feat: add device auth for OpenClaw v2026.2.14+ compatibility#32
Merged
ibelick merged 1 commit intoibelick:mainfrom Feb 16, 2026
Merged
feat: add device auth for OpenClaw v2026.2.14+ compatibility#32ibelick merged 1 commit intoibelick:mainfrom
ibelick merged 1 commit intoibelick:mainfrom
Conversation
samgibson-bot
pushed a commit
to samgibson-bot/gold-dashboard
that referenced
this pull request
Feb 18, 2026
- Add Ed25519 keypair generation, persistence (.device-keys.json, 0o600) - Sign connect payload (v1|deviceId|clientId|...) via loadOrCreateDeviceIdentity - Include device field in ConnectParams for all connection paths - Handle WS close code 1008 with actionable log + device ID - Graceful fallback if auth fails: connect proceeds without device field - Preserve: 30s timeout, getGatewayScopes(), connection reuse cache - Add PR ibelick#26 streaming infrastructure: gatewayRpcShared, acquireGatewayClient, gatewayEventStream, createGatewayClient - Exclude .device-keys.json from git Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Merged
7 tasks
samgibson-bot
added a commit
to samgibson-bot/gold-dashboard
that referenced
this pull request
Feb 18, 2026
…belick#27, ibelick#14, #4, ibelick#29 * feat: PR ibelick#32 — device auth for OpenClaw v2026.2.14+ compatibility - Add Ed25519 keypair generation, persistence (.device-keys.json, 0o600) - Sign connect payload (v1|deviceId|clientId|...) via loadOrCreateDeviceIdentity - Include device field in ConnectParams for all connection paths - Handle WS close code 1008 with actionable log + device ID - Graceful fallback if auth fails: connect proceeds without device field - Preserve: 30s timeout, getGatewayScopes(), connection reuse cache - Add PR ibelick#26 streaming infrastructure: gatewayRpcShared, acquireGatewayClient, gatewayEventStream, createGatewayClient - Exclude .device-keys.json from git Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com> * feat: PR ibelick#15 — slim Shiki bundle via createHighlighterCore Replace createHighlighter with createHighlighterCore + JS regex engine. Pre-load 29 explicit languages at init instead of dynamic loadLanguage(). Replace bundledLanguages import with SUPPORTED_LANGUAGES Set in utils.ts. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com> * feat: PR ibelick#26 — /api/stream SSE endpoint with sanitizeError in catch Add Server-Sent Events stream route using acquireGatewayClient. All error paths use sanitizeError(). Heartbeat every 15s. Update routeTree.gen.ts with full ApiStreamRoute registration. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com> * feat: PR ibelick#27 — streamdown replaces react-markdown Remove react-markdown, marked, remark-gfm, remark-breaks. Rewrite markdown.tsx using Streamdown component. PRESERVED: javascript: protocol blocking in a component (safeHref logic). Add ThinkingLevel type and thinkingLevel setting to ChatSettings. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com> * feat: PR ibelick#14 — pin sessions with localStorage persistence Add usePinnedSessionsStore (Zustand + persist) in use-pinned-sessions.ts. Update SessionItem with isPinned prop + onTogglePin callback + PinIcon button. Update SidebarSessions to split pinned/unpinned with divider separator. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com> * feat: PR #4 — image attachments with canvas compression and 5MB limit Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com> * feat: PR ibelick#29 — randomUUID utility with Math.random fallback for LAN/HTTP contexts Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com> * fix: PR ibelick#15 — use bundledThemes/bundledLanguages from shiki instead of @shikijs/* subpaths Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com> * chore: update routeTree.gen.ts after build (route order normalized) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com> --------- Co-authored-by: Nathen McVittie <nathenmcvittie@gmail.com> Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
Since OpenClaw v2026.2.14, clients without device identity have their scopes cleared during the WebSocket handshake. This breaks WebClaw — sessions, models, and chat all fail with
missing scope: operator.read.The current workaround requires two steps:
dangerouslyDisableDeviceAuth: truein gateway configThis PR eliminates the need for
dangerouslyDisableDeviceAuthentirely.Solution
Implement Ed25519 device authentication in WebClaw's gateway connection:
apps/webclaw/.device-keys.json(0600 permissions)v1|deviceId|clientId|...)devicefield in the WebSocket connect paramsDetails
cryptoonly — no external dependenciesdangerouslyDisableDeviceAuthstill needed for scope preservation) and v2026.2.15+ (full device auth, no config flag needed)Changes
apps/webclaw/src/server/gateway.ts— Device identity + signing + connect params.gitignore— Exclude.device-keys.jsonTesting
dangerouslyDisableDeviceAuthremoved successfullyCloses #30 (together with #31)
AI-assisted (Codex). Reviewed and tested by human.