docs: align pairing metadata upgrade approval

docs/gateway/pairing.md

@@ -121,10 +121,12 @@ If silent approval fails, it falls back to the normal “Approve/Reject” promp
 
 When an already paired device reconnects with only non-sensitive metadata
 changes (for example, display name or client platform hints), OpenClaw treats
-that as a `metadata-upgrade` and auto-approves the reconnect without
-prompting. Scope upgrades (read to write/admin) and public key changes are
-**not** eligible for metadata-upgrade auto-approval — they stay as explicit
-re-approval requests.
+that as a `metadata-upgrade`. Silent auto-approval is narrow: it applies only
+to trusted local CLI/helper reconnects that already proved possession of the
+shared token or password over loopback. Browser/Control UI clients and remote
+clients still use the explicit re-approval flow. Scope upgrades (read to
+write/admin) and public key changes are **not** eligible for metadata-upgrade
+auto-approval — they stay as explicit re-approval requests.
 
 ## QR pairing helpers
 

docs/gateway/security/index.md

@@ -947,9 +947,10 @@ Local device pairing:
   treated as remote for pairing, trusted-proxy auth, and Control UI device
   identity gating — it no longer qualifies for loopback auto-approval.
 - **Metadata-upgrade auto-approval** applies only to non-sensitive reconnect
-  deltas on already paired devices (display name, client platform hints).
-  Scope upgrades (read to write/admin) and public key changes still require
-  explicit re-approval and are never silently upgraded.
+  deltas on already paired trusted local CLI/helper clients that proved
+  possession of the shared token or password over loopback. Browser/Control UI
+  clients and remote clients still require explicit re-approval. Scope upgrades
+  (read to write/admin) and public key changes are never silently upgraded.
 
 Auth modes: