mirror of
https://github.com/openclaw/openclaw.git
synced 2026-07-12 20:23:16 +08:00
* fix: prefer loopback for local tailnet dashboard * fix(gateway): preserve local access for specific binds --------- Co-authored-by: haruaiclone-droid <281899875+haruaiclone-droid@users.noreply.github.com> Co-authored-by: Peter Steinberger <steipete@gmail.com>
1.9 KiB
1.9 KiB
summary, read_when, title
| summary | read_when | title | ||
|---|---|---|---|---|
| CLI reference for `openclaw dashboard` (open the Control UI) |
|
Dashboard |
openclaw dashboard
Open the Control UI using your current auth.
openclaw dashboard
openclaw dashboard --no-open
openclaw dashboard --yes
--no-open: print the URL but do not launch a browser.--yes: start/install the Gateway without prompting when needed.
Notes:
- Resolves configured
gateway.auth.tokenSecretRefs when possible. - Follows
gateway.tls.enabled: TLS-enabled gateways print/openhttps://Control UI URLs and connect overwss://. - For
lanor a wildcardcustombind, same-host launches always use loopback because a wildcard is not a browser destination. Plaintexttailnetandcustombinds also use127.0.0.1so the browser has a secure context; TLS-enabled specific hosts keep the configured address so certificate names match. - Before delivering an authenticated loopback URL for a specific-interface bind, the command probes the configured interface and verifies that it and
127.0.0.1are owned by the same Gateway process. Ambiguous listener ownership fails closed with status guidance. - For SecretRef-managed tokens (resolved or unresolved), the printed/copied/opened URL never includes the token, so external secrets do not leak into terminal output, clipboard history, or browser-launch arguments.
- If
gateway.auth.tokenis SecretRef-managed but unresolved, the command prints a non-tokenized URL and remediation guidance instead of an invalid token placeholder. - If clipboard/browser delivery fails for a token-authenticated URL, the command logs a safe manual-auth hint naming
OPENCLAW_GATEWAY_TOKEN,gateway.auth.token, and the URL fragment keytoken, without printing the token value.