paired_devices.createdAt / lastSeenAt are null — cannot identify stale paired clients

[deminson]

Observed

In a fresh-ish OpenClaw deployment (running `2026.5.2`), `~/.openclaw/devices/paired.json` shows every entry with `createdAt: null` and `lastSeenAt: null`:

```json
[
{ "clientId": "cli", "role": "operator", "createdAt": null, "lastSeenAt": null },
{ "clientId": "gateway-client", "role": "operator", "createdAt": null, "lastSeenAt": null },
... (9 more gateway-client entries, all null)
]
```

Why this matters operationally

Without timestamps, an operator cannot tell stale devices apart from active ones. Standard hygiene (revoke devices not seen in N days) is impossible. The file accumulates entries indefinitely.

Expected

`createdAt` populated on first pair; `lastSeenAt` updated on each accepted authentication (or on a periodic basis if precise per-request tracking is too costly).

Workaround

We've started maintaining a manual log alongside `paired.json` (`docs/openclaw/paired-devices-log.md` in our repo) — every pairing requires the operator to append a one-line entry. Brittle (relies on operator discipline) but produces a usable audit trail until this is fixed upstream.

Environment

• OpenClaw `2026.5.2` (Linux x86, Docker image `ghcr.io/openclaw/openclaw`)
• 10 paired entries accumulated over months of operation
• Pairing flow used: standard `openclaw` CLI pairing + gateway-sidecar startup pairing

Happy to capture more diagnostic info if helpful.

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve.

Summary
Keep open: current main still leaves ordinary paired-client authentication and reconnects without durable device-level last-seen updates, and the linked fixing PR at #81189 is still open and unmerged.

Reproducibility: yes. Source inspection gives a high-confidence path: pair a device, authenticate or reconnect with an accepted device token, and current main updates token lastUsedAtMs or access metadata without refreshing device-level lastSeenAtMs.

Next step
A linked open fix PR already targets this issue, so a separate ClawSweeper repair job would duplicate the maintainer review path.

Review details

Best possible solution:

Review and land or close #81189; the desired end state is to refresh lastSeenAtMs/lastSeenReason on successful paired auth or reconnect without changing pairing policy or reviving legacy field names.

Do we have a high-confidence way to reproduce the issue?

Yes. Source inspection gives a high-confidence path: pair a device, authenticate or reconnect with an accepted device token, and current main updates token lastUsedAtMs or access metadata without refreshing device-level lastSeenAtMs.

Is this the best way to solve the issue?

Yes. The narrowest maintainable fix is to use the existing paired-device metadata seam after successful auth or reconnect, with focused regression coverage and no schema/config change.

What I checked:

• Issue report and linked fix PR: The reporter described OpenClaw 2026.5.2 paired-device entries with null timestamp fields, and GitHub shows an open closing PR at fix(devices): refresh paired device last-seen metadata #81189 that targets the same stale-client audit problem.
• Current paired-device contract already has timestamp fields: Current main defines PairedDevice.createdAtMs, approvedAtMs, optional lastSeenAtMs, optional lastSeenReason, and allows last-seen fields in metadata patches. (src/infra/device-pairing.ts:78, 80ca48418a21)
• Approval writes creation time but not last-seen time: approveDevicePairing creates paired records with createdAtMs and approvedAtMs, but does not initialize lastSeenAtMs for the newly approved paired device. (src/infra/device-pairing.ts:687, 80ca48418a21)
• Accepted token auth does not update device last-seen: After successful device-token verification, verifyDeviceToken updates only entry.lastUsedAtMs and writes the token back; it does not update device.lastSeenAtMs or lastSeenReason. (src/infra/device-pairing.ts:939, 80ca48418a21)
• Paired websocket reconnect omits last-seen metadata: The reconnect metadata patch contains display name and IP only, and the accepted reconnect path persists that patch without last-seen fields. (src/gateway/server/ws-connection/message-handler.ts:989, 80ca48418a21)
• Existing last-seen persistence seam is used elsewhere: Node presence alive events already call updatePairedDeviceMetadata with lastSeenAtMs and lastSeenReason, showing the durable metadata seam exists and is not wired to ordinary accepted auth. (src/gateway/server-node-events.ts:856, 80ca48418a21)

Likely related people:

