feat(doctor): add gateway network exposure security check

Adds security warnings to `clawdbot doctor` when the gateway is bound to
network-exposed addresses (all, lan, 0.0.0.0) without proper authentication.

- CRITICAL warning when exposed with auth=off (full shell access risk)
- WARN when exposed with password auth (recommend switching to loopback)

Fixes #2015

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
Alex Alaniz 2026-01-25 21:22:42 -05:00
parent 8f6542409a
commit 27cfc6ffc3

View File

@ -10,6 +10,26 @@ export async function noteSecurityWarnings(cfg: ClawdbotConfig) {
const warnings: string[] = [];
const auditHint = `- Run: ${formatCliCommand("clawdbot security audit --deep")}`;
// Check gateway network exposure (fixes #2015)
const gatewayBind = cfg.gateway?.bind ?? "loopback";
const authMode = cfg.gateway?.auth?.mode ?? "off";
const exposedBindings = ["all", "lan", "0.0.0.0"];
const isExposed = exposedBindings.includes(gatewayBind);
if (isExposed && authMode === "off") {
warnings.push(
`- CRITICAL: Gateway bound to "${gatewayBind}" with NO authentication.`,
` Anyone on the network can fully control your agent (shell access, API keys).`,
` Fix: ${formatCliCommand("clawdbot config set gateway.bind loopback")} or enable auth.`,
);
} else if (isExposed && authMode === "password") {
warnings.push(
`- WARN: Gateway bound to "${gatewayBind}" (network-exposed).`,
` Password auth is enabled, but ensure it's strong and not in config file.`,
` Recommended: Use ${formatCliCommand("clawdbot config set gateway.bind loopback")} if remote access not needed.`,
);
}
const warnDmPolicy = async (params: {
label: string;
provider: ChannelId;