fix(gateway): gate talk secret bootstrap handoff

[ngutman]

Summary

• Add operator.talk.secrets to the bounded setup-code/bootstrap operator handoff scope list.
• Require callers that mint setup-code/QR handoff tokens to also hold Talk secret authority, while preserving owner-channel setup flows.
• Update bootstrap, device-pairing, setup-code, control-UI, protocol, QR docs, and changelog coverage for the handoff contract.

Verification

• node scripts/run-vitest.mjs extensions/device-pair/pair-command-auth.test.ts extensions/device-pair/index.test.ts src/shared/device-bootstrap-profile.test.ts src/infra/device-bootstrap.test.ts src/infra/device-pairing.test.ts src/pairing/setup-code.test.ts src/gateway/server.auth.control-ui.test.ts
• node scripts/run-tsgo.mjs -p tsconfig.core.json --incremental --tsBuildInfoFile .artifacts/tsgo-cache/core.tsbuildinfo
• CODEX_REVIEW_AUTO_TESTS=0 ~/.pi/agent/skills/codex-review/scripts/codex-review --mode branch

Real behavior proof

Behavior addressed: trusted setup-code/bootstrap handoff can carry operator.talk.secrets for native Talk config reads, but /pair setup/QR issuance from scoped gateway callers now requires Talk secret authority.

Real environment tested: local Codex worktree /Users/guti/.codex/worktrees/7eff/copy-1.

Exact steps or command run after this patch: node scripts/run-vitest.mjs extensions/device-pair/pair-command-auth.test.ts extensions/device-pair/index.test.ts src/shared/device-bootstrap-profile.test.ts src/infra/device-bootstrap.test.ts src/infra/device-pairing.test.ts src/pairing/setup-code.test.ts src/gateway/server.auth.control-ui.test.ts; node scripts/run-tsgo.mjs -p tsconfig.core.json --incremental --tsBuildInfoFile .artifacts/tsgo-cache/core.tsbuildinfo; CODEX_REVIEW_AUTO_TESTS=0 ~/.pi/agent/skills/codex-review/scripts/codex-review --mode branch.

Evidence after fix: focused Vitest passed 7 files / 196 tests; tsgo produced no diagnostics; Codex review reported codex-review clean: no accepted/actionable findings reported.

Observed result after fix: setup-code/QR issuance tests reject scoped gateway callers missing operator.talk.secrets, and current bootstrap handoff includes Talk secret scope without granting admin or pairing scopes.

What was not tested: full release/packaging lanes and live mobile app pairing were not run.

[clawsweeper]

Codex review: found issues before merge. Reviewed May 25, 2026, 2:59 AM ET / 06:59 UTC.

Summary
The PR adds operator.talk.secrets to setup-code/bootstrap operator handoff, gates setup-code/QR issuance on Talk secret authority, and updates gateway/device-pair tests plus selected protocol docs.

PR surface: Source +50, Tests +86, Docs +4. Total +140 across 14 files.

Reproducibility: yes. from source inspection: current main's bootstrap handoff excludes operator.talk.secrets, while talk.config with includeSecrets requires that scope. I did not run a live native pairing path in this read-only review.

Review metrics: 2 noteworthy metrics.

• Bootstrap auth surface: 1 scope added, 1 setup issuance gate added, 1 retry guard changed. The PR changes the central setup-code/bootstrap authorization contract, which needs owner review beyond green focused tests.
• PR surface: 14 files changed, +217/-77. The patch spans gateway runtime, bundled device-pair behavior, tests, docs, and changelog rather than a single isolated helper.

Merge readiness
Overall: 🦐 gold shrimp
Proof: 🌊 off-meta tidepool
Patch quality: 🦐 gold shrimp
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

• Resolve the dirty merge state against current main.
• Update the remaining pairing/setup docs that still describe the old or node-only setup-code behavior.
• Get explicit gateway/auth owner acceptance for the expanded Talk-secret bootstrap handoff.

Risk before merge

• The branch is currently mergeable_state: dirty, so it needs conflict resolution against current main before landing.
• Merging expands the trusted setup-code/bootstrap operator handoff so a bootstrap client can read Talk configuration secrets without a separate approved operator pairing flow.
• Scoped gateway callers that could previously mint QR/setup-code tokens with pairing authority now also need operator.talk.secrets or operator.admin, which can break existing internal setup flows until their scopes are updated.
• Related user-facing pairing docs still describe the old operator handoff scope set, which is risky for a security-boundary change.
• The PR body reports focused local tests and typecheck, but not full release/packaging lanes or live native mobile pairing.

