docs: fix Gateway & Ops audit findings (7 pages)

- cli-backends.md: remove duplicate modelAliases key - discovery.md: add missing transport=gateway and displayName TXT keys - authentication.md: retitle to "Authentication (Model Providers)", add disambiguation Note pointing to gateway connection auth docs - health.md: expand frontmatter scope, add --probe flag and response shape docs - gateway-lock.md: remove stale hardcoded date, add Related section - troubleshooting.md: fix wrong auth cross-link (model auth -> gateway config) - logging.md: add Related section linking to gateway logging internals
2026-05-05 04:50:23 +00:00 · 2026-03-31 14:23:59 +09:00
parent 6c6792446b
commit 637f15375b
7 changed files with 31 additions and 8 deletions
--- a/docs/gateway/authentication.md
+++ b/docs/gateway/authentication.md
@@ -6,7 +6,11 @@ read_when:
 title: "Authentication"
 ---

-# Authentication
+# Authentication (Model Providers)
+
+<Note>
+This page covers **model provider** authentication (API keys, OAuth, setup tokens). For **gateway connection** authentication (token, password, trusted-proxy), see [Configuration](/gateway/configuration) and [Trusted Proxy Auth](/gateway/trusted-proxy-auth).
+</Note>

 OpenClaw supports OAuth and API keys for model providers. For always-on gateway
 hosts, API keys are usually the most predictable option. Subscription/OAuth
--- a/docs/gateway/cli-backends.md
+++ b/docs/gateway/cli-backends.md
@@ -119,7 +119,6 @@ The provider id becomes the left side of your model ref:
          input: "arg",
          modelArg: "--model",
          modelAliases: {
-            "claude-opus-4-6": "opus",
            "claude-opus-4-6": "opus",
            "claude-sonnet-4-6": "sonnet",
          },
--- a/docs/gateway/discovery.md
+++ b/docs/gateway/discovery.md
@@ -59,6 +59,8 @@ Troubleshooting and beacon details: [Bonjour](/gateway/bonjour).
  - `_openclaw-gw._tcp` (gateway transport beacon)
 - TXT keys (non-secret):
  - `role=gateway`
+  - `transport=gateway`
+  - `displayName=<friendly name>` (operator-configured display name)
  - `lanHost=<hostname>.local`
  - `sshPort=22` (or whatever is advertised)
  - `gatewayPort=18789` (Gateway WS + HTTP)
--- a/docs/gateway/gateway-lock.md
+++ b/docs/gateway/gateway-lock.md
@@ -8,8 +8,6 @@ title: "Gateway Lock"

 # Gateway lock

-Last updated: 2025-12-11
-
 ## Why

 - Ensure only one gateway instance runs per base port on the same host; additional gateways must use isolated profiles and unique ports.
@@ -32,3 +30,8 @@ Last updated: 2025-12-11

 - If the port is occupied by _another_ process, the error is the same; free the port or choose another with `openclaw gateway --port <port>`.
 - The macOS app still maintains its own lightweight PID guard before spawning the gateway; the runtime lock is enforced by the WebSocket bind.
+
+## Related
+
+- [Multiple Gateways](/gateway/multiple-gateways) — running multiple instances with unique ports
+- [Troubleshooting](/gateway/troubleshooting) — diagnosing `EADDRINUSE` and port conflicts
--- a/docs/gateway/health.md
+++ b/docs/gateway/health.md
@@ -1,7 +1,8 @@
 ---
-summary: "Health check steps for channel connectivity"
+summary: "Health check commands and gateway health monitoring"
 read_when:
-  - Diagnosing WhatsApp channel health
+  - Diagnosing channel connectivity or gateway health
+  - Understanding health check CLI commands and options
 title: "Health Checks"
 ---

@@ -41,4 +42,12 @@ Short guide to verify channel connectivity without guessing.

 ## Dedicated "health" command

-`openclaw health --json` asks the running Gateway for its health snapshot (no direct channel sockets from the CLI). It reports linked creds/auth age when available, per-channel probe summaries, session-store summary, and a probe duration. It exits non-zero if the Gateway is unreachable or the probe fails/timeouts. Use `--timeout <ms>` to override the 10s default.
+`openclaw health --json` asks the running Gateway for its health snapshot (no direct channel sockets from the CLI). It reports linked creds/auth age when available, per-channel probe summaries, session-store summary, and a probe duration. It exits non-zero if the Gateway is unreachable or the probe fails/timeouts.
+
+Options:
+
+- `--json`: machine-readable JSON output
+- `--timeout <ms>`: override the default 10s probe timeout
+- `--probe`: force a live probe of all channels instead of returning the cached health snapshot
+
+The health snapshot includes: `ok` (boolean), `ts` (timestamp), `durationMs` (probe time), per-channel status, agent availability, and session-store summary.
--- a/docs/gateway/troubleshooting.md
+++ b/docs/gateway/troubleshooting.md
@@ -145,7 +145,8 @@ If logs show nonce/signature errors, update the connecting client and verify it:
 Related:

 - [/web/control-ui](/web/control-ui)
- [/gateway/authentication](/gateway/authentication)
+- [/gateway/configuration](/gateway/configuration) (gateway auth modes)
+- [/gateway/trusted-proxy-auth](/gateway/trusted-proxy-auth)
 - [/gateway/remote](/gateway/remote)
 - [/cli/devices](/cli/devices)

--- a/docs/logging.md
+++ b/docs/logging.md
@@ -350,3 +350,8 @@ Queues + sessions:
 - **Logs empty?** Check that the Gateway is running and writing to the file path
  in `logging.file`.
 - **Need more detail?** Set `logging.level` to `debug` or `trace` and retry.
+
+## Related
+
+- [Gateway Logging Internals](/gateway/logging) — WS log styles, subsystem prefixes, and console capture
+- [Diagnostics](/gateway/configuration-reference#diagnostics) — OpenTelemetry export and cache trace config