fix(cli): recover replaced device approvals

[hxy91819]

Summary

• Recover openclaw devices approve <requestId> when a local same-device repair request supersedes the request being approved.
• Require the replacement to match the original device identity, role/client metadata, and a compatible scope superset before approving it via local fallback.
• Add focused infra and CLI tests for devices-first requestId churn, cron-first progressive authority, replacement approval, fail-closed cases, and JSON/interactive output.

Verification

• pnpm test src/cli/devices-cli.test.ts src/infra/device-pairing-churn.test.ts
• git diff --check origin/main..HEAD

Real behavior proof

Behavior addressed: openclaw devices approve <requestId> no longer fails with an unclear unknown requestId when the same local CLI repair request has been superseded by a compatible replacement during the approval reconnect.

Real environment tested: Local source checkout on Linux after rebasing onto current origin/main; focused Vitest shards for CLI and infra pairing behavior.

Exact steps or command run after this patch: pnpm test src/cli/devices-cli.test.ts src/infra/device-pairing-churn.test.ts

Evidence after fix: Test output reported src/infra/device-pairing-churn.test.ts (2 tests) passed and src/cli/devices-cli.test.ts (43 tests) passed; git diff --check origin/main..HEAD produced no output.

Observed result after fix: same-device compatible replacement approvals use the replacement request ID, emit resolved metadata in JSON mode, print an interactive replacement notice, and fail closed for missing snapshots, incompatible scopes, cross-device replacements, public-key changes, role changes, metadata conflicts, remote --url, or missing pending requests.

What was not tested: Full packaged Docker/Crabbox smoke for the final branch; previous black-box validation was used to define the focused source-level regression coverage.

Refs: #74484

[clawsweeper]

Codex review: passed.

Latest ClawSweeper review: 2026-05-22 13:42 UTC / May 22, 2026, 9:42 AM ET.

Workflow note: Future ClawSweeper reviews update this same comment in place.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

Summary
The PR teaches openclaw devices approve <requestId> to approve a compatible same-device replacement request during local fallback and adds focused CLI, infra, and changelog coverage.

Reproducibility: yes. Source inspection shows current main rejects the gateway's replacement requestId as a fallback mismatch, and the PR adds focused infra and CLI tests for the churn path; I did not run tests because this review is read-only.

PR rating
Overall: 🐚 platinum hermit
Proof: 🌊 off-meta tidepool
Patch quality: 🐚 platinum hermit
Summary: Good normal PR quality: the implementation is focused with broad regression coverage, while auth-boundary owner review remains the main merge consideration.

Rank-up moves:

• Have an auth/CLI owner approve the replacement-request contract.
• Use final exact-head CI or automerge results as the merge gate.

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

Real behavior proof
Not applicable: The external-contributor proof gate does not apply to this MEMBER PR; the body provides focused source-test/check proof rather than live packaged CLI proof.

Risk before merge

• The PR allows local fallback to approve a replacement request ID the operator did not type; the identity, public-key, role, metadata, and scope checks are strong, but this is still an authorization-boundary contract.
• The linked recovery issue remains broader than this PR and still covers reject, downgrade, and bootstrap recovery behavior.
• Verification in the PR body is focused source tests and git diff --check, not a packaged CLI/Gateway smoke on the exact branch.

Maintainer options:

1. Approve the bounded replacement contract (recommended)
   An auth/CLI owner can explicitly accept the same-device, same-public-key, exact-role, compatible-metadata, and scope-bounded replacement approval behavior before merge.
2. Require packaged CLI proof first
   Maintainers can ask for a packaged or live CLI/Gateway run showing the replacement approval path before continuing automerge.
3. Pause for the broader recovery design
   If approval, reject, downgrade, and bootstrap recovery must ship together, pause this PR and keep the linked issue as the canonical design thread.

Next step before merge
The remaining action is maintainer approval of an auth-boundary approval contract, not a narrow repair for a new fix PR.

