惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

T
Tenable Blog
月光博客
月光博客
雷峰网
雷峰网
WordPress大学
WordPress大学
博客园 - 司徒正美
Last Week in AI
Last Week in AI
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
V
Visual Studio Blog
H
Help Net Security
Engineering at Meta
Engineering at Meta
Google DeepMind News
Google DeepMind News
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
S
Security @ Cisco Blogs
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
爱范儿
爱范儿
W
WeLiveSecurity
J
Java Code Geeks
Forbes - Security
Forbes - Security
H
Hacker News: Front Page
T
Threatpost
The Cloudflare Blog
C
Cyber Attacks, Cyber Crime and Cyber Security
N
Netflix TechBlog - Medium
Latest news
Latest news
V2EX - 技术
V2EX - 技术
小众软件
小众软件
T
The Blog of Author Tim Ferriss
A
Arctic Wolf
B
Blog RSS Feed
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
I
InfoQ
C
Check Point Blog
N
News | PayPal Newsroom
Cyberwarzone
Cyberwarzone
V
V2EX
TaoSecurity Blog
TaoSecurity Blog
P
Privacy & Cybersecurity Law Blog
Microsoft Security Blog
Microsoft Security Blog
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
D
DataBreaches.Net
F
Fortinet All Blogs
阮一峰的网络日志
阮一峰的网络日志
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
IT之家
IT之家
K
Kaspersky official blog
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
Google DeepMind News
Google DeepMind News
C
CXSECURITY Database RSS Feed - CXSecurity.com
www.infosecurity-magazine.com
www.infosecurity-magazine.com

