Gateway pairing scope deadlock: CLI cannot approve/reject auto-reissued over-scoped repair requests

[Vladyslav0808087]

Summary

The OpenClaw CLI is in a scope deadlock: the current paired CLI has only operator.read, the gateway keeps auto-reissuing a pending repair request for the full default operator bundle, and device.pair.approve / device.pair.reject both require scope the CLI does not have. There is no other paired device with admin-level scope available as a bootstrap path.

Environment

• Platform: darwin
• Client: cli (mode probe for paired entry, mode cli for pending request)
• Gateway: ws://127.0.0.1:18789, loopback bind
• Config: /Users/<redacted>/.openclaw/openclaw.json

What happened

• Current paired CLI device is valid with scope operator.read only.
• A pending repair request keeps appearing for the same CLI device, asking for the full default operator bundle: operator.admin, operator.read, operator.write, operator.approvals, operator.pairing, operator.talk.secrets.
• The pending request auto-reissues every few minutes (TTL ≈ 5 min based on PENDING_TTL_MS), so request IDs rotate.
• Any gateway control-plane call above operator.read fails with gateway closed (1008): pairing required. This includes cron management and ACP / sub-agent spawn.
• openclaw devices reject <id> itself fails with the same pairing required error, because device.pair.reject requires operator.pairing scope per the gateway method-scope map.

What I expected

One of:

• A way to reject or downgrade the repair request from the current paired CLI without already having operator.pairing.
• A supported bootstrap flow to request only the minimal scopes actually needed (e.g. operator.read + operator.admin for cron).
• A documented recovery path for this situation that does not require the very scope needed to approve or reject the repair.

What I verified

• Current paired CLI has only operator.read (confirmed in openclaw devices list --json and locally in ~/.openclaw/devices/paired.json).
• Pending request asks for the full bundle (confirmed in openclaw devices list --json and in ~/.openclaw/devices/pending.json).
• No other paired devices with admin-level scope exist.
• I did not edit local JSON manually to avoid corrupting paired state.
• I did not restart the gateway, since the deadlock is at the scope layer, not at the gateway lifecycle.

What is blocked

• cron management through the gateway.
• ACP / sub-agent spawn through the gateway.
• Any other gateway control-plane action requiring scope above operator.read.

Likely root cause (from reading the codebase)

The CLI default scope set appears to be hardcoded as CLI_DEFAULT_OPERATOR_SCOPES = [admin, read, write, approvals, pairing, talk.secrets]. Combined with the fact that approve/reject themselves require operator.pairing, a CLI that ends up in operator.read cannot self-service its way out without an external bootstrap path.

Questions

1. Is there a supported way to create a minimal-scope CLI repair / pairing request (for example only operator.read + operator.admin)?
2. If not, what is the intended bootstrap or recovery flow for a CLI stuck at operator.read with an auto-reissued over-scoped repair request?
3. Is there a way to override CLI_DEFAULT_OPERATOR_SCOPES in config for repair requests?

I can provide full CLI outputs and local JSON dumps on request, with secrets / device IDs redacted.

Thanks.

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve.

Summary
Keep open. Current main has partial pairing recovery fixes, but the core recovery contract is still unresolved: a read-only paired CLI still cannot reject through the gateway, approve remains dependent on exact current request IDs/local fallback state, and later duplicate reports were closed into this canonical open thread.

Reproducibility: yes. source-backed. A device-token session with only operator.read cannot call device.pair.reject because the global method-scope gate requires operator.pairing, and the approve path can still fail when the exact pending request is superseded before fallback sees it.

Next step
The remaining work is valid but security-sensitive pairing policy, so a maintainer should choose the recovery contract before any repair branch is queued.

Security
Needs attention: Pairing recovery is auth-sensitive because it changes who can clear or approve scope-upgrade requests.

Review details

Best possible solution:

Define a bounded pairing recovery contract for limited paired CLIs, then align gateway authorization, CLI local recovery behavior, public docs, and regression coverage around that contract.

Do we have a high-confidence way to reproduce the issue?

Yes, source-backed. A device-token session with only operator.read cannot call device.pair.reject because the global method-scope gate requires operator.pairing, and the approve path can still fail when the exact pending request is superseded before fallback sees it.

Is this the best way to solve the issue?

Unclear. The existing approve fallback and token-scope fixes are useful partial solutions, but maintainers still need to choose the supported recovery contract, such as same-device self-reject, local reject fallback, narrower repair requests, or another bootstrap path.

