Description

After updating to OpenClaw v2026.3.13, openclaw status reports Gateway as unreachable with error missing scope: operator.read, but openclaw gateway probe shows the Gateway is actually reachable and functional.

Environment

• OpenClaw Version: 2026.3.13
• OS: macOS 26.3.1 (arm64)
• Node: 25.8.1
• Gateway Mode: local (loopback)

Symptoms

openclaw status
# Shows: Gateway · unreachable (missing scope: operator.read)

openclaw gateway probe
# Shows: Reachable: yes, Connect: ok (9ms)
# Warning: missing scope: operator.read

Diagnosis

1. Gateway is running normally (PID active, RPC probe: ok)
2. WebSocket connection succeeds (9ms latency)
3. Device auth token exists at ~/.openclaw/identity/device-auth.json
4. Operator token scopes are: operator.admin, operator.approvals, operator.pairing
5. Missing scope: operator.read

Attempts to Fix

1. Gateway restart: No change
2. Delete device-auth.json + restart: New token generated but still missing operator.read scope

Expected Behavior

• openclaw status should show Gateway as reachable
• Operator token should include operator.read scope by default, OR
• Gateway should grant operator.read scope during device pairing

Actual Behavior

• Gateway connection works but status shows unreachable
• Device auth token lacks operator.read scope
• Warning message: "Hint: pair device identity or use credentials with operator.read"

Impact

• Functionality: No impact - Gateway and agents work normally
• Monitoring: openclaw status shows false unreachable warning
• Alternative: Use openclaw gateway status for accurate status

Request

Please clarify:

1. Is operator.read a new required scope in v2026.3.13?
2. How should device pairing grant this scope?
3. Is this a bug in token generation or scope validation?

Logs

// device-auth.json operator token
{
  "scopes": [
    "operator.admin",
    "operator.approvals",
    "operator.pairing"
  ]
}

// openclaw gateway probe output
Reachable: yes
Connect: ok (9ms) · RPC: limited - missing scope: operator.read