feat(gateway): add config to disable Bonjour/mDNS (fix #28174)

[zichen0116]

Summary

• Problem: On Android/Termux (and other platforms without multicast networking), the Gateway's Bonjour/mDNS advertiser cannot broadcast. The watchdog fires every ~60 s emitting noisy log spam, and a Wi-Fi disconnect can trigger an assertion that crashes the process.
• Why it matters: Users running OpenClaw on Android/Termux have no config-based way to suppress mDNS — the only escape hatch is the undiscoverable OPENCLAW_DISABLE_BONJOUR=1 env var, and the crash risk makes the Gateway unusable on those platforms.
• What changed: Added gateway.mdns.enabled (boolean, default true) as a first-class config key with full schema validation, Zod schema, help text, UI labels, and docs. Setting it to false forces mdnsMode: "off" in the discovery runtime, preventing both the advertiser and watchdog from starting.
• What did NOT change (scope boundary): The existing discovery.mdns.mode enum ("off"/"minimal"/"full") is untouched. No changes to the Bonjour advertiser itself, watchdog logic, or any channel/auth/tool code. OPENCLAW_DISABLE_BONJOUR=1 retains its highest-priority override semantics.

Change Type (select all)

• Bug fix
• Feature
• Refactor
• Docs
• Security hardening
• Chore/infra

Scope (select all touched areas)

• Gateway / orchestration
• Skills / tool execution
• Auth / tokens
• Memory / storage
• Integrations
• API / contracts
• UI / DX
• CI/CD / infra

Linked Issue/PR

• Closes Feature Request: Option to disable mDNS/Bonjour (critical for Android/Termux) #28174

User-visible / Behavior Changes

• New optional config key gateway.mdns.enabled (boolean). Omitting it keeps current behavior (mDNS on).
• Setting gateway.mdns.enabled: false disables the Bonjour advertiser and its 60-second watchdog timer entirely — no more log spam on platforms without multicast.
• docs/gateway/bonjour.md "Disabling / configuration" section now documents the new config key with a JSON5 example and clarifies priority order: OPENCLAW_DISABLE_BONJOUR=1 > gateway.mdns.enabled: false > discovery.mdns.mode: "off".

Security Impact (required)

• New permissions/capabilities? No
• Secrets/tokens handling changed? No
• New/changed network calls? No
• Command/tool execution surface changed? No
• Data access scope changed? No

Repro + Verification

Environment

• OS: Android (Termux) / any platform without multicast support
• Runtime/container: Node 22 / Bun
• Model/provider: N/A
• Integration/channel (if any): N/A
• Relevant config (redacted):

  { gateway: { mdns: { enabled: false } } }

Steps

1. Add gateway: { mdns: { enabled: false } } to ~/.openclaw/openclaw.json.
2. Start the Gateway: openclaw gateway run.
3. Wait 60+ seconds and observe logs.

Expected

• No bonjour: log lines appear (advertiser never starts, watchdog never fires).
• Gateway starts and operates normally for all channel and API functions.

Actual (before this fix)

• No config key exists; schema rejects any attempt to add gateway.mdns.* with an unknown-key error. Only the env var path works, and it is not surfaced in the UI or config docs.

Evidence

• Failing test/log before + passing after

4 new schema validation tests in src/config/config.gateway-mdns.test.ts — all pass:

✓ accepts gateway.mdns.enabled: false
✓ accepts gateway.mdns.enabled: true
✓ accepts gateway.mdns as empty object
✓ rejects unknown keys inside gateway.mdns

schema.help.quality.test.ts (20 tests) and all other touched test files continue to pass. pnpm check (lint + format + typecheck) passes clean.

Human Verification (required)

• Verified scenarios: Schema accepts { gateway: { mdns: { enabled: false } } } and rejects { gateway: { mdns: { unknown: true } } }. pnpm check passes. All touched test files pass.
• Edge cases checked: gateway.mdns omitted entirely (no regression); gateway.mdns.enabled: true (no-op, identical to default); discovery.mdns.mode: "off" still works independently of the new key.
• What you did not verify: Live runtime on a real Android/Termux device; interaction with the macOS menubar app restart flow.