Security
Cleared: No supply-chain issue was found; the auth-sensitive fallback change is bounded by explicit compatibility checks and tests but remains a merge-risk item for owner review.

Review details

Best possible solution:

Land this narrow approval-churn fix only after an auth/CLI owner accepts the replacement-request contract, while keeping #74484 open for the remaining recovery paths.

Do we have a high-confidence way to reproduce the issue?

Yes. Source inspection shows current main rejects the gateway's replacement requestId as a fallback mismatch, and the PR adds focused infra and CLI tests for the churn path; I did not run tests because this review is read-only.

Is this the best way to solve the issue?

Yes for the narrow approval-churn slice, pending owner acceptance. The fix is placed at the CLI fallback boundary and fails closed unless the replacement matches the original device identity, role, client metadata, and bounded scope contract.

Label justifications:

• P2: This is a normal-priority CLI/device-pairing recovery fix with meaningful but bounded control-plane impact.
• merge-risk: 🚨 auth-provider: The diff changes which pairing request and scopes the CLI can approve during device auth recovery.
• merge-risk: 🚨 security-boundary: The local fallback can approve a different request ID than the operator typed, so the authorization contract needs owner acceptance.
• rating: 🐚 platinum hermit: Current PR rating is 🐚 platinum hermit because proof is 🌊 off-meta tidepool, patch quality is 🐚 platinum hermit, and Good normal PR quality: the implementation is focused with broad regression coverage, while auth-boundary owner review remains the main merge consideration.
• status: 🚀 automerge armed: This PR is in ClawSweeper's automerge lane. Not applicable: The external-contributor proof gate does not apply to this MEMBER PR; the body provides focused source-test/check proof rather than live packaged CLI proof.

What I checked:

• Live PR state: The live PR is open, non-draft, mergeable, authored by a MEMBER, and carries maintainer, clawsweeper:human-review, clawsweeper:automerge, merge-risk: 🚨 auth-provider, and merge-risk: 🚨 security-boundary labels. (1d2f2e9b2ffb)
• Current-main failure path: On current main, the CLI local fallback rejects a gateway-reported requestId that differs from the operator-supplied requestId, which is the requestId churn failure this PR targets. (src/cli/devices-cli.runtime.ts:249, 2890b1a24ab1)
• Approval authority contract: Current docs say device.pair.approve is reachable with operator.pairing, but approving operator device scopes is bounded by the scopes the caller holds or operator.admin; repair requests can inherit existing operator token scopes. Public docs: docs/gateway/operator-scopes.md. (docs/gateway/operator-scopes.md:53, 2890b1a24ab1)
• PR implementation: The PR checks same-device replacement identity, public key, exact role set, compatible client metadata, and scope coverage before approving the replacement request ID through the local admin fallback. (src/cli/devices-cli.runtime.ts:256, 1d2f2e9b2ffb)
• Regression coverage: The PR adds CLI tests for replacement approval, JSON resolved metadata, inherited scopes, and fail-closed cases for missing snapshots, incompatible scopes, different devices, public-key changes, role changes, and client metadata conflicts. (src/cli/devices-cli.test.ts:618, 1d2f2e9b2ffb)
• Infra churn model: The new infra test models a stale repair request being superseded by a reconnect request and verifies stale approval returns null while the replacement remains pending. (src/infra/device-pairing-churn.test.ts:58, 1d2f2e9b2ffb)

Likely related people:

