#22253: fix: auto-approve local loopback pairing for role/scope upgrades
gateway
size: XS
Cluster:
Device Pairing and Gateway Fixes
Local loopback connections (127.0.0.1) now auto-approve device pairing for all upgrade reasons (not-paired, role-upgrade, scope-upgrade), instead of only auto-approving for 'not-paired'.\n\nThis fixes sessions_spawn failing with 'gateway closed (1008): pairing required' when spawning subagents, because subagents connect via loopback and may request scopes/roles beyond what the device was originally paired with.\n\nFixes #12210\nFixes #21445
<!-- greptile_comment -->
<h3>Greptile Summary</h3>
This PR extends auto-approval of device pairing for loopback connections (127.0.0.1) to include role and scope upgrades, not just initial pairing. Previously, only `not-paired` requests were auto-approved for local clients, but `role-upgrade` and `scope-upgrade` still required manual approval, causing subagent spawning to fail with "pairing required" errors.
<h3>Confidence Score: 5/5</h3>
- This PR is safe to merge with minimal risk - it's a focused security policy adjustment for trusted loopback connections
- The change is minimal (one line), well-scoped, and logically sound. It removes an unnecessary restriction where local loopback connections (already authenticated and trusted) still required manual pairing approval for role/scope upgrades. The security boundary is maintained since `isLocalClient` validates the connection originates from 127.0.0.1, and authentication is still required before reaching this code path
- No files require special attention
<sub>Last reviewed commit: 8e1e789</sub>
<!-- greptile_other_comments_section -->
<sub>(2/5) Greptile learns from your feedback when you react with thumbs up/down!</sub>
<!-- /greptile_comment -->
Most Similar PRs
#22794: fix: allow local clients to auto-pair without manual approval
by Matrix-Meta · 2026-02-21
90.0%
#23708: fix(gateway): auto-approve scope upgrades for loopback clients
by widingmarcus-cyber · 2026-02-22
88.2%
#23690: fix(gateway): subagent sessions fail with pairing required on loopb...
by yinghaosang · 2026-02-22
88.1%
#22712: fix(gateway): auto-approve all device pairing for localhost connect...
by NewdlDewdl · 2026-02-21
84.8%
#22365: fix(gateway): auto-approve loopback scope upgrades
by AIflow-Labs · 2026-02-21
83.9%
#17425: fix(gateway): auto-approve scope/role upgrades for already-paired d...
by sauerdaniel · 2026-02-15
83.7%
#22280: fix(gateway): silently auto-approve local paired-device scope upgrades
by abhishekp76 · 2026-02-21
83.6%
#22587: fix(gateway): silently auto-approve local paired-device scope upgrades
by abhishekp76 · 2026-02-21
83.2%
#21664: fix(gateway): require re-pairing for legacy devices that lack scope...
by AI-Reviewer-QS · 2026-02-20
81.6%
#21666: fix(gateway): restrict auto-paired device scopes to safe defaults
by AI-Reviewer-QS · 2026-02-20
81.1%