[{"data":1,"prerenderedAt":1103},["ShallowReactive",2],{"navigation":3,"/getting-started/working-with-agents":145,"/getting-started/working-with-agents-surround":1098},[4,28,49,88,101,127],{"title":5,"path":6,"stem":7,"children":8,"icon":27},"Getting Started","/getting-started","1.getting-started/1.index",[9,11,15,19,23],{"title":10,"path":6,"stem":7},"Introduction",{"title":12,"path":13,"stem":14},"Working with Agents","/getting-started/working-with-agents","1.getting-started/2.working-with-agents",{"title":16,"path":17,"stem":18},"Setup a Service Provider","/getting-started/setup-service-provider","1.getting-started/3.setup-service-provider",{"title":20,"path":21,"stem":22},"Setup an Identity Provider","/getting-started/setup-identity-provider","1.getting-started/4.setup-identity-provider",{"title":24,"path":25,"stem":26},"Developers","/getting-started/developers","1.getting-started/5.developers",false,{"title":29,"icon":27,"path":30,"stem":31,"children":32,"page":27},"Guides","/guides","2.guides",[33,37,41,45],{"title":34,"path":35,"stem":36},"How It Works","/guides/how-it-works","2.guides/1.how-it-works",{"title":38,"path":39,"stem":40},"Capabilities Guide","/guides/capabilities-guide","2.guides/2.capabilities-guide",{"title":42,"path":43,"stem":44},"End-to-End Tutorial","/guides/end-to-end-tutorial","2.guides/3.end-to-end-tutorial",{"title":46,"path":47,"stem":48},"Delegation Guide","/guides/delegation-guide","2.guides/4.delegation-guide",{"title":50,"path":51,"stem":52,"children":53,"icon":27},"Ecosystem","/ecosystem","3.ecosystem/1.index",[54,56,60,64,68,72,76,80,84],{"title":55,"path":51,"stem":52},"Overview",{"title":57,"path":58,"stem":59},"grapes CLI","/ecosystem/grapes","3.ecosystem/2.grapes",{"title":61,"path":62,"stem":63},"shapes CLI","/ecosystem/shapes","3.ecosystem/3.shapes",{"title":65,"path":66,"stem":67},"escapes","/ecosystem/escapes","3.ecosystem/4.escapes",{"title":69,"path":70,"stem":71},"OpenApe Proxy","/ecosystem/proxy","3.ecosystem/5.proxy",{"title":73,"path":74,"stem":75},"OpenApe Browser","/ecosystem/browser","3.ecosystem/6.browser",{"title":77,"path":78,"stem":79},"OpenApe Auth","/ecosystem/auth","3.ecosystem/7.auth",{"title":81,"path":82,"stem":83},"OpenApe Grants","/ecosystem/grants","3.ecosystem/8.grants",{"title":85,"path":86,"stem":87},"nuxt-auth-sp","/ecosystem/nuxt-auth-sp","3.ecosystem/9.nuxt-auth-sp",{"title":89,"icon":27,"path":90,"stem":91,"children":92,"page":27},"Security","/security","4.security",[93,97],{"title":94,"path":95,"stem":96},"Compliance","/security/compliance","4.security/1.compliance",{"title":98,"path":99,"stem":100},"Threat Model","/security/threat-model","4.security/2.threat-model",{"title":102,"path":103,"stem":104,"children":105,"icon":27},"Reference","/reference","5.reference/1.index",[106,107,111,115,119,123],{"title":102,"path":103,"stem":104},{"title":108,"path":109,"stem":110},"IdP Configuration","/reference/idp-configuration","5.reference/2.idp-configuration",{"title":112,"path":113,"stem":114},"SP Configuration","/reference/sp-configuration","5.reference/3.sp-configuration",{"title":116,"path":117,"stem":118},"API Endpoints","/reference/api-endpoints","5.reference/4.api-endpoints",{"title":120,"path":121,"stem":122},"escapes Config","/reference/escapes-config","5.reference/5.escapes-config",{"title":124,"path":125,"stem":126},"Proxy Config","/reference/proxy-config","5.reference/6.proxy-config",{"title":128,"path":129,"stem":130,"children":131,"icon":27},"Operations","/operations","6.operations/1.index",[132,133,137,141],{"title":128,"path":129,"stem":130},{"title":134,"path":135,"stem":136},"Deployment","/operations/deployment","6.operations/2.deployment",{"title":138,"path":139,"stem":140},"Troubleshooting","/operations/troubleshooting","6.operations/3.troubleshooting",{"title":142,"path":143,"stem":144},"Monitoring","/operations/monitoring","6.operations/4.monitoring",{"id":146,"title":12,"body":147,"description":1092,"extension":1093,"links":1094,"meta":1095,"navigation":244,"path":13,"seo":1096,"stem":14,"__hash__":1097},"docs/1.getting-started/2.working-with-agents.md",{"type":148,"value":149,"toc":1079},"minimark",[150,154,163,173,178,200,204,329,332,359,363,366,535,545,549,555,591,594,618,622,625,770,773,787,791,797,831,861,865,870,983,987,1033,1037,1040,1048,1075],[151,152,12],"h1",{"id":153},"working-with-agents",[155,156,157,158,162],"p",{},"This guide sets up the three ",[159,160,161],"a",{"href":51},"Agent Gate Applications"," to control what your AI agent can do. Every command the agent executes will require a grant — approved by a human.",[155,164,165,166,172],{},"The examples use ",[159,167,171],{"href":168,"rel":169},"https://openclaw.ai",[170],"nofollow","OpenClaw"," as the agent, but the setup works with any agent that runs CLI commands.",[174,175,177],"h2",{"id":176},"prerequisites","Prerequisites",[179,180,181,185,197],"ul",{},[182,183,184],"li",{},"A running OpenClaw instance",[182,186,187,188,192,193,196],{},"An OpenApe IdP (use the public ",[189,190,191],"code",{},"https://id.openape.at"," or ",[159,194,195],{"href":21},"run your own",")",[182,198,199],{},"Node.js 20+ and Rust toolchain (for escapes)",[174,201,203],{"id":202},"step-1-install-the-agent-gate-applications","Step 1: Install the Agent Gate Applications",[205,206,211],"pre",{"className":207,"code":208,"language":209,"meta":210,"style":210},"language-bash shiki shiki-themes material-theme-lighter material-theme material-theme-palenight","# grapes — the grant system\nnpm i -g @openape/grapes\n\n# shapes — grant-constrained CLI execution\nnpm i -g @openape/shapes\n\n# escapes — privilege escalation (requires Rust)\ncd /tmp\ngit clone https://github.com/openape-ai/escapes.git\ncd escapes\ncargo build --release\nsudo make install\n","bash","",[189,212,213,222,239,246,252,264,269,275,285,297,305,317],{"__ignoreMap":210},[214,215,218],"span",{"class":216,"line":217},"line",1,[214,219,221],{"class":220},"sHwdD","# grapes — the grant system\n",[214,223,225,229,233,236],{"class":216,"line":224},2,[214,226,228],{"class":227},"sBMFI","npm",[214,230,232],{"class":231},"sfazB"," i",[214,234,235],{"class":231}," -g",[214,237,238],{"class":231}," @openape/grapes\n",[214,240,242],{"class":216,"line":241},3,[214,243,245],{"emptyLinePlaceholder":244},true,"\n",[214,247,249],{"class":216,"line":248},4,[214,250,251],{"class":220},"# shapes — grant-constrained CLI execution\n",[214,253,255,257,259,261],{"class":216,"line":254},5,[214,256,228],{"class":227},[214,258,232],{"class":231},[214,260,235],{"class":231},[214,262,263],{"class":231}," @openape/shapes\n",[214,265,267],{"class":216,"line":266},6,[214,268,245],{"emptyLinePlaceholder":244},[214,270,272],{"class":216,"line":271},7,[214,273,274],{"class":220},"# escapes — privilege escalation (requires Rust)\n",[214,276,278,282],{"class":216,"line":277},8,[214,279,281],{"class":280},"s2Zo4","cd",[214,283,284],{"class":231}," /tmp\n",[214,286,288,291,294],{"class":216,"line":287},9,[214,289,290],{"class":227},"git",[214,292,293],{"class":231}," clone",[214,295,296],{"class":231}," https://github.com/openape-ai/escapes.git\n",[214,298,300,302],{"class":216,"line":299},10,[214,301,281],{"class":280},[214,303,304],{"class":231}," escapes\n",[214,306,308,311,314],{"class":216,"line":307},11,[214,309,310],{"class":227},"cargo",[214,312,313],{"class":231}," build",[214,315,316],{"class":231}," --release\n",[214,318,320,323,326],{"class":216,"line":319},12,[214,321,322],{"class":227},"sudo",[214,324,325],{"class":231}," make",[214,327,328],{"class":231}," install\n",[155,330,331],{},"Verify