chore(sync): mirror docs from openclaw/openclaw@b7fba2100f

This commit is contained in:
openclaw-docs-sync[bot] 2026-04-24 06:35:06 +00:00
parent 1aaca6eac2
commit af64e7ba1a
7 changed files with 23 additions and 6 deletions

View File

@ -1,5 +1,5 @@
{
"repository": "openclaw/openclaw",
"sha": "cb4fc585472a3ac9961a8d2948eb2904777585b0",
"syncedAt": "2026-04-24T06:30:49.022Z"
"sha": "b7fba2100f1780f9d2485ed7452482359747d1a1",
"syncedAt": "2026-04-24T06:33:36.993Z"
}

View File

@ -77,7 +77,9 @@ Options:
For a node connecting to a non-loopback `ws://` Gateway on a trusted private
network, set `OPENCLAW_ALLOW_INSECURE_PRIVATE_WS=1`. Without it, node startup
fails closed and asks you to use `wss://`, an SSH tunnel, or Tailscale.
`openclaw node install` persists this opt-in into the supervised node service.
This is a process-environment opt-in, not an `openclaw.json` config key.
`openclaw node install` persists it into the supervised node service when it is
present in the install command environment.
## Service (background)

View File

@ -28,6 +28,8 @@ openclaw onboard --mode remote --remote-url wss://gateway-host:18789
For plaintext private-network `ws://` targets (trusted networks only), set
`OPENCLAW_ALLOW_INSECURE_PRIVATE_WS=1` in the onboarding process environment.
There is no `openclaw.json` equivalent for this client-side transport
break-glass.
Non-interactive custom provider:

View File

@ -319,7 +319,12 @@ See [Plugins](/tools/plugin).
- `controlUi.allowedOrigins`: explicit browser-origin allowlist for Gateway WebSocket connects. Required when browser clients are expected from non-loopback origins.
- `controlUi.dangerouslyAllowHostHeaderOriginFallback`: dangerous mode that enables Host-header origin fallback for deployments that intentionally rely on Host-header origin policy.
- `remote.transport`: `ssh` (default) or `direct` (ws/wss). For `direct`, `remote.url` must be `ws://` or `wss://`.
- `OPENCLAW_ALLOW_INSECURE_PRIVATE_WS=1`: client-side break-glass override that allows plaintext `ws://` to trusted private-network IPs; default remains loopback-only for plaintext.
- `OPENCLAW_ALLOW_INSECURE_PRIVATE_WS=1`: client-side process-environment
break-glass override that allows plaintext `ws://` to trusted private-network
IPs; default remains loopback-only for plaintext. There is no `openclaw.json`
equivalent, and browser private-network config such as
`browser.ssrfPolicy.dangerouslyAllowPrivateNetwork` does not affect Gateway
WebSocket clients.
- `gateway.remote.token` / `.password` are remote-client credential fields. They do not configure gateway auth by themselves.
- `gateway.push.apns.relay.baseUrl`: base HTTPS URL for the external APNs relay used by official/TestFlight iOS builds after they publish relay-backed registrations to the gateway. This URL must match the relay URL compiled into the iOS build.
- `gateway.push.apns.relay.timeoutMs`: gateway-to-relay send timeout in milliseconds. Defaults to `10000`.

View File

@ -138,7 +138,9 @@ Short version: **keep the Gateway loopback-only** unless youre sure you need
- **Loopback + SSH/Tailscale Serve** is the safest default (no public exposure).
- Plaintext `ws://` is loopback-only by default. For trusted private networks,
set `OPENCLAW_ALLOW_INSECURE_PRIVATE_WS=1` on the client process as break-glass.
set `OPENCLAW_ALLOW_INSECURE_PRIVATE_WS=1` on the client process as
break-glass. There is no `openclaw.json` equivalent; this must be process
environment for the client making the WebSocket connection.
- **Non-loopback binds** (`lan`/`tailnet`/`custom`, or `auto` when loopback is unavailable) must use gateway auth: token, password, or an identity-aware reverse proxy with `gateway.auth.mode: "trusted-proxy"`.
- `gateway.remote.token` / `.password` are client credential sources. They do **not** configure server auth by themselves.
- Local call paths can use `gateway.remote.*` as fallback only when `gateway.auth.*` is unset.

View File

@ -840,7 +840,9 @@ If `gateway.auth.token` / `gateway.auth.password` is explicitly configured via
SecretRef and unresolved, resolution fails closed (no remote fallback masking).
Optional: pin remote TLS with `gateway.remote.tlsFingerprint` when using `wss://`.
Plaintext `ws://` is loopback-only by default. For trusted private-network
paths, set `OPENCLAW_ALLOW_INSECURE_PRIVATE_WS=1` on the client process as break-glass.
paths, set `OPENCLAW_ALLOW_INSECURE_PRIVATE_WS=1` on the client process as
break-glass. This is intentionally process environment only, not an
`openclaw.json` config key.
Local device pairing:

View File

@ -152,6 +152,10 @@ OPENCLAW_ALLOW_INSECURE_PRIVATE_WS=1 \
openclaw node restart
```
`OPENCLAW_ALLOW_INSECURE_PRIVATE_WS=1` is process environment, not an
`openclaw.json` setting. `openclaw node install` stores it in the LaunchAgent
environment when it is present on the install command.
Approve the node from the Gateway host:
```bash