[Bug] Gateway returns "missing scope: operator.read" error in Control UI after upgrade to 2026.3.13 #46358

@andyleeqd

🐛 Bug: Missing scope operator.read after upgrade to 2026.3.13

Description

After upgrading to OpenClaw 2026.3.13, the Control UI cannot read Gateway status and consistently shows the error: missing scope: operator.read.

Environment

| Item | Value |
|---|---|
| OpenClaw Version | 2026.3.13 (commit: 61d171a) |
| Node.js Version | v24.14.0 |
| OS | macOS 12.7.6 (21H1320) |
| Architecture | x64 |
| Gateway Mode | local, bind=loopback (127.0.0.1:18789) |
| Gateway Status | Running normally (service pid 15575) |

Steps to Reproduce

  1. Upgrade to OpenClaw 2026.3.13
  2. Start Gateway (LaunchAgent running normally)
  3. Open Control UI (http://127.0.0.1:18789/)
  4. Try to view Gateway status

Actual Behavior

openclaw status shows:
Gateway: local · ws://127.0.0.1:18789 (local loopback) · unreachable (missing scope: operator.read)

Gateway logs show multiple errors:

⇄ res ✗ status 0ms errorCode=INVALID_REQUEST errorMessage=missing scope: operator.read
⇄ res ✗ system-presence 0ms errorCode=INVALID_REQUEST errorMessage=missing scope: operator.read
⇄ res ✗ config.get 0ms errorCode=INVALID_REQUEST errorMessage=missing scope: operator.read

Control UI also shows connection failure with warnings:

origin-mismatch
reason="origin not allowed"
open the Control UI from the gateway host or allow it in gateway.controlUi.allowedOrigins

Expected Behavior

Control UI should successfully connect to Gateway and read status information.

Current Gateway Configuration

{
  "gateway": {
    "port": 18789,
    "mode": "local",
    "bind": "loopback",
    "trustedProxies": ["127.0.0.1", "::1", "localhost"],
    "controlUi": {
      "allowedOrigins": ["http://127.0.0.1:18789", "http://localhost:18789"]
    },
    "auth": {
      "mode": "token",
      "token": "12e55090eda2a6b8f7fc802b4d03c7bec97079cefce06619"
    },
    "tailscale": {
      "mode": "off",
      "resetOnExit": false
    },
    "nodes": {
      "allowCommands": ["*"],
      "denyCommands": [
        "camera.snap",
        "camera.clip",
        "screen.record",
        "contacts.add",
        "calendar.add",
        "reminders.add",
        "sms.send"
      ]
    }
  }
}

Attempted Fixes (All Failed)

  1. Added trustedProxies configuration
  2. Added controlUi.allowedOrigins configuration
  3. Added nodes.allowCommands
  4. Restarted Gateway with openclaw gateway restart

Additional Information

  • Agent works completely normally (all skills functional)
  • This issue does not affect main functionality
  • Only affects openclaw status command showing Gateway details
  • Control UI cannot connect

Console Output

openclaw status
-> Gateway: local · ws://127.0.0.1:18789 (local loopback) · unreachable (missing scope: operator.read)
openclaw gateway status
-> Runtime: running (pid 15575)
-> RPC probe: ok
-> Listening: 127.0.0.1:18789
