Cherry-pick: Gateway fixes and hardening (20 commits) #1825
Description
Cherry-pick from upstream — Gateway Fixes and Hardening
Source: openclaw/openclaw main branch
Scan session: 2026-03-22
Tier: AUTO-PICK (automatic qualifier: bug fixes in gateway infrastructure we keep)
Commits (sorted by size ascending)
| # | Hash | Author | Subject | Lines |
|---|---|---|---|---|
| 1 | 92fc8065e |
Andrew Demczuk | fix(gateway): remove re-introduced auth.mode=none pairing bypass | 24 |
| 2 | 9bffa3422 |
Andrew Demczuk | fix(gateway): skip device pairing when auth.mode=none | 27 |
| 3 | 7dc447f79 |
Peter Steinberger | fix(gateway): strip unbound scopes for shared-auth connects | 34 |
| 4 | 36f394c29 |
fuller-stack-dev | fix(gateway): increase WS handshake timeout from 3s to 10s (openclaw#49262) | 68 |
| 5 | 26e0a3ee9 |
Andrew Demczuk | fix(gateway): skip Control UI pairing when auth.mode=none (openclaw#47148) | 96 |
| 6 | 57204b4fa |
Peter Steinberger | fix(gateway): surface env override keys in exec approvals | 125 |
| 7 | ccf16cd88 |
Peter Steinberger | fix(gateway): clear trusted-proxy control ui scopes | 132 |
| 8 | 3faaf8984 |
Peter Steinberger | fix(gateway): guard interface discovery failures | 136 |
| 9 | c0d4abc59 |
Peter Steinberger | fix(gateway): suppress ciao interface assertions | 148 |
| 10 | 8cc0c9baf |
Peter Steinberger | fix(gateway): run before_tool_call for HTTP tools | 150 |
| 11 | 57f1cf66a |
caesargattuso | fix(gateway): skip seq-gap broadcast for stale post-lifecycle events (openclaw#43751) | 151 |
| 12 | 4da617e17 |
Peter Steinberger | fix(gateway): honor trusted proxy hook auth rate limits | 163 |
| 13 | ebed3bbde |
Robin Waslander | fix(gateway): enforce browser origin check regardless of proxy headers | 176 |
| 14 | 29fec8bb9 |
Tak Hoffman | fix(gateway): harden health monitor account gating (openclaw#46749) | 204 |
| 15 | 5fc43ff0e |
Tak Hoffman | fix(gateway): bound unanswered client requests (openclaw#45689) | 360 |
| 16 | a1520d70f |
Robin Waslander | fix(gateway): propagate real gateway client into plugin subagent runtime | 376 |
| 17 | dafd61b5c |
Robin Waslander | fix(gateway): enforce caller-scope subsetting in device.token.rotate | 386 |
| 18 | a69f6190a |
Peter Steinberger | fix(gateway): pin plugin webhook route registry (openclaw#47902) | 954 |
| 19 | c91d1622d |
Peter Steinberger | fix(gateway): split conversation reset from admin reset | 1037 |
| 20 | a76e81019 |
Josh Avant | fix(gateway): harden token fallback/reconnect behavior and docs (openclaw#42507) | 1854 |
Classification
All commits are automatic qualifiers: bug fixes and hardening in the gateway layer (core infrastructure we maintain).
Areas Touched
src/gateway/— server methods, WebSocket handling, auth, device pairing, health monitorsrc/gateway/protocol/— schema, exec approvalssrc/gateway/server/— connection handling, plugin routing
Adaptation Notes
- Commits 18-20 are large (>900 lines) — may need conflict resolution
- CHANGELOG.md entries should be discarded
- Some commits may reference plugin patterns that differ in fork
Execution
Pick up with: /pick-from-openclaw pick up issue #N
Recommended strategy: staging branch (20 commits, single CI run)