[Repo Assist] improve(policy): default exec rules now match commands with or without args #256

Draft
github-actions[bot] wants to merge 1 commit into master from repo-assist/improve-default-exec-rules-noarg-2026-05-01-de6c16f3ad2b6760
github-actions bot commented May 1, 2026

🤖 This PR was created by Repo Assist, an automated AI assistant.

Summary

Default exec-approval patterns like "ipconfig *" required at least one argument (the space forces a match against ^ipconfig\ .*$), so running plain ipconfig — the most common usage — was unexpectedly denied on a fresh install.

Root Cause

Patterns with " *" (space then wildcard) anchor to the with-args form:

  • "ipconfig *" → regex ^ipconfig\ .*$ — requires a trailing space and at least one character
  • "ipconfig" alone → no match → denied

Fix

Remove the space before the wildcard: "ipconfig *" → "ipconfig*". The pattern ^ipconfig.*$ now matches both ipconfig (no args) and ipconfig /all (with args).

Changed patterns: dir *, ipconfig *, ping *, cat *, type *

Intentionally unchanged: echo * — bare echo with no args is not a meaningful diagnostic; the existing test asserts result.MatchedPattern == "echo *" and remains correct.

Impact

  • Only affects new users on first run (before any settings.json exists)
  • Existing installs with a saved settings.json are unaffected
  • No security concern: these are explicitly whitelisted read-only diagnostic commands. The dangerous-fragment validator in SystemCapability.cs independently blocks any wildcard pattern that would expand to a dangerous command.

Test Status

✅ New 7-case [Theory] test: DefaultPolicy_AllowsCommonDiagCommandsWithAndWithoutArgs
Cases: ipconfig, ipconfig /all, ping 8.8.8.8, dir, dir C:\, cat README.md, type README.md

✅ Full OpenClaw.Shared.Tests — all pass
✅ Full OpenClaw.Tray.Tests — all pass

Generated by 🌈 Repo Assist, see workflow run. Learn more.

To install this agentic workflow, run

gh aw add githubnext/agentics/workflows/repo-assist.md@97143ac59cb3a13ef2a77581f929f06719c7402a

…t args

Patterns like "ipconfig *" required at least one argument (the space forces it)
which meant plain "ipconfig" was unexpectedly denied on fresh installs.

Changed: "ipconfig *" → "ipconfig*", "ping *" → "ping*",
         "dir *" → "dir*", "cat *" → "cat*", "type *" → "type*"

"echo *" is intentionally unchanged — it has an existing test that asserts
result.MatchedPattern == "echo *", which is correct behaviour (bare "echo"
with no args is not a useful diagnostic command).

Adds a 7-case parameterised test (DefaultPolicy_AllowsCommonDiagCommandsWithAndWithoutArgs)
covering no-arg and with-arg variants of each changed pattern.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
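
The matching behaviour described in the PR summary, as an added example that is not part of the PR or the project's code. It assumes the glob-to-regex conversion is "escape, turn the escaped * into .*, anchor both ends" (which reproduces the regexes quoted above), and compares the old and new default patterns with a third bare-or-args form that the PR does not contain; FromGlob, the class name and the sample commands are hypothetical.

```csharp
using System;
using System.Text.RegularExpressions;

static class ExecPatternDemo
{
    // Assumed glob-to-regex conversion (hypothetical helper, not the project's code):
    // escape the pattern, turn the escaped '*' into '.*', anchor both ends.
    // It reproduces the regexes quoted in the PR, e.g. "ipconfig *" -> ^ipconfig\ .*$
    static Regex FromGlob(string glob) =>
        new Regex("^" + Regex.Escape(glob).Replace(@"\*", ".*") + "$",
                  RegexOptions.CultureInvariant);

    static void Main()
    {
        var forms = new (string Name, Regex Rx)[]
        {
            ("old glob \"ipconfig *\"", FromGlob("ipconfig *")),
            ("new glob \"ipconfig*\"", FromGlob("ipconfig*")),
            // Alternative that is not part of the PR: the bare command,
            // or the command followed by a space and arguments.
            ("bare-or-args regex",
             new Regex(@"^ipconfig(\ .*)?$", RegexOptions.CultureInvariant)),
        };

        // Constructed inputs: the first two are cases from the PR's test list;
        // the last is a made-up command name that merely starts with "ipconfig".
        string[] commands = { "ipconfig", "ipconfig /all", "ipconfig-helper /x" };

        foreach (var (name, rx) in forms)
        {
            Console.WriteLine($"{name}  ({rx})");
            foreach (var cmd in commands)
            {
                string verdict = rx.IsMatch(cmd) ? "allow" : "deny";
                Console.WriteLine($"  {verdict,-5}  {cmd}");
            }
        }
    }
}
```

Under these assumptions the old glob allows only the with-args line, the new glob allows all three inputs, and the bare-or-args form allows the first two.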