docs: clarify IRC managed proxy coverage (#76822)

Summary: - The PR adds a changelog note plus IRC and network-proxy documentation stating that IRC raw TCP/TLS egress is outside operator-managed forward proxy routing and should be disabled unless direct egress is approved. - Reproducibility: not applicable. for this docs-only PR. Source inspection establishes the documented premise ... kets while managed proxy routing covers normal HTTP/WebSocket paths and documents raw-socket bypass limits. Automerge notes: - PR branch already contained follow-up commit before automerge: fix(clawsweeper): address review for automerge-openclaw-openclaw-7682… Validation: - ClawSweeper review passed for head 7dde35adb9. - Required merge gates passed before the squash merge. Prepared head SHA: 7dde35adb9 Review: https://github.com/openclaw/openclaw/pull/76822#issuecomment-4366671907 Co-authored-by: jesse-merhi <79823012+jesse-merhi@users.noreply.github.com> Co-authored-by: clawsweeper <274271284+clawsweeper[bot]@users.noreply.github.com>
2026-05-06 17:20:45 +00:00 · 2026-05-04 10:52:47 +10:00
parent 4856cbb017
commit 9c3b7b7b15
3 changed files with 3 additions and 0 deletions
--- a/docs/channels/irc.md
+++ b/docs/channels/irc.md
@@ -39,6 +39,7 @@ openclaw gateway run

 ## Security defaults

+- IRC uses raw TCP/TLS sockets outside OpenClaw operator-managed forward proxy routing. In deployments that require all egress through that forward proxy, set `channels.irc.enabled=false` unless direct IRC egress is explicitly approved.
 - `channels.irc.dmPolicy` defaults to `"pairing"`.
 - `channels.irc.groupPolicy` defaults to `"allowlist"`.
 - With `groupPolicy="allowlist"`, set `channels.irc.groups` to define allowed channels.