for automated workflows (cron jobs, schedulers)

Summary

After updating to OpenClaw 2026.4.1, the exec-approvals.json file was reset/initialized with strict defaults, removing all previously working allowlist entries. This broke all automated workflows (cron jobs, ClawFlow scheduler) that rely on non-interactive command execution.

Timeline

  • System before: All cron jobs and scheduler workflows running successfully
  • 2026-04-02 09:09 UTC: OpenClaw auto-updated to version 2026.4.1
  • 2026-04-02 09:10 UTC: exec-approvals.json re-initialized with defaults
  • Result: All automated workflows blocked due to missing allowlist entries

Root Cause

The CHANGELOG for 2026.4.1 includes:

- Exec/approvals: honor `exec-approvals.json` security defaults when inline or configured tool policy is unset
- Exec/approvals: make `allow-always` persist as durable user-approved trust instead of behaving like `allow-once`
- Exec/cron: resolve isolated cron no-route approval dead-ends from the effective host fallback policy when trusted automation is allowed

When the update initialized exec-approvals.json, it created a new file with:

  • security: deny (default)
  • Empty/minimal allowlist
  • No migration of existing allowlist entries

Impact

  1. Cron jobs blocked - python3 scripts cannot run without interactive approval
  2. ClawFlow scheduler stopped - Last run before update, no runs after
  3. No warning - User was not notified that allowlist was reset
  4. No migration path - Previous allowlist configuration lost

Current Allowlist After Update

{
  "agents": {
    "main": {
      "allowlist": [
        { "pattern": "/usr/bin/openclaw" },
        { "pattern": "/usr/bin/ls" },
        { "pattern": "/usr/bin/head" }
      ]
    }
  }
}

Note: /usr/bin/python3 was missing despite being essential for cron jobs.

Workaround Applied

openclaw approvals allowlist add /usr/bin/python3
openclaw approvals allowlist add /usr/bin/git
openclaw approvals allowlist add /usr/bin/node
openclaw approvals allowlist add /usr/bin/bash
openclaw approvals allowlist add /usr/bin/sh

Expected Behavior

  1. Migration: Update should preserve existing allowlist entries or migrate them
  2. Warning: If exec-approvals.json is reset/recreated, user should be warned
  3. Documentation: Clear upgrade notes for breaking changes
  4. Non-interactive policy: Cron jobs and schedulers need a way to pre-approve binaries without interactive UI

Suggested Solutions

Option A: Migration

// Preserve existing allowlist during update
if (existingAllowlist) {
  newConfig.agents.main.allowlist = [...existingAllowlist, ...newDefaults];
}

Option B: Warning System

⚠️  exec-approvals.json has been reset to defaults.
   Previous allowlist entries have been cleared.
   Run `openclaw doctor` to review required binaries.

Option C: Cron/Service Policy

{
  "tools": {
    "exec": {
      "cronAllowlist": ["/usr/bin/python3", "/usr/bin/node", "/usr/bin/git"],
      "automationBinaries": ["python3", "node", "git"]
    }
  }
}

A separate policy for non-interactive/automated workflows that doesn't require UI approval.

Option D: Auto-detection

During update, scan existing cron jobs and suggest required allowlist entries:

Detected cron job: python3 /path/to/script.py
  → Add /usr/bin/python3 to allowlist? [Y/n]

Environment

  • OpenClaw Version: 2026.4.1
  • OS: Linux (Debian/Ubuntu)
  • Previous working state: All automated workflows functional
  • Affected components: Cron jobs, ClawFlow scheduler, any non-interactive exec

Related Files

  • ~/.openclaw/exec-approvals.json - Reset during update
  • /usr/lib/node_modules/openclaw/CHANGELOG.md - Version 2026.4.1

User Impact Statement:

"My system was working great... why was this done?"

This breaking change affected a production system without warning or migration path. Automated workflows that ran for months stopped working immediately after the update.
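
The migration proposed in Option A, as an added example that is not code from the issue or from the OpenClaw project: it compares a pre-update backup of exec-approvals.json with the post-update file, restores dropped entries without duplicates, and lists allowlisted shells and interpreters for review. The agents.<id>.allowlist[].pattern layout comes from the JSON in the issue; the backup, the function names and the interpreter list are assumptions.

```javascript
// Added example, not OpenClaw code. Layout agents.<id>.allowlist[].pattern is
// taken from the JSON in the issue; all function names here are hypothetical.

// Constructed samples: `before` stands for a pre-update backup (assumed to
// exist), `after` mirrors the post-update allowlist quoted in the issue.
const before = { agents: { main: { allowlist: [
  { pattern: '/usr/bin/openclaw' },
  { pattern: '/usr/bin/python3' },
  { pattern: '/usr/bin/git' },
] } } };
const after = { agents: { main: { allowlist: [
  { pattern: '/usr/bin/openclaw' },
  { pattern: '/usr/bin/ls' },
  { pattern: '/usr/bin/head' },
] } } };

// Well-formed allowlist entries for one agent; missing keys yield [].
function entries(config, agent = 'main') {
  const list = config?.agents?.[agent]?.allowlist;
  return Array.isArray(list) ? list.filter((e) => e && typeof e.pattern === 'string') : [];
}

// Entries present in the backup but absent after the update, de-duplicated
// (Set.add returns the Set, which is truthy, so first occurrences are kept).
function droppedEntries(oldCfg, newCfg, agent = 'main') {
  const seen = new Set(entries(newCfg, agent).map((e) => e.pattern));
  return entries(oldCfg, agent).filter((e) => !seen.has(e.pattern) && seen.add(e.pattern));
}

// Copy of newCfg with the dropped entries appended. Everything else in the
// post-update file (including its new defaults) is kept as written.
function restoreAllowlist(oldCfg, newCfg, agent = 'main') {
  const merged = JSON.parse(JSON.stringify(newCfg));
  merged.agents = merged.agents || {};
  merged.agents[agent] = merged.agents[agent] || {};
  merged.agents[agent].allowlist = [
    ...entries(merged, agent),
    ...droppedEntries(oldCfg, newCfg, agent).map((e) => ({ ...e })),
  ];
  return merged;
}

// Assumption: entries match on binary path only. An allowlisted shell or
// interpreter then covers any script it is given, so list those for review.
const INTERPRETERS = new Set(['sh', 'bash', 'python3', 'node']);
function needsReview(config, agent = 'main') {
  const paths = entries(config, agent).map((e) => e.pattern);
  return paths.filter((p) => INTERPRETERS.has(p.split('/').pop()));
}
```

To use it on real files, load the backup and the current file with JSON.parse and write the merged result back only after checking the needsReview output.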

extent analysis

TL;DR

Manually re-add essential allowlist entries to exec-approvals.json or use the openclaw approvals allowlist add command to restore functionality to automated workflows.

Guidance

  1. Re-add allowlist entries: Manually add missing entries such as /usr/bin/python3 to exec-approvals.json to restore cron jobs and schedulers.
  2. Use openclaw approvals allowlist add: Use this command to add required binaries, such as /usr/bin/python3, /usr/bin/git, and /usr/bin/node, to the allowlist.
  3. Review OpenClaw documentation: Check the OpenClaw documentation for upgrade notes or guidelines on handling breaking changes, especially regarding exec-approvals.json.
  4. Test automated workflows: After restoring the entries by either method, test cron jobs and schedulers to confirm they run as expected.

Example

To add /usr/bin/python3 to the allowlist using the openclaw approvals allowlist add command:

openclaw approvals allowlist add /usr/bin/python3

Notes

The provided workaround using openclaw approvals allowlist add is a temporary solution. A more permanent fix would involve preserving existing allowlist entries during updates or implementing a warning system to notify users of changes to exec-approvals.json.

Recommendation

Apply the workaround: re-add the essential allowlist entries manually or with the openclaw approvals allowlist add command. This is the most straightforward way to restore automated workflows without waiting for a potential update that addresses the issue.
