openclaw
diff --git a/‎CHANGELOG.md‎
Lines changed: 1 addition & 0 deletions b/‎CHANGELOG.md‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎extensions/device-pair/index.test.ts‎
Lines changed: 131 additions & 30 deletions b/‎extensions/device-pair/index.test.ts‎
Lines changed: 131 additions & 30 deletions
diff --git a/‎extensions/device-pair/index.ts‎
Lines changed: 6 additions & 24 deletions b/‎extensions/device-pair/index.ts‎
Lines changed: 6 additions & 24 deletions
@@ -46,6 +46,7 @@ Docs: https://docs.openclaw.ai
 
 ### Fixes
 
+- fix(device-pair): require pairing scope for pair command [AI]. (#76377) Thanks @pgondhi987.
 - fix(qqbot): keep private commands off framework surface [AI]. (#77212) Thanks @pgondhi987.
 - Memory/wiki: preserve representation from both corpora in `corpus=all` searches while backfilling unused result capacity, so memory hits are not starved by numerically higher wiki integer scores. Fixes #77337. Thanks @hclsys.
 - Telegram: clean up tool-only draft previews after assistant message boundaries so transient `Surfacing...` tool-status bubbles do not linger when no matching final preview arrives. Thanks @BunsDev.
 
@@ -258,6 +258,7 @@ describe("device-pair /pair qr", () => {
 
   it("returns an inline QR image for webchat surfaces", async () => {
     const command = registerPairCommand();
+    expect(command.requiredScopes).toEqual(["operator.pairing"]);
     const result = await command.handler(
       createCommandContext({
         channel: "webchat",
@@ -296,7 +297,24 @@ describe("device-pair /pair qr", () => {
 
     expect(pluginApiMocks.issueDeviceBootstrapToken).not.toHaveBeenCalled();
     expect(result).toEqual({
-      text: "⚠️ This command requires operator.pairing for internal gateway callers.",
+      text: "⚠️ This command requires operator.pairing.",
+    });
+  });
+
+  it("rejects qr setup for non-gateway command surfaces without pairing scopes", async () => {
+    const command = registerPairCommand();
+    const result = await command.handler(
+      createCommandContext({
+        channel: "telegram",
+        args: "qr",
+        commandBody: "/pair qr",
+        gatewayClientScopes: undefined,
+      }),
+    );
+
+    expect(pluginApiMocks.issueDeviceBootstrapToken).not.toHaveBeenCalled();
+    expect(result).toEqual({
+      text: "⚠️ This command requires operator.pairing.",
     });
   });
 
@@ -433,7 +451,12 @@ describe("device-pair /pair qr", () => {
       runtime: createChannelRuntime(testCase.runtimeKey, testCase.sendKey, sendMessage),
     });
 
-    const result = await command.handler(createCommandContext(testCase.ctx));
+    const result = await command.handler(
+      createCommandContext({
+        ...testCase.ctx,
+        gatewayClientScopes: INTERNAL_PAIRING_SCOPES,
+      }),
+    );
     const text = requireText(result);
 
     expect(sendMessage).toHaveBeenCalledTimes(1);
@@ -479,6 +502,7 @@ describe("device-pair /pair qr", () => {
       createCommandContext({
         channel: "discord",
         senderId: "123",
+        gatewayClientScopes: INTERNAL_PAIRING_SCOPES,
       }),
     );
     const text = requireText(result);
@@ -497,6 +521,7 @@ describe("device-pair /pair qr", () => {
       createCommandContext({
         channel: "msteams",
         senderId: "8:orgid:123",
+        gatewayClientScopes: INTERNAL_PAIRING_SCOPES,
       }),
     );
     const text = requireText(result);
@@ -514,6 +539,7 @@ describe("device-pair /pair qr", () => {
         channel: "telegram",
         args: "cleanup",
         commandBody: "/pair cleanup",
+        gatewayClientScopes: INTERNAL_PAIRING_SCOPES,
       }),
     );
 
@@ -534,7 +560,7 @@ describe("device-pair /pair qr", () => {
 
     expect(pluginApiMocks.clearDeviceBootstrapTokens).not.toHaveBeenCalled();
     expect(result).toEqual({
-      text: "⚠️ This command requires operator.pairing for internal gateway callers.",
+      text: "⚠️ This command requires operator.pairing.",
     });
   });
 
@@ -551,7 +577,24 @@ describe("device-pair /pair qr", () => {
 
     expect(pluginApiMocks.clearDeviceBootstrapTokens).not.toHaveBeenCalled();
     expect(result).toEqual({
-      text: "⚠️ This command requires operator.pairing for internal gateway callers.",
+      text: "⚠️ This command requires operator.pairing.",
+    });
+  });
+
+  it("rejects status for non-gateway command surfaces without pairing scopes", async () => {
+    const command = registerPairCommand();
+    const result = await command.handler(
+      createCommandContext({
+        channel: "telegram",
+        args: "status",
+        commandBody: "/pair status",
+        gatewayClientScopes: undefined,
+      }),
+    );
+
+    expect(vi.mocked(listDevicePairing)).not.toHaveBeenCalled();
+    expect(result).toEqual({
+      text: "⚠️ This command requires operator.pairing.",
     });
   });
 });
@@ -578,7 +621,7 @@ describe("device-pair /pair default setup code", () => {
 
     expect(pluginApiMocks.issueDeviceBootstrapToken).not.toHaveBeenCalled();
     expect(result).toEqual({
-      text: "⚠️ This command requires operator.pairing for internal gateway callers.",
+      text: "⚠️ This command requires operator.pairing.",
     });
   });
 
