Fix private LAN mobile pairing auth policy

[BunsDev]

Summary

Fixes the private-LAN mobile pairing policy for #47887 without opening public or tailnet plaintext routes.

• allows ws:// setup/manual endpoints only for loopback, private LAN, link-local, ULA, and .local hosts across iOS setup/manual paths, Android setup/manual paths, the setup-code generator, and the device-pair plugin
• keeps public and Tailscale/tailnet cleartext endpoints rejected; those still require wss:// or a tunnel/Serve/Funnel path
• makes explicit password auth suppress stale bootstrap-token auth in Swift and TypeScript gateway clients
• persists Android bootstrap handoff tokens for the same private/local cleartext endpoints that Android setup/manual pairing accepts, while keeping public/tailnet cleartext persistence rejected
• adds mixed-auth, private-LAN, .local, public, tailnet, and Android session persistence coverage for the changed clients and setup-code paths
• includes a small iOS onboarding compile fix so the setup-code parser symbol is imported where the onboarding flow uses it

Verification

• pnpm test src/gateway/client.test.ts extensions/device-pair/index.test.ts src/pairing/setup-code.test.ts src/cli/qr-cli.test.ts passed locally
• swift test --package-path apps/shared/OpenClawKit --filter 'DeepLinksSecurityTests|GatewayNodeSessionTests' passed locally at 77b48f43b1 with 26 tests
• Android targeted Testbox proof passed at fbd0c6afdb: cd apps/android && ./gradlew :app:testPlayDebugUnitTest --tests ai.openclaw.app.gateway.GatewaySessionInvokeTest.bootstrapHandoffPersistenceTrustsPrivateLanCleartextEndpoints --tests ai.openclaw.app.ui.GatewayConfigResolverTest --tests ai.openclaw.app.node.ConnectionManagerTest
• pnpm check:changed passed in Testbox at fbd0c6afdb
• live proof is still pending: no Android adb/emulator is available locally, connected iOS devices are unavailable, and the iOS simulator app target still fails before launch on unrelated apps/ios/Sources/Settings/SettingsTab.swift issues (SwiftFormat drift on the branch state; after a local formatting experiment, Swift type-check timeout at line 423). The formatting experiment was reverted and is not part of this PR.

Fixes #47887.

[clawsweeper]

Codex review: needs maintainer review before merge.

Summary
The PR broadens private/local mobile ws:// setup and manual pairing, aligns bootstrap handoff persistence, preserves public/tailnet plaintext rejection, and updates related tests and docs.

Reproducibility: yes. by source inspection. Current Android main still rejects private-LAN cleartext manual/scanned endpoints and persists bootstrap handoff tokens only on loopback or TLS; I did not establish a live-device repro.

Real behavior proof
Not applicable: Not applicable because this is a member PR with the protected maintainer label, though the PR body still notes final live iOS/Android pairing proof is unavailable.

Next step before merge
Protected maintainer draft needs rebase/conflict handling, security-policy sign-off, and live mobile proof rather than an autonomous repair job.

Security
Cleared: No dependency, workflow, package, or secret-handling regression was found; the plaintext policy change is security-sensitive but bounded to private/local mobile pairing.

Review details

Best possible solution:

Rebase onto current main, preserve the mainline Swift/TypeScript behavior, land the remaining Android/docs/protocol alignment, and merge only after maintainer sign-off plus live mobile pairing proof.

Do we have a high-confidence way to reproduce the issue?

Yes, by source inspection. Current Android main still rejects private-LAN cleartext manual/scanned endpoints and persists bootstrap handoff tokens only on loopback or TLS; I did not establish a live-device repro.

Is this the best way to solve the issue?

Mostly yes, but not merge-ready. The narrow code direction matches the remaining Android/docs gap while preserving public and tailnet plaintext rejection, but the stale draft branch needs rebase, conflict review, and live pairing proof.

