From b8fea43bf2c1afb5018e6be4a7c154dfdd3b36ba Mon Sep 17 00:00:00 2001 From: hcl Date: Wed, 1 Apr 2026 09:09:05 +0800 Subject: [PATCH] fix(gateway): return default scopes when trusted HTTP request has no scope header (#58603) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit resolveTrustedHttpOperatorScopes() returns [] when the x-openclaw-scopes header is absent, even for trusted requests (--auth none). This causes 403 "missing scope: operator.write" on /v1/chat/completions. Root cause: src/gateway/http-utils.ts:138-140. PR #57783 (f0af18672) replaced the old resolveGatewayRequestedOperatorScopes which had an explicit fallback to CLI_DEFAULT_OPERATOR_SCOPES when no header was present. The new function treats absent header the same as empty header — both return []. Fix: distinguish absent header (undefined → return defaults) from empty header ("" → return []). Trusted clients without an explicit scope header get the default operator scopes, matching pre-#57783 behavior. Closes #58357 Signed-off-by: HCL Co-authored-by: Claude Opus 4.6
---
 src/gateway/http-utils.ts | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/src/gateway/http-utils.ts b/src/gateway/http-utils.ts
index a9783d550e2..bf55d6163c3 100644
--- a/src/gateway/http-utils.ts
+++ b/src/gateway/http-utils.ts
@@ -135,7 +135,13 @@ export function resolveTrustedHttpOperatorScopes(
 return [];
 }
- const raw = getHeader(req, "x-openclaw-scopes")?.trim();
+ const headerValue = getHeader(req, "x-openclaw-scopes");
+ if (headerValue === undefined) {
+ // No scope header present — trusted clients without an explicit header
+ // get the default operator scopes (matching pre-#57783 behavior).
+ return [...CLI_DEFAULT_OPERATOR_SCOPES];
+ }
+ const raw = headerValue.trim();
 if (!raw) {
 return [];
 }
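Review bot: The new `headerValue === undefined` branch makes a missing `x-openclaw-scopes` header fail open to `CLI_DEFAULT_OPERATOR_SCOPES` (which, going by the description, include `operator.write`), so the early `return [];` guard above it is the only thing keeping an untrusted caller from those scopes, and its condition starts outside this hunk. It is worth confirming that the guard passes only for the intended modes (the description names `--auth none`) and adding tests that pin all three cases: untrusted request without the header gives `[]`, trusted request without the header gives the defaults, trusted request with an empty header gives `[]`. Absent and empty now carry opposite meanings, so an intermediary that drops empty-valued headers would turn "no scopes" into the defaults; the comment could record that, e.g. `// Absent header => defaults; empty header => no scopes. Upstream proxies must not strip empty headers.` If `getHeader` can ever return `null`, `if (headerValue == null)` would be the safer check, because `.trim()` has lost its `?.` guard.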