Recent Commits to openclaw:main

test: merge chat side-result checks · openclaw/openclaw@ddd2c2a test: merge cron history checks · openclaw/openclaw@f7eb746 test: merge responsive navigation shell checks · openclaw/openclaw@c2e4b47 docs(changelog): add codex oauth fixes · openclaw/openclaw@628e6cd test: merge navigation routing cases · openclaw/openclaw@5d8cecb Tests: mock channel registry bundled fallback · openclaw/openclaw@2b08233 Secrets: avoid broad web search discovery for single plugin config · openclaw/openclaw@a464f59 test: merge config view browser checks · openclaw/openclaw@20cf511 fix(status): align oauth health with runtime · openclaw/openclaw@eed7116 feat: add macOS screen snapshots for monitor preview (#67954) thanks … · openclaw/openclaw@f377db1 fix: report shared auth scopes in hello-ok (#67810) thanks @BunsDev · openclaw/openclaw@0b6c39b Auto-reply: avoid eager bundled route fallback · openclaw/openclaw@3ea1bf4 Tests: narrow session binding contract setup · openclaw/openclaw@54e4e16 fix(macOS): enable undo/redo in webchat composer text input (#34962) · openclaw/openclaw@00951dc Tests: speed up channel setup promotion · openclaw/openclaw@82b529a Docs: refresh agent instructions · openclaw/openclaw@5775fe2 fix(auth): serialize OAuth refresh across agents to fix #26322 (#67876) · openclaw/openclaw@8e79080 test: allow ollama public surface boundary test · openclaw/openclaw@7d4f1a6 Docs: add test performance guardrails · openclaw/openclaw@89706d3 Tests: restore context-engine usage proof · openclaw/openclaw@e4c4f95 Tests: slim context engine runtime coverage · openclaw/openclaw@74c198f ci: retry failed custom checkouts · openclaw/openclaw@0ee5baf test: trim duplicate provider auth onboarding cases · openclaw/openclaw@1ffc02e matrix: fix sessions_spawn --thread subagent session spawning (#67643) · openclaw/openclaw@1ce2596 test: reduce auth choice fixture churn · openclaw/openclaw@857b9cd test: mock health status config boundaries · openclaw/openclaw@9d5ab4a test: mock onboard config io boundary · openclaw/openclaw@299694d test: mock legacy state plugin boundaries · openclaw/openclaw@2713089 test: mock channel install boundaries · openclaw/openclaw@b945248 test: mock doctor preview channel boundaries · openclaw/openclaw@b1a3ad4 test: trim doctor command hotspots · openclaw/openclaw@c66f16a test: isolate agent auth and spawn hotspots · openclaw/openclaw@9285935 test: stabilize MCP startup disposal race · openclaw/openclaw@dd9d2eb test: merge browser contract server suites · openclaw/openclaw@5817a76 test: narrow ollama provider discovery setup · openclaw/openclaw@a0d9598 build: declare qa-lab aimock runtime dependency · openclaw/openclaw@24431e5 test: speed up safe-bins exec harness · openclaw/openclaw@ee856ab test: preserve tool helpers in embedded runner mocks · openclaw/openclaw@acd86a0 refactor: move memory embeddings into provider plugins · openclaw/openclaw@77e6e4c test: reuse system-run temp fixtures · openclaw/openclaw@7e9ff0f test: trim hotspot wait overhead · openclaw/openclaw@12a59b0 Check: avoid duplicate boundary prep · openclaw/openclaw@baf11b8 test: reduce hotspot fixture overhead · openclaw/openclaw@3a59edd feat(ui): overhaul settings and slash command UX (#67819) thanks @Bun… · openclaw/openclaw@2cfb660 QA Matrix: exit cleanly on failure · openclaw/openclaw@42805d2 QA Matrix: isolate scenario coverage · openclaw/openclaw@7e659e1 Matrix: refresh crypto bootstrap state · openclaw/openclaw@94081d8 QA Lab: add provider registry · openclaw/openclaw@bb7e982 Matrix: add plugin changelog · openclaw/openclaw@4acab55 test: trim more hotspot overhead · openclaw/openclaw@f485311 test: trim remaining hotspot tests · openclaw/openclaw@6ba8626 test: narrow hotspot mocks · openclaw/openclaw@dbc8179 test: isolate gemini embedding request helpers · openclaw/openclaw@cd330f5 test: trim memory and mcp hotspots · openclaw/openclaw@fd48dfa test: slim provider registry mocks · openclaw/openclaw@2e08c77 test: harden Parallels update smoke · openclaw/openclaw@1a98090 feat: default Anthropic to Opus 4.7 · openclaw/openclaw@628b454 fix: harden node-host shell payload mutability checks · openclaw/openclaw@75c551e fix: land node-host approval binding for native binaries (#66731) (th… · openclaw/openclaw@29919bb CI: add daily schedule to CodeQL workflow (#67645) · openclaw/openclaw@69d25f5 fix(gateway): capture config hash after plugin auto-enable to prevent… · openclaw/openclaw@8c11210 fix: repair sanitized replay tool results before send (#67620) (thank… · openclaw/openclaw@c3c7a99 fix: restrict HTML timeout short-circuit to transient statuses · openclaw/openclaw@de129a6 fix: keep TUI watchdog bound to active run (#67401) (thanks @xantorres) · openclaw/openclaw@3525273 Gateway/skills: dedupe skills prefix-match + drop dead fallback on log · openclaw/openclaw@d7f489f Extensions/lmstudio: back off inference preload after consecutive fai… · openclaw/openclaw@b555214 TUI/streaming: add watchdog that resets the activity indicator after … · openclaw/openclaw@f44ab20 Agents/tool-loop: enable unknown-tool stream guard by default · openclaw/openclaw@36ed367 Gateway/skills: invalidate session skills snapshot on config write · openclaw/openclaw@b23d59a fix: classify HTML provider error pages correctly (#67642) (thanks @s… · openclaw/openclaw@e588e90 fix(skills): remove unused model-usage import (#67641) · openclaw/openclaw@55f05df docs(changelog): credit codex fix superseded PRs · openclaw/openclaw@e485f24 fix(openai-codex): normalize stale transport metadata in resolution a… · openclaw/openclaw@90801ba CI: pin Docker-related GitHub Actions (#67632) · openclaw/openclaw@f697b01 Android: modernize WebView and discovery API usage (#67627) · openclaw/openclaw@44a6e50 fix(deps): bump hono to 4.12.14 and @hono/node-server to 1.19.14 (GHS… · openclaw/openclaw@fbccc18 fix(deps): bump dompurify to 3.4.0 (#67614) · openclaw/openclaw@2c2dc00 CI: add explicit permissions to all workflow jobs (fixes code-scannin… · openclaw/openclaw@01b7516 fix: register bundled TTS providers and route overrides correctly (#6… · openclaw/openclaw@6ea3cdd fix: align host tilde paths with OS home (#62804) (thanks @stainlu) · openclaw/openclaw@ecfaf64 fix: flush creds queue before reconnect socket open (#67464) (thanks … · openclaw/openclaw@405c63f fix: strip standalone <function> tool call tags from visible text (#6… · openclaw/openclaw@78df859 fix(agents): preserve cli session metadata before transcript persist … · openclaw/openclaw@898fd04 docs(changelog): move cli transcript entry · openclaw/openclaw@c1817c6 fix(agents): normalize cli transcript api field · openclaw/openclaw@3a3fae0 docs(changelog): note cli transcript persistence · openclaw/openclaw@6c343f1 fix(agents): persist cli transcript turns · openclaw/openclaw@b8ef507 fix(msteams): harden security-sensitive flows (#65841) · openclaw/openclaw@c56b56e [Dashboard] Fix exec approval modal overflow for long command content… · openclaw/openclaw@053c5b0 Docs: remove QA changelog entry · openclaw/openclaw@7fd5771 QA: fix private runtime source loading (#67428) · openclaw/openclaw@d5933af docs(gateway): correct protocol.md schema path, hello-ok example, aut… · openclaw/openclaw@489404d CI: pin Node 22 runners to 22.18.0 · openclaw/openclaw@4ffa621 models.authStatus: normalize provider ids + tighten env-backed escape… · openclaw/openclaw@f2fdb9d Update CHANGELOG.md · openclaw/openclaw@7694a92 test(parallels): clean up npm update guard jobs · openclaw/openclaw@045ea7b Plugins: prefer scanDir override paths · openclaw/openclaw@b2974da fix(dreaming): default storage.mode to "separate" so phase blocks sto… · openclaw/openclaw@8c392f0 fix(memory-core): skip dreaming transcript ingestion via session stor… · openclaw/openclaw@a1b01f0 fix: dedupe replayed exec.finished node events (#67281) · openclaw/openclaw@5dcf526
fix: repair iOS LAN pairing · openclaw/openclaw@36df0d9
BunsDev · 2026-05-06 · via Recent Commits to openclaw:main
Original file line numberDiff line numberDiff line change

