fix: address remaining review feedback

- Use base-path-relative manifest URL (no leading slash) so PWA works
  under non-root base paths
- Classify push.web.* methods in WRITE_SCOPE so they work for operator
  sessions without admin scope
- Refresh webPushPermission in the finally block of handleWebPushSubscribe
  so denied permission is immediately reflected in the UI

src/gateway/method-scopes.ts

@@ -146,6 +146,10 @@ const METHOD_SCOPE_GROUPS: Record<OperatorScope, readonly string[]> = {
     "doctor.memory.repairDreamingArtifacts",
     "doctor.memory.dedupeDreamDiary",
     "push.test",
+    "push.web.vapidPublicKey",
+    "push.web.subscribe",
+    "push.web.unsubscribe",
+    "push.web.test",
     "node.pending.enqueue",
   ],
   [ADMIN_SCOPE]: [

ui/src/ui/app.ts

@@ -984,6 +984,10 @@ export class OpenClawApp extends LitElement {
       this.lastError = String(err);
     } finally {
       this.webPushLoading = false;
+      // Always refresh permission state — catches denied prompts too.
+      if ("Notification" in window) {
+        this.webPushPermission = Notification.permission;
+      }
     }
   }