fix(security): limit auto-pair to one-shot with 180s timeout

[ericksoa]

Summary

Auto-pair in nemoclaw-start.sh unconditionally approved ALL pending device pairing requests for 10 minutes on every sandbox start. On headless/cloud installs where nobody is at the browser, this is an open window for unauthorized device pairing.

Addresses all three concerns from the PSIRT report:

1. Open approval window — Reduce timeout from 600s to 180s; after first approval, exit within 5s (one-shot)
2. No identity validation — Only approve devices with clientId == 'openclaw-control-ui' (the chat UI); reject all other pending requests immediately
3. Token persistence — Clear all paired devices on sandbox start (openclaw devices clear --yes), revoking stale tokens from previous sessions. Clear remaining pending requests on exit.

Test plan

• 219/219 tests pass
• Manual: nemoclaw onboard — verify chat UI auto-pairs within 180s window
• Manual: verify second device request after first approval is NOT auto-approved
• Manual: verify non-UI clientId requests are rejected
• Manual: verify paired devices from previous session are cleared on restart

Summary by CodeRabbit

• Chores
  • Clears previously persisted device pairings at startup.
  • Polling now validates pending entries and only accepts approvals from the designated UI client; other requests are skipped and rejected.
  • Reduced approval timeout from 600s to 180s, with a brief extension after an approval is received.
  • On timeout, remaining pending requests are cleaned up and rejected.
  • Successful approvals record the approving client ID.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 696118fe-1b2c-4bfa-9e28-36112a95e2a9

📥 Commits

Reviewing files that changed from the base of the PR and between ede8043 and ccdd7c3.

📒 Files selected for processing (1)

• scripts/nemoclaw-start.sh

🚧 Files skipped from review as they are similar to previous changes (1)

• scripts/nemoclaw-start.sh

---

📝 Walkthrough

Walkthrough

📝 Walkthrough

The embedded Python watcher in scripts/nemoclaw-start.sh tightens the approval polling window (600s → 180s), clears persisted device tokens at start, skips/explicitly rejects non-UI client requests, ignores non-dict pending entries, and on timeout rejects remaining pending requests before exiting.

Changes

Cohort / File(s)

Summary

Startup watcher script scripts/nemoclaw-start.sh

Shortened approval polling deadline (600s → 180s); clear persisted device tokens on start (openclaw devices clear --yes); process pending approvals only while not approved; ignore non-dict pending entries; read requestId via device.get('requestId'); skip/log/reject pending requests whose clientId ≠ openclaw-control-ui using openclaw devices reject <id> --json; on timeout reject remaining pendings with openclaw devices clear --pending --yes.

Sequence Diagram(s)

sequenceDiagram
    participant Watcher as Watcher (start_auto_pair)
    participant CLI as openclaw CLI
    participant DeviceSvc as Devices Service

    Watcher->>CLI: clear persisted tokens (`devices clear --yes`)
    loop Polling (until APPROVED or DEADLINE)
        CLI->>DeviceSvc: list pending requests (`devices list --pending --json`)
        DeviceSvc-->>CLI: pending list (array)
        CLI-->>Watcher: pending list (returned)
        alt entry is dict and clientId == openclaw-control-ui
            Watcher->>CLI: accept request (`devices accept <requestId> --json`)
            CLI->>DeviceSvc: accept request
            DeviceSvc-->>CLI: success
            CLI-->>Watcher: success -> increment APPROVED
        else entry is dict and clientId != openclaw-control-ui
            Watcher->>CLI: reject request (`devices reject <requestId> --json`)
            CLI->>DeviceSvc: reject request
            DeviceSvc-->>CLI: success
            CLI-->>Watcher: logged, APPROVED unchanged
        else non-dict entry
            Watcher-->>Watcher: ignore entry
        end
    end
    alt timeout reached and APPROVED == 0
        Watcher->>CLI: clear pending (`devices clear --pending --yes`)
        CLI->>DeviceSvc: clear pending
    end

Loading

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

"I watched the tokens tumble and spin,
Cleared old crumbs so new hops begin.
Only the UI may nibble my treat,
Others get bounced with a polite little beat.
Hooray — one hop, one approved seat!" — 🐇

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main security-focused changes: reducing the auto-pair timeout from 600s to 180s and implementing one-shot approval behavior.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/auto-pair-one-shot

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@scripts/nemoclaw-start.sh`:
- Around line 109-110: APPROVED being cumulative lets subsequent polls reset
DEADLINE; change the logic so DEADLINE is set only once when approval first
occurs — e.g., detect the transition (previous_APPROVED == 0 and APPROVED >= 1)
or check a sentinel like DEADLINE is None/0 before assigning DEADLINE =
time.time() + 5; update the branch around APPROVED and DEADLINE to use that
one-shot guard so later polls cannot re-extend the deadline.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 479fe10e-eabb-4ce8-a9f1-4d01477eed3b

📥 Commits

Reviewing files that changed from the base of the PR and between 055e334 and 4352f8d.