@@ -102,6 +102,7 @@ Docs: https://docs.openclaw.ai

102102

### Fixes

103103
104104

- Slack: preserve Socket Mode SDK error context and structured Slack API fields in reconnect logs, so startup failures no longer collapse to a bare `unknown error`.

105+

- iOS pairing: allow setup-code and manual `ws://` connects for private LAN and `.local` gateways while keeping Tailscale/public routes on `wss://`, and prefer explicit gateway passwords over stale bootstrap tokens in mixed-auth reconnects. Fixes #47887; carries forward #65185. Thanks @draix and @BunsDev.

105106

- Plugins/diagnostics: make source-only TypeScript package warnings actionable by explaining that missing compiled runtime output is a publisher packaging issue and pointing users to update/reinstall or disable/uninstall the plugin. Fixes #77835. Thanks @googlerest.

106107

- TUI: skip the generic CLI respawn wrapper for interactive launches, exit cleanly on terminal loss, and refuse to restore heartbeat sessions as the remembered chat session, preventing stale heartbeat history and orphaned `openclaw-tui` processes on first boot. Thanks @vincentkoc.

107108

- Doctor/sessions: move heartbeat-poisoned default main session store entries to recovery keys and clear stale TUI restore pointers, so `doctor --fix` can repair instances already stuck on `agent:main:main` heartbeat history. Thanks @vincentkoc.

Original file line numberDiff line numberDiff line change

@@ -689,7 +689,7 @@ final class GatewayConnectionController {

689689

}

690690
691691

private func shouldRequireTLS(host: String) -> Bool {

692-

!Self.isLoopbackHost(host)

692+

!LoopbackHost.isLocalNetworkHost(host)

693693

}

694694
695695

private func shouldForceTLS(host: String) -> Bool {

@@ -698,51 +698,6 @@ final class GatewayConnectionController {

698698

return trimmed.hasSuffix(".ts.net") || trimmed.hasSuffix(".ts.net.")