• steipete: Current-main blame for the CLI fallback and device-pairing implementation points to c56067e, and GitHub path history shows repeated pairing/auth hardening commits such as c9053ff and 8bbb143. (role: recent area contributor; confidence: high; commits: c56067e34f, c9053ff20853, 8bbb143ab87e; files: src/cli/devices-cli.runtime.ts, src/infra/device-pairing.ts, src/gateway/server-methods/devices.ts)
• vincentkoc: Recent path history includes the lazy-load move for the devices runtime and a CLI device fallback-state guard on the affected CLI test/runtime surface. (role: recent CLI/gateway contributor; confidence: medium; commits: fe25ed214ef5, 01377ddbe284, e06782d5e747; files: src/cli/devices-cli.runtime.ts, src/cli/devices-cli.test.ts)
• eleqtrizit: Recent device pairing history includes bootstrap handoff scope bounds and paired-device pairing-action restrictions on the same authorization boundary. (role: auth-boundary contributor; confidence: medium; commits: b8372a714ccc, 5a12f30441d5, 7cda9df4cb27; files: src/infra/device-pairing.ts, src/gateway/server-methods/devices.ts)
• pgondhi987: Recent history includes setup-code approval and node device token management changes in the device pairing/authz surface. (role: device approval contributor; confidence: medium; commits: b17e77a22bf4, 189c91eae6e1, 1c85eff9b1e6; files: src/infra/device-pairing.ts, src/gateway/server-methods/devices.ts)
• obviyus: Path history shows prior work preserving local pairing fallback for upgrades, which is adjacent to this PR's fallback behavior. (role: local fallback contributor; confidence: medium; commits: 84f535c315da, 67d2026e22e9; files: src/cli/devices-cli.test.ts, src/cli/devices-cli.runtime.ts)

Codex review notes: model gpt-5.5, reasoning high; reviewed against 2890b1a24ab1.

[clawsweeper]

ClawSweeper PR egg

✨ Hatched: 💎 rare Frosted Crabkin

Hatch command

Comment @clawsweeper hatch when this PR is hatchable.

Hatchability rules:

• Merged PRs are hatchable.
• Open PRs are hatchable when they are status: 👀 ready for maintainer look, status: 🚀 automerge armed, or labeled clawsweeper:automerge.
• Closed unmerged PRs are hatchable only when one of those hatchable labels is still present in the durable record.

Rarity: 💎 rare.
Trait: watches the merge queue.
Image traits: location proof lagoon; accessory review stamp; palette amber, ink, and glacier blue; mood bright-eyed; pose standing beside its cracked shell; shell frosted glass shell; lighting soft studio lighting; background delicate sparkle particles.
Share on X: post this hatch
Copy: My PR egg hatched a 💎 rare Frosted Crabkin in ClawSweeper.

What is this egg doing here?

• Eggs appear after the PR passes real-behavior proof. It is here for vibes, not verdicts: it does not change labels, ratings, merge decisions, or automation.
• The shell reacts to review momentum: open follow-up work warms it up, re-review makes it wobble, and a clean final review lets it hatch.
• Hatchability usually comes from sufficient real-behavior proof, no blocking P0/P1/P2 findings, no security attention needed, and clean correctness. A merged PR is already final, so merge makes the egg hatchable independently.
• The hatch is seeded from this repository and PR number, so the same PR keeps the same creature; the reviewed head SHA can only change safe visual details.
• Rarity is just collectible sparkle: 🥚 common, 🌱 uncommon, 💎 rare, ✨ glimmer, and 🌈 legendary.

[hxy91819]

/clawsweeper automerge

[clawsweeper]

🦞✅
ClawSweeper merged this PR after the passing review.

Source: clawsweeper[bot]
Feedback: structured ClawSweeper verdict: pass (sha=1d2f2e9b2ffb8b2a866785d120ca6c61b2a8ac06)
Merge status: merged by ClawSweeper automerge
Merged at: 2026-05-22T13:44:16Z
Merge commit: 6ea907cec1b3

What merged:

• The PR teaches openclaw devices approve <requestId> to approve a compatible same-device replacement request during local fallback and adds focused CLI, infra, and changelog coverage.
• Reproducibility: yes. Source inspection shows current main rejects the gateway's replacement requestId as a ... adds focused infra and CLI tests for the churn path; I did not run tests because this review is read-only.

