fix(gateway): share approval runtime socket token

[fuller-stack-dev]

Summary

• Use the existing exec-approvals.json socket token as the approval-runtime token when it exists, so Docker/CLI/separate-process approval clients sharing OPENCLAW_HOME can authenticate as the local approval runtime.
• Keep the process-local random token as the fallback when no shared socket token exists, without creating exec-approvals.json just to read a token.
• Keep approvalRuntimeToken attached only for generated local gateway URL sources, including the existing gateway.mode=remote with missing gateway.remote.url fallback-local path.
• Omit approvalRuntimeToken for env, explicit, and configured remote URL sources even when the host is loopback; those approval calls use stable requester device identity instead.

Scope split

• Split out from fix: repair local approval resolution #86771.
• This PR is only shared approval-runtime token selection for Docker/CLI/separate-process approval clients sharing OpenClaw state.
• It does not include stale Discord button UX or the approval.routeNotice.send gateway method.

Real behavior proof

Behavior addressed: A separate approval-runtime process sharing OPENCLAW_HOME can authenticate with the existing exec-approvals.json socket token and resolve a requester-bound approval. Env/configured remote gateway URL sources omit approvalRuntimeToken and cannot resolve requester-bound approvals without normal owner visibility/runtime authority. Env-selected approval request/wait calls keep requester identity. Remote mode without gateway.remote.url keeps the existing fallback-local approval-runtime behavior.

Real environment tested: Current PR head a89cfa1c4234771e0336fa2b5722f20b1f3ed43b was tested on Blacksmith Testbox through Crabbox, provider blacksmith-testbox, id tbx_01ktkpn7ebxk5nr9tz74qwe5vc, Actions run 27140908325. Earlier live two-process smoke proof covered the shared-OPENCLAW_HOME runtime handoff on head 1ef8400457; the current-head delta is the fallback-local target classification fix and its focused regression proof.

Exact steps or command run after this patch: node scripts/crabbox-wrapper.mjs run --provider blacksmith-testbox --blacksmith-org openclaw --blacksmith-workflow .github/workflows/ci-check-testbox.yml --blacksmith-job check --blacksmith-ref main --idle-timeout 90m --ttl 240m --timing-json -- corepack pnpm test src/agents/tools/gateway.test.ts src/gateway/operator-approval-runtime-token.test.ts src/gateway/operator-approvals-client.test.ts src/gateway/server/ws-connection/message-handler.post-connect-health.test.ts -- --reporter=dot

Evidence after fix:

provider=blacksmith-testbox id=tbx_01ktkpn7ebxk5nr9tz74qwe5vc sync=delegated auth=blacksmith
GitHub Actions run: https://github.com/openclaw/openclaw/actions/runs/27140908325
[test] starting test/vitest/vitest.gateway.config.ts
Test Files 11 passed (11)
Tests 113 passed (113)
[test] starting test/vitest/vitest.agents.config.ts
Test Files 1 passed (1)
Tests 29 passed (29)
[test] passed 2 Vitest shards in 17.12s
blacksmith run summary sync=delegated command=1m5.014s total=1m15.223s exit=0

Observed result after fix: The current-head focused proof covers shared-token derivation, approval-client token omission/preservation rules, server-side remote locality rejection, and the agent-tool fallback-local regression. The new regression asserts gateway.mode=remote without gateway.remote.url keeps approvalRuntimeToken and does not switch to requester deviceIdentity.

What was not tested: No Docker Compose smoke was run. The earlier live two-process smoke used two Node processes on one host sharing OPENCLAW_HOME; the current-head proof reran the affected gateway and agent shards on Testbox after the fallback-local fix.

Tests and validation

• node scripts/run-vitest.mjs src/agents/tools/gateway.test.ts --reporter=dot — passed; 1 file, 29 tests.
• node_modules/.bin/oxfmt --check src/agents/tools/gateway.ts src/agents/tools/gateway.test.ts — passed.
• git diff --check — passed.
• Testbox-through-Crabbox focused proof above — passed; 2 shards, 142 tests.
• .agents/skills/autoreview/scripts/autoreview --mode branch --base origin/main — clean; no accepted/actionable findings.