699699

}

700700
701-

private static func isLoopbackHost(_ rawHost: String) -> Bool {

702-

var host = rawHost.trimmingCharacters(in: .whitespacesAndNewlines).lowercased()

703-

guard !host.isEmpty else { return false }

704-
705-

if host.hasPrefix("[") && host.hasSuffix("]") {

706-

host.removeFirst()

707-

host.removeLast()

708-

}

709-

if host.hasSuffix(".") {

710-

host.removeLast()

711-

}

712-

if let zoneIndex = host.firstIndex(of: "%") {

713-

host = String(host[..<zoneIndex])

714-

}

715-

if host.isEmpty { return false }

716-
717-

if host == "localhost" || host == "0.0.0.0" || host == "::" {

718-

return true

719-

}

720-

return Self.isLoopbackIPv4(host) || Self.isLoopbackIPv6(host)

721-

}

722-
723-

private static func isLoopbackIPv4(_ host: String) -> Bool {

724-

var addr = in_addr()

725-

let parsed = host.withCString { inet_pton(AF_INET, $0, &addr) == 1 }

726-

guard parsed else { return false }

727-

let value = UInt32(bigEndian: addr.s_addr)

728-

let firstOctet = UInt8((value >> 24) & 0xFF)

729-

return firstOctet == 127

730-

}

731-
732-

private static func isLoopbackIPv6(_ host: String) -> Bool {

733-

var addr = in6_addr()

734-

let parsed = host.withCString { inet_pton(AF_INET6, $0, &addr) == 1 }

735-

guard parsed else { return false }

736-

return withUnsafeBytes(of: &addr) { rawBytes in

737-

let bytes = rawBytes.bindMemory(to: UInt8.self)

738-

let isV6Loopback = bytes[0..<15].allSatisfy { $0 == 0 } && bytes[15] == 1

739-

if isV6Loopback { return true }

740-
741-

let isMappedV4 = bytes[0..<10].allSatisfy { $0 == 0 } && bytes[10] == 0xFF && bytes[11] == 0xFF

742-

return isMappedV4 && bytes[12] == 127

743-

}

744-

}

745-
746701

private func manualStableID(host: String, port: Int) -> String {

747702

"manual|\(host.lowercased())|\(port)"

748703

}

Original file line numberDiff line numberDiff line change

@@ -101,6 +101,20 @@ private func agentAction(

101101

#expect(DeepLinkParser.parse(url) == nil)

102102

}

103103
104+

@Test func parseGatewayLinkAllowsPrivateLanWs() {

105+

let url = URL(

106+

string: "openclaw://gateway?host=openclaw.local&port=18789&tls=0&token=abc")!

107+

#expect(

108+

DeepLinkParser.parse(url) == .gateway(

109+

.init(

110+

host: "openclaw.local",

111+

port: 18789,

112+

tls: false,

113+

bootstrapToken: nil,

114+

token: "abc",

115+

password: nil)))

116+

}

117+
104118

@Test func parseGatewayLinkRejectsInsecurePrefixBypassHost() {

105119

let url = URL(

106120

string: "openclaw://gateway?host=127.attacker.example&port=18789&tls=0&token=abc")!

@@ -162,6 +176,25 @@ private func agentAction(

162176

password: nil))

163177

}

164178
179+

@Test func parseGatewaySetupCodeAllowsPrivateLanWs() {

180+

let payload = #"{"url":"ws://openclaw.local:18789","bootstrapToken":"tok"}"#

181+

let link = GatewayConnectDeepLink.fromSetupCode(setupCode(from: payload))

182+
183+

#expect(link == .init(

184+

host: "openclaw.local",

185+

port: 18789,

186+

tls: false,

187+

bootstrapToken: "tok",

188+

token: nil,

189+

password: nil))

190+

}

191+
192+

@Test func parseGatewaySetupCodeRejectsTailnetPlaintextWs() {

193+

let payload = #"{"url":"ws://gateway.tailnet.ts.net:18789","bootstrapToken":"tok"}"#

194+

let link = GatewayConnectDeepLink.fromSetupCode(setupCode(from: payload))

195+

#expect(link == nil)

