gateway probe drops loopback device identity and can falsely report missing operator.read

[Brafton-Sales]

Summary

Local loopback gateway probe / status can falsely report missing scope: operator.read even when the CLI device is already paired with operator.read and operator.write.

The immediate cause is that the probe client disables device identity on loopback connects, which makes the gateway clear requested scopes for the unbound connection. After fixing that, the current probe path can still time out because it tries to fetch four detail RPCs on the same probe connection.

Repro

Environment where I hit this:

• OpenClaw 2026.3.13
• gateway auth mode: token
• local loopback gateway at ws://127.0.0.1:18789
• CLI device already paired with operator.admin, operator.approvals, operator.pairing, operator.read, operator.write

Steps:

1. Run a local token-auth gateway with a paired CLI device.
2. Run openclaw gateway probe --json or openclaw status --json.
3. Observe degraded output like missing scope: operator.read even though the paired device token includes that scope.

Root cause

In src/gateway/probe.ts, loopback probes explicitly pass deviceIdentity: null:

const disableDeviceIdentity = (() => {
  try {
    return isLoopbackHost(new URL(opts.url).hostname);
  } catch {
    return false;
  }
})();

// ...
deviceIdentity: disableDeviceIdentity ? null : undefined,

On the server side, unbound connections have their requested scopes cleared in the WS handshake path. That means the loopback probe successfully connects, but its requested operator.read scope is stripped before detail RPC runs. The result is a false degraded warning.

Follow-on issue after fixing device identity

Once I removed the forced null device identity on loopback probes, the false scope warning disappeared, but the probe then became timeout-prone because it does:

• health
• status
• system-presence
• config.get

in one probe session.

On my machine, a single status RPC was enough for the probe/status surfaces, but the full four-call detail path could push the probe past its 3s budget.

Tested fix

I validated this source patch locally:

• keep device identity enabled for loopback probes
• fetch only status for probe details

Changed files:

• src/gateway/probe.ts
• src/gateway/probe.test.ts
• docs/cli/gateway.md

Focused tests passed:

corepack pnpm exec vitest run src/gateway/probe.test.ts
corepack pnpm exec vitest run src/commands/gateway-status.test.ts src/commands/status.scan.test.ts

Result after patch

Before:

• openclaw gateway probe --json => degraded: true, missing scope: operator.read
• openclaw status --json => gateway.reachable: false, error: "missing scope: operator.read"

After:

• openclaw gateway probe --json => ok: true, degraded: false, rpcOk: true
• openclaw status --json => gateway.reachable: true, error: null
• openclaw gateway status => RPC probe: ok

Suggested direction

At minimum, loopback probes should not force deviceIdentity: null.

For the detail path, I think there are two viable fixes:

1. keep the minimal status-only probe detail path, or
2. keep richer detail fetches but make them budget-aware instead of firing four probe RPCs in one short probe window.

The first option is the smallest reliable fix and matches the current status consumers well.

[xiaoliuzhuan]

I can reproduce and confirm the same root cause on macOS as well, and I have one extra data point that may matter for the fix direction.

Environment:

• OpenClaw 2026.3.14
• macOS 26.3.1
• local LaunchAgent gateway on ws://127.0.0.1:18789
• gateway.auth.mode=token
• CLI device already paired with operator.admin, operator.approvals, operator.pairing, operator.read, operator.write

What I see on the same machine:

1. Default loopback probe stays scope-limited:

openclaw gateway probe

Reachable: yes
Local loopback ws://127.0.0.1:18789
  Connect: ok (...) · RPC: limited - missing scope: operator.read

2. An explicit local alias probe succeeds with full RPC on the same gateway:

OPENCLAW_ALLOW_INSECURE_PRIVATE_WS=1 \
openclaw gateway probe --url ws://openclaw.local:18789

URL (explicit) ws://openclaw.local:18789
  Connect: ok (...) · RPC: ok
  Gateway: ... · app 2026.3.14

Local loopback ws://127.0.0.1:18789
  Connect: ok (...) · RPC: limited - missing scope: operator.read

openclaw.local resolves to 127.0.0.1 on this machine, so this looks like strong evidence that the scope loss is tied specifically to the loopback branch in probe.ts nulling deviceIdentity, not to missing device scopes or a bad paired token.

I also verified locally that the CLI identity still has the expected scopes in both:

• ~/.openclaw/identity/device-auth.json
• openclaw devices list --json

One caution before simply removing the loopback deviceIdentity: null guard:

Once probe/status attaches a device identity, the WS handshake path is no longer strictly read-only. In src/gateway/server/ws-connection/message-handler.ts, a connect can still hit:

• requestDevicePairing
• approveDevicePairing for silent local pairing
• updatePairedDeviceMetadata
• ensureDeviceToken

That means "make loopback probe use device auth again" is probably correct for diagnostics, but it may also reintroduce side effects on probe/status connects when the local device is unpaired, has pinned metadata drift, or requests a scope/role upgrade.

So I think the bug report is real, but the safest upstream fix might be one of:

1. Re-enable device identity for loopback probes only when the connect path can be guaranteed side-effect-free for probe clients.
2. Add an explicit opt-in "full local diagnostics" mode for CLI status/probe.
3. Add a server-side read-only diagnostics/auth path that allows operator.read detail RPCs without pairing/metadata mutation.

If it helps, I can turn this into a focused PR once there is agreement on which behavior is preferred.