fix(devices): refresh paired device last-seen metadata#81189

Closed
vyctorbrzezowski wants to merge 1 commit into
openclaw:mainfrom
vyctorbrzezowski:contrib/81169-paired-device-last-seen

@vyctorbrzezowski vyctorbrzezowski commented May 12, 2026

Summary

Real behavior proof

Behavior addressed: Accepted paired-device auth now refreshes device-level last-seen metadata so stale paired clients can be audited.

Real environment tested: Local OpenClaw source checkout at PR head on macOS, using isolated temporary pairing state from the focused Vitest/gateway harness.

Exact steps or command run after this patch: Ran the focused paired-device auth and gateway reconnect tests after applying the patch.

Evidence after fix: Terminal output from the focused tests:

$ node scripts/run-vitest.mjs src/infra/device-pairing.test.ts --reporter=verbose
✓ device token verification refreshes paired device last-seen metadata
Test Files  1 passed (1)
Tests  54 passed (54)

$ node scripts/run-vitest.mjs src/gateway/server.auth.control-ui.test.ts --reporter=verbose
✓ device token auth matrix
Test Files  1 passed (1)
Tests  29 passed (29)

Observed result after fix: The pairing test confirmed accepted device-token verification writes numeric lastSeenAtMs and lastSeenReason: "device-token-auth"; the gateway auth matrix confirmed a successful reconnect writes lastSeenReason: "connect" with numeric lastSeenAtMs.

What was not tested: No physical mobile client or installed user pairing state was used; the proof uses OpenClaw's isolated pairing and gateway harnesses.

Verification

  • pnpm exec oxfmt --check --threads=1 src/infra/device-pairing.ts src/gateway/server/ws-connection/message-handler.ts src/infra/device-pairing.test.ts src/gateway/server.auth.control-ui.suite.ts
  • git diff --check
  • node scripts/run-vitest.mjs src/infra/device-pairing.test.ts --reporter=verbose
  • node scripts/run-vitest.mjs src/gateway/server.auth.control-ui.test.ts --reporter=verbose
  • pnpm check:changed
  • .agents/skills/autoreview/scripts/autoreview --mode local (clean: no accepted/actionable findings)
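
An added example, not code from this PR or from OpenClaw: a stale-device audit of the kind the refreshed metadata is meant to support, including records written before the fix where `lastSeenAtMs` is missing or null. Only `lastSeenAtMs`, `lastSeenReason` and the token-level `lastUsedAtMs` come from this page; `deviceId`, the `tokens` array, the function name and all sample values are assumptions constructed for illustration.

```typescript
// Assumed record shape. Field names other than lastSeenAtMs, lastSeenReason
// and lastUsedAtMs are hypothetical.
interface PairedDeviceRecord {
  deviceId: string;
  lastSeenAtMs?: number | null;
  lastSeenReason?: string | null;
  tokens?: { lastUsedAtMs?: number | null }[];
}

type Verdict = "active" | "stale" | "unknown";

interface AuditRow {
  deviceId: string;
  verdict: Verdict;
  evidenceAtMs: number | null;
  evidenceSource: string;
}

const isTimestamp = (v: unknown): v is number =>
  typeof v === "number" && Number.isFinite(v) && v > 0;

// Classify each paired device by its most trustworthy activity evidence.
function auditPairedDevices(
  devices: PairedDeviceRecord[],
  nowMs: number,
  maxIdleMs: number,
): AuditRow[] {
  return devices.map((d) => {
    let evidenceAtMs: number | null = null;
    let evidenceSource = "none";
    if (isTimestamp(d.lastSeenAtMs)) {
      // Device-level metadata, written after a successful auth or reconnect.
      evidenceAtMs = d.lastSeenAtMs;
      evidenceSource = d.lastSeenReason ?? "unspecified";
    } else {
      // Records from before the fix: fall back to the newest token use.
      const used = (d.tokens ?? []).map((t) => t.lastUsedAtMs).filter(isTimestamp);
      if (used.length > 0) {
        evidenceAtMs = Math.max(...used);
        evidenceSource = "token-last-used";
      }
    }
    let verdict: Verdict;
    if (evidenceAtMs === null || evidenceAtMs > nowMs) {
      // No evidence, or a timestamp in the future (clock skew or an edited
      // record): never report this as active, send it to manual review.
      verdict = "unknown";
    } else {
      verdict = nowMs - evidenceAtMs > maxIdleMs ? "stale" : "active";
    }
    return { deviceId: d.deviceId, verdict, evidenceAtMs, evidenceSource };
  });
}

// Constructed sample data (not real pairing state).
const NOW_MS = 1_780_000_000_000;
const DAY_MS = 24 * 60 * 60 * 1000;
const SAMPLE_DEVICES: PairedDeviceRecord[] = [
  { deviceId: "phone-a", lastSeenAtMs: NOW_MS - DAY_MS, lastSeenReason: "connect" },
  { deviceId: "tablet-b", lastSeenAtMs: NOW_MS - 90 * DAY_MS, lastSeenReason: "device-token-auth" },
  { deviceId: "legacy-c", lastSeenAtMs: null, tokens: [{ lastUsedAtMs: NOW_MS - 2 * DAY_MS }] },
  { deviceId: "legacy-d" },
  { deviceId: "skewed-e", lastSeenAtMs: NOW_MS + 60 * 60 * 1000, lastSeenReason: "connect" },
];

for (const row of auditPairedDevices(SAMPLE_DEVICES, NOW_MS, 30 * DAY_MS)) {
  console.log(`${row.deviceId}\t${row.verdict}\t${row.evidenceSource}`);
}
```

Devices that come back `unknown` are the ones the linked issue could not classify at all; treating them as review candidates rather than as fresh keeps null metadata from hiding an abandoned pairing.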

@openclaw-barnacle openclaw-barnacle Bot added gateway Gateway runtime size: XS triage: needs-real-behavior-proof Candidate: external PR needs after-fix proof from a real setup. labels May 12, 2026

clawsweeper Bot commented May 12, 2026

Codex review: needs real behavior proof before merge. Reviewed May 29, 2026, 12:55 AM ET / 04:55 UTC.

Summary
The PR updates accepted device-token verification and successful paired WebSocket reconnects to persist device-level lastSeenAtMs and lastSeenReason, with focused regression tests.

PR surface: Source +10, Tests +20. Total +30 across 4 files.

Reproducibility: yes. source-level: current main accepts device-token auth but only refreshes token lastUsedAtMs, and accepted paired reconnect metadata omits lastSeenAtMs/lastSeenReason even though those device-level fields and the update helper already exist.

Review metrics: none identified.

Merge readiness
Overall: 🦪 silver shellfish
Proof: 🦪 silver shellfish
Patch quality: 🦞 diamond lobster
Result: blocked until real behavior proof from a real setup is added.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

  • [P1] Add redacted real-environment proof from a local gateway/device-token reconnect or installed pairing state showing lastSeenAtMs and lastSeenReason updated after the patch.

Proof guidance:

  • [P1] Needs real behavior proof before merge: The PR body supplies focused test-harness output only; before merge it needs redacted terminal output, logs, copied live output, linked artifact, or a short recording from a real local gateway/device-token reconnect or installed pairing state, then a PR-body update for re-review. After adding proof, update the PR body; ClawSweeper should re-review automatically. If it does not, the PR author or someone with repository write access can comment @clawsweeper re-review.

Risk before merge

  • [P1] The PR body still provides only focused Vitest/gateway harness output; it does not yet show a real local gateway/device-token reconnect or installed pairing state updating paired-device metadata after the patch.

Maintainer options:

  1. Decide the mitigation before merge
    Keep this focused implementation path, then merge after redacted real gateway/device-token reconnect or installed pairing proof confirms paired metadata updates in an actual setup.
  2. Pause or close
    Do not merge this PR until maintainers decide whether the risk is worth taking.

Next step before merge

  • [P1] No automated repair is appropriate because there is no blocking code finding; the remaining action is contributor or maintainer real-environment proof plus normal maintainer review.

Security
Cleared: No concrete security or supply-chain regression was found; the diff adds timestamp/reason writes after existing successful auth checks and does not change token validation, scopes, credentials, dependencies, workflows, or permissions.

Review details

Best possible solution:

Keep this focused implementation path, then merge after redacted real gateway/device-token reconnect or installed pairing proof confirms paired metadata updates in an actual setup.

Do we have a high-confidence way to reproduce the issue?

Yes, source-level: current main accepts device-token auth but only refreshes token lastUsedAtMs, and accepted paired reconnect metadata omits lastSeenAtMs/lastSeenReason even though those device-level fields and the update helper already exist.

Is this the best way to solve the issue?

Yes for the central timestamp bug: the PR uses existing paired-device metadata persistence after successful auth/reconnect without changing pairing approval, token verification, scopes, config, or protocol. The later TTL cleanup/read-retry ideas from the linked discussion would be separate follow-up work if maintainers want them.

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 59cec74d89ff.

Label changes

Label justifications:

  • P2: This is a normal-priority gateway/device-pairing audit bugfix with limited blast radius and no emergency data-loss, security-bypass, or crash-loop signal.
  • rating: 🦪 silver shellfish: Overall readiness is 🦪 silver shellfish; proof is 🦪 silver shellfish and patch quality is 🦞 diamond lobster.
  • status: 📣 needs proof: The PR needs real behavior proof before ClawSweeper can clear the contributor ask. Needs real behavior proof before merge: The PR body supplies focused test-harness output only; before merge it needs redacted terminal output, logs, copied live output, linked artifact, or a short recording from a real local gateway/device-token reconnect or installed pairing state, then a PR-body update for re-review. After adding proof, update the PR body; ClawSweeper should re-review automatically. If it does not, the PR author or someone with repository write access can comment @clawsweeper re-review.

Evidence reviewed

PR surface:

Source +10, Tests +20. Total +30 across 4 files.

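PR surface stats:

| Area | Files | Added | Removed | Net |
|---|---|---|---|---|
| Source | 3 | 12 | 2 | +10 |
| Tests | 1 | 20 | 0 | +20 |
| Docs | 0 | 0 | 0 | 0 |
| Config | 0 | 0 | 0 | 0 |
| Generated | 0 | 0 | 0 | 0 |
| Other | 0 | 0 | 0 | 0 |
| Total | 4 | 32 | 2 | +30 |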

What I checked:

  • Root repository policy read: The full root AGENTS.md was read; its OpenClaw review guidance affected the proof gate, gateway/auth compatibility review, and read-only validation approach. (AGENTS.md:1, 59cec74d89ff)
  • Scoped gateway policy read: The touched gateway runtime/test path is under src/gateway/AGENTS.md, which guided review of gateway hot-path tests and runtime boundaries. (src/gateway/AGENTS.md:1, 59cec74d89ff)
  • Current main has the durable metadata fields: PairedDevice already includes optional lastSeenAtMs and lastSeenReason, and updatePairedDeviceMetadata already persists those fields, so the PR uses an existing state surface rather than adding config or schema policy. (src/infra/device-pairing.ts:83, 59cec74d89ff)
  • Current main misses the token-auth refresh: On current main, accepted verifyDeviceToken updates entry.lastUsedAtMs and persists the device without refreshing device-level lastSeenAtMs or lastSeenReason. (src/infra/device-pairing.ts:979, 59cec74d89ff)
  • Current main misses the reconnect refresh: The accepted paired reconnect path builds clientAccessMetadata from display name and remote IP only before persisting through updatePairedDeviceMetadata. (src/gateway/server/ws-connection/message-handler.ts:1116, 59cec74d89ff)
  • PR updates token-auth metadata after successful checks: At the PR head, verifyDeviceToken captures one timestamp, updates token lastUsedAtMs, then writes device-level lastSeenAtMs and lastSeenReason: "device-token-auth" only after token, issuer, and scope checks pass. (src/infra/device-pairing.ts:979, 447e069dec29)

Likely related people:

  • steipete: Peter Steinberger authored the commits that unified device auth and pairing and added device-token auth/devices CLI, and git shortlog shows the largest contribution count across the central device-pairing and gateway auth files. (role: feature owner and heavy area contributor; confidence: high; commits: 73e9e787b4df, d88b239d3c8a; files: src/infra/device-pairing.ts, src/gateway/server/ws-connection/message-handler.ts, src/gateway/server-methods/devices.ts)
  • ngutman: Nimrod Gutman authored the background alive beacon fix that added durable last-seen handling in node catalog/server-node-events and touched src/infra/device-pairing.ts. (role: adjacent durable presence contributor; confidence: medium; commits: b328c6611527, f3c304917acb; files: src/gateway/server-node-events.ts, src/gateway/node-catalog.ts, src/infra/device-pairing.ts)
  • Val Alexander: Recent merged gateway auth work touched the same WebSocket auth path and control-ui auth suite around device-token/shared-auth behavior. (role: recent gateway auth contributor; confidence: medium; commits: 0b6c39be1875, be7a415eb096; files: src/gateway/server/ws-connection/message-handler.ts, src/gateway/server.auth.control-ui.suite.ts)

What the crustacean ranks mean
  • 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
  • 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
  • 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
  • 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
  • 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
  • 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
  • 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works
  • ClawSweeper keeps one durable marker-backed review comment per issue or PR.
  • Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
  • A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
  • PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
  • Maintainers can also comment @clawsweeper review to request a fresh review only.
  • Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
  • Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
  • Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

@clawsweeper clawsweeper Bot added the proof: sufficient ClawSweeper judged the real behavior proof convincing. label May 12, 2026
@openclaw-barnacle openclaw-barnacle Bot removed the proof: sufficient ClawSweeper judged the real behavior proof convincing. label May 12, 2026
@vyctorbrzezowski vyctorbrzezowski marked this pull request as ready for review May 12, 2026 22:50
@vyctorbrzezowski vyctorbrzezowski requested a review from a team as a code owner May 12, 2026 22:50
@clawsweeper clawsweeper Bot added the proof: sufficient ClawSweeper judged the real behavior proof convincing. label May 12, 2026
@openclaw-barnacle openclaw-barnacle Bot removed the proof: sufficient ClawSweeper judged the real behavior proof convincing. label May 12, 2026
@clawsweeper clawsweeper Bot added the proof: sufficient ClawSweeper judged the real behavior proof convincing. label May 14, 2026
@openclaw-barnacle openclaw-barnacle Bot removed the proof: sufficient ClawSweeper judged the real behavior proof convincing. label May 14, 2026
@openclaw-barnacle

This pull request has been automatically marked as stale due to inactivity.
Please add updates or it will be closed.

@openclaw-barnacle openclaw-barnacle Bot added the stale Marked as stale due to inactivity label May 28, 2026
@clawsweeper clawsweeper Bot added proof: sufficient ClawSweeper judged the real behavior proof convincing. rating: 🐚 platinum hermit Good normal PR readiness with ordinary maintainer review expected. status: 👀 ready for maintainer look ClawSweeper has no concrete contributor-facing blocker left for this PR. P2 Normal backlog priority with limited blast radius. labels May 28, 2026

clawsweeper Bot commented May 28, 2026

ClawSweeper PR egg: ✨ hatched 🥚 common Pearl Clawlet. Rarity: 🥚 common. Trait: sleeps inside passing CI.

Details

Hatchability:

  • Merged PRs are hatchable.
  • Open PRs are hatchable when they are status: 👀 ready for maintainer look, status: 🚀 automerge armed, or labeled clawsweeper:automerge.
  • Closed unmerged PRs are hatchable only when one of those hatchable labels is still present in the durable record.

About:

  • Eggs appear after real-behavior proof passes. They are collectible flavor only.
  • Review momentum changes the shell state: follow-up work warms it, re-review makes it wobble, and a clean final review lets it hatch.
  • The hatch is seeded from this repository and PR number, so the same PR keeps the same creature; the reviewed head SHA can only change safe visual details.
  • Rarity is just collectible sparkle: 🥚 common, 🌱 uncommon, 💎 rare, ✨ glimmer, and 🌈 legendary.

@openclaw-barnacle openclaw-barnacle Bot removed the triage: needs-real-behavior-proof Candidate: external PR needs after-fix proof from a real setup. label May 28, 2026
@vyctorbrzezowski vyctorbrzezowski force-pushed the contrib/81169-paired-device-last-seen branch from 4322db2 to a1668d9 Compare May 28, 2026 23:31
@openclaw-barnacle openclaw-barnacle Bot added triage: needs-real-behavior-proof Candidate: external PR needs after-fix proof from a real setup. proof: supplied External PR includes structured after-fix real behavior proof. and removed proof: sufficient ClawSweeper judged the real behavior proof convincing. triage: needs-real-behavior-proof Candidate: external PR needs after-fix proof from a real setup. labels May 28, 2026
@clawsweeper clawsweeper Bot added rating: 🧂 unranked krab Not merge-ready due to missing proof or serious correctness/safety concerns. status: 📣 needs proof The PR needs real behavior proof before ClawSweeper can clear the contributor ask. and removed rating: 🐚 platinum hermit Good normal PR readiness with ordinary maintainer review expected. status: 👀 ready for maintainer look ClawSweeper has no concrete contributor-facing blocker left for this PR. labels May 28, 2026
@vyctorbrzezowski vyctorbrzezowski force-pushed the contrib/81169-paired-device-last-seen branch from a1668d9 to 447e069 Compare May 28, 2026 23:58
@clawsweeper clawsweeper Bot added rating: 🦪 silver shellfish Thin PR readiness signal; proof, validation, or implementation needs work. and removed rating: 🧂 unranked krab Not merge-ready due to missing proof or serious correctness/safety concerns. labels May 29, 2026
@openclaw-barnacle openclaw-barnacle Bot removed the stale Marked as stale due to inactivity label May 29, 2026
@steipete steipete self-assigned this May 31, 2026
steipete added a commit that referenced this pull request May 31, 2026
Refresh paired-device last-seen metadata on successful device-token auth, paired reconnect, and first silent auto-approved connect.

Centralize approved paired-device record construction so normal and bootstrap approvals preserve existing last-seen state unless the gateway passes explicit access metadata.

Fixes #81169.
Supersedes #81189.

Proof:
- node scripts/run-vitest.mjs src/infra/device-pairing.test.ts --reporter=verbose
- node scripts/run-vitest.mjs src/gateway/server.auth.control-ui.test.ts --reporter=verbose
- git diff --check
- pnpm exec oxfmt --check --threads=1 src/infra/device-pairing.ts src/infra/device-pairing.test.ts src/gateway/server/ws-connection/message-handler.ts src/gateway/server.auth.control-ui.suite.ts
- pnpm check:changed passed before final rebase; post-rebase rerun blocked before checks by local Crabbox 0.21.0 needing >=0.22.0
- autoreview clean: .agents/skills/autoreview/scripts/autoreview --mode branch --base origin/main

Known unrelated CI failure on latest origin/main/PR base: extensions/discord/src/monitor/gateway-plugin.ts TS2367 in check-prod-types/check-lint/check-test-types/extension-channel checks.

Co-authored-by: vyctorbrzezowski <krzyszchweski@gmail.com>
@steipete

Thanks @vyctorbrzezowski. I landed this fix through the maintainer follow-up PR #88607 so we could include the first silent auto-approved connect path and centralize approved paired-device record construction.

Landed commit: 703fae1

Your original device-token and reconnect fix was preserved and credited in the landed squash commit.

@steipete steipete closed this May 31, 2026
github-actions Bot pushed a commit to Desicool/openclaw that referenced this pull request Jun 1, 2026
SYU8384 pushed a commit to SYU8384/openclaw that referenced this pull request Jun 3, 2026
sablehead pushed a commit to sablehead/openclaw that referenced this pull request Jun 10, 2026
Labels

gateway Gateway runtime P2 Normal backlog priority with limited blast radius. proof: supplied External PR includes structured after-fix real behavior proof. rating: 🦪 silver shellfish Thin PR readiness signal; proof, validation, or implementation needs work. size: XS status: 📣 needs proof The PR needs real behavior proof before ClawSweeper can clear the contributor ask.

Development

Successfully merging this pull request may close these issues.

paired_devices.createdAt / lastSeenAt are null — cannot identify stale paired clients

2 participants