openclaw logs --follow registers as paired device, rewrites paired.json

[bottenbenny]

Bug Description

openclaw logs --follow connects through the gateway websocket layer and registers as a full paired device, causing paired.json rewrites and contributing to file read race conditions.

Steps to Reproduce

1. Check paired.json state: stat ~/.openclaw/devices/paired.json
2. Note the inode and modify timestamp
3. Run openclaw logs --follow
4. Check paired.json again: stat ~/.openclaw/devices/paired.json
5. Observe inode changed (temp-file + rename write pattern)

Expected Behavior

openclaw logs --follow should behave like a passive log reader (tail -F), not as a full gateway client. It should:

• NOT register in paired.json
• NOT trigger device state updates
• Use a lightweight "observer" mode with read-only access to logs

Actual Behavior

• openclaw logs --follow registers as a device with clientMode: cli and operator.write scope
• Every connection triggers a paired.json rewrite (inode change observed)
• Contributes to file read races when other components read during rewrite
• Has operator.write scope despite being a log reader

Environment

• OpenClaw version: 2026.5.12
• OS: Ubuntu 24.04.4 LTS
• paired.json entries: 4 (2 stale, 36-47 days old)

Related Issues

• paired_devices.createdAt / lastSeenAt are null — cannot identify stale paired clients #81169 — paired.json stale entry accumulation and read races
• [Bug]: Gateway data loss: Silent read error on paired.json leads to overwrite of all pairings #71873 — Silent read error on paired.json (same underlying fragility)

Recommendation

Add a CLI "observer" mode that:

1. Connects to gateway websocket for log streaming
2. Does NOT write to paired.json
3. Does NOT participate in device/session activity
4. Has minimal scope (read-only log access)

Or alternatively: make openclaw logs --follow use direct file tailing instead of websocket connection.

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve.

Workflow note: Future ClawSweeper reviews update this same comment in place.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

Summary
Keep open: current main still routes openclaw logs --follow through the CLI Gateway RPC path with a device identity, and the Gateway pairing path can auto-approve/persist CLI devices plus rewrite existing paired-device metadata on reconnect. The one nuance is that current main classifies logs.tail as operator.read, so the reported operator.write detail needs runtime confirmation, but the paired-state mutation concern is source-reproducible.

Reproducibility: yes. at source level: current main routes openclaw logs --follow through CLI Gateway RPC with a device identity, and the Gateway pairing path can auto-approve/persist or metadata-update paired CLI devices. I did not live-run the command because the reported reproduction intentionally rewrites local pairing state.

Next step
This needs maintainer review of the logs/auth boundary before a safe automated repair can choose a path.

Review details

Best possible solution:

Make openclaw logs --follow use a non-mutating read-only path that preserves remote log access while proving paired.json is not created, paired, or rewritten for log-only polling.

Do we have a high-confidence way to reproduce the issue?

Yes, at source level: current main routes openclaw logs --follow through CLI Gateway RPC with a device identity, and the Gateway pairing path can auto-approve/persist or metadata-update paired CLI devices. I did not live-run the command because the reported reproduction intentionally rewrites local pairing state.

Is this the best way to solve the issue?

Unclear. The requested observer mode is plausible, but the safest fix may be direct local file tailing for implicit local use plus a carefully scoped remote read-only Gateway path; maintainers should pick the auth boundary before a repair PR.

Label justifications:

• P2: The report describes a valid logs/pairing side effect with limited surface but real operational impact on paired-device state and race amplification.
• impact:data-loss: The issue centers on unnecessary rewrites of paired.json, a persisted pairing-state file involved in related read/write race reports.
• impact:auth-provider: The behavior is tied to Gateway device identity, operator scopes, and paired-device authentication state.

Acceptance criteria:

• node scripts/run-vitest.mjs src/cli/logs-cli.test.ts
• node scripts/run-vitest.mjs src/gateway/server.auth.control-ui.suite.ts src/gateway/server/ws-connection/handshake-auth-helpers.test.ts
• Add a targeted regression that runs the logs-tail Gateway call against a temp state dir and asserts devices/paired.json is not created or rewritten for log-only polling.

