docs: clarify IRC managed proxy coverage (#76822) · openclaw/openclaw@9c3b7b7
jesse-merhi
·
2026-05-04
·
via Recent Commits to openclaw:main
| Original file line number | Diff line number | Diff line change |
|---|
@@ -15,6 +15,7 @@ Docs: https://docs.openclaw.ai
|
15 | 15 | - Agents/commands: add `/steer <message>` for queue-independent steering of the active current-session run without starting a new turn when the session is idle. (#76934) |
16 | 16 | - Tools/BTW: add `/side` as a text and native slash-command alias for `/btw` side questions. |
17 | 17 | - Doctor/config: `doctor --fix` now commits safe legacy migrations even when unrelated validation issues (e.g. a missing plugin) prevent full validation from passing, so `agents.defaults.llm` and other known-legacy keys are always cleaned up by `doctor --fix` regardless of other config problems. Fixes #76798. (#76800) Thanks @hclsys. |
| 18 | +- Docs: clarify that IRC uses raw TCP/TLS sockets outside operator-managed forward proxy routing, so direct IRC egress should be explicitly approved before enabling IRC. Thanks @jesse-merhi. |
18 | 19 | - Agents/tools: skip optional media and PDF tool factories when the effective tool denylist already blocks them, avoiding unnecessary hot-path setup for tools that will be filtered out before model use. (#76773) Thanks @dorukardahan. |
19 | 20 | - Discord/status: let explicit reaction tool calls opt into tracking subsequent tool progress on the reacted message with `trackToolCalls: true`, and use the shared tool display emoji table for status reactions. |
20 | 21 | - Gateway/config: stop Gateway startup and hot reload from auto-restoring invalid config; invalid config now fails closed and `openclaw doctor --fix` owns last-known-good repair. |
|
| Original file line number | Diff line number | Diff line change |
|---|
@@ -39,6 +39,7 @@ openclaw gateway run
|
39 | 39 | |
40 | 40 | ## Security defaults |
41 | 41 | |
| 42 | +- IRC uses raw TCP/TLS sockets outside OpenClaw operator-managed forward proxy routing. In deployments that require all egress through that forward proxy, set `channels.irc.enabled=false` unless direct IRC egress is explicitly approved. |
42 | 43 | - `channels.irc.dmPolicy` defaults to `"pairing"`. |
43 | 44 | - `channels.irc.groupPolicy` defaults to `"allowlist"`. |
44 | 45 | - With `groupPolicy="allowlist"`, set `channels.irc.groups` to define allowed channels. |
|
| Original file line number | Diff line number | Diff line change |
|---|
@@ -193,6 +193,7 @@ proxy:
|
193 | 193 | |
194 | 194 | - The proxy improves coverage for process-local JavaScript HTTP and WebSocket clients, but it is not an OS-level network sandbox. |
195 | 195 | - Raw `net`, `tls`, and `http2` sockets, native addons, and child processes may bypass Node-level proxy routing unless they inherit and respect proxy environment variables. |
| 196 | +- IRC is a raw TCP/TLS channel outside operator-managed forward proxy routing. In deployments that require all egress through that forward proxy, set `channels.irc.enabled=false` unless direct IRC egress is explicitly approved. |
196 | 197 | - User local WebUIs and local model servers should be allowlisted in the operator proxy policy when needed; OpenClaw does not expose a general local-network bypass for them. |
197 | 198 | - Gateway control-plane proxy bypass is intentionally limited to `localhost` and literal loopback IP URLs. Use `ws://127.0.0.1:18789`, `ws://[::1]:18789`, or `ws://localhost:18789` for local direct Gateway control-plane connections; other hostnames route like ordinary hostname-based traffic. |
198 | 199 | - OpenClaw does not inspect, test, or certify your proxy policy. |
|
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。