fix(gateway): return default scopes when trusted HTTP request has no scope header (#58603)

resolveTrustedHttpOperatorScopes() returns [] when the x-openclaw-scopes
header is absent, even for trusted requests (--auth none). This causes
403 "missing scope: operator.write" on /v1/chat/completions.

Root cause: src/gateway/http-utils.ts:138-140. PR #57783 (f0af18672)
replaced the old resolveGatewayRequestedOperatorScopes which had an
explicit fallback to CLI_DEFAULT_OPERATOR_SCOPES when no header was
present. The new function treats absent header the same as empty header
— both return [].

Fix: distinguish absent header (undefined → return defaults) from empty
header ("" → return []). Trusted clients without an explicit scope
header get the default operator scopes, matching pre-#57783 behavior.

Closes #58357

Signed-off-by: HCL <chenglunhu@gmail.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
hcl 2026-04-01 09:09:05 +08:00 committed by GitHub
parent 5b8f0cf1d5
commit b8fea43bf2
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 7 additions and 1 deletions


@ -135,7 +135,13 @@ export function resolveTrustedHttpOperatorScopes(
return [];
}
const raw = getHeader(req, "x-openclaw-scopes")?.trim();
const headerValue = getHeader(req, "x-openclaw-scopes");
if (headerValue === undefined) {
// No scope header present — trusted clients without an explicit header
// get the default operator scopes (matching pre-#57783 behavior).
return [...CLI_DEFAULT_OPERATOR_SCOPES];
}
const raw = headerValue.trim();
if (!raw) {
return [];
}
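Review bot: the `headerValue === undefined` branch makes the scope grant depend on header presence rather than content, so the split (absent header returns `[...CLI_DEFAULT_OPERATOR_SCOPES]`, empty string returns `[]`) should be pinned by tests, and with one file changed in this commit none are added. Suggested cases: a trusted request with no `x-openclaw-scopes` header returns the defaults; a trusted request with an empty `x-openclaw-scopes` value returns `[]`; and an untrusted request with no header still takes the earlier `return [];` rather than the defaults, since that ordering is what keeps the fallback from widening access. Also worth a line in the header's documentation that an explicitly empty value now means "no scopes", as that is how a trusted client expresses zero scopes after this change.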