openclaw
diff --git a/‎CHANGELOG.md‎
Lines changed: 1 addition & 0 deletions b/‎CHANGELOG.md‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎extensions/device-pair/index.test.ts‎
Lines changed: 50 additions & 15 deletions b/‎extensions/device-pair/index.test.ts‎
Lines changed: 50 additions & 15 deletions
diff --git a/‎extensions/device-pair/index.ts‎
Lines changed: 9 additions & 2 deletions b/‎extensions/device-pair/index.ts‎
Lines changed: 9 additions & 2 deletions
diff --git a/‎extensions/device-pair/pair-command-auth.test.ts‎
Lines changed: 18 additions & 1 deletion b/‎extensions/device-pair/pair-command-auth.test.ts‎
Lines changed: 18 additions & 1 deletion
diff --git a/‎extensions/device-pair/pair-command-auth.ts‎
Lines changed: 22 additions & 5 deletions b/‎extensions/device-pair/pair-command-auth.ts‎
Lines changed: 22 additions & 5 deletions
@@ -10,6 +10,7 @@ Docs: https://docs.openclaw.ai
 
 ### Fixes
 
+- Gateway: require Talk secret authority before setup-code handoff can include Talk secrets.
 - Agents/commitments: serialize commitment store load-modify-save writes so concurrent heartbeat and CLI updates no longer lose dismissal, sent, or attempt state. (#81153) Thanks @ai-hpc.
 - Gateway/perf: tighten restart and startup benchmark failure handling so long profiling runs, failed probes, and fresh Linux runners no longer produce false passing or `n/a` results.
 - Checks: keep intentional Knip unused-file findings optional so full CI and sparse proof workspaces stay aligned.
 
@@ -89,6 +89,7 @@ type ApprovedPairingResult = Extract<
 >;
 type ApprovedPairingDevice = ApprovedPairingResult["device"];
 const INTERNAL_PAIRING_SCOPES = ["operator.write", "operator.pairing"];
+const INTERNAL_SETUP_SCOPES = [...INTERNAL_PAIRING_SCOPES, "operator.talk.secrets"];
 
 function createApi(params?: {
   config?: OpenClawPluginApi["config"];
@@ -286,7 +287,7 @@ describe("device-pair /pair qr", () => {
     const result = await command.handler(
       createCommandContext({
         channel: "webchat",
-        gatewayClientScopes: ["operator.write", "operator.pairing"],
+        gatewayClientScopes: INTERNAL_SETUP_SCOPES,
       }),
     );
     const payload = result as { text?: string; mediaUrl?: string; sensitiveMedia?: boolean };
@@ -342,6 +343,23 @@ describe("device-pair /pair qr", () => {
     });
   });
 
+  it("rejects qr setup for internal callers without Talk secret scope", async () => {
+    const command = registerPairCommand();
+    const result = await command.handler(
+      createCommandContext({
+        channel: "webchat",
+        args: "qr",
+        commandBody: "/pair qr",
+        gatewayClientScopes: INTERNAL_PAIRING_SCOPES,
+      }),
+    );
+
+    expect(pluginApiMocks.issueDeviceBootstrapToken).not.toHaveBeenCalled();
+    expect(result).toEqual({
+      text: "⚠️ Setup code handoff includes Talk secrets and requires operator.talk.secrets.",
+    });
+  });
+
   it("reissues the bootstrap token if webchat QR rendering fails before falling back", async () => {
     pluginApiMocks.issueDeviceBootstrapToken
       .mockResolvedValueOnce({
@@ -358,7 +376,7 @@ describe("device-pair /pair qr", () => {
     const result = await command.handler(
       createCommandContext({
         channel: "webchat",
-        gatewayClientScopes: ["operator.write", "operator.pairing"],
+        gatewayClientScopes: INTERNAL_SETUP_SCOPES,
       }),
     );
     const text = requireText(result);
@@ -478,7 +496,7 @@ describe("device-pair /pair qr", () => {
     const result = await command.handler(
       createCommandContext({
         ...testCase.ctx,
-        gatewayClientScopes: INTERNAL_PAIRING_SCOPES,
+        gatewayClientScopes: INTERNAL_SETUP_SCOPES,
       }),
     );
     const text = requireText(result);
@@ -538,7 +556,7 @@ describe("device-pair /pair qr", () => {
       createCommandContext({
         channel: "discord",
         senderId: "123",
-        gatewayClientScopes: INTERNAL_PAIRING_SCOPES,
+        gatewayClientScopes: INTERNAL_SETUP_SCOPES,
       }),
     );
     const text = requireText(result);
@@ -557,7 +575,7 @@ describe("device-pair /pair qr", () => {
       createCommandContext({
         channel: "msteams",
         senderId: "8:orgid:123",
-        gatewayClientScopes: INTERNAL_PAIRING_SCOPES,
+        gatewayClientScopes: INTERNAL_SETUP_SCOPES,
       }),
     );
     const text = requireText(result);
@@ -678,6 +696,23 @@ describe("device-pair /pair default setup code", () => {
     });
   });
 
