gateway.auth.mode=none breaks internal RPC probe with 1008 device identity required

[xiew4589-lang]

Summary

When gateway.auth.mode is set to none, the Gateway's own internal RPC probe fails with:

gateway closed (1008): device identity required
RPC probe: failed

This causes a cascading failure chain:

1. All exec approval followup dispatches timeout after 60s
2. Frontend detects seq-gap → triggers websocket reconnect
3. Reconnect pulls history from server, which may not have persisted the streaming assistant reply yet
4. The reply appears to the user then disappears ("flash then vanish")

Expected behavior

auth.mode=none should still allow the Gateway's own internal RPC probe and followup dispatch to function, since these are internal operations that don't need external authentication.

Actual behavior

Internal RPC probe is rejected with 1008: device identity required, making the entire followup pipeline non-functional.

Workaround

Set gateway.auth.mode to token (which auto-generates a token). This immediately resolves the issue.

Environment

• OpenClaw version: 2026.4.14
• OS: macOS (Darwin 25.4.0, arm64)
• Node: v25.5.0
• Gateway: loopback binding (127.0.0.1:18789)

Logs

exec approval followup dispatch failed: gateway timeout after 60000ms
Gateway: unreachable (gateway closed (1008): device identity required)

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve.

Summary
Keep open. Current main still has the reported no-auth Gateway probe gap: local probe auth resolves empty, the probe does not send a fresh device identity, method: "none" is not treated as shared auth, and the missing-device path still closes with 1008: device identity required.

Reproducibility: yes. Source inspection gives a high-confidence path: gateway.auth.mode="none" gives the probe no shared credential, first-time probes send no cached device identity, and the WebSocket missing-device branch closes with 1008.

Next step
This is a valid current bug, but the repair changes Gateway auth/device-identity policy and overlaps #69066 and #75781, so a Gateway/secops owner should choose the seam before automation writes a fix.

Security
Needs attention: This is Gateway-auth-sensitive even without a PR diff, so the repair needs maintainer/secops review before implementation.

Review details

Best possible solution:

Add a narrowly scoped internal service identity path, or an equivalently constrained loopback-only Gateway-owned caller exception, for probe/followup/backend RPC clients while keeping device identity fail-closed for remote, browser-origin, node-role, and ordinary operator clients.

Do we have a high-confidence way to reproduce the issue?

Yes. Source inspection gives a high-confidence path: gateway.auth.mode="none" gives the probe no shared credential, first-time probes send no cached device identity, and the WebSocket missing-device branch closes with 1008.

Is this the best way to solve the issue?

No current fix is present on main. The token-mode workaround is operationally valid, but the maintainable fix should be internal-only service identity or a tightly scoped Gateway-owned caller path rather than widening no-auth behavior globally.

Security concerns:

• [medium] Keep any no-auth bypass internal-only — src/gateway/server/ws-connection/auth-context.ts:114
  The current boundary intentionally excludes method: "none" from sharedAuthOk; changing that globally would allow device-less non-Control-UI operator clients to skip pairing.
  Confidence: 0.88

Acceptance criteria:

• pnpm test src/gateway/probe.test.ts src/gateway/server/ws-connection/connect-policy.test.ts src/gateway/server/ws-connection/auth-context.state.test.ts
• pnpm test src/gateway/operator-approvals-client.test.ts src/gateway/gateway-cli-backend.connect.test.ts

What I checked:

• probe-auth-none-resolves-empty: Local probe auth resolution returns no token or password when gateway.auth.mode is none, leaving the probe without a shared credential. (src/gateway/auth-surface-resolution.ts:78, ae87f7800b2a)
• probe-omits-first-time-device-identity: probeGateway only attaches a device identity when an existing cached operator device token exists, so first-time diagnostics can connect without auth and without device identity. (src/gateway/probe.ts:175, ae87f7800b2a)
• auth-none-not-shared-auth: sharedAuthOk is computed from token/password shared auth or trusted-proxy auth; method: "none" is not included. (src/gateway/server/ws-connection/auth-context.ts:114, ae87f7800b2a)
• missing-device-rejects: A device-less non-Control-UI operator client without shared auth falls through to reject-device-required. (src/gateway/server/ws-connection/connect-policy.ts:143, ae87f7800b2a)
• close-path-matches-report: The WebSocket handler sends device identity required and closes with code 1008 for that rejection path. (src/gateway/server/ws-connection/message-handler.ts:714, ae87f7800b2a)
• current-tests-scope-auth-none-bypass: Current tests explicitly scope auth.mode=none pairing skip to operator Control UI only, leaving non-Control-UI operator clients outside the bypass. (src/gateway/server/ws-connection/connect-policy.test.ts:230, ae87f7800b2a)

Likely related people:

• openclaw/openclaw-secops: Gateway auth and secret-related paths are explicitly owned by this team, and the remaining fix changes the device-identity/auth boundary. (role: CODEOWNERS reviewer; confidence: high; files: .github/CODEOWNERS, src/gateway/server/ws-connection/auth-context.ts, src/gateway/server/ws-connection/connect-policy.ts)
• Peter Steinberger: Local history shows Peter authored recent refactors around central connect and trusted-proxy Control UI policy in the affected Gateway WebSocket auth area. (role: recent gateway auth and pairing maintainer; confidence: medium; commits: 51149fcaf15a, 0cc3e8137c3c; files: src/gateway/server/ws-connection/connect-policy.ts, src/gateway/role-policy.ts)
• Andrew Demczuk: Andrew authored the prior auth.mode=none Control UI pairing-skip change adjacent to this no-auth/backend pairing decision. (role: nearby no-auth pairing contributor; confidence: medium; commits: 26e0a3ee9a6b; files: src/gateway/server/ws-connection/connect-policy.ts)
• jetd1: Opened [RFC] Separate internal service identity from user auth in OpenClaw gateway #69066, the linked RFC that names this issue and proposes separating internal service identity from user auth. (role: adjacent design owner; confidence: medium; files: src/gateway/auth.ts, src/gateway/server/ws-connection/auth-context.ts, src/gateway/server/ws-connection/connect-policy.ts)

Remaining risk / open question:

• A broad fix that treats method: "none" as shared auth globally could let ordinary device-less non-Control-UI clients bypass pairing.
• The durable repair overlaps the open [RFC] Separate internal service identity from user auth in OpenClaw gateway #69066 service-identity design and should be sequenced with Gateway auth/security owners.

Codex review notes: model gpt-5.5, reasoning high; reviewed against ae87f7800b2a.