openclaw - 💡(How to fix) Fix [Bug]: CLI probe commands (openclaw gateway status) create read-only device pairing record that blocks admin operations [1 comments, 2 participants]

Bug type

Behavior bug (incorrect output/state without crash)

Beta release blocker

Yes

Summary

Running CLI probe commands like openclaw gateway status or openclaw status creates a read-only (operator.read) device pairing record in devices/paired.json. This read-only record subsequently blocks any operations requiring operator.admin scope (such as openclaw nodes approve or sub-agent creation), causing a deadlock.

Steps to reproduce

1. Run openclaw gateway status when the CLI device is not paired
2. Attempt to create a subagent
3. CLI connects to Gateway WebSocket and triggers device pairing
4. Pairing is approved, but the CLI only declares operator.read scope
5. A read-only device record is written to devices/paired.json
6. Attempt any admin operation (e.g., openclaw nodes approve, create a sub-agent)
7. Result: gateway closed (1008): pairing required

Expected behavior

• CLI probe commands should either declare full operator scope, OR
• The Gateway should allow existing paired devices to upgrade their scope when needed, OR
• A scope-upgrade failure should provide clear error messages and unlock guidance

Actual behavior

The scope-upgrade reason in logs confirms: an existing device record lacks sufficient permissions, but the upgrade itself requires admin permissions that the existing record doesn't have → deadlock.

OpenClaw version

2026.4.10

Operating system

Windows 11

Install method

npm global

Model

qwen3.6-plus

Provider / routing chain

Additional provider/model setup details

No response

Logs, screenshots, and evidence

{
"cause": "pairing-required",
"reason": "scope-upgrade"
}

Impact and severity

Severity: High / Beta Release Blocker

This bug has a deceptive trigger but critical impact:

1. Invisible trigger: openclaw gateway status is a benign diagnostic command that users run routinely to check gateway health. There is zero indication that running it has any side effects.

2. Cascading failure: After the read-only pairing record is created, ALL subsequent admin operations fail:

   • Sub-agent creation (sessions_spawn)
   • openclaw nodes approve / openclaw nodes list
   • openclaw devices list
   • Any CLI command requiring operator.admin scope

3. Self-locking deadlock: Once the read-only record exists, the user cannot fix the problem through normal CLI workflows because the CLI itself lacks the admin permissions needed to approve a scope upgrade. Recovery requires manual file deletion (paired.json) + gateway restart — a workaround that no user would discover without seeing the source code or this issue.

4. Reproducible 100%: The bug is consistently reproducible on any fresh install where the CLI device has not yet been paired with full scope.

User experience impact: A user who runs openclaw gateway status to check things are working will silently poison their installation. Every subsequent command fails with an opaque "pairing required" error. This is likely the most confusing failure mode possible — the act of checking whether the system works breaks the system.

Additional information

openclaw gateway status (needs operator.read only) → creates read-only pairing record in paired.json → blocks new pairing requests with higher scopes → admin operations (sub-agent creation, nodes approve) fail with "pairing required" → cannot approve the new pairing because the CLI itself lacks admin permission → DEADLOCK