Surface pending scope upgrades in gateway auth errors

[obviyus]

Summary

When a paired read-only device reconnects asking for wider operator scopes, surface the real approval state instead of a generic pairing/auth failure.

Changes

• format pairing rejection details into actionable scope/role/metadata upgrade messages
• surface those messages in CLI/status/probe flows and show a dedicated pending-approval state in Control UI

Verification

• OPENCLAW_LOCAL_CHECK=0 pnpm test src/gateway/protocol/connect-error-details.test.ts src/gateway/probe.test.ts src/cli/daemon-cli/probe.test.ts src/commands/status.test.ts src/commands/status.command-sections.test.ts ui/src/ui/views/overview.node.test.ts ui/src/ui/views/overview.render.test.ts ui/src/ui/app-gateway.node.test.ts src/gateway/server.auth.control-ui.suite.ts
• pnpm build
• manual repro against a throwaway local gateway + live Control UI session

[greptile-apps]

Greptile Summary

This PR surfaces structured pairing-rejection details (scope/role/metadata upgrade reasons and requestId) across the gateway auth error path — replacing a single generic "gateway pairing required" message with actionable, reason-specific copy in the CLI status command, daemon probe, and Control UI overview view. The round-trip is: gateway emits structured ConnectPairingRequiredDetails → formatConnectPairingRequiredMessage encodes them into the human-readable error string → readConnectPairingRequiredMessage re-parses the string on the consumer side to drive UI branching. requestId values are validated against a strict allowlist regex at both encode and decode, so there is no injection risk in the constructed approve command.

Confidence Score: 5/5

Safe to merge — changes are additive, well-tested, and handle all existing pairing code paths correctly.

All findings are P2. The logic for the new resolvePairingHint/readConnectPairingRequiredMessage round-trip is correct and backward-compatible; existing shouldShowPairingHint callers are unaffected. requestId sanitisation is validated by a dedicated test. Coverage includes unit tests for all new branches plus integration tests for the UI rendering.

No files require special attention.

Prompt To Fix All With AI

This is a comment left during a code review.
Path: ui/src/ui/views/overview-hints.ts
Line: 45-60

Comment:
**Fallback `null` for unknown `reason` maps to `"pairing-required"`**

When `readConnectPairingRequiredMessage` returns a truthy object but `reason` is undefined (can happen if `resolvePairingRequiredReasonFromMessage` falls through its last `"pairing required"` branch and returns `"not-paired"`, or future server-sent reasons that don't match any known value), the ternary chain falls through to `"pairing-required"` — which is the correct safe default and matches the existing `PAIRING_HINT_COPY` entry. No action needed, but it's worth a comment that this is intentional, since the type `PairingHint["kind"]` doesn't include an explicit `null`/`unknown` arm.

How can I resolve this? If you propose a fix, please make it concise.

_{Reviews (1): Last reviewed commit: "fix(control-ui): show scope upgrade pend..." | Re-trigger Greptile}

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 6b11d47f41

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: ad7395687c

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 21dd622b8d

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 018dd966d8

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[obviyus]

Landed on main via rebase.

Source commit: 758ebe7
Merge commit: aff96ea

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 758ebe7fd6

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Detect pairing-pending from surfaced connect errors

This branch now prefers connectError, so pairing rejections can surface as messages like scope upgrade pending approval ... even when the close reason is generic (connect failed). However, probe capability classification still prioritizes close.reason in isPairingPendingProbeFailure, so these cases are reported as generic failures instead of pairing_pending, which suppresses pairing-specific recovery UX in probe/daemon status flows.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Preserve server text when pairing details are partial

This unconditional rewrite for PAIRING_REQUIRED drops the original server message and always formats from structured details; if reason/requestId are missing (both are optional in PairingConnectErrorDetails), the output collapses to a generic device pairing required. That loses actionable upgrade context from message text and can remove request-id guidance that callers parse from error strings.

Useful? React with 👍 / 👎.