gateway: ignore bearer-declared HTTP operator scopes

[jacobtomlinson]

Summary

• ignores x-openclaw-scopes for bearer-authenticated HTTP requests
• derives HTTP senderIsOwner from trusted admin scope instead of hardcoding owner access
• blocks bearer-authenticated /tools/invoke calls and updates the gateway HTTP regression coverage

Changes

• added trusted HTTP scope helpers so bearer requests cannot self-assert operator scopes
• switched the scoped HTTP endpoints to use the trusted-scope helper for method authorization
• updated OpenAI-compatible request handling to derive owner status from trusted scopes
• added regression tests for bearer-token scope suppression and /tools/invoke denial

Validation

• Ran pnpm test -- src/gateway/http-endpoint-helpers.test.ts src/gateway/openai-http.test.ts src/gateway/openai-http.message-channel.test.ts src/gateway/openresponses-http.test.ts src/gateway/models-http.test.ts src/gateway/sessions-history-http.test.ts src/gateway/tools-invoke-http.test.ts src/gateway/server.openai-compatible-http-write-scope-bypass.poc.test.ts
• Ran pnpm test -- src/gateway/http-utils.request-context.test.ts
• Ran pnpm build
• Ran pnpm check
• Ran local agentic review with claude -p "/review" and added direct unit coverage for the trusted HTTP scope helpers

Notes

• Residual risk or follow-up: the older http-auth-helpers scope parser remains in place because this fix stayed on the unrestricted HTTP utility path; the active HTTP endpoints now route through the trusted-scope helper added here.

[greptile-apps]

Greptile Summary

This PR closes a bearer-token scope-bypass: previously, HTTP clients authenticated with a gateway bearer token could self-assert operator scopes via the x-openclaw-scopes header, potentially granting themselves operator.write or even operator.admin access on the agent-command path. The fix introduces resolveTrustedHttpOperatorScopes (which returns an empty slice for any bearer request) and resolveHttpSenderIsOwner (which derives owner status from trusted scopes only), then wires them into all active HTTP endpoint scope-checks and the senderIsOwner field of agent command inputs — replacing the previous hard-coded senderIsOwner: true.

Key changes:

• New isGatewayBearerHttpRequest, resolveTrustedHttpOperatorScopes, and resolveHttpSenderIsOwner helpers in http-utils.ts; well-unit-tested in the request-context test file
• All scoped HTTP endpoints (http-endpoint-helpers, models-http, sessions-history-http) now route through the trusted-scope helper
• openai-http and openresponses-http derive senderIsOwner from trusted scopes rather than hardcoding true
• /tools/invoke explicitly rejects any request that arrives with a bearer token after the auth check
• PoC regression tests updated to assert 403 for the former bypass vectors; a new test covers bearer /tools/invoke denial
• E2E test suites switched from auth: { mode: \"token\" } to auth: { mode: \"none\" } and strip the Authorization header, reflecting that non-bearer HTTP paths are the intended surface under test

Two minor observations: resolveGatewayRequestedOperatorScopes in http-auth-helpers.ts is now exported dead code (acknowledged in the PR notes but worth removing to avoid future confusion), and the resolveHttpSenderIsOwner test suite could add one bearer-request case to pin the "bearer → always false" contract explicitly.

Confidence Score: 5/5

Safe to merge — all remaining findings are P2 style suggestions; the security fix is logically correct and well-covered by new and updated tests

The core invariant (bearer requests cannot self-assert scopes) is correct, consistently applied across every active HTTP endpoint, and directly exercised by the PoC regression tests. The two P2 findings (orphaned export and a missing bearer test case for resolveHttpSenderIsOwner) do not affect correctness or safety.

src/gateway/http-auth-helpers.ts — resolveGatewayRequestedOperatorScopes is now dead code and could be removed

