[Bug]: HTTP /v1/chat/completions returns 'missing scope: operator.write' with --auth none (v2026.3.28)

### Bug type

Regression (worked before, now fails)

### Beta release blocker

No

### Summary

The HTTP endpoint `/v1/chat/completions` returns `403 missing scope: operator.write` even when the gateway is started with `--auth none`. The scope enforcement appears to be hardcoded in the HTTP handler and ignores the auth mode setting.

### Steps to reproduce

## Environment

- OpenClaw version: 2026.3.28 (f9b1079)
- OS: macOS 26.3 (arm64)
- Node: 22.22.0
- Gateway: loopback bind, Tailscale Serve as reverse proxy

## Steps to Reproduce

1. Configure gateway with `--auth none`:
   ```
   openclaw gateway install --force --auth none
   ```
2. Verify config:
   ```json
   "gateway": {
     "auth": { "mode": "none" }
   }
   ```
3. Verify plist has `--auth none` in ProgramArguments
4. Verify gateway is running:
   ```
   openclaw gateway status
   # Runtime: running, RPC probe: ok
   ```
5. Send a request locally:
   ```bash
   curl -X POST http://127.0.0.1:18789/v1/chat/completions \
     -H "Content-Type: application/json" \
     -d '{"model":"openclaw:main","messages":[{"role":"user","content":"ping"}]}'
   ```

### Expected behavior

## Expected Behavior

With `--auth none`, the request should be processed without any auth or scope checks.


### Actual behavior


## Actual Behavior

```json
{"ok":false,"error":{"type":"forbidden","message":"missing scope: operator.write"}}
```

HTTP 403 is returned regardless of:
- Auth mode (`none`, `token`)
- Bearer token presence
- `x-openclaw-scopes: operator.read operator.write` header
- Local vs remote (Tailscale) access

### OpenClaw version

2026.3.28

### Operating system

macOS 26.3 (arm64)

### Install method

_No response_

### Model

NA

### Provider / routing chain

NA

### Additional provider/model setup details

_No response_

### Logs, screenshots, and evidence

```shell

```

### Impact and severity

_No response_

### Additional information


- This worked on a previous version (pre-2026.3.28)
- The gateway log shows successful RPC connections but HTTP endpoints always reject with scope error
- Related: PR #57596 was supposed to "restore default operator scopes for bearer-authenticated requests that omit x-openclaw-scopes" but the fix does not appear to be effective
- Related issues: #48113, #17408


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

[Bug]: HTTP /v1/chat/completions returns 'missing scope: operator.write' with --auth none (v2026.3.28) #58357

Bug type

Beta release blocker

Summary

Steps to reproduce

Environment

Steps to Reproduce

Expected behavior

Expected Behavior

Actual behavior

Actual Behavior

OpenClaw version

Operating system

Install method

Model

Provider / routing chain

Additional provider/model setup details

Logs, screenshots, and evidence

Impact and severity

Additional information

Metadata

Assignees

Labels

Type

Fields

Projects

Milestone

Relationships

Development

Uh oh!

[Bug]: HTTP /v1/chat/completions returns 'missing scope: operator.write' with --auth none (v2026.3.28) #58357

Description

Bug type

Beta release blocker

Summary

Steps to reproduce

Environment

Steps to Reproduce

Expected behavior

Expected Behavior

Actual behavior

Actual Behavior

OpenClaw version

Operating system

Install method

Model

Provider / routing chain

Additional provider/model setup details

Logs, screenshots, and evidence

Impact and severity

Additional information

Metadata

Metadata

Assignees

Labels

Type

Fields

Projects

Milestone

Relationships

Development

Issue actions