+  it("rejects setup code issuance for internal callers without Talk secret scope", async () => {
+    const command = registerPairCommand();
+    const result = await command.handler(
+      createCommandContext({
+        channel: "webchat",
+        args: "",
+        commandBody: "/pair",
+        gatewayClientScopes: INTERNAL_PAIRING_SCOPES,
+      }),
+    );
+
+    expect(pluginApiMocks.issueDeviceBootstrapToken).not.toHaveBeenCalled();
+    expect(result).toEqual({
+      text: "⚠️ Setup code handoff includes Talk secrets and requires operator.talk.secrets.",
+    });
+  });
+
   it("fails closed for webchat setup code issuance when scopes are absent", async () => {
     const command = registerPairCommand();
     const result = await command.handler(
@@ -749,7 +784,7 @@ describe("device-pair /pair default setup code", () => {
         channel: "webchat",
         args: "",
         commandBody: "/pair",
-        gatewayClientScopes: ["operator.write", "operator.pairing"],
+        gatewayClientScopes: INTERNAL_SETUP_SCOPES,
       }),
     );
     const text = requireText(result);
@@ -769,7 +804,7 @@ describe("device-pair /pair default setup code", () => {
         channel: "webchat",
         args: "",
         commandBody: "/pair",
-        gatewayClientScopes: ["operator.write", "operator.pairing"],
+        gatewayClientScopes: INTERNAL_SETUP_SCOPES,
       }),
     );
     const text = requireText(result);
@@ -789,7 +824,7 @@ describe("device-pair /pair default setup code", () => {
         channel: "webchat",
         args: "",
         commandBody: "/pair",
-        gatewayClientScopes: ["operator.write", "operator.pairing"],
+        gatewayClientScopes: INTERNAL_SETUP_SCOPES,
       }),
     );
 
@@ -808,7 +843,7 @@ describe("device-pair /pair default setup code", () => {
         channel: "webchat",
         args: "",
         commandBody: "/pair",
-        gatewayClientScopes: ["operator.write", "operator.pairing"],
+        gatewayClientScopes: INTERNAL_SETUP_SCOPES,
       }),
     );
 
@@ -827,7 +862,7 @@ describe("device-pair /pair default setup code", () => {
         channel: "webchat",
         args: "",
         commandBody: "/pair",
-        gatewayClientScopes: ["operator.write", "operator.pairing"],
+        gatewayClientScopes: INTERNAL_SETUP_SCOPES,
       }),
     );
 
@@ -861,7 +896,7 @@ describe("device-pair /pair default setup code", () => {
         channel: "webchat",
         args: "",
         commandBody: "/pair",
-        gatewayClientScopes: ["operator.write", "operator.pairing"],
+        gatewayClientScopes: INTERNAL_SETUP_SCOPES,
       }),
     );
 
