nyrn
/
openclaw
mirror of https://github.com/openclaw/openclaw.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
8,120 Commits 750 Branches 79 Tags 3.2 GiB
Commit Graph

57 Commits

Author SHA1 Message Date
Peter Steinberger 0f8f0fb9d7 docs: clarify command authorization for exec directives 2026-01-26 22:18:41 +00:00
Peter Steinberger 820ab8765a docs: clarify exec defaults 2026-01-26 21:37:56 +00:00
Peter Steinberger 1371e95e57 docs: clarify onboarding + credentials 2026-01-26 20:26:30 +00:00
Peter Steinberger 320b45c051 docs: note sandbox opt-in in gateway security 2026-01-26 20:13:10 +00:00
Peter Steinberger e6bdffe568 feat: add control ui device auth bypass 2026-01-26 17:40:28 +00:00
Peter Steinberger ded366d9ab docs: expand security guidance for prompt injection and browser control 2026-01-26 15:20:14 +00:00
Jamieson O'Reilly a1f9825d63
security: add mDNS discovery config to reduce information disclosure (#1882) 
* security: add mDNS discovery config to reduce information disclosure

mDNS broadcasts can expose sensitive operational details like filesystem
paths (cliPath) and SSH availability (sshPort) to anyone on the local
network. This information aids reconnaissance and should be minimized
for gateways exposed beyond trusted networks.

Changes:
- Add discovery.mdns.enabled config option to disable mDNS entirely
- Add discovery.mdns.minimal option to omit cliPath/sshPort from TXT records
- Update security docs with operational security guidance

Minimal mode still broadcasts enough for device discovery (role, gatewayPort,
transport) while omitting details that help map the host environment.
Apps that need CLI path can fetch it via the authenticated WebSocket.

* fix: default mDNS discovery mode to minimal (#1882) (thanks @orlyjamie)

---------

Co-authored-by: theonejvo <orlyjamie@users.noreply.github.com>
Co-authored-by: Peter Steinberger <steipete@gmail.com>
 2026-01-26 13:32:11 +00:00
Peter Steinberger c4a80f4edb fix: require gateway auth by default 2026-01-26 12:56:33 +00:00
Peter Steinberger fd9be79be1 fix: harden tailscale serve auth 2026-01-26 12:49:19 +00:00
Jamieson O'Reilly 6aec34bc60
fix(gateway): prevent auth bypass when behind unconfigured reverse proxy (#1795) 
* fix(gateway): prevent auth bypass when behind unconfigured reverse proxy

When proxy headers (X-Forwarded-For, X-Real-IP) are present but
gateway.trustedProxies is not configured, the gateway now treats
connections as non-local. This prevents a scenario where all proxied
requests appear to come from localhost and receive automatic trust.

Previously, running behind nginx/Caddy without configuring trustedProxies
would cause isLocalClient=true for all external connections, potentially
bypassing authentication and auto-approving device pairing.

The gateway now logs a warning when this condition is detected, guiding
operators to configure trustedProxies for proper client IP detection.

Also adds documentation for reverse proxy security configuration.

* fix: harden reverse proxy auth (#1795) (thanks @orlyjamie)

---------

Co-authored-by: orlyjamie <orlyjamie@users.noreply.github.com>
Co-authored-by: Peter Steinberger <steipete@gmail.com>
 2026-01-25 15:08:03 +00:00
Peter Steinberger 8f3da653b0 fix: allow control ui token auth without pairing 2026-01-25 12:47:17 +00:00
Peter Steinberger 629ce4454d docs: add tips + clawd-to-clawd faq 2026-01-25 04:04:18 +00:00
Peter Steinberger e6e71457e0 fix: honor trusted proxy client IPs (PR #1654) 
Thanks @ndbroadbent.