Automerge notes:

• PR branch already contained follow-up commit before automerge: docs: note device approval recovery

The automerge loop is complete.

Automerge progress:

• 2026-05-22 13:13:10 UTC review queued 55ea1462c645 (queued)

• 2026-05-22 13:20:10 UTC review passed 55ea1462c645 (structured ClawSweeper verdict: pass (sha=55ea1462c6455ffd7e5178742a201f8abd033...)

• 2026-05-22 13:04:56 UTC repair queued 55ea1462c645 (autonomous) Run: https://github.com/openclaw/clawsweeper/actions/runs/26289474922

• 2026-05-22 13:07:29 UTC repair started (running) in 1s Run: https://github.com/openclaw/clawsweeper/actions/runs/26289474922 automerge-openclaw-openclaw-85342

• 2026-05-22 13:07:44 UTC validation plan (passed) in 16s Run: https://github.com/openclaw/clawsweeper/actions/runs/26289474922 pnpm check:changed; pnpm lint; pnpm check:test-types

• 2026-05-22 13:07:53 UTC Codex write preflight (passed) in 26s Run: https://github.com/openclaw/clawsweeper/actions/runs/26289474922 danger-full-access

• 2026-05-22 13:24:55 UTC Codex edit 1 1d2f2e9b2ffb (complete) in 17m 27s Run: https://github.com/openclaw/clawsweeper/actions/runs/26289474922 exit 0

• 2026-05-22 13:28:23 UTC validation and review 1 1d2f2e9b2ffb (complete) in 20m 55s Run: https://github.com/openclaw/clawsweeper/actions/runs/26289474922 already-current

• 2026-05-22 13:28:28 UTC repair completed 1d2f2e9b2ffb (branch updated) in 21m Run: https://github.com/openclaw/clawsweeper/actions/runs/26289474922 initial automerge rebase is delegated to Codex repair

• 2026-05-22 13:28:28 UTC review queued 1d2f2e9b2ffb (after repair)

• 2026-05-22 13:38:31 UTC automerge wait 1d2f2e9b2ffb (waiting) in 31m 3s Run: https://github.com/openclaw/clawsweeper/actions/runs/26289474922 waiting for exact-head ClawSweeper review pass

• 2026-05-22 13:36:48 UTC review queued 1d2f2e9b2ffb (queued)

• 2026-05-22 13:38:33 UTC repair finished 1d2f2e9b2ffb (pushed) in 31m 5s Run: https://github.com/openclaw/clawsweeper/actions/runs/26289474922 repair_contributor_branch

• 2026-05-22 13:43:42 UTC review passed 1d2f2e9b2ffb (structured ClawSweeper verdict: pass (sha=1d2f2e9b2ffb8b2a866785d120ca6c61b2a8a...)

• 2026-05-22 13:44:19 UTC merged 1d2f2e9b2ffb (merged by ClawSweeper automerge)

[clawsweeper]

🦞✅
ClawSweeper is pausing this repair loop for human review.

Source: clawsweeper[bot]
Reason: The remaining action is maintainer/automerge handling for an auth-boundary approval contract, not a narrow repair for a new fix PR.; Cleared: No supply-chain issue was found; the auth-sensitive fallback change is bounded by compatibility checks and tests but remains a merge-risk item for owner review. (sha=1d2f2e9b2ffb8b2a866785d120ca6c61b2a8ac06)

Why human review is needed:
ClawSweeper found a blocker that should be resolved or accepted by a maintainer before the repair or automerge loop continues.

What the maintainer can do as a next step:
If the maintainer accepts the current risk and wants ClawSweeper to continue merge gates, comment @clawsweeper approve. If more work is needed, resolve the blocker first, then comment @clawsweeper automerge to re-review and continue. If automation should stay paused, leave clawsweeper:human-review in place or comment @clawsweeper stop.

I added clawsweeper:human-review and left the final call with a maintainer.