fix: request full operator scopes for OpenClaw v2026.2.14 compatibility

[robbyczgw-cla]

Problem

After updating OpenClaw to v2026.2.14, WebClaw fails to load sessions and models:

[models] Error fetching models: Error: missing scope: operator.read

Fixes #30

Root Cause

OpenClaw v2026.2.14 enforces scope checks on API methods. The gateway clears all requested scopes to [] for clients without device auth.

Fix

Request all three operator scopes in buildConnectParams:

- scopes: ['operator.admin'],
+ scopes: ['operator.read', 'operator.write', 'operator.admin'],

Important: This PR alone is not enough

Users also need to add to their OpenClaw config:

{
  "gateway": {
    "controlUi": {
      "dangerouslyDisableDeviceAuth": true
    }
  }
}

This tells the gateway to preserve scopes for token-authenticated clients without device identity. Without this config, the gateway clears scopes regardless of what the client requests.

Update (v2026.2.15): OpenClaw #17682 fixed the gateway to properly handle this for dangerouslyDisableDeviceAuth mode. Both steps (this PR + config flag) are needed.

Long-term solution

Implement Device Auth (Ed25519 keypair signing) in WebClaw — this eliminates the need for dangerouslyDisableDeviceAuth. Successfully implemented and tested in OpenCami.

Local Validation

• Tested with OpenClaw v2026.2.14 and v2026.2.15
• Sessions, models, and chat all work with both steps applied

AI-assisted (Claude). Reviewed and tested by human.

[robbyczgw-cla]

Superseded by #32 which implements proper Device Auth — eliminates the need for both the scope workaround and dangerouslyDisableDeviceAuth.