fix(scripts): allow CLI clients in auto-pair watcher

[stevenrick]

Summary

The auto-pair watcher in nemoclaw-start.sh rejects CLI device-pairing requests, making the OpenClaw gateway unreachable for all openclaw CLI commands inside the sandbox (channels, status, tui, devices, etc.). Adding 'cli' to ALLOWED_MODES fixes this.

Related Issue

Fixes #1310

Related: #1310

Changes

• Add 'cli' to ALLOWED_MODES in the auto-pair watcher embedded in scripts/nemoclaw-start.sh

Type of Change

• Code change for a new feature, bug fix, or refactor.
• Code change with doc updates.
• Doc only. Prose changes without code sample modifications.
• Doc only. Includes code sample changes.

Testing

Tested on a Brev instance with a fresh nemoclaw onboard:

Before: openclaw channels status → gateway connect failed: GatewayClientRequestError: pairing required

After: openclaw channels status → Gateway reachable.

openclaw devices list --json confirms the CLI client is paired with full operator scopes. The existing security comment notes this allowlist is "defense-in-depth, not a trust boundary" — the sandbox user can already execute openclaw agent --local without gateway access.

• npx prek run --all-files passes (or equivalently make check).
• npm test passes.
• make docs builds without warnings. (for doc-only changes)

Checklist

General

• I have read and followed the contributing guide.
• I have read and followed the style guide. (for doc-only changes)

Code Changes

• Formatters applied — npx prek run --all-files auto-fixes formatting (or make format for targeted runs).
• Tests added or updated for new or changed behavior.
• No secrets, API keys, or credentials committed.
• Doc pages updated for any user-facing behavior changes (new commands, changed defaults, new features, bug fixes that contradict existing docs).

---

Signed-off-by: Steven Rick srick@nvidia.com

Summary by CodeRabbit

• New Features
  • Expanded device support to include CLI mode in auto-pairing functionality.

[coderabbitai]

📝 Walkthrough

Walkthrough

The auto-pair watcher's client-mode allowlist is expanded to accept both 'webchat' and 'cli' client modes, replacing the single-mode condition. All other control flow, security checks, and validation logic remain unchanged.

Changes

Cohort / File(s)	Summary
Client-mode allowlist expansion scripts/nemoclaw-start.sh	Expanded client-mode condition from exclusively accepting clientMode == 'webchat' to also approving clientMode == 'cli', enabling CLI clients to pass the auto-pair watcher validation.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Poem

A CLI hops in through the gate,
Where webchat once stood tall and great—
Now both modes dance in harmony,
The watcher smiles, "You're welcome, see?" 🐰✨

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately and concisely describes the main change: allowing CLI clients in the auto-pair watcher functionality.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[ericksoa]

Superseded by PR #1081, which cherry picked this into the overall fix on messaging. Thanks for the contribution @stevenrick !