From 4db7d49c450068eee48d93075f766cea43cf2018 Mon Sep 17 00:00:00 2001 From: "openclaw-docs-sync[bot]" Date: Sat, 25 Apr 2026 23:28:58 +0000 Subject: [PATCH] chore(sync): mirror docs from openclaw/openclaw@41b27024bbfc4e42654845c9fc7058ef528dd461 --- .openclaw-sync/source.json | 4 ++-- docs/gateway/protocol.md | 6 ++++-- docs/tools/subagents.md | 8 ++++++++ 3 files changed, 14 insertions(+), 4 deletions(-) diff --git a/.openclaw-sync/source.json b/.openclaw-sync/source.json index 9769b074e..f292d3768 100644 --- a/.openclaw-sync/source.json +++ b/.openclaw-sync/source.json @@ -1,5 +1,5 @@ { "repository": "openclaw/openclaw", - "sha": "c2ea0ce5a9e532cada41bf67381cbb963d3f9378", - "syncedAt": "2026-04-25T23:12:37.392Z" + "sha": "41b27024bbfc4e42654845c9fc7058ef528dd461", + "syncedAt": "2026-04-25T23:27:30.433Z" } diff --git a/docs/gateway/protocol.md b/docs/gateway/protocol.md index 6d0b4d106..47a95f474 100644 --- a/docs/gateway/protocol.md +++ b/docs/gateway/protocol.md @@ -577,11 +577,13 @@ rather than the pre-handshake defaults. trusted shared-secret helper flows. - Same-host tailnet or LAN connects are still treated as remote for pairing and require approval. -- All WS clients must include `device` identity during `connect` (operator + node). - Control UI can omit it only in these modes: +- WS clients normally include `device` identity during `connect` (operator + + node). The only device-less operator exceptions are explicit trust paths: - `gateway.controlUi.allowInsecureAuth=true` for localhost-only insecure HTTP compatibility. - successful `gateway.auth.mode: "trusted-proxy"` operator Control UI auth. - `gateway.controlUi.dangerouslyDisableDeviceAuth=true` (break-glass, severe security downgrade). + - direct-loopback `gateway-client` backend RPCs authenticated with the shared + gateway token/password. - All connections must sign the server-provided `connect.challenge` nonce. ### Device auth migration diagnostics diff --git a/docs/tools/subagents.md b/docs/tools/subagents.md index 520871aea..899be1c9d 100644 --- a/docs/tools/subagents.md +++ b/docs/tools/subagents.md @@ -383,6 +383,14 @@ child session is marked `abortedLastRun: true`. Those restart-aborted child sessions remain recoverable through the sub-agent orphan recovery flow, which sends a synthetic resume message before clearing the aborted marker. +If a sub-agent spawn fails with Gateway `PAIRING_REQUIRED` / `scope-upgrade`, +check the RPC caller before editing pairing state. Internal `sessions_spawn` +coordination should connect as `client.id: "gateway-client"` with +`client.mode: "backend"` over direct loopback shared-token/password auth; that +path does not depend on the CLI's paired-device scope baseline. Remote callers, +explicit `deviceIdentity`, explicit device-token paths, and browser/node clients +still need normal device approval for scope upgrades. + ## Stopping - Sending `/stop` in the requester chat aborts the requester session and stops any active sub-agent runs spawned from it, cascading to nested children.