Issue Station
Sign In
Tools hereToolbox

openclaw - ✅(Solved) Fix Feature: Allow LAN devices to auto-pair without manual approval [1 pull requests, 1 participants]

Official PRs (…)
ON THIS PAGE

Recommended Tools

×6

Utilities matched from this issue’s tags and category — try them while you read without losing context.

GitHub issue graph ai analysis

Paste a GitHub issue URL. We fetch that issue, discover linked issues from bodies/comments/timeline, collect linked pull requests, and produce a structured English report.

The report is written in English Markdown for sharing and archival.

Helpful · Quick feedback

Loading…
GitHub stats
openclaw/openclaw#60800Fetched 2026-04-08 02:47:01
View on GitHub
Comments
0
Participants
1
Timeline
1
Reactions
0
Author
woaim65woaim65
Participants
woaim65woaim65
Timeline (top)
cross-referenced ×1

Fix Action

Fix / Workaround

  • Gateway bind: lan (0.0.0.0)
  • Use case: personal Android/iOS app reconnecting after reinstall
  • Current workaround: run openclaw devices approve each time, but this is inconvenient

PR fix notes

PR #61004: Feat- issue node pairing auto approve cidrs

Description (problem / solution / changelog)

Summary

Describe the problem and fix in 2–5 bullets:

If this PR fixes a plugin beta-release blocker, title it fix(<plugin-id>): beta blocker - <summary> and link the matching Beta blocker: <plugin-name> - <summary> issue labeled beta-blocker. Contributors cannot label PRs, so the title is the PR-side signal for maintainers and automation.

  • Problem: Gateway had no opt-in way to auto-approve first-time role: node device pairing from explicitly trusted CIDRs, so tightly controlled node deployments still required manual approval every time.
  • Why it matters: node onboarding on trusted networks was unnecessarily manual, but any automation here is security-sensitive and must not weaken operator/ browser pairing or upgrade approval boundaries.
  • What changed: added gateway.nodes.pairing.autoApproveCidrs, wired it into device pairing for first-time node pairing only, documented it, and added focused tests for allowed and rejected paths.
  • What did NOT change (scope boundary): operator/browser/Control UI pairing still stays manual; role, scope, and metadata upgrades still require approval; loopback trusted-proxy headers are not eligible for auto-approve; no blanket LAN auto-approve mode was added.

Change Type (select all)

  • Bug fix
  • Feature
  • Refactor required for the fix
  • Docs
  • Security hardening
  • Chore/infra

Scope (select all touched areas)

  • Gateway / orchestration
  • Skills / tool execution
  • Auth / tokens
  • Memory / storage
  • Integrations
  • API / contracts
  • UI / DX
  • CI/CD / infra

Linked Issue/PR

  • Closes #60800
  • Related #
  • This PR fixes a bug or regression

Root Cause (if applicable)

For bug fixes or regressions, explain why this happened, not just what changed. Otherwise write N/A. If the cause is unclear, write Unknown.

  • Root cause: the new trusted-CIDR pairing path initially keyed only off requested role/scopes and reported client IP, without fully preserving existing browser/control-ui/manual-pairing boundaries and without accounting for spoofable loopback trusted-proxy header paths.
  • Missing detection / guardrail: there was no server-level regression test covering browser/control-ui node-role connects or loopback trusted-proxy header rejection on the trusted-CIDR path.
  • Contributing context (if known): pairing decisions already combined several silent-approval paths, so the new path needed to inherit the same trust boundaries instead of only checking CIDR membership.

Regression Test Plan (if applicable)

For bug fixes or regressions, name the smallest reliable test coverage that should catch this. Otherwise write N/A.

  • Coverage level that should have caught this:
    • Unit test
    • Seam / integration test
    • End-to-end test
    • Existing coverage already sufficient
  • Target test or file: - src/gateway/node-pairing-auto-approve.test.ts - src/gateway/server.node-pairing-auto-approve.test.ts
  • Scenario the test should lock in: - matching trusted CIDR is only eligible for first-time role: node pairing with empty scopes - browser/control-ui/webchat node-role connects stay manual - loopback trusted-proxy header paths do not silently auto-approve - role/scope upgrades still require approval
  • Why this is the smallest reliable guardrail: the helper test locks policy decisions directly, and the server test locks handshake wiring and pairing behavior without needing broader E2E infrastructure.
  • Existing test that already covers this (if any): existing pairing and allowlist tests still cover neighboring approval behavior.
  • If no new test is added, why not: N/A