Compatibility / Migration

• Backward compatible? Yes — enabled defaults to true; omitting the key is identical to current behavior.
• Config/env changes? Yes — new optional key gateway.mdns.enabled.
• Migration needed? No

Failure Recovery (if this breaks)

• How to disable/revert this change quickly: Remove gateway.mdns from ~/.openclaw/openclaw.json, or set OPENCLAW_DISABLE_BONJOUR=1 to suppress mDNS via the pre-existing env path.
• Files/config to restore: src/config/types.gateway.ts, src/config/zod-schema.ts, src/gateway/server.impl.ts (one-line change each).
• Known bad symptoms reviewers should watch for: Gateway refusing to start with a schema validation error on gateway.mdns (Zod .strict() object not updated); Bonjour watchdog still firing when enabled: false (override in server.impl.ts not reached).

Risks and Mitigations

• Risk: Two overlapping ways to disable mDNS (gateway.mdns.enabled vs discovery.mdns.mode) may confuse users.
  • Mitigation: gateway.mdns.enabled is the simple boolean convenience path for the Android/Termux use case; discovery.mdns.mode handles finer-grained control. Priority order is documented in bonjour.md.
• Risk: gateway.mdns.enabled: false silently overrides discovery.mdns.mode when both are set.
  • Mitigation: The override only activates when enabled === false; all other combinations respect discovery.mdns.mode unchanged. Documented explicitly.

[greptile-apps]

Greptile Summary

This PR adds gateway.mdns.enabled (boolean, default true) as a first-class, schema-validated config key to disable the Bonjour/mDNS advertiser on platforms without multicast support (e.g. Android/Termux), closing a crash-risk and log-spam issue. The implementation is clean and backward-compatible.

Key changes:

• GatewayMdnsConfig type + Zod schema with .strict() correctly expose the new key and reject unknown subkeys.
• server.impl.ts uses strict === false equality so the mdnsMode: "off" override fires only when explicitly disabled — absent or true preserves existing discovery.mdns.mode semantics.
• audit.ts correctly suppresses the discovery.mdns_full_mode security finding when gateway.mdns.enabled === false, with a matching new test case.
• Documentation, UI labels, and help text are all updated, and schema.help.quality.test.ts tracks the new keys.
• Two unrelated cleanups are bundled in: a TypeScript type-narrowing guard in openai-http.ts (redundant at runtime since parseImageUrlToSource already validates, but needed to satisfy the data?: string type), and a minor cron test reliability improvement (replacing await Promise.resolve() busy-wait with await cron.status()). Neither introduces regressions.

Confidence Score: 4/5

• This PR is safe to merge — the feature is backward-compatible, well-tested, and the implementation is straightforward.
• The main mDNS disable logic is minimal (one ternary in server.impl.ts), the Zod schema uses .strict(), the audit suppression is logically sound, and there are 5+ new targeted tests. Score is 4 rather than 5 because two unrelated changes (openai-http.ts type guard, cron test tweak) are bundled without mention in the PR description, and the openai-http.ts guard is technically dead code that could confuse future readers without a clarifying comment.
• No files require special attention; the one style note on src/gateway/openai-http.ts is non-blocking.

_{Last reviewed commit: 8322ad0}

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 3d07091741

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[chatgpt-codex-connector]

Align audit inputs with new mDNS disable switch

This new override changes runtime behavior so gateway.mdns.enabled=false forces mDNS off even when discovery.mdns.mode is still "full", but the security audit logic still derives risk only from discovery.mdns.mode. In that configuration, openclaw security audit can incorrectly report discovery.mdns_full_mode findings even though Bonjour is disabled, which makes the new config path produce stale/false risk output; audit should evaluate the effective mDNS state (including this new switch) before emitting that check.

Useful? React with 👍 / 👎.

[zichen0116]

if (mdnsMode === "full") ----> if (mdnsMode === "full" && gatewayMdnsEnabled)

[openclaw-barnacle]

This pull request has been automatically marked as stale due to inactivity.
Please add updates or it will be closed.

[zichen0116]

Addressed review feedback, please take another look.

[openclaw-barnacle]

This pull request has been automatically marked as stale due to inactivity.
Please add updates or it will be closed.

[openclaw-barnacle]

Closing due to inactivity.
If you believe this PR should be revived, post in #pr-thunderdome-dangerzone on Discord to talk to a maintainer.
That channel is the escape hatch for high-quality PRs that get auto-closed.