196+

}

197+
165198

@Test func parseGatewaySetupInputParsesFullCopiedSetupMessage() {

166199

let payload = #"{"url":"wss://gateway.example.com","bootstrapToken":"tok"}"#

167200

let link = GatewayConnectDeepLink.fromSetupInput("""

Original file line numberDiff line numberDiff line change

@@ -107,8 +107,9 @@ import Testing

107107

let controller = makeController()

108108
109109

#expect(controller._test_resolveManualUseTLS(host: "gateway.example.com", useTLS: false) == true)

110-

#expect(controller._test_resolveManualUseTLS(host: "openclaw.local", useTLS: false) == true)

111110

#expect(controller._test_resolveManualUseTLS(host: "127.attacker.example", useTLS: false) == true)

111+

#expect(controller._test_resolveManualUseTLS(host: "gateway.ts.net", useTLS: false) == true)

112+

#expect(controller._test_resolveManualUseTLS(host: "100.64.0.9", useTLS: false) == true)

112113
113114

#expect(controller._test_resolveManualUseTLS(host: "localhost", useTLS: false) == false)

114115

#expect(controller._test_resolveManualUseTLS(host: "127.0.0.1", useTLS: false) == false)

@@ -118,6 +119,17 @@ import Testing

118119

#expect(controller._test_resolveManualUseTLS(host: "0.0.0.0", useTLS: false) == false)

119120

}

120121
122+

@Test @MainActor func manualConnectionsAllowPrivateLanPlaintext() async {

123+

let controller = makeController()

124+
125+

#expect(controller._test_resolveManualUseTLS(host: "openclaw.local", useTLS: false) == false)

126+

#expect(controller._test_resolveManualUseTLS(host: "192.168.1.20", useTLS: false) == false)

127+

#expect(controller._test_resolveManualUseTLS(host: "10.0.0.5", useTLS: false) == false)

128+

#expect(controller._test_resolveManualUseTLS(host: "172.16.1.5", useTLS: false) == false)

129+

#expect(controller._test_resolveManualUseTLS(host: "169.254.1.5", useTLS: false) == false)

130+

#expect(controller._test_resolveManualUseTLS(host: "fd00::1", useTLS: false) == false)

131+

}

132+
121133

@Test @MainActor func manualDefaultPortUses443OnlyForTailnetTLSHosts() async {

122134

let controller = makeController()

123135
Original file line numberDiff line numberDiff line change

@@ -116,7 +116,7 @@ public struct GatewayConnectDeepLink: Codable, Sendable, Equatable {

116116

return nil

117117

}

118118

let tls = payload.tls ?? true

119-

if !tls, !LoopbackHost.isLoopbackHost(host) {

119+

if !tls, !LoopbackHost.isLocalNetworkHost(host) {

120120

return nil

121121

}

122122

return GatewayConnectDeepLink(

@@ -143,7 +143,7 @@ public struct GatewayConnectDeepLink: Codable, Sendable, Equatable {

143143

return nil

144144

}

145145

let tls = scheme == "wss" || scheme == "https"

146-

if !tls, !LoopbackHost.isLoopbackHost(hostname) {

146+

if !tls, !LoopbackHost.isLocalNetworkHost(hostname) {

147147

return nil

148148

}

149149

return GatewayConnectDeepLink(

@@ -254,7 +254,7 @@ public enum DeepLinkParser {

254254

}

255255

let port = query["port"].flatMap { Int($0) } ?? 18789

256256

let tls = (query["tls"] as NSString?)?.boolValue ?? false

257-

if !tls, !LoopbackHost.isLoopbackHost(hostParam) {

257+

if !tls, !LoopbackHost.isLocalNetworkHost(hostParam) {

258258

return nil

259259

}

260260

return .gateway(

Original file line numberDiff line numberDiff line change

@@ -522,7 +522,8 @@ public actor GatewayChannelActor {

522522

(includeDeviceIdentity && explicitPassword == nil && explicitBootstrapToken == nil

523523

? storedToken

524524

: nil)

525-

let authBootstrapToken = authToken == nil ? explicitBootstrapToken : nil

525+

let authBootstrapToken =

526+

authToken == nil && explicitPassword == nil ? explicitBootstrapToken : nil

526527

let authDeviceToken = shouldUseDeviceRetryToken ? storedToken : nil

527528

let authSource: GatewayAuthSource = if authDeviceToken != nil || (explicitToken == nil && authToken != nil) {

