fix(gateway): honor minimal discovery mode for wide-area DNS-SD [AI] (#80903)

* fix: respect discovery mode for wide-area cli path * addressing codex review * docs: add changelog entry for PR merge
2026-05-18 16:54:46 +00:00 · 2026-05-12 16:03:50 +05:30
parent d164f8cc74
commit da6f32bedf
5 changed files with 39 additions and 10 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,7 @@ Docs: https://docs.openclaw.ai

 ### Fixes

+- fix(gateway): honor minimal discovery mode for wide-area DNS-SD [AI]. (#80903) Thanks @pgondhi987.
 - slack: enforce reaction notification policy [AI]. (#80907) Thanks @pgondhi987.
 - Enforce gateway command scopes by caller context [AI]. (#80891) Thanks @pgondhi987.
 - Enforce Slack plugin approval button authorization [AI]. (#80899) Thanks @pgondhi987.
--- a/docs/cli/gateway.md
+++ b/docs/cli/gateway.md
@@ -520,15 +520,15 @@ openclaw gateway restart

 Only gateways with Bonjour discovery enabled (default) advertise the beacon.

-Wide-Area discovery records include (TXT):
+Wide-area discovery records can include these TXT hints:

 - `role` (gateway role hint)
 - `transport` (transport hint, e.g. `gateway`)
 - `gatewayPort` (WebSocket port, usually `18789`)
- `sshPort` (optional; clients default SSH targets to `22` when it is absent)
+- `sshPort` (full discovery mode only; clients default SSH targets to `22` when it is absent)
 - `tailnetDns` (MagicDNS hostname, when available)
 - `gatewayTls` / `gatewayTlsSha256` (TLS enabled + cert fingerprint)
- `cliPath` (remote-install hint written to the wide-area zone)
+- `cliPath` (full discovery mode only)

 ### `gateway discover`

@@ -553,7 +553,7 @@ openclaw gateway discover --json | jq '.beacons[].wsUrl'
 <Note>
 - The CLI scans `local.` plus the configured wide-area domain when one is enabled.
 - `wsUrl` in JSON output is derived from the resolved service endpoint, not from TXT-only hints such as `lanHost` or `tailnetDns`.
- On `local.` mDNS, `sshPort` and `cliPath` are only broadcast when `discovery.mdns.mode` is `full`. Wide-area DNS-SD still writes `cliPath`; `sshPort` stays optional there too.
+- On `local.` mDNS and wide-area DNS-SD, `sshPort` and `cliPath` are only published when `discovery.mdns.mode` is `full`.

 </Note>

--- a/docs/gateway/bonjour.md
+++ b/docs/gateway/bonjour.md
@@ -100,8 +100,8 @@ The Gateway advertises small non-secret hints to make UI flows convenient:
 - `canvasPort=<port>` (only when the canvas host is enabled; currently the same as `gatewayPort`)
 - `transport=gateway`
 - `tailnetDns=<magicdns>` (mDNS full mode only, optional hint when Tailnet is available)
- `sshPort=<port>` (mDNS full mode only; wide-area DNS-SD may omit it)
- `cliPath=<path>` (mDNS full mode only; wide-area DNS-SD still writes it as a remote-install hint)
+- `sshPort=<port>` (full mode only; omitted in minimal and off modes)
+- `cliPath=<path>` (full mode only; omitted in minimal and off modes)

 Security notes:

@@ -176,9 +176,11 @@ openclaw plugins enable bonjour
 ```

 When enabled, Bonjour uses `discovery.mdns.mode` to decide how much TXT metadata
-to publish. The default mode is `minimal`; use `full` only when local clients need
-`cliPath` or `sshPort` hints, and use `off` to suppress LAN multicast without
-changing plugin enablement.
+to publish. The same mode controls optional TXT hints in wide-area DNS-SD records.
+The default mode is `minimal`; use `full` only when clients need `cliPath` or
+`sshPort` hints. Use `off` to suppress LAN multicast without changing plugin
+enablement; wide-area DNS-SD can still publish the minimal Gateway beacon when
+`discovery.wideArea.enabled` is true.

 ## When to disable Bonjour

--- a/src/gateway/server-discovery-runtime.test.ts
+++ b/src/gateway/server-discovery-runtime.test.ts
@@ -232,4 +232,30 @@ describe("startGatewayDiscovery", () => {
    ]);
    expect(result.bonjourStop).toBeNull();
  });
+
+  it("omits the CLI path from wide-area DNS-SD in minimal mode", async () => {
+    process.env.NODE_ENV = "development";
+    delete process.env.VITEST;
+
+    const logs = makeLogs();
+
+    await startGatewayDiscovery({
+      machineDisplayName: "Lab Mac",
+      port: 18789,
+      gatewayTls: { enabled: false },
+      wideAreaDiscoveryEnabled: true,
+      wideAreaDiscoveryDomain: "openclaw.internal.",
+      tailscaleMode: "serve",
+      mdnsMode: "minimal",
+      gatewayDiscoveryServices: [],
+      logDiscovery: logs,
+    });
+
+    const [zoneParams] = mocks.writeWideAreaGatewayZone.mock.calls.at(-1) ?? [];
+    if (zoneParams === undefined) {
+      throw new Error("Expected wide-area gateway zone to be written");
+    }
+    expect(zoneParams.cliPath).toBeUndefined();
+    expect(mocks.resolveBonjourCliPath).not.toHaveBeenCalled();
+  });
 });
--- a/src/gateway/server-discovery-runtime.ts
+++ b/src/gateway/server-discovery-runtime.ts
@@ -169,7 +169,7 @@ export async function startGatewayDiscovery(params: {
          gatewayTlsFingerprintSha256: params.gatewayTls?.fingerprintSha256,
          tailnetDns,
          sshPort,
-          cliPath: resolveBonjourCliPath(),
+          cliPath,
        });
        params.logDiscovery.info(
          `wide-area DNS-SD ${result.changed ? "updated" : "unchanged"} (${wideAreaDomain} → ${result.zonePath})`,