vultr/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-07 04:30:43 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
09d7e7f4615bffd3e9d98dcfe1acbb6487d7f501
openclaw/docs/cli/qr.md
Val Alexander 36df0d93b9 fix: repair iOS LAN pairing 
Fix iOS LAN/setup-code pairing policy for #47887.

- Allow explicit private LAN and .local plaintext ws:// setup/manual connects where policy allows it.
- Keep public hosts, .ts.net, and Tailscale CGNAT plaintext fail-closed.
- Prefer explicit passwords over stale bootstrap tokens in Swift and TypeScript gateway clients.
- Update setup-code/device-pair coverage, docs, and changelog with source credit for #65185.

Verification:
- pnpm install
- git diff --check origin/main..HEAD
- pnpm exec oxfmt --check --threads=1 src/gateway/client.ts src/gateway/client.test.ts src/pairing/setup-code.ts src/pairing/setup-code.test.ts extensions/device-pair/index.ts extensions/device-pair/index.test.ts
- pnpm format:docs:check
- pnpm test src/gateway/client.test.ts src/pairing/setup-code.test.ts extensions/device-pair/index.test.ts
- cd apps/shared/OpenClawKit && swift test --filter 'DeepLinksSecurityTests|GatewayNodeSessionTests'
- pnpm lint:swift passes with the existing TalkModeRuntime.swift type-body-length warning

Blocked locally:
- iOS app-target xcodebuild tests require unavailable watchOS 26.4 runtime here.
- Testbox check:changed previously failed because the image lacks swiftlint; local swiftlint passes.
2026-05-05 21:07:19 -05:00

3.2 KiB
Raw Blame History

summary, read_when, title
summary read_when title
CLI reference for `openclaw qr` (generate mobile pairing QR + setup code)
You want to pair a mobile node app with a gateway quickly
You need setup-code output for remote/manual sharing
QR

openclaw qr

Generate a mobile pairing QR and setup code from your current Gateway configuration.

Usage

openclaw qr
openclaw qr --setup-code-only
openclaw qr --json
openclaw qr --remote
openclaw qr --url wss://gateway.example/ws

Options

  • --remote: prefer gateway.remote.url; if it is unset, gateway.tailscale.mode=serve|funnel can still provide the remote public URL
  • --url <url>: override gateway URL used in payload
  • --public-url <url>: override public URL used in payload
  • --token <token>: override which gateway token the bootstrap flow authenticates against
  • --password <password>: override which gateway password the bootstrap flow authenticates against
  • --setup-code-only: print only setup code
  • --no-ascii: skip ASCII QR rendering
  • --json: emit JSON (setupCode, gatewayUrl, auth, urlSource)

Notes

  • --token and --password are mutually exclusive.
  • The setup code itself now carries an opaque short-lived bootstrapToken, not the shared gateway token/password.
  • In the built-in node/operator bootstrap flow, the primary node token still lands with scopes: [].
  • If bootstrap handoff also issues an operator token, it stays bounded to the bootstrap allowlist: operator.approvals, operator.read, operator.talk.secrets, operator.write.
  • Bootstrap scope checks are role-prefixed. That operator allowlist only satisfies operator requests; non-operator roles still need scopes under their own role prefix.
  • Mobile pairing fails closed for Tailscale/public ws:// gateway URLs. Private LAN addresses and .local Bonjour hosts remain supported over ws://, but Tailscale/public mobile routes should use Tailscale Serve/Funnel or a wss:// gateway URL.
  • With --remote, OpenClaw requires either gateway.remote.url or gateway.tailscale.mode=serve|funnel.
  • With --remote, if effectively active remote credentials are configured as SecretRefs and you do not pass --token or --password, the command resolves them from the active gateway snapshot. If gateway is unavailable, the command fails fast.
  • Without --remote, local gateway auth SecretRefs are resolved when no CLI auth override is passed:
    • gateway.auth.token resolves when token auth can win (explicit gateway.auth.mode="token" or inferred mode where no password source wins).
    • gateway.auth.password resolves when password auth can win (explicit gateway.auth.mode="password" or inferred mode with no winning token from auth/env).
  • If both gateway.auth.token and gateway.auth.password are configured (including SecretRefs) and gateway.auth.mode is unset, setup-code resolution fails until mode is set explicitly.
  • Gateway version skew note: this command path requires a gateway that supports secrets.resolve; older gateways return an unknown-method error.
  • After scanning, approve device pairing with:
    • openclaw devices list
    • openclaw devices approve <requestId>

Related

Reference in New Issue View Git Blame Copy Permalink