docs: refresh exec host and elevated refs

docs/gateway/sandbox-vs-tool-policy-vs-elevated.md

@@ -11,7 +11,7 @@ OpenClaw has three related (but different) controls:
 
 1. **Sandbox** (`agents.defaults.sandbox.*` / `agents.list[].sandbox.*`) decides **where tools run** (Docker vs host).
 2. **Tool policy** (`tools.*`, `tools.sandbox.tools.*`, `agents.list[].tools.*`) decides **which tools are available/allowed**.
-3. **Elevated** (`tools.elevated.*`, `agents.list[].tools.elevated.*`) is an **exec-only escape hatch** to run on the host when you’re sandboxed.
+3. **Elevated** (`tools.elevated.*`, `agents.list[].tools.elevated.*`) is an **exec-only escape hatch** to run outside the sandbox when you’re sandboxed (`gateway` by default, or `node` when the exec target is configured to `node`).
 
 ## Quick debug
 
@@ -99,10 +99,11 @@ Available groups:
 
 Elevated does **not** grant extra tools; it only affects `exec`.
 
-- If you’re sandboxed, `/elevated on` (or `exec` with `elevated: true`) runs on the host (approvals may still apply).
+- If you’re sandboxed, `/elevated on` (or `exec` with `elevated: true`) runs outside the sandbox (approvals may still apply).
 - Use `/elevated full` to skip exec approvals for the session.
 - If you’re already running direct, elevated is effectively a no-op (still gated).
 - Elevated is **not** skill-scoped and does **not** override tool allow/deny.
+- Elevated does not grant arbitrary cross-host overrides from `host=auto`; it follows the normal exec target rules and only preserves `node` when the configured/session target is already `node`.
 - `/exec` is separate from elevated. It only adjusts per-session exec defaults for authorized senders.
 
 Gates:

docs/nodes/index.md

@@ -164,7 +164,7 @@ Or per session:
 Once set, any `exec` call with `host=node` runs on the node host (subject to the
 node allowlist/approvals).
 
-`host=auto` will not silently hop to the node just because a tool call requests it. If you want node exec, set `tools.exec.host=node` or `/exec host=node ...` explicitly.
+`host=auto` will not implicitly choose the node on its own, but an explicit per-call `host=node` request is allowed from `auto`. If you want node exec to be the default for the session, set `tools.exec.host=node` or `/exec host=node ...` explicitly.
 
 Related:
 

docs/tools/elevated.md

@@ -1,5 +1,5 @@
 ---
-summary: "Elevated exec mode: run commands on the gateway host from a sandboxed agent"
+summary: "Elevated exec mode: run commands outside the sandbox from a sandboxed agent"
 read_when:
   - Adjusting elevated mode defaults, allowlists, or slash command behavior
   - Understanding how sandboxed agents can access the host
@@ -10,7 +10,7 @@ title: "Elevated Mode"
 
 When an agent runs inside a sandbox, its `exec` commands are confined to the
 sandbox environment. **Elevated mode** lets the agent break out and run commands
-on the gateway host instead, with configurable approval gates.
+outside the sandbox instead, with configurable approval gates.
 
 <Info>
   Elevated mode only changes behavior when the agent is **sandboxed**. For
@@ -21,12 +21,12 @@ on the gateway host instead, with configurable approval gates.
 
 Control elevated mode per-session with slash commands:
 
-| Directive        | What it does                                        |
-| ---------------- | --------------------------------------------------- |
-| `/elevated on`   | Run on the gateway host, keep exec approvals        |
-| `/elevated ask`  | Same as `on` (alias)                                |
-| `/elevated full` | Run on the gateway host **and** skip exec approvals |
-| `/elevated off`  | Return to sandbox-confined execution                |
+| Directive        | What it does                                                           |
+| ---------------- | ---------------------------------------------------------------------- |
+| `/elevated on`   | Run outside the sandbox on the configured host path, keep approvals    |
+| `/elevated ask`  | Same as `on` (alias)                                                   |
+| `/elevated full` | Run outside the sandbox on the configured host path and skip approvals |
+| `/elevated off`  | Return to sandbox-confined execution                                   |
 
 Also available as `/elev on|off|ask|full`.
 