528529

.deviceToken

Original file line numberDiff line numberDiff line change

@@ -41,16 +41,32 @@ public enum LoopbackHost {

4141

}

4242
4343

public static func isLocalNetworkHost(_ rawHost: String) -> Bool {

44-

let host = rawHost.trimmingCharacters(in: .whitespacesAndNewlines).lowercased()

44+

let host = self.normalizedHost(rawHost)

4545

guard !host.isEmpty else { return false }

4646

if self.isLoopbackHost(host) { return true }

4747

if host.hasSuffix(".local") { return true }

48-

if host.hasSuffix(".ts.net") { return true }

49-

if host.hasSuffix(".tailscale.net") { return true }

50-

// Allow MagicDNS / LAN hostnames like "peters-mac-studio-1".

51-

if !host.contains("."), !host.contains(":") { return true }

52-

guard let ipv4 = self.parseIPv4(host) else { return false }

53-

return self.isLocalNetworkIPv4(ipv4)

48+

if let ipv4 = self.parseIPv4(host) {

49+

return self.isLocalNetworkIPv4(ipv4)

50+

}

51+

guard let ipv6 = IPv6Address(host) else { return false }

52+

let bytes = Array(ipv6.rawValue)

53+

let isUniqueLocal = (bytes[0] & 0xFE) == 0xFC

54+

let isLinkLocal = bytes[0] == 0xFE && (bytes[1] & 0xC0) == 0x80

55+

return isUniqueLocal || isLinkLocal

56+

}

57+
58+

static func normalizedHost(_ rawHost: String) -> String {

59+

var host = rawHost

60+

.trimmingCharacters(in: .whitespacesAndNewlines)

61+

.lowercased()

62+

.trimmingCharacters(in: CharacterSet(charactersIn: "[]"))

63+

if host.hasSuffix(".") {

64+

host.removeLast()

65+

}

66+

if let zoneIndex = host.firstIndex(of: "%") {

67+

host = String(host[..<zoneIndex])

68+

}

69+

return host

5470

}

5571
5672

static func parseIPv4(_ host: String) -> (UInt8, UInt8, UInt8, UInt8)? {

@@ -73,8 +89,6 @@ public enum LoopbackHost {

7389

if a == 127 { return true }

7490

// 169.254.0.0/16 (link-local)

7591

if a == 169, b == 254 { return true }

76-

// Tailscale: 100.64.0.0/10

77-

if a == 100, (64...127).contains(Int(b)) { return true }

7892

return false

7993

}

8094

}

Original file line numberDiff line numberDiff line change

@@ -59,6 +59,40 @@ private func setupCode(from payload: String) -> String {

5959

password: nil))

6060

}

6161
62+

@Test func setupCodeAllowsPrivateLanWs() {

63+

let payload = #"{"url":"ws://192.168.1.20:18789","bootstrapToken":"tok"}"#

64+

#expect(

65+

GatewayConnectDeepLink.fromSetupCode(setupCode(from: payload)) == .init(

66+

host: "192.168.1.20",

67+

port: 18789,

68+

tls: false,

69+

bootstrapToken: "tok",

70+

token: nil,

71+

password: nil))

72+

}

73+
74+

@Test func setupCodeAllowsMDNSWs() {

75+

let payload = #"{"url":"ws://openclaw.local:18789","bootstrapToken":"tok"}"#

76+

#expect(

77+

GatewayConnectDeepLink.fromSetupCode(setupCode(from: payload)) == .init(

78+

host: "openclaw.local",

79+

port: 18789,

80+

tls: false,

81+

bootstrapToken: "tok",

82+

token: nil,

83+

password: nil))

84+

}

85+
86+

@Test func setupCodeRejectsTailnetPlaintextWs() {

87+

let payload = #"{"url":"ws://gateway.tailnet.ts.net:18789","bootstrapToken":"tok"}"#

88+

#expect(GatewayConnectDeepLink.fromSetupCode(setupCode(from: payload)) == nil)

89+

}

90+
91+

@Test func setupCodeRejectsCgnatPlaintextWs() {

92+

let payload = #"{"url":"ws://100.64.0.9:18789","bootstrapToken":"tok"}"#

93+

#expect(GatewayConnectDeepLink.fromSetupCode(setupCode(from: payload)) == nil)

