feat: add gateway.trustedNetworks for ws:// over encrypted mesh networks #2
Merged
* Dependencies: make @discordjs/opus an optional peer * Dependencies: bump node-llama-cpp peer to 3.16.2 * Dependencies: pin Google auth deps to warning-free versions * CI: reduce Dependabot cooldown to 2 days * CI: fix invalid Dependabot npm registry config * CI: restore Dependabot npm registry with token auth * Dependencies: remove global Google auth pnpm overrides * CI: make Dependabot updates daily * Dependencies: restore optional install semantics for @discordjs/opus * CI: keep Docker Dependabot interval weekly
…nclaw#17874) * feat(memory-lancedb): add custom baseUrl and dimensions support * fix(memory-lancedb): strict model typing and safe dimension resolution * style: fix formatting in memory-lancedb config * fix(memory-lancedb): sync manifest schema with new embedding options --------- Co-authored-by: OpenClaw Bot <[email protected]>
…nclaw#16930, openclaw#22441, openclaw#25088) Landed from contributor PRs openclaw#16930, openclaw#22441, and openclaw#25088. Co-authored-by: liweiguang <[email protected]> Co-authored-by: EdwardWu7 <[email protected]> Co-authored-by: MoerAI <[email protected]>
Verified: - pnpm build - pnpm check - pnpm test:macmini (fails in this environment at src/daemon/launchd.integration.test.ts beforeAll hook timeout; merged with Tak override) Co-authored-by: rodrigouroz <[email protected]> Co-authored-by: Tak Hoffman <[email protected]>
Land contributor PR openclaw#29032 by @maloqab with Slack native alias docs, integration tests, and changelog entry. Co-authored-by: maloqab <[email protected]>
- Remove trailing blank line after Jonathan Taylor entry - Escape underscore in @jlehman_ X handle Fixes openclaw#29039
…nclaw#26050) thanks @bmendonca3 Verified: - pnpm install --frozen-lockfile - pnpm build - pnpm check - pnpm test:macmini Co-authored-by: bmendonca3 <[email protected]> Co-authored-by: Tak Hoffman <[email protected]>
… custom provider probes (openclaw#27380) * fix(onboard): increase verification timeout and reduce max_tokens for custom provider probes The onboard wizard sends a chat-completion request to verify custom providers. With max_tokens: 1024 and a 10 s timeout, large local models (e.g. Qwen3.5-27B on llama.cpp) routinely time out because the server needs to load the model and generate up to 1024 tokens before responding. Changes: - Raise VERIFY_TIMEOUT_MS from 10 s to 30 s - Lower max_tokens from 1024 to 1 (verification only needs a single token to confirm the API is reachable and the model ID is valid) - Add explicit stream: false to both OpenAI and Anthropic probes Closes openclaw#27346 Made-with: Cursor * Changelog: note custom-provider onboarding verification fix --------- Co-authored-by: Philipp Spiess <[email protected]>
When an agent triggers a gateway restart in supervised mode, the process exits expecting launchd KeepAlive to respawn it. But ThrottleInterval (default 10s, or 60s on older installs) can delay or prevent restart. Now calls triggerOpenClawRestart() to issue an explicit launchctl kickstart before exiting, ensuring immediate respawn. Falls back to in-process restart if kickstart fails. Co-Authored-By: Claude Opus 4.6 <[email protected]>
…back Co-authored-by: Cathryn Lavery <[email protected]>
* agents: auto-discover Ollama models without API key * tests: cover Ollama autodiscovery warning behavior
openclaw#28295) thanks @zhoulongchao77 Verified: - pnpm build - pnpm check - pnpm test:macmini Co-authored-by: zhoulongchao77 <[email protected]> Co-authored-by: Tak Hoffman <[email protected]>
…#27884) (openclaw#27928) thanks @joelnishanth Verified: - pnpm build - pnpm check - pnpm test:macmini Co-authored-by: joelnishanth <[email protected]> Co-authored-by: Tak Hoffman <[email protected]>
…penclaw#28822) Merged via squash. Prepared head SHA: 83d4329 Co-authored-by: lailoo <[email protected]> Co-authored-by: velvet-shark <[email protected]> Reviewed-by: @velvet-shark
…ions in feishu_doc (openclaw#20304) Co-authored-by: Tak Hoffman <[email protected]>
…I calls (openclaw#28907) thanks @Glucksberg Verified: - pnpm build - pnpm check - pnpm test:macmini Co-authored-by: Glucksberg <[email protected]> Co-authored-by: Tak Hoffman <[email protected]>
Add trustedNetworks config option to allow plaintext ws:// connections
over trusted encrypted networks like WireGuard, Tailscale, or VPNs.
Without this, users behind encrypted mesh networks are forced to use
wss:// which requires opening ports or setting up certificates.
Example config:
  {
    gateway: {
      trustedNetworks: ["100.64.0.0/10", "10.0.0.0/8"]
    }
  }
Fixes openclaw#21192
Summary
Add trustedNetworks config option to allow plaintext ws:// connections over trusted encrypted networks like WireGuard, Tailscale, or VPNs.
Problem
OpenClaw v2026.2.19 introduced a security check that blocks ws:// connections to non-loopback addresses. This breaks existing deployments using encrypted mesh networks (WireGuard, Tailscale) where the transport is already encrypted at the network layer.
Users are forced to use wss:// which requires:
Solution
Add gateway.trustedNetworks configuration option that specifies CIDR subnets to trust for ws:// connections:
  { "gateway": { "trustedNetworks": ["100.64.0.0/10", "10.0.0.0/8"] } }
This allows ws:// connections from Tailscale (100.64.0.0/10) and WireGuard (10.0.0.0/8) networks without security warnings.
Files Changed
Security
Closes openclaw#21192
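As an added example (not OpenClaw's own code; the PR's actual implementation is not shown on this page), the TypeScript below sketches how a gateway.trustedNetworks-style allowlist can gate plaintext ws://: wss:// is always accepted, loopback is always accepted, and ws:// to any other destination is accepted only when the URL host is an IPv4 literal inside one of the configured CIDR prefixes. The function names (`checkGatewayUrl`, `parseCidr`, `parseIPv4`), the IPv4-only scope, and the fail-closed handling of malformed CIDR entries are assumptions made for this example.

```typescript
// Added example, not OpenClaw's code: admission check for plaintext ws://
// against a trustedNetworks-style CIDR allowlist. Assumes IPv4 literals in
// the URL host; hostnames must be resolved to an address by the caller.

type TrustedNetwork = { base: number; mask: number; cidr: string };

/** Parse a dotted-quad IPv4 literal into an unsigned 32-bit number, or null. */
function parseIPv4(addr: string): number | null {
  const parts = addr.split(".");
  if (parts.length !== 4) return null;
  let value = 0;
  for (const part of parts) {
    if (!/^\d{1,3}$/.test(part)) return null;
    const octet = Number(part);
    if (octet > 255) return null;
    value = value * 256 + octet;
  }
  return value >>> 0;
}

/** Parse "a.b.c.d/len" into base/mask. Throws on malformed entries so a
 *  config typo fails closed at load time instead of silently trusting
 *  nothing (or everything). */
function parseCidr(cidr: string): TrustedNetwork {
  const [ipText, lenText, ...rest] = cidr.split("/");
  if (rest.length > 0 || lenText === undefined || !/^\d{1,2}$/.test(lenText)) {
    throw new Error(`invalid CIDR: ${cidr}`);
  }
  const ip = parseIPv4(ipText);
  const len = Number(lenText);
  if (ip === null || len > 32) throw new Error(`invalid CIDR: ${cidr}`);
  // "<< 32" is a no-op in JS, so a /0 mask must be special-cased.
  const mask = len === 0 ? 0 : (0xffffffff << (32 - len)) >>> 0;
  return { base: (ip & mask) >>> 0, mask, cidr };
}

function ipInNetwork(ip: number, net: TrustedNetwork): boolean {
  return ((ip & net.mask) >>> 0) === net.base;
}

type WsDecision =
  | { allowed: true; reason: "wss" | "loopback" | "trusted-network"; cidr?: string }
  | { allowed: false; reason: string };

const LOOPBACK_V4 = parseCidr("127.0.0.0/8");

/** Decide whether a gateway URL may be used given the trustedNetworks list. */
function checkGatewayUrl(rawUrl: string, trustedNetworks: string[]): WsDecision {
  const url = new URL(rawUrl);
  if (url.protocol === "wss:") return { allowed: true, reason: "wss" };
  if (url.protocol !== "ws:") {
    return { allowed: false, reason: `unsupported scheme ${url.protocol}` };
  }
  const host = url.hostname; // WHATWG URL keeps brackets on IPv6 literals
  if (host === "localhost" || host === "[::1]") {
    return { allowed: true, reason: "loopback" };
  }
  const ip = parseIPv4(host);
  if (ip === null) {
    return { allowed: false, reason: `host ${host} is not an IPv4 literal; resolve it first` };
  }
  if (ipInNetwork(ip, LOOPBACK_V4)) return { allowed: true, reason: "loopback" };
  for (const cidr of trustedNetworks) {
    const net = parseCidr(cidr); // parsed per call for simplicity; cache in real code
    if (ipInNetwork(ip, net)) {
      return { allowed: true, reason: "trusted-network", cidr: net.cidr };
    }
  }
  return {
    allowed: false,
    reason: `plaintext ws:// to ${host} is outside trustedNetworks; use wss://`,
  };
}

// Sample decisions with constructed addresses (documentation-range 203.0.113.9
// stands in for an arbitrary public host).
console.log(checkGatewayUrl("ws://100.100.5.7:18789", ["100.64.0.0/10", "10.0.0.0/8"]));
console.log(checkGatewayUrl("ws://203.0.113.9:18789", ["100.64.0.0/10", "10.0.0.0/8"]));
```

Two points worth keeping in mind when deploying an option like this. The check only sees the destination address, so a prefix is exactly as trustworthy as the routing that carries traffic to it: 100.64.0.0/10 is trusted here because Tailscale routes it through its tunnel, while 10.0.0.0/8 matches any RFC 1918 host, not only WireGuard peers, so the allowlist should be as narrow as the actual tunnel subnet. Second, the check works on literals; if a hostname is used, resolve it and check the resulting address, otherwise a DNS answer outside the trusted range would slip past a name-based comparison.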