User-visible / Behavior Changes

  • New optional config: gateway.nodes.pairing.autoApproveCidrs
  • When configured, first-time node device pairing with no requested scopes can auto-approve if the effective client IP matches an explicit CIDR/IP allowlist
  • Operator/browser/Control UI pairing still remains manual
  • Role, scope, and metadata upgrades still remain manual
  • Docs now describe the new config and its security boundary

Diagram (if applicable)

Before: [node connect] -> [not paired] -> [manual pairing required]

After: [node connect from allowed CIDR] -> [first-time node + no scopes + non-browser + non-loopback-proxy] -> [auto-approved]

After (blocked cases): [node connect] -> [browser/control-ui OR loopback trusted-proxy OR upgrade OR non-match] -> [manual pairing required]

Security Impact (required)

  • New permissions/capabilities? (Yes/No) Yes
  • Secrets/tokens handling changed? (Yes/No) No
  • New/changed network calls? (Yes/No) No
  • Command/tool execution surface changed? (Yes/No) No
  • Data access scope changed? (Yes/No) No
  • If any Yes, explain risk + mitigation:
    • This adds an opt-in silent-pairing capability for node devices on explicitly trusted CIDRs. Risk is accidental over-trust from misconfigured CIDRs or\ spoofed client-IP paths. Mitigations: explicit allowlist only, first-time node pairing only, empty scopes only, browser/control-ui/webchat excluded,\ role/scope/metadata upgrades excluded, and loopback trusted-proxy header paths explicitly rejected.

Repro + Verification

Environment

  • OS: macOS

  • Runtime/container: local Node/pnpm dev environment

  • Model/provider: N/A

  • Integration/channel (if any): Gateway node pairing

  • Relevant config (redacted):

    gateway: trustedProxies: - "127.0.0.1" nodes: pairing: autoApproveCidrs: - "203.0.113.0/24"

Steps

  1. Configure gateway.nodes.pairing.autoApproveCidrs with an explicit CIDR.
  2. Connect a node-role device with empty scopes from a matching and then a non-matching path.
  3. Repeat with browser/control-ui-style clients, upgrade flows, and loopback trusted-proxy headers.

Expected

  • Matching trusted node path can auto-approve only within the narrow allowed boundary.
  • Browser/control-ui, upgrades, and spoofable loopback trusted-proxy paths require manual pairing.

Actual

  • Matches expected in targeted local verification.

Evidence

Attach at least one:

  • Failing test/log before + passing after
  • Trace/log snippets
  • Screenshot/recording
  • Perf numbers (if relevant)

Human Verification (required)

  • Verified scenarios:
    • config accepts CIDR/IP entries
    • helper accepts/rejects trusted CIDR decisions correctly
    • browser/control-ui node-role connects stay manual
    • loopback trusted-proxy header path stays manual
    • role/scope upgrade flows stay manual
    • untrusted proxy headers stay manual
  • Edge cases checked:
    • exact IP entry
    • IPv6 CIDR
    • empty/missing CIDR list
    • non-empty scopes
  • What you did not verify:
    • full repo landing gate is not green because unrelated existing pnpm build failures remain outside this touched surface
    • no external reverse-proxy E2E environment was run

Review Conversations

  • I replied to or resolved every bot review conversation I addressed in this PR.
  • I left unresolved only the conversations that still need reviewer or maintainer judgment.

If a bot review conversation is addressed by this PR, resolve that conversation yourself. Do not leave bot review conversation cleanup for maintainers.

Compatibility / Migration

  • Backward compatible? (Yes/No) Yes
  • Config/env changes? (Yes/No) Yes
  • Migration needed? (Yes/No) No
  • If yes, exact upgrade steps: N/A

Risks and Mitigations

List only real risks for this PR. Add/remove entries as needed. If none, write None.

  • Risk: an operator may configure an overly broad CIDR and auto-approve more node clients than intended.
    • Mitigation: feature is fully opt-in, documented as explicit CIDR/IP allowlist only, and limited to first-time node pairing with no scopes.
  • Risk: future pairing changes could accidentally reopen browser/control-ui or spoofed proxy paths.
    • Mitigation: focused unit and server-level regression tests now lock those rejection paths.
  • Risk: reviewers may treat broader repo build failures as related to this PR.
    • Mitigation: call out that current pnpm build failures are pre-existing/unrelated and outside the touched gateway files.

