When /pair approve Bypasses the Scope Guard
typescript
dev.to
There's a particular class of security bug that I find endlessly fascinating: the one where two paths to the same action have different authorization checks. One path is locked down tight. The other... someone forgot.

#55995 is exactly that. CVSS 9.9. Critical. And the fix is 8 lines of code.

The Setup

OpenClaw's device pairing system lets you connect phones, tablets, and other "nodes" to your gateway. When a device pairs, it gets a token with specific scopes — think of scopes as pe