Maintainer options:

1. Rebase, Align Docs, And Approve Boundary (recommended)
   Resolve the dirty merge state, update the remaining pairing/setup docs, and record maintainer acceptance that setup-code bootstrap may carry Talk secret authority.
2. Require Live Native Pairing Proof
   Ask for a real native or protocol-level setup-code pairing proof showing Talk config secrets work while admin and pairing scopes remain denied.
3. Keep Talk Secrets Out Of Bootstrap
   If maintainers decide bootstrap should not carry Talk secrets, pause or close this PR and solve native Talk config reads through a separate approved token or pairing flow.

Next step before merge
The remaining blockers are maintainer-owned: conflict resolution, security-boundary approval, and a small docs fix before merge.

Security
Needs attention: The diff intentionally expands a secrets-bearing bootstrap authorization boundary and needs explicit maintainer acceptance before merge.

Review findings

• [P2] Keep pairing docs aligned with the new scope — docs/gateway/protocol.md:173-174

Review details

Best possible solution:

Resolve the dirty merge state, align all pairing/setup docs, and land only after gateway/auth owners accept the expanded trusted bootstrap secret boundary.

Do we have a high-confidence way to reproduce the issue?

Yes, from source inspection: current main's bootstrap handoff excludes operator.talk.secrets, while talk.config with includeSecrets requires that scope. I did not run a live native pairing path in this read-only review.

Is this the best way to solve the issue?

Not yet: the implementation shape is focused, but the branch still needs docs alignment, conflict resolution, and explicit acceptance of the expanded secret-bearing bootstrap boundary.

Full review comments:

• [P2] Keep pairing docs aligned with the new scope — docs/gateway/protocol.md:173-174
  This section now documents that setup-code handoff includes operator.talk.secrets, but docs/channels/pairing.md still says the handed-off operator token is limited to approvals/read/write, and related FAQ/Telegram snippets still describe node-only setup. Please update the remaining user-facing pairing docs so the security boundary is described consistently.
  Confidence: 0.88

Overall correctness: patch is incorrect
Overall confidence: 0.84

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 6709f4efe56c.

Label changes

Label justifications:

• P2: This is a bounded gateway/auth improvement with limited surface but real compatibility and security-boundary implications.
• merge-risk: 🚨 compatibility: Changing the setup-code/bootstrap profile and issuance requirements can affect in-flight setup codes and scoped gateway callers during upgrades.
• merge-risk: 🚨 auth-provider: The PR changes which operator scopes are minted and required through setup-code/bootstrap device-token flows.
• merge-risk: 🚨 security-boundary: The added handoff scope lets trusted bootstrap clients read Talk configuration secrets.
• rating: 🦐 gold shrimp: Overall readiness is 🦐 gold shrimp; proof is 🌊 off-meta tidepool and patch quality is 🦐 gold shrimp.
• status: ⏳ waiting on author: ClawSweeper has contributor-facing work open and is waiting for author action. Not applicable: The external-contributor proof gate does not apply to this maintainer-labeled MEMBER PR; the body includes focused terminal proof, but no live mobile pairing proof.

Evidence reviewed

PR surface:

Source +50, Tests +86, Docs +4. Total +140 across 14 files.

View PR surface stats

Area	Files	Added	Removed	Net
Source	5	92	42	+50
Tests	6	115	29	+86
Docs	3	10	6	+4
Config	0	0	0	0
Generated	0	0	0	0
Other	0	0	0	0
Total	14	217	77	+140

Security concerns:

• [medium] Approve expanded Talk secrets handoff — src/shared/device-bootstrap-profile.ts:16
  Adding operator.talk.secrets to the setup-code/bootstrap handoff lets trusted bootstrap clients read Talk secret configuration without a separate operator pairing flow; this may be correct, but it is a security-boundary decision.
  Confidence: 0.86

What I checked:

