Bug: Scope upgrade pending approval error after upgrade to 2026.4.21

[superzmenai01]

Bug Report: Scope Upgrade Pending Approval Error After Upgrade to 2026.4.21

Summary

After upgrading OpenClaw from 2026.4.15 to 2026.4.21, spawn subagent and native approval operations fail with "scope upgrade pending approval" error.

Environment

• OpenClaw Version: 2026.4.21
• Node Version: v25.9.0
• Platform: macOS (Darwin)
• Deployment: Homebrew installation
• Gateway Port: 18789

Problem Description

After performing openclaw update on April 23, 2026 at 09:50 (HKT), the following operations began failing:

1. Spawning subagents via sessions_spawn
2. Native Telegram approval handler

Error message:

Gateway closed (1008): pairing required: device is asking for more scopes than currently approved

Log entries show:

{"subsystem":"telegram/native-approvals"} connect error: scope upgrade pending approval
{"subsystem":"gateway/channels/telegram"} failed to start native approval handler

Timeline

• 09:50 - OpenClaw upgraded 2026.4.15 → 2026.4.21
• 09:52 - First scope upgrade error logged (2 minutes after upgrade)
• Scope errors continue on every spawn attempt

Root Cause

Device scopes in paired.json were reset to only ['operator.read'] after upgrade, but new version requires additional scopes:

• operator.approvals
• operator.admin
• operator.read
• operator.write
• operator.pairing
• operator.talk.secrets

Workaround

Manually editing ~/.openclaw/devices/paired.json to add all required scopes to the affected device entry, then setting file to readonly (chmod 444) to prevent Gateway from overwriting.

Expected Behavior

1. Device scopes should persist across version upgrades
2. Or user should be prompted to approve new scopes before operations fail

Additional Context

• This is a fresh install/upgrade scenario, not a fresh setup
• Previously working normally on 2026.4.15
• Error occurs on all spawn operations, not just Telegram

Reproduction Steps

1. Have OpenClaw 2026.4.15 or earlier running normally
2. Perform openclaw update to upgrade to 2026.4.21
3. Attempt to spawn a subagent
4. Observe "scope upgrade pending approval" error

[helderbarboza]

I've had the same problem, these solved:
openclaw devices list
openclaw devices approve <request_UUID>

[superzmenai01]

Update: Bug Still Exists in 2026.4.23

Tested on 2026-04-25 (HKT):

1. Upgraded from 2026.4.21 → 2026.4.23

2. Before any fix: Spawn subagent immediately failed with:

3. Scopes were reset to only ['operator.read'] after upgrade

4. Manual fix still required: Editing paired.json and setting chmod 444 to prevent overwriting

Conclusion: The scope reset bug is NOT fixed in 2026.4.23. Users still need to manually restore scopes after each upgrade.

Environment:

• OpenClaw: 2026.4.23
• Platform: macOS (Darwin)
• Node: v25.9.0

[clawsweeper]

Closing this as implemented after Codex automated review.

Current main implements the safe recovery path for this report: broader operator scopes now become explicit pending scope-upgrade requests with request IDs, local openclaw devices can list/approve those requests without manually editing paired.json, direct loopback backend RPCs no longer get trapped behind stale read-only CLI paired-device baselines, and approved scope baselines are persisted separately from token scopes. The manual scope-upgrade approval remains intentional; silent widening to admin/approvals scopes would be the wrong security behavior.

Best possible solution:

Close as implemented on main. Keep the current security model: do not silently widen existing devices to operator.admin/operator.approvals; use the explicit pending scope-upgrade flow, openclaw devices list, and openclaw devices approve <requestId>. Any remaining UX polish should be a narrower follow-up about where to surface pending approval prompts, not this upgrade-reset bug.

What I checked:

• Scope-upgrade handshakes now return actionable details: The gateway builds PAIRING_REQUIRED details for scope upgrades including requestId, requested role/scopes, approved scopes, and the remediation hint to review and approve the pending upgrade; close reasons include the request ID when available. (src/gateway/protocol/connect-error-details.ts:57, c74fb781943f)
• Gateway creates explicit pending upgrade requests: When an already-paired device asks for broader scopes, the connection path detects the scope mismatch, creates a pending pairing request with the requested role/scopes, broadcasts it, and returns structured pairing-required details instead of overwriting the paired record. (src/gateway/server/ws-connection/message-handler.ts:971, c74fb781943f)
• Approved scope baseline persists across approval: approveDevicePairing merges existing approved scopes with the pending request scopes, writes both scopes and approvedScopes, and rotates/creates the role token from that approved baseline rather than dropping back to read-only. (src/infra/device-pairing.ts:616, c74fb781943f)
• Manual paired.json editing is no longer the recovery path: The devices CLI falls back to local pairing state on loopback pairing-required/scope-upgrade failures, and local approval uses an explicit admin approval path. This covers the issue comment workaround (openclaw devices list / openclaw devices approve <request_UUID>) without chmod or hand-editing state files. (src/cli/devices-cli.ts:122, c74fb781943f)
• Subagent/internal backend calls are covered: Gateway calls from direct loopback backend clients with shared auth omit device identity, avoiding stale read-only CLI paired-device baselines; the regression test proves an admin-scoped backend call succeeds while the stored paired device remains read-only. (src/gateway/call.ts:209, c74fb781943f)
• User-facing docs explain exact upgrade approval: The devices docs say pending output shows requested access next to current approved access, explain that broader scopes/roles create pending upgrade requests, and require approving the exact request ID after review. Public docs: docs/cli/devices.md. (docs/cli/devices.md:24, c74fb781943f)

So I’m closing this as already implemented rather than keeping a duplicate issue open.

Codex Review notes: model gpt-5.5, reasoning high; reviewed against c74fb781943f; fix evidence: commit c74fb781943f.

[prtags]

Related work from PRtags group rare-impala-09en

Title: telegram: native approvals pairing and scope-upgrade loops

Number	Title
#63381	[Bug]: Telegram native approvals auto-enables on 2026.4.8 and spams "too many failed authentication attempts" in a retry loop
#65690	native-approvals subsystem fails with 'pairing required' loop after 2026.4.8 upgrade (Telegram channel)
#68254	[Bug]: Internal "Telegram Native Approvals" handler cannot be paired in Docker loopback-only deployment (2026.4.14)
#68634	[Bug]: CLI commands repeatedly trigger scope-upgrade requests + Telegram Native Approvals fails with pairing required, generating persistent pending approvals
#68739	Telegram native approvals still start with execApprovals.enabled=false, then loop on pairing required (scope-upgrade)
#69214	[Bug]: Gateway client gets stuck in scope-upgrade repair loop for Telegram Native Approvals
#70687*	Bug: Scope upgrade pending approval error after upgrade to 2026.4.21

* This issue