fix: preserve paired node reconnects

pgondhi987 · pgondhi987 · commit f40e41204d81 · 2026-06-04T03:54:58.000Z
diff --git a/src/gateway/node-connect-reconcile.test.ts b/src/gateway/node-connect-reconcile.test.ts
@@ -174,6 +174,29 @@ describe("reconcileNodePairingOnConnect", () => {
     expect(result.pendingPairing?.request.requestId).toBe("req-caps");
   });
 
+  it("preserves the approved surface when paired node upgrade pairing is throttled", async () => {
+    const requestPairing = vi.fn(async () => null);
+
+    const result = await reconcileNodePairingOnConnect({
+      cfg: {} as never,
+      connectParams: makeNodeConnectParams({
+        caps: ["camera", "screen"],
+        commands: [],
+      }),
+      pairedNode: makePairedNode({
+        caps: ["camera"],
+        commands: [],
+      }),
+      requestPairing,
+    });
+
+    expect(requestPairing).toHaveBeenCalledOnce();
+    expect(result.effectiveCaps).toEqual(["camera"]);
+    expect(result.effectiveCommands).toEqual([]);
+    expect(result.declaredCaps).toEqual(["camera", "screen"]);
+    expect(result.pendingPairing).toBeUndefined();
+  });
+
   it("requires a fresh pairing request when paired node permissions change", async () => {
     const requestPairing = makePendingPairingRequest("req-permissions");
 
diff --git a/src/gateway/node-connect-reconcile.ts b/src/gateway/node-connect-reconcile.ts
@@ -112,7 +112,7 @@ export async function reconcileNodePairingOnConnect(params: {
   connectParams: ConnectParams;
   pairedNode: NodePairingPairedNode | null;
   reportedClientIp?: string;
-  requestPairing: (input: NodePairingRequestInput) => Promise<RequestNodePairingResult>;
+  requestPairing: (input: NodePairingRequestInput) => Promise<RequestNodePairingResult | null>;
 }): Promise<NodeConnectPairingReconcileResult> {
   const nodeId = params.connectParams.device?.id ?? params.connectParams.client.id;
   const policyNode = {
@@ -142,6 +142,9 @@ export async function reconcileNodePairingOnConnect(params: {
         remoteIp: params.reportedClientIp,
       }),
     );
+    if (!pendingPairing) {
+      throw new Error("node pairing request required");
+    }
     return {
       nodeId,
       declaredCaps,
@@ -204,7 +207,7 @@ export async function reconcileNodePairingOnConnect(params: {
       effectiveCommands: effectiveApprovedDeclaredCommands,
       declaredPermissions,
       effectivePermissions: effectiveApprovedDeclaredPermissions,
-      pendingPairing,
+      ...(pendingPairing ? { pendingPairing } : {}),
     };
   }
 
diff --git a/src/gateway/server.node-pairing-rate-limit.test.ts b/src/gateway/server.node-pairing-rate-limit.test.ts
@@ -4,7 +4,8 @@ import path from "node:path";
 import { describe, expect, test } from "vitest";
 import { WebSocket } from "ws";
 import { ConnectErrorDetailCodes } from "../../packages/gateway-protocol/src/connect-error-details.js";
-import { listNodePairing } from "../infra/node-pairing.js";
+import { loadOrCreateDeviceIdentity } from "../infra/device-identity.js";
+import { approveNodePairing, listNodePairing, requestNodePairing } from "../infra/node-pairing.js";
 import { GATEWAY_CLIENT_MODES, GATEWAY_CLIENT_NAMES } from "../utils/message-channel.js";
 import {
   connectReq,
@@ -56,6 +57,21 @@ async function attemptNodePairing(port: number, identityPath: string) {
   }
 }
 
