fix(kiloclaw): approve gateway-client devices locally

[joshavant]

Summary

• Route KiloClaw gateway-client auto-approval through a local OpenClaw pairing helper instead of openclaw devices approve, avoiding the gateway-RPC deadlock when gateway-client is blocked by scope-upgrade.
• Keep preventative scope widening and move existing gateway-client paired-device remediation before doctor/onboard so stale volumes are repaired earlier in bootstrap.
• Add bounded retry/backoff for gateway-client auto-approval and a fail-open timeout for openclaw doctor on existing configs.

Verification

The local helper was smoke-tested against a temporary OpenClaw 2026.4.15 state directory to confirm it approves a gateway-client operator request and writes full approved/token scopes.

Visual Changes

N/A

Reviewer Notes

The helper intentionally locates OpenClaw's hashed device-pairing-*.js dist chunk and verifies it exports a function named approveDevicePairing; the Docker build includes a smoke check so OpenClaw packaging drift fails image build instead of silently disabling recovery. The doctor timeout is fail-open only for existing configs; first-boot onboard behavior remains fatal.

[kilo-code-bot]

Code Review Summary

Status: No Issues Found | Recommendation: Merge

Files Reviewed (4 files)

• services/kiloclaw/controller/src/bootstrap.test.ts
• services/kiloclaw/controller/src/bootstrap.ts
• services/kiloclaw/controller/src/pairing-cache.test.ts
• services/kiloclaw/controller/src/pairing-cache.ts

---

_{Reviewed by gpt-5.5-2026-04-23 · 1,113,219 tokens}