docs: clarify remote access setups

docs/start/faq.md

@@ -710,6 +710,31 @@ Telegram → Gateway → Agent → `node.*` → Node → Gateway → Telegram
 
 Nodes don’t see inbound provider traffic; they only receive bridge RPC calls.
 
+### How can my agent access my computer if the Gateway is hosted remotely?
+
+Short answer: **pair your computer as a node**. The Gateway runs elsewhere, but it can
+call `node.*` tools (screen, camera, system) on your local machine over the Bridge.
+
+Typical setup:
+1) Run the Gateway on the always‑on host (VPS/home server).
+2) Put the Gateway host + your computer on the same tailnet.
+3) Enable the bridge on the Gateway host:
+   ```json5
+   { bridge: { enabled: true, bind: "auto" } }
+   ```
+4) Open the macOS app locally and connect in **Remote over SSH** mode so it can tunnel
+   the bridge port and register as a node.
+5) Approve the node on the Gateway:
+   ```bash
+   clawdbot nodes pending
+   clawdbot nodes approve <requestId>
+   ```
+
+Security reminder: pairing a macOS node allows `system.run` on that machine. Only
+pair devices you trust, and review [Security](/gateway/security).
+
+Docs: [Nodes](/nodes), [Bridge protocol](/gateway/bridge-protocol), [macOS remote mode](/platforms/mac/remote), [Security](/gateway/security).
+
 ### Do nodes run a gateway daemon?
 
 No. Only **one gateway** should run per host unless you intentionally run isolated profiles (see [Multiple gateways](/gateway/multiple-gateways)). Nodes are peripherals that connect

docs/start/getting-started.md

@@ -187,3 +187,4 @@ Health probes: `clawdbot health` (or `clawdbot status --deep`) asks the running
 - macOS menu bar app + voice wake: [macOS app](/platforms/macos)
 - iOS/Android nodes (Canvas/camera/voice): [Nodes](/nodes)
 - Remote access (SSH tunnel / Tailscale Serve): [Remote access](/gateway/remote) and [Tailscale](/gateway/tailscale)
+- Always-on / VPN setups: [Remote access](/gateway/remote), [exe.dev](/platforms/exe-dev), [Hetzner](/platforms/hetzner), [macOS remote](/platforms/mac/remote)