Security concerns:

• [medium] Constrain same-device pairing recovery — src/gateway/server-methods.ts:185
  Any exception around the method-scope gate must be limited to the caller's own pending repair request and must not permit cross-device rejection, approval, or scope widening without an explicitly trusted path.
  Confidence: 0.9

Acceptance criteria:

• node scripts/run-vitest.mjs run src/cli/devices-cli.test.ts src/gateway/server-methods/devices.test.ts src/gateway/server.device-pair-approve-authz.test.ts src/infra/device-pairing.test.ts
• node scripts/run-vitest.mjs run src/gateway/server.silent-scope-upgrade-reconnect.poc.test.ts
• node scripts/crabbox-wrapper.mjs run ... --shell -- "pnpm check:changed"

What I checked:

• Live issue context keeps this canonical: Live GitHub data shows this issue is still open, the reporter explicitly confirmed recovery remains fragile, and later unknown requestId reports were closed as duplicates of this canonical pairing-recovery thread.
• Opener identity: By: Vladyslav0808087 (@Vladyslav0808087, account created 2021-06-12) | OpenClaw: 0 PRs, 1 issue, 0 commits/12mo | GitHub public: 0 commits, 0 PRs, 1 issue, 0 reviews/12mo.
• Pairing methods still require pairing scope before handlers run: handleGatewayRequest authorizes the method before dispatch, and core descriptors classify both device.pair.approve and device.pair.reject as operator.pairing; a session with only operator.read is stopped before handler-local same-device checks can help. (src/gateway/server-methods.ts:185, ba8a6499f02f)
• Reject has a self-device guard but no read-only pre-auth path: The reject handler restricts non-admin device-token sessions to their own pending request, but that logic is inside the handler and the CLI reject command still calls device.pair.reject directly with no local fallback. (src/gateway/server-methods/devices.ts:301, ba8a6499f02f)
• Approve fallback is partial and exact-request dependent: The devices CLI has a loopback local fallback for approve, but it refuses mismatched gateway/local request IDs and returns unknown requestId when the local pending entry has already been superseded. (src/cli/devices-cli.runtime.ts:220, ba8a6499f02f)
• Pending request replacement remains a real source path: Pairing reconciliation deletes older pending requests for the same device when building a replacement, and approval returns null when the supplied request ID is no longer present, which maps to the observed unknown requestId behavior. (src/infra/pairing-files.ts:63, ba8a6499f02f)

Likely related people:

• steipete: Authored and merged the token-scope preservation fix and recent diagnostic probe pairing changes adjacent to this recovery path. (role: recent pairing/token contributor; confidence: high; commits: c9053ff20853, 8d08e86f42ac; files: src/infra/device-pairing.ts, src/infra/device-pairing.test.ts, docs/cli/devices.md)
• eleqtrizit: Authored the self-only paired-device pairing action guard and bootstrap handoff scope-bound work that shape the relevant authority boundary. (role: pairing approval-boundary contributor; confidence: high; commits: 5a12f30441d5, b8372a714ccc; files: src/gateway/server-methods/devices.ts, src/gateway/server.device-pair-approve-authz.test.ts, src/infra/device-pairing.ts)
• shakkernerd: Introduced the devices list/approve local pairing fallback that is the current partial recovery path discussed by this issue. (role: local fallback introducer; confidence: medium; commits: aa3c8f732b72, 99db4c7903d5; files: src/cli/devices-cli.ts, src/cli/devices-cli.test.ts, src/infra/device-pairing.ts)
• vincentkoc: Authored the fallback state guard that prevents local approve/list fallback from acting on a different local pairing store or stale request. (role: recent devices CLI fallback contributor; confidence: medium; commits: 01377ddbe284; files: src/cli/devices-cli.ts, src/cli/devices-cli.test.ts)

Remaining risk / open question:

• No live reproduction was run against the reporter's exact paired state; this review is source-backed plus related-report-backed.
• Any read-scoped recovery exception must avoid cross-device rejection, approval, or scope widening without a trusted local path.
• The open overlapping PR is conflicted/not merge-ready and does not by itself resolve the canonical recovery policy.

Codex review notes: model gpt-5.5, reasoning high; reviewed against ba8a6499f02f.

[Vladyslav0808087]

Thanks, this matches what I was seeing locally.

A few concrete confirmations from my side:

• This is not just a devices reject ergonomics issue for me, it is currently a real recovery deadlock.
• My currently paired CLI only has operator.read.
• The pending repair request keeps reappearing with the broad default operator bundle.
• Because of that, gateway control-plane work is blocked in practice, including cron management and ACP/sub-agent spawn, not just pairing cleanup.
• I have intentionally not approved the broad repair request just to get unstuck.

So the maintainer-level question is really:

1. What is the preferred recovery path today for a CLI stuck at operator.read with an auto-reissued over-scoped repair request?
2. Is there already a supported way to request a narrower repair scope bundle for the CLI?
3. If not, would you prefer the intended fix to be:
   • local self-reject fallback for pending repair requests,
   • support for narrower repair-scope requests,
   • or a different bootstrap/recovery flow entirely?

I’m happy to test a maintainer-recommended path, but for now I’ve left the system in the blocked state rather than widening scopes without clear guidance.

[Vladyslav0808087]

For now, is the maintainer-recommended practical workaround to temporarily accept the broad repair request, then reduce/re-pair scopes afterward if supported?

I’m trying to avoid manual JSON edits or any undocumented local state changes unless that is the intended recovery path.

[Vladyslav0808087]

Quick status update from my side:

I was able to recover the stuck CLI today, and the deadlock appears resolved in practice on this machine.

What finally happened:

• Repeated openclaw devices approve <current-pending-id> attempts eventually succeeded through the local fallback path.
• Before success, request IDs kept rotating due to the short-lived pending repair request behavior.
• On the successful attempt, the CLI printed the usual pairing required gateway failure first, then Direct scope access failed; using local fallback., and then approved the pending request.

Current state after recovery:

• ~/.openclaw/devices/pending.json is now empty.
• ~/.openclaw/devices/paired.json now shows the paired entry as:
  • clientId: cli
  • clientMode: cli
  • scopes: operator.read, operator.admin, operator.write, operator.approvals, operator.pairing, operator.talk.secrets
• openclaw devices list --json works.
• openclaw cron list --json works.
• openclaw cron create ... --json works.
• openclaw cron delete <jobId> works.

So from a user-impact perspective, the previously blocked control-plane operations are now working again on this installation.

That said, I still think the underlying issue report is valid:

• the recovery path was fragile,
• pending request IDs rotated while trying to approve,
• some attempts failed with unknown requestId even while using the current visible pending request,
• and the behavior was not predictable enough to be a comfortable or clearly supported recovery flow.

So I’d treat this as “recovered in practice, but the recovery UX/path still seems flaky and worth fixing/documenting.”

If helpful, I can also provide the exact before/after paired/pending JSON shapes I observed locally.

[Vladyslav0808087]

Small clarification so this does not get misread as a close request:

I am not suggesting this issue should be closed just because I managed to recover one local installation.

My intended signal is:

• the original bug report was real,
• the control-plane deadlock had real user impact,
• the eventual recovery path was still flaky / timing-sensitive,
• and the current behavior still does not feel like a robust or clearly supported recovery flow.

So from my perspective, this should stay open until maintainers are satisfied that:

1. the supported recovery path is deterministic,
2. rotating pending request IDs do not create this confusing approve/retry behavior,
3. and the recovery flow is documented clearly enough that users do not have to "win the race" against request churn.

[Vladyslav0808087]

Quick update from my side:

I noticed 2bade04 ("feat(gateway): include operator.admin + operator.pairing in bootstrap") and PR #75820 are addressing this surface — thanks. Confirming I haven't pulled either yet (still on 2026.4.15, npm global) and won't, until they're in a tagged release.

While waiting, I tested the approve-fallback path Codex pointed to. It does not unblock my situation in practice. Specifically:

1. CLI runs openclaw devices approve <id> with the request id read from ~/.openclaw/devices/pending.json.
2. Direct gateway path returns pairing required (expected).
3. Local fallback fires, but the request id passed in is already gone from pending.json by the time fallback looks it up — fallback prints unknown requestId and exits with code 1.
4. After exit, pending.json contains a brand-new request with a different id and the full default operator bundle restored.

This holds even when reading the id and running approve in the same shell block (sub-second gap). The new id appears at every approve attempt, suggesting a connect-time regeneration of the pending request, not just TTL-based refresh.

So for users in my state (paired backend with operator.read, no other admin device, repair request auto-reissued on every CLI connect), the existing approve-fallback codepath is effectively unreachable. PR #75820 may already cover this — happy to retest once it ships.

Keeping the issue open per Codex's note. No action needed from me right now.

[Vladyslav0808087]

Quick follow-up from the same machine after leaving it in real use for a while.

The practical control-plane situation is now better than when I left the last update:

• cron is not just theoretically reachable, it is working in day-to-day use on this installation.
• I now have multiple real cron jobs active and running successfully through the gateway, including repeated isolated-session jobs.
• A concrete example now working in practice is a SenyaWiki automation loop:
  • every-4-hours inbox scan job
  • weekly wiki health-check job
  • weekly digest job
• So from the user side, the earlier cron-blocked state is no longer the current state on this machine.

I still do not think this issue should be closed yet.

Why I still consider the issue valid:

• the original deadlock was real,
• recovery was still fragile and timing-sensitive,
• getting from operator.read-only state back to a healthy control-plane did not feel deterministic enough,
• and I still do not have high confidence that another user in the same starting state would know the intended supported recovery path.

So my current user-level summary is:

• current local state: recovered enough that cron-based gateway control-plane work is functioning normally,
• issue status: still valid as a recovery UX / determinism problem.

I have not yet re-run a fresh ACP-specific smoke test after this longer cron recovery period, so I am intentionally not over-claiming beyond the cron/control-plane side.