Bug

When gateway.controlUi.dangerouslyDisableDeviceAuth: true is set, the dashboard connects successfully but cannot perform any operations because all scopes are stripped to [], resulting in "missing scope: operator.read" errors.

Root cause

In the gateway WebSocket handshake (gateway-cli-*.js), when dangerouslyDisableDeviceAuth is true, device is set to null. This triggers the if (!device) branch which unconditionally clears scopes:

if (!device) {
    if (scopes.length > 0) {
        scopes = [];
        connectParams.scopes = scopes;
    }

This should respect allowControlUiBypass:

if (scopes.length > 0 && !allowControlUiBypass) {

Related issue: device_token_mismatch on local connections

The reason dangerouslyDisableDeviceAuth was needed in the first place: fresh local browser connections to the dashboard fail with device_token_mismatch. The gateway validates the gateway auth token as a device-specific token and rejects it before reaching the auto-pair flow.

Flow:

1. Dashboard connects with gateway auth token + fresh device identity (Ed25519 keypair)
2. authorizeGatewayConnect validates the gateway token ✅
3. But then the code at if (!authOk && connectParams.auth?.token && device) calls verifyDeviceToken using the gateway token as if it were a device token
4. This fails → device_token_mismatch
5. Connection rejected before reaching the requirePairing flow that would auto-approve local clients

Environment

• OpenClaw 2026.2.14 (c1feda1)
• macOS (arm64), Node v24.6.0
• Loopback-only gateway (127.0.0.1:18789)
• Fresh install, fresh browsers (Safari + Chrome both affected)

Workaround

1. Set gateway.controlUi.dangerouslyDisableDeviceAuth: true
2. Patch scope stripping: change if (scopes.length > 0) to if (scopes.length > 0 && !allowControlUiBypass) in the !device branch