the installation:",[205,333,335],{"className":207,"code":334,"language":209,"meta":210,"style":210},"grapes --version\nshapes --version\nescapes --help\n",[189,336,337,345,352],{"__ignoreMap":210},[214,338,339,342],{"class":216,"line":217},[214,340,341],{"class":227},"grapes",[214,343,344],{"class":231}," --version\n",[214,346,347,350],{"class":216,"line":224},[214,348,349],{"class":227},"shapes",[214,351,344],{"class":231},[214,353,354,356],{"class":216,"line":241},[214,355,65],{"class":227},[214,357,358],{"class":231}," --help\n",[174,360,362],{"id":361},"step-2-register-the-agent","Step 2: Register the Agent",[155,364,365],{},"Generate a key pair and enroll the OpenClaw agent with your IdP:",[205,367,369],{"className":207,"code":368,"language":209,"meta":210,"style":210},"# Generate the agent's key pair\nssh-keygen -t ed25519 -f ~/.ssh/openclaw_agent -N \"\"\n\n# Enroll the agent (admin operation)\ncurl -X POST https://id.openape.at/api/agent/enroll \\\n  -H \"Authorization: Bearer \u003Cyour-management-token>\" \\\n  -H \"Content-Type: application/json\" \\\n  -d \"{\\\"email\\\":\\\"agent+openclaw@yourdomain.com\\\",\\\"name\\\":\\\"openclaw\\\",\\\"publicKey\\\":\\\"$(cat ~/.ssh/openclaw_agent.pub)\\\"}\"\n",[189,370,371,376,400,404,409,427,443,456],{"__ignoreMap":210},[214,372,373],{"class":216,"line":217},[214,374,375],{"class":220},"# Generate the agent's key pair\n",[214,377,378,381,384,387,390,393,396],{"class":216,"line":224},[214,379,380],{"class":227},"ssh-keygen",[214,382,383],{"class":231}," -t",[214,385,386],{"class":231}," ed25519",[214,388,389],{"class":231}," -f",[214,391,392],{"class":231}," ~/.ssh/openclaw_agent",[214,394,395],{"class":231}," -N",[214,397,399],{"class":398},"sMK4o"," \"\"\n",[214,401,402],{"class":216,"line":241},[214,403,245],{"emptyLinePlaceholder":244},[214,405,406],{"class":216,"line":248},[214,407,408],{"class":220},"# Enroll the agent (admin operation)\n",[214,410,411,414,417,420,423],{"class":216,"line":254},[214,412,413],{"class":227},"curl",[214,415,416],{"class":231}," -X",[214,418,419],{"class":231}," POST",[214,421,422],{"class":231}," https://id.openape.at/api/agent/enroll",[214,424,426],{"class":425},"sTEyZ"," \\\n",[214,428,429,432,435,438,441],{"class":216,"line":266},[214,430,431],{"class":231},"  -H",[214,433,434],{"class":398}," \"",[214,436,437],{"class":231},"Authorization: Bearer \u003Cyour-management-token>",[214,439,440],{"class":398},"\"",[214,442,426],{"class":425},[214,444,445,447,449,452,454],{"class":216,"line":271},[214,446,431],{"class":231},[214,448,434],{"class":398},[214,450,451],{"class":231},"Content-Type: application/json",[214,453,440],{"class":398},[214,455,426],{"class":425},[214,457,458,461,463,466,469,472,474,477,479,482,484,487,489,492,494,496,498,501,503,505,507,510,512,514,516,519,522,525,527,529,532],{"class":216,"line":277},[214,459,460],{"class":231},"  -d",[214,462,434],{"class":398},[214,464,465],{"class":231},"{",[214,467,468],{"class":425},"\\\"",[214,470,471],{"class":231},"email",[214,473,468],{"class":425},[214,475,476],{"class":231},":",[214,478,468],{"class":425},[214,480,481],{"class":231},"agent+openclaw@yourdomain.com",[214,483,468],{"class":425},[214,485,486],{"class":231},",",[214,488,468],{"class":425},[214,490,491],{"class":231},"name",[214,493,468],{"class":425},[214,495,476],{"class":231},[214,497,468],{"class":425},[214,499,500],{"class":231},"openclaw",[214,502,468],{"class":425},[214,504,486],{"class":231},[214,506,468],{"class":425},[214,508,509],{"class":231},"publicKey",[214,511,468],{"class":425},[214,513,476],{"class":231},[214,515,468],{"class":425},[214,517,518],{"class":398},"$(",[214,520,521],{"class":227},"cat",[214,523,524],{"class":231}," ~/.ssh/openclaw_agent.pub",[214,526,196],{"class":398},[214,528,468],{"class":425},[214,530,531],{"class":231},"}",[214,533,534],{"class":398},"\"\n",[536,537,539],"callout",{"type":538},"info",[155,540,541,542,544],{},"Agent enrollment is an admin operation that requires the Management Token. After enrollment, all further interaction uses ",[189,543,341],{},".",[174,546,548],{"id":547},"step-3-configure-grapes","Step 3: Configure grapes",[155,550,551,552,476],{},"Create ",[189,553,554],{},"~/.config/grapes/config.toml",[205,556,560],{"className":557,"code":558,"language":559,"meta":210,"style":210},"language-toml shiki shiki-themes material-theme-lighter material-theme material-theme-palenight","[defaults]\nidp = \"https://id.openape.at\"\n\n[agent]\nkey = \"~/.ssh/openclaw_agent\"\nemail = \"agent+openclaw@yourdomain.com\"\n","toml",[189,561,562,567,572,576,581,586],{"__ignoreMap":210},[214,563,564],{"class":216,"line":217},[214,565,566],{},"[defaults]\n",[214,568,569],{"class":216,"line":224},[214,570,571],{},"idp = \"https://id.openape.at\"\n",[214,573,574],{"class":216,"line":241},[214,575,245],{"emptyLinePlaceholder":244},[214,577,578],{"class":216,"line":248},[214,579,580],{},"[agent]\n",[214,582,583],{"class":216,"line":254},[214,584,585],{},"key = \"~/.ssh/openclaw_agent\"\n",[214,587,588],{"class":216,"line":266},[214,589,590],{},"email = \"agent+openclaw@yourdomain.com\"\n",[155,592,593],{},"Login and verify:",[205,595,597],{"className":207,"code":596,"language":209,"meta":210,"style":210},"grapes login\ngrapes whoami\n# → agent+openclaw@yourdomain.com (agent) via https://id.openape.at\n",[189,598,599,606,613],{"__ignoreMap":210},[214,600,601,603],{"class":216,"line":217},[214,602,341],{"class":227},[214,604,605],{"class":231}," login\n",[214,607,608,610],{"class":216,"line":224},[214,609,341],{"class":227},[214,611,612],{"class":231}," whoami\n",[214,614,615],{"class":216,"line":241},[214,616,617],{"class":220},"# → agent+openclaw@yourdomain.com (agent) via https://id.openape.at\n",[174,619,621],{"id":620},"step-4-install-shapes-adapters","Step 4: Install Shapes Adapters",[155,623,624],{},"Install the adapters for the CLIs your OpenClaw agent uses:",[205,626,628],{"className":207,"code":627,"language":209,"meta":210,"style":210},"# Browse available adapters\nshapes adapter search --remote\n\n# Install what you need\nshapes adapter install gh        # GitHub CLI\nshapes adapter install az        # Azure CLI\nshapes adapter install exo       # Exoscale CLI\nshapes adapter install o365mail  # Outlook Mail\nshapes adapter install ls        # ls\nshapes adapter install cat       # cat\nshapes adapter install chmod     # chmod\nshapes adapter install chown     # chown\n",[189,629,630,635,648,652,657,672,686,700,714,728,742,756],{"__ignoreMap":210},[214,631,632],{"class":216,"line":217},[214,633,634],{"class":220},"# Browse available adapters\n",[214,636,637,639,642,645],{"class":216,"line":224},[214,638,349],{"class":227},[214,640,641],{"class":231}," adapter",[214,643,644],{"class":231}," search",[214,646,647],{"class":231}," --remote\n",[214,649,650],{"class":216,"line":241},[214,651,245],{"emptyLinePlaceholder":244},[214,653,654],{"class":216,"line":248},[214,655,656],{"class":220},"# Install