Summary

• reject openclaw://gateway deep links that request insecure ws:// transport for non-loopback hosts
• reject setup-code payloads with insecure non-loopback ws:// URLs
• keep loopback ws:// flows working for local development and same-host agent setups
• apply equivalent guardrails in macOS remote config normalization
• add iOS/macOS/OpenClawKit tests for reject/allow behavior

Security impact

This closes a configuration/deep-link vector where users could be tricked into pairing over cleartext WebSocket to a non-loopback host, exposing gateway tokens in transit.

Validation

• swift test --package-path apps/shared/OpenClawKit --filter DeepLinksSecurityTests (fails in this environment due upstream macro plugin resolution in dependency checkout: SwiftUIMacros not found; unrelated to this change)
• swiftc apps/shared/OpenClawKit/Sources/OpenClawKit/DeepLinks.swift /tmp/deeplink_security_repro.swift -o /tmp/deeplink_security_repro && /tmp/deeplink_security_repro
• swiftc apps/macos/Sources/OpenClaw/GatewayRemoteConfig.swift /tmp/gateway_remote_config_repro.swift -o /tmp/gateway_remote_config_repro && /tmp/gateway_remote_config_repro

Notes

• scoped to avoid overlap with currently open PRs from this repo fork

Greptile Summary

Adds security guardrails to prevent cleartext WebSocket (ws://) connections to non-loopback hosts in gateway deep links and setup codes, mitigating a social engineering vector where users could be tricked into pairing over insecure connections.

Key changes:

• Added isLoopbackHost() helper in DeepLinks.swift and GatewayRemoteConfig.swift that checks for localhost, 127.0.0.1, ::1, and 127.* prefixes
• Modified DeepLinkParser.parse() to reject openclaw://gateway deep links with tls=0 for non-loopback hosts
• Modified GatewayConnectDeepLink.fromSetupCode() to reject setup code payloads with insecure non-loopback ws:// URLs
• Modified GatewayRemoteConfig.normalizeGatewayUrl() to reject non-loopback ws:// URLs in macOS remote config
• Added comprehensive test coverage across iOS, macOS, and OpenClawKit test suites

Security impact:
This prevents users from being socially engineered into establishing cleartext WebSocket connections that would expose gateway authentication tokens to network eavesdropping. The change preserves local development workflows (ws://127.0.0.1) while blocking the attack vector (ws://attacker.example).

Confidence Score: 5/5

• This PR is safe to merge with minimal risk - it adds important security protections without affecting legitimate use cases
• The implementation is clean, well-tested, and narrowly scoped to address a specific security vulnerability. The loopback detection logic is duplicated across two files (DeepLinks.swift and GatewayRemoteConfig.swift) with identical implementations, comprehensive test coverage validates both rejection and allowance behavior, and the changes preserve backwards compatibility for legitimate local development scenarios
• No files require special attention - all changes are straightforward security improvements

_{Last reviewed commit: 290f1c9}