• pgondhi987: Recent merged work touched src/infra/device-pairing.ts, the gateway websocket connection path, and approval/auth metadata around device pairing. (role: recent area contributor; confidence: high; commits: b17e77a22bf4, 386d321634b3; files: src/infra/device-pairing.ts, src/gateway/server/ws-connection/message-handler.ts, src/gateway/server.auth.control-ui.suite.ts)
• steipete: Recent history includes device-pairing changes, reconnect metadata pinning, and the background presence beacon work that established the durable last-seen path. (role: recent area contributor; confidence: medium; commits: bdba90a20b2b; files: src/infra/device-pairing.ts, src/gateway/server/ws-connection/message-handler.ts, src/gateway/server-node-events.ts)
• ngutman: The authenticated iOS background presence beacon commit is co-authored by this handle and overlaps the existing lastSeenAtMs/lastSeenReason persistence path. (role: adjacent durable presence contributor; confidence: medium; commits: bdba90a20b2b; files: src/gateway/server-node-events.ts, src/infra/device-pairing.ts, docs/platforms/ios.md)

Remaining risk / open question:

• I did not run tests or a live pairing flow because this review was read-only and those commands can write artifacts.
• The reporter's sample uses legacy-looking createdAt/lastSeenAt names and an array shape, while current main uses the createdAtMs/lastSeenAtMs contract.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 80ca48418a21.

[bottenbenny]

Additional Empirical Data — paired.json Rewrite Behavior and Performance Impact

We investigated paired.json rewrites as part of a performance/root-cause analysis and found strong correlation with gateway sluggishness. Adding our findings here since they directly relate to the stale-device identification problem.

Environment

• OpenClaw 2026.4.23 (Ubuntu 24.04, laptop hardware)
• 4 paired entries in ~/.openclaw/devices/paired.json
• File size: ~4.6KB

Finding 1: paired.json Is Rewritten on Every Gateway Client Activity

With only Discord + one SSH terminal + tail -F on log file (no Control UI, no openclaw logs --follow):

• stat showed stable timestamps and inode

After opening openclaw logs --follow:

• stat showed inode changed (1469992 → 1470003)
• Modify timestamp jumped from 15:05:28 to 15:12:44

This indicates temp-file + rename write pattern, triggered by openclaw logs --follow registering as a gateway client.

Finding 2: File Read Race Condition

Observed errors:

JsonFileReadError: Failed to read JSON file: /home/simon/.openclaw/devices/paired.json
Error: File changed during read

Sequence:

1. Gateway/client rewrites paired.json (temp + rename)
2. Another component reads during the rename window
3. JSON read fails
4. Websocket/gateway reconnect occurs (gateway closed (1000))

Finding 3: Stale Entries Accumulate

Current paired.json breakdown:

Entry	Platform	Client	lastUsedAtMs	Age
a386...	linux	cli	1776527407387	~30 days ago
f139...	MacIntel	control-ui	1779046427714	~2 hours ago (active)
a3c3...	MacIntel	control-ui	1774974983869	~47 days ago (stale)
ac71...	MacIntel	control-ui	1775935715913	~36 days ago (stale)

50% of entries are stale with no cleanup mechanism.

Root Cause Connection

The createdAt: null / lastSeenAt: null bug reported in this issue prevents the gateway from:

1. Identifying which entries are stale
2. Cleaning up old entries automatically
3. Reducing paired.json rewrite frequency (fewer entries = faster writes)
4. Avoiding read races (smaller file = faster reads)

Performance Impact

• paired.json rewrites contribute to event loop delay (eventLoopDelayMaxMs=2875.2 observed)
• Read races cause gateway closed (1000) reconnects
• Each reconnect may trigger another paired.json rewrite → amplification loop
• Context overflow (200+ messages) + auto-compaction + client churn = severe sluggishness

Recommendations

1. Fix timestamps (this issue) — populate createdAt and lastSeenAt so stale detection works
2. Add TTL cleanup — auto-remove entries with lastSeenAt > 30 days (or make configurable)
3. Separate CLI observer mode — openclaw logs --follow should not register as a full paired device
4. Atomic read retry — JSON reads should retry (max 3x, 50ms backoff) on File changed during read
5. Proactive compaction — compact Discord sessions at 150 messages, not 200+

Related Issues

• [Bug]: Gateway data loss: Silent read error on paired.json leads to overwrite of all pairings #71873 — Silent read error on paired.json leads to overwrite of all pairings (CLOSED, but same underlying fragility)
• Restart sentinel delayed by 12+ hours after gateway update #83547 — Restart sentinel delayed by 12+ hours (gateway process churn related)

---

Reported by: Shweta (agent) on behalf of Simon (operator)

[steipete]

Fixed on main by #88607, landed as 703fae1.

The landed fix refreshes durable paired-device last-seen metadata for accepted device-token auth, paired reconnects, and first silent auto-approved connects. Focused proof: device pairing tests passed 57/57 and gateway auth tests passed 31/31 on the landed branch before merge.