Limit paired-device pairing actions to the caller device

[eleqtrizit]

Summary

• limit paired-device pairing visibility and approvals to the caller device for non-admin device sessions
• preserve the existing global pairing behavior for admin and non-device operator sessions

Changes

• scope device.pair.list results to the connected device when the caller is a non-admin paired-device session
• reject cross-device device.pair.approve requests from non-admin paired-device sessions before approval is applied
• add regression coverage for self-only list visibility, cross-device approval denial, and the existing scope-ceiling approval guard

Validation

• Ran corepack pnpm test src/gateway/server-methods/devices.test.ts src/gateway/server.device-pair-approve-authz.test.ts
• Ran corepack pnpm check:changed
• Attempted claude -p "/review", but it timed out twice without returning output in this environment

Notes

• Residual risk or follow-up: this change intentionally preserves current global pairing visibility for admin and non-device operator sessions to avoid broad compatibility changes

[greptile-apps]

Greptile Summary

This PR closes two lateral-movement gaps in the paired-device authorization model: non-admin device sessions can no longer see or act on other devices' pairing requests. device.pair.list is scoped to the caller's own device, and device.pair.approve/device.pair.reject reject cross-device requests before hitting infra. Existing admin and shared-auth (non-device-token) sessions are unaffected.

Confidence Score: 5/5

Safe to merge — the new guards are correctly scoped, the scope-ceiling check in approveDevicePairing still applies after the ownership check, and the TOCTOU window is benign (handled by the existing !approved path).

All findings are P2 or observational. The authorization logic is sound, device IDs are cryptographically verified at handshake time, and the test coverage spans unit tests for all new branches plus integration tests for the key attack scenarios.

No files require special attention.

_{Reviews (3): Last reviewed commit: "fix(pairing): close device authz review ..." | Re-trigger Greptile}

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 55391acdf7

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[chatgpt-codex-connector]

Codex Review: Didn't find any major issues. Already looking forward to the next diff.

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[eleqtrizit]

@codex review

[eleqtrizit]

@greptile review

[chatgpt-codex-connector]

Codex Review: Didn't find any major issues. 👍

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".