Alberto Leal
449511484d
fix(gateway): allow ws:// to private network addresses (#28670)
* fix(gateway): allow ws:// to RFC 1918 private network addresses
resolve ws-private-network conflicts
* gateway: keep ws security strict-by-default with private opt-in
* gateway: apply private ws opt-in in connection detail guard
* gateway: apply private ws opt-in in websocket client
* onboarding: gate private ws urls behind explicit opt-in
* gateway tests: enforce strict ws defaults with private opt-in
* onboarding tests: validate private ws opt-in behavior
* gateway client tests: cover private ws env override
* gateway call tests: cover private ws env override
* changelog: add ws strict-default security entry for pr 28670
* docs(onboard): document private ws break-glass env
* docs(gateway): add private ws env to remote guide
* docs(docker): add private ws break-glass env var
* docs(security): add private ws break-glass guidance
* docs(config): document OPENCLAW_ALLOW_PRIVATE_WS
* Update CHANGELOG.md
* gateway: normalize private-ws host classification
* test(gateway): cover non-unicast ipv6 private-ws edges
* changelog: rename insecure private ws break-glass env
* docs(onboard): rename insecure private ws env
* docs(gateway): rename insecure private ws env in config reference
* docs(gateway): rename insecure private ws env in remote guide
* docs(security): rename insecure private ws env
* docs(docker): rename insecure private ws env
* test(onboard): rename insecure private ws env
* onboard: rename insecure private ws env
* test(gateway): rename insecure private ws env in call tests
* gateway: rename insecure private ws env in call flow
* test(gateway): rename insecure private ws env in client tests
* gateway: rename insecure private ws env in client
* docker: pass insecure private ws env to services
* docker-setup: persist insecure private ws env
---------
Co-authored-by: Vincent Koc <vincentkoc@ieee.org>