Skip to content

Stable v2026.3.13-1 still reports false missing scope: operator.read for local loopback probes #49730

Open
Open
Stable v2026.3.13-1 still reports false missing scope: operator.read for local loopback probes#49730
@wufunc

Description

@wufunc
wufunc
opened on Mar 18, 2026

Summary

The latest stable tag v2026.3.13-1 still reproduces a false-negative gateway diagnostic on local authenticated loopback probes:

  • openclaw gateway probe
  • openclaw status --json

Both can degrade to missing scope: operator.read even when the local loopback gateway is healthy and direct gateway RPC calls succeed.

main already appears to contain the fix in commit 4ab016a9bd (fix: preserve loopback gateway scopes for local auth), but that fix is not present in v2026.3.13-1.

Why this is confusing

From the operator side, the system looks broken because the user-visible diagnostic says the gateway is degraded / unreachable-ish, while the actual gateway and agent turns are fine.

In my local repro:

  • openclaw gateway call status --json succeeded
  • openclaw agent --agent main --message 'Reply with exactly OK.' --thinking xhigh --json succeeded
  • but openclaw gateway probe and openclaw status --json reported missing scope: operator.read

Source / release relationship

What I verified locally from the repo:

  • main contains commit 4ab016a9bd fix: preserve loopback gateway scopes for local auth
  • v2026.3.13-1 does not contain that commit
  • v2026.3.13-1:src/gateway/probe.ts still has the older unconditional loopback device-identity disable path
  • closed PR fix(gateway): include device identity in probe clients #48617 describes the same fix path and was later marked superseded by the upstream commit above

Repro on stable v2026.3.13-1

Environment:

  • macOS 14.8.3 (arm64)
  • OpenClaw 2026.3.13 installed from package manager
  • gateway.mode=local
  • gateway.bind=loopback
  • token auth enabled
  • paired operator device present

Steps:

  1. Start / keep a healthy local loopback gateway.
  2. Ensure local token auth is enabled and the device is paired.
  3. Run openclaw gateway probe.
  4. Run openclaw status --json.
  5. Compare that with openclaw gateway call status --json or a real openclaw agent ... turn.

Actual:

  • probe/status path can report missing scope: operator.read

Expected:

  • local authenticated loopback probes should stay device-bound and report the gateway as reachable / RPC: ok

Request

Please confirm that the next stable release includes 4ab016a9bd, or otherwise track a backport/re-release path for users still on v2026.3.13-1.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions