diff --git a/docs/concepts/architecture.md b/docs/concepts/architecture.md index 12c590b7a..722f3b4a8 100644 --- a/docs/concepts/architecture.md +++ b/docs/concepts/architecture.md @@ -77,6 +77,21 @@ Client Gateway safely retry; the server keeps a short‑lived dedupe cache. - Nodes must include `role: "node"` plus caps/commands/permissions in `connect`. +## Pairing + local trust + +- All WS clients (operators + nodes) include a **device identity** on `connect`. +- New device IDs require pairing approval; the Gateway issues a **device token** + for subsequent connects. +- **Local** connects (loopback or the gateway host’s own tailnet address) can be + auto‑approved to keep same‑host UX smooth. +- **Non‑local** connects must sign the `connect.challenge` nonce and require + explicit approval. +- Gateway auth (`gateway.auth.*`) still applies to **all** connections, local or + remote. + +Details: [Gateway protocol](/gateway/protocol), [Pairing](/start/pairing), +[Security](/gateway/security). + ## Protocol typing and codegen - TypeBox schemas define the protocol. diff --git a/docs/gateway/protocol.md b/docs/gateway/protocol.md index 47335ead0..85cf1cbd9 100644 --- a/docs/gateway/protocol.md +++ b/docs/gateway/protocol.md @@ -195,6 +195,8 @@ The Gateway treats these as **claims** and enforces server-side allowlists. - Gateways issue tokens per device + role. - Pairing approvals are required for new device IDs unless local auto-approval is enabled. +- **Local** connects include loopback and the gateway host’s own tailnet address + (so same‑host tailnet binds can still auto‑approve). - All WS clients must include `device` identity during `connect` (operator + node). - Non-local connections must sign the server-provided `connect.challenge` nonce. diff --git a/docs/gateway/security.md b/docs/gateway/security.md index 62fbe4754..4afe2d380 100644 --- a/docs/gateway/security.md +++ b/docs/gateway/security.md 
@@ -270,6 +270,12 @@ Note: `gateway.remote.token` is **only** for remote CLI calls; it does not protect local WS access. Optional: pin remote TLS with `gateway.remote.tlsFingerprint` when using `wss://`. +Local device pairing: +- Device pairing is auto‑approved for **local** connects (loopback or the + gateway host’s own tailnet address) to keep same‑host clients smooth. +- Other tailnet peers are **not** treated as local; they still need pairing + approval. + Auth modes: - `gateway.auth.mode: "token"`: shared bearer token (recommended for most setups). - `gateway.auth.mode: "password"`: password auth (prefer setting via env: `CLAWDBOT_GATEWAY_PASSWORD`). diff --git a/docs/network.md b/docs/network.md new file mode 100644 index 000000000..94e43e85d --- /dev/null +++ b/docs/network.md 
@@ -0,0 +1,51 @@ +--- +summary: "Network hub: gateway surfaces, pairing, discovery, and security" +read_when: + - You need the network architecture + security overview + - You are debugging local vs tailnet access or pairing + - You want the canonical list of networking docs +--- +# Network hub + +This hub links the core docs for how Clawdbot connects, pairs, and secures +devices across localhost, LAN, and tailnet. + +## Core model + +- [Gateway architecture](/concepts/architecture) +- [Gateway protocol](/gateway/protocol) +- [Gateway runbook](/gateway) +- [Web surfaces + bind modes](/web) + +## Pairing + identity + +- [Pairing overview (DM + nodes)](/start/pairing) +- [Gateway-owned node pairing](/gateway/pairing) +- [Devices CLI (pairing + token rotation)](/cli/devices) +- [Pairing CLI (DM approvals)](/cli/pairing) + +Local trust: +- Local connections (loopback or the gateway host’s own tailnet address) can be + auto‑approved for pairing to keep same‑host UX smooth. +- Non‑local tailnet/LAN clients still require explicit pairing approval. + +## Discovery + transports + +- [Discovery & transports](/gateway/discovery) +- [Bonjour / mDNS](/gateway/bonjour) +- [Remote access (SSH)](/gateway/remote) +- [Tailscale](/gateway/tailscale) + +## Nodes + bridge + +- [Nodes overview](/nodes) +- [Bridge protocol (legacy nodes)](/gateway/bridge-protocol) +- [Node runbook: iOS](/platforms/ios) +- [Node runbook: Android](/platforms/android) + +## Security + +- [Security overview](/gateway/security) +- [Gateway config reference](/gateway/configuration) +- [Troubleshooting](/gateway/troubleshooting) +- [Doctor](/gateway/doctor) diff --git a/docs/start/hubs.md b/docs/start/hubs.md index 1e5b09d59..346178b2b 100644 --- a/docs/start/hubs.md +++ b/docs/start/hubs.md 
@@ -32,6 +32,7 @@ Use these hubs to discover every page, including deep dives and reference docs t ## Core concepts - [Architecture](/concepts/architecture) +- [Network hub](/network) - [Agent runtime](/concepts/agent) - [Agent workspace](/concepts/agent-workspace) - [Memory](/concepts/memory)
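Review bot: In the new "Pairing + local trust" section of docs/concepts/architecture.md, the bullets leave it ambiguous whether **local** (auto-approved) connects also sign the `connect.challenge` nonce or whether the signature is demanded only of non-local connects; the bullet "**Non-local** connects must sign the `connect.challenge` nonce" reads as if local connects skip it, so state the local behaviour explicitly. "can be auto-approved" also implies a switch: name the setting that enables local auto-approval, or link to the page that documents it, next to the existing pointer to [Security](/gateway/security).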
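Review bot: The bullet added to docs/gateway/protocol.md ("**Local** connects include loopback and the gateway host's own tailnet address") does not say how the Gateway decides that a connection's source is that address; one sentence on the check (for example, the peer address compared against the host's own interface addresses) would let operators reason about what gets classified local. This file should also say that connections from other tailnet peers are non-local, as docs/gateway/security.md does in the same patch ("Other tailnet peers are **not** treated as local"), so the protocol page and the security page agree.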
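Review bot: In docs/gateway/security.md, "Device pairing is auto-approved for **local** connects" reads as unconditional, while docs/concepts/architecture.md ("can be auto-approved") and docs/gateway/protocol.md ("unless local auto-approval is enabled") in the same patch describe it as configurable; align the wording and name the config key that controls it alongside the `gateway.auth.mode` keys listed under "Auth modes". Because this block sits directly under the note that `gateway.remote.token` "does not protect local WS access", spell out the consequence for readers of the security page: anything that reaches the Gateway over loopback (including traffic a proxy or tunnel on that host forwards to loopback) is classified local and pairs without approval, leaving `gateway.auth.*`, which the architecture hunk says "still applies to **all** connections", as the remaining control.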
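Review bot: The "Local trust" block in the new docs/network.md is a third copy of the local-vs-non-local wording added to docs/concepts/architecture.md and docs/gateway/security.md in this patch, and the copies already differ ("can be auto-approved" vs "is auto-approved"); have the hub link to the canonical statement in [Security overview](/gateway/security) instead of restating it, so the three do not drift. Minor: the "Security" list also holds [Troubleshooting](/gateway/troubleshooting) and [Doctor](/gateway/doctor), which are diagnostics rather than security docs; a separate "Diagnostics" heading would keep the section accurate.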