• Repository policy read: Read the full root AGENTS.md plus scoped docs, extensions, gateway, and gateway protocol guides; auth/session/security-boundary changes are compatibility-sensitive review surfaces. (AGENTS.md:1, 6709f4efe56c)
• Live PR metadata: GitHub API reports the PR open, author association MEMBER, maintainer label present, head c66f3e3, 14 changed files, and mergeable_state: dirty. (c66f3e3af152)
• Current main bootstrap scope: Current main's setup-code handoff allowlist includes approvals/read/write but not operator.talk.secrets, so the requested change is not already implemented on main. (src/shared/device-bootstrap-profile.ts:13, 6709f4efe56c)
• Talk secret contract: talk.config rejects includeSecrets unless the client can read Talk secrets, which explains the source-level failure mode for bootstrap operators without that scope. (src/gateway/server-methods/talk.ts:516, 6709f4efe56c)
• PR handoff expansion: The PR head adds operator.talk.secrets to the central bootstrap handoff operator scope list. (src/shared/device-bootstrap-profile.ts:16, c66f3e3af152)
• PR issuance gate: The PR head requires internal setup handoff callers to hold operator.talk.secrets or operator.admin before issuing setup-code/QR handoff tokens. (extensions/device-pair/pair-command-auth.ts:27, c66f3e3af152)

Likely related people:

• ngutman: History for the bootstrap profile path includes the recent QR bootstrap operator handoff restore, and this PR continues that same gateway/device-pair flow. (role: prior QR/bootstrap handoff contributor and current PR author; confidence: high; commits: 94d8391c0323, a9140abea6d4, c66f3e3af152; files: src/shared/device-bootstrap-profile.ts, src/gateway/server/ws-connection/message-handler.ts, extensions/device-pair/index.ts)
• steipete: GitHub history shows central bootstrap profile refactors and multiple Talk/gateway config changes in the same authorization boundary. (role: recent gateway/bootstrap and Talk area contributor; confidence: high; commits: 6686f1cb2ce3, 7d22a16adb21, f1636d5e2831; files: src/shared/device-bootstrap-profile.ts, src/gateway/server/ws-connection/message-handler.ts, src/gateway/server-methods/talk.ts)
• pgondhi987: Recent history on the device-pair auth helper introduced pairing-scope enforcement for the /pair command, adjacent to the new Talk-secret setup handoff gate. (role: pairing authorization contributor; confidence: medium; commits: 37c0520a0b9c, b17e77a22bf4; files: extensions/device-pair/pair-command-auth.ts, src/shared/device-bootstrap-profile.ts)
• eleqtrizit: The GitHub path history for the bootstrap profile includes the commit that bounded bootstrap handoff scopes, which is the policy surface this PR expands. (role: bounded bootstrap handoff scope contributor; confidence: medium; commits: b8372a714ccc; files: src/shared/device-bootstrap-profile.ts, src/gateway/server/ws-connection/message-handler.ts)

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[clawsweeper]

ClawSweeper PR egg

🔥 Warming up: real-behavior proof passed; findings, security review, or rank-up moves are still in progress.

Hatch command

Comment @clawsweeper hatch when this PR is hatchable.

Hatchability rules:

• Merged PRs are hatchable.
• Open PRs are hatchable when they are status: 👀 ready for maintainer look, status: 🚀 automerge armed, or labeled clawsweeper:automerge.
• Closed unmerged PRs are hatchable only when one of those hatchable labels is still present in the durable record.

What is this egg doing here?

• Eggs appear after the PR passes real-behavior proof. It is here for vibes, not verdicts: it does not change labels, ratings, merge decisions, or automation.
• The shell reacts to review momentum: open follow-up work warms it up, re-review makes it wobble, and a clean final review lets it hatch.
• Hatchability usually comes from sufficient real-behavior proof, no blocking P0/P1/P2 findings, no security attention needed, and clean correctness. A merged PR is already final, so merge makes the egg hatchable independently.
• The hatch is seeded from this repository and PR number, so the same PR keeps the same creature; the reviewed head SHA can only change safe visual details.
• Rarity is just collectible sparkle: 🥚 common, 🌱 uncommon, 💎 rare, ✨ glimmer, and 🌈 legendary.

[ngutman]

Merged via squash.

• Prepared head SHA: 9247cdab05aea1d909a9757915adb94b895a9691
• Merge commit: c791e4242bc84cd962ca4766cd4431920c730e1b

Thanks @ngutman!