fix(security): limit auto-pair to one-shot with 180s timeout

[ericksoa]

Summary

Auto-pair in nemoclaw-start.sh unconditionally approved ALL pending device pairing requests for 10 minutes on every sandbox start. On headless/cloud installs where nobody is at the browser, this is an open window for unauthorized device pairing.

Addresses all three concerns from the PSIRT report:

1. Open approval window — Reduce timeout from 600s to 180s; after first approval, exit within 5s (one-shot)
2. No identity validation — Only approve devices with clientId == 'openclaw-control-ui' (the chat UI); reject all other pending requests immediately
3. Token persistence — Clear all paired devices on sandbox start (openclaw devices clear --yes), revoking stale tokens from previous sessions. Clear remaining pending requests on exit.

Test plan

• 219/219 tests pass
• Manual: nemoclaw onboard — verify chat UI auto-pairs within 180s window
• Manual: verify second device request after first approval is NOT auto-approved
• Manual: verify non-UI clientId requests are rejected
• Manual: verify paired devices from previous session are cleared on restart

Summary by CodeRabbit

• Chores
  • Auto-pair watcher now clears previously persisted device pairings at startup.
  • Polling validates pending entries and only accepts approvals from the designated UI client; other requests are rejected and skipped.
  • Reduced approval timeout from 600s to 180s, with a small dynamic extension when approvals are received.
  • On timeout, remaining pending requests are cleaned up and rejected.
  • Successful approvals log the approving client ID.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 734d9bf2-c9e1-4271-aa5a-3f37e197c3b4

📥 Commits

Reviewing files that changed from the base of the PR and between 1ef8f17 and ede8043.

📒 Files selected for processing (1)

• scripts/nemoclaw-start.sh

🚧 Files skipped from review as they are similar to previous changes (1)

• scripts/nemoclaw-start.sh

---

📝 Walkthrough

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and specifically summarizes the main security-focused change: limiting auto-pair functionality to one-shot with a 180s timeout, which aligns with the primary objectives and file changes.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/auto-pair-one-shot

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@scripts/nemoclaw-start.sh`:
- Around line 109-110: APPROVED being cumulative lets subsequent polls reset
DEADLINE; change the logic so DEADLINE is set only once when approval first
occurs — e.g., detect the transition (previous_APPROVED == 0 and APPROVED >= 1)
or check a sentinel like DEADLINE is None/0 before assigning DEADLINE =
time.time() + 5; update the branch around APPROVED and DEADLINE to use that
one-shot guard so later polls cannot re-extend the deadline.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 479fe10e-eabb-4ce8-a9f1-4d01477eed3b

📥 Commits

Reviewing files that changed from the base of the PR and between 055e334 and 4352f8d.

📒 Files selected for processing (1)

• scripts/nemoclaw-start.sh

[coderabbitai]

♻️ Duplicate comments (1)

scripts/nemoclaw-start.sh (1)

120-121: ⚠️ Potential issue | 🔴 Critical

One-shot is still bypassable due cumulative deadline reset.

Line 120 checks cumulative APPROVED, so any later pending poll re-extends Line 121 to now + 5. Also, the current for device in pending loop can approve multiple UI requests in a single poll before the deadline shrinks. This still violates one-shot behavior.

🔧 Proposed fix (set deadline once, approve only first request)

 APPROVED = 0
+ONE_SHOT_DONE = False

 while time.time() < DEADLINE:
@@
     if pending:
         QUIET_POLLS = 0
+        if ONE_SHOT_DONE:
+            time.sleep(1)
+            continue
         for device in pending:
             if not isinstance(device, dict):
                 continue
             request_id = device.get('requestId')
             if not request_id:
                 continue
             client_id = device.get('clientId', '')
             if client_id != 'openclaw-control-ui':
                 print(f'[auto-pair] skipping non-UI device request={request_id} clientId={client_id!r}')
                 run('openclaw', 'devices', 'reject', request_id, '--json')
                 continue
             arc, aout, aerr = run('openclaw', 'devices', 'approve', request_id, '--json')
             if arc == 0:
                 APPROVED += 1
+                ONE_SHOT_DONE = True
+                DEADLINE = time.time() + 5
                 print(f'[auto-pair] approved request={request_id} clientId={client_id}')
+                break
             elif aout or aerr:
                 print(f'[auto-pair] approve failed request={request_id}: {(aerr or aout)[:400]}')
-        if APPROVED >= 1:
-            DEADLINE = time.time() + 5
         time.sleep(1)
         continue

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@scripts/nemoclaw-start.sh` around lines 120 - 121, The current logic resets
DEADLINE on every poll when APPROVED >= 1 and may approve multiple devices in
the "for device in pending" loop, breaking one-shot semantics; change it so
DEADLINE is set only once (e.g., only assign DEADLINE = time.time() + 5 when
DEADLINE is unset/zero) and ensure only the first pending request is approved
per poll by approving the first device and breaking out of the "for device in
pending" loop (or otherwise preventing further approvals) so that APPROVED
cannot be incremented again during the same deadline window.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In `@scripts/nemoclaw-start.sh`:
- Around line 120-121: The current logic resets DEADLINE on every poll when
APPROVED >= 1 and may approve multiple devices in the "for device in pending"
loop, breaking one-shot semantics; change it so DEADLINE is set only once (e.g.,
only assign DEADLINE = time.time() + 5 when DEADLINE is unset/zero) and ensure
only the first pending request is approved per poll by approving the first
device and breaking out of the "for device in pending" loop (or otherwise
preventing further approvals) so that APPROVED cannot be incremented again
during the same deadline window.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 38fc1241-af32-4fa4-8462-4eeab29f2dca

📥 Commits

Reviewing files that changed from the base of the PR and between 4352f8d and 1ef8f17.

📒 Files selected for processing (1)

• scripts/nemoclaw-start.sh