开启 elevated 后仍报 permission denied 的最小排障手册

• Gateway config can be edited and restarted safely.
• Your sender account is expected to be in elevated allowlist.

1. Run a baseline check: openclaw gateway status and confirm gateway is healthy before changing permissions.
2. Set session-level elevated mode explicitly (/elevated ask or /elevated full) and verify it is acknowledged in the same session.
3. Validate allowlist + provider mapping: ensure tools.elevated.allowFrom.<provider> includes your account and no per-agent override blocks it.
4. Re-run the failing command from workspace path first; only then test host paths requiring elevated host execution.
5. If still denied, inspect ask/security policy to confirm command is blocked by policy rather than missing elevated.

• /elevated on|ask does not force full security override; command can still be denied by policy.
• Avoid testing with sensitive root paths first; verify with harmless commands before high-risk operations.

This tip is aggregated from community/public sources and preserved with attribution.