Risk checklist

Did user-visible behavior change? Yes

Did config, environment, or migration behavior change? No

Did security, auth, secrets, network, or tool execution behavior change? Yes

Highest-risk area: approval-runtime authentication for local approval clients sharing OpenClaw state.

Mitigation: Shared-token selection only reads an existing socket token; it does not create the shared file. The approval client attaches the runtime token only for generated local/fallback gateway URL sources; env, explicit, and configured remote URL sources omit it. Env-selected and configured-remote approval calls use stable requester device identity instead of runtime authority, and fail before opening a gateway connection if that identity cannot be loaded.

[clawsweeper]

Codex review: needs maintainer review before merge. Reviewed June 8, 2026, 9:41 AM ET / 13:41 UTC.

Summary
The PR derives local approval-runtime auth from an existing exec-approvals socket token, restricts runtime-token attachment to generated local/fallback gateway sources, uses requester device identity for remote approval calls, and adds gateway/agent regression tests.

PR surface: Source +89, Tests +330. Total +419 across 8 files.

Reproducibility: yes. from source inspection: current main only creates a process-local random approval-runtime token, so a separate process sharing OPENCLAW_HOME cannot derive the same token. I did not run a live repro in this read-only review.

Review metrics: none identified.

Merge readiness
Overall: 🐚 platinum hermit
Proof: 🐚 platinum hermit
Patch quality: 🐚 platinum hermit
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

• [P2] Maintainers should explicitly accept or reject the shared exec-approvals-token runtime-authority model before merge.
• Run an exact Docker/shared-volume smoke only if the team wants deployment-topology proof beyond the Testbox and earlier two-process evidence.

Risk before merge

• [P1] Merging intentionally broadens approval-runtime authority from same-process memory to local or separate processes that can read the existing exec-approvals socket token and connect through an accepted local gateway path.
• [P1] Env-selected and configured-remote approval RPCs now depend on a stable persisted device identity; read-only, damaged, or invalid state directories can fail before opening the gateway connection.
• [P1] The current-head proof covers Testbox gateway/agent shards and earlier two-process shared-home smoke, but it does not include an exact Docker Compose/shared-volume smoke for the deployment class named in the PR body.

Maintainer options:

1. Accept the guarded shared-runtime boundary (recommended)
   If maintainers agree that local readers of the existing exec-approvals socket token may act as the approval runtime, merge after normal branch and CI gates stay green.
2. Require exact Docker shared-volume proof
   Ask for one Docker or equivalent shared-OPENCLAW_HOME smoke if maintainers need proof of the named deployment topology before accepting the boundary.
3. Pause if the trust model is too broad
   If shared exec-approvals token possession is not an acceptable runtime-authority signal, pause this PR and redesign the local approval-runtime credential contract.

Next step before merge

• No automated repair is needed; the remaining action is maintainer acceptance of the security-boundary and compatibility tradeoff plus normal merge gates.

Security
Cleared: No concrete security defect was found in the diff; the remaining security question is the intentional local shared-token boundary decision.

Review details

Best possible solution:

Land this only after maintainers accept the shared local-token trust boundary and compatibility behavior, keeping runtime authority limited to generated local/fallback gateway sources with the current regression coverage.

Do we have a high-confidence way to reproduce the issue?

Yes, from source inspection: current main only creates a process-local random approval-runtime token, so a separate process sharing OPENCLAW_HOME cannot derive the same token. I did not run a live repro in this read-only review.

Is this the best way to solve the issue?

Yes, this looks like the best bounded implementation if maintainers accept the trust model: the PR derives a scoped token instead of sending the raw socket token, rejects remote locality on the server, and keeps env/configured remote paths on requester identity.

