Harden gateway connection and pairing flows #741
Draft
ranjeshj wants to merge 1 commit into
This was referenced Jun 10, 2026
Consolidate the connection/pairing hardening work into one validated change set.

Connection and credential handling:
- keep gateway credentials registry-backed and preserve strict credential precedence: device token, shared gateway token, then bootstrap token
- force fresh setup-code bootstrap credentials for immediate QR/setup-code pairing while preserving shared gateway tokens for HTTP/dashboard paths
- dedupe loopback-equivalent gateway URLs so localhost and 127.0.0.1 records do not split pairing state
- validate replacement shared tokens before disconnecting or clearing durable device tokens
- clear stale bootstrap tokens only after required role tokens are durably readable
- recover stale operator device-token mismatches by falling back to bootstrap when recovery material is still present

Operator/node pairing and token lifecycle:
- keep operator clients in the operator role during bootstrap while preserving explicit node bootstrap behavior
- persist role-specific handoff tokens from hello-ok auth.deviceTokens[] for both operator and node roles
- forward WindowsNodeClient node-token receipt through NodeConnector so GatewayConnectionManager can complete bootstrap cleanup after the node token becomes durable
- request operator.pairing with normal shared-token operator connects so node trust approvals can be reached
- wait for node/device pair approval responses instead of treating a sent frame as success
- fall back from node.pair.approve to device.pair.approve only when admin authority is available
- guard node connection events by client generation so stale clients cannot mutate current state
- abort node handshake when pre-connect capability binding fails, preventing caps=0/cmds=0 registrations

Tray, MCP, and browser-control behavior:
- expose connection-control MCP tools only through local MCP, not the gateway node transport
- route MCP setup-code and shared-token connection tools through GatewayConnectionManager
- refresh gateway node state when local node connected/paired events arrive
- register browser.proxy only when a live gateway client and shared gateway token are available, and use the shared token for browser-control HTTP auth

Setup and reliability:
- add bounded retry for transient WSL startup timing when validating /etc/wsl.conf after WSL terminate/apply-config
- keep invalid wsl.conf content validation strict after the read succeeds
- preserve SSH tunnel behavior for operator and node connection paths

Maintainability simplifications:
- reuse setup-code gateway lookup state in GatewayConnectionManager
- centralize delayed reconnect scheduling with generation/disposal guards
- centralize response-aware pair approval RPC handling
- consolidate operator scope helper literals and checks

Validation:
- build.ps1 passed
- OpenClaw.Shared.Tests passed
- OpenClaw.Tray.Tests passed
- OpenClaw.Connection.Tests passed
- OpenClaw.SetupEngine.Tests passed
- full OpenClaw.E2ETests passed with OPENCLAW_RUN_E2E=1 and win-arm64 runtime
- targeted QR/setup-code E2E tests passed after audit follow-up
- Copilot autoreview passed with no accepted/actionable findings
- dual-model protocol audit completed; accepted multi-role handoff finding fixed

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
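The credential precedence and loopback-dedupe rules from the commit message, as an added C# sketch that is not OpenClaw's own code: the class, field and method names are assumptions, and the validation callback stands in for whatever gateway-side check the real client performs before it trusts a replacement shared token.

```csharp
using System;
using System.Collections.Generic;

// Hypothetical sketch, not OpenClaw's code: records keyed by a loopback-normalized
// URL, strict token precedence, and validate-before-clear for replacement shared tokens.
public sealed class GatewayCredentialRegistry
{
    private sealed class Record
    {
        public string? DeviceToken;        // durable per-device token, highest precedence
        public string? SharedGatewayToken; // shared gateway token (HTTP/dashboard paths)
        public string? BootstrapToken;     // short-lived setup-code bootstrap credential
    }
    private readonly Dictionary<string, Record> _records = new(StringComparer.OrdinalIgnoreCase);

    // localhost, 127.0.0.1 and ::1 collapse to one key so pairing state is not split.
    public static string NormalizeGatewayUrl(string url)
    {
        var uri = new Uri(url);
        return $"{uri.Scheme}://{(uri.IsLoopback ? "127.0.0.1" : uri.Host)}:{uri.Port}";
    }

    private Record Get(string url)
    {
        var key = NormalizeGatewayUrl(url);
        if (!_records.TryGetValue(key, out var r)) _records[key] = r = new Record();
        return r;
    }

    public void SetDeviceToken(string url, string token) => Get(url).DeviceToken = token;
    public void SetBootstrapToken(string url, string token) => Get(url).BootstrapToken = token;

    // Precedence: device token, then shared gateway token, then bootstrap token.
    public string? SelectConnectToken(string url)
    {
        var r = Get(url);
        return r.DeviceToken ?? r.SharedGatewayToken ?? r.BootstrapToken;
    }

    // The durable device token is cleared only after the replacement shared token
    // validates; a rejected candidate leaves every stored token untouched.
    public bool ReplaceSharedToken(string url, string candidate, Func<string, bool> validate)
    {
        if (string.IsNullOrWhiteSpace(candidate) || !validate(candidate)) return false;
        var r = Get(url);
        r.SharedGatewayToken = candidate;
        r.DeviceToken = null;
        return true;
    }
}
```

With this layout a bootstrap token stored under ws://localhost:18789 is found again when the client later connects as ws://127.0.0.1:18789, and a failed shared-token validation never disconnects an existing device-token session.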
Summary
Harden Windows companion gateway connection, setup-code pairing, node pairing, token recovery, and browser-control auth flows.
Key changes:
- role=operator
- hello-ok.auth.deviceTokens[]
- WindowsNodeClient through NodeConnector so bootstrap cleanup can complete after node reconnect
- /etc/wsl.conf read timing while keeping config validation strict

Validation
- ./build.ps1 passed
- dotnet test ./tests/OpenClaw.Shared.Tests/OpenClaw.Shared.Tests.csproj --no-restore passed
- dotnet test ./tests/OpenClaw.Tray.Tests/OpenClaw.Tray.Tests.csproj --no-restore passed
- dotnet test ./tests/OpenClaw.Connection.Tests/OpenClaw.Connection.Tests.csproj --no-restore passed
- dotnet test ./tests/OpenClaw.SetupEngine.Tests/OpenClaw.SetupEngine.Tests.csproj --no-restore passed
- OPENCLAW_RUN_E2E=1 dotnet test ./tests/OpenClaw.E2ETests/OpenClaw.E2ETests.csproj -r win-arm64 --no-restore passed: 17/17

Notes
Draft PR for review. The changes intentionally avoid broad WebSocket lifecycle rewrites or gateway-side assumptions; fixes are scoped to client-side behavior verified against docs/CONNECTION_PROTOCOL_RESEARCH.md and docs/CONNECTION_ARCHITECTURE.md.