fix(pairing): preserve narrowed token scopes on upgrade

[steipete]

Summary

• Problem: approving a pairing scope upgrade could mint the role token with the whole approved baseline.
• Why it matters: deliberately down-scoped existing tokens could silently regain old approved scopes during an unrelated upgrade.
• What changed: token scope resolution now merges the existing token scopes with only the newly requested delta.
• What did NOT change: approved device baseline scopes are still updated with the full approved set.

Verification

• git diff --check origin/main..HEAD
• pnpm test src/infra/device-pairing.test.ts — 48 passed
• node -e 'console.log(process.platform, process.version)' — darwin v25.9.0

Real behavior proof

• Behavior or issue addressed: pairing scope upgrades preserve deliberately narrowed role-token scopes.
• Real environment tested: local macOS checkout running pairing token logic against the real repository code.
• Exact steps or command run after this patch: pnpm test src/infra/device-pairing.test.ts
• Evidence after fix: terminal output: Test Files 1 passed (1); Tests 48 passed (48)
• Observed result after fix: a down-scoped operator token gains only the newly requested delta and does not regain omitted approved scopes.
• What was not tested: a physical mobile/device pairing flow.

Security Impact

• New permissions/capabilities? No
• Secrets/tokens handling changed? Yes — minted role-token scopes are narrowed to existing token scopes plus newly requested deltas.
• New/changed network calls? No
• Command/tool execution surface changed? No
• Data access scope changed? Yes — prevents unintended token scope widening.

Risks and Mitigations

• Risk: users expecting approved baseline to rehydrate token scopes need an explicit rotation path.
  • Mitigation: preserving a deliberately narrowed token is safer for an upgrade approval; approved baseline remains recorded separately.

Linked Issue

Closes #79246

[clawsweeper]

Codex review: needs real behavior proof before merge.

Summary
The branch changes device-pairing approval to mint role tokens from existing token scopes plus newly requested scope deltas, adds two regression tests, and adds a changelog fix entry.

Reproducibility: yes. from source inspection, though not from a live run in this review. Current main returns only pending scopes for non-empty approvals, matching the related report's observed token-scope replacement path.

Real behavior proof
Needs real behavior proof before merge: The PR body provides regression tests and a generic Node runtime command, but no terminal output, logs, screenshot, recording, or artifact showing the after-fix gateway/device pairing behavior. After adding proof, update the PR body; ClawSweeper should re-review automatically. If it does not, ask a maintainer to comment @clawsweeper re-review.

Next step before merge
Human maintainer review is needed because the PR has a protected maintainer label, mock-only real behavior proof, and failing auth/proof checks; no narrow automated repair finding was identified.

Security
Cleared: The diff narrows minted role-token scope resolution and adds tests/changelog only; it does not add dependencies, scripts, CI permissions, network calls, or broader secret access.

Review details

Best possible solution:

Land the narrow generic device-pairing fix after real gateway or device-pairing proof and green auth-node checks confirm that narrowed tokens stay narrowed while newly approved scope deltas are appended.

Do we have a high-confidence way to reproduce the issue?

Yes from source inspection, though not from a live run in this review. Current main returns only pending scopes for non-empty approvals, matching the related report's observed token-scope replacement path.

Is this the best way to solve the issue?

Yes, the PR direction is the narrowest maintainable fix because it changes generic paired-device token scope resolution instead of adding an MCP-specific bypass. Merge should wait for real behavior proof and failed-check review.

Acceptance criteria:

• git diff --check origin/main..HEAD
• pnpm test src/infra/device-pairing.test.ts
• Inspect failing check runs for head 39273ee, especially checks-node-agentic-control-plane-auth-node and Real behavior proof.

What I checked:

• Current main source path: resolveApprovedTokenScopes currently returns only the role-scoped pending request scopes whenever a pending request has non-empty scopes, which can replace existing token scopes during an upgrade. (src/infra/device-pairing.ts:440, df069f7b0222)
• PR diff scope: The PR changes that helper to compute a pending scope delta against the existing approved baseline and merge it with the existing token scopes. (src/infra/device-pairing.ts:437, 39273eee5892)
• Regression coverage added: The PR adds tests for normal scope upgrades preserving prior scopes and for down-scoped tokens not regaining omitted approved scopes. (src/infra/device-pairing.test.ts:334, 39273eee5892)
• Existing token down-scope contract: Current tests already cover deliberate token down-scoping while preserving the approved baseline, so the PR is consistent with established behavior. (src/infra/device-pairing.test.ts:642, df069f7b0222)
• Docs contract: The devices docs say already-paired devices asking for broader scopes create a pending upgrade request and token rotation stays within the approved pairing contract. Public docs: docs/cli/devices.md. (docs/cli/devices.md:62, df069f7b0222)
• Related report context: The open related report at [Bug]: CLI device pairing: scope upgrades trigger infinite request loop; token rotation drops prior scopes #78727 describes the same token-scope replacement symptom with runtime logs and paired-state snippets.

Likely related people:

• @steipete: Recent GitHub file history shows repeated device-pairing and token-scope hardening work in the affected files, including deliberate token scope containment and pairing state repair work; this author also has prior merged history in the path, not only this PR. (role: recent maintainer and adjacent owner; confidence: high; commits: 8bbb143ab87e, 205d8d4994, b660493e54; files: src/infra/device-pairing.ts, src/infra/device-pairing.test.ts)
• @obviyus: Commit 403e0e6 introduced resolveApprovedTokenScopes and the requested-scope-first token minting path now being adjusted. (role: introduced affected helper behavior; confidence: high; commits: 403e0e65210f; files: src/infra/device-pairing.ts, src/infra/device-pairing.test.ts)
• @pgondhi987: Prior work moved approval authorization to validate caller scopes against resolved token scopes in the same helper path. (role: adjacent prior contributor; confidence: medium; commits: 189c91eae6e1; files: src/infra/device-pairing.ts, src/infra/device-pairing.test.ts)
• @eleqtrizit: Recent bootstrap handoff scope bounding touched the same device-pairing security surface and tests. (role: adjacent security maintainer; confidence: medium; commits: b8372a714ccc; files: src/infra/device-pairing.ts, src/infra/device-pairing.test.ts, src/infra/device-bootstrap.ts)

Remaining risk / open question:

• The PR head currently has failing Real behavior proof, checks-node-agentic-control-plane-auth-node, and aggregate checks-node-core check runs; the auth-node failure needs maintainer inspection before merge.
• The PR body says a physical mobile/device pairing flow was not tested, and the posted proof does not show an after-fix gateway/device pairing or MCP scope-upgrade flow.

Codex review notes: model gpt-5.5, reasoning high; reviewed against df069f7b0222.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: ac45a8e524

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Ignore revoked token scopes when computing upgrade scopes

When approving a scope-bearing repair/upgrade, this branch treats any existing token as a merge base, including entries with revokedAtMs set. In that case, approving a narrow new request can silently reintroduce previously revoked scopes because mergeScopes(params.existingToken?.scopes, requestedScopeDelta) reuses the revoked scope list. This only occurs when the device has a revoked token record and then submits another pairing request, but in that flow it can undo revocation intent and mint a broader token than requested.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: bf4e1aa44a

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Exclude revoked scopes when merging upgrade token scopes

When an upgrade request is approved for a device whose existing role token is marked revoked (revokedAtMs set), this merge still uses existingToken.scopes as input, so previously revoked scopes are reintroduced into the newly minted token. In the upgrade flow this can silently undo a prior revocation/down-scope decision and grant a broader token than the current request intended; revoked tokens should be treated as having no reusable scope base here.

Useful? React with 👍 / 👎.