Co-authored-by: Nathan Broadbent <git@ndbroadbent.com>
 2026-01-25 01:52:19 +00:00
Peter Steinberger 9ae03b92bb docs: clarify prompt injection guidance 2026-01-22 04:19:33 +00:00
Peter Steinberger f76e3c1419 fix: enforce secure control ui auth 2026-01-21 23:58:42 +00:00
Peter Steinberger b5fd66c92d fix: add explicit tailnet gateway bind 2026-01-21 20:36:09 +00:00
Peter Steinberger e5ea8a0d22 docs: add network hub + pairing locality 2026-01-21 00:14:14 +00:00
Peter Steinberger 51dfd6efdb fix: tighten small-model audit guardrails 2026-01-20 23:52:26 +00:00
Peter Steinberger 06c17a333e docs: update protocol + security notes 2026-01-20 13:04:20 +00:00
Peter Steinberger 6f5205d826 docs: elevate security audit callout 2026-01-18 23:37:14 +00:00
Peter Steinberger ae0b4c4990 feat: add exec host routing + node daemon 2026-01-18 07:46:00 +00:00
Peter Steinberger e71fa4a145 docs: note session log disk access 2026-01-17 19:30:46 +00:00
Ruby 0cd24137e8
feat: add session.identityLinks for cross-platform DM session linking (#1033) 
Co-authored-by: Shadow <shadow@clawd.bot>
 2026-01-16 14:23:22 -06:00
Peter Steinberger d0c986c4f0 feat: warn on weak model tiers 2026-01-16 09:34:37 +00:00
Ubuntu ca9688b5cc feat(session): add dmScope for multi-user DM isolation 
Co-authored-by: Alphonse-arianee <Alphonse-arianee@users.noreply.github.com>
 2026-01-16 04:13:10 +00:00
Peter Steinberger b2b331230b feat: mac node exec policy + remote skills hot reload 2026-01-16 03:45:06 +00:00
Peter Steinberger ca1902fb4e feat(security): expand audit and safe --fix 2026-01-15 05:31:43 +00:00
Peter Steinberger 0e76d21f11 docs(security): mention audit --fix 2026-01-15 05:03:13 +00:00
Peter Steinberger ef78b198cb feat: add Chrome extension browser relay 2026-01-15 04:52:28 +00:00
hyaxia f3c9252840 Security: add detect-secrets scan 2026-01-15 03:14:43 +00:00
Peter Steinberger c2a4f256c8 feat: add security audit + onboarding checkpoint 2026-01-15 01:25:11 +00:00
Peter Steinberger 3eb48cbea7 docs: complete channels rename sweep 2026-01-13 08:40:39 +00:00
Peter Steinberger 90342a4f3a refactor!: rename chat providers to channels 2026-01-13 08:40:39 +00:00
Peter Steinberger b70298fbca fix: document Tailscale Serve auth headers (#823) (thanks @roshanasingh4) 2026-01-13 04:37:04 +00:00
Peter Steinberger 98e75fce17 test: align group policy defaults 2026-01-12 08:45:57 +00:00
Peter Steinberger 006e1352d8 fix: harden msteams group access 2026-01-12 08:32:08 +00:00
Peter Steinberger 8b4bdaa8a4 feat: add apply_patch tool (exec-gated) 2026-01-12 03:42:56 +00:00
Peter Steinberger 98337a14b3 fix: rename bash tool to exec (#748) (thanks @myfunc) 2026-01-12 02:49:55 +00:00
Peter Steinberger cf0c72a557 feat: add plugin architecture 2026-01-11 12:11:12 +00:00
Peter Steinberger fe46a2663b docs: clarify browser allowlist defaults and risks 2026-01-11 02:00:30 +01:00
Peter Steinberger b0b4b33b6b fix: update gateway auth docs and clients 2026-01-11 01:51:24 +01:00
Peter Steinberger 81f9093c3c fix(pairing): accept positional provider args 2026-01-10 16:36:43 +01:00
Peter Steinberger cdb915d527 chore: normalize Clawdbot naming 2026-01-10 05:14:09 +01:00
Peter Steinberger bd10f3d3f1 feat: allow session_status in sandbox 2026-01-09 23:41:57 +00:00
Peter Steinberger 88cbe2d275 fix: cap pairing requests and suppress outbound pairing replies 2026-01-09 22:58:18 +00:00
Peter Steinberger 5fa26bfec7 feat: add per-agent elevated controls 2026-01-09 20:42:19 +00:00
Peter Steinberger 7b81d97ec2 feat: wire multi-agent config and routing 
Co-authored-by: Mark Pors <1078320+pors@users.noreply.github.com>
 2026-01-09 12:48:42 +00:00
Peter Steinberger 14096fb629 docs: add model allowlist + reasoning safety notes 2026-01-09 02:07:33 +01:00
Peter Steinberger 014667e00b fix: tighten group elevated targeting 2026-01-08 22:57:18 +01:00
Peter Steinberger 884e734809 feat(doctor): audit config + state permissions 2026-01-08 21:51:34 +01:00