[Bug]: v2026.3.31 breaks exec on local loopback setups

[clumsyzombie]

Bug type

Regression (worked before, now fails)

Beta release blocker

No

Summary

After upgrading to v2026.3.31, all exec calls fail with:
"gateway closed (1008): pairing required"

This affects even basic commands like openclaw --version. The exec
tool cannot authenticate to the gateway on local loopback (ws://127.0.0.1:18789).

Gateway token auth IS configured (gateway.auth.mode: "token"), but
the exec tool apparently cannot use it — every exec call registers
and fails immediately.

Expected behavior

exec should work on local loopback with token auth (worked in v2026.3.28)

Version

• OpenClaw: 2026.3.31
• Node: v24.14.1
• OS: WSL2 (linux 6.6.87.2-microsoft-standard-WSL2)
• Gateway: local loopback, auth token configured

Workaround

Downgrade to v2026.3.28

Steps to reproduce

1. Have gateway running with auth.token configured + bind=loopback
2. Upgrade to v2026.3.31
3. Attempt any exec call (CLI or agent tool)

Expected behavior

exec should work on local loopback with token auth (worked in v2026.3.28)

Actual behavior

Workaround
Downgrade to v2026.3.28

OpenClaw version

2026.3.31

Operating system

WSL2 (linux 6.6.87.2-microsoft-standard-WSL2)

Install method

No response

Model

minimax2.7

Provider / routing chain

local loopback, auth token configured

Additional provider/model setup details

No response

Logs, screenshots, and evidence

Impact and severity

No response

Additional information

No response

[openperf]

Dug into this one pretty deeply — it's actually two things conspiring together.

The root cause was introduced in v2026.3.31 with the new listEffectivePairedDeviceRoles function (src/infra/device-pairing.ts). When a device gets paired, it starts with an empty tokens map ({}). The function checks if (device.tokens) to decide whether to use the new token-based role system or fall back to the legacy device.roles / device.role fields. The issue is that {} is truthy in JavaScript, so the function happily enters the token path, calls listActiveTokenRoles({}), gets back undefined (no entries to iterate), and then undefined ?? [] gives us [] — an empty role set. The legacy role fields are never consulted.

So from the gateway's perspective, your already-paired device suddenly has zero effective roles.

The second half is a pre-existing blind spot that was exposed by the above: since the requested role (e.g. node) isn't in the effective roles (which is empty), the gateway triggers a role-upgrade pairing request. Normally for local loopback clients, shouldAllowSilentLocalPairing (src/gateway/server/ws-connection/handshake-auth-helpers.ts) would auto-approve this silently — but it only ever knew about not-paired and scope-upgrade as valid reasons. role-upgrade was never in the list. This was never a problem before v2026.3.31 because the old code path never produced an empty role set for a paired device, so the role-upgrade branch was simply unreachable. Now it is, and the gateway falls through to the interactive pairing path, which for a headless exec tool means → close(1008) "pairing required". Game over.

The fix (PR #59092):

1. listEffectivePairedDeviceRoles now distinguishes between "tokens map exists but is empty" (fresh pair, fall back to legacy roles) and "tokens map has entries but they're all revoked" (intentional revocation, keep returning []). This preserves the security invariant that revoking tokens actually removes access.

2. shouldAllowSilentLocalPairing now accepts role-upgrade as a valid reason for local clients, so loopback connections can seamlessly pick up new roles without manual intervention. Remote clients are unaffected.

Both changes are narrowly scoped — no touching of the general auth flow, bootstrap tokens, or scope-upgrade logic (which is separately force-set to silent: false in requirePairing anyway).

Your workaround of downgrading to v2026.3.28 makes perfect sense btw — that version didn't have listEffectivePairedDeviceRoles at all, so the legacy role fields were always used directly.

[clumsyzombie]

Dug into this one pretty deeply — it's actually two things conspiring together.

The root cause was introduced in v2026.3.31 with the new listEffectivePairedDeviceRoles function (src/infra/device-pairing.ts). When a device gets paired, it starts with an empty tokens map ({}). The function checks if (device.tokens) to decide whether to use the new token-based role system or fall back to the legacy device.roles / device.role fields. The issue is that {} is truthy in JavaScript, so the function happily enters the token path, calls listActiveTokenRoles({}), gets back undefined (no entries to iterate), and then undefined ?? [] gives us [] — an empty role set. The legacy role fields are never consulted.

So from the gateway's perspective, your already-paired device suddenly has zero effective roles.

The second half is a pre-existing blind spot that was exposed by the above: since the requested role (e.g. node) isn't in the effective roles (which is empty), the gateway triggers a role-upgrade pairing request. Normally for local loopback clients, shouldAllowSilentLocalPairing (src/gateway/server/ws-connection/handshake-auth-helpers.ts) would auto-approve this silently — but it only ever knew about not-paired and scope-upgrade as valid reasons. role-upgrade was never in the list. This was never a problem before v2026.3.31 because the old code path never produced an empty role set for a paired device, so the role-upgrade branch was simply unreachable. Now it is, and the gateway falls through to the interactive pairing path, which for a headless exec tool means → close(1008) "pairing required". Game over.

The fix (PR #59092):

1. listEffectivePairedDeviceRoles now distinguishes between "tokens map exists but is empty" (fresh pair, fall back to legacy roles) and "tokens map has entries but they're all revoked" (intentional revocation, keep returning []). This preserves the security invariant that revoking tokens actually removes access.
2. shouldAllowSilentLocalPairing now accepts role-upgrade as a valid reason for local clients, so loopback connections can seamlessly pick up new roles without manual intervention. Remote clients are unaffected.

Both changes are narrowly scoped — no touching of the general auth flow, bootstrap tokens, or scope-upgrade logic (which is separately force-set to silent: false in requirePairing anyway).

Your workaround of downgrading to v2026.3.28 makes perfect sense btw — that version didn't have listEffectivePairedDeviceRoles at all, so the legacy role fields were always used directly.

So i would assume this might be addressed in another update and skip 2026.3.31 or should I upgrade back to 2026.3.31 and is there another fix I should do? Sorry didn't understand.