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 9a82b60024b5.

Label changes

Label changes:

• add proof: sufficient: Contributor real behavior proof is sufficient. The PR body supplies current-head Testbox-through-Crabbox terminal proof for a89cfa1 and documents the earlier two-process shared-home smoke.
• add rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🐚 platinum hermit and patch quality is 🐚 platinum hermit.
• add status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Sufficient (terminal): The PR body supplies current-head Testbox-through-Crabbox terminal proof for a89cfa1 and documents the earlier two-process shared-home smoke.
• remove rating: 🧂 unranked krab: Current PR rating is rating: 🐚 platinum hermit, so this older rating label is no longer current.
• remove status: 📣 needs proof: Current PR status label is status: 👀 ready for maintainer look.

Label justifications:

• P2: The PR fixes a bounded gateway approval workflow, but it changes security-sensitive runtime auth behavior rather than an urgent broken core runtime.
• merge-risk: 🚨 compatibility: Remote/env approval calls can now fail early when a stable persisted requester device identity cannot be loaded.
• merge-risk: 🚨 security-boundary: The PR deliberately expands approval-runtime authority to local/separate processes that can read the existing exec-approvals socket token.
• rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🐚 platinum hermit and patch quality is 🐚 platinum hermit.
• status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Sufficient (terminal): The PR body supplies current-head Testbox-through-Crabbox terminal proof for a89cfa1 and documents the earlier two-process shared-home smoke.
• proof: sufficient: Contributor real behavior proof is sufficient. The PR body supplies current-head Testbox-through-Crabbox terminal proof for a89cfa1 and documents the earlier two-process shared-home smoke.

Evidence reviewed

PR surface:

Source +89, Tests +330. Total +419 across 8 files.

View PR surface stats

Area	Files	Added	Removed	Net
Source	4	138	49	+89
Tests	4	337	7	+330
Docs	0	0	0	0
Config	0	0	0	0
Generated	0	0	0	0
Other	0	0	0	0
Total	8	475	56	+419

What I checked:

• Repository policy read: Root AGENTS.md and scoped src/agents, src/agents/tools, and src/gateway AGENTS.md were read; gateway auth, fallback behavior, and security-boundary guidance affected the merge-risk review. (AGENTS.md:14, 9a82b60024b5)
• Current main behavior: Current main's approval-runtime token is module-local random process state, so a separate process sharing OPENCLAW_HOME cannot derive the same runtime token from source alone. (src/gateway/operator-approval-runtime-token.ts:10, 9a82b60024b5)
• Shared-token implementation: The PR reads the existing exec-approvals socket token, derives an HMAC-scoped approval runtime token, and keeps a process-local fallback when no shared token exists. (src/gateway/operator-approval-runtime-token.ts:16, a89cfa1c4234)
• Agent gateway boundary: The PR classifies env-selected and configured-remote approval calls as remote, withholds approvalRuntimeToken outside local targets, and supplies persisted requester device identity for remote approval methods. (src/agents/tools/gateway.ts:111, a89cfa1c4234)
• Server-side remote rejection: The PR prevents a valid approvalRuntimeToken from marking remote websocket clients as the trusted approval runtime. (src/gateway/server/ws-connection/message-handler.ts:1727, a89cfa1c4234)
• Regression coverage: PR tests cover shared-token derivation, env/configured remote token omission, remote device identity failures, fallback-local token preservation, and remote-client runtime-token rejection. (src/agents/tools/gateway.test.ts:367, a89cfa1c4234)

Likely related people:

