fix(ios): harden gateway pairing setup

Harden iOS gateway setup-code pairing by rejecting non-loopback plaintext ws:// setup URLs before bootstrap token issuance, consolidating iOS setup parsing, and adding QR scan support from Settings. Verification: - pnpm test extensions/device-pair/index.test.ts - swift test --package-path apps/shared/OpenClawKit --filter DeepLinksSecurityTests - XcodeBuildMCP OpenClawLogicTests/DeepLinkParserTests - targeted SwiftLint for touched iOS/OpenClawKit files - pnpm exec oxfmt --check --threads=1 extensions/device-pair/index.ts extensions/device-pair/index.test.ts - git diff --check origin/main...HEAD - GitHub PR checks green on 58e5e60a5c
2026-05-06 19:40:42 +00:00 · 2026-05-04 02:11:47 -05:00
parent 5fe8cde28f
commit b2efd19648
15 changed files with 556 additions and 188 deletions
--- a/apps/ios/Tests/DeepLinkParserTests.swift
+++ b/apps/ios/Tests/DeepLinkParserTests.swift
@@ -161,4 +161,34 @@ private func agentAction(
            token: nil,
            password: nil))
    }
+
+    @Test func parseGatewaySetupInputParsesFullCopiedSetupMessage() {
+        let payload = #"{"url":"wss://gateway.example.com","bootstrapToken":"tok"}"#
+        let link = GatewayConnectDeepLink.fromSetupInput("""
+        Pairing setup code generated.
+
+        Setup code:
+        \(setupCode(from: payload))
+        """)
+
+        #expect(link == .init(
+            host: "gateway.example.com",
+            port: 443,
+            tls: true,
+            bootstrapToken: "tok",
+            token: nil,
+            password: nil))
+    }
+
+    @Test func parseGatewaySetupInputParsesRawGatewayURL() {
+        let link = GatewayConnectDeepLink.fromSetupInput("wss://gateway.example.com:444")
+
+        #expect(link == .init(
+            host: "gateway.example.com",
+            port: 444,
+            tls: true,
+            bootstrapToken: nil,
+            token: nil,
+            password: nil))
+    }
 }