Jamieson O'Reilly
e74d8eb8fe
fix(gateway): prevent auth bypass when behind unconfigured reverse proxy ( #1795 )
...
* fix(gateway): prevent auth bypass when behind unconfigured reverse proxy
When proxy headers (X-Forwarded-For, X-Real-IP) are present but
gateway.trustedProxies is not configured, the gateway now treats
connections as non-local. This prevents a scenario where all proxied
requests appear to come from localhost and receive automatic trust.
Previously, running behind nginx/Caddy without configuring trustedProxies
would cause isLocalClient=true for all external connections, potentially
bypassing authentication and auto-approving device pairing.
The gateway now logs a warning when this condition is detected, guiding
operators to configure trustedProxies for proper client IP detection.
Also adds documentation for reverse proxy security configuration.
* fix: harden reverse proxy auth (#1795 ) (thanks @orlyjamie)
---------
Co-authored-by: orlyjamie <orlyjamie@users.noreply.github.com>
Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-01-25 15:08:03 +00:00
Peter Steinberger
74102fd90d
fix: allow control ui token auth without pairing
2026-01-25 12:47:17 +00:00
Peter Steinberger
af82faa1e9
docs: add tips + clawd-to-clawd faq
2026-01-25 04:04:18 +00:00
Peter Steinberger
1aff951422
fix: honor trusted proxy client IPs (PR #1654 )
...
Thanks @ndbroadbent.
Co-authored-by: Nathan Broadbent <git@ndbroadbent.com>
2026-01-25 01:52:19 +00:00
Peter Steinberger
f9d746eadd
docs: clarify prompt injection guidance
2026-01-22 04:19:33 +00:00
Peter Steinberger
e9245837ea
fix: enforce secure control ui auth
2026-01-21 23:58:42 +00:00
Peter Steinberger
7efa487150
fix: add explicit tailnet gateway bind
2026-01-21 20:36:09 +00:00
Peter Steinberger
161806fbe3
docs: add network hub + pairing locality
2026-01-21 00:14:14 +00:00
Peter Steinberger
cc94557d54
fix: tighten small-model audit guardrails
2026-01-20 23:52:26 +00:00
Peter Steinberger
20c58a285b
docs: update protocol + security notes
2026-01-20 13:04:20 +00:00
Peter Steinberger
607b24cf16
docs: elevate security audit callout
2026-01-18 23:37:14 +00:00
Peter Steinberger
0ecd13b7a2
feat: add exec host routing + node daemon
2026-01-18 07:46:00 +00:00
Peter Steinberger
9f0b6f12a0
docs: note session log disk access
2026-01-17 19:30:46 +00:00
Ruby
1ae19b55c9
feat: add session.identityLinks for cross-platform DM session linking ( #1033 )
...
Co-authored-by: Shadow <shadow@clawd.bot>
2026-01-16 14:23:22 -06:00
Peter Steinberger
7a6561a1c0
feat: warn on weak model tiers
2026-01-16 09:34:37 +00:00
Ubuntu
7df03a2456
feat(session): add dmScope for multi-user DM isolation
...
Co-authored-by: Alphonse-arianee <Alphonse-arianee@users.noreply.github.com>
2026-01-16 04:13:10 +00:00
Peter Steinberger
cc145407c3
feat: mac node exec policy + remote skills hot reload
2026-01-16 03:45:06 +00:00
Peter Steinberger
87400c3aa0
feat(security): expand audit and safe --fix
2026-01-15 05:31:43 +00:00
Peter Steinberger
889e615bff
docs(security): mention audit --fix
2026-01-15 05:03:13 +00:00
Peter Steinberger
ebcf6ada8c
feat: add Chrome extension browser relay
2026-01-15 04:52:28 +00:00
hyaxia
39678bdce5
Security: add detect-secrets scan
2026-01-15 03:14:43 +00:00
Peter Steinberger
e2832f544f
feat: add security audit + onboarding checkpoint
2026-01-15 01:25:11 +00:00
Peter Steinberger
10ec96eca6
docs: complete channels rename sweep
2026-01-13 08:40:39 +00:00
Peter Steinberger
ea979f0669
refactor!: rename chat providers to channels
2026-01-13 08:40:39 +00:00
Peter Steinberger
6db96e7291
fix: document Tailscale Serve auth headers ( #823 ) (thanks @roshanasingh4)
2026-01-13 04:37:04 +00:00
Peter Steinberger
2bb8e0d369
test: align group policy defaults
2026-01-12 08:45:57 +00:00
Peter Steinberger
c0dd3d0628
fix: harden msteams group access
2026-01-12 08:32:08 +00:00
Peter Steinberger
4d0beca324
feat: add apply_patch tool (exec-gated)
2026-01-12 03:42:56 +00:00
Peter Steinberger
218e5a52e0
fix: rename bash tool to exec ( #748 ) (thanks @myfunc)
2026-01-12 02:49:55 +00:00
Peter Steinberger
71c1446394
feat: add plugin architecture
2026-01-11 12:11:12 +00:00
Peter Steinberger
a430f7cdfa
docs: clarify browser allowlist defaults and risks
2026-01-11 02:00:30 +01:00
Peter Steinberger
f4e2fb75c6
fix: update gateway auth docs and clients
2026-01-11 01:51:24 +01:00
Peter Steinberger
f5023e9ee8
fix(pairing): accept positional provider args
2026-01-10 16:36:43 +01:00
Peter Steinberger
fbf44d47be
chore: normalize Clawdbot naming
2026-01-10 05:14:09 +01:00
Peter Steinberger
a25ffba8f2
feat: allow session_status in sandbox
2026-01-09 23:41:57 +00:00
Peter Steinberger
9374401cb7
fix: cap pairing requests and suppress outbound pairing replies
2026-01-09 22:58:18 +00:00
Peter Steinberger
ba1e9058e7
feat: add per-agent elevated controls
2026-01-09 20:42:19 +00:00
Peter Steinberger
947844117c
feat: wire multi-agent config and routing
...
Co-authored-by: Mark Pors <1078320+pors@users.noreply.github.com>
2026-01-09 12:48:42 +00:00
Peter Steinberger
796f1bd2ef
docs: add model allowlist + reasoning safety notes
2026-01-09 02:07:33 +01:00
Peter Steinberger
7a5585ab4c
fix: tighten group elevated targeting
2026-01-08 22:57:18 +01:00
Peter Steinberger
a60a091e9d
feat(doctor): audit config + state permissions
2026-01-08 21:51:34 +01:00
Peter Steinberger
814b1430d2
docs: add sandboxing page and cross-links
2026-01-08 21:49:26 +01:00
Peter Steinberger
33900124de
docs: expand per-agent sandbox profiles
2026-01-07 20:31:23 +01:00
Peter Steinberger
6e72501384
feat(sandbox): add workspace access mode
2026-01-07 09:33:38 +00:00
Peter Steinberger
316e3c02a9
fix: harden pairing flow
2026-01-07 05:06:04 +01:00
Peter Steinberger
cd767a3569
feat: add sandbox scope default
2026-01-07 02:52:41 +01:00
Peter Steinberger
0d18b2a650
docs: fix internal doc links
2026-01-07 02:15:46 +01:00
Peter Steinberger
5898eb4938
docs: reorganize documentation structure
2026-01-07 00:45:46 +01:00