what you need\n",[214,658,659,661,663,666,669],{"class":216,"line":254},[214,660,349],{"class":227},[214,662,641],{"class":231},[214,664,665],{"class":231}," install",[214,667,668],{"class":231}," gh",[214,670,671],{"class":220},"        # GitHub CLI\n",[214,673,674,676,678,680,683],{"class":216,"line":266},[214,675,349],{"class":227},[214,677,641],{"class":231},[214,679,665],{"class":231},[214,681,682],{"class":231}," az",[214,684,685],{"class":220},"        # Azure CLI\n",[214,687,688,690,692,694,697],{"class":216,"line":271},[214,689,349],{"class":227},[214,691,641],{"class":231},[214,693,665],{"class":231},[214,695,696],{"class":231}," exo",[214,698,699],{"class":220},"       # Exoscale CLI\n",[214,701,702,704,706,708,711],{"class":216,"line":277},[214,703,349],{"class":227},[214,705,641],{"class":231},[214,707,665],{"class":231},[214,709,710],{"class":231}," o365mail",[214,712,713],{"class":220},"  # Outlook Mail\n",[214,715,716,718,720,722,725],{"class":216,"line":287},[214,717,349],{"class":227},[214,719,641],{"class":231},[214,721,665],{"class":231},[214,723,724],{"class":231}," ls",[214,726,727],{"class":220},"        # ls\n",[214,729,730,732,734,736,739],{"class":216,"line":299},[214,731,349],{"class":227},[214,733,641],{"class":231},[214,735,665],{"class":231},[214,737,738],{"class":231}," cat",[214,740,741],{"class":220},"       # cat\n",[214,743,744,746,748,750,753],{"class":216,"line":307},[214,745,349],{"class":227},[214,747,641],{"class":231},[214,749,665],{"class":231},[214,751,752],{"class":231}," chmod",[214,754,755],{"class":220},"     # chmod\n",[214,757,758,760,762,764,767],{"class":216,"line":319},[214,759,349],{"class":227},[214,761,641],{"class":231},[214,763,665],{"class":231},[214,765,766],{"class":231}," chown",[214,768,769],{"class":220},"     # chown\n",[155,771,772],{},"List installed adapters:",[205,774,776],{"className":207,"code":775,"language":209,"meta":210,"style":210},"shapes adapter list\n",[189,777,778],{"__ignoreMap":210},[214,779,780,782,784],{"class":216,"line":217},[214,781,349],{"class":227},[214,783,641],{"class":231},[214,785,786],{"class":231}," list\n",[174,788,790],{"id":789},"step-5-configure-escapes","Step 5: Configure escapes",[155,792,551,793,796],{},[189,794,795],{},"/etc/openape/config.toml"," (as root):",[205,798,800],{"className":557,"code":799,"language":559,"meta":210,"style":210},"audit_log = \"/var/log/openape/audit.log\"\n\n[security]\nallowed_issuers = [\"https://id.openape.at\"]\nallowed_approvers = [\"you@yourdomain.com\"]\nallowed_audiences = [\"escapes\"]\n",[189,801,802,807,811,816,821,826],{"__ignoreMap":210},[214,803,804],{"class":216,"line":217},[214,805,806],{},"audit_log = \"/var/log/openape/audit.log\"\n",[214,808,809],{"class":216,"line":224},[214,810,245],{"emptyLinePlaceholder":244},[214,812,813],{"class":216,"line":241},[214,814,815],{},"[security]\n",[214,817,818],{"class":216,"line":248},[214,819,820],{},"allowed_issuers = [\"https://id.openape.at\"]\n",[214,822,823],{"class":216,"line":254},[214,824,825],{},"allowed_approvers = [\"you@yourdomain.com\"]\n",[214,827,828],{"class":216,"line":266},[214,829,830],{},"allowed_audiences = [\"escapes\"]\n",[205,832,834],{"className":207,"code":833,"language":209,"meta":210,"style":210},"sudo mkdir -p /var/log/openape\nsudo chmod 755 /var/log/openape\n",[189,835,836,849],{"__ignoreMap":210},[214,837,838,840,843,846],{"class":216,"line":217},[214,839,322],{"class":227},[214,841,842],{"class":231}," mkdir",[214,844,845],{"class":231}," -p",[214,847,848],{"class":231}," /var/log/openape\n",[214,850,851,853,855,859],{"class":216,"line":224},[214,852,322],{"class":227},[214,854,752],{"class":231},[214,856,858],{"class":857},"sbssI"," 