@@ -595,7 +638,7 @@ describe("device-pair /pair default setup code", () => {
 
     expect(pluginApiMocks.issueDeviceBootstrapToken).not.toHaveBeenCalled();
     expect(result).toEqual({
-      text: "⚠️ This command requires operator.pairing for internal gateway callers.",
+      text: "⚠️ This command requires operator.pairing.",
     });
   });
 
@@ -612,10 +655,44 @@ describe("device-pair /pair default setup code", () => {
 
     expect(pluginApiMocks.issueDeviceBootstrapToken).not.toHaveBeenCalled();
     expect(result).toEqual({
-      text: "⚠️ This command requires operator.pairing for internal gateway callers.",
+      text: "⚠️ This command requires operator.pairing.",
     });
   });
 
+  it("fails closed for non-gateway setup code issuance when scopes are absent", async () => {
+    const command = registerPairCommand();
+    const result = await command.handler(
+      createCommandContext({
+        channel: "telegram",
+        args: "",
+        commandBody: "/pair",
+        gatewayClientScopes: undefined,
+      }),
+    );
+
+    expect(pluginApiMocks.issueDeviceBootstrapToken).not.toHaveBeenCalled();
+    expect(result).toEqual({
+      text: "⚠️ This command requires operator.pairing.",
+    });
+  });
+
+  it("allows command owners to issue setup codes from non-gateway command surfaces", async () => {
+    const command = registerPairCommand();
+    const result = await command.handler(
+      createCommandContext({
+        channel: "telegram",
+        args: "",
+        commandBody: "/pair",
+        gatewayClientScopes: undefined,
+        senderIsOwner: true,
+      }),
+    );
+    const text = requireText(result);
+
+    expect(pluginApiMocks.issueDeviceBootstrapToken).toHaveBeenCalledTimes(1);
+    expect(text).toContain("Pairing setup code generated.");
+  });
+
   it("normalizes secure bare publicUrl host ports before issuing setup codes", async () => {
     const command = registerPairCommand({
       config: {
@@ -909,7 +986,7 @@ describe("device-pair /pair approve", () => {
 
     expect(vi.mocked(approveDevicePairing)).not.toHaveBeenCalled();
     expect(result).toEqual({
-      text: "⚠️ This command requires operator.pairing for internal gateway callers.",
+      text: "⚠️ This command requires operator.pairing.",
     });
   });
 
@@ -924,7 +1001,24 @@ describe("device-pair /pair approve", () => {
     expect(result).toEqual({ text: "✅ Paired Victim Phone (ios)." });
   });
 
-  it("does not force an empty caller scope context for external approvals", async () => {
+  it("rejects non-gateway approvals without pairing scopes", async () => {
+    const command = registerPairCommand();
+    const result = await command.handler(
+      createCommandContext({
+        channel: "telegram",
+        args: "approve latest",
+        commandBody: "/pair approve latest",
+        gatewayClientScopes: undefined,
+      }),
+    );
+
+    expect(vi.mocked(approveDevicePairing)).not.toHaveBeenCalled();
+    expect(result).toEqual({
+      text: "⚠️ This command requires operator.pairing.",
+    });
+  });
+
+  it("allows command owners to approve from non-gateway command surfaces", async () => {
     mockPendingPairingList();
     vi.mocked(approveDevicePairing).mockResolvedValueOnce(makeApprovedPairingResult());
 
@@ -935,10 +1029,32 @@ describe("device-pair /pair approve", () => {
         args: "approve latest",
         commandBody: "/pair approve latest",
         gatewayClientScopes: undefined,
+        senderIsOwner: true,
       }),
     );
 
-    expect(vi.mocked(approveDevicePairing)).toHaveBeenCalledWith("req-1");
+    expect(vi.mocked(approveDevicePairing)).toHaveBeenCalledWith("req-1", {
+      callerScopes: ["operator.pairing"],
+    });
+    expect(result).toEqual({ text: "✅ Paired Victim Phone (ios)." });
+  });
+
+  it("preserves gateway caller scopes for command-owner approvals", async () => {
+    mockPendingPairingList();
+    vi.mocked(approveDevicePairing).mockResolvedValueOnce(makeApprovedPairingResult());
+
+    const command = registerPairCommand();
+    const result = await command.handler(
+      createCommandContext({
+        channel: "telegram",
+        args: "approve latest",
+        commandBody: "/pair approve latest",
+        gatewayClientScopes: INTERNAL_PAIRING_SCOPES,
+        senderIsOwner: true,
+      }),
+    );
+
+    expectApproveCalledWithInternalPairingScopes();
     expect(result).toEqual({ text: "✅ Paired Victim Phone (ios)." });
   });
 
