[Bug] 2026.2.19 upgrade breaks tool connections — missing operator.write and operator.read scopes on existing paired devices

[mariovallereyes]

Summary

After upgrading from 2026.2.15 to 2026.2.19 (or 2026.2.19-2 npm), all gateway tool connections enter an infinite pairing loop with error:

\
gateway closed (1008): pairing required
\\

Agents are unable to spawn subagents, list sessions, or use any gateway-dependent tools. The gateway itself runs fine and Telegram/channel connections work — only tool-level gateway calls fail.

---

Root Cause

The 2026.2.19 security hardening introduced two new scopes: \operator.write\ and \operator.read. Existing paired devices only carry the legacy scope set:

\
operator.admin, operator.approvals, operator.pairing
\\

When a tool call requires \operator.write\ or \operator.read, the gateway issues a scope-upgrade warning and rejects the connection with \1008: pairing required. The client then re-initiates a repair request, which gets approved — but the cycle repeats for the next required scope, creating an infinite loop.

Gateway log evidence:
\
[gateway] security audit: device access upgrade requested reason=scope-upgrade
device=
scopesFrom=operator.admin,operator.approvals,operator.pairing
scopesTo=operator.write
code=1008 reason=pairing required

[gateway] security audit: device access upgrade requested reason=scope-upgrade
scopesFrom=operator.admin,operator.approvals,operator.pairing,operator.write
scopesTo=operator.read
code=1008 reason=pairing required
\\

---

Affected Versions

• From: 2026.2.15
• To: 2026.2.19, 2026.2.19-1, 2026.2.19-2
• Also present in: 2026.2.21 (no fix shipped yet)
• Platform: Windows (confirmed), likely all platforms

---

Reproduction Steps

1. Have OpenClaw running on 2026.2.15 with paired devices
2. Update to 2026.2.19+ via npm (
   pm install -g openclaw)
3. Gateway restarts
4. Any agent tool call that uses gateway (sessions_list, sessions_spawn, etc.) fails with \1008: pairing required\
5. Approving the repair request loops back to step 4 with the next missing scope

---

Workaround (Manual Fix)

Run for each paired device (CLI + Control UI):

\\�ash

Find device IDs

openclaw devices list --json

Rotate token with full scope set

openclaw devices rotate
--device
--role operator
--scope operator.admin
--scope operator.approvals
--scope operator.pairing
--scope operator.write
--scope operator.read
\\

Repeat for all paired devices. No restart required after rotation.

---

Expected Behavior

When upgrading, openclaw doctor --fix (or the update process itself) should detect devices missing the new scopes and auto-rotate their tokens with the full current scope set. Users should not need to manually rotate tokens after a routine update.

---

Environment

• OS: Windows 11
• Node: v23.7.0
• OpenClaw before: 2026.2.15
• OpenClaw after: 2026.2.19-2
• Install method: npm global (
  pm install -g openclaw)
• Gateway mode: local, loopback, token auth

[mariovallereyes]

This also applies for release/version 2026.2.21

[vignesh07]

Thanks for the clear report and logs @mariovallereyes — super helpful.

We’ve merged a fix that restores backward-compatible scope behavior for legacy paired devices so upgrades no longer get stuck in the 1008 pairing loop when operator.read/operator.write are introduced.

Fix: #23125

[mariovallereyes]

You guys are great! Thanks for the quick turnaround

[vignesh07]

@mariovallereyes please reopen and tag me if this hasn't fixed your issue. Thanks for the detailed report!

[scarlettdetekelala]

Additional finding: devices rotate does not update device-level scopes

The workaround in the issue (openclaw devices rotate --device <id> --scope ...) updates the token scopes but does not update the device-level scopes array in ~/.openclaw/devices/paired.json.

The gateway appears to validate against the device-level scopes, not the token scopes, so the rotate alone still results in 1008: pairing required.

What worked:

1. Run devices rotate as documented (this updates token scopes)
2. Manually patch ~/.openclaw/devices/paired.json to add operator.read and operator.write to each device's scopes array
3. Restart gateway (openclaw gateway restart)

# After rotate, patch the device store directly:
node -e "
const fs = require('fs');
const p = require('os').homedir() + '/.openclaw/devices/paired.json';
const d = JSON.parse(fs.readFileSync(p));
const full = ['operator.admin','operator.approvals','operator.pairing','operator.read','operator.write'];
for (const dev of Object.values(d)) dev.scopes = full;
fs.writeFileSync(p, JSON.stringify(d, null, 2));
console.log('Patched', Object.keys(d).length, 'devices');
"
openclaw gateway restart

Environment: macOS (Darwin arm64), OpenClaw 2026.2.21-2, Node v24.13.0