Skip to content

iOS: gate capabilities by permissions and add settings controls #22135

Merged
mbelinky merged 2 commits into main from mb/ios-permissions-priority-1
Feb 20, 2026

@mbelinky mbelinky commented Feb 20, 2026

Summary

Describe the problem and fix in 2–5 bullets:

  • Problem: iOS node permissions were not centrally modeled/exposed, and gateway capability reporting could imply tools were available when the OS permission state did not allow them.
  • Why it matters: this creates misleading capability negotiation and no single UI flow to request/review important iOS permissions.
  • What changed: added a centralized iOS permission center (photos/contacts/calendar/reminders/motion), added NodeAppModel permission APIs, added a Settings permissions disclosure/request section, and gated gateway capabilities/commands/permission flags from live permission state.
  • What did NOT change (scope boundary): no Android changes, no watchOS permission implementation, no new backend API endpoints, no behavioral change to unrelated tool families.

Change Type (select all)

  • Bug fix
  • Feature
  • Refactor
  • Docs
  • Security hardening
  • Chore/infra

Scope (select all touched areas)

  • Gateway / orchestration
  • Skills / tool execution
  • Auth / tokens
  • Memory / storage
  • Integrations
  • API / contracts
  • UI / DX
  • CI/CD / infra

Linked Issue/PR

  • Closes #
  • Related #

User-visible / Behavior Changes

  • New Settings > Device permissions section for Photos, Contacts, Calendar, Reminders, and Motion with state, request action, and deep-link to iOS Settings.
  • Gateway-reported capabilities/commands now reflect current permission state (read/write/denied where applicable) instead of over-reporting access.
  • Added required iOS Info.plist usage-description keys for these permission families.

Security Impact (required)

  • New permissions/capabilities? (Yes)
  • Secrets/tokens handling changed? (No)
  • New/changed network calls? (No)
  • Command/tool execution surface changed? (Yes)
  • Data access scope changed? (Yes)
  • If any Yes, explain risk + mitigation:
    • Risk: inaccurate capability exposure could allow attempted tool calls that iOS would deny at runtime.
    • Mitigation: capabilities/commands are now computed from live OS authorization status and exposed explicitly as denied/read/write flags.

Repro + Verification

Environment

  • OS: macOS 15.x
  • Runtime/container: Xcode iOS Simulator build
  • Model/provider: N/A
  • Integration/channel (if any): iOS app + gateway connection controller
  • Relevant config (redacted): default local iOS build settings

Steps

  1. pnpm ios:gen
  2. xcodebuild -project OpenClaw.xcodeproj -scheme OpenClaw -destination 'generic/platform=iOS Simulator' -configuration Debug build -quiet
  3. Open SettingsTab code path and verify permission section/actions + gateway permission/capability gating logic.

Expected

  • Build succeeds and permission-centric capability gating is wired.

Actual

  • Build succeeds (exit code 0) and permission gating/settings UI compile and link correctly.

Evidence

Attach at least one:

  • Failing test/log before + passing after
  • Trace/log snippets
  • Screenshot/recording
  • Perf numbers (if relevant)

Human Verification (required)

What you personally verified (not just CI), and how:

  • Verified scenarios: generated iOS project, ran full simulator build, validated that prior Swift type-check timeout in SettingsTab is resolved, validated permission-gating code paths compile.
  • Edge cases checked: denied/restricted/limited/full mapping branches in permission center and calendar/reminder write gating.
  • What you did not verify: physical iPhone/watch grant/deny flows and runtime interaction UX on real devices.

Compatibility / Migration

  • Backward compatible? (Yes)
  • Config/env changes? (No)
  • Migration needed? (No)
  • If yes, exact upgrade steps:

Failure Recovery (if this breaks)

  • How to disable/revert this change quickly: revert commit 23693c7aa.
  • Files/config to restore: apps/ios/Sources/Gateway/GatewayConnectionController.swift, apps/ios/Sources/Info.plist, apps/ios/Sources/Settings/SettingsTab.swift, apps/ios/project.yml, and remove added permission files.
  • Known bad symptoms reviewers should watch for: Settings screen compile slowdown/type-check errors, missing permission prompts, capability reports not matching iOS permission state.

Risks and Mitigations

  • Risk: permission mapping may diverge from Apple APIs over time.
    • Mitigation: centralized mapping in IOSPermissionCenter keeps updates in one place.
  • Risk: UI complexity in SettingsTab can regress compiler performance.
    • Mitigation: split large modifier chains into helper methods to keep type-checking tractable.

Greptile Summary

Centralized iOS permission management and gated gateway capabilities by permission state.

Major changes:

  • Added IOSPermissionCenter to centralize permission checking for photos, contacts, calendar, reminders, and motion
  • Gated gateway capability reporting based on actual iOS permission state (read/write/denied)
  • Added Settings UI section for permission disclosure, request, and deep-link to iOS Settings
  • Added required Info.plist usage description keys for new permission families
  • Refactored SettingsTab.swift to improve type-checking performance by splitting view builders

Critical issue:

  • GatewayConnectionController.swift:687 has incorrect byte-order conversion that will break loopback IP detection on iOS devices (little-endian systems)

Confidence Score: 2/5

  • This PR has a critical logical error affecting loopback IP detection on iOS
  • The byte-order conversion bug in loopback IP detection is a critical issue that will cause incorrect behavior when checking for loopback addresses. The permission implementation appears sound, but this networking bug must be fixed before merge.
  • Pay close attention to apps/ios/Sources/Gateway/GatewayConnectionController.swift - the ntohl replacement breaks loopback detection

Last reviewed commit: 23693c7

@openclaw-barnacle openclaw-barnacle bot added app: ios App: ios size: XL maintainer Maintainer-authored PR labels Feb 20, 2026
@mbelinky mbelinky self-assigned this Feb 20, 2026

@greptile-apps greptile-apps bot left a comment


7 files reviewed, 1 comment


let parsed = host.withCString { inet_pton(AF_INET, $0, &addr) == 1 }
guard parsed else { return false }
let value = ntohl(addr.s_addr)
let value = UInt32(bigEndian: addr.s_addr)
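
Review bot: on the changed line `let value = UInt32(bigEndian: addr.s_addr)`, nothing in the hunk pins the byte order that the loopback check depends on. `inet_pton` stores `s_addr` in network byte order and `UInt32(bigEndian:)` converts a big-endian representation to host order, so the result should equal the removed `ntohl(addr.s_addr)`; please add a unit test asserting that 127.0.0.1 is classified as loopback and 1.0.0.127 is not, plus a short comment that `s_addr` is network order, because the comparison that consumes `value` is outside the visible lines.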

UInt32(bigEndian:) expects a value that's already in big-endian format but needs to be interpreted as host-endian. However, addr.s_addr is already in network byte order (big-endian). The original ntohl() call converted from network to host byte order before the bit shift. This change breaks the loopback detection on little-endian systems (like iOS devices).

Suggested change
let value = UInt32(bigEndian: addr.s_addr)
let value = ntohl(addr.s_addr)

@mbelinky mbelinky force-pushed the mb/ios-permissions-priority-1 branch from 23693c7 to 92c2660 Compare February 20, 2026 19:25
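
The byte-order question raised in the review thread above, as an added C example that is not code from the PR: `inet_pton` leaves `s_addr` in network byte order, so a 127.0.0.0/8 check needs a host-order value before shifting. The function names and sample addresses are constructed for illustration.

```c
/* Added example: constructed inputs, not code from the PR. */
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Host-order value using the libc conversion. */
uint32_t host_order_ntohl(struct in_addr a) { return ntohl(a.s_addr); }

/* Host-order value by decoding the stored bytes as big-endian,
   which gives the same answer on any CPU. */
uint32_t host_order_bytes(struct in_addr a) {
    unsigned char b[4];
    memcpy(b, &a.s_addr, sizeof b);
    return ((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16) |
           ((uint32_t)b[2] << 8) | (uint32_t)b[3];
}

/* 1 if host is an IPv4 literal in 127.0.0.0/8, else 0 (parse failure included). */
int is_loopback_ipv4(const char *host) {
    struct in_addr addr;
    if (inet_pton(AF_INET, host, &addr) != 1) return 0;
    return (host_order_ntohl(addr) >> 24) == 127;
}

/* Deliberately wrong variant: shifts the raw network-order field. */
int is_loopback_ipv4_raw(const char *host) {
    struct in_addr addr;
    if (inet_pton(AF_INET, host, &addr) != 1) return 0;
    return ((uint32_t)addr.s_addr >> 24) == 127;
}

/* 1 if both conversions give the same host-order value for host. */
int conversions_agree(const char *host) {
    struct in_addr addr;
    if (inet_pton(AF_INET, host, &addr) != 1) return 0;
    return host_order_ntohl(addr) == host_order_bytes(addr);
}

int main(void) {
    const char *samples[] = {"127.0.0.1", "127.255.255.254", "1.0.0.127", "10.0.0.1"};
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-16s converted=%d raw=%d agree=%d\n", samples[i],
               is_loopback_ipv4(samples[i]), is_loopback_ipv4_raw(samples[i]),
               conversions_agree(samples[i]));
    return 0;
}
```

On a little-endian host the raw variant misses 127.0.0.1 and accepts 1.0.0.127, which is the failure a regression test for the loopback check should catch.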
@mbelinky mbelinky merged commit 67edc77 into main Feb 20, 2026
11 checks passed
@mbelinky mbelinky deleted the mb/ios-permissions-priority-1 branch February 20, 2026 19:26

Merged via squash.

Thanks @mbelinky!

MisterGuy420 pushed a commit to MisterGuy420/openclaw-dev that referenced this pull request Feb 20, 2026
…claw#22135)

Merged via /review-pr -> /prepare-pr -> /merge-pr.

Prepared head SHA: 92c2660
Co-authored-by: mbelinky <[email protected]>
Co-authored-by: mbelinky <[email protected]>
Reviewed-by: @mbelinky