Acceptance criteria:

• pnpm test src/gateway/client.test.ts extensions/device-pair/index.test.ts src/pairing/setup-code.test.ts src/cli/qr-cli.test.ts
• cd apps/android && ./gradlew :app:testPlayDebugUnitTest --tests ai.openclaw.app.gateway.GatewaySessionInvokeTest --tests ai.openclaw.app.ui.GatewayConfigResolverTest --tests ai.openclaw.app.node.ConnectionManagerTest
• swift test --package-path apps/shared/OpenClawKit --filter 'DeepLinksSecurityTests|GatewayNodeSessionTests'
• pnpm check:changed in Testbox after rebase/conflict resolution
• Live iOS and Android private-LAN setup-code/manual pairing proof

What I checked:

• Protected PR state: Provided GitHub context shows authorAssociation MEMBER, label maintainer, draft true, mergeable false, head fbd0c6afdb111b0f5703b28dc5930a8cd7476f8f, and a Fixes #47887 link. (fbd0c6afdb11)
• Current Android manual TLS gate remains loopback-only: On current main, Android manual/discovery TLS resolution computes cleartextAllowedHost with isLoopbackGatewayHost(endpoint.host), so private LAN cleartext endpoints are still forced to TLS. (apps/android/app/src/main/java/ai/openclaw/app/node/ConnectionManager.kt:37, 60171e863882)
• Current Android endpoint parser remains loopback-only: Current Android setup/manual URL parsing rejects non-TLS endpoints unless isLoopbackGatewayHost(host) is true, which excludes the private LAN and .local endpoints this PR targets. (apps/android/app/src/main/java/ai/openclaw/app/ui/GatewayConfigResolver.kt:152, 60171e863882)
• Current Android bootstrap handoff persistence is narrower than policy: Current Android persists bootstrap handoff tokens only for bootstrap auth over loopback or TLS; the PR adds private/local cleartext persistence coverage. (apps/android/app/src/main/java/ai/openclaw/app/gateway/GatewaySession.kt:527, 60171e863882)
• Main already has Swift and TypeScript policy work: Current main already uses LoopbackHost.isLocalNetworkHost for iOS manual TLS and suppresses bootstrap auth when an explicit password is present in the TypeScript client, so the PR must be rebased carefully around mainline work from 36df0d93b93a. (apps/ios/Sources/Gateway/GatewayConnectionController.swift:691, 36df0d93b93a)
• Documentation is currently inconsistent across pages: Pairing/QR docs say private LAN and .local ws:// remain supported, while the gateway security doc still says Android/mobile private-LAN, link-local, and .local must use TLS unless opted into break-glass. Public docs: docs/gateway/security/index.md. (docs/gateway/security/index.md:879, 60171e863882)

Likely related people:

• Val Alexander: Authored 36df0d93b93a (fix: repair iOS LAN pairing) and blame shows this commit on the central Swift and TypeScript private/local pairing helpers. (role: recent mainline policy maintainer; confidence: high; commits: 36df0d93b93a; files: apps/shared/OpenClawKit/Sources/OpenClawKit/LoopbackHost.swift, apps/ios/Sources/Gateway/GatewayConnectionController.swift, src/pairing/setup-code.ts)
• Peter Steinberger: Blame on the current Android gateway, session, node connection, and config resolver paths points to 24853ced114a; adjacent native node work also appears in 466f7183207d. (role: adjacent Android/gateway owner; confidence: medium; commits: 24853ced114a, 466f7183207d; files: apps/android/app/src/main/java/ai/openclaw/app/gateway/GatewayHostSecurity.kt, apps/android/app/src/main/java/ai/openclaw/app/gateway/GatewaySession.kt, apps/android/app/src/main/java/ai/openclaw/app/node/ConnectionManager.kt)

Remaining risk / open question:

• The PR body says live iOS/Android pairing proof is still pending, so device-runtime behavior is not proven end to end.
• The branch is a draft and reported mergeable false; rebasing over current main could change the Swift/TypeScript policy overlap.
• The plaintext exception is security-sensitive even though the diff keeps public and tailnet cleartext blocked.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 60171e863882.

Re-review progress:

• State: Complete
• Detail: The targeted re-review finished, the durable review comment was updated, and the synced verdict was routed.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/25414337965
• Updated: 2026-05-06T03:14:29.638Z

[BunsDev]

Closing this draft as superseded by #78807, which recreates the relevant mobile private LAN pairing/auth fixes from a fresh current main branch with a single verified signed commit and fresh verification notes.