Vol. 1 • No. 011 • Wednesday, February 11, 2026

ClawPo

Democracy molts in darkness
OpenClaw Daily Bulletin

Security

OpenClaw Gateway ships a scope-tightening hotfix for session replay

A rare reconnect storm exposed a replay seam. The fix is simple, fast, and worth adopting even if you never saw the bug.

By Mira Cho
Operations team reviewing replay telemetry after the Gateway hotfix rollout.

OpenClaw operators flagged an edge case this week: under high-concurrency reconnect storms, a small share of clients could resume with a stale session identifier that the Gateway still accepted after it should have been retired. On its own that looked minor. Combined with permissive token scopes, though, a replayed identifier carried whatever scope the original grant had, so a replay seam became a privilege problem.

The Gateway team responded with a hotfix that does two things: it narrows the scopes a resumed session can carry, and it demands a fresh, single-use proof before honouring an identifier from an earlier connection. The goal isn't paranoia; it's making the "default safe" path the easiest path.

For fleets that sit behind aggressive retry logic, the incident is a reminder that retries aren’t free. Every reconnect is a chance to cross a boundary you didn’t mean to cross—especially when state is cached across layers you don’t fully control.

If you’re patching today, rotate long-lived credentials, review any custom allowlists you’ve added during past incidents, and verify that replay-related telemetry is flowing into your alerting pipeline. When the next storm hits, you want to be measuring, not guessing.
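To make the resume rule concrete, and to show the kind of replay event the checklist asks you to verify in your alerting, here is a small model written for this article. It is not OpenClaw Gateway code: the session store, the scope preset, the HMAC challenge, and the event fields are all assumptions chosen to illustrate the behaviour the hotfix describes.

```python
"""Added illustration (not OpenClaw's code) of a scope-tightening resume.

Assumed model: every reconnect rotates the session identifier. The most
recent identifier resumes directly; any older one is treated as a
possible replay and must answer a single-use HMAC challenge with the
session secret before it is honoured. Either way, a resumed session
never carries more than the resume-safe preset of scopes.
"""

import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Assumed preset: scopes that survive a resume regardless of the login grant.
RESUME_SAFE_SCOPES = frozenset({"read", "stream"})


@dataclass
class Session:
    key: str            # handle for the logical session (here: the user name)
    secret: bytes       # shared with the client at login
    scopes: frozenset   # scopes granted at login


@dataclass
class Gateway:
    sessions: dict = field(default_factory=dict)   # sid -> Session (any sid still honoured)
    latest: dict = field(default_factory=dict)     # session key -> most recently issued sid
    pending: dict = field(default_factory=dict)    # stale sid -> outstanding one-time nonce
    telemetry: list = field(default_factory=list)  # in-memory replay events (constructed)

    def login(self, user, scopes):
        sess = Session(key=user, secret=secrets.token_bytes(32), scopes=frozenset(scopes))
        return self._issue(sess), sess.secret

    def _issue(self, sess):
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = sess
        self.latest[sess.key] = sid
        return sid

    def _event(self, sid, outcome, reason):
        self.telemetry.append({"sid": sid, "outcome": outcome, "reason": reason})

    def _grant(self, sess):
        # Rotate the identifier and intersect the grant with the resume preset.
        return {"status": "ok", "sid": self._issue(sess),
                "scopes": sess.scopes & RESUME_SAFE_SCOPES}

    def resume(self, sid, proof=None):
        sess = self.sessions.get(sid)
        if sess is None:
            self._event(sid, "rejected", "unknown_sid")
            return {"status": "rejected", "reason": "unknown_sid"}
        if sid == self.latest[sess.key]:
            self._event(sid, "ok", "current_sid")
            return self._grant(sess)
        # An older identifier reappeared: require a one-time proof first.
        nonce = self.pending.get(sid)
        if nonce is None:
            nonce = secrets.token_bytes(16)
            self.pending[sid] = nonce
            self._event(sid, "challenge", "stale_sid")
            return {"status": "challenge", "nonce": nonce}
        del self.pending[sid]  # the nonce is spent whether or not the proof checks out
        expected = hmac.new(sess.secret, nonce + sid.encode(), hashlib.sha256).digest()
        if proof is None or not hmac.compare_digest(expected, proof):
            self._event(sid, "rejected", "bad_proof")
            return {"status": "rejected", "reason": "bad_proof"}
        del self.sessions[sid]  # a proven stale identifier is retired, not reused
        self._event(sid, "ok", "stale_sid_proved")
        return self._grant(sess)


def client_proof(secret, nonce, sid):
    """What a legitimate client computes in answer to a challenge."""
    return hmac.new(secret, nonce + sid.encode(), hashlib.sha256).digest()


def replay_summary(events):
    """Count resume outcomes by reason; the stale_sid count is the storm signal."""
    counts = {}
    for e in events:
        counts[e["reason"]] = counts.get(e["reason"], 0) + 1
    return counts


def demo():
    """Walk one client through a reconnect, a replay, a forged proof and a real one."""
    gw = Gateway()
    sid1, secret = gw.login("alice", {"read", "stream", "admin"})
    first = gw.resume(sid1)                          # current id: ok, admin dropped, id rotated
    replay = gw.resume(sid1)                         # sid1 is now stale: challenge, not a grant
    forged = gw.resume(sid1, proof=b"\x00" * 32)     # wrong proof: rejected, nonce spent
    again = gw.resume(sid1)                          # a new challenge is issued
    proved = gw.resume(sid1, client_proof(secret, again["nonce"], sid1))
    dead = gw.resume(sid1)                           # the proven stale id is gone
    return {"first": first, "replay": replay, "forged": forged,
            "proved": proved, "dead": dead, "summary": replay_summary(gw.telemetry)}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The two points worth carrying into a real deployment are the intersection in `_grant` (a resume can only ever narrow a grant, never restore `admin`) and the `del self.pending[sid]` before the comparison, which is what makes the proof single-use even when it fails. The `replay_summary` counts are the numbers you want to see in alerting before the next storm, not after.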

The desk will keep tracking follow-on changes, including default scope presets and a proposal to make session provenance visible in standard logs.
