fix(security): harden auto-pair with one-shot exit and shorter timeout

[cjagwani]

Summary

Fixes #1310 — after a fresh nemoclaw onboard, openclaw tui fails with "Pairing required" because the auto-pair watcher either doesn't approve in time or leaves stale tokens from previous sessions.

Supersedes #690 (closed), incorporating cv's review feedback.

Changes to start_auto_pair() in scripts/nemoclaw-start.sh:

• Timeout 600s → 180s — shrinks the open approval window
• Clear stale tokens on start — openclaw devices clear --yes before polling, preventing "Token Mismatch" errors from previous sessions (reported by rp-tn in [NemoClaw][All Platforms] after onboarded, openclaw tui shows "Pairing required. Run openclaw devices list, approve your request ID, then reconnect." #1310)
• One-shot exit — after the first successful approval, set deadline to now+5s and break out of the inner loop. The APPROVED == 1 guard ensures the deadline is only set once (addresses cv's review on fix(security): limit auto-pair to one-shot with 180s timeout #690)
• Explicitly reject non-allowlisted clients — openclaw devices reject instead of silently skipping
• Clear pending on timeout — openclaw devices clear --pending --yes in the else clause

Not changed: The clientId allowlist comment was updated to correctly frame it as defense-in-depth, not a security boundary (per cv's review). Real identity validation would need gateway-side changes.

Test plan

• nemoclaw-start.test.js — 31/31 pass
• shellcheck passes
• Manual: nemoclaw onboard with defaults → nemoclaw <sandbox> connect → openclaw tui → verify chat works without manual device approval
• Manual: verify second device request after first approval is NOT auto-approved
• Manual: verify stale tokens from previous session don't cause "Token Mismatch" errors on restart

🤖 Generated with Claude Code

Summary by CodeRabbit

• Chores
  • Improved device auto-pairing workflow with faster processing and enhanced cleanup procedures.
  • Strengthened request validation by explicitly rejecting non-conforming device requests.
  • Optimized timeout handling to prevent unnecessary pending requests from accumulating.

[coderabbitai]

Caution

Review failed

Pull request was closed or merged during review

📝 Walkthrough

Walkthrough

Modified the auto-pair watcher embedded in nemoclaw-start.sh to clear stale device tokens on startup, explicitly reject non-matching device requests during polling, shorten the approval window from 600 to 180 seconds, terminate approval loops after the first success, and clear pending requests on timeout instead of only logging the timeout.

Changes

Cohort / File(s)	Summary
Auto-pair Watcher Logic scripts/nemoclaw-start.sh	Enhanced device token lifecycle management with explicit rejection of non-allowlisted requests, shortened approval windows, early loop termination after first approval, and proactive cleanup of pending requests on timeout.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 Hoppy hops through the pairing dance,
Clears old tokens with a second glance,
Rejects the strangers, approves the true,
Then bounds away—approval's through!
✨ No more waiting, swift and fleet,

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main security-focused changes: hardening auto-pair with one-shot exit and shorter timeout to prevent stale tokens and unnecessary approvals.
Linked Issues check	✅ Passed	The PR implements all key requirements from issue #1310: reduces timeout window, clears stale tokens at start, rejects non-allowlisted clients, exits after first approval, and clears pending on timeout.
Out of Scope Changes check	✅ Passed	All changes are focused on hardening the auto-pair mechanism within scripts/nemoclaw-start.sh and directly address the pairing failure symptoms described in issue #1310.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/auto-pair-one-shot-timeout

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[cjagwani]

Closing — this hardens the auto-pair mechanism but doesn't address the root cause of why pairing fails on fresh onboard. Will reopen with a proper fix after investigating.