
Rate limit node pairing requests [AI]#90147

Merged
pgondhi987 merged 3 commits into openclaw:main from pgondhi987:fix/fix-721
Jun 4, 2026

@pgondhi987 pgondhi987 commented Jun 4, 2026

Contributor

Summary

  • Adds a gateway auth-rate-limit scope for node-role pairing requests created during WebSocket connect.
  • Runs first-time node pairing requests through the existing serialized per-IP limiter before they enter the node-pairing storage lock.
  • Returns the existing structured rate-limit connect error when a first-time node pairing bucket is exhausted.
  • Preserves already paired node reconnects on their approved effective surface when only the fresh upgrade pairing request is throttled.
  • Adds regression coverage for concurrent first-time node connects and paired-node upgrade reconnects under an exhausted bucket.

AI-assisted: yes.

Linked context

No public issue is linked in this PR body.

Real behavior proof (required for external PRs)

  • Behavior or issue addressed: repeated first-time node connection attempts are throttled before they can queue node-pairing storage writes, while paired upgrade reconnects keep their approved surface.
  • Real environment tested: local source checkout with the gateway WebSocket integration test harness, plus GitHub Actions PR CI pending on the latest head.
  • Exact steps or command run after this patch: pnpm format -- src/gateway/node-connect-reconcile.ts src/gateway/node-connect-reconcile.test.ts src/gateway/server/ws-connection/message-handler.ts src/gateway/server.node-pairing-rate-limit.test.ts; node scripts/run-vitest.mjs src/gateway/node-connect-reconcile.test.ts src/gateway/server.node-pairing-rate-limit.test.ts src/gateway/server.preauth-bootstrap-token-rate-limit.test.ts src/gateway/auth-rate-limit.test.ts; node scripts/run-oxlint.mjs src/gateway/auth-rate-limit.ts src/gateway/node-connect-reconcile.ts src/gateway/node-connect-reconcile.test.ts src/gateway/server/ws-connection/message-handler.ts src/gateway/server.node-pairing-rate-limit.test.ts; git diff --check HEAD~1..HEAD.
  • Evidence after fix: focused Vitest shard passed 12 files / 136 tests; review-pr wrapper tests passed on the same targeted files; autoreview passed clean on the current branch.
  • Observed result after fix: with maxAttempts: 3, eight concurrent first-time node connects create three pending node-pairing requests and return five structured auth rate-limit responses; a paired node reconnecting with an upgraded capability declaration remains connected and does not create an extra pending request while the bucket is exhausted.
  • What was not tested: external live non-loopback device traffic outside the local gateway test harness.
  • Proof limitations or environment constraints: no external device or remote network environment was used; the gateway WebSocket harness exercises the real connect path in-process.
  • Before evidence: the affected connect path called requestNodePairing directly without a node-pairing rate-limit scope.

Tests and validation

Commands run:

  • pnpm format -- src/gateway/auth-rate-limit.ts src/gateway/server/ws-connection/message-handler.ts src/gateway/server.node-pairing-rate-limit.test.ts
  • node scripts/run-vitest.mjs src/gateway/server.node-pairing-rate-limit.test.ts src/gateway/server.preauth-bootstrap-token-rate-limit.test.ts src/gateway/auth-rate-limit.test.ts
  • node scripts/run-oxlint.mjs src/gateway/auth-rate-limit.ts src/gateway/server/ws-connection/message-handler.ts src/gateway/server.node-pairing-rate-limit.test.ts
  • git diff --check
  • pnpm format -- src/gateway/node-connect-reconcile.ts src/gateway/node-connect-reconcile.test.ts src/gateway/server/ws-connection/message-handler.ts src/gateway/server.node-pairing-rate-limit.test.ts
  • node scripts/run-vitest.mjs src/gateway/node-connect-reconcile.test.ts src/gateway/server.node-pairing-rate-limit.test.ts src/gateway/server.preauth-bootstrap-token-rate-limit.test.ts src/gateway/auth-rate-limit.test.ts
  • node scripts/run-oxlint.mjs src/gateway/auth-rate-limit.ts src/gateway/node-connect-reconcile.ts src/gateway/node-connect-reconcile.test.ts src/gateway/server/ws-connection/message-handler.ts src/gateway/server.node-pairing-rate-limit.test.ts
  • git diff --check HEAD~1..HEAD
  • scripts/pr review-tests 90147 src/gateway/node-connect-reconcile.test.ts src/gateway/server.node-pairing-rate-limit.test.ts src/gateway/server.preauth-bootstrap-token-rate-limit.test.ts src/gateway/auth-rate-limit.test.ts
  • timeout 1800 .agents/skills/autoreview/scripts/autoreview --mode branch --base origin/main

Regression coverage added: src/gateway/server.node-pairing-rate-limit.test.ts covers concurrent first-time node-pairing attempts and paired reconnect upgrades through the real WebSocket connect path; src/gateway/node-connect-reconcile.test.ts covers preserving the approved effective surface when a paired upgrade request is throttled.

What failed before this fix: the node connect path had no node-pairing limiter before requestNodePairing entered the shared storage lock.

Risk checklist

Did user-visible behavior change? (Yes/No)

Yes. Repeated first-time node pairing attempts from the same rate-limit identity can now receive the existing structured rate-limit connect error when the configured bucket is exhausted. Paired reconnects keep their approved surface when only the fresh upgrade request is throttled.

Did config, environment, or migration behavior change? (Yes/No)

No. This reuses the existing gateway auth rate-limit configuration and defaults.

Did security, auth, secrets, network, or tool execution behavior change? (Yes/No)

Yes. This changes the gateway security/auth boundary for node-role pairing requests by adding per-IP throttling before node-pairing storage writes.

What is the highest-risk area?

Unusually low gateway.auth.rateLimit settings can throttle rapid first-time node onboarding from the same rate-limit identity.

How is that risk mitigated?

The bucket uses the existing gateway rate-limit configuration, loopback exemption behavior, browser-origin limiter selection, and serialized attempt helper already used by auth-sensitive connect paths. Existing paired reconnects keep their approved surface if an upgrade pairing request is throttled.

Current review state

What is the next action?

Wait for GitHub Actions CI and fresh bot review on the latest head.

What is still waiting on author, maintainer, CI, or external proof?

GitHub Actions CI is pending on the latest pushed head; external live non-loopback proof was not run.

Which bot or reviewer comments were addressed?

Addressed ClawSweeper feedback to preserve paired reconnects on their approved surface when node-pairing request throttling trips.

@pgondhi987 pgondhi987 requested a review from a team as a code owner June 4, 2026 03:37
@openclaw-barnacle openclaw-barnacle Bot added gateway Gateway runtime size: S maintainer Maintainer-authored PR labels Jun 4, 2026
@clawsweeper

clawsweeper Bot commented Jun 4, 2026

Contributor

Codex review: needs real behavior proof before merge. Reviewed June 4, 2026, 12:11 AM ET / 04:11 UTC.

Summary
The branch adds a node-pairing auth-rate-limit scope, wraps WebSocket node-pairing request creation in serialized rate-limit checks, preserves paired reconnects when upgrade pairing is throttled, and adds gateway regression tests.

PR surface: Source +72, Tests +186. Total +258 across 5 files.

Reproducibility: no. high-confidence live reproduction is present. Source inspection shows current main enters requestNodePairing directly, and the PR adds harness coverage for the claimed burst and paired-reconnect paths, but no external non-loopback run was provided.

Review metrics: 1 noteworthy metric.

  • Existing config semantics widened: 1 changed surface. The PR reuses gateway.auth.rateLimit for node-pairing request creation, so existing operator thresholds can affect onboarding rather than only failed auth.

Merge readiness
Overall: 🧂 unranked krab
Proof: 🧂 unranked krab
Patch quality: 🦐 gold shrimp
Result: blocked until real behavior proof from a real setup is added.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

  • [P1] Add redacted real gateway proof from a non-loopback node-pairing scenario; terminal output, copied live output, logs, or a recording with diagnostics are acceptable after redacting private details.
  • Get explicit gateway/security owner approval for the broadened auth-rate-limit semantics, or revise the patch so existing failed-auth tuning is preserved by default.

Proof guidance:

  • [P1] Needs real behavior proof before merge: The PR body provides focused Vitest/gateway harness output and explicitly says external live non-loopback device traffic was not tested. After adding proof, update the PR body; ClawSweeper should re-review automatically. If it does not, the PR author or someone with repository write access can comment @clawsweeper re-review.

Risk before merge

  • [P1] Existing deployments with tight gateway.auth.rateLimit settings can now reject legitimate first-time node onboarding from the same client IP or NAT even though the shared gateway auth succeeded.
  • [P1] The PR changes a gateway auth/security boundary and carries the protected maintainer label, so the fail-closed pairing policy needs explicit gateway/security owner judgment before merge.
  • [P1] The contributor proof is still local gateway harness output; external live non-loopback node-pairing behavior was explicitly not tested.

Maintainer options:

  1. Align contract before merge (recommended)
    Update or narrow the implementation so operators can understand and safely upgrade the changed gateway.auth.rateLimit semantics for node onboarding, then add the corresponding proof.
  2. Accept as intentional hardening
    A gateway/security owner may decide that reusing the existing auth-rate-limit bucket is the desired fail-closed policy and explicitly accept the onboarding compatibility risk.
  3. Pause for live proof
    Keep the PR paused until a redacted non-loopback node-pairing run demonstrates the changed connect behavior outside the in-process test harness.

Next step before merge

  • [P1] Human review is needed because the blockers are contributor real-environment proof and a gateway auth-rate-limit compatibility decision, not a narrow automation repair.

Security
Cleared: No concrete credential handling, secret exposure, supply-chain, or security-boundary weakening was found; the remaining auth-boundary concern is tracked as compatibility and availability risk.

Review findings

  • [P1] Align the rate-limit contract before throttling pairing — src/gateway/server/ws-connection/message-handler.ts:228

Review details

Best possible solution:

Land node-pairing throttling only after the auth-rate-limit contract is explicitly approved and documented or adjusted, paired-reconnect compatibility remains covered, and redacted non-loopback gateway proof is added.

Do we have a high-confidence way to reproduce the issue?

No high-confidence live reproduction is present. Source inspection shows current main enters requestNodePairing directly, and the PR adds harness coverage for the claimed burst and paired-reconnect paths, but no external non-loopback run was provided.

Is this the best way to solve the issue?

Unclear as merge-ready. Throttling before the node-pairing storage lock is the right layer for the pressure point, but reusing the documented failed-auth limiter for successful pairing requests needs owner approval, documentation, or a safer contract before it is the best fix.

Full review comments:

  • [P1] Align the rate-limit contract before throttling pairing — src/gateway/server/ws-connection/message-handler.ts:228
    This records successful node-pairing request creation against gateway.auth.rateLimit, but current docs/types define that setting as failed-auth throttling. Existing deployments with tight buckets can now reject first-time node onboarding from the same IP/NAT even though auth succeeded; please either make node-pairing throttling an explicitly approved/documented contract with upgrade proof or preserve the existing failed-auth semantics by default.
    Confidence: 0.86

Overall correctness: patch is incorrect
Overall confidence: 0.86

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 7b02080fa179.

Label changes

Label changes:

  • add status: 🛠️ actively grinding: The PR author has acted after the latest ClawSweeper review and work remains. Needs real behavior proof before merge: The PR body provides focused Vitest/gateway harness output and explicitly says external live non-loopback device traffic was not tested. After adding proof, update the PR body; ClawSweeper should re-review automatically. If it does not, the PR author or someone with repository write access can comment @clawsweeper re-review.
  • remove status: 📣 needs proof: Current PR status label is status: 🛠️ actively grinding.

Label justifications:

  • P2: This is a bounded gateway hardening/compatibility change with real user impact but no evidence of an emergency outage or data loss.
  • merge-risk: 🚨 compatibility: The diff broadens the documented failed-auth rate-limit setting to throttle successful node-pairing request creation during upgrade.
  • merge-risk: 🚨 availability: Low existing buckets can make legitimate first-time node onboarding fail closed from a shared rate-limit identity.
  • rating: 🧂 unranked krab: Overall readiness is 🧂 unranked krab; proof is 🧂 unranked krab and patch quality is 🦐 gold shrimp.
  • status: 🛠️ actively grinding: The PR author has acted after the latest ClawSweeper review and work remains. Needs real behavior proof before merge: The PR body provides focused Vitest/gateway harness output and explicitly says external live non-loopback device traffic was not tested. After adding proof, update the PR body; ClawSweeper should re-review automatically. If it does not, the PR author or someone with repository write access can comment @clawsweeper re-review.

Evidence reviewed

PR surface:

Source +72, Tests +186. Total +258 across 5 files.

| Area | Files | Added | Removed | Net |
|---|---|---|---|---|
| Source | 3 | 82 | 10 | +72 |
| Tests | 2 | 186 | 0 | +186 |
| Docs | 0 | 0 | 0 | 0 |
| Config | 0 | 0 | 0 | 0 |
| Generated | 0 | 0 | 0 | 0 |
| Other | 0 | 0 | 0 | 0 |
| Total | 5 | 268 | 10 | +258 |

What I checked:

  • Repository policy read: The root AGENTS.md and scoped src/gateway/AGENTS.md were read fully; the applicable guidance treats gateway auth/config/fail-closed behavior as compatibility-sensitive and asks gateway tests to reuse suite-level servers where possible. (AGENTS.md:1, 7b02080fa179)
  • Current main lacks the limiter: On current main, node-role WebSocket connect calls reconcileNodePairingOnConnect with requestPairing wired directly to requestNodePairing, so first-time node pairing enters the pairing storage path without a node-pairing rate-limit scope. (src/gateway/server/ws-connection/message-handler.ts:1588, 7b02080fa179)
  • PR records node-pairing attempts against auth rate limit: The PR adds requestNodePairingFromConnect and calls recordFailure after requestNodePairing succeeds, so successful pairing request creation now consumes the existing gateway auth rate-limit bucket for the new node-pairing scope. (src/gateway/server/ws-connection/message-handler.ts:228, f40e41204d81)
  • Documented contract is failed-auth throttling: The public gateway configuration reference describes gateway.auth.rateLimit as an optional failed-auth limiter, with shared-secret and device-token scopes tracked independently; the PR changes behavior without updating that contract. Public docs: docs/gateway/configuration-reference.md. (docs/gateway/configuration-reference.md:572, 7b02080fa179)
  • Type-level contract also says failed attempts: GatewayAuthConfig and GatewayAuthRateLimitConfig comments describe the setting as failed authentication attempt limiting, so existing operators can reasonably tune it for failed auth rather than successful node onboarding bursts. (src/config/types.gateway.ts:198, 7b02080fa179)
  • Regression coverage is focused but harness-only: The PR adds gateway tests for concurrent first-time node pairing and paired-node upgrade reconnects, but the PR body says no external live non-loopback device traffic was tested. (src/gateway/server.node-pairing-rate-limit.test.ts:75, f40e41204d81)

Likely related people:

  • Peter Steinberger: Recent current-main history and blame show work across gateway auth, rate-limit serialization, node-pairing reconciliation, and the WebSocket message handler. (role: recent area contributor; confidence: high; commits: ad958fd97aab, 032dbf0ec6cd, db0cea5689ac; files: src/gateway/server/ws-connection/message-handler.ts, src/gateway/auth-rate-limit.ts, src/gateway/server/ws-connection/auth-context.ts)
  • Harald Buerbaumer: git history shows commit 30b6ecc adding gateway auth rate limiting and brute-force protection, the config surface this PR reuses. (role: introduced auth rate-limit surface; confidence: medium; commits: 30b6eccae5af; files: src/gateway/auth-rate-limit.ts)
  • Agustin Rivera: git history shows commit a383878 requiring re-pairing for node reconnect command upgrades, which is directly adjacent to the paired reconnect behavior this PR preserves. (role: adjacent node-pairing behavior contributor; confidence: medium; commits: a383878e97b7; files: src/gateway/node-connect-reconcile.ts, src/infra/node-pairing.ts)
  • pgondhi987: Beyond authoring this PR, current-main history shows prior merged work in the same WebSocket auth/session path for shared-token/password session invalidation. (role: recent adjacent gateway auth contributor; confidence: medium; commits: 5880ec17b18c; files: src/gateway/server/ws-connection/message-handler.ts)

What the crustacean ranks mean

  • 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
  • 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
  • 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
  • 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
  • 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
  • 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
  • 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works
  • ClawSweeper keeps one durable marker-backed review comment per issue or PR.
  • Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
  • A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
  • PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
  • Maintainers can also comment @clawsweeper review to request a fresh review only.
  • Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
  • Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
  • Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

@clawsweeper clawsweeper Bot added rating: 🧂 unranked krab Not merge-ready due to missing proof or serious correctness/safety concerns. status: 📣 needs proof The PR needs real behavior proof before ClawSweeper can clear the contributor ask. P2 Normal backlog priority with limited blast radius. merge-risk: 🚨 compatibility 🚨 May break existing users, config, migrations, defaults, or upgrade paths. merge-risk: 🚨 availability 🚨 May cause crashes, hangs, restart loops, stalls, or process outages. labels Jun 4, 2026
@pgondhi987

Contributor Author

@clawsweeper re-review

Updated the PR after the prior review:

  • Preserved paired-node reconnects on the already approved surface when only the fresh upgrade pairing request is throttled.
  • Added regression coverage for that paired reconnect path plus the first-time node-pairing burst path.
  • Updated the PR body with the current validation commands and observed results.

@clawsweeper

clawsweeper Bot commented Jun 4, 2026

Contributor

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

@pgondhi987

Contributor Author

Verification before merge:

Behavior addressed: First-time node-role WebSocket pairing requests are rate-limited before entering shared node-pairing storage, while already paired node upgrade reconnects keep their approved surface when fresh pairing is throttled.

Real environment tested: Local source checkout with gateway WebSocket integration tests; GitHub Actions PR CI on head f40e412. No external live non-loopback device environment was used.

Exact steps or command run after this patch:

  • pnpm format -- src/gateway/node-connect-reconcile.ts src/gateway/node-connect-reconcile.test.ts src/gateway/server/ws-connection/message-handler.ts src/gateway/server.node-pairing-rate-limit.test.ts
  • node scripts/run-vitest.mjs src/gateway/node-connect-reconcile.test.ts src/gateway/server.node-pairing-rate-limit.test.ts src/gateway/server.preauth-bootstrap-token-rate-limit.test.ts src/gateway/auth-rate-limit.test.ts
  • node scripts/run-oxlint.mjs src/gateway/auth-rate-limit.ts src/gateway/node-connect-reconcile.ts src/gateway/node-connect-reconcile.test.ts src/gateway/server/ws-connection/message-handler.ts src/gateway/server.node-pairing-rate-limit.test.ts
  • git diff --check HEAD~1..HEAD
  • scripts/pr review-tests 90147 src/gateway/node-connect-reconcile.test.ts src/gateway/server.node-pairing-rate-limit.test.ts src/gateway/server.preauth-bootstrap-token-rate-limit.test.ts src/gateway/auth-rate-limit.test.ts
  • timeout 1800 .agents/skills/autoreview/scripts/autoreview --mode branch --base origin/main
  • auto-pr.sh issue 721 --run-stage ghsa_dry_run
  • auto-pr.sh issue 721 --run-stage ghsa_real_gate

Evidence after fix:

  • Focused Vitest passed 12 files / 136 tests, including first-time burst throttling and paired upgrade reconnect preservation.
  • review-pr: passed on f40e412; READY FOR /prepare-pr; 0 findings; artifacts validated.
  • autoreview: passed on f40e412; no accepted/actionable findings.
  • GHSA dry-run: passed on f40e412; HARDEN / SOLVES / BC PASS.
  • GHSA real gate: passed on f40e412.
  • CI: gh pr checks reported 164 check rows, no non-pass buckets, and only pass/skipping/neutral outcomes.

Observed result after fix: Repeated first-time node pairing attempts from the same rate-limit key are rejected before queueing node-pairing storage work, and paired upgrade reconnects continue on the already approved effective surface.

What was not tested: External live non-loopback node/device traffic outside the local gateway WebSocket test harness.

Regression Risk:
Low to medium. This is gateway availability hardening within OpenClaw's local-first, trusted-operator model rather than a new multi-tenant auth boundary. It reuses existing gateway.auth.rateLimit semantics under a dedicated node-pairing scope; no auth credentials, approval scopes, sandboxing, storage schema, provider/plugin/channel behavior, migrations, or persisted secrets change. The main compatibility risk is tight custom rate-limit settings throttling rapid first-time node onboarding; paired reconnects are specifically preserved by the revised fix and tests.

Best fix verdict: Best/appropriate. The gateway connect layer owns the client rate-limit key, so gating before requestNodePairing() avoids shared-lock contention without changing the pairing store API or protocol surface. The main alternative, changing the storage lock itself, would be broader and would not distinguish first-time unpaired abuse from paired reconnect compatibility.

User behavior change:
Before, repeated first-time node-role connects could all reach node-pairing state writes. After, repeated attempts from the same rate-limit identity can receive the existing structured rate-limit connect error before storage work. Already paired nodes keep their approved surface when only an upgrade pairing request is throttled. Config schema, CLI, protocol shape, persisted state, provider/plugin/channel behavior, auth credentials, and approval scopes are unchanged.
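
The gating discussed in this thread, as an added TypeScript sketch (not OpenClaw's code and not taken from the PR): a per-key limiter that serializes check, pairing write and record, run against the same limiter unserialized, plus the paired-reconnect fallback. `ScopedLimiter`, `PairingStore`, `connectNode`, the `RATE_LIMITED` error shape and the empty surface given to an unapproved node are assumptions made for the example.

```typescript
// Added illustration. Every name here (ScopedLimiter, PairingStore, connectNode,
// the RATE_LIMITED error shape) is hypothetical and is not OpenClaw's API.
type Limited = { ok: false; error: { code: "RATE_LIMITED"; scope: string; retryAfterMs: number } };
type Connected = { ok: true; surface: string[]; pendingRequestId?: string };

class ScopedLimiter {
  private hits = new Map<string, number[]>(); // key -> timestamps of recorded attempts
  private tails = new Map<string, Promise<unknown>>(); // key -> tail of the per-key queue
  private maxAttempts: number;
  private windowMs: number;
  private serialized: boolean;

  constructor(maxAttempts: number, windowMs: number, serialized = true) {
    this.maxAttempts = maxAttempts;
    this.windowMs = windowMs;
    this.serialized = serialized;
  }

  // Check, run the action, then record. The attempt is recorded only after the
  // action succeeds, so without the per-key queue every concurrent caller
  // passes the check before anything has been recorded.
  attempt<T>(scope: string, ip: string, now: number, action: () => Promise<T>): Promise<T | Limited> {
    if (ip === "127.0.0.1" || ip === "::1") return action(); // loopback is exempt
    const key = `${scope}:${ip}`;
    const idle: Promise<unknown> = Promise.resolve();
    const prev = this.serialized ? this.tails.get(key) ?? idle : idle;
    const run = prev.then(async (): Promise<T | Limited> => {
      const recent = (this.hits.get(key) ?? []).filter((t) => now - t < this.windowMs);
      if (recent.length >= this.maxAttempts) {
        const retryAfterMs = recent[0] + this.windowMs - now;
        const limited: Limited = { ok: false, error: { code: "RATE_LIMITED", scope, retryAfterMs } };
        return limited;
      }
      const result = await action();
      recent.push(now);
      this.hits.set(key, recent);
      return result;
    });
    this.tails.set(key, run.catch(() => undefined)); // a failed action must not block the queue
    return run;
  }
}

class PairingStore {
  pending: string[] = []; // pairing requests awaiting operator approval
  approved = new Map<string, string[]>(); // nodeId -> approved capability surface
  private lock: Promise<unknown> = Promise.resolve();

  // Every write queues behind one shared lock: the contention point the limiter protects.
  requestPairing(nodeId: string): Promise<string> {
    const write = this.lock.then(async () => {
      await Promise.resolve(); // stands in for the storage write
      const id = `req-${this.pending.length + 1}`;
      this.pending.push(`${id}:${nodeId}`);
      return id;
    });
    this.lock = write.catch(() => undefined);
    return write;
  }
}

async function connectNode(
  limiter: ScopedLimiter, store: PairingStore,
  ip: string, nodeId: string, declared: string[], now: number,
): Promise<Connected | Limited> {
  const approved = store.approved.get(nodeId);
  if (approved && declared.every((c) => approved.includes(c))) {
    return { ok: true, surface: approved }; // plain reconnect, no pairing request needed
  }
  const res = await limiter.attempt("node-pairing", ip, now, () => store.requestPairing(nodeId));
  if (typeof res === "string") {
    return { ok: true, surface: approved ?? [], pendingRequestId: res };
  }
  // Throttled: a paired node stays on its approved surface, a first-time node gets the error.
  return approved ? { ok: true, surface: approved } : res;
}

// Constructed scenario: eight concurrent first-time connects from one address
// with maxAttempts 3, then a paired node reconnecting with an extra capability.
async function runScenario(serialized: boolean) {
  const limiter = new ScopedLimiter(3, 60_000, serialized);
  const store = new PairingStore();
  store.approved.set("node-paired", ["camera"]);
  const ip = "203.0.113.7"; // documentation-range address, constructed
  const burst = await Promise.all(
    Array.from({ length: 8 }, (_, i) => connectNode(limiter, store, ip, `node-${i}`, ["camera"], 1_000)),
  );
  const pendingAfterBurst = store.pending.length;
  const throttled = burst.filter((r) => !r.ok).length;
  const upgrade = await connectNode(limiter, store, ip, "node-paired", ["camera", "screen"], 2_000);
  return {
    pendingAfterBurst,
    throttled,
    upgradeSurface: upgrade.ok ? upgrade.surface.join(",") : "rejected",
    upgradeQueuedRequest: upgrade.ok && upgrade.pendingRequestId !== undefined,
    pendingAfterUpgrade: store.pending.length,
  };
}
```

With `serialized` set to `false`, all eight connects pass the check before any attempt is recorded, so eight writes reach the store lock instead of three.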

@clawsweeper clawsweeper Bot added status: 🛠️ actively grinding The PR author has acted after the latest ClawSweeper review and work remains. and removed status: 📣 needs proof The PR needs real behavior proof before ClawSweeper can clear the contributor ask. labels Jun 4, 2026
@pgondhi987 pgondhi987 merged commit 3f1e0eb into openclaw:main Jun 4, 2026
7 checks passed
github-actions Bot pushed a commit to Desicool/openclaw that referenced this pull request Jun 4, 2026
* fix: rate limit node pairing requests

* fix: preserve paired node reconnects
SebTardif pushed a commit to SebTardif/openclaw that referenced this pull request Jun 4, 2026
* fix: rate limit node pairing requests

* fix: preserve paired node reconnects
traoremp pushed a commit to traoremp/openclaw that referenced this pull request Jun 5, 2026
* fix: rate limit node pairing requests

* fix: preserve paired node reconnects
849261680 pushed a commit to 849261680/openclaw that referenced this pull request Jun 7, 2026
* fix: rate limit node pairing requests

* fix: preserve paired node reconnects
wangmiao0668000666 pushed a commit to wangmiao0668000666/openclaw that referenced this pull request Jun 9, 2026
* fix: rate limit node pairing requests

* fix: preserve paired node reconnects
eleboucher pushed a commit to eleboucher/homelab that referenced this pull request Jun 9, 2026
…26.6.5) (#963)

This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [ghcr.io/openclaw/openclaw](https://openclaw.ai) ([source](https://github.com/openclaw/openclaw)) | patch | `2026.6.1` → `2026.6.5` |

---

### Release Notes

<details>
<summary>openclaw/openclaw (ghcr.io/openclaw/openclaw)</summary>

### [`v2026.6.5`](https://github.com/openclaw/openclaw/blob/HEAD/CHANGELOG.md#202665)

[Compare Source](openclaw/openclaw@v2026.6.1...v2026.6.5)

##### Highlights

- QQBot now strips model reasoning/thinking scaffolding before native delivery, preventing raw `<thinking>` content from leaking into channel replies. ([#89913](openclaw/openclaw#89913), [#90132](openclaw/openclaw#90132)) Thanks [@openperf](https://github.com/openperf).
- MCP tool results now coerce `resource_link`, `resource`, `audio`, malformed image, and future non-text/image blocks at the materialize boundary, preventing Anthropic 400s and poisoned session history after a tool returns richer MCP content. ([#90710](openclaw/openclaw#90710), [#90728](openclaw/openclaw#90728)) Thanks [@RanSHammer](https://github.com/RanSHammer) and [@849261680](https://github.com/849261680).
- Anthropic extended-thinking sessions recover after prompt-cache expiry or Gateway restart because stream start events wait for `message_start`, letting pre-generation signature errors trigger the existing recovery retry. ([#90667](openclaw/openclaw#90667), [#90697](openclaw/openclaw#90697)) Thanks [@openperf](https://github.com/openperf).
- Parallel is now a bundled `web_search` provider with `PARALLEL_API_KEY` discovery, guarded endpoint handling, cache-safe session ids, onboarding picker support, and docs. ([#85158](openclaw/openclaw#85158)) Thanks [@NormallyGaussian](https://github.com/NormallyGaussian).
- Google Vertex ADC users get static catalog rows and runtime model resolution again, while single-provider cooldown recovery and memory adapter status checks are more reliable. ([#90506](openclaw/openclaw#90506), [#90609](openclaw/openclaw#90609), [#90717](openclaw/openclaw#90717), [#90816](openclaw/openclaw#90816)) Thanks [@849261680](https://github.com/849261680).
- Matrix can preflight voice notes before mention gating, preserve thread reads/replies through Matrix relations pagination, and carry QA coverage for voice and thread flows. ([#78016](openclaw/openclaw#78016), [#90415](openclaw/openclaw#90415))
- Auth and plugin install state is more durable: auth profiles now live in SQLite, official npm plugin install records keep their trusted pins, and prerelease fallback integrity checks avoid carrying stale integrity forward. ([#89102](openclaw/openclaw#89102), [#88585](openclaw/openclaw#88585))
- macOS node mode no longer silently self-reconnects away from a healthy direct Gateway session, reducing unexpected companion app session churn. ([#90668](openclaw/openclaw#90668), [#90815](openclaw/openclaw#90815)) Thanks [@vrurg](https://github.com/vrurg).
- Upgrade and service paths are safer: cron legacy JSON stores migrate during doctor preflight, service env placeholders no longer mask state-dir secrets, WhatsApp startup waits are bounded, and disabled WhatsApp accounts tear down on config reload. ([#90072](openclaw/openclaw#90072), [#90208](openclaw/openclaw#90208), [#90277](openclaw/openclaw#90277), [#90488](openclaw/openclaw#90488), [#90486](openclaw/openclaw#90486), [#87951](openclaw/openclaw#87951), [#87965](openclaw/openclaw#87965)) Thanks [@MonkeyLeeT](https://github.com/MonkeyLeeT), [@sallyom](https://github.com/sallyom), [@mcaxtr](https://github.com/mcaxtr), and [@MukundaKatta](https://github.com/MukundaKatta).

##### Changes

- Search/providers: add the Parallel bundled web-search plugin, live provider tests, registration contracts, onboarding/docs wiring, and guarded `api.parallel.ai/v1/search` support. ([#85158](openclaw/openclaw#85158)) Thanks [@NormallyGaussian](https://github.com/NormallyGaussian).
- Matrix/channels: add voice-message preflight and thread-aware read/reply behavior, including Matrix QA scenario wiring and docs for voice-message behavior. ([#78016](openclaw/openclaw#78016), [#90415](openclaw/openclaw#90415))
- Skills/ClawHub: install ClawHub skills backed by GitHub repositories through the resolved install API, download the pinned GitHub commit, keep install-policy checks, and report install telemetry after success. ([#90478](openclaw/openclaw#90478)) Thanks [@Patrick-Erichsen](https://github.com/Patrick-Erichsen).
- Google Chat/channels: add native approval card actions and click handling so Google Chat approvals use platform-native cards instead of generic message flow.
- Mobile: Android provider/model screens now surface expiring, unavailable, unresolved, and attention states more clearly, while iOS settings and Talk tabs keep diagnostics, gateway rows, attachment labels, and unavailable Talk controls reachable.
- Memory: QMD search can use the new rerank toggle, and memory adapter status uses the resolved default model identity when checking plain status. ([#61834](openclaw/openclaw#61834))
- Docs/tooling: add Parallel search docs, refresh weather-skill guidance toward `web_fetch`, clarify legacy `openai-codex` auth, document release/test helper scripts, and tighten changed-test routing docs for CI/debugging work. ([#90028](openclaw/openclaw#90028), [#90250](openclaw/openclaw#90250)) Thanks [@fuller-stack-dev](https://github.com/fuller-stack-dev).
- Release/process: switch release trains to `YYYY.M.PATCH` monthly patch numbering, keep pre-transition tags compatible, and pin the June 2026 floor at `2026.6.5` after the published beta.
- Platform maintenance: refresh Android, Swift/macOS, Docker, CodeQL, Buildx, Docker build/push, and Codex Action dependencies for this release train. ([#74980](openclaw/openclaw#74980), [#81757](openclaw/openclaw#81757), [#86481](openclaw/openclaw#86481), [#86483](openclaw/openclaw#86483), [#90601](openclaw/openclaw#90601))
- QQBot: add `/bot-group-allways on|off` slash command (with named-account and default-account support) to toggle whether group messages require an `@mention` before the bot replies, and clear the runtime config snapshot after the write so the new account-level `defaultRequireMention` takes effect immediately without restart. ([#91423](openclaw/openclaw#91423)) Thanks [@cxyhhhhh](https://github.com/cxyhhhhh).

##### Fixes

- Channel content boundaries: QQBot now strips reasoning/thinking tags before sending, preserving final answers while hiding internal model narration from users. ([#89913](openclaw/openclaw#89913), [#90132](openclaw/openclaw#90132)) Thanks [@openperf](https://github.com/openperf).
- Agents/MCP/providers: coerce non-text/image MCP tool-result blocks before they reach provider converters, preserving valid images and turning richer MCP content into text instead of malformed image blocks. ([#90710](openclaw/openclaw#90710), [#90728](openclaw/openclaw#90728)) Thanks [@RanSHammer](https://github.com/RanSHammer) and [@849261680](https://github.com/849261680).
- Anthropic/Codex/ACP/agent recovery: defer Anthropic stream start events until `message_start`, strip stale compaction thinking signatures before Anthropic replay, detect unsigned thinking-only stalls, refresh prompt fences after compaction writes, reject empty completion handoffs, preserve parent streaming-off overrides/shared progress commentary, forward heartbeat metadata to context-engine hooks, and cover Codex session/thread migration edge cases. ([#90667](openclaw/openclaw#90667), [#90697](openclaw/openclaw#90697), [#90163](openclaw/openclaw#90163), [#90108](openclaw/openclaw#90108), [#89874](openclaw/openclaw#89874), [#89505](openclaw/openclaw#89505), [#90632](openclaw/openclaw#90632), [#89302](openclaw/openclaw#89302), [#90729](openclaw/openclaw#90729), [#90317](openclaw/openclaw#90317), [#90319](openclaw/openclaw#90319)) Thanks [@openperf](https://github.com/openperf), [@100yenadmin](https://github.com/100yenadmin), and [@ooiuuii](https://github.com/ooiuuii).
- Provider/model resolution: preserve Google Vertex ADC auth markers in generated catalogs, re-probe a single-provider primary after cooldown, share Codex model visibility, fail closed for unknown model auth, preserve Codex alias availability, keep unresolved profile refs unknown, and avoid resolving auth while listing models. ([#90506](openclaw/openclaw#90506), [#90609](openclaw/openclaw#90609), [#90717](openclaw/openclaw#90717), [#90702](openclaw/openclaw#90702)) Thanks [@849261680](https://github.com/849261680).
- Gateway/macOS/mobile: avoid duplicate Gateway probe warnings by identity, rate-limit node pairing requests while preserving paired-node reconnects, keep macOS node mode on a healthy direct Gateway session, keep iOS diagnostics and gateway rows reachable, and avoid Linux ARM Gradle resource tasks during Android builds. ([#85791](openclaw/openclaw#85791), [#90147](openclaw/openclaw#90147), [#90668](openclaw/openclaw#90668), [#90815](openclaw/openclaw#90815)) Thanks [@giodl73-repo](https://github.com/giodl73-repo) and [@vrurg](https://github.com/vrurg).
- TUI/chat/Workboard/auto-reply: optimistic user messages stay stable across stale history reloads, runId reassignment, and abort windows instead of disappearing, jumping, or lingering as ghost rows; Workboard stale lifecycle bulk updates no longer overwrite newer status/provenance; message-tool sends now count as delivery. ([#86205](openclaw/openclaw#86205), [#89600](openclaw/openclaw#89600), [#88592](openclaw/openclaw#88592), [#90123](openclaw/openclaw#90123)) Thanks [@RomneyDa](https://github.com/RomneyDa).
- Cron/update/service env: doctor config preflight now migrates legacy cron JSON stores into SQLite before runtime reads, service env planning skips unresolved placeholders that would mask state-dir `.env` values, and session transcript rewrites keep registry markers/discriminants consistent. ([#90072](openclaw/openclaw#90072), [#90208](openclaw/openclaw#90208), [#90277](openclaw/openclaw#90277), [#90488](openclaw/openclaw#90488)) Thanks [@MonkeyLeeT](https://github.com/MonkeyLeeT) and [@sallyom](https://github.com/sallyom).
- Security/config/tooling: guard MCP HTTP redirects, protect global agent config defaults, and keep release/test/tooling proof failures bounded and explicit. ([#89732](openclaw/openclaw#89732), [#90145](openclaw/openclaw#90145))
- Channels: WhatsApp restarts when per-account config changes, bounds background startup waits, closes failed sockets, and preserves reconnect behavior; Mattermost slash commands keep their state on `globalThis`; Feishu streaming cards preserve full merged content; voice-call tracks Twilio streams after connect; ClickClack reply tools respect `toolsAllow`. ([#87951](openclaw/openclaw#87951), [#87965](openclaw/openclaw#87965), [#90486](openclaw/openclaw#90486), [#68113](openclaw/openclaw#68113), [#90534](openclaw/openclaw#90534), [#90181](openclaw/openclaw#90181), [#90607](openclaw/openclaw#90607), [#89500](openclaw/openclaw#89500)) Thanks [@MukundaKatta](https://github.com/MukundaKatta), [@mcaxtr](https://github.com/mcaxtr), [@infoanton](https://github.com/infoanton), [@mushuiyu886](https://github.com/mushuiyu886), and [@sahibzada-allahyar](https://github.com/sahibzada-allahyar).
- Feishu: retry transient send rate-limit errors (HTTP 429, per-chat code 230020, tenant-level code 11232) with linear backoff, including SDK responses that fulfill with rate-limit bodies instead of throwing, and route streaming-card sends through the retry wrapper. ([#89659](openclaw/openclaw#89659)) Thanks [@ladygege](https://github.com/ladygege).
- Release/CI/E2E: main CI guard drift, PR merge diff scoping, live Docker credential staging, base-image qualification, installer Docker classification, Playwright dependency install recovery, API-key auth for Codex live Docker lanes, Parallels option terminators, and JSON-mode progress handling are tighter so release proof fails cleaner. ([#90532](openclaw/openclaw#90532), [#90287](openclaw/openclaw#90287), [#90058](openclaw/openclaw#90058)) Thanks [@RomneyDa](https://github.com/RomneyDa), [@hxy91819](https://github.com/hxy91819), and [@mrunalp](https://github.com/mrunalp).
- Release/CI/E2E: Docker E2E and live Docker harness runs now apply default memory, CPU, and process ceilings while preserving explicit per-lane overrides.
- Release/CI/E2E: plugin lifecycle matrix resource sampling now fails phases that exceed RSS, wall-clock, or CPU ceilings instead of only logging the measurements.
- Release/CI/E2E: Codex npm plugin live assertions now cap transcript discovery and diagnostic log reads so failure proof stays bounded.
- Tests/state isolation: QA Lab valid-tool-call metrics now require runtime tool-call evidence when runtime parity data is available instead of counting tool-backed scenario pass status alone.
- Tests/state isolation: QA Lab runtime parity now fails planned-only tool-call rows without matching tool results instead of treating matching mock plans as real tool evidence.
- Tests/state isolation: provider, media, auth, cron, task, session, sandbox, Gateway, and Codex timeout fixtures now scope more home/state/env data per test, reducing cross-test leakage and making release validation failures less noisy. ([#90027](openclaw/openclaw#90027), [#89974](openclaw/openclaw#89974))

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about these updates again.

---


This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).

Reviewed-on: https://git.erwanleboucher.dev/eleboucher/homelab/pulls/963
sablehead pushed a commit to sablehead/openclaw that referenced this pull request Jun 10, 2026
* fix: rate limit node pairing requests

* fix: preserve paired node reconnects

Labels

gateway Gateway runtime maintainer Maintainer-authored PR merge-risk: 🚨 availability 🚨 May cause crashes, hangs, restart loops, stalls, or process outages. merge-risk: 🚨 compatibility 🚨 May break existing users, config, migrations, defaults, or upgrade paths. P2 Normal backlog priority with limited blast radius. rating: 🧂 unranked krab Not merge-ready due to missing proof or serious correctness/safety concerns. size: M status: 🛠️ actively grinding The PR author has acted after the latest ClawSweeper review and work remains.
