feat: add GATEWAY_OPERATOR_SCOPES and update connection parameters for operator role

backend/app/services/openclaw/gateway_rpc.py

@@ -22,6 +22,11 @@ from app.core.logging import TRACE_LEVEL, get_logger
 
 PROTOCOL_VERSION = 3
 logger = get_logger(__name__)
+GATEWAY_OPERATOR_SCOPES = (
+    "operator.admin",
+    "operator.approvals",
+    "operator.pairing",
+)
 
 # NOTE: These are the base gateway methods from the OpenClaw gateway repo.
 # The gateway can expose additional methods at runtime via channel plugins.
@@ -229,6 +234,8 @@ def _build_connect_params(config: GatewayConfig) -> dict[str, Any]:
     params: dict[str, Any] = {
         "minProtocol": PROTOCOL_VERSION,
         "maxProtocol": PROTOCOL_VERSION,
+        "role": "operator",
+        "scopes": list(GATEWAY_OPERATOR_SCOPES),
         "client": {
             "id": "gateway-client",
             "version": "1.0.0",

backend/tests/test_gateway_rpc_connect_scopes.py

@@ -0,0 +1,24 @@
+from __future__ import annotations
+
+from app.services.openclaw.gateway_rpc import (
+    GATEWAY_OPERATOR_SCOPES,
+    GatewayConfig,
+    _build_connect_params,
+)
+
+
+def test_build_connect_params_sets_explicit_operator_role_and_scopes() -> None:
+    params = _build_connect_params(GatewayConfig(url="ws://gateway.example/ws"))
+
+    assert params["role"] == "operator"
+    assert params["scopes"] == list(GATEWAY_OPERATOR_SCOPES)
+    assert "auth" not in params
+
+
+def test_build_connect_params_includes_auth_token_when_provided() -> None:
+    params = _build_connect_params(
+        GatewayConfig(url="ws://gateway.example/ws", token="secret-token"),
+    )
+
+    assert params["auth"] == {"token": "secret-token"}
+    assert params["scopes"] == list(GATEWAY_OPERATOR_SCOPES)