+async function approveNodeIdentity(params: { identityPath: string; caps: string[] }) {
+  const identity = loadOrCreateDeviceIdentity(params.identityPath);
+  const request = await requestNodePairing({
+    nodeId: identity.deviceId,
+    platform: NODE_CLIENT.platform,
+    deviceFamily: NODE_CLIENT.deviceFamily,
+    caps: params.caps,
+  });
+  const approved = await approveNodePairing(request.request.requestId, {
+    callerScopes: ["operator.pairing"],
+  });
+  expect(approved && !("status" in approved)).toBe(true);
+  return identity;
+}
+
 describe("node pairing rate limit", () => {
   test("limits concurrent first-time node pairing requests before the pairing lock", async () => {
     testState.gatewayAuth = {
@@ -91,4 +107,57 @@ describe("node pairing rate limit", () => {
       expect((await listNodePairing()).pending).toHaveLength(3);
     });
   });
+
+  test("keeps paired reconnects on the approved surface when upgrade pairing is limited", async () => {
+    testState.gatewayAuth = {
+      mode: "token",
+      token: "secret",
+      rateLimit: {
+        maxAttempts: 3,
+        windowMs: 60_000,
+        lockoutMs: 60_000,
+        exemptLoopback: false,
+      },
+    };
+    await withGatewayServer(async ({ port }) => {
+      const identityPrefix = path.join(
+        os.tmpdir(),
+        `openclaw-node-pairing-upgrade-${randomUUID()}`,
+      );
+      const pairedIdentityPath = `${identityPrefix}-paired.json`;
+      await approveNodeIdentity({ identityPath: pairedIdentityPath, caps: ["camera"] });
+
+      const firstTimeResponses = await Promise.all(
+        Array.from(
+          { length: 3 },
+          async (_, index) => await attemptNodePairing(port, `${identityPrefix}-${index}.json`),
+        ),
+      );
+      expect(firstTimeResponses.filter((res) => res.ok)).toHaveLength(3);
+
+      const ws = await openWs(port);
+      try {
+        const reconnect = await connectReq(ws, {
+          token: "secret",
+          role: "node",
+          scopes: [],
+          client: NODE_CLIENT,
+          caps: ["camera", "screen"],
+          deviceIdentityPath: pairedIdentityPath,
+        });
+        expect(reconnect.ok).toBe(true);
+      } finally {
+        ws.close();
+        await new Promise<void>((resolve) => {
+          if (ws.readyState === WebSocket.CLOSED) {
+            resolve();
+            return;
+          }
+          ws.once("close", () => resolve());
+        });
+      }
+
+      expect((await listNodePairing()).pending).toHaveLength(3);
+    });
+  });
 });
diff --git a/src/gateway/server/ws-connection/message-handler.ts b/src/gateway/server/ws-connection/message-handler.ts
@@ -1614,18 +1614,31 @@ export function attachGatewayWsMessageHandler(params: GatewayWsMessageHandlerPar
         }
         if (role === "node") {
           let reconciliation: Awaited<ReturnType<typeof reconcileNodePairingOnConnect>>;
+          const pairedNode = await getPairedNode(
+            connectParams.device?.id ?? connectParams.client.id,
+          );
           try {
             reconciliation = await reconcileNodePairingOnConnect({
               cfg: getRuntimeConfig(),
               connectParams,
-              pairedNode: await getPairedNode(connectParams.device?.id ?? connectParams.client.id),
+              pairedNode,
               reportedClientIp,
-              requestPairing: async (input) =>
-                await requestNodePairingFromConnect({
-                  input,
-                  rateLimiter: authRateLimiter,
-                  clientIp: browserRateLimitClientIp,
-                }),
+              requestPairing: async (input) => {
+                try {
+                  return await requestNodePairingFromConnect({
+                    input,
+                    rateLimiter: authRateLimiter,
+                    clientIp: browserRateLimitClientIp,
+                  });
+                } catch (error) {
+                  if (error instanceof NodePairingRateLimitError && pairedNode) {
+                    // Paired upgrade reconnects can keep their approved surface;
+                    // only the fresh pending request is throttled here.
+                    return null;
+                  }
+                  throw error;
+                }
+              },
             });
           } catch (error) {
             if (error instanceof NodePairingRateLimitError) {
