fix(gateway): decouple backend RPC from CLI pairing

2026-05-06 15:10:52 +00:00 · 2026-04-25 23:22:08 +01:00
parent 91adb69c57
commit e640c0a95f
7 changed files with 175 additions and 12 deletions
--- a/docs/gateway/protocol.md
+++ b/docs/gateway/protocol.md
@@ -110,6 +110,14 @@ permissions:
 }
 ```

+Trusted same-process backend clients (`client.id: "gateway-client"`,
+`client.mode: "backend"`) may omit `device` on direct loopback connections when
+they authenticate with the shared gateway token/password. This path is reserved
+for internal control-plane RPCs and keeps stale CLI/device pairing baselines from
+blocking local backend work such as subagent session updates. Remote clients,
+browser-origin clients, node clients, and explicit device-token/device-identity
+clients still use the normal pairing and scope-upgrade checks.
+
 When a device token is issued, `hello-ok` also includes:

 ```json