What I checked:

• Issue report and related context: The reporter observed on OpenClaw 2026.5.12 that openclaw logs --follow changed the inode/mtime of ~/.openclaw/devices/paired.json, and linked related open reports about paired-device state churn and JSON read races.
• Logs CLI uses Gateway RPC for each tail fetch: fetchLogs calls callGatewayFromCli("logs.tail", ...), and the follow loop repeatedly calls fetchLogs before sleeping for the configured interval. (src/cli/logs-cli.ts:77, 27c7e1e07bcb)
• CLI Gateway calls default to CLI identity and mode: callGatewayFromCliRuntime passes no device-identity override by default and sets clientName to cli and mode to cli, so the logs command enters the normal CLI Gateway-client path. (src/cli/gateway-rpc.runtime.ts:29, 27c7e1e07bcb)
• Gateway call path attaches a device identity for CLI callers: executeGatewayRequestWithScopes creates a GatewayClient and resolves a local device identity when opts.deviceIdentity is undefined; the CLI special case resolves least-privilege scopes, which currently makes logs.tail operator.read rather than operator.write. (src/gateway/call.ts:690, 27c7e1e07bcb)
• Gateway pairing path can persist a CLI device: For a presented device identity, the handshake requests device pairing and auto-approves silent local pairing; persistState writes paired.json for paired-device updates. (src/gateway/server/ws-connection/message-handler.ts:1079, 27c7e1e07bcb)
• Existing paired devices are rewritten on reconnect: After a paired device reconnects, the handler calls updatePairedDeviceMetadata; that helper writes the paired-device state back to paired.json even for metadata-only updates. (src/gateway/server/ws-connection/message-handler.ts:1313, 27c7e1e07bcb)

Likely related people:

• Peter Steinberger: History shows Peter introduced the logs CLI in d1ceb3aa60b09c916b974238083044f661228ab9 and later changed Docker CLI pairing locality in 40da986b21127bcfc485cfe314b3da711ffc17cc, both central to this behavior. (role: logs CLI introducer and pairing locality contributor; confidence: high; commits: d1ceb3aa60b0, 40da986b2112; files: src/cli/logs-cli.ts, src/gateway/server/ws-connection/handshake-auth-helpers.ts, src/gateway/server.auth.control-ui.suite.ts)
• Colin: Current-main blame for the logs CLI, Gateway call wrapper, device-pairing implementation, and much of the WebSocket handshake path points to the grafted 6e8029407919405b125d93dc1cae1e4e74e0ba86 snapshot. (role: current-main gateway/logs area contributor; confidence: medium; commits: 6e8029407919; files: src/cli/logs-cli.ts, src/gateway/call.ts, src/gateway/server/ws-connection/message-handler.ts)
• Nimrod Gutman: Recent current-main work in a7ab09fa4e79fdbaa6359d2b05e8038db810cf47 changed the paired-device metadata refresh path that now writes during reconnects. (role: recent gateway pairing metadata contributor; confidence: medium; commits: a7ab09fa4e79; files: src/gateway/server/ws-connection/message-handler.ts, src/gateway/server/ws-connection/message-handler.post-connect-health.test.ts)

Remaining risk / open question:

• I did not run openclaw logs --follow because the reported reproduction mutates local paired-device state; the source path and existing tests are strong enough to keep this open.
• The fix touches the Gateway auth/pairing boundary: maintainers should choose between direct local file tailing, a non-pairing observer/client mode, or reusing the local backend shared-auth no-pairing path before implementation.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 27c7e1e07bcb.

[bottenbenny]

Quick question: Is openclaw logs --follow registering as a paired device (and rewriting paired.json) intentional behavior?

Context: We've observed that running openclaw logs --follow causes paired.json to be rewritten (inode changes, file size increases from 2.3KB to 4.6KB), which contributes to race-condition read errors in other gateway clients. If this is by design, would a --no-register flag be feasible? If it's a bug, we can provide a detailed reproduction script.

Thanks!