OpenClaw CLI scope-upgrade approval deadlocks and forces openclaw agent into embedded fallback #4462

@zyang-dev

Description

NemoClaw/OpenClaw appears to auto-pair the CLI device with a minimal operator.pairing scope. In that state, openclaw devices list --json works and shows the CLI under paired, but only with operator.pairing.

When openclaw agent runs, the CLI asks the gateway for broader operator scopes such as operator.read and operator.write. The gateway correctly creates a pending scope-upgrade request and rejects the connection until that upgrade is approved. However, trying to approve the request with openclaw devices approve fails because the approve command itself appears to connect using the broader unapproved scope set, causing the same scope upgrade pending approval error.

This creates a deadlock: the CLI has enough permission to see the pending request, but not enough to approve it, and the approval command cannot complete because it requires the very scope upgrade it is trying to approve.

The practical impact is that openclaw agent repeatedly falls back to embedded mode instead of using the gateway. In embedded mode, the gateway-managed tool surface is unavailable or reduced, and OpenShell shows no tool/network events. This makes tool-call failures look like tools are being swallowed, when the earlier failure is actually gateway device-auth scope approval.

Reproduction Steps

Repro Steps

  1. Start from a NemoClaw/OpenClaw sandbox where the CLI has been auto-paired with only operator.pairing.

  2. Run an agent turn inside the sandbox:

    nemoclaw my-assistant connect
    openclaw agent --agent main --session-id repro-scope-upgrade -m 'Reply exactly: OK'

  3. Observe that the gateway connection fails and OpenClaw falls back to embedded mode:

    gateway connect failed: GatewayClientRequestError: scope upgrade pending approval (requestId: ...)
    EMBEDDED FALLBACK: Gateway agent failed; running embedded agent
    
  4. List paired and pending devices from the host:

    nemoclaw my-assistant exec -- sh -lc '. /tmp/nemoclaw-proxy-env.sh; openclaw devices list --json'

  5. Observe that the CLI is paired with only operator.pairing, while a pending upgrade asks for broader operator scopes:

    {
      "pending": [
        {
          "clientId": "cli",
          "clientMode": "cli",
          "role": "operator",
          "scopes": ["operator.write", "operator.pairing", "operator.read"]
        }
      ],
      "paired": [
        {
          "clientId": "cli",
          "clientMode": "cli",
          "role": "operator",
          "scopes": ["operator.pairing"]
        }
      ]
    }

  6. Attempt to approve the pending request:

    nemoclaw my-assistant exec -- sh -lc '. /tmp/nemoclaw-proxy-env.sh; openclaw devices approve <requestId> --json'

  7. Observe that approval fails with the same pending scope-upgrade error:

    gateway connect failed: GatewayClientRequestError: scope upgrade pending approval (requestId: <same-id>)
    

Environment

OS: Ubuntu 24.04
Node.js: v22.22.1
Docker version 29.1.3, build f52814d
nemoclaw v0.0.53

Checklist

  • I confirmed this bug is reproducible
  • I searched existing issues and this is not a duplicate
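
A triage check for the state described in this report, as an added example that is not part of the original issue or of OpenClaw's code: it takes the parsed output of openclaw devices list --json, in the shape shown in step 5, and reports clients whose pending request asks for scopes beyond the ones they already hold. Matching entries by clientId and role, the function name, and the approverClientId parameter are assumptions made for this example.

```javascript
// Added example, not OpenClaw code. The input shape follows the JSON shown in
// the issue; matching entries by clientId + role is an assumption.
function findScopeUpgradeDeadlocks(deviceList, approverClientId = "cli") {
  const paired = deviceList.paired ?? [];
  const findings = [];
  for (const request of deviceList.pending ?? []) {
    const current = paired.find(
      (d) => d.clientId === request.clientId && d.role === request.role
    );
    if (!current) continue; // first-time pairing, not a scope upgrade
    const held = new Set(current.scopes ?? []);
    const missing = (request.scopes ?? []).filter((s) => !held.has(s)).sort();
    if (missing.length === 0) continue; // nothing new is being requested
    findings.push({
      clientId: request.clientId,
      role: request.role,
      heldScopes: [...held].sort(),
      missingScopes: missing,
      // The state from the issue: the client that would run
      // `openclaw devices approve` is the one waiting for the upgrade.
      blocksSelfApproval: request.clientId === approverClientId,
    });
  }
  return findings;
}

// Constructed sample, copied from the trimmed output in step 5 of the issue.
const sampleDeviceList = {
  pending: [
    { clientId: "cli", clientMode: "cli", role: "operator",
      scopes: ["operator.write", "operator.pairing", "operator.read"] },
  ],
  paired: [
    { clientId: "cli", clientMode: "cli", role: "operator",
      scopes: ["operator.pairing"] },
  ],
};

for (const f of findScopeUpgradeDeadlocks(sampleDeviceList)) {
  console.log(
    `${f.clientId}/${f.role}: holds [${f.heldScopes.join(", ")}], ` +
    `pending upgrade adds [${f.missingScopes.join(", ")}]` +
    (f.blocksSelfApproval ? " (approver is the blocked client)" : "")
  );
}
```

To check a live sandbox, pass the function the result of JSON.parse on the output of the command in step 4 instead of the constructed sample.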

Labels: needs: triage (Awaiting maintainer classification)