romtuck/openclaw
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
8,014 Commits 258 Branches 39 Tags 276 MiB
15d4738fb5
Commit Graph

51 Commits

Author SHA1 Message Date
theonejvo
25f32a1778 security: add mDNS discovery config to reduce information disclosure 
mDNS broadcasts can expose sensitive operational details like filesystem
paths (cliPath) and SSH availability (sshPort) to anyone on the local
network. This information aids reconnaissance and should be minimized
for gateways exposed beyond trusted networks.

Changes:
- Add discovery.mdns.enabled config option to disable mDNS entirely
- Add discovery.mdns.minimal option to omit cliPath/sshPort from TXT records
- Update security docs with operational security guidance

Minimal mode still broadcasts enough for device discovery (role, gatewayPort,
transport) while omitting details that help map the host environment.
Apps that need CLI path can fetch it via the authenticated WebSocket.
 2026-01-26 13:19:50 +00:00
Peter Steinberger
c4a80f4edb fix: require gateway auth by default 2026-01-26 12:56:33 +00:00
Peter Steinberger
fd9be79be1 fix: harden tailscale serve auth 2026-01-26 12:49:19 +00:00
Jamieson O'Reilly
6aec34bc60
fix(gateway): prevent auth bypass when behind unconfigured reverse proxy (#1795) 
* fix(gateway): prevent auth bypass when behind unconfigured reverse proxy

When proxy headers (X-Forwarded-For, X-Real-IP) are present but
gateway.trustedProxies is not configured, the gateway now treats
connections as non-local. This prevents a scenario where all proxied
requests appear to come from localhost and receive automatic trust.

Previously, running behind nginx/Caddy without configuring trustedProxies
would cause isLocalClient=true for all external connections, potentially
bypassing authentication and auto-approving device pairing.

The gateway now logs a warning when this condition is detected, guiding
operators to configure trustedProxies for proper client IP detection.

Also adds documentation for reverse proxy security configuration.

* fix: harden reverse proxy auth (#1795) (thanks @orlyjamie)

---------

Co-authored-by: orlyjamie <orlyjamie@users.noreply.github.com>
Co-authored-by: Peter Steinberger <steipete@gmail.com>
 2026-01-25 15:08:03 +00:00
Peter Steinberger
8f3da653b0 fix: allow control ui token auth without pairing 2026-01-25 12:47:17 +00:00
Peter Steinberger
629ce4454d docs: add tips + clawd-to-clawd faq 2026-01-25 04:04:18 +00:00
Peter Steinberger
e6e71457e0 fix: honor trusted proxy client IPs (PR #1654) 
Thanks @ndbroadbent.