@@ -69,9 +69,10 @@ Send `/elevated` with no argument to see the current level.
 
   </Step>
 
-  <Step title="Commands run on the host">
-    With elevated active, `exec` calls route to the gateway host instead of the
-    sandbox. In `full` mode, exec approvals are skipped. In `on`/`ask` mode,
+  <Step title="Commands run outside the sandbox">
+    With elevated active, `exec` calls leave the sandbox. The effective host is
+    `gateway` by default, or `node` when the configured/session exec target is
+    `node`. In `full` mode, exec approvals are skipped. In `on`/`ask` mode,
     configured approval rules still apply.
   </Step>
 </Steps>
@@ -104,6 +105,7 @@ Allowlist entry formats:
 ## What elevated does not control
 
 - **Tool policy**: if `exec` is denied by tool policy, elevated cannot override it
+- **Host selection policy**: elevated does not turn `auto` into a free cross-host override. It uses the configured/session exec target rules, choosing `node` only when the target is already `node`.
 - **Separate from `/exec`**: the `/exec` directive adjusts per-session exec defaults for authorized senders and does not require elevated mode
 
 ## Related

docs/tools/exec-approvals.md

@@ -108,7 +108,7 @@ Important distinction:
 
 - `tools.exec.host=auto` chooses where exec runs: sandbox when available, otherwise gateway.
 - YOLO chooses how host exec is approved: `security=full` plus `ask=off`.
-- `auto` does not let a tool call override a sandboxed session to `gateway` or `node`. If you want a different host, set `tools.exec.host` or use `/exec host=...` explicitly.
+- `auto` does not make gateway routing a free override from a sandboxed session. A per-call `host=node` request is allowed from `auto`, and `host=gateway` is only allowed from `auto` when no sandbox runtime is active. If you want a stable non-auto default, set `tools.exec.host` or use `/exec host=...` explicitly.
 
 If you want a more conservative setup, tighten either layer back to `allowlist` / `on-miss`
 or `deny`.

docs/tools/exec.md

@@ -25,14 +25,14 @@ Background sessions are scoped per agent; `process` only sees sessions from the
 - `security` (`deny | allowlist | full`): enforcement mode for `gateway`/`node`
 - `ask` (`off | on-miss | always`): approval prompts for `gateway`/`node`
 - `node` (string): node id/name for `host=node`
-- `elevated` (bool): request elevated mode (gateway host); `security=full` is only forced when elevated resolves to `full`
+- `elevated` (bool): request elevated mode (escape the sandbox onto the configured host path); `security=full` is only forced when elevated resolves to `full`
 
 Notes:
 
 - `host` defaults to `auto`: sandbox when sandbox runtime is active for the session, otherwise gateway.
-- `auto` is only the default routing strategy. It is not a wildcard override that lets a tool call jump from sandbox to gateway or node.
+- `auto` is the default routing strategy, not a wildcard. Per-call `host=node` is allowed from `auto`; per-call `host=gateway` is only allowed when no sandbox runtime is active.
 - With no extra config, `host=auto` still "just works": no sandbox means it resolves to `gateway`; a live sandbox means it stays in the sandbox.
-- `elevated` forces `host=gateway`; it is only available when elevated access is enabled for the current session/provider.
+- `elevated` escapes the sandbox onto the configured host path: `gateway` by default, or `node` when `tools.exec.host=node` (or the session default is `host=node`). It is only available when elevated access is enabled for the current session/provider.
 - `gateway`/`node` approvals are controlled by `~/.openclaw/exec-approvals.json`.
 - `node` requires a paired node (companion app or headless node host).
 - If multiple nodes are available, set `exec.node` or `tools.exec.node` to select one.