Important Files Changed

Filename	Overview
src/gateway/http-utils.ts	Adds isGatewayBearerHttpRequest, resolveTrustedHttpOperatorScopes, and resolveHttpSenderIsOwner helpers; the core security fix that prevents bearer clients from self-asserting operator scopes
src/gateway/http-endpoint-helpers.ts	Swaps resolveGatewayRequestedOperatorScopes for resolveTrustedHttpOperatorScopes; bearer requests now always get empty scopes and are rejected at the scope check
src/gateway/tools-invoke-http.ts	Adds an explicit bearer-token block after the auth pass, preventing any bearer-authenticated client from invoking tools over HTTP regardless of scope headers
src/gateway/openai-http.ts	Replaces hardcoded senderIsOwner: true with resolveHttpSenderIsOwner(req); bearer callers now correctly receive senderIsOwner: false
src/gateway/openresponses-http.ts	Same senderIsOwner fix as openai-http.ts applied to both the create-response and re-run-response paths
src/gateway/server.openai-compatible-http-write-scope-bypass.poc.test.ts	PoC tests updated to expect 403 instead of 200 for bearer scope self-assertion, and a new test added for /tools/invoke denial; regression coverage is thorough
src/gateway/http-auth-helpers.ts	resolveGatewayRequestedOperatorScopes is now exported dead code; all active callers have been migrated to the new trusted helper in http-utils.ts

Comments Outside Diff (1)

1. src/gateway/http-auth-helpers.ts, line 33-42 (link)

   Exported dead code remains after migration

   resolveGatewayRequestedOperatorScopes is now fully orphaned — no file in the repository imports it since all active call sites have been migrated to resolveTrustedHttpOperatorScopes. The PR notes acknowledge this as a known residual, but the exported function is a confusion risk: future contributors may not realise the safe version lives in http-utils.ts and could accidentally reach for this one instead. Consider removing it (or, if kept for a future-use reason, adding a @deprecated JSDoc pointing to the replacement).

   Prompt To Fix With AI

   This is a comment left during a code review.
   Path: src/gateway/http-auth-helpers.ts
   Line: 33-42
   
   Comment:
   **Exported dead code remains after migration**
   
   `resolveGatewayRequestedOperatorScopes` is now fully orphaned — no file in the repository imports it since all active call sites have been migrated to `resolveTrustedHttpOperatorScopes`. The PR notes acknowledge this as a known residual, but the exported function is a confusion risk: future contributors may not realise the safe version lives in `http-utils.ts` and could accidentally reach for this one instead. Consider removing it (or, if kept for a future-use reason, adding a `@deprecated` JSDoc pointing to the replacement).
   
   How can I resolve this? If you propose a fix, please make it concise.

Prompt To Fix All With AI

This is a comment left during a code review.
Path: src/gateway/http-auth-helpers.ts
Line: 33-42

Comment:
**Exported dead code remains after migration**

`resolveGatewayRequestedOperatorScopes` is now fully orphaned — no file in the repository imports it since all active call sites have been migrated to `resolveTrustedHttpOperatorScopes`. The PR notes acknowledge this as a known residual, but the exported function is a confusion risk: future contributors may not realise the safe version lives in `http-utils.ts` and could accidentally reach for this one instead. Consider removing it (or, if kept for a future-use reason, adding a `@deprecated` JSDoc pointing to the replacement).

How can I resolve this? If you propose a fix, please make it concise.

---

This is a comment left during a code review.
Path: src/gateway/http-utils.request-context.test.ts
Line: 77-83

Comment:
**`resolveHttpSenderIsOwner` bearer case not tested**

The current suite tests two non-bearer scenarios (with `operator.admin` → `true`, with `operator.write` → `false`), but there is no assertion that a bearer-authenticated request with `operator.admin` in the scope header still returns `false`. Given that the suppression of self-asserted scopes for bearer requests is the core security invariant being added here, a dedicated test case would pin the contract explicitly:

```typescript
it("returns false for bearer requests even with operator.admin in headers", () => {
  expect(
    resolveHttpSenderIsOwner(
      createReq({
        authorization: "Bearer secret",
        "x-openclaw-scopes": "operator.admin",
      }),
    ),
  ).toBe(false);
});
```

`resolveTrustedHttpOperatorScopes` does cover this for the scope-stripping behaviour, but `resolveHttpSenderIsOwner` is the direct API that downstream callers use.

