Skip to content

[Bug]: "openclaw status" reports gateway as "unreachable" when probe lacks operator.read scope (cosmetic, gateway fully functional) #45908

Open
Open
[Bug]: "openclaw status" reports gateway as "unreachable" when probe lacks operator.read scope (cosmetic, gateway fully functional)#45908
#48950 (+3)
@openclawace

Description

@openclawace
openclawace
opened on Mar 14, 2026

Summary

openclaw status and openclaw gateway probe report the gateway as "unreachable (missing scope: operator.read)" even though the gateway is fully functional — all channels connected, sessions active, Control UI working, crons running.

This is a cosmetic/diagnostic issue: the probe connection path does not authenticate with full device credentials, so it receives limited scopes and cannot call config.get for status details.

Steps to reproduce

  1. Clean install or upgrade to 2026.3.13
  2. Gateway running with gateway.auth.mode: "token", gateway.bind: "loopback"
  3. Device properly paired with full scopes (operator.read, operator.write, operator.admin, etc.) — confirmed in both ~/.openclaw/devices/paired.json and ~/.openclaw/identity/device-auth.json
  4. Run openclaw status or openclaw gateway probe

Expected behavior

Gateway reported as reachable (since it is — everything works).

Actual behavior

Gateway │ local · ws://127.0.0.1:18789 (local loopback) · unreachable (missing scope: operator.read)

openclaw gateway probe --json shows:

{
  "connect": {
    "ok": true,
    "rpcOk": false,
    "scopeLimited": true,
    "error": "missing scope: operator.read"
  }
}

Gateway logs show the probe connects as mode: "probe", version: "dev" and does NOT send device auth credentials:

{"cause":"device-required","handshake":"failed","client":"cli","mode":"probe","version":"dev"}
closed before connect code=1008 reason=connect failed

Root cause analysis

The probe connection is a lightweight check that connects without full device credentials. The gateway rejects the RPC call (config.get) due to missing operator.read scope. The openclaw status display then renders this as "unreachable" — which is misleading since the gateway is fully operational.

The 2026.3.13 fix (#22582) correctly added operator.read and operator.write to default operator connect scope bundles for CLI/Control UI/macOS clients, but the probe code path appears to be separate and was not updated.

Impact

  • Functional impact: None — gateway works perfectly
  • User confusion: High — "unreachable" in openclaw status causes unnecessary troubleshooting
  • The troubleshooting docs do note that RPC: limited - missing scope: operator.read is "degraded diagnostics, not a connect failure" but the status display does not reflect this distinction

Suggested fix

Either:

  1. Have the probe authenticate with device credentials (so it gets proper scopes), OR
  2. Change the status display to show "reachable (diagnostics limited)" instead of "unreachable" when the probe connects successfully but lacks operator.read

OpenClaw version

2026.3.13

Operating system

macOS 26.3.1 (arm64) — Mac mini

Install method

npm global (pnpm)

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions