Add per-agent `publicMode` configuration that suppresses local runtime
details (hostname, OS, architecture, workspace paths, skills snapshot)
from the system prompt when serving public-facing agents via the HTTP API.

- New `publicMode?: boolean` field in agent config schema
- `resolveAgentPublicMode()` in agent-scope for config lookup
- System prompt emits `"Runtime: public-facing agent"` instead of
  host/OS/arch details when publicMode is active
- Skills snapshot suppressed for publicMode agents
- New `X-OpenClaw-Sender-Is-Owner` HTTP header for both chat completions
  and OpenResponses endpoints, replacing the hardcoded `senderIsOwner: true`
- For publicMode agents, missing header defaults to non-owner semantics;
  for normal agents, missing header defaults to owner semantics
- `resolveIngressSenderIsOwner()` utility in http-utils
- Documentation updates for security boundary, header usage, and config
- Tests for system prompt suppression, param redaction, and header parsing

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* feat(gateway): add auth rate-limiting & brute-force protection

Add a per-IP sliding-window rate limiter to Gateway authentication
endpoints (HTTP, WebSocket upgrade, and WS message-level auth).

When gateway.auth.rateLimit is configured, failed auth attempts are
tracked per client IP. Once the threshold is exceeded within the
sliding window, further attempts are blocked with HTTP 429 + Retry-After
until the lockout period expires. Loopback addresses are exempt by
default so local CLI sessions are never locked out.

The limiter is only created when explicitly configured (undefined
otherwise), keeping the feature fully opt-in and backward-compatible.

* fix(gateway): isolate auth rate-limit scopes and normalize 429 responses

---------
Co-authored-by: buerbaumer <buerbaumer@users.noreply.github.com>
Co-authored-by: Peter Steinberger <steipete@gmail.com>
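
The per-IP sliding-window limiter described in the rate-limiting commit message above, as an added example that is not OpenClaw's code. All class, field and scope names are hypothetical, and locking on the Nth failure inside the window is an assumption about how "threshold" is counted.

```typescript
// Added example; every name here is hypothetical, not OpenClaw's API.
interface RateLimitConfig {
  maxAttempts: number; // failed attempts inside the window that trigger lockout
  windowMs: number; // sliding-window length
  lockoutMs: number; // how long the client stays blocked
  exemptLoopback?: boolean; // defaults to true
}
interface Decision { allowed: boolean; retryAfterSec: number }
interface Entry { failures: number[]; lockedUntil: number }

const isLoopback = (ip: string): boolean =>
  ip === "::1" || ip.startsWith("127.") || ip.startsWith("::ffff:127.");

class AuthRateLimiter {
  private entries = new Map<string, Entry>();
  private cfg: RateLimitConfig;
  constructor(cfg: RateLimitConfig) { this.cfg = cfg; }

  private exempt(ip: string): boolean {
    return this.cfg.exemptLoopback !== false && isLoopback(ip);
  }

  // Call before verifying credentials. When allowed is false the caller
  // answers 429 and sets Retry-After to retryAfterSec.
  check(scope: string, ip: string, now: number): Decision {
    const entry = this.entries.get(`${scope}|${ip}`);
    if (this.exempt(ip) || !entry || entry.lockedUntil <= now) {
      return { allowed: true, retryAfterSec: 0 };
    }
    return { allowed: false, retryAfterSec: Math.ceil((entry.lockedUntil - now) / 1000) };
  }

  // Call after a failed attempt. Failures older than the window are dropped,
  // and each scope (HTTP, WS upgrade, WS message) keeps its own counter.
  recordFailure(scope: string, ip: string, now: number): void {
    if (this.exempt(ip)) return;
    const key = `${scope}|${ip}`;
    const entry = this.entries.get(key) ?? { failures: [], lockedUntil: 0 };
    entry.failures = entry.failures.filter((t) => now - t < this.cfg.windowMs);
    entry.failures.push(now);
    if (entry.failures.length >= this.cfg.maxAttempts) {
      entry.lockedUntil = now + this.cfg.lockoutMs;
      entry.failures = [];
    }
    this.entries.set(key, entry);
  }
}

// Opt-in: without a config there is no limiter (undefined).
const createAuthRateLimiter = (cfg?: RateLimitConfig): AuthRateLimiter | undefined =>
  cfg ? new AuthRateLimiter(cfg) : undefined;
```

Timestamps are passed in rather than read from the clock so the window and lockout arithmetic can be checked deterministically.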