diff --git a/CHANGELOG.md b/CHANGELOG.md index c5f8e15a02a..4c338e78b7b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1731,7 +1731,7 @@ Docs: https://docs.openclaw.ai - Control UI: show loading, reload, and retry states when a lazy dashboard panel cannot load after an upgrade, so the Logs tab no longer appears blank on stale browser bundles. Fixes #72450. Thanks @sobergou. - Gateway/plugins: start the Gateway in degraded mode when a single plugin entry has invalid schema config, and let `openclaw doctor --fix` quarantine that plugin config instead of crash-looping every channel. Fixes #62976 and #70371. Thanks @Doraemon-Claw and @pksidekyk. - Agents/plugins: skip malformed plugin tools with missing schema objects and report plugin diagnostics, so one broken tool no longer crashes Anthropic agent runs. Fixes #69423. Thanks @jmnickels. -- Dashboard: log a CVE-safe self-recovery hint pointing users to `OPENCLAW_GATEWAY_TOKEN` and `gateway.auth.token` when neither clipboard nor browser delivery places the token-bearing URL within reach, so headless and WSL invocations are not stranded on the bare URL. Fixes #72081. Thanks @praveen9354. +- Dashboard: log a CVE-safe self-recovery hint pointing users to `OPENCLAW_GATEWAY_TOKEN`, `gateway.auth.token`, and fragment key `token` when neither clipboard nor browser delivery places the token-bearing URL within reach, so headless and WSL invocations are not stranded on the bare URL. Fixes #72081. Thanks @praveen9354 and @BunsDev. - Agents/reasoning: recover fully wrapped unclosed `` replies that would otherwise sanitize to empty text while keeping strict stripping for closed reasoning blocks and unclosed tails after visible text. Fixes #37696; supersedes #51915. Thanks @druide67 and @okuyam2y. - Control UI/Gateway: bind WebChat handshakes to their active socket and reject post-close server registrations, so aborted connects no longer leave zombie clients or misleading duplicate WebSocket connection logs. Fixes #72753. Thanks @LumenFromTheFuture. 
- Agents/fallback: split ambiguous provider failures into `empty_response`, `no_error_details`, and `unclassified`, and add flat fallback-step fields to structured fallback logs so primary-model failures stay visible when later fallbacks also fail. Fixes #71922; refs #71744. Thanks @andyk-ms and @nikolaykazakovvs-ux. diff --git a/docs/cli/dashboard.md b/docs/cli/dashboard.md index 1603156eac6..e06caaa1f26 100644 --- a/docs/cli/dashboard.md +++ b/docs/cli/dashboard.md @@ -20,6 +20,10 @@ Notes: - `dashboard` resolves configured `gateway.auth.token` SecretRefs when possible. - `dashboard` follows `gateway.tls.enabled`: TLS-enabled gateways print/open `https://` Control UI URLs and connect over `wss://`. +- If clipboard/browser delivery fails for a token-authenticated dashboard URL, + `dashboard` logs a safe manual-auth hint naming `OPENCLAW_GATEWAY_TOKEN`, + `gateway.auth.token`, and fragment key `token` without printing the token + value. - For SecretRef-managed tokens (resolved or unresolved), `dashboard` prints/copies/opens a non-tokenized URL to avoid exposing external secrets in terminal output, clipboard history, or browser-launch arguments. - If `gateway.auth.token` is SecretRef-managed but unresolved in this command path, the command prints a non-tokenized URL and explicit remediation guidance instead of embedding an invalid token placeholder. diff --git a/docs/web/dashboard.md b/docs/web/dashboard.md index 403f98f921a..e833eee02fc 100644 --- a/docs/web/dashboard.md +++ b/docs/web/dashboard.md 
@@ -39,6 +39,10 @@ Prefer localhost, Tailscale Serve, or an SSH tunnel. - After onboarding, the CLI auto-opens the dashboard and prints a clean (non-tokenized) link. - Re-open anytime: `openclaw dashboard` (copies link, opens browser if possible, shows SSH hint if headless). +- If clipboard and browser delivery fail, `openclaw dashboard` still prints the + clean URL and tells you to use the token from `OPENCLAW_GATEWAY_TOKEN` or + `gateway.auth.token` as the URL fragment key `token`; it does not print token + values in logs. - If the UI prompts for shared-secret auth, paste the configured token or password into Control UI settings.
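Review bot: in the CHANGELOG.md hunk, the reworded #72081 entry still describes the hint only as "CVE-safe", which does not tell a reader what property is guaranteed. The two docs hunks in this patch state it concretely: the hint names `OPENCLAW_GATEWAY_TOKEN`, `gateway.auth.token`, and fragment key `token` without printing the token value. Suggest using that wording in the changelog entry too, so all three descriptions of the behaviour match.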
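Review bot: in the docs/cli/dashboard.md hunk, the new bullet does not say whether the manual-auth hint also applies to SecretRef-managed tokens. The bullet directly after it says those tokens get a non-tokenized URL specifically "to avoid exposing external secrets in terminal output, clipboard history, or browser-launch arguments", and a user who follows the hint by hand-building a URL with the `token` fragment reintroduces the secret into a URL. Suggest stating the scope in the new bullet (plain tokens only, or both) and, if it covers SecretRef-managed tokens, pointing to the Control UI settings paste path mentioned in docs/web/dashboard.md instead of the fragment.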
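Review bot: in the docs/web/dashboard.md hunk, "use the token from `OPENCLAW_GATEWAY_TOKEN` or `gateway.auth.token` as the URL fragment key `token`" reads as if the token itself were the key. The token is the value and `token` is the key, so suggest "as the value of the URL fragment key `token`", ideally followed by the expected fragment shape with a placeholder value so the reader does not have to guess the syntax. This bullet also says the command "prints" the clean URL and "tells you" what to do, while docs/cli/dashboard.md says it "logs" a hint; pick one verb so readers know whether to look at stdout or the log output.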