44 Commits

Author SHA1 Message Date
Sid
e1e715c53d fix(gateway): skip device pairing for local backend self-connections (#30801)
* fix(gateway): skip device pairing for local backend self-connections

When gateway.tls is enabled, sessions_spawn (and other internal
callGateway operations) creates a new WebSocket to the gateway.
The gateway treated this self-connection like any external client
and enforced device pairing, rejecting it with "pairing required"
(close code 1008). This made sub-agent spawning impossible when
TLS was enabled in Docker with bind: "lan".

Skip pairing for connections that are gateway-client self-connections
from localhost with valid shared auth (token/password). These are
internal backend calls (e.g. sessions_spawn, subagent-announce) that
already have valid credentials and connect from the same host.

Closes #30740

* gateway: tighten backend self-pair bypass guard

* tests: cover backend self-pairing local-vs-remote auth path

* changelog: add gateway tls pairing fix credit

---------

Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
2026-03-01 21:46:33 -08:00
Vincent Koc
cb9374a2a1 Gateway: improve device-auth v2 migration diagnostics (#28305)
* Gateway: add device-auth detail code resolver

* Gateway: emit specific device-auth detail codes

* Gateway tests: cover nonce and signature detail codes

* Docs: add gateway device-auth migration diagnostics

* Docs: add device-auth v2 troubleshooting signatures
2026-02-26 21:05:43 -08:00
Peter Steinberger
96aad965ab fix: land NO_REPLY announce suppression and auth scope assertions
Landed follow-up for #27535 and aligned shared-auth gateway expectations after #27498.

Co-authored-by: kevinWangSheng <118158941+kevinWangSheng@users.noreply.github.com>
2026-02-26 13:40:58 +00:00
Peter Steinberger
7d8aeaaf06 fix(gateway): pin paired reconnect metadata for node policy 2026-02-26 14:11:04 +01:00
Peter Steinberger
0cc3e8137c refactor(gateway): centralize trusted-proxy control-ui bypass policy 2026-02-26 02:26:52 +01:00
Peter Steinberger
ec45c317f5 fix(gateway): block trusted-proxy control-ui node bypass 2026-02-26 01:54:19 +01:00
Peter Steinberger
20c2db2103 refactor(gateway): split browser auth hardening paths 2026-02-26 01:37:00 +01:00
Peter Steinberger
c736f11a16 fix(gateway): harden browser websocket auth chain 2026-02-26 01:22:49 +01:00
Peter Steinberger
8d1481cb4a fix(gateway): require pairing for unpaired operator device auth 2026-02-26 00:52:50 +01:00
Peter Steinberger
f58c1ef34e test(gateway): speed up contract and polling suites 2026-02-24 00:31:58 +00:00
Peter Steinberger
f52a0228ca test: optimize auth and audit test runtime 2026-02-23 23:31:52 +00:00
Peter Steinberger
ca761d6225 test: consolidate gateway auth test scenarios 2026-02-23 21:57:17 +00:00
Peter Steinberger
9165bd7f37 fix(gateway): auto-approve loopback scope upgrades
Co-authored-by: Marcus Widing <245375637+widingmarcus-cyber@users.noreply.github.com>
2026-02-22 22:11:50 +01:00
Peter Steinberger
bbdfba5694 fix: harden connect auth flow and exec policy diagnostics 2026-02-22 20:22:00 +01:00
Peter Steinberger
0c1f491a02 fix(gateway): clarify pairing and node auth guidance 2026-02-22 19:50:29 +01:00
Peter Steinberger
b13bba9c35 fix(gateway): skip operator pairing on valid shared auth 2026-02-22 19:25:50 +01:00
Peter Steinberger
66529c7aa5 refactor(gateway): unify auth credential resolution 2026-02-22 18:23:13 +01:00
Peter Steinberger
adfbbcf1f6 chore: merge origin/main into main 2026-02-22 13:42:52 +00:00
Peter Steinberger
aa14835607 test: reclassify gateway local suites from e2e 2026-02-22 11:48:46 +00:00
Peter Steinberger
37e5f077b8 test: move gateway server coverage to e2e 2026-01-23 18:34:33 +00:00
Peter Steinberger
60a60779d7 test: streamline slow suites 2026-01-23 07:26:19 +00:00
Peter Steinberger
c7ca312f97 test(gateway): consolidate server suites for speed 2026-01-23 06:22:09 +00:00
Peter Steinberger
59a8eecd7e test: speed up test suite 2026-01-23 02:22:02 +00:00
Peter Steinberger
f76e3c1419 fix: enforce secure control ui auth 2026-01-21 23:58:42 +00:00
Peter Steinberger
28e547f120 fix: stabilize ci 2026-01-21 22:59:11 +00:00
Peter Steinberger
b48d5d96d3 test: cover scope upgrade flow 2026-01-20 13:04:19 +00:00
Peter Steinberger
dfbf6ac263 feat: enforce device-bound connect challenge 2026-01-20 13:04:19 +00:00
Peter Steinberger
74757cd5af fix: stabilize gateway defaults 2026-01-20 11:11:26 +00:00
Peter Steinberger
cf04b0e3bf fix: align gateway presence + config defaults tests (#1208) (thanks @24601) 2026-01-20 10:45:59 +00:00
Peter Steinberger
d88b239d3c feat: add device token auth and devices cli 2026-01-20 10:30:53 +00:00
Peter Steinberger
9dbc1435a6 fix: enforce ws3 roles + node allowlist 2026-01-20 09:24:01 +00:00
Peter Steinberger
3690be9419 test: stabilize gateway windows sigterm 2026-01-19 16:16:13 +00:00
Peter Steinberger
d3b15c6afa ci: stabilize vitest runs 2026-01-18 06:58:54 +00:00
Peter Steinberger
1a0d1cb7b2 test: stabilize gateway ports and timers 2026-01-18 05:44:22 +00:00
Peter Steinberger
016693a1f5 fix: abort embedded prompts on cancel 2026-01-18 05:18:10 +00:00
Peter Steinberger
c379191f80 chore: migrate to oxlint and oxfmt
Co-authored-by: Christoph Nakazawa <christoph.pojer@gmail.com>
2026-01-14 15:02:19 +00:00
Peter Steinberger
58a12a757e fix(sandbox): avoid sandboxing main DM sessions 2026-01-12 01:24:44 +00:00
Peter Steinberger
32df2ef7bd fix: stabilize invalid-connect handshake response 2026-01-12 00:19:47 +00:00
Peter Steinberger
4b51c96e4e fix: apply model extra params without overwriting stream (#732) (thanks @peschee) 2026-01-12 00:03:48 +00:00
Peter Steinberger
55e55c8825 fix: preserve handshake close code and test truncation 2026-01-11 23:57:37 +00:00
Peter Steinberger
146f7ab433 fix: surface handshake reasons 2026-01-11 23:46:20 +00:00
Peter Steinberger
246adaa119 chore: rename project to clawdbot 2026-01-04 14:38:51 +00:00
Peter Steinberger
cdfbd6e7eb test(gateway): align config constants in auth test 2026-01-03 19:37:09 +01:00
Peter Steinberger
6ae51ae3de refactor: split gateway server helpers and tests 2026-01-03 17:34:52 +01:00