@@ -957,7 +1073,7 @@ describe("device-pair /pair approve", () => {
 
     expect(vi.mocked(approveDevicePairing)).not.toHaveBeenCalled();
     expect(result).toEqual({
-      text: "⚠️ This command requires operator.pairing for internal gateway callers.",
+      text: "⚠️ This command requires operator.pairing.",
     });
   });
 
@@ -978,36 +1094,21 @@ describe("device-pair /pair approve", () => {
     });
   });
 
-  it("preserves approvals for non-gateway command surfaces", async () => {
+  it("approves from command surfaces that carry pairing scopes", async () => {
     mockPendingPairingList();
-    vi.mocked(approveDevicePairing).mockResolvedValueOnce(
-      makeApprovedPairingResult({
-        device: {
-          scopes: ["operator.admin"],
-          approvedScopes: ["operator.admin"],
-          tokens: {
-            operator: {
-              token: "token-1",
-              role: "operator",
-              scopes: ["operator.admin"],
-              createdAtMs: Date.now(),
-            },
-          },
-        },
-      }),
-    );
+    vi.mocked(approveDevicePairing).mockResolvedValueOnce(makeApprovedPairingResult());
 
     const command = registerPairCommand();
     const result = await command.handler(
       createCommandContext({
         channel: "telegram",
         args: "approve latest",
         commandBody: "/pair approve latest",
-        gatewayClientScopes: undefined,
+        gatewayClientScopes: INTERNAL_PAIRING_SCOPES,
       }),
     );
 
-    expect(vi.mocked(approveDevicePairing)).toHaveBeenCalledWith("req-1");
+    expectApproveCalledWithInternalPairingScopes();
     expect(result).toEqual({ text: "✅ Paired Victim Phone (ios)." });
   });
 });
@@ -579,20 +579,6 @@ function resolveQrReplyTarget(ctx: QrCommandContext): string {
   );
 }
 
-const PAIR_SETUP_NON_ISSUING_ACTIONS = new Set([
-  "approve",
-  "cleanup",
-  "clear",
-  "notify",
-  "pending",
-  "revoke",
-  "status",
-]);
-
-function issuesPairSetupCode(action: string): boolean {
-  return !action || action === "qr" || !PAIR_SETUP_NON_ISSUING_ACTIONS.has(action);
-}
-
 async function issueSetupPayload(url: string): Promise<SetupPayload> {
   const { issueDeviceBootstrapToken, PAIRING_SETUP_BOOTSTRAP_PROFILE } =
     await loadDevicePairApiModule();
@@ -661,6 +647,7 @@ export default definePluginEntry({
       name: "pair",
       description: "Generate setup codes and approve device pairing requests.",
       acceptsArgs: true,
+      requiredScopes: ["operator.pairing"],
       handler: async (ctx) => {
         const args = normalizeOptionalString(ctx.args) ?? "";
         const tokens = args.split(/\s+/).filter(Boolean);
@@ -673,13 +660,18 @@ export default definePluginEntry({
         const authState = resolvePairingCommandAuthState({
           channel: ctx.channel,
           gatewayClientScopes,
+          senderIsOwner: ctx.senderIsOwner,
         });
         api.logger.info?.(
           `device-pair: /pair invoked channel=${ctx.channel} sender=${ctx.senderId ?? "unknown"} action=${
             action || "new"
           }`,
         );
 
+        if (authState.isMissingPairingPrivilege) {
+          return buildMissingPairingScopeReply();
+        }
+
         if (action === "status" || action === "pending") {
           const [{ listDevicePairing }, { formatPendingRequests }] = await Promise.all([
             loadDevicePairApiModule(),
@@ -700,9 +692,6 @@ export default definePluginEntry({
         }
 
         if (action === "approve") {
-          if (authState.isMissingInternalPairingPrivilege) {
-            return buildMissingPairingScopeReply();
-          }
           const [
             { listDevicePairing },
             { approvePendingPairingRequest, selectPendingApprovalRequest },
@@ -726,9 +715,6 @@ export default definePluginEntry({
         }
 
         if (action === "cleanup" || action === "clear" || action === "revoke") {
-          if (authState.isMissingInternalPairingPrivilege) {
-            return buildMissingPairingScopeReply();
-          }
           const { clearDeviceBootstrapTokens } = await loadDevicePairApiModule();
           const cleared = await clearDeviceBootstrapTokens();
           return {
@@ -743,10 +729,6 @@ export default definePluginEntry({
         if (authLabelResult.error) {
           return { text: `Error: ${authLabelResult.error}` };
         }
-        if (issuesPairSetupCode(action) && authState.isMissingInternalPairingPrivilege) {
-          return buildMissingPairingScopeReply();
-        }
-
         const urlResult = await resolveMobilePairingGatewayUrl(api);
         if (!urlResult.url) {
           return { text: `Error: ${urlResult.error ?? "Gateway URL unavailable."}` };