755",[214,860,848],{"class":231},[174,862,864],{"id":863},"step-6-test-the-flow","Step 6: Test the Flow",[866,867,869],"h3",{"id":868},"normal-operation-via-shapes","Normal operation (via shapes)",[205,871,873],{"className":207,"code":872,"language":209,"meta":210,"style":210},"# See what permissions a command needs\nshapes explain -- gh repo list myorg\n\n# Request grant and execute\nshapes request --approval once -- gh repo list myorg\n# → Waiting for approval...\n\n# In another terminal (as the approver):\ngrapes list --status pending\ngrapes approve \u003Cgrant-id>\n# → Command executes\n",[189,874,875,880,901,905,910,933,938,942,947,959,978],{"__ignoreMap":210},[214,876,877],{"class":216,"line":217},[214,878,879],{"class":220},"# See what permissions a command needs\n",[214,881,882,884,887,890,892,895,898],{"class":216,"line":224},[214,883,349],{"class":227},[214,885,886],{"class":231}," explain",[214,888,889],{"class":231}," --",[214,891,668],{"class":231},[214,893,894],{"class":231}," repo",[214,896,897],{"class":231}," list",[214,899,900],{"class":231}," myorg\n",[214,902,903],{"class":216,"line":241},[214,904,245],{"emptyLinePlaceholder":244},[214,906,907],{"class":216,"line":248},[214,908,909],{"class":220},"# Request grant and execute\n",[214,911,912,914,917,920,923,925,927,929,931],{"class":216,"line":254},[214,913,349],{"class":227},[214,915,916],{"class":231}," request",[214,918,919],{"class":231}," --approval",[214,921,922],{"class":231}," once",[214,924,889],{"class":231},[214,926,668],{"class":231},[214,928,894],{"class":231},[214,930,897],{"class":231},[214,932,900],{"class":231},[214,934,935],{"class":216,"line":266},[214,936,937],{"class":220},"# → Waiting for approval...\n",[214,939,940],{"class":216,"line":271},[214,941,245],{"emptyLinePlaceholder":244},[214,943,944],{"class":216,"line":277},[214,945,946],{"class":220},"# In another terminal (as the approver):\n",[214,948,949,951,953,956],{"class":216,"line":287},[214,950,341],{"class":227},[214,952,897],{"class":231},[214,954,955],{"class":231}," --status",[214,957,958],{"class":231}," pending\n",[214,960,961,963,966,969,972,975],{"class":216,"line":299},[214,962,341],{"class":227},[214,964,965],{"class":231}," approve",[214,967,968],{"class":398}," \u003C",[214,970,971],{"class":231},"grant-i",[214,973,974],{"class":425},"d",[214,976,977],{"class":398},">\n",[214,979,980],{"class":216,"line":307},[214,981,982],{"class":220},"# → Command executes\n",[866,984,986],{"id":985},"privilege-escalation-via-escapes","Privilege escalation (via escapes)",[205,988,990],{"className":207,"code":989,"language":209,"meta":210,"style":210},"# Request grant for a privileged command\ngrapes run escapes \"apt-get install -y curl\" --reason \"Install dependency for agent\"\n# → Waiting for approval...\n# → Approved → escapes executes with root privileges\n",[189,991,992,997,1024,1028],{"__ignoreMap":210},[214,993,994],{"class":216,"line":217},[214,995,996],{"class":220},"# Request grant for a privileged command\n",[214,998,999,1001,1004,1007,1009,1012,1014,1017,1019,1022],{"class":216,"line":224},[214,1000,341],{"class":227},[214,1002,1003],{"class":231}," run",[214,1005,1006],{"class":231}," escapes",[214,1008,434],{"class":398},[214,1010,1011],{"class":231},"apt-get install -y curl",[214,1013,440],{"class":398},[214,1015,1016],{"class":231}," --reason",[214,1018,434],{"class":398},[214,1020,1021],{"class":231},"Install