@@ -890,7 +925,7 @@ describe("device-pair /pair default setup code", () => {
         channel: "webchat",
         args: "",
         commandBody: "/pair",
-        gatewayClientScopes: ["operator.write", "operator.pairing"],
+        gatewayClientScopes: INTERNAL_SETUP_SCOPES,
       }),
     );
     const text = requireText(result);
@@ -910,7 +945,7 @@ describe("device-pair /pair default setup code", () => {
         channel: "webchat",
         args: "",
         commandBody: "/pair",
-        gatewayClientScopes: ["operator.write", "operator.pairing"],
+        gatewayClientScopes: INTERNAL_SETUP_SCOPES,
       }),
     );
 
@@ -940,7 +975,7 @@ describe("device-pair /pair default setup code", () => {
         channel: "webchat",
         args: "",
         commandBody: "/pair",
-        gatewayClientScopes: ["operator.write", "operator.pairing"],
+        gatewayClientScopes: INTERNAL_SETUP_SCOPES,
       }),
     );
 
@@ -967,7 +1002,7 @@ describe("device-pair /pair default setup code", () => {
         channel: "webchat",
         args: "",
         commandBody: "/pair",
-        gatewayClientScopes: ["operator.write", "operator.pairing"],
+        gatewayClientScopes: INTERNAL_SETUP_SCOPES,
       }),
     );
 
 
@@ -672,8 +672,11 @@ export default definePluginEntry({
         const gatewayClientScopes = Array.isArray(ctx.gatewayClientScopes)
           ? ctx.gatewayClientScopes
           : undefined;
-        const { buildMissingPairingScopeReply, resolvePairingCommandAuthState } =
-          await loadPairCommandAuthModule();
+        const {
+          buildMissingPairingScopeReply,
+          buildMissingSetupHandoffScopeReply,
+          resolvePairingCommandAuthState,
+        } = await loadPairCommandAuthModule();
         const authState = resolvePairingCommandAuthState({
           channel: ctx.channel,
           gatewayClientScopes,
@@ -742,6 +745,10 @@ export default definePluginEntry({
           };
         }
 
+        if (authState.isMissingSetupHandoffPrivilege) {
+          return buildMissingSetupHandoffScopeReply();
+        }
+
         const authLabelResult = resolveAuthLabel(api.config);
         if (authLabelResult.error) {
           return { text: `Error: ${authLabelResult.error}` };
 
@@ -11,6 +11,7 @@ describe("device-pair pairing command auth", () => {
     ).toEqual({
       isInternalGatewayCaller: false,
       isMissingPairingPrivilege: true,
+      isMissingSetupHandoffPrivilege: true,
       approvalCallerScopes: undefined,
     });
   });
@@ -25,6 +26,7 @@ describe("device-pair pairing command auth", () => {
     ).toEqual({
       isInternalGatewayCaller: false,
       isMissingPairingPrivilege: false,
+      isMissingSetupHandoffPrivilege: false,
       approvalCallerScopes: ["operator.pairing"],
     });
   });
@@ -38,11 +40,12 @@ describe("device-pair pairing command auth", () => {
     ).toEqual({
       isInternalGatewayCaller: true,
       isMissingPairingPrivilege: true,
+      isMissingSetupHandoffPrivilege: true,
       approvalCallerScopes: [],
     });
   });
 
