Summary

After upgrading from 2026.2.15 to 2026.2.19 (or 2026.2.19-2 npm), all gateway tool connections enter an infinite pairing loop with error:

\
gateway closed (1008): pairing required
\\

Agents are unable to spawn subagents, list sessions, or use any gateway-dependent tools. The gateway itself runs fine and Telegram/channel connections work — only tool-level gateway calls fail.

Root Cause

The 2026.2.19 security hardening introduced two new scopes: \operator.write\ and \operator.read. Existing paired devices only carry the legacy scope set:

\
operator.admin, operator.approvals, operator.pairing
\\

When a tool call requires \operator.write\ or \operator.read, the gateway issues a scope-upgrade warning and rejects the connection with \1008: pairing required. The client then re-initiates a repair request, which gets approved — but the cycle repeats for the next required scope, creating an infinite loop.

Gateway log evidence:
\
[gateway] security audit: device access upgrade requested reason=scope-upgrade
device=
scopesFrom=operator.admin,operator.approvals,operator.pairing
scopesTo=operator.write
code=1008 reason=pairing required

[gateway] security audit: device access upgrade requested reason=scope-upgrade
scopesFrom=operator.admin,operator.approvals,operator.pairing,operator.write
scopesTo=operator.read
code=1008 reason=pairing required
\\

Affected Versions

• From: 2026.2.15
• To: 2026.2.19, 2026.2.19-1, 2026.2.19-2
• Also present in: 2026.2.21 (no fix shipped yet)
• Platform: Windows (confirmed), likely all platforms

Reproduction Steps

1. Have OpenClaw running on 2026.2.15 with paired devices
2. Update to 2026.2.19+ via npm (
   pm install -g openclaw)
3. Gateway restarts
4. Any agent tool call that uses gateway (sessions_list, sessions_spawn, etc.) fails with \1008: pairing required\
5. Approving the repair request loops back to step 4 with the next missing scope

Workaround (Manual Fix)

Run for each paired device (CLI + Control UI):

\\�ash

Find device IDs

openclaw devices list --json

Rotate token with full scope set

openclaw devices rotate
--device
--role operator
--scope operator.admin
--scope operator.approvals
--scope operator.pairing
--scope operator.write
--scope operator.read
\\

Repeat for all paired devices. No restart required after rotation.

Expected Behavior

When upgrading, openclaw doctor --fix (or the update process itself) should detect devices missing the new scopes and auto-rotate their tokens with the full current scope set. Users should not need to manually rotate tokens after a routine update.

Environment

• OS: Windows 11
• Node: v23.7.0
• OpenClaw before: 2026.2.15
• OpenClaw after: 2026.2.19-2
• Install method: npm global (
  pm install -g openclaw)
• Gateway mode: local, loopback, token auth