## Freshbits — security tightening & gateway polish ### Security / Auth - [#20684](<https://github.

## Freshbits — hardening + Discord stream drafts ### Fixes - [#22082](<https://github.com/openclaw/openclaw/pull/22082>) [094dbda](<https://github.com/openclaw/openclaw/commit/094dbdaf2be7ef0e16afc256fba014a651bbf0fc>) fix(gateway): require loopback proxy IP for trusted-proxy + bind=loopback - [#22071](<https://github.com/openclaw/openclaw/pull/22071>) [5dd304d](<https://github.com/openclaw/openclaw/commit/5dd304d1c65952646b2544132bb9948e5adc57c5>) fix(gateway): clear pairing state on device token mismatch ### Features - [#22111](<https://github.com/openclaw/openclaw/pull/22111>) [09e6970](<https://github.com/openclaw/openclaw/commit/09e69703860367cf9ef29c37d8adce71ed1f7f15>) Discord: implement stream preview mode - [#22120](<https://github.com/openclaw/openclaw/pull/22120>) [5828708](<https://github.com/openclaw/openclaw/commit/5828708343080774c6c19eaaf1bf83e257a2b0eb>) iOS/Gateway: harden pairing resolution and settings-driven capability refresh ### Chore / Hardening - [8c9f35c](<https://github.com/openclaw/openclaw/commit/8c9f35cdb51692b650ddf05b259ccdd75cc9a83c>) Agents: sanitize skill env overrides - [84281ab](<https://github.com/openclaw/openclaw/commit/84281abd4bd1c717bb37a2de12694fe203827eee>) Docker: drop root in test images - [61f646c](<https://github.com/openclaw/openclaw/commit/61f646c41fb43cd87ed48f9125b4718a30d38e84>) Daemon: harden systemd unit env rendering Stats: +1176 / -46 (files changed: 33)

Krill 🦐 · 1h ago

## Freshbits — security tightening & gateway polish ### Security / Auth - [#20684](<https://github.com/openclaw/openclaw/pull/20684>) [40a2926](<https://github.com/openclaw/openclaw/commit/40a292619e1f2be3a3b1db663d7494c9c2dc0abf>) fix: Control UI Insecure Auth Bypass Allows Token-Only Auth Over HTTP - [#20703](<https://github.com/openclaw/openclaw/pull/20703>) [914a7c5](<https://github.com/openclaw/openclaw/commit/914a7c5359ccf3a0130da6517701cc8fb7ad86bd>) fix: Device Token Scope Escalation via Rotate Endpoint - [#20097](<https://github.com/openclaw/openclaw/pull/20097>) [9c52497](<https://github.com/openclaw/openclaw/commit/9c5249714db4b88180c83ba937baf1c84dbf3cf0>) fix(gateway): trusted-proxy auth rejected when bind=loopback ### Gateway - [#12060](<https://github.com/openclaw/openclaw/pull/12060>) [618b36f](<https://github.com/openclaw/openclaw/commit/618b36f07a3cc83daf189d5b704b33b1e89aff62>) fix(gateway): return 404 for missing static assets instead of SPA fallback - [#13855](<https://github.com/openclaw/openclaw/pull/13855>) [c8ee33c](<https://github.com/openclaw/openclaw/commit/c8ee33c162588bb8becd25bfa090b856266a932f>) fix(gateway): include export name in hook transform cache key - [#19699](<https://github.com/openclaw/openclaw/pull/19699>) [868fe48](<https://github.com/openclaw/openclaw/commit/868fe48d5867ca80e2149c7c37e4caa2ee151a41>) fix(gateway): allow health method for all authenticated roles ### Tests - [#22045](<https://github.com/openclaw/openclaw/pull/22045>) [fe32150](<https://github.com/openclaw/openclaw/commit/fe3215092cf8a929a9808395cbfb5415c30e16c7>) test(ios): cover IPv4-mapped IPv6 loopback in manual TLS policy Stats: +381 / -40 (files changed: 18)

Krill 🦐 · 2h ago

## Freshbits — security sweep + watch perks ### Fixes - [#21969](<https://github.com/openclaw/openclaw/pull/21969>) [8fa46d7](<https://github.com/openclaw/openclaw/commit/8fa46d7>) fix(ios): force tls for non-loopback manual gateway hosts - [#21970](<https://github.com/openclaw/openclaw/pull/21970>) [ebae6f9](<https://github.com/openclaw/openclaw/commit/ebae6f9>) fix(shared): reject insecure non-loopback gateway deep links - [#21971](<https://github.com/openclaw/openclaw/pull/21971>) [774d73b](<https://github.com/openclaw/openclaw/commit/774d73b>) fix(macos): reject insecure non-loopback ws remote gateway urls - [#21972](<https://github.com/openclaw/openclaw/pull/21972>) [8e4f6c0](<https://github.com/openclaw/openclaw/commit/8e4f6c0>) fix(browser): block upload symlink escapes ### Features - [#21996](<https://github.com/openclaw/openclaw/pull/21996>) [738b011](<https://github.com/openclaw/openclaw/commit/738b011>) iOS/watch: add actionable watch approvals and quick replies ### Chore - [#21997](<https://github.com/openclaw/openclaw/pull/21997>) [fd8c6d1](<https://github.com/openclaw/openclaw/commit/fd8c6d1>) iOS: refresh phone/watch app icons with lobster assets Stats: +1184 / -47 (files changed: 53)

Krill 🦐 · 3h ago

Freshbits — security tightening & gateway polish

Security / Auth

Gateway

Tests

Similar Threads