openclaw - 💡(How to fix) Fix [Feature]: Emit runtime warning when Control UI config will silently reject non-secure connections [1 participants]

Feature type

Enhancement (developer experience / operator UX)

Summary

When the gateway starts with controlUi.enabled: true and dangerouslyDisableDeviceAuth is not set, non-localhost HTTP connections are silently rejected with DEVICE_IDENTITY_REQUIRED. The user sees a cryptic "Disconnected from Gateway" message in the Control UI with no server-side guidance.

Proposed behavior

At gateway startup, if controlUi.enabled && !dangerouslyDisableDeviceAuth && !isSecureContext, emit a clear warning in the server logs:

⚠️  Control UI requires a secure context (HTTPS or localhost).
    Connections from non-localhost HTTP origins will be rejected.
    Options:
    1. Access via https://localhost:18789 or SSH tunnel
    2. Set up HTTPS reverse proxy (Caddy, Traefik, Nginx)
    3. Set controlUi.dangerouslyDisableDeviceAuth: true (not recommended)
    See: https://docs.openclaw.ai/gateway/security

Why this matters

This is one of the most common issues for Docker and VPS users (see #32473 with 12+ comments, #45820). The current behavior makes it look like the gateway is broken when it's actually working as designed. A startup warning would:

1. Save users hours of debugging
2. Reduce duplicate issue filings
3. Make the security decision visible rather than silent

Context

The Morpheus Skill ships OpenClaw in Docker containers for decentralized AI inference. Every new user deploying on a VPS or NAS hits this wall. The fix is always the same (HTTPS proxy, SSH tunnel, or the bypass flag) — but discovering the cause takes far too long because the server gives no hint.

Environment

Affects all deployment methods where Control UI is accessed over HTTP from a non-localhost address (Docker, VPS, NAS, any remote host).