openclaw/scripts/claw-broker/README.md

# Claw Broker (MVP)

Minimal privileged broker for claw.approvals.execute.

## API

- POST /v1/execute
- Bearer token via CLAW_BROKER_TOKEN

Request fields:

- executionId
- approvalRequestId
- approvalGrantId
- exactCommand
- targetHost
- targetUser
- requestedBy
- channel
- chatId
- humanUserId
- sessionId

Response fields:

- executionId
- status
- exitCode
- stdoutSummary
- stderrSummary
- startedAt
- finishedAt

## Validation

Broker re-checks in Postgres before execution:

- request/grant exist
- status allows execution
- once grant atomic consume
- command exact match
- scope match (targetHost, targetUser, channel, chatId, humanUserId, sessionId)
- dangerous shell policy
feat: add claw approval MVP with privileged broker Implement Postgres-backed claw approval flow and integrate gateway methods for create/list/get/approve/reject/execute/audit. Add a minimal systemd-run privileged broker with bearer auth, strict scope and exact-command validation, dangerous-shell blocking, atomic once-grant consumption, and execution audit updates. 2026-03-13 12:41:23 +00:00			`# Claw Broker (MVP)`

			`Minimal privileged broker for claw.approvals.execute.`

			`## API`

			`- POST /v1/execute`
			`- Bearer token via CLAW_BROKER_TOKEN`

			`Request fields:`

			`- executionId`
			`- approvalRequestId`
			`- approvalGrantId`
			`- exactCommand`
			`- targetHost`
			`- targetUser`
			`- requestedBy`
			`- channel`
			`- chatId`
			`- humanUserId`
			`- sessionId`

			`Response fields:`

			`- executionId`
			`- status`
			`- exitCode`
			`- stdoutSummary`
			`- stderrSummary`
			`- startedAt`
			`- finishedAt`

			`## Validation`

			`Broker re-checks in Postgres before execution:`

			`- request/grant exist`
			`- status allows execution`
			`- once grant atomic consume`
			`- command exact match`
			`- scope match (targetHost, targetUser, channel, chatId, humanUserId, sessionId)`
			`- dangerous shell policy`