docs: refresh device token scope refs

docs/cli/devices.md

@@ -72,6 +72,9 @@ openclaw devices reject <requestId>
 Rotate a device token for a specific role (optionally updating scopes).
 The target role must already exist in that device's approved pairing contract;
 rotation cannot mint a new unapproved role.
+If you omit `--scope`, later reconnects with the stored rotated token reuse that
+token's cached approved scopes. If you pass explicit `--scope` values, those
+become the stored scope set for future cached-token reconnects.
 
 ```
 openclaw devices rotate --device <deviceId> --role operator --scope operator.read --scope operator.write