dependency for agent",[214,1023,534],{"class":398},[214,1025,1026],{"class":216,"line":241},[214,1027,937],{"class":220},[214,1029,1030],{"class":216,"line":248},[214,1031,1032],{"class":220},"# → Approved → escapes executes with root privileges\n",[174,1034,1036],{"id":1035},"how-it-works-with-openclaw","How It Works with OpenClaw",[155,1038,1039],{},"Once configured, OpenClaw's agent operations flow through the gatekeeping trinity:",[205,1041,1046],{"className":1042,"code":1044,"language":1045},[1043],"language-text","OpenClaw Agent\n     │\n     ├─ Normal CLI commands ──→ shapes ──→ grant check ──→ execute\n     │                           │\n     │                           └─ Shapes Registry defines\n     │                              which CLIs are available\n     │\n     └─ Privileged actions ───→ grapes ──→ grant request\n                                  │           │\n                                  │           └─ Human approves\n                                  │\n                                  └─→ escapes ──→ execute as root\n","text",[189,1047,1044],{"__ignoreMap":210},[179,1049,1050,1057,1063,1072],{},[182,1051,1052,1056],{},[1053,1054,1055],"strong",{},"Every"," CLI execution goes through shapes — no blanket access",[182,1058,1059,1062],{},[1053,1060,1061],{},"Privileged"," operations require explicit escapes escalation",[182,1064,1065,1068,1069],{},[1053,1066,1067],{},"All"," actions are audited in ",[189,1070,1071],{},"/var/log/openape/audit.log",[182,1073,1074],{},"The human approver sees exactly what the agent wants to do before approving",[1076,1077,1078],"style",{},"html .light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html.light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html.dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html pre.shiki code .sHwdD, html code.shiki .sHwdD{--shiki-light:#90A4AE;--shiki-light-font-style:italic;--shiki-default:#546E7A;--shiki-default-font-style:italic;--shiki-dark:#676E95;--shiki-dark-font-style:italic}html pre.shiki code .sBMFI, html code.shiki .sBMFI{--shiki-light:#E2931D;--shiki-default:#FFCB6B;--shiki-dark:#FFCB6B}html pre.shiki code .sfazB, html code.shiki .sfazB{--shiki-light:#91B859;--shiki-default:#C3E88D;--shiki-dark:#C3E88D}html pre.shiki code .s2Zo4, html code.shiki .s2Zo4{--shiki-light:#6182B8;--shiki-default:#82AAFF;--shiki-dark:#82AAFF}html pre.shiki code .sMK4o, html code.shiki .sMK4o{--shiki-light:#39ADB5;--shiki-default:#89DDFF;--shiki-dark:#89DDFF}html pre.shiki code .sTEyZ, html code.shiki .sTEyZ{--shiki-light:#90A4AE;--shiki-default:#EEFFFF;--shiki-dark:#BABED8}html pre.shiki code .sbssI, html code.shiki .sbssI{--shiki-light:#F76D47;--shiki-default:#F78C6C;--shiki-dark:#F78C6C}",{"title":210,"searchDepth":241,"depth":224,"links":1080},[1081,1082,1083,1084,1085,1086,1087,1091],{"id":176,"depth":224,"text":177},{"id":202,"depth":224,"text":203},{"id":361,"depth":224,"text":362},{"id":547,"depth":224,"text":548},{"id":620,"depth":224,"text":621},{"id":789,"depth":224,"text":790},{"id":863,"depth":224,"text":864,"children":1088},[1089,1090],{"id":868,"depth":241,"text":869},{"id":985,"depth":241,"text":986},{"id":1035,"depth":224,"text":1036},"Set up OpenApe agent gatekeeping for AI agents like OpenClaw.","md",null,{},{"title":12,"description":1092},"rk-ql14gJN1lliVdTqI5kZsI5UZjpFLGrrSkSyvs4Jg",[1099,1101],{"title":10,"path":6,"stem":7,"description":1100,"children":-1},"What is OpenApe and why does it exist?",{"title":16,"path":17,"stem":18,"description":1102,"children":-1},"Add OpenApe authentication to your app in 3 steps.",1774221116104]