[Bug]: Regression in 2026.3.13: ACP bridge and CLI device flows fail after upgrade

[millfields99]

Bug type

Regression (worked before, now fails)

Summary

Summary

After upgrading OpenClaw from 2026.3.8 to 2026.3.13, several CLI/gateway handshake paths regressed in my environment.

The regression was confirmed by rollback:

• 2026.3.8: works
• 2026.3.13: broken
• rollback to 2026.3.8: works again

Environment

• OpenClaw versions tested:
• working: 2026.3.8
• broken: 2026.3.13
• OS: Linux
• Gateway mode: local
• Bind: loopback
• Tailscale serve enabled
• ACP enabled
• Main workflow depends on ACP bridge + normal CLI/gateway device paths

What broke on 2026.3.13

These worked before the upgrade and failed after:

• openclaw devices list timed out before hello
• openclaw gateway probe timed out
• pairing/probe-style paths failed
• ACP path was broken end-to-end during the regression window

There also appeared to be CLI auth/identity handling issues during loopback CLI calls, where calls seemed to downgrade into a missing scope/state path (operator.read was involved during investigation).

What still worked / partial observations

• The gateway daemon itself stayed healthy
• The issue looked narrower than a total gateway failure
• openclaw status was later made to work during investigation, but other probe/pair/device paths still failed on 2026.3.13

Rollback result

After rolling back to 2026.3.8 and refreshing the systemd gateway service:

Working again:

• openclaw status
• openclaw devices list
• openclaw acp -v
• ACP end-to-end workflow

Verified ACP recovery with real workflow:

• one-shot ACP test succeeded
• persistent ACP session test succeeded
• turn 1: “Remember the word ORBIT” -> stored
• turn 2 on same session -> “ORBIT”
  This strongly suggests a regression in 2026.3.13 rather than an environment-only issue.

Additional note

openclaw gateway probe still times out on 2026.3.8 as well, so that specific probe timeout may be a separate older issue.

Expected behavior

Upgrading from 2026.3.8 to 2026.3.13 should not break:

• ACP bridge/session routing
• normal CLI device/pair/probe handshake paths
• loopback CLI identity/scope attachment

Actual behavior

2026.3.13 introduced handshake/path regressions severe enough that I had to roll back to 2026.3.8.

Steps to reproduce

Upgrading OpenClaw from 2026.3.8 to 2026.3.13

Expected behavior

Normal clean upgrade. ACP functioning

Actual behavior

No ACP

OpenClaw version

2026.3.13

Operating system

Linux

Install method

npm

Model

openai-codex/gpt-5.4

Provider / routing chain

openclaw

Config file / key location

No response

Additional provider/model setup details

No response

Logs, screenshots, and evidence

Impact and severity

No response

Additional information

No response

[Ryce]

This is a nasty one. Rollback confirmed working → broken → working again is clean evidence of a regression window.

The part that should concern people: during the 2026.3.13 window, your ACP bridge was dead end-to-end. If you'd had active agent sessions, scheduled tasks, or cron jobs running during the upgrade, that state is gone. The gateway daemon stayed healthy but the handshake layer between CLI and gateway silently failed — which means any in-flight work just evaporated without a crash log.

This is the exact scenario backup snapshots are built for. If you had a pre-upgrade snapshot, you could at least know what state your agents were in when things broke, and restore config/identity without the 'what changed between versions' detective work.

For anyone else hitting this: the scope appearing during investigation suggests the auth layer also degraded — device identity was partially recognized but not fully authorized. That's a silent failure mode that's worse than a hard crash because your tools report 'limited' instead of 'broken'.

@ keepmyclaw.com — backup snapshots capture gateway state before upgrades so you can diff exactly what changed. If you'd had one from before the 2026.3.8→2026.3.13 upgrade, the investigation would've taken minutes instead of a full rollback cycle.

[steipete]

Closing this as implemented after Codex review.

Current main already contains fixes and regression coverage for the reported loopback CLI/gateway handshake failures: authenticated local probes keep device identity bound again, shared-secret HTTP compat requests restore default operator scopes instead of collapsing into missing operator.read, and openclaw devices has loopback local-pairing fallback coverage. The same implementation is present in the shipped v2026.4.22 tree.

What I checked:

• Loopback authenticated probes stay device-bound: src/gateway/probe.ts:148 keeps device identity enabled for authenticated loopback probes so read/detail RPCs are not scope-limited by shared-auth hardening. (src/gateway/probe.ts:148, 00bd2cf7a376)
• Probe regression is covered by tests: src/gateway/probe.test.ts:183 verifies authenticated lightweight loopback probes keep device identity enabled, and src/gateway/probe.auth.integration.test.ts:29 verifies local authenticated probes can still fetch health, status, and configSnapshot. (src/gateway/probe.auth.integration.test.ts:29, 00bd2cf7a376)
• Shared-secret compat HTTP restores operator scopes: src/gateway/http-utils.ts:232 returns the full default operator scope set for shared-secret compat requests, and src/gateway/http-utils.request-context.test.ts:128 asserts bearer auth no longer degrades to a narrower/missing operator.read path. (src/gateway/http-utils.ts:232, 00bd2cf7a376)
• openclaw devices has loopback fallback for pairing-required/scope-upgrade failures: src/cli/devices-cli.ts:122 falls back to local pairing data on local loopback pairing-required failures, and src/cli/devices-cli.test.ts:449 covers both pairing-required and scope-upgrade fallback cases for devices list/devices approve. (src/cli/devices-cli.ts:122, 00bd2cf7a376)
• Shipped docs describe the repaired degraded-scope behavior: docs/cli/gateway.md:225 documents capability/read-probe handling, including scope-limited operator.read detail probes being treated as degraded rather than total failure. (docs/cli/gateway.md:225, 00bd2cf7a376)

So I’m closing this as already implemented rather than keeping a duplicate issue open.

Review notes: reviewed against d38ed0831d73; fix evidence: release v2026.4.22, commit 00bd2cf7a376.