diff --git a/AGENTS.md b/AGENTS.md
index 8ee83aa..fef0594 100644
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -376,9 +376,47 @@ docker build -t registry.lan/openclaw:latest .
 **Problem**: Web UI shows "disconnected (1008): pairing required"
 
 **Solution**:
-1. Check logs for device IDs: `docker logs CONTAINER | grep pairing`
-2. Manually approve devices in paired.json
-3. Restart container
+1. Use the built-in CLI approver (recommended):
+
+```bash
+# approve newest pending request
+docker exec CONTAINER_NAME node dist/index.js devices approve --latest --token "$OPENCLAW_GATEWAY_TOKEN"
+
+# inspect current state
+docker exec CONTAINER_NAME node dist/index.js devices list --token "$OPENCLAW_GATEWAY_TOKEN"
+```
+
+2. If using Tailscale Serve, ensure Gateway auth/proxy settings are correct:
+
+```json
+{
+  "gateway": {
+    "bind": "loopback",
+    "tailscale": { "mode": "serve" },
+    "auth": { "allowTailscale": true },
+    "trustedProxies": ["127.0.0.1", "::1"]
+  }
+}
+```
+
+3. If error changes to `device token mismatch`, the browser usually has stale local state.
+   - Open the Control UI in an Incognito/Private window.
+   - Re-paste gateway token in settings, or open a tokenized URL from:
+
+```bash
+docker exec CONTAINER_NAME node dist/index.js dashboard --no-open
+```
+
+4. If needed, only clear pending requests (not full config):
+
+```bash
+docker exec CONTAINER_NAME sh -c 'echo {} > /home/node/.openclaw/devices/pending.json'
+```
+
+**Notes**:
+- Remote browsers (LAN/Tailscale) still require one-time device pairing.
+- Localhost (`127.0.0.1`) auto-approves.
+- Config edits trigger Gateway reload/restart automatically; container restart is usually unnecessary.
 
 ### Permission Denied Errors
 
diff --git a/docker-compose.yml b/docker-compose.yml
index 661d513..3d98d23 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,6 +1,20 @@
 version: "3.8"
 
 services:
+  openclaw-init-perms:
+    image: alpine:3.20
+    container_name: openclaw-init-perms
+    restart: "no"
+    command:
+      [
+        "sh",
+        "-c",
+        "mkdir -p /config /workspace && chown -R 1000:1000 /config /workspace && chmod 755 /config /workspace",
+      ]
+    volumes:
+      - openclaw-config:/config
+      - openclaw-workspace:/workspace
+
   openclaw-gateway:
     build:
       context: ./docker
@@ -10,6 +24,9 @@ services:
     image: openclaw:custom-arm64
     container_name: openclaw-gateway
     restart: unless-stopped
+    depends_on:
+      openclaw-init-perms:
+        condition: service_completed_successfully
     environment:
       HOME: /home/node
       TERM: xterm-256color