fix: enforce strict exec approval optionals (#1414) (thanks @czekaj)

TypeBox Type.Optional(Type.String()) accepts string|undefined but NOT null.
Discord exec was failing with 'resolvedPath must be string' because callers
passed null explicitly. Web UI worked because it skipped the approval request.

Fixes exec approval validation error in Discord-triggered sessions.

CHANGELOG.md

@@ -14,6 +14,7 @@ Docs: https://docs.clawd.bot
 - Config: avoid stack traces for invalid configs and log the config path.
 - Doctor: warn when gateway.mode is unset with configure/config guidance.
 - macOS: include Textual syntax highlighting resources in packaged app to prevent chat crashes. (#1362)
+- Exec approvals: send optional approval params as undefined instead of null. (#1414) Thanks @czekaj.
 - UI: refresh debug panel on route-driven tab changes. (#1373) Thanks @yazinsai.
 
 ## 2026.1.21

src/agents/bash-tools.exec.ts

@@ -896,8 +896,8 @@ export function createExecTool(
                   security: hostSecurity,
                   ask: hostAsk,
                   agentId: defaults?.agentId,
-                  resolvedPath: null,
+                  resolvedPath: undefined,
-                  sessionKey: defaults?.sessionKey ?? null,
+                  sessionKey: defaults?.sessionKey,
                   timeoutMs: DEFAULT_APPROVAL_TIMEOUT_MS,
                 },
               )) as { decision?: string } | null;
@@ -1060,7 +1060,7 @@ export function createExecTool(
           const approvalSlug = createApprovalSlug(approvalId);
           const expiresAtMs = Date.now() + DEFAULT_APPROVAL_TIMEOUT_MS;
           const contextKey = `exec:${approvalId}`;
-          const resolvedPath = analysis.segments[0]?.resolution?.resolvedPath ?? null;
+          const resolvedPath = analysis.segments[0]?.resolution?.resolvedPath;
           const noticeSeconds = Math.max(1, Math.round(approvalRunningNoticeMs / 1000));
           const commandText = params.command;
           const effectiveTimeout =
@@ -1082,7 +1082,7 @@ export function createExecTool(
                   ask: hostAsk,
                   agentId: defaults?.agentId,
                   resolvedPath,
-                  sessionKey: defaults?.sessionKey ?? null,
+                  sessionKey: defaults?.sessionKey,
                   timeoutMs: DEFAULT_APPROVAL_TIMEOUT_MS,
                 },
               )) as { decision?: string } | null;

src/cli/nodes-cli/register.invoke.ts

@@ -267,8 +267,8 @@ export function registerNodesInvokeCommands(nodes: Command) {
               security: hostSecurity,
               ask: hostAsk,
               agentId,
-              resolvedPath: null,
+              resolvedPath: undefined,
-              sessionKey: null,
+              sessionKey: undefined,
               timeoutMs: 120_000,
             })) as { decision?: string } | null;
             const decision =

src/gateway/server-methods/exec-approval.test.ts

@@ -1,10 +1,93 @@
 import { describe, expect, it, vi } from "vitest";
 import { ExecApprovalManager } from "../exec-approval-manager.js";
 import { createExecApprovalHandlers } from "./exec-approval.js";
+import { validateExecApprovalRequestParams } from "../protocol/index.js";
 
 const noop = () => {};
 
 describe("exec approval handlers", () => {
+  describe("ExecApprovalRequestParams validation", () => {
+    it("accepts request with resolvedPath omitted", () => {
+      const params = {
+        command: "echo hi",
+        cwd: "/tmp",
+        host: "node",
+      };
+      expect(validateExecApprovalRequestParams(params)).toBe(true);
+    });
+
+    it("accepts request with resolvedPath as string", () => {
+      const params = {
+        command: "echo hi",
+        cwd: "/tmp",
+        host: "node",
+        resolvedPath: "/usr/bin/echo",
+      };
+      expect(validateExecApprovalRequestParams(params)).toBe(true);
+    });
+
+    it("accepts request with resolvedPath as undefined", () => {
+      const params = {
+        command: "echo hi",
+        cwd: "/tmp",
+        host: "node",
+        resolvedPath: undefined,
+      };
+      expect(validateExecApprovalRequestParams(params)).toBe(true);
+    });
+
+    // This documents the TypeBox/AJV behavior that caused the Discord exec bug:
+    // Type.Optional(Type.String()) does NOT accept null, only string or undefined.
+    it("rejects request with resolvedPath as null", () => {
+      const params = {
+        command: "echo hi",
+        cwd: "/tmp",
+        host: "node",
+        resolvedPath: null,
+      };
+      expect(validateExecApprovalRequestParams(params)).toBe(false);
+    });
+
+    it("accepts request with sessionKey omitted", () => {
+      const params = {
+        command: "echo hi",
+        cwd: "/tmp",
+        host: "node",
+      };
+      expect(validateExecApprovalRequestParams(params)).toBe(true);
+    });
+
+    it("accepts request with sessionKey as string", () => {
+      const params = {
+        command: "echo hi",
+        cwd: "/tmp",
+        host: "node",
+        sessionKey: "session-1",
+      };
+      expect(validateExecApprovalRequestParams(params)).toBe(true);
+    });
+
+    it("accepts request with sessionKey as undefined", () => {
+      const params = {
+        command: "echo hi",
+        cwd: "/tmp",
+        host: "node",
+        sessionKey: undefined,
+      };
+      expect(validateExecApprovalRequestParams(params)).toBe(true);
+    });
+
+    it("rejects request with sessionKey as null", () => {
+      const params = {
+        command: "echo hi",
+        cwd: "/tmp",
+        host: "node",
+        sessionKey: null,
+      };
+      expect(validateExecApprovalRequestParams(params)).toBe(false);
+    });
+  });
+
   it("broadcasts request + resolve", async () => {
     const manager = new ExecApprovalManager();
     const handlers = createExecApprovalHandlers(manager);