npm - @ssdavidai/zoclaw - Versions diffs - 1.2.0 → 1.2.2 - Mend

@ssdavidai/zoclaw 1.2.0 → 1.2.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/package.json +1 -1
package/scripts/bootstrap.sh +15 -29

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@ssdavidai/zoclaw",
-  "version": "1.2.0",
+  "version": "1.2.2",
   "description": "Set up OpenClaw on Zo with Tailscale access in one command",
   "license": "MIT",
   "repository": {

package/scripts/bootstrap.sh CHANGED Viewed

@@ -6,8 +6,6 @@
 set -euo pipefail
 CONFIG="${HOME}/.openclaw/openclaw.json"
-PAIRED="${HOME}/.openclaw/devices/paired.json"
-PENDING="${HOME}/.openclaw/devices/pending.json"
 if [ ! -f "$CONFIG" ]; then
   echo "Error: $CONFIG not found. Run 'openclaw configure' first."
@@ -16,8 +14,7 @@ fi
 echo "Patching openclaw config for Tailscale Serve..."
-# Patch gateway config — use OpenClaw's native tailscale integration
-# instead of manually configuring tailscale serve.
+# Patch gateway config — use OpenClaw's native tailscale integration.
 # Ref: https://docs.openclaw.ai/gateway/tailscale
 node -e "
   const fs = require('fs');
@@ -32,6 +29,12 @@ node -e "
   // and proxy HTTPS traffic from the tailnet to the local port.
   gw.tailscale = { mode: 'serve' };
+  // Trust localhost as a reverse proxy. Tailscale Serve connects
+  // to the gateway on 127.0.0.1 and adds x-forwarded-for headers.
+  // Without this, the gateway ignores proxy headers and can't
+  // resolve the caller's Tailscale identity.
+  gw.trustedProxies = ['127.0.0.1/32'];
   // Trust Tailscale identity headers — valid Tailscale Serve
   // requests authenticate via x-forwarded-for + tailscale whois
   // without needing a token or password.
@@ -56,31 +59,12 @@ node -e "
 echo "  gateway.bind = loopback"
 echo "  gateway.tailscale.mode = serve"
+echo "  gateway.trustedProxies = [127.0.0.1/32]"
 echo "  gateway.auth.allowTailscale = true"
 echo "  gateway.controlUi.enabled = true"
 echo "  nodes.denyCommands -> removed"
 echo "  credentials dir -> 700"
-# Upgrade any existing paired devices to full admin scopes
-if [ -f "$PAIRED" ]; then
-  node -e "
-    const fs = require('fs');
-    const paired = JSON.parse(fs.readFileSync(process.argv[1], 'utf8'));
-    const scopes = ['operator.read','operator.admin','operator.approvals','operator.pairing'];
-    for (const dev of Object.values(paired)) {
-      dev.clientId = 'cli';
-      dev.clientMode = 'cli';
-      dev.scopes = scopes;
-      for (const tok of Object.values(dev.tokens ?? {})) tok.scopes = scopes;
-    }
-    fs.writeFileSync(process.argv[1], JSON.stringify(paired, null, 2) + '\n');
-  " "$PAIRED"
-  echo "  Upgraded paired device scopes to full admin"
-fi
-# Clear stale pairing requests
-[ -f "$PENDING" ] && echo '{}' > "$PENDING"
 # Restart gateway to pick up config changes.
 # The gateway will auto-configure tailscale serve on startup.
 # Do NOT use --force as it regenerates the gateway identity
@@ -108,10 +92,12 @@ echo "Ready!"
 echo "  TUI:     openclaw tui"
 if [ -n "$TS_HOSTNAME" ]; then
   echo "  Browser: https://${TS_HOSTNAME}/"
-  if [ -n "$TOKEN" ]; then
-    echo "  (with token: https://${TS_HOSTNAME}/#token=${TOKEN})"
-  fi
   echo ""
-  echo "  Accessible from any device on your tailnet."
-  echo "  Tailscale identity auth is enabled — no token needed for tailnet users."
+  echo "  To access from another device on your tailnet:"
+  echo "    1. Open the URL above in your browser"
+  echo "    2. Run: openclaw devices list"
+  echo "    3. Run: openclaw devices approve <request-id>"
+  echo "    4. Refresh the browser"
+  echo ""
+  echo "  This is a one-time pairing per browser."
 fi