94+

}

95+
6296

@Test func setupCodeParsesHostPayload() {

6397

let payload = #"{"host":"gateway.tailnet.ts.net","port":443,"tls":true,"bootstrapToken":"tok"}"#

6498

#expect(

@@ -88,6 +122,18 @@ private func setupCode(from payload: String) -> String {

88122

#expect(GatewayConnectDeepLink.fromSetupCode(setupCode(from: payload)) == nil)

89123

}

90124
125+

@Test func setupCodeAllowsPrivateLanHostPayload() {

126+

let payload = #"{"host":"openclaw.local","port":18789,"tls":false,"bootstrapToken":"tok"}"#

127+

#expect(

128+

GatewayConnectDeepLink.fromSetupCode(setupCode(from: payload)) == .init(

129+

host: "openclaw.local",

130+

port: 18789,

131+

tls: false,

132+

bootstrapToken: "tok",

133+

token: nil,

134+

password: nil))

135+

}

136+
91137

@Test func setupInputParsesFullCopiedSetupMessage() {

92138

let payload = #"{"url":"wss://gateway.tailnet.ts.net","bootstrapToken":"tok"}"#

93139

let message = """

Original file line numberDiff line numberDiff line change

@@ -249,6 +249,42 @@ struct GatewayNodeSessionTests {

249249

await gateway.disconnect()

250250

}

251251
252+

@Test

253+

func passwordTakesPrecedenceOverBootstrapToken() async throws {

254+

let session = FakeGatewayWebSocketSession()

255+

let gateway = GatewayNodeSession()

256+

let options = GatewayConnectOptions(

257+

role: "operator",

258+

scopes: ["operator.read"],

259+

caps: [],

260+

commands: [],

261+

permissions: [:],

262+

clientId: "openclaw-ios-test",

263+

clientMode: "ui",

264+

clientDisplayName: "iOS Test",

265+

includeDeviceIdentity: false)

266+
267+

try await gateway.connect(

268+

url: URL(string: "ws://example.invalid")!,

269+

token: nil,

270+

bootstrapToken: "stale-bootstrap-token",

271+

password: "shared-password",

272+

connectOptions: options,

273+

sessionBox: WebSocketSessionBox(session: session),

274+

onConnected: {},

275+

onDisconnected: { _ in },

276+

onInvoke: { req in

277+

BridgeInvokeResponse(id: req.id, ok: true, payloadJSON: nil, error: nil)

278+

})

279+
280+

let auth = try #require(session.latestTask()?.latestConnectAuth())

281+

#expect(auth["password"] as? String == "shared-password")

282+

#expect(auth["bootstrapToken"] == nil)

283+

#expect(auth["token"] == nil)

284+
285+

await gateway.disconnect()

286+

}

287+
252288

@Test

253289

func bootstrapHelloStoresAdditionalDeviceTokens() async throws {

254290

let tempDir = FileManager.default.temporaryDirectory

Original file line numberDiff line numberDiff line change

@@ -134,12 +134,11 @@ That bootstrap token carries the built-in pairing bootstrap profile:

134134
135135

Treat the setup code like a password while it is valid.

136136
137-

For Tailscale, public, or other non-loopback mobile pairing, use Tailscale

138-

Serve/Funnel or another `wss://` Gateway URL. Direct non-loopback `ws://` setup

139-

URLs are rejected before QR/setup-code issuance. Plaintext `ws://` setup codes

140-

are limited to loopback URLs; private-network `ws://` clients still require the explicit

141-

`OPENCLAW_ALLOW_INSECURE_PRIVATE_WS=1` break-glass described in the remote

142-

Gateway guide.

137+

For Tailscale, public, or other remote mobile pairing, use Tailscale Serve/Funnel

138+

or another `wss://` Gateway URL. Plaintext `ws://` setup codes are accepted only

139+

for loopback, private LAN addresses, `.local` Bonjour hosts, and the Android

140+

emulator host. Tailnet CGNAT addresses, `.ts.net` names, and public hosts still

141+

fail closed before QR/setup-code issuance.

143142
144143

### Approve a node device

145144