[Bug]: sessions_spawn fails with missing scope operator.write despite full-scope operator token

[one-box-u]

Summary

sessions_spawn fails on OpenClaw 2026.5.4 with:

missing scope: operator.write

even after the local operator device token and paired-device state have been rotated/synced to include the full operator scope set.

A direct Gateway agent RPC using the same operator device token and the same full scopes succeeds, so the failure appears specific to the sessions_spawn -> spawnSubagentDirect -> callGateway(method="agent") path.

This looks related to earlier pairing required / scope-upgrade reports for internal gateway-client self-calls, but the current observable failure is missing scope: operator.write even when the stored token scopes are already correct.

Environment

• OpenClaw: 2026.5.4 (325df3e)
• OS: Linux x64
• Node: v22.22.2
• Gateway: local Gateway, token auth enabled
• Agent session: main agent session, sessions_spawn tool available
• Runtime/model details do not appear relevant; failure happens before the child agent turn starts

Related issues

Possibly related, but not identical:

• [Bug]: Internal gateway operations (cron, announce, sessions_spawn) fail with "pairing required" due to device scope enforcement on self-calls #21655 — Internal gateway operations (cron, announce, sessions_spawn) fail due to device scope enforcement on self-calls
• Sub-agent spawn fails with 'pairing required' after update to 2026.2.21-2 #23160 — Sub-agent spawn fails with pairing required after update
• [BUG] Sub-agent sessions_spawn fails with pairing required error #23187 — Sub-agent sessions_spawn fails with pairing required
• Bug: Subagent sessions fail with 'pairing required' error on loopback gateway #23661 — Subagent sessions fail with pairing required on loopback gateway
• Bug: Scope upgrade pending approval error after upgrade to 2026.4.21 #70687 — Scope upgrade pending approval after upgrade

The difference here is that the stored operator device token already has operator.write, and a direct agent RPC succeeds with that token, while the built-in sessions_spawn tool still fails.

Steps to reproduce

1. Run OpenClaw 2026.5.4 with a local Gateway using token auth.
2. Ensure sessions_spawn is available in the main agent session.
3. Confirm the paired operator device and local device-auth token include full scopes:

operator.admin
operator.approvals
operator.pairing
operator.read
operator.write
operator.talk.secrets

4. Call sessions_spawn from the main agent session with a minimal native subagent task:

{
  "runtime": "subagent",
  "mode": "run",
  "label": "subagent-smoke-test",
  "task": "Smoke test. Reply briefly. Do not use tools.",
  "timeoutSeconds": 120,
  "runTimeoutSeconds": 120
}

Actual behavior

sessions_spawn returns an error:

{
  "status": "error",
  "error": "missing scope: operator.write",
  "childSessionKey": "<redacted>",
  "runId": "<redacted>"
}

The child session key/run id are created, but the child run does not start successfully.

Expected behavior

sessions_spawn should start the subagent run when the local operator token has operator.write, or the internal Gateway call should use an auth path/scopes that satisfy the agent RPC requirement.

Diagnostics performed

1. Verified stored operator scopes

Both the paired-device state and the local operator device-auth token contain the full scope set:

operator.admin, operator.approvals, operator.pairing, operator.read, operator.talk.secrets, operator.write

The paired token and local cached token were also verified to be identical after manual rotation/sync.

No token, device id, user id, IP, or account/channel identifier is included here.

2. openclaw devices rotate via CLI was denied

Running the documented rotate command with full scopes was denied:

GatewayClientRequestError: device token rotation denied

From source inspection, this appears to happen because the CLI method call for device.token.rotate connects with the least-privilege method scope (operator.pairing), while rotating a token that includes operator.admin / operator.write / operator.approvals requires the caller connection itself to hold those scopes.

3. Direct full-scope WS device.token.rotate succeeded

Using a direct Gateway WebSocket client with the existing operator device token and explicit full scopes, device.token.rotate succeeded and returned a new full-scope operator token.

The local device-auth cache was then synced to the newly rotated token and verified against the paired-device state.

