From 327f0526d13797908eaed4720fb2e6cbd096aa00 Mon Sep 17 00:00:00 2001
From: Peter Steinberger
Date: Thu, 26 Feb 2026 12:10:02 +0000
Subject: [PATCH] fix(gateway): use loopback for CLI status probe when bind=lan (land #26997, thanks @chikko80)

Co-authored-by: Manuel Seitz
---
 CHANGELOG.md | 1 +
 src/cli/daemon-cli/shared.ts | 6 ++++--
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 681c6d663..57862c972 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -16,6 +16,7 @@ Docs: https://docs.openclaw.ai
 - Security/Plugin channel HTTP auth: normalize protected `/api/channels` path checks against canonicalized request paths (case + percent-decoding + slash normalization), and fail closed on malformed `%`-encoded channel prefixes so alternate-path variants cannot bypass gateway auth.
 - Security/Exec approvals forwarding: prefer turn-source channel/account/thread metadata when resolving approval delivery targets so stale session routes do not misroute approval prompts.
 - Onboarding/Gateway: seed default Control UI `allowedOrigins` for non-loopback binds during onboarding (`localhost`/`127.0.0.1` plus custom bind host) so fresh non-loopback setups do not fail startup due to missing origin policy. (#26157) thanks @stakeswky.
+- CLI/Gateway status: force local `gateway status` probe host to `127.0.0.1` for `bind=lan` so co-located probes do not trip non-loopback plaintext WebSocket checks. (#26997) thanks @chikko80.
 - Auto-reply/Streaming: suppress only exact `NO_REPLY` final replies while still filtering streaming partial sentinel fragments (`NO_`, `NO_RE`, `HEARTBEAT_...`) so substantive replies ending with `NO_REPLY` are delivered and partial silent tokens do not leak during streaming. (#19576) Thanks @aldoeliacim.
 - Doctor/State integrity: ignore metadata-only slash routing sessions when checking recent missing transcripts so `openclaw doctor` no longer reports false-positive transcript-missing warnings for `*:slash:*` keys. (#27375) thanks @gumadeiras.
 - Channels/Multi-account config: when adding a non-default channel account to a single-account top-level channel setup, move existing account-scoped top-level single-account values into `channels..accounts.default` before writing the new account so the original account keeps working without duplicated account values at channel root; `openclaw doctor --fix` now repairs previously mixed channel account shapes the same way. (#27334) thanks @gumadeiras.
diff --git a/src/cli/daemon-cli/shared.ts b/src/cli/daemon-cli/shared.ts
index bfd54e877..cc520781d 100644
--- a/src/cli/daemon-cli/shared.ts
+++ b/src/cli/daemon-cli/shared.ts
@@ -5,7 +5,6 @@ import {
 } from "../../daemon/constants.js";
 import { resolveGatewayLogPaths } from "../../daemon/launchd.js";
 import { formatRuntimeStatus } from "../../daemon/runtime-format.js";
-import { pickPrimaryLanIPv4 } from "../../gateway/net.js";
 import { getResolvedLoggerSettings } from "../../logging.js";
 import { colorize, isRich, theme } from "../../terminal/theme.js";
 import { formatCliCommand } from "../command-format.js";
@@ -73,7 +72,10 @@ export function pickProbeHostForBind(
 return tailnetIPv4 ?? "127.0.0.1";
 }
 if (bindMode === "lan") {
- return pickPrimaryLanIPv4() ?? "127.0.0.1";
+ // Same as call.ts: self-connections should always target loopback.
+ // bind=lan controls which interfaces the server listens on (0.0.0.0),
+ // but co-located CLI probes should connect via 127.0.0.1.
+ return "127.0.0.1";
 }
 return "127.0.0.1";
 }
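Review bot: The `bindMode === "lan"` branch in `pickProbeHostForBind` now returns the same `"127.0.0.1"` as the fall-through return right after it, so it exists only to carry the comment, and the probe's correctness rests on that comment's assumption that bind=lan listens on 0.0.0.0, which nothing in this hunk checks. If lan mode ever bound a single LAN address, a loopback probe would miss the gateway or reach whatever else is listening on that port locally, and the status output would describe the wrong listener. I would state the dependency in the comment, e.g. `// Assumes bind=lan listens on all interfaces (loopback included); revisit if lan ever binds one address.`, and add a test that pins the lan case to loopback. Status for bind=lan now confirms local reachability only, not that the LAN listener is reachable from other hosts, which is worth a line in the command's help or docs. The function's signature and its earlier branches lie outside the hunk.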