How can I resolve this? If you propose a fix, please make it concise.

_{Reviews (1): Last reviewed commit: "gateway: ignore bearer-declared HTTP ope..." | Re-trigger Greptile}

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 1363658b53

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[jacobtomlinson]

Follow-up on review feedback: I addressed the direct bearer-owner/bearer-guard suggestions in code and tests, and pushed commit 20f5bd6671 to key the new HTTP bearer restrictions to the gateway auth mode rather than raw header presence. I intentionally left the older resolveGatewayRequestedOperatorScopes export in http-auth-helpers.ts untouched for this PR because that file is on the repo's security-owned auth surface; all active HTTP callers in this patch route through the new trusted-scope helper instead.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 20f5bd6671

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 12c41ea24e

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: cec05db8c3

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[aisle-research-bot]

🔒 Aisle Security Analysis

We found 1 potential security issue(s) in this PR:

#	Severity	Title
1	🟠 High	Privilege escalation via client-controlled x-openclaw-scopes header when using trusted-proxy auth

1. 🟠 Privilege escalation via client-controlled x-openclaw-scopes header when using trusted-proxy auth

Property	Value
Severity	High
CWE	CWE-269
Location	src/gateway/http-utils.ts:73-121

Description

resolveTrustedHttpOperatorScopes() trusts the raw x-openclaw-scopes header whenever the request is not authenticated via shared-secret bearer auth (token/password). In authorizeGatewayHttpRequestOrReply(), any request authenticated via the trusted-proxy method is explicitly marked trustDeclaredOperatorScopes: true.

This enables privilege escalation if the reverse proxy does not reliably strip/overwrite x-openclaw-scopes from downstream clients (a common default):

• Input: x-openclaw-scopes header is fully client-controllable when forwarded by a proxy.
• Trust decision: trustDeclaredOperatorScopes is set to true for trusted-proxy auth.
• Sink/impact: the resulting scopes are used for authorization checks (e.g., authorizeOperatorScopesForMethod(...)), and resolveHttpSenderIsOwner() treats operator.admin as owner/admin.

Vulnerable code:

return {
  authMethod: authResult.method,
  trustDeclaredOperatorScopes: !usesSharedSecretGatewayMethod(authResult.method),
};

const raw = getHeader(req, "x-openclaw-scopes")?.trim();
...
return raw.split(",").map(...);

If an attacker can reach the gateway through a configured trusted proxy, they may be able to add x-openclaw-scopes: operator.admin (or operator.write) and gain elevated access on HTTP endpoints guarded by these scopes.

Recommendation

Do not accept operator scopes directly from an untrusted, forwardable client header.

Recommended fixes (choose one):

1. Derive scopes server-side from the authenticated identity (authResult.user) and a configured allowlist/role mapping.

2. If scopes must come from a proxy, use a proxy-only header and enforce overwrite/strip semantics:

   • Rename to something like x-openclaw-internal-scopes
   • In authorizeTrustedProxy, reject requests where this header is present from downstream unless an additional proxy attestation is present (e.g., mTLS, signed JWT claim, or a dedicated shared secret between proxy and gateway)
   • Or set trustDeclaredOperatorScopes to false even for trusted-proxy, and instead pass trusted scopes as part of the auth result.

Example (derive from auth result rather than request headers):

​// In authorizeGatewayHttpRequestOrReply
return {
  authMethod: authResult.method,
  trustDeclaredOperatorScopes: false,
  operatorScopes: authResult.ok ? resolveScopesForUser(authResult.user) : [],
};

​// And remove use of x-openclaw-scopes for authorization decisions.

At minimum, ensure the edge proxy explicitly strips x-openclaw-scopes from incoming requests and only injects it for authenticated users, but prefer an application-level fix to avoid relying on proxy configuration.

---

Analyzed PR: #57783 at commit a2074b1

_{Last updated on: 2026-03-30T16:44:48Z}

Latest run failed. Keeping previous successful results. Trace ID: 019d3f896455ba33661af839e1216af4.

_{Last updated on: 2026-03-30T18:20:21Z}

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 5f595821a1

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".