security: add mDNS discovery config to reduce information disclosure (#1882)

* security: add mDNS discovery config to reduce information disclosure mDNS broadcasts can expose sensitive operational details like filesystem paths (cliPath) and SSH availability (sshPort) to anyone on the local network. This information aids reconnaissance and should be minimized for gateways exposed beyond trusted networks. Changes: - Add discovery.mdns.enabled config option to disable mDNS entirely - Add discovery.mdns.minimal option to omit cliPath/sshPort from TXT records - Update security docs with operational security guidance Minimal mode still broadcasts enough for device discovery (role, gatewayPort, transport) while omitting details that help map the host environment. Apps that need CLI path can fetch it via the authenticated WebSocket. * fix: default mDNS discovery mode to minimal (#1882) (thanks @orlyjamie) --------- Co-authored-by: theonejvo <orlyjamie@users.noreply.github.com> Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-01-27 00:32:11 +11:00
parent 58949a1f95
commit a1f9825d63
10 changed files with 162 additions and 22 deletions
--- a/src/infra/bonjour.test.ts
+++ b/src/infra/bonjour.test.ts
@@ -138,6 +138,42 @@ describe("gateway bonjour advertiser", () => {
    expect(shutdown).toHaveBeenCalledTimes(1);
  });

+  it("omits cliPath and sshPort in minimal mode", async () => {
+    // Allow advertiser to run in unit tests.
+    delete process.env.VITEST;
+    process.env.NODE_ENV = "development";
+
+    vi.spyOn(os, "hostname").mockReturnValue("test-host");
+
+    const destroy = vi.fn().mockResolvedValue(undefined);
+    const advertise = vi.fn().mockResolvedValue(undefined);
+
+    createService.mockImplementation((options: Record<string, unknown>) => {
+      return {
+        advertise,
+        destroy,
+        serviceState: "announced",
+        on: vi.fn(),
+        getFQDN: () => `${asString(options.type, "service")}.${asString(options.domain, "local")}.`,
+        getHostname: () => asString(options.hostname, "unknown"),
+        getPort: () => Number(options.port ?? -1),
+      };
+    });
+
+    const started = await startGatewayBonjourAdvertiser({
+      gatewayPort: 18789,
+      sshPort: 2222,
+      cliPath: "/opt/homebrew/bin/clawdbot",
+      minimal: true,
+    });
+
+    const [gatewayCall] = createService.mock.calls as Array<[Record<string, unknown>]>;
+    expect((gatewayCall?.[0]?.txt as Record<string, string>)?.sshPort).toBeUndefined();
+    expect((gatewayCall?.[0]?.txt as Record<string, string>)?.cliPath).toBeUndefined();
+
+    await started.stop();
+  });
+
  it("attaches conflict listeners for services", async () => {
    // Allow advertiser to run in unit tests.
    delete process.env.VITEST;
--- a/src/infra/bonjour.ts
+++ b/src/infra/bonjour.ts
@@ -20,6 +20,11 @@ export type GatewayBonjourAdvertiseOpts = {
  canvasPort?: number;
  tailnetDns?: string;
  cliPath?: string;
+  /**
+   * Minimal mode - omit sensitive fields (cliPath, sshPort) from TXT records.
+   * Reduces information disclosure for better operational security.
+   */
+  minimal?: boolean;
 };

 function isDisabledByEnv() {
@@ -115,12 +120,24 @@ export async function startGatewayBonjourAdvertiser(
  if (typeof opts.tailnetDns === "string" && opts.tailnetDns.trim()) {
    txtBase.tailnetDns = opts.tailnetDns.trim();
  }
-  if (typeof opts.cliPath === "string" && opts.cliPath.trim()) {
+  // In minimal mode, omit cliPath to avoid exposing filesystem structure.
+  // This info can be obtained via the authenticated WebSocket if needed.
+  if (!opts.minimal && typeof opts.cliPath === "string" && opts.cliPath.trim()) {
    txtBase.cliPath = opts.cliPath.trim();
  }

  const services: Array<{ label: string; svc: BonjourService }> = [];

+  // Build TXT record for the gateway service.
+  // In minimal mode, omit sshPort to avoid advertising SSH availability.
+  const gatewayTxt: Record<string, string> = {
+    ...txtBase,
+    transport: "gateway",
+  };
+  if (!opts.minimal) {
+    gatewayTxt.sshPort = String(opts.sshPort ?? 22);
+  }
+
  const gateway = responder.createService({
    name: safeServiceName(instanceName),
    type: "clawdbot-gw",
@@ -128,11 +145,7 @@ export async function startGatewayBonjourAdvertiser(
    port: opts.gatewayPort,
    domain: "local",
    hostname,
-    txt: {
-      ...txtBase,
-      sshPort: String(opts.sshPort ?? 22),
-      transport: "gateway",
-    },
+    txt: gatewayTxt,
  });
  services.push({
    label: "gateway",
@@ -149,7 +162,7 @@ export async function startGatewayBonjourAdvertiser(
  logDebug(
    `bonjour: starting (hostname=${hostname}, instance=${JSON.stringify(
      safeServiceName(instanceName),
-    )}, gatewayPort=${opts.gatewayPort}, sshPort=${opts.sshPort ?? 22})`,
+    )}, gatewayPort=${opts.gatewayPort}${opts.minimal ? ", minimal=true" : `, sshPort=${opts.sshPort ?? 22}`})`,
  );

  for (const { label, svc } of services) {