openclaw status overview shows 'missing scope: operator.read' despite device having the scope

[quentinviac]

Environment

• OpenClaw: 2026.3.13 (61d171a)
• OS: macOS 26.3.1 (arm64)
• Node: 25.8.1
• Gateway: local loopback, port 18798

Issue

openclaw status overview line shows:

Gateway │ local · ws://127.0.0.1:18798 (local loopback) · unreachable (missing scope: operator.read)

However:

• openclaw status --deep shows Gateway │ reachable │ 2ms
• openclaw gateway probe shows Connect: ok (22ms) · RPC: limited - missing scope: operator.read
• openclaw doctor runs fine and connects to the gateway successfully
• The CLI device identity (a8cbec01...) is paired with full scopes including operator.read and operator.write
• ~/.openclaw/identity/device-auth.json confirms the operator token has operator.read in its scopes

Steps to reproduce

1. Pair CLI device with operator.read scope via openclaw devices rotate
2. Confirm scopes are present in devices list --json and device-auth.json
3. Run openclaw status — overview shows missing scope: operator.read
4. Run openclaw status --deep — deep probe shows gateway reachable
5. Run openclaw doctor — succeeds

Expected behavior

openclaw status overview should show reachable when the device has the required scopes.

Gateway probe output

Reachable: yes
Warning:
- Probe diagnostics are limited by gateway scopes (missing operator.read).
  Connection succeeded, but status details may be incomplete.
  Hint: pair device identity or use credentials with operator.read.

Local loopback ws://127.0.0.1:18798
  Connect: ok (22ms) · RPC: limited - missing scope: operator.read

Hypothesis

The overview probe in openclaw status may use a lighter auth path (shared token only) that doesn't complete the full device challenge handshake, whereas --deep and doctor do complete device auth and get the scopes.

[Ryce]

Classic auth identity drift. The device identity JSON says you have operator.read, devices list confirms it, doctor connects fine — but the gateway's runtime view disagrees.

The operator.read scope mismatch during probe is the tell: the CLI is presenting valid credentials, the gateway partially recognizes them (connection succeeds), but the authorization layer doesn't grant the full scope. That's credential drift — the token is real but its effective permissions don't match what's stored.

Three things can cause this:

1. Token was rotated but the device cache wasn't refreshed
2. Gateway reloaded config but the auth session state didn't re-evaluate
3. Scope inheritance changed between versions (see [Bug]: Regression in 2026.3.13: ACP bridge and CLI device flows fail after upgrade #48002's 2026.3.13 regression)

The --deep flag working while overview doesn't suggests the probe path bypasses the normal scope check, which means the overview is showing you a more honest view of what the gateway actually thinks your permissions are.

This is exactly the pattern keepmyclaw.com tracks — when the stored identity says one thing but the runtime gateway state says another. A config snapshot would show whether your device scopes actually loaded into the running gateway or got silently dropped.

[tyler6204]

Resolved by #50101, merge commit: 7b61ca1. Thanks for the report!