[Feature]: auth mode = none is required

[jetcar]

Summary

Feature request / improvement

openclaw may be deployed inside a trusted internal network where no user authorization is required. At the moment the only viable approach is to enable the trusted proxy option and place nginx in front of the service.

This workaround feels unnecessary and awkward in environments such as Kubernetes. Hardcoding headers in a proxy does not meaningfully improve security, especially when authentication and authorization are already handled by external infrastructure components (API gateways, ingress controllers, service meshes, etc.), which are typically more robust and flexible.

In our case, we already operate behind a gateway, so introducing an additional proxy layer solely to satisfy the trusted proxy requirement adds unnecessary complexity and operational overhead.

It would be helpful if openclaw could support running in a mode suitable for trusted internal environments where authentication is intentionally disabled and security is delegated entirely to external components.

Problem to solve

overcomplicated setup of openclaw in trusted networks

Proposed solution

auth mode = none without any validations

Alternatives considered

No response

Impact

should fix issues when running in docker, k8s and other server like solutions

Evidence/examples

No response

Additional information

No response

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve.

Summary
Keep open. Current main still intentionally rejects non-loopback auth.mode: "none" in runtime and CLI startup, and the related discussion shows this is a security/product policy decision rather than a cleanup-close candidate.

Reproducibility: yes. for the current missing capability: source inspection shows bind: "lan" with auth.mode: "none" reaches the non-loopback no-auth rejection, and the focused runtime-config test asserts that rejection. I did not execute tests because this was a read-only sweep.

Next step
Needs maintainer/security approval before relaxing the non-loopback no-auth startup invariant.

Security
Needs attention: The issue requests a security-sensitive relaxation that would allow unauthenticated Gateway exposure beyond loopback when external infrastructure is assumed to enforce access.

Review details

Best possible solution:

Make an explicit maintainer/security decision on private-ingress no-auth support; if accepted, implement it consistently across runtime validation, CLI preflight, security audit severity, docs, and regression tests.

Do we have a high-confidence way to reproduce the issue?

Yes for the current missing capability: source inspection shows bind: "lan" with auth.mode: "none" reaches the non-loopback no-auth rejection, and the focused runtime-config test asserts that rejection. I did not execute tests because this was a read-only sweep.

Is this the best way to solve the issue?

Unclear. Directly removing the guard is mechanically narrow, but the maintainable solution needs security/product approval and should align with the broader gateway-auth design discussion in #69066.

Security concerns:

• [medium] Review unauthenticated non-loopback Gateway exposure — src/gateway/server-runtime-config.ts:144
  Permitting explicit auth.mode: "none" on lan, tailnet, or custom binds would make Gateway WS/HTTP control-plane surfaces reachable without a shared secret unless the surrounding private ingress is correctly locked down.
  Confidence: 0.94

Acceptance criteria:

• pnpm test src/gateway/server-runtime-config.test.ts src/cli/gateway-cli/run.option-collisions.test.ts src/gateway/auth.test.ts src/security/audit-gateway-exposure.test.ts src/security/audit-gateway-http-auth.test.ts
• pnpm check:changed

What I checked:

• Runtime guard still blocks requested deployment shape: resolveGatewayRuntimeConfig throws when the resolved bind host is non-loopback and there is no token/password shared secret unless auth mode is trusted-proxy; explicit auth.mode: "none" does not bypass this guard. (src/gateway/server-runtime-config.ts:144, 443f7035a2e5)
• Focused test preserves rejection: The runtime-config test has a named lan binding with explicit none auth rejection case expecting refusing to bind gateway. (src/gateway/server-runtime-config.test.ts:165, 443f7035a2e5)
• CLI preflight mirrors runtime policy: openclaw gateway run warns for explicit none auth, then exits for non-loopback binds when no shared secret can be used and mode is not trusted-proxy. (src/cli/gateway-cli/run.ts:743, 443f7035a2e5)
• Auth handler itself supports none once reached: authorizeGatewayConnect returns success for auth.mode === "none"; the remaining blocker is startup/bind policy, not request-auth parsing. (src/gateway/auth.ts:492, 443f7035a2e5)
• Docs still state the current startup contract: The configuration reference says non-loopback binds require auth and says gateway.auth.mode: "none" is for trusted local loopback setups only. Public docs: docs/gateway/configuration-reference.md. (docs/gateway/configuration-reference.md:428, 443f7035a2e5)
• Security audit treats non-loopback no-auth as critical: The Gateway audit emits gateway.bind_no_auth as critical for non-loopback binds without a shared secret and outside trusted-proxy mode. (src/security/audit-gateway-config.ts:109, 443f7035a2e5)

Likely related people:

• steipete: Recent commits shown locally cover non-loopback Control UI hardening, trusted-proxy fallback behavior, and gateway server type refactoring around this policy area. (role: recent gateway auth/security maintainer; confidence: high; commits: 223d7dc23d73, 1a98938479b3, 58f2d17e9e05; files: src/gateway/server-runtime-config.ts, src/cli/gateway-cli/run.ts, src/gateway/auth.ts)
• vincentkoc: Current-main metadata and local blame at the shallow boundary show recent maintenance across the checked-out files and current branch, including the gateway/auth source snapshot used for this review. (role: recent adjacent maintainer; confidence: medium; commits: 443f7035a2e5, 8a1e22027344; files: src/gateway/server-runtime-config.ts, src/cli/gateway-cli/run.ts, src/security/audit-gateway-config.ts)
• gumadeiras: Merged PR Security: default gateway auth bootstrap and explicit mode none #20686 restored explicit gateway.auth.mode: "none" support while deliberately preserving the strict non-loopback bind/auth matrix. (role: introduced current explicit-none auth shape; confidence: medium; commits: be1b73182cdc; files: src/gateway/startup-auth.ts, src/gateway/auth.ts, src/gateway/server-runtime-config.ts)

Remaining risk / open question:

• Allowing auth.mode: "none" on non-loopback binds would expose Gateway WebSocket and HTTP operator surfaces without Gateway auth if the external ingress, firewall, or service mesh boundary is misconfigured.
• Some HTTP API docs already describe private-ingress none as an identity-bearing mode, while runtime/configuration docs still restrict none to loopback, so any accepted policy needs coordinated docs and audit updates.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 443f7035a2e5.