Changed files

  • .agents/skills/openclaw-secret-scanning-maintainer/scripts/secret-scanning.mjs (modified, +17/-10)
  • docs/.generated/config-baseline.sha256 (modified, +2/-2)
  • docs/gateway/configuration-reference.md (modified, +9/-0)
  • docs/gateway/pairing.md (modified, +24/-0)
  • docs/platforms/android.md (modified, +19/-0)
  • docs/platforms/ios.md (modified, +19/-0)
  • extensions/memory-lancedb/config.ts (modified, +9/-1)
  • src/agents/pi-embedded-helpers/errors.ts (modified, +3/-1)
  • src/agents/pi-embedded-runner/run/attempt.context-engine-helpers.ts (modified, +33/-34)
  • src/agents/pi-embedded-runner/run/attempt.prompt-helpers.ts (modified, +4/-4)
  • src/agents/pi-embedded-runner/run/attempt.test.ts (modified, +5/-3)
  • src/agents/pi-embedded-runner/run/preemptive-compaction.ts (modified, +2/-2)
  • src/agents/pi-settings.test.ts (modified, +1/-4)
  • src/agents/pi-settings.ts (modified, +1/-4)
  • src/config/config.gateway-node-pairing-auto-approve.test.ts (added, +74/-0)
  • src/config/schema.base.generated.ts (modified, +27/-0)
  • src/config/schema.help.ts (modified, +6/-0)
  • src/config/schema.labels.ts (modified, +3/-0)
  • src/config/schema.tags.ts (modified, +1/-0)
  • src/config/types.gateway.ts (modified, +10/-0)
  • src/config/zod-schema.ts (modified, +6/-0)
  • src/gateway/node-pairing-auto-approve.test.ts (added, +199/-0)
  • src/gateway/node-pairing-auto-approve.ts (added, +56/-0)
  • src/gateway/server.node-pairing-auto-approve.test.ts (added, +414/-0)
  • src/gateway/server/ws-connection/message-handler.ts (modified, +27/-1)

Code Example

{
  "gateway": {
    "nodes": {
      "pairing": {
        "lanAutoApprove": true,
        "lanSubnets": ["192.168.0.0/16", "10.0.0.0/8"]
      }
    }
  }
}
RAW_BUFFERClick to expand / collapse

Problem

Currently, when a device (Android/iOS app) connects to the Gateway via LAN IP (e.g. 192.168.x.x), it requires manual pairing approval via CLI or UI every time the app is reinstalled or the device reconnects. This is inconvenient for personal LAN setups where trust is already established at the network level.

Proposed Solution

Add a configuration option to allow all devices on the local network to auto-approve pairing without manual intervention.

{
  "gateway": {
    "nodes": {
      "pairing": {
        "lanAutoApprove": true,
        "lanSubnets": ["192.168.0.0/16", "10.0.0.0/8"]
      }
    }
  }
}

Use Case

For personal/home deployments where the Gateway is behind a router firewall and only accessible via LAN, requiring manual pairing approval on every fresh app install creates unnecessary friction for the owner.

Additional Context

  • Gateway bind: lan (0.0.0.0)
  • Use case: personal Android/iOS app reconnecting after reinstall
  • Current workaround: run openclaw devices approve each time, but this is inconvenient

extent analysis

TL;DR

Enable the lanAutoApprove configuration option to allow devices on the local network to auto-approve pairing without manual intervention.

Guidance

  • Review the proposed JSON configuration and apply it to the Gateway settings to enable lanAutoApprove.
  • Verify that the lanSubnets list includes the relevant local network subnets (e.g., 192.168.0.0/16, 10.0.0.0/8) to ensure auto-approval works as expected.
  • Test the auto-approval feature by reinstalling the app and checking if the device connects without requiring manual pairing approval.
  • Consider the security implications of enabling auto-approval and ensure that the Gateway is properly secured behind a router firewall.

Example

{
  "gateway": {
    "nodes": {
      "pairing": {
        "lanAutoApprove": true,
        "lanSubnets": ["192.168.0.0/16"]
      }
    }
  }
}

Notes

The effectiveness of this solution relies on the Gateway being properly configured and secured. Additionally, the lanSubnets list should be carefully curated to prevent unintended access.

Recommendation

Apply the workaround by enabling the lanAutoApprove configuration option, as it provides a convenient solution for personal LAN setups where trust is already established at the network level.

Vote matrix · Quick signals

Works
Did the solution work? Tap to confirm.
Easy Fix
Was it a quick fix?
Time Saver
Did it save you time?
Blocking
Was it severely blocking?
Common Issue
Are others likely hitting this too?
Flaky / Intermittent
Is it intermittent?
Verified / Reproducible
Can you reproduce it reliably?
Loading…
#API middleware#SSR setup#ISR setup#authentication setup#request error

Still need to ship something?

×6

Another batch ranked right after the header list — different links, same matching logic.

Back to top recommendations

TRENDING