`openclaw status` shows "unreachable (missing scope: operator.read)" for working local gateway

[gamer-mitsuha]

Summary

openclaw status reports the local gateway as unreachable (missing scope: operator.read), even though the gateway is fully functional (sessions work, channels connected, openclaw gateway status shows "Connect: ok · RPC: limited").

Environment

• OpenClaw: git HEAD @ 3f434080
• OS: macOS (arm64)
• Gateway auth mode: token (plain string configured in gateway.auth.token)
• Gateway bind: loopback (127.0.0.1)

Root Cause Analysis

Two issues combine to produce this behavior:

1. CLI probe scopes are stripped for device-less token-auth connections

In src/gateway/server/ws-connection/message-handler.ts, around L537:

if (!device && (!isControlUi || decision.kind !== "allow")) {
    clearUnboundScopes();
}

The CLI probe (src/gateway/probe.ts) intentionally disables device identity for loopback connections:

const disableDeviceIdentity = (() => {
    try {
      return isLoopbackHost(new URL(opts.url).hostname);
    } catch {
      return false;
    }
})();
// ...
deviceIdentity: disableDeviceIdentity ? null : undefined,

So the probe connects with scopes: ["operator.read"] and valid token auth. The gateway:

1. Validates the token → sharedAuthOk = true
2. evaluateMissingDeviceIdentity() returns { kind: "allow" } (operator + sharedAuthOk)
3. Connection is accepted ✅
4. But clearUnboundScopes() strips ["operator.read"] → scopes become [] ❌

The subsequent RPC calls (health, status, config.get, system-presence) all require operator.read scope and fail with "missing scope: operator.read".

This was likely introduced by commit 7dc447f79 ("fix(gateway): strip unbound scopes for shared-auth connects") which correctly prevents unauthenticated clients from self-declaring scopes, but over-broadly applies to authenticated operator clients on loopback.

2. openclaw status and openclaw gateway status use different reachability checks

Command	Check	Result
status (status.scan.ts L234)	gatewayProbe?.ok === true	false (RPC failed) → "unreachable"
gateway status (gateway-status/helpers.ts)	isProbeReachable(probe) = ok || isScopeLimitedProbeFailure(probe)	true → "RPC: limited"

gateway status correctly recognizes the scope-limited state, while status treats any ok !== true as unreachable.

Expected Behavior

openclaw status should show the gateway as reachable when token auth succeeds on loopback, even without device identity. The probe should retain its declared scopes when shared auth (token/password) validates successfully.

Suggested Fix

Option A (recommended): In the scope-clearing logic, preserve scopes when sharedAuthOk === true and the evaluateMissingDeviceIdentity decision is "allow":

if (!device && (!isControlUi || decision.kind !== "allow") && !sharedAuthOk) {
    clearUnboundScopes();
}

Option B (incremental): Update status.scan.ts to use isProbeReachable() instead of probe.ok for consistency with gateway status:

const gatewayReachable = isProbeReachable(gatewayProbe);

Option B is a workaround; Option A fixes the root cause.

Reproduction

# With gateway.auth.mode = "token" and a plain token configured:
openclaw status          # Shows "unreachable (missing scope: operator.read)"
openclaw gateway status  # Shows "Connect: ok (Xms) · RPC: limited - missing scope: operator.read"
# Meanwhile, actual gateway functionality (chat, channels, cron) works fine.

[burninganus]

It's not a purely cosmetic bug, though.
Some CLI commands fail, for example:

openclaw devices list

gateway connect failed: Error: gateway closed (1000):
◇
[openclaw] Failed to start CLI: Error: gateway closed (1000 normal closure): no close reason
Gateway target: ws://127.0.0.1:18789
Source: local loopback

Makes pairing a new device impossible.

The token auth bug has been migrating and evolving from version to version for about a month now.

openclaw doctor can't catch it
openclaw gateway status shows that everything is OK
openclaw status shows unreachable (missing scope: operator.read)

[dengdingchang]

same issue here, anyone help?

[steipete]

Closing this as implemented after Codex review.

Current main already keeps local authenticated gateway probes and direct gateway calls device-bound, which addresses the reported operator.read loss behind openclaw status showing the local gateway as unreachable.

What I checked:

• Probe keeps authenticated loopback connections device-bound: probeGateway() now loads device identity for loopback probes when token/password auth is present, with an inline comment explaining this avoids shared-auth scope stripping on read/detail RPCs. (src/gateway/probe.ts:148, 0e7250f37bf3)
• Integration test proves local authenticated probe retains detail RPCs: Gateway integration test verifies a loopback token-auth probe succeeds and returns health, status, and configSnapshot instead of failing with missing operator.read. (src/gateway/probe.auth.integration.test.ts:29, 0e7250f37bf3)
• Direct CLI gateway calls use the same device-bound behavior: callGateway() also loads device identity for shared-auth local calls so operator-scoped RPCs such as status remain available. (src/gateway/call.ts:196, 0e7250f37bf3)
• Unit tests cover token-auth loopback and fallback behavior: Unit tests assert token-auth loopback probes/calls include device identity, and that restricted environments fall back without crashing. This matches the intended fix path for the reported token-auth local gateway case. (src/gateway/probe.test.ts:129, 0e7250f37bf3)
• Released snapshot already contains the fixed probe behavior: The latest release tag in this checkout already has the same authenticated-loopback device-identity logic in src/gateway/probe.ts, so the fix is shipped, not just present on unreleased main. (src/gateway/probe.ts:148, 00bd2cf7a376)

So I’m closing this as already implemented rather than keeping a duplicate issue open.

Review notes: reviewed against 0e7250f37bf3; fix evidence: release v2026.4.22, commit 00bd2cf7a376.