-  it("accepts pairing and admin scopes for internal callers", () => {
+  it("tracks pairing and setup-handoff privileges independently for internal callers", () => {
     expect(
       resolvePairingCommandAuthState({
         channel: "webchat",
@@ -51,8 +54,20 @@ describe("device-pair pairing command auth", () => {
     ).toEqual({
       isInternalGatewayCaller: true,
       isMissingPairingPrivilege: false,
+      isMissingSetupHandoffPrivilege: true,
       approvalCallerScopes: ["operator.write", "operator.pairing"],
     });
+    expect(
+      resolvePairingCommandAuthState({
+        channel: "webchat",
+        gatewayClientScopes: ["operator.write", "operator.pairing", "operator.talk.secrets"],
+      }),
+    ).toEqual({
+      isInternalGatewayCaller: true,
+      isMissingPairingPrivilege: false,
+      isMissingSetupHandoffPrivilege: false,
+      approvalCallerScopes: ["operator.write", "operator.pairing", "operator.talk.secrets"],
+    });
     expect(
       resolvePairingCommandAuthState({
         channel: "webchat",
@@ -61,6 +76,7 @@ describe("device-pair pairing command auth", () => {
     ).toEqual({
       isInternalGatewayCaller: true,
       isMissingPairingPrivilege: false,
+      isMissingSetupHandoffPrivilege: false,
       approvalCallerScopes: ["operator.admin"],
     });
   });
@@ -75,6 +91,7 @@ describe("device-pair pairing command auth", () => {
     ).toEqual({
       isInternalGatewayCaller: true,
       isMissingPairingPrivilege: false,
+      isMissingSetupHandoffPrivilege: true,
       approvalCallerScopes: ["operator.write", "operator.pairing"],
     });
   });
 
@@ -7,15 +7,27 @@ type PairingCommandAuthParams = {
 type PairingCommandAuthState = {
   isInternalGatewayCaller: boolean;
   isMissingPairingPrivilege: boolean;
+  isMissingSetupHandoffPrivilege: boolean;
   approvalCallerScopes?: readonly string[];
 };
 
 const COMMAND_OWNER_PAIRING_SCOPES = ["operator.pairing"] as const;
+const PAIRING_SCOPE = "operator.pairing";
+const ADMIN_SCOPE = "operator.admin";
+const TALK_SECRETS_SCOPE = "operator.talk.secrets";
 
 function isInternalGatewayPairingCaller(params: PairingCommandAuthParams): boolean {
   return params.channel === "webchat" || Array.isArray(params.gatewayClientScopes);
 }
 
+function hasPairingPrivilege(scopes: readonly string[]): boolean {
+  return scopes.includes(PAIRING_SCOPE) || scopes.includes(ADMIN_SCOPE);
+}
+
+function hasSetupHandoffPrivilege(scopes: readonly string[]): boolean {
+  return scopes.includes(TALK_SECRETS_SCOPE) || scopes.includes(ADMIN_SCOPE);
+}
+
 export function resolvePairingCommandAuthState(
   params: PairingCommandAuthParams,
 ): PairingCommandAuthState {
@@ -24,13 +36,10 @@ export function resolvePairingCommandAuthState(
     const approvalCallerScopes = Array.isArray(params.gatewayClientScopes)
       ? params.gatewayClientScopes
       : [];
-    const isMissingPairingPrivilege =
-      !approvalCallerScopes.includes("operator.pairing") &&
-      !approvalCallerScopes.includes("operator.admin");
-
     return {
       isInternalGatewayCaller,
-      isMissingPairingPrivilege,
+      isMissingPairingPrivilege: !hasPairingPrivilege(approvalCallerScopes),
+      isMissingSetupHandoffPrivilege: !hasSetupHandoffPrivilege(approvalCallerScopes),
       approvalCallerScopes,
     };
   }
@@ -39,13 +48,15 @@ export function resolvePairingCommandAuthState(
     return {
       isInternalGatewayCaller,
       isMissingPairingPrivilege: false,
+      isMissingSetupHandoffPrivilege: false,
       approvalCallerScopes: COMMAND_OWNER_PAIRING_SCOPES,
     };
   }
 
   return {
     isInternalGatewayCaller,
     isMissingPairingPrivilege: true,
+    isMissingSetupHandoffPrivilege: true,
     approvalCallerScopes: undefined,
   };
 }
@@ -55,3 +66,9 @@ export function buildMissingPairingScopeReply(): { text: string } {
     text: "⚠️ This command requires operator.pairing.",
   };
 }
+
+export function buildMissingSetupHandoffScopeReply(): { text: string } {
+  return {
+    text: "⚠️ Setup code handoff includes Talk secrets and requires operator.talk.secrets.",
+  };
+}