From e68fe2a6448ae298af2fbbb75b2465f568029f96 Mon Sep 17 00:00:00 2001 From: "openclaw-docs-sync[bot]" Date: Mon, 4 May 2026 00:55:58 +0000 Subject: [PATCH] chore(sync): mirror docs from openclaw/openclaw@9c3b7b7b151b7ecdf5b18ebbb8967f26886d9346 --- .openclaw-sync/source.json | 4 ++-- docs/channels/irc.md | 1 + docs/security/network-proxy.md | 1 + 3 files changed, 4 insertions(+), 2 deletions(-) diff --git a/.openclaw-sync/source.json b/.openclaw-sync/source.json index 4820e3b09..d7115e583 100644 --- a/.openclaw-sync/source.json +++ b/.openclaw-sync/source.json @@ -1,5 +1,5 @@ { "repository": "openclaw/openclaw", - "sha": "4856cbb017dac9cea4eac6f8f2eb87fd8e09fb28", - "syncedAt": "2026-05-04T00:53:47.752Z" + "sha": "9c3b7b7b151b7ecdf5b18ebbb8967f26886d9346", + "syncedAt": "2026-05-04T00:54:01.430Z" } diff --git a/docs/channels/irc.md b/docs/channels/irc.md index bc3b5cd7c..f06d6b0b6 100644 --- a/docs/channels/irc.md +++ b/docs/channels/irc.md @@ -39,6 +39,7 @@ openclaw gateway run ## Security defaults +- IRC uses raw TCP/TLS sockets outside OpenClaw operator-managed forward proxy routing. In deployments that require all egress through that forward proxy, set `channels.irc.enabled=false` unless direct IRC egress is explicitly approved. - `channels.irc.dmPolicy` defaults to `"pairing"`. - `channels.irc.groupPolicy` defaults to `"allowlist"`. - With `groupPolicy="allowlist"`, set `channels.irc.groups` to define allowed channels. diff --git a/docs/security/network-proxy.md b/docs/security/network-proxy.md index 49d4eb1fd..e8439fdc2 100644 --- a/docs/security/network-proxy.md +++ b/docs/security/network-proxy.md @@ -193,6 +193,7 @@ proxy: - The proxy improves coverage for process-local JavaScript HTTP and WebSocket clients, but it is not an OS-level network sandbox. - Raw `net`, `tls`, and `http2` sockets, native addons, and child processes may bypass Node-level proxy routing unless they inherit and respect proxy environment variables. +- IRC is a raw TCP/TLS channel outside operator-managed forward proxy routing. In deployments that require all egress through that forward proxy, set `channels.irc.enabled=false` unless direct IRC egress is explicitly approved. - User local WebUIs and local model servers should be allowlisted in the operator proxy policy when needed; OpenClaw does not expose a general local-network bypass for them. - Gateway control-plane proxy bypass is intentionally limited to `localhost` and literal loopback IP URLs. Use `ws://127.0.0.1:18789`, `ws://[::1]:18789`, or `ws://localhost:18789` for local direct Gateway control-plane connections; other hostnames route like ordinary hostname-based traffic. - OpenClaw does not inspect, test, or certify your proxy policy.