fix(android): trust private LAN credentials

obviyus · obviyus · commit 771ddcf1846f · 2026-05-28T10:00:32.000+05:30
diff --git a/apps/android/app/src/main/java/ai/openclaw/app/gateway/GatewaySession.kt b/apps/android/app/src/main/java/ai/openclaw/app/gateway/GatewaySession.kt
@@ -632,7 +632,7 @@ class GatewaySession(
 
     private fun shouldPersistBootstrapHandoffTokens(authSource: GatewayConnectAuthSource): Boolean {
       if (authSource != GatewayConnectAuthSource.BOOTSTRAP_TOKEN) return false
-      if (isLoopbackGatewayHost(endpoint.host)) return true
+      if (isLocalCleartextGatewayHost(endpoint.host)) return true
       return tls != null
     }
 
@@ -1212,9 +1212,7 @@ class GatewaySession(
     endpoint: GatewayEndpoint,
     tls: GatewayTlsParams?,
   ): Boolean {
-    if (isLoopbackGatewayHost(endpoint.host)) {
-      return true
-    }
+    if (isLocalCleartextGatewayHost(endpoint.host)) return true
     return tls?.expectedFingerprint?.trim()?.isNotEmpty() == true
   }
 }
diff --git a/apps/android/app/src/main/java/ai/openclaw/app/node/ConnectionManager.kt b/apps/android/app/src/main/java/ai/openclaw/app/node/ConnectionManager.kt
@@ -44,6 +44,7 @@ class ConnectionManager(
         }
 
       if (isManual) {
+        if (!manualTlsEnabled && cleartextAllowedHost) return null
         if (!stored.isNullOrBlank()) {
           return GatewayTlsParams(
             required = true,
@@ -52,7 +53,6 @@ class ConnectionManager(
             stableId = stableId,
           )
         }
-        if (!manualTlsEnabled && cleartextAllowedHost) return null
         return GatewayTlsParams(
           required = true,
           expectedFingerprint = null,
diff --git a/apps/android/app/src/test/java/ai/openclaw/app/node/ConnectionManagerTest.kt b/apps/android/app/src/test/java/ai/openclaw/app/node/ConnectionManagerTest.kt
@@ -123,7 +123,7 @@ class ConnectionManagerTest {
   }
 
   @Test
-  fun resolveTlsParamsForEndpoint_manualPrivateLanPreservesStoredPin() {
+  fun resolveTlsParamsForEndpoint_manualPrivateLanCleartextCanOverrideStoredPin() {
     val endpoint = GatewayEndpoint.manual(host = "192.168.1.20", port = 18789)
 
     val params =
@@ -133,9 +133,7 @@ class ConnectionManagerTest {
         manualTlsEnabled = false,
       )
 
-    assertEquals(true, params?.required)
-    assertEquals("pinned", params?.expectedFingerprint)
-    assertEquals(false, params?.allowTOFU)
+    assertNull(params)
   }
 
   @Test

Original file line number	Diff line number	Diff line change
`@@ -632,7 +632,7 @@ class GatewaySession(`
`632`	`632`
`633`	`633`	`private fun shouldPersistBootstrapHandoffTokens(authSource: GatewayConnectAuthSource): Boolean {`
`634`	`634`	`if (authSource != GatewayConnectAuthSource.BOOTSTRAP_TOKEN) return false`
`635`		`- if (isLoopbackGatewayHost(endpoint.host)) return true`
	`635`	`+ if (isLocalCleartextGatewayHost(endpoint.host)) return true`
`636`	`636`	`return tls != null`
`637`	`637`	`}`
`638`	`638`
`@@ -1212,9 +1212,7 @@ class GatewaySession(`
`1212`	`1212`	`endpoint: GatewayEndpoint,`
`1213`	`1213`	`tls: GatewayTlsParams?,`
`1214`	`1214`	`): Boolean {`
`1215`		`- if (isLoopbackGatewayHost(endpoint.host)) {`
`1216`		`- return true`
`1217`		`- }`
	`1215`	`+ if (isLocalCleartextGatewayHost(endpoint.host)) return true`
`1218`	`1216`	`return tls?.expectedFingerprint?.trim()?.isNotEmpty() == true`
`1219`	`1217`	`}`
`1220`	`1218`	`}`
Original file line number	Diff line number	Diff line change
`@@ -44,6 +44,7 @@ class ConnectionManager(`
`44`	`44`	`}`
`45`	`45`
`46`	`46`	`if (isManual) {`
	`47`	`+ if (!manualTlsEnabled && cleartextAllowedHost) return null`
`47`	`48`	`if (!stored.isNullOrBlank()) {`
`48`	`49`	`return GatewayTlsParams(`
`49`	`50`	`required = true,`
`@@ -52,7 +53,6 @@ class ConnectionManager(`
`52`	`53`	`stableId = stableId,`
`53`	`54`	`)`
`54`	`55`	`}`
`55`		`- if (!manualTlsEnabled && cleartextAllowedHost) return null`
`56`	`56`	`return GatewayTlsParams(`
`57`	`57`	`required = true,`
`58`	`58`	`expectedFingerprint = null,`
Original file line number	Diff line number	Diff line change
`@@ -123,7 +123,7 @@ class ConnectionManagerTest {`
`123`	`123`	`}`
`124`	`124`
`125`	`125`	`@Test`
`126`		`- fun resolveTlsParamsForEndpoint_manualPrivateLanPreservesStoredPin() {`
	`126`	`+ fun resolveTlsParamsForEndpoint_manualPrivateLanCleartextCanOverrideStoredPin() {`
`127`	`127`	`val endpoint = GatewayEndpoint.manual(host = "192.168.1.20", port = 18789)`
`128`	`128`
`129`	`129`	`val params =`
`@@ -133,9 +133,7 @@ class ConnectionManagerTest {`
`133`	`133`	`manualTlsEnabled = false,`
`134`	`134`	`)`
`135`	`135`
`136`		`- assertEquals(true, params?.required)`
`137`		`- assertEquals("pinned", params?.expectedFingerprint)`
`138`		`- assertEquals(false, params?.allowTOFU)`
	`136`	`+ assertNull(params)`
`139`	`137`	`}`
`140`	`138`
`141`	`139`	`@Test`