Co-authored-by: Nathan Broadbent <git@ndbroadbent.com>
 2026-01-25 01:52:19 +00:00
Peter Steinberger
9ae03b92bb docs: clarify prompt injection guidance 2026-01-22 04:19:33 +00:00
Peter Steinberger
f76e3c1419 fix: enforce secure control ui auth 2026-01-21 23:58:42 +00:00
Peter Steinberger
b5fd66c92d fix: add explicit tailnet gateway bind 2026-01-21 20:36:09 +00:00
Peter Steinberger
e5ea8a0d22 docs: add network hub + pairing locality 2026-01-21 00:14:14 +00:00
Peter Steinberger
51dfd6efdb fix: tighten small-model audit guardrails 2026-01-20 23:52:26 +00:00
Peter Steinberger
06c17a333e docs: update protocol + security notes 2026-01-20 13:04:20 +00:00
Peter Steinberger
6f5205d826 docs: elevate security audit callout 2026-01-18 23:37:14 +00:00
Peter Steinberger
ae0b4c4990 feat: add exec host routing + node daemon 2026-01-18 07:46:00 +00:00
Peter Steinberger
e71fa4a145 docs: note session log disk access 2026-01-17 19:30:46 +00:00
Ruby
0cd24137e8
feat: add session.identityLinks for cross-platform DM session linking (#1033) 
Co-authored-by: Shadow <shadow@clawd.bot>
 2026-01-16 14:23:22 -06:00
Peter Steinberger
d0c986c4f0 feat: warn on weak model tiers 2026-01-16 09:34:37 +00:00
Ubuntu
ca9688b5cc feat(session): add dmScope for multi-user DM isolation 
Co-authored-by: Alphonse-arianee <Alphonse-arianee@users.noreply.github.com>
 2026-01-16 04:13:10 +00:00
Peter Steinberger
b2b331230b feat: mac node exec policy + remote skills hot reload 2026-01-16 03:45:06 +00:00
Peter Steinberger
ca1902fb4e feat(security): expand audit and safe --fix 2026-01-15 05:31:43 +00:00
Peter Steinberger
0e76d21f11 docs(security): mention audit --fix 2026-01-15 05:03:13 +00:00
Peter Steinberger
ef78b198cb feat: add Chrome extension browser relay 2026-01-15 04:52:28 +00:00
hyaxia
f3c9252840 Security: add detect-secrets scan 2026-01-15 03:14:43 +00:00
Peter Steinberger
c2a4f256c8 feat: add security audit + onboarding checkpoint 2026-01-15 01:25:11 +00:00
Peter Steinberger
3eb48cbea7 docs: complete channels rename sweep 2026-01-13 08:40:39 +00:00
Peter Steinberger
90342a4f3a refactor!: rename chat providers to channels 2026-01-13 08:40:39 +00:00
Peter Steinberger
b70298fbca fix: document Tailscale Serve auth headers (#823) (thanks @roshanasingh4) 2026-01-13 04:37:04 +00:00
Peter Steinberger
98e75fce17 test: align group policy defaults 2026-01-12 08:45:57 +00:00
Peter Steinberger
006e1352d8 fix: harden msteams group access 2026-01-12 08:32:08 +00:00
Peter Steinberger
8b4bdaa8a4 feat: add apply_patch tool (exec-gated) 2026-01-12 03:42:56 +00:00
Peter Steinberger
98337a14b3 fix: rename bash tool to exec (#748) (thanks @myfunc) 2026-01-12 02:49:55 +00:00
Peter Steinberger
cf0c72a557 feat: add plugin architecture 2026-01-11 12:11:12 +00:00
Peter Steinberger
fe46a2663b docs: clarify browser allowlist defaults and risks 2026-01-11 02:00:30 +01:00
Peter Steinberger
b0b4b33b6b fix: update gateway auth docs and clients 2026-01-11 01:51:24 +01:00
Peter Steinberger
81f9093c3c fix(pairing): accept positional provider args 2026-01-10 16:36:43 +01:00
Peter Steinberger
cdb915d527 chore: normalize Clawdbot naming 2026-01-10 05:14:09 +01:00
Peter Steinberger
bd10f3d3f1 feat: allow session_status in sandbox 2026-01-09 23:41:57 +00:00
Peter Steinberger
88cbe2d275 fix: cap pairing requests and suppress outbound pairing replies 2026-01-09 22:58:18 +00:00
Peter Steinberger
5fa26bfec7 feat: add per-agent elevated controls 2026-01-09 20:42:19 +00:00
Peter Steinberger
7b81d97ec2 feat: wire multi-agent config and routing 
Co-authored-by: Mark Pors <1078320+pors@users.noreply.github.com>
 2026-01-09 12:48:42 +00:00
Peter Steinberger
14096fb629 docs: add model allowlist + reasoning safety notes 2026-01-09 02:07:33 +01:00
Peter Steinberger
014667e00b fix: tighten group elevated targeting 2026-01-08 22:57:18 +01:00
Peter Steinberger
884e734809 feat(doctor): audit config + state permissions 2026-01-08 21:51:34 +01:00
Peter Steinberger
d55750189e docs: add sandboxing page and cross-links 2026-01-08 21:49:26 +01:00
Peter Steinberger
0e9837183d docs: expand per-agent sandbox profiles 2026-01-07 20:31:23 +01:00
Peter Steinberger
0914517ee3 feat(sandbox): add workspace access mode 2026-01-07 09:33:38 +00:00
Peter Steinberger
42ae2341aa fix: harden pairing flow 2026-01-07 05:06:04 +01:00
Peter Steinberger
467d4e17fe feat: add sandbox scope default 2026-01-07 02:52:41 +01:00
Peter Steinberger
4fb9293c29 docs: fix internal doc links 2026-01-07 02:15:46 +01:00