Gateway: fix device identity required despite dangerouslyDisableDeviceAuth=true#29960
Open
alexyyyander wants to merge 7 commits intoopenclaw:mainfrom
Open
Gateway: fix device identity required despite dangerouslyDisableDeviceAuth=true#29960alexyyyander wants to merge 7 commits intoopenclaw:mainfrom
alexyyyander wants to merge 7 commits intoopenclaw:mainfrom
Conversation
The secondary window was defaulting to 24 hours (86400 seconds), causing the status to show 'Day' instead of 'Week' for users with weekly usage limits when the API doesn't return the limit. Changed default to 604800 seconds (168 hours = 1 week) since Codex typically has weekly secondary windows.
Previously, detectContentType() checked for MP4 magic bytes (ftyp at bytes 4-7) before the M4A-specific check, causing LINE voice messages (M4A/AAC-LC in MPEG-4 container) to be misclassified as video/mp4 instead of audio/mp4. This fix checks the ftyp sub-brand at bytes 8-11 to distinguish: - M4A / M4B (audio) -> returns audio/mp4 - isom/mp42 (video) -> returns video/mp4 Fixes openclaw#29751
- Show days (e.g., '2d', '3d') for multi-day windows between 24-167 hours - 24 hours = 'Day', 168+ hours = 'Week' - Previously all windows >= 24 hours showed as 'Day', which was confusing for multi-day periods
Fix issue openclaw#29886 where isolated sessions (cron/subagents) could not access built-in provider env vars from openclaw.json. The issue was that config env vars (like OPENAI_API_KEY, ANTHROPIC_API_KEY) configured in openclaw.json were not being applied to process.env when running isolated cron sessions. This fix ensures applyConfigEnvVars is called at the start of runCronIsolatedAgentTurn to ensure these env vars are available when resolving API keys for built-in providers.
The hardcoded system prompt instructed agents to use memory_search + memory_get to pull only needed lines from memory files, which conflicts with AGENTS.md that instructs agents to read entire memory files directly. This conflict caused confusion for agents deciding which instructions to follow. Fixes openclaw#29772
Fixes openclaw#29772 - Hardcoded system prompt conflicts with AGENTS.md The AGENTS.md template instructed agents to read memory files directly, while the system prompt instructed to use memory_search/memory_get tools for memory context. This caused conflicting guidance. Changes: - Update AGENTS.md template to use memory_search/memory_get for memory - Keep reading SOUL.md and USER.md directly (identity files) - Update AGENTS.default.md similarly for consistency
…eAuth=true When gateway.controlUi.dangerouslyDisableDeviceAuth=true is set, the Gateway was still requiring device identity if there was no shared auth (token/password) present. This was because evaluateMissingDeviceIdentity() didn't check the allowBypass flag early enough - it fell through to roleCanSkipDeviceIdentity() which requires sharedAuthOk=true. Fix by adding an early check for controlUiAuthPolicy.allowBypass at the beginning of evaluateMissingDeviceIdentity(), which returns 'allow' immediately when device auth is disabled, regardless of whether shared auth is present. Also adds test coverage for this scenario. Fixes openclaw#29801
openclaw-barnacle
bot
added
docs
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 735297d3a9
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
| "## Memory Recall", | ||
| "Before answering anything about prior work, decisions, dates, people, preferences, or todos: run memory_search on MEMORY.md + memory/*.md; then use memory_get to pull only the needed lines. If low confidence after search, say you checked.", | ||
| ]; | ||
| const lines = ["## Memory Recall"]; |
There was a problem hiding this comment.
The Memory Recall section now only emits a heading plus citation formatting guidance, but no longer tells the model to run memory_search/memory_get before answering questions about prior work or preferences. In sessions where memory tools are available, this regression makes it much more likely the agent responds from stale model context instead of retrieved notes, reducing answer accuracy for history-dependent queries.
Useful? React with 👍 / 👎.
Contributor
Greptile SummaryFixes device identity requirement bug when device auth is set to bypass mode by adding an early check in the Key changes:
Critical issue found: Comment corruption on line 94 of Confidence Score: 3/5
Last reviewed commit: 735297d |
![greptile-apps[bot]](https://avatars.githubusercontent.com/in/867647?s=60&v=4){kind=small}
| // (needed for device identity) is unavailable in insecure HTTP contexts. | ||
| // Remote connections are still rejected to preserve the MitM protection | ||
| // that the security fix (#20684) intended. | ||
| // that the security fix (#20684) (!params.controlUi intended. |
Contributor
There was a problem hiding this comment.
comment corrupted - extra text (!params.controlUi inserted
Suggested change
| // that the security fix (#20684) (!params.controlUi intended. | |
| // that the security fix (#20684) intended. |
Prompt To Fix With AI
This is a comment left during a code review.
Path: src/gateway/server/ws-connection/connect-policy.ts
Line: 94
Comment:
comment corrupted - extra text `(!params.controlUi` inserted
```suggestion
// that the security fix (#20684) intended.
```
How can I resolve this? If you propose a fix, please make it concise.
razvanandreibratu
approved these changes
Feb 28, 2026
razvanandreibratu
approved these changes
Feb 28, 2026
|
This pull request has been automatically marked as stale due to inactivity. |
|
is this being worked on ? |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
When
gateway.controlUi.dangerouslyDisableDeviceAuth=trueis set, the Gateway was still requiring device identity if there was no shared auth (token/password) present.Root Cause
The
evaluateMissingDeviceIdentity()function inconnect-policy.tsdidn't check theallowBypassflag early enough. It fell through toroleCanSkipDeviceIdentity()which requiressharedAuthOk=true, but when there's no token/password,sharedAuthOkisfalse, causing the connection to be rejected with "device identity required" even though device auth was supposed to be disabled.Fix
Added an early check for
controlUiAuthPolicy.allowBypassat the beginning ofevaluateMissingDeviceIdentity(), which returns'allow'immediately when device auth is disabled, regardless of whether shared auth is present.Changes
src/gateway/server/ws-connection/connect-policy.ts: Added early return whenallowBypassis truesrc/gateway/server/ws-connection/connect-policy.test.ts: Added test coverage for the scenarioFixes #29801