4. sessions_spawn still failed after successful rotation/sync

After rotation and local cache sync, the same sessions_spawn smoke test still returned:

missing scope: operator.write

5. Direct Gateway agent RPC succeeds with same token/scopes

As a control test, a direct Gateway WebSocket client was created using the same operator device token and the same full scope list, then called the agent RPC directly with a minimal message and a fresh session key.

That direct agent call succeeded and returned a run id:

{
  "ok": true,
  "runId": "<redacted>"
}

This strongly suggests the Gateway agent RPC and the operator token are valid, and the failure is in the built-in sessions_spawn path rather than in Gateway auth generally.

Source-level hypothesis

From the installed build:

• sessions_spawn calls spawnSubagentDirect(...)
• spawnSubagentDirect(...) eventually calls callSubagentGateway({ method: "agent", ... })
• agent is classified as requiring operator.write
• callGateway(...) defaults to backend gateway-client behavior and least-privilege/shared-auth handling unless explicit scopes/device auth are supplied

The observed behavior is consistent with the internal callGateway(method="agent") path connecting without an effective operator.write scope, even though the local operator device token has it.

In this environment, direct WS with explicit device token + full scopes works; built-in sessions_spawn does not.

Impact

High for multi-agent workflows: native subagent delegation is blocked even though the operator token and Gateway are otherwise functional.

This prevents using subagents for task decomposition, review, and execution isolation.

Privacy note

All device IDs, session keys, run IDs, IP addresses, tokens, token hashes, user/account IDs, and channel identifiers have been redacted or omitted intentionally.

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve. Reviewed May 31, 2026, 1:05 AM ET / 05:05 UTC.

Summary
Codex review failed: codex execution failed.

Reproducibility: unclear. The review failed before ClawSweeper could establish a reproduction path.

Ways to help us reproduce this

• Add a screenshot or short recording showing the behavior.
• Include the exact command, prompt, or workflow that triggered it.
• Add expected vs actual behavior.

Next step
Review did not complete, so no work-lane recommendation was made.

Review details

Best possible solution:

Retry the Codex review after fixing the execution failure.

Do we have a high-confidence way to reproduce the issue?

Unclear. The review failed before ClawSweeper could establish a reproduction path.

Is this the best way to solve the issue?

Unclear. Retry the review first so ClawSweeper can evaluate the actual issue and fix direction.

AGENTS.md: unclear because the file could not be read completely.

Remaining risk / open question:

• No close action taken because the review did not complete.

Codex review notes: model gpt-5.5, reasoning high; reviewed against e1a98171417c.

Label changes

Label changes:

• add issue-rating: 🦪 silver shellfish: Current issue advisory state selects this label.
• add clawsweeper:needs-info: Current issue advisory state selects this label.

Evidence reviewed

What I checked:

• failure reason: codex execution failed.
• codex failure detail: Codex review failed for this issue with exit 1.
• codex stdout: Per-item Codex failure; continuing with the rest of the shard.

Likely related people:

• unknown: Codex failed before it could trace repository history. (role: review did not complete; confidence: low)

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[one-box-u]

I re-ran a focused live reproduction after the Codex review, following the suggested boundary: native sessions_spawn -> callGateway(method="agent") under token auth, plus a direct Gateway agent control using the local full-scope operator device token.

All sensitive values below are redacted/omitted: token, token hash, device id, user id, account/channel/chat ids, IPs, session keys, run ids, and local workspace paths.

OpenClaw issue #77807 live reproduction log

Timestamp

2026-05-05T21:21:29+08:00

Host/runtime environment

• OS: Linux 6.8.0-101-generic x86_64
• Node: v22.22.2
• npm: 10.9.7
• OpenClaw CLI: OpenClaw 2026.5.4 (325df3e)
• CWD:

Gateway/service status (sanitized)

Service: systemd user (disabled)
File logs: /tmp/openclaw/openclaw-2026-05-05.log

Config (cli): ~/.openclaw/openclaw.json
Config (service): ~/.openclaw/openclaw.json

Gateway: bind=tailnet (), port=18789 (env/config)
Probe target: ws://
Dashboard: http:///