📒 Files selected for processing (1)

• scripts/nemoclaw-start.sh

[coderabbitai]

♻️ Duplicate comments (1)

scripts/nemoclaw-start.sh (1)

120-121: ⚠️ Potential issue | 🔴 Critical

One-shot is still bypassable due cumulative deadline reset.

Line 120 checks cumulative APPROVED, so any later pending poll re-extends Line 121 to now + 5. Also, the current for device in pending loop can approve multiple UI requests in a single poll before the deadline shrinks. This still violates one-shot behavior.

🔧 Proposed fix (set deadline once, approve only first request)

 APPROVED = 0
+ONE_SHOT_DONE = False

 while time.time() < DEADLINE:
@@
     if pending:
         QUIET_POLLS = 0
+        if ONE_SHOT_DONE:
+            time.sleep(1)
+            continue
         for device in pending:
             if not isinstance(device, dict):
                 continue
             request_id = device.get('requestId')
             if not request_id:
                 continue
             client_id = device.get('clientId', '')
             if client_id != 'openclaw-control-ui':
                 print(f'[auto-pair] skipping non-UI device request={request_id} clientId={client_id!r}')
                 run('openclaw', 'devices', 'reject', request_id, '--json')
                 continue
             arc, aout, aerr = run('openclaw', 'devices', 'approve', request_id, '--json')
             if arc == 0:
                 APPROVED += 1
+                ONE_SHOT_DONE = True
+                DEADLINE = time.time() + 5
                 print(f'[auto-pair] approved request={request_id} clientId={client_id}')
+                break
             elif aout or aerr:
                 print(f'[auto-pair] approve failed request={request_id}: {(aerr or aout)[:400]}')
-        if APPROVED >= 1:
-            DEADLINE = time.time() + 5
         time.sleep(1)
         continue

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@scripts/nemoclaw-start.sh` around lines 120 - 121, The current logic resets
DEADLINE on every poll when APPROVED >= 1 and may approve multiple devices in
the "for device in pending" loop, breaking one-shot semantics; change it so
DEADLINE is set only once (e.g., only assign DEADLINE = time.time() + 5 when
DEADLINE is unset/zero) and ensure only the first pending request is approved
per poll by approving the first device and breaking out of the "for device in
pending" loop (or otherwise preventing further approvals) so that APPROVED
cannot be incremented again during the same deadline window.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In `@scripts/nemoclaw-start.sh`:
- Around line 120-121: The current logic resets DEADLINE on every poll when
APPROVED >= 1 and may approve multiple devices in the "for device in pending"
loop, breaking one-shot semantics; change it so DEADLINE is set only once (e.g.,
only assign DEADLINE = time.time() + 5 when DEADLINE is unset/zero) and ensure
only the first pending request is approved per poll by approving the first
device and breaking out of the "for device in pending" loop (or otherwise
preventing further approvals) so that APPROVED cannot be incremented again
during the same deadline window.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 38fc1241-af32-4fa4-8462-4eeab29f2dca

📥 Commits

Reviewing files that changed from the base of the PR and between 4352f8d and 1ef8f17.

📒 Files selected for processing (1)

• scripts/nemoclaw-start.sh

[cv]

clientId is client-supplied and spoofable

The timeout reduction (600s→180s), one-shot exit, and token cleanup on start/exit shrink the attack window. However, the clientId validation — framed as one of the three PSIRT mitigations — does not hold up.

The gateway's device pairing flow:

1. Client opens a WebSocket and sends a connect frame with client.id set to any value from the protocol's union type
2. The gateway stores connectParams.client.id verbatim into the pending pairing request
3. openclaw devices list --json returns that value as-is

There is no server-side validation that the connecting client is the control UI. Any WebSocket client that can reach the gateway can send "openclaw-control-ui" as its client.id and pass this check. The union type in frames.d.ts is a compile-time constraint — it doesn't enforce anything at the protocol level.

The check on line 111 filters out accidental pairing from other legitimate tools (CLI, probes, etc.) but provides no resistance against the intentional attacker scenario described in the PSIRT report.

Recommendations

1. Merge the timeout, one-shot, and cleanup changes as-is
2. Reframe the clientId check in the PR description and code comment as a convenience filter / defense-in-depth, not a security boundary. The PR description currently says "Only approve devices with clientId == 'openclaw-control-ui'; reject all other pending requests immediately" — this overstates what the check achieves
3. If the PSIRT report requires actual identity validation, that needs to happen in the openclaw gateway itself (e.g., origin validation, signed client assertions, or server-side client registration) — it can't be solved in this script
4. The for device in pending loop can approve multiple UI requests in a single poll before APPROVED is checked — add a break after the first successful approval to tighten one-shot semantics