diff --git a/docs/cli/node.md b/docs/cli/node.md index 46c794d8590..b15b8dfb131 100644 --- a/docs/cli/node.md +++ b/docs/cli/node.md @@ -77,7 +77,9 @@ Options: For a node connecting to a non-loopback `ws://` Gateway on a trusted private network, set `OPENCLAW_ALLOW_INSECURE_PRIVATE_WS=1`. Without it, node startup fails closed and asks you to use `wss://`, an SSH tunnel, or Tailscale. -`openclaw node install` persists this opt-in into the supervised node service. +This is a process-environment opt-in, not an `openclaw.json` config key. +`openclaw node install` persists it into the supervised node service when it is +present in the install command environment. ## Service (background) diff --git a/docs/cli/onboard.md b/docs/cli/onboard.md index fea50fde3fe..814f3249388 100644 --- a/docs/cli/onboard.md +++ b/docs/cli/onboard.md @@ -28,6 +28,8 @@ openclaw onboard --mode remote --remote-url wss://gateway-host:18789 For plaintext private-network `ws://` targets (trusted networks only), set `OPENCLAW_ALLOW_INSECURE_PRIVATE_WS=1` in the onboarding process environment. +There is no `openclaw.json` equivalent for this client-side transport +break-glass. Non-interactive custom provider: diff --git a/docs/gateway/configuration-reference.md b/docs/gateway/configuration-reference.md index 17c9c44b0b2..0cd85bda65b 100644 --- a/docs/gateway/configuration-reference.md +++ b/docs/gateway/configuration-reference.md 
@@ -319,7 +319,12 @@ See [Plugins](/tools/plugin). - `controlUi.allowedOrigins`: explicit browser-origin allowlist for Gateway WebSocket connects. Required when browser clients are expected from non-loopback origins. - `controlUi.dangerouslyAllowHostHeaderOriginFallback`: dangerous mode that enables Host-header origin fallback for deployments that intentionally rely on Host-header origin policy. - `remote.transport`: `ssh` (default) or `direct` (ws/wss). For `direct`, `remote.url` must be `ws://` or `wss://`. -- `OPENCLAW_ALLOW_INSECURE_PRIVATE_WS=1`: client-side break-glass override that allows plaintext `ws://` to trusted private-network IPs; default remains loopback-only for plaintext. +- `OPENCLAW_ALLOW_INSECURE_PRIVATE_WS=1`: client-side process-environment + break-glass override that allows plaintext `ws://` to trusted private-network + IPs; default remains loopback-only for plaintext. There is no `openclaw.json` + equivalent, and browser private-network config such as + `browser.ssrfPolicy.dangerouslyAllowPrivateNetwork` does not affect Gateway + WebSocket clients. - `gateway.remote.token` / `.password` are remote-client credential fields. They do not configure gateway auth by themselves. - `gateway.push.apns.relay.baseUrl`: base HTTPS URL for the external APNs relay used by official/TestFlight iOS builds after they publish relay-backed registrations to the gateway. This URL must match the relay URL compiled into the iOS build. - `gateway.push.apns.relay.timeoutMs`: gateway-to-relay send timeout in milliseconds. Defaults to `10000`. diff --git a/docs/gateway/remote.md b/docs/gateway/remote.md index c43fd735aa7..cc41e72f7c2 100644 --- a/docs/gateway/remote.md +++ b/docs/gateway/remote.md 
@@ -138,7 +138,9 @@ Short version: **keep the Gateway loopback-only** unless you’re sure you need - **Loopback + SSH/Tailscale Serve** is the safest default (no public exposure). - Plaintext `ws://` is loopback-only by default. For trusted private networks, - set `OPENCLAW_ALLOW_INSECURE_PRIVATE_WS=1` on the client process as break-glass. + set `OPENCLAW_ALLOW_INSECURE_PRIVATE_WS=1` on the client process as + break-glass. There is no `openclaw.json` equivalent; this must be process + environment for the client making the WebSocket connection. - **Non-loopback binds** (`lan`/`tailnet`/`custom`, or `auto` when loopback is unavailable) must use gateway auth: token, password, or an identity-aware reverse proxy with `gateway.auth.mode: "trusted-proxy"`. - `gateway.remote.token` / `.password` are client credential sources. They do **not** configure server auth by themselves. - Local call paths can use `gateway.remote.*` as fallback only when `gateway.auth.*` is unset. diff --git a/docs/gateway/security/index.md b/docs/gateway/security/index.md index 1c33aeebae6..4d0c3e786c4 100644 --- a/docs/gateway/security/index.md +++ b/docs/gateway/security/index.md @@ -840,7 +840,9 @@ If `gateway.auth.token` / `gateway.auth.password` is explicitly configured via SecretRef and unresolved, resolution fails closed (no remote fallback masking). Optional: pin remote TLS with `gateway.remote.tlsFingerprint` when using `wss://`. Plaintext `ws://` is loopback-only by default. For trusted private-network -paths, set `OPENCLAW_ALLOW_INSECURE_PRIVATE_WS=1` on the client process as break-glass. +paths, set `OPENCLAW_ALLOW_INSECURE_PRIVATE_WS=1` on the client process as +break-glass. This is intentionally process environment only, not an +`openclaw.json` config key. Local device pairing: diff --git a/docs/plugins/google-meet.md b/docs/plugins/google-meet.md index 2ddd662bf68..2211084b780 100644 --- a/docs/plugins/google-meet.md +++ b/docs/plugins/google-meet.md 
@@ -152,6 +152,10 @@ OPENCLAW_ALLOW_INSECURE_PRIVATE_WS=1 \ openclaw node restart ``` +`OPENCLAW_ALLOW_INSECURE_PRIVATE_WS=1` is process environment, not an +`openclaw.json` setting. `openclaw node install` stores it in the LaunchAgent +environment when it is present on the install command. + Approve the node from the Gateway host: ```bash
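Review bot: In the `docs/cli/node.md` hunk, the new sentence "`openclaw node install` persists it into the supervised node service when it is present in the install command environment" only states the positive case; spell out the converse too, since the context line directly above already says startup fails closed without it. Suggest appending something like "If `openclaw node install` is run from a shell where the variable is not set, the resulting service will not carry it and the node will fail closed against a `ws://` Gateway until it is reinstalled with the variable set." Without that, an operator who exported the variable only for a one-off `openclaw node restart` will not realize the supervised service never received it.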
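Review bot: In the `docs/cli/onboard.md` hunk, "this client-side transport break-glass" introduces a compound term the onboarding page has not defined; the preceding paragraph only calls it a setting for plaintext `ws://` targets. Suggest "There is no `openclaw.json` equivalent for this override; it must be set in the environment of the process that makes the WebSocket connection." so the sentence stands on its own for a reader who has not visited the Gateway security docs.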
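Review bot: In the `docs/gateway/configuration-reference.md` hunk, the bullet still says "trusted private-network IPs" without stating which address ranges the client treats as private; in a reference page that is the one detail a reviewer of a deployment will look up, because the break-glass is exactly as wide as that definition. Suggest naming the ranges (or linking to where they are defined) right after "private-network IPs". The added clarification that `browser.ssrfPolicy.dangerouslyAllowPrivateNetwork` does not affect Gateway WebSocket clients is useful, since the two keys share the "private network" wording and are otherwise easy to conflate.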
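Review bot: In the `docs/gateway/remote.md` hunk, "this must be process environment for the client making the WebSocket connection" leaves open which process that is in the two cases the surrounding docs cover; the `docs/cli/node.md` hunk in this same change says the supervised node service carries it after `openclaw node install`. Suggest a short parenthetical such as "(the `openclaw` CLI invocation, or the supervised node service installed with the variable present)" so the two pages say the same thing. Minor style point: the other items in this list open with a bold lead phrase, this one does not.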
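Review bot: In the `docs/gateway/security/index.md` hunk, "This is intentionally process environment only" asserts a design decision without giving the reason, and on the security page that is where readers will expect it. Suggest one clause stating the intent, for example that the plaintext downgrade is meant to be an explicit per-invocation choice rather than a persisted setting, rather than leaving "intentionally" unexplained; if the rationale lives elsewhere, link it.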
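Review bot: In the `docs/plugins/google-meet.md` hunk, "stores it in the LaunchAgent environment" is macOS-specific wording, while the `docs/cli/node.md` hunk in this same change uses the platform-neutral "supervised node service"; unless this plugin page is scoped to macOS, align the two so readers on other platforms do not conclude the persistence does not apply to them. Also "when it is present on the install command" reads oddly next to node.md's "in the install command environment"; suggest "when it is present in the environment of the `openclaw node install` command" in both places.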