• shakkernerd: Member review identified the env-loopback and fallback-local boundary issues, and the latest PR commits implement the security-boundary and fallback-local fixes. (role: recent reviewer and follow-up owner; confidence: high; commits: 21dd6fa8405c, 42ae60579493, a89cfa1c4234; files: src/agents/tools/gateway.ts, src/gateway/server/ws-connection/message-handler.ts, src/gateway/operator-approvals-client.ts)
• fuller-stack-dev: The merged local approval-resolution PR split this shared-token follow-up out, and the first two commits on this PR implement the shared-token and env-gating direction. (role: related feature contributor; confidence: high; commits: 13cfb77c10f9, 963e312fef9c, add6518cf24b; files: src/gateway/operator-approvals-client.ts, src/gateway/operator-approval-runtime-token.ts, src/agents/tools/gateway.ts)
• steipete: History across the touched gateway files shows heavy prior work on gateway auth, pairing locality, and approval gateway setup, making this a useful routing candidate for the boundary decision. (role: adjacent gateway auth owner; confidence: medium; commits: 1df78202b967, 1ab37d7a124e, bb01e49192d3; files: src/gateway/operator-approvals-client.ts, src/gateway/server/ws-connection/message-handler.ts, src/agents/tools/gateway.ts)

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[clawsweeper]

ClawSweeper PR egg

🔥 Warming up: real-behavior proof passed; findings, security review, or rank-up moves are still in progress.

Hatch command

Comment @clawsweeper hatch when this PR is hatchable.

Hatchability rules:

• Merged PRs are hatchable.
• Open PRs are hatchable when they are status: 👀 ready for maintainer look, status: 🚀 automerge armed, or labeled clawsweeper:automerge.
• Closed unmerged PRs are hatchable only when one of those hatchable labels is still present in the durable record.

What is this egg doing here?

• Eggs appear after the PR passes real-behavior proof. It is here for vibes, not verdicts: it does not change labels, ratings, merge decisions, or automation.
• The shell reacts to review momentum: open follow-up work warms it up, re-review makes it wobble, and a clean final review lets it hatch.
• Hatchability usually comes from sufficient real-behavior proof, no blocking P0/P1/P2 findings, no security attention needed, and clean correctness. A merged PR is already final, so merge makes the egg hatchable independently.
• The hatch is seeded from this repository and PR number, so the same PR keeps the same creature; the reviewed head SHA can only change safe visual details.
• Rarity is just collectible sparkle: 🥚 common, 🌱 uncommon, 💎 rare, ✨ glimmer, and 🌈 legendary.

[fuller-stack-dev]

Refreshed the PR body with current-head proof for a395cede70. The new proof covers a real two-process shared-OPENCLAW_HOME approval-runtime smoke, plus env override and configured remote loopback rejection for requester-bound approvals.

@clawsweeper re-review

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

• State: Complete
• Detail: The targeted re-review finished, the durable review comment was updated, and the synced verdict was routed.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/26490892934
• Updated: 2026-05-27T04:40:00.733Z

[shakkernerd]

Addressed the fallback-local ClawSweeper finding in a89cfa1c4234771e0336fa2b5722f20b1f3ed43b.

What changed:

• gateway.mode=remote without gateway.remote.url now stays on the existing fallback-local approval-runtime path.
• Env-selected gateway URLs still remain token-ineligible, including loopback URLs.
• Added a regression test proving fallback-local approval calls keep approvalRuntimeToken and do not switch to requester deviceIdentity.

Verification:

• node scripts/run-vitest.mjs src/agents/tools/gateway.test.ts --reporter=dot — passed; 29 tests.
• node_modules/.bin/oxfmt --check src/agents/tools/gateway.ts src/agents/tools/gateway.test.ts — passed.
• git diff --check — passed.
• Testbox-through-Crabbox tbx_01ktkpn7ebxk5nr9tz74qwe5vc, Actions run 27140908325: focused gateway/agent shards passed, 142 tests.
• .agents/skills/autoreview/scripts/autoreview --mode branch --base origin/main — clean; no accepted/actionable findings.

Updated the PR body with current-head proof.

@clawsweeper re-review

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

• State: Complete
• Detail: The targeted re-review finished, the durable review comment was updated, and the synced verdict was routed.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/27141203667
• Updated: 2026-06-08T13:42:44.116Z