Bug type
Behavior bug (incorrect output/state without crash)
Summary
Even after rotating operator tokens to include operator.read/operator.write and re-authenticating Control UI, diagnostics still report:
openclaw status --all => unreachable (missing scope: operator.read)openclaw security audit --deep => gateway.probe_failed (missing scope: operator.read)
However, direct RPC with an explicit token succeeds:
openclaw gateway call status --url ws://127.0.0.1:18789 --token <rotated-token> => success
This suggests an inconsistency in diagnostics/probe auth resolution, rather than a real gateway auth failure.
Steps to reproduce
1) Check baseline
openclaw status --all
openclaw security audit --deep
Observed:
Gateway ... unreachable (missing scope: operator.read)gateway.probe_failed ... missing scope: operator.read
2) Inspect paired device scopes
openclaw devices list --json
Observed initially: some openclaw-control-ui devices had only:
operator.admin, operator.approvals, operator.pairing
3) Rotate tokens with explicit read/write scopes
openclaw devices rotate --device <deviceId> --role operator \
--scope operator.read --scope operator.write \
--scope operator.admin --scope operator.approvals --scope operator.pairing
Run for relevant openclaw-control-ui device IDs.
4) Update gateway token and re-login in Control UI
openclaw config set gateway.auth.token <new-token>
Then log in manually in Control UI using the new token.
5) Re-run diagnostics
openclaw status --all
openclaw security audit --deep
Still reports missing operator.read.
6) Compare with explicit direct RPC
openclaw gateway call status --url ws://127.0.0.1:18789 --token <new-token>
Observed: successful status payload.
Expected behavior
After rotating/using a token with operator.read, diagnostics should show reachable/ok for detailed probe RPCs.
Actual behavior
Diagnostics continue to report missing operator.read, even though scopes are present and direct RPC succeeds.
OpenClaw version
2026.3.13
Operating system
Linux 6.8.0-101-generic x64
Install method
No response
Model
CLI
Provider / routing chain
CLI ->gateway
Config file / key location
No response
Additional provider/model setup details
No response
Logs, screenshots, and evidence
Impact and severity
No response
Additional information
No response
Bug type
Behavior bug (incorrect output/state without crash)
Summary
Even after rotating operator tokens to include
operator.read/operator.writeand re-authenticating Control UI, diagnostics still report:openclaw status --all=>unreachable (missing scope: operator.read)openclaw security audit --deep=>gateway.probe_failed (missing scope: operator.read)However, direct RPC with an explicit token succeeds:
openclaw gateway call status --url ws://127.0.0.1:18789 --token <rotated-token>=> successThis suggests an inconsistency in diagnostics/probe auth resolution, rather than a real gateway auth failure.
Steps to reproduce
1) Check baseline
Observed:
Gateway ... unreachable (missing scope: operator.read)gateway.probe_failed ... missing scope: operator.read2) Inspect paired device scopes
Observed initially: some
openclaw-control-uidevices had only:operator.admin,operator.approvals,operator.pairing3) Rotate tokens with explicit read/write scopes
Run for relevant
openclaw-control-uidevice IDs.4) Update gateway token and re-login in Control UI
Then log in manually in Control UI using the new token.
5) Re-run diagnostics
Still reports missing
operator.read.6) Compare with explicit direct RPC
Observed: successful
statuspayload.Expected behavior
After rotating/using a token with
operator.read, diagnostics should show reachable/ok for detailed probe RPCs.Actual behavior
Diagnostics continue to report missing
operator.read, even though scopes are present and direct RPC succeeds.OpenClaw version
2026.3.13
Operating system
Linux 6.8.0-101-generic x64
Install method
No response
Model
CLI
Provider / routing chain
CLI ->gateway
Config file / key location
No response
Additional provider/model setup details
No response
Logs, screenshots, and evidence
Impact and severity
No response
Additional information
No response