From dd17dea761d532dc12e9a63950fe3cab604e0ee5 Mon Sep 17 00:00:00 2001 From: Peter Steinberger Date: Thu, 23 Apr 2026 07:56:16 +0100 Subject: [PATCH] docs: align pairing metadata upgrade approval --- docs/gateway/pairing.md | 10 ++++++---- docs/gateway/security/index.md | 7 ++++--- 2 files changed, 10 insertions(+), 7 deletions(-) diff --git a/docs/gateway/pairing.md b/docs/gateway/pairing.md index 2e15ce693f6..627647a95c0 100644 --- a/docs/gateway/pairing.md +++ b/docs/gateway/pairing.md @@ -121,10 +121,12 @@ If silent approval fails, it falls back to the normal “Approve/Reject” promp When an already paired device reconnects with only non-sensitive metadata changes (for example, display name or client platform hints), OpenClaw treats -that as a `metadata-upgrade` and auto-approves the reconnect without -prompting. Scope upgrades (read to write/admin) and public key changes are -**not** eligible for metadata-upgrade auto-approval — they stay as explicit -re-approval requests. +that as a `metadata-upgrade`. Silent auto-approval is narrow: it applies only +to trusted local CLI/helper reconnects that already proved possession of the +shared token or password over loopback. Browser/Control UI clients and remote +clients still use the explicit re-approval flow. Scope upgrades (read to +write/admin) and public key changes are **not** eligible for metadata-upgrade +auto-approval — they stay as explicit re-approval requests. ## QR pairing helpers diff --git a/docs/gateway/security/index.md b/docs/gateway/security/index.md index ab355a5a679..7de212a55cd 100644 --- a/docs/gateway/security/index.md +++ b/docs/gateway/security/index.md 
@@ -947,9 +947,10 @@ Local device pairing: treated as remote for pairing, trusted-proxy auth, and Control UI device identity gating — it no longer qualifies for loopback auto-approval. - **Metadata-upgrade auto-approval** applies only to non-sensitive reconnect - deltas on already paired devices (display name, client platform hints). - Scope upgrades (read to write/admin) and public key changes still require - explicit re-approval and are never silently upgraded. + deltas on already paired trusted local CLI/helper clients that proved + possession of the shared token or password over loopback. Browser/Control UI + clients and remote clients still require explicit re-approval. Scope upgrades + (read to write/admin) and public key changes are never silently upgraded. Auth modes:
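Review bot: In the `docs/gateway/pairing.md` hunk, the eligibility condition for silent `metadata-upgrade` approval is stated by example only ("for example, display name or client platform hints"), yet this set is the security boundary: anything a reader does not see listed under "Scope upgrades (read to write/admin) and public key changes" could be assumed eligible. Please enumerate (or link to) the exact fields that count as non-sensitive reconnect deltas and state explicitly that any other delta, and any CLI/helper reconnect that fails the token/password proof, goes to the explicit re-approval prompt rather than being auto-approved; the preceding context line ("If silent approval fails, it falls back to the normal “Approve/Reject” prompt") describes the silent-approval path, but the new paragraph does not say whether the same fallback applies to metadata-upgrade. It would also help to name which auth mode "the shared token or password" refers to, so the reader can map "proved possession" to a concrete credential.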
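Review bot: In the `docs/gateway/security/index.md` hunk, the new bullet reads as contradicting the unchanged context bullet directly above it: that bullet says local device pairing is "treated as remote for pairing, trusted-proxy auth, and Control UI device identity gating — it no longer qualifies for loopback auto-approval", while the new text says metadata-upgrade auto-approval "applies only to non-sensitive reconnect deltas on already paired trusted local CLI/helper clients that proved possession of the shared token or password over loopback." Please make the distinguishing criterion explicit in the new bullet, i.e. that eligibility rests on the client being a CLI/helper that proved the shared token or password, not on loopback origin by itself, and that the loopback exclusion in the previous bullet is what keeps Browser/Control UI and remote clients on the explicit re-approval flow. As written, a reader cannot tell which bullet governs a loopback Control UI reconnect. Also consider cross-referencing the "Auth modes:" section that follows, since "shared token or password" only has meaning relative to the configured auth mode.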