Runtime: unknown (systemctl --user unavailable: Failed to connect to bus: No medium found)
Connectivity probe: ok
Capability: admin-capable

systemd user services unavailable.
systemd user services are unavailable; install/enable systemd or run the gateway under your supervisor.
On a headless server (SSH/no desktop session): run sudo loginctl enable-linger $(whoami) to persist your systemd user session across logins.
Also ensure XDG_RUNTIME_DIR is set: export XDG_RUNTIME_DIR=/run/user/$(id -u), then retry.
If you're in a container, run the gateway in the foreground instead of openclaw gateway.

Listening: ,
Troubles: run openclaw status
Troubleshooting: https://docs.openclaw.ai/troubleshooting

Installed package metadata

• openclaw/package.json: name=openclaw version=2026.5.4 commit=n/a

Device/operator scope verification (sanitized)

• local device-auth present: true
• local device-auth scopes: operator.admin, operator.approvals, operator.pairing, operator.read, operator.talk.secrets, operator.write
• sensitive fields redacted: token/deviceId/userId/sessionKey/runId/ip/account/channel

Test A: native sessions_spawn tool live reproduction

Tool input parameters

{
  "runtime": "subagent",
  "mode": "run",
  "label": "issue-77807-live-repro-2026-05-05",
  "task": "Issue #77807 live reproduction smoke test. Please reply exactly one line: SUBAGENT_LIVE_REPRO_OK. Do not use external tools.",
  "runTimeoutSeconds": 120,
  "timeoutSeconds": 120,
  "lightContext": true
}

Actual result

{
  "status": "error",
  "error": "missing scope: operator.write",
  "childSessionKey": "<redacted-session-key>",
  "runId": "<redacted-run-id>"
}

Observation

The native sessions_spawn tool still creates/returns a child session key and run id, but the child run fails before producing the requested SUBAGENT_LIVE_REPRO_OK output. The visible failure remains exactly missing scope: operator.write.

Test B: direct Gateway agent RPC control using local full-scope operator device token

Purpose

Control test for the Gateway method itself. This bypasses the sessions_spawn tool and calls Gateway agent directly using the local operator device-auth token with the stored scope list.

Sanitized result

{
  "ok": true,
  "startedAt": "2026-05-05T13:32:30.967Z",
  "finishedAt": "2026-05-05T13:32:31.427Z",
  "connection": {
    "url": "ws://<redacted-ip>",
    "auth": "operator device-auth token loaded from local store and sent as deviceToken (<redacted>)",
    "requestedScopes": [
      "operator.admin",
      "operator.approvals",
      "operator.pairing",
      "operator.read",
      "operator.talk.secrets",
      "operator.write"
    ],
    "clientName": "gateway-client",
    "clientDisplayName": "issue-77807-live-repro-control",
    "mode": "backend",
    "role": "operator",
    "protocol": {
      "minProtocol": 3,
      "maxProtocol": 3
    }
  },
  "request": {
    "method": "agent",
    "params": {
      "sessionKey": "<redacted-session-key>",
      "message": "Issue #77807 direct Gateway agent RPC control. Reply exactly: DIRECT_AGENT_RPC_OK",
      "idempotencyKey": "<redacted-uuid>",
      "timeout": 60,
      "lane": "subagent",
      "extraSystemPrompt": "Minimal control test. Do not use tools."
    }
  },
  "result": {
    "runId": "<redacted-run-id>",
    "status": "accepted",
    "acceptedAt": 1777987951419
  },
  "sensitive": "token/deviceId/userId/sessionKey/runId/ip/account/channel redacted"
}

Conclusion

This live environment still reproduces the failure requested in the review:

• Native sessions_spawn(runtime="subagent") fails with missing scope: operator.write.
• The local operator device-auth store contains operator.write and the full operator scope set shown above.
• A direct Gateway agent RPC control, using the local operator device token as deviceToken and the same stored scopes, succeeds immediately with status: "accepted".

This keeps pointing at the native sessions_spawn -> spawnSubagentDirect -> callGateway(method="agent") path losing or not selecting an effective operator.write scope, rather than the Gateway agent method or the stored operator token being invalid in this environment.

[one-box-u]

Follow-up from a live local hotfix / validation pass on OpenClaw 2026.5.6 (c97b9f7).

All sensitive environment-specific values are intentionally omitted/redacted: tokens, token hashes, device IDs, user/account/channel/chat IDs, IP addresses, session keys, run IDs, and local workspace paths.

Additional finding: two failures can be stacked

I hit two separate issues while re-testing native sessions_spawn:

1. Transport / loopback endpoint issue

   • With gateway.bind=tailnet, the Gateway was reachable on the tailnet-bound interface, but there was no listener on the loopback Gateway port.
   • Some local control paths, including native sessions_spawn / CLI Gateway calls, still attempted the local loopback target.
   • Result before restoring a loopback endpoint: gateway closed (1006 abnormal closure) and some CLI status calls could hang until timeout.
   • Adding a local loopback TCP proxy to the tailnet-bound Gateway endpoint removed the 1006 failure.

2. Authorization issue after transport was fixed

   • Once the loopback endpoint existed again, sessions_spawn progressed further and failed with the original issue error: missing scope: operator.write.
   • The local operator device was already paired/approved with full operator scopes, including operator.write and operator.admin.

Local hotfix that made native sessions_spawn work

This was applied as a local hotfix to compiled runtime output, not as a proper source PR.

The key behavior change was in the Gateway client call path:

• spawnSubagentDirect calls the Gateway agent method.
• That call has least-privilege scopes such as operator.write.
• The internal Gateway client had logic to omit device identity for backend/shared-auth loopback calls.
• In the failing path, the decision helper was checking opts.scopes, but the actual scopes were being carried as the local scopes argument inside the Gateway call execution function.
• Therefore the helper could decide to omit device identity even though the call was explicitly scoped to operator.write.

The local fix was to make the device-identity omission check consider the actual resolved scopes, and to pass those scopes into the helper.

Conceptually:

function shouldOmitDeviceIdentityForGatewayCall(params) {
  const requestedScopes = Array.isArray(params.scopes)
    ? params.scopes.filter((scope) => typeof scope === "string" && scope.trim())
    : Array.isArray(params.opts.scopes)
      ? params.opts.scopes.filter((scope) => typeof scope === "string" && scope.trim())
      : [];

  // If this internal control-plane call explicitly asks for operator scopes
  // such as operator.write, keep device identity attached so the approved
  // full-scope device-token path can be used.
  if (requestedScopes.length > 0) return false;

  // Existing shared-auth loopback omission logic follows...
}

And at the call site, pass scopes into resolveDeviceIdentityForGatewayCall(...).

This changed the failing internal agent call from a shared-auth/no-device-identity path into a path that includes device identity and can use the already-approved full-scope operator device token.

Validation after the local hotfix

After restarting Gateway and keeping a stable loopback endpoint:

• Gateway status probe: OK.
• Loopback Gateway endpoint: OK.
• Single native sessions_spawn(runtime="subagent", mode="run"): returned accepted, then completed successfully.
• Parallel smoke test: 4 simple native subagent tasks were started concurrently.
  • All 4 returned accepted.
  • All 4 reached done.
  • No active subagents were left behind.
  • Completion times were roughly 6–11 seconds in this environment.

Interpretation

This makes the original hypothesis stronger:

• The missing scope: operator.write failure is not because the operator device lacks the scope.
• It can happen because the native sessions_spawn -> Gateway agent path can omit device identity on a backend/shared-auth loopback connection even when the actual call is explicitly scoped to operator.write.
• Once device identity is preserved for explicitly scoped internal Gateway calls, native sessions_spawn works again.

The loopback proxy was only needed to repair the stacked gateway.bind=tailnet / local loopback transport problem. It did not by itself fix missing scope: operator.write; the scope failure remained until the device-identity omission behavior was changed.

[openclaw-barnacle]

This issue has been automatically marked as stale due to inactivity.
Please add updates or it will be closed.