Skip to main content

Approve & Go

This page shows you how to approve pending SLAW instances in the Botfather approval queue — and how to set up auto-approve rules so future enrollments go straight to active without manual review.

Prerequisites
  • Botfather is running and the admin UI is open at http://localhost:5174
  • At least one SLAW instance has been configured with botfather.url and is waiting for approval (see Enroll an Instance)

The approval queue

When a SLAW instance enrolls with your tower for the first time, it lands in the pending state in the approval queue. The instance's SLAW UI shows a blocking gate until an Operator approves or rejects it.

Navigate to Approvals & Admin in the Botfather UI to see the queue.

Each pending request shows:

  • Machine ID — a stable fingerprint of the physical machine
  • Hostname — the machine's hostname at enrollment time
  • Instance ID — the specific SLAW instance on that machine
  • Requested at — when the enrollment request arrived

Approving or rejecting an instance

Select a pending request and choose Approve or Reject.

  • Approve — the tower issues a per-instance API key. The instance polls, receives the key, transitions to active, and the SLAW gate lifts.
  • Reject — the instance stays gated. The instance's state shows rejected. The instance can retry by re-enrolling (the Operator can reconsider later).

Once an instance is active, its metadata starts syncing to the tower within a minute.

Revoking an active instance

To remove an instance's access from the tower, use the Revoke action on the instance's entry in the Fleet or Approvals & Admin screen.

Revocation invalidates the per-instance API key immediately. The instance transitions to revoked state — its SLAW UI shows the gate again (in enforce mode). If the instance attempts to re-enroll, it re-enters the approval queue as a new request.

Auto-approve rules

For predictable fleets — a CI pool, a team's dev machines, a standardised MDM rollout — approving every instance by hand does not scale. Auto-approve rules match incoming enrollment requests against a pattern; matching requests are approved instantly and the tower issues an API key without queuing.

How rules work

A rule has two fields:

FieldValuesWhat it matches
fieldhostname or machineIdWhich property of the enrolling instance to test
patternA glob stringSupports * as a wildcard; case-insensitive

Examples:

PatternFieldMatches
*-ENG-*hostnameAny host whose name contains -ENG-
*.corp.example.comhostnameAll machines on a corporate domain
mch_abc123machineIdOne specific machine by its stable ID

Rules are evaluated in order; the first match wins. If no rule matches, the instance lands in the pending queue for manual review.

Creating a rule in the UI

  1. Open Approvals & Admin in the Botfather UI.
  2. Scroll to Auto-approve rules and select Add rule.
  3. Choose hostname or machineId from the Field dropdown.
  4. Enter the glob pattern in the Pattern field.
  5. Save. The rule applies immediately to the next enrollment request.

Existing pending requests are not retroactively approved — use the approval queue for those.

Testing a rule before deploying

Before applying a broad pattern like *, test it against a known hostname or machine ID. The glob uses * as the only wildcard (it maps to .* in the underlying regex). ? is not a wildcard here — it matches a literal ? character.

A pattern of * matches everything. Use it only in a trusted private network where any machine that can reach the tower is allowed to join.

What happens after approval

Once active:

  • The instance syncs squad, agent, and cost metadata to the tower on a ~60-second heartbeat cycle.
  • The Fleet view shows the instance as online.
  • Budget limits set in the tower begin enforcing on the next heartbeat response.
  • If reportIssueTitles is enabled (the default), issue titles flow to the tower's issues view. Issue bodies and logs never leave the instance.

Verification

Confirm the instance came through cleanly:

  1. The instance shows active. In Approvals & Admin (or the instance's Fleet entry) its state reads active, not pending or rejected.
  2. It appears online in the Fleet view. Within about a minute of approval, the instance shows as online in Fleet View.
  3. Metadata is syncing. Squad and agent counts and cost tiles populate on the instance detail screen as the ~60-second heartbeat cycle runs. An instance that approved but never reports will flip to offline/stale — if that happens, check the SLAW side's gate state and botfather.url.
  4. The SLAW gate has lifted. On the instance machine, the SLAW UI no longer shows the blocking enrollment gate.

For an auto-approve rule, enroll one test instance that matches the pattern and confirm it reaches active without ever entering the pending queue.

Next steps

  • Fleet View — see every enrolled instance, its status, and its spend at a glance
  • Budgets & Limits — set fleet-wide cost and token caps that push down to enrolled instances
  • Alerts — configure notifications for offline instances, budget breaches, and spend spikes