2026_OPENCLAW
GATEWAY_
SURFACE_
BIND_AUDIT.

// Pain: Gateway is up, but bind addresses, webhooks, and admin ports are undocumented. ClawHub skills run code—did anyone read the diff? Docker still writes as root across huge mounts? Conclusion: bind / reverse proxy / Tailscale / SSH matrix, five-step hardening, ClawHub audit checklist, read-only root + volume allowlists, remote Mac notes. See install matrix, Docker production, systemd/launchd runbook, migration, memory & tokens, SSH/VNC, plans.

Network security and access control concept

1. Pain points: exposure is more than open ports

(1) Bind semantics: 0.0.0.0 exposes all interfaces—fine for dev, toxic for prod when LAN scans or mis-firewalls stack. A single forgotten IPv6 listener or dual-stack rule gap can recreate the exposure you thought you removed on IPv4. Treat listener audits as part of every release gate not only first-time setup.

(2) Supply chain at the skill layer: skills are executable paths; upgrades without pinned commits widen blast radius. Transitive dependencies pulled at install time can change even when the skill headline version looks unchanged. Record the full resolution graph you used in CI and fail builds when hashes drift without a reviewed bump.

(3) Containers: read-only root without a tight volume allowlist still permits destructive writes to mounted secrets or home directories. Read-only flags do not stop a process from exfiltrating data through an allowed mount that was broader than intended. Pair filesystem permissions on the host with seccomp or AppArmor profiles when your threat model includes untrusted prompt injection driving tool calls.

2. Access topology matrix

Mode Best for Cost / watch-outs
127.0.0.1 only Solo dev, smallest LAN exposure Remote needs tunnels; local malware can still hit loopback
Reverse proxy + TLS (optional mTLS) Central TLS, logging, rate limits Cert lifecycle; avoid plaintext upstream hop
Tailscale / WireGuard Team remote without public admin ports Device inventory + ACL per port; revoke departed devices
SSH -L Incidents, jump hosts already exist Human tunnels rot; still fix app bind long term

Use the matrix as a negotiation tool between security and velocity: reverse proxies buy centralized policy but shift trust to the TLS private keys on that tier Tailscale buys simplicity for small teams but requires disciplined device lifecycle management SSH tunnels buy speed during incidents but rot if they replace permanent architecture. Pick one primary pattern per environment and document exceptions instead of mixing all four without rationale.

When you rotate patterns, replay the same smoke tests against the gateway health endpoint and a representative skill invocation so regressions surface before users do. Capture packet captures or structured logs for one happy path and one denied path per pattern; those artifacts become invaluable when auditors ask how you proved isolation actually held under load. Store the evidence alongside your change ticket so reviewers can correlate code, config, and observed behavior in one place.

3. Five-step hardening runbook

  1. Draw data-flow: channel ingress, gateway listen, model egress, workspace I/O—missing edges default to 0.0.0.0.
  2. Freeze bind contract: document addresses/ports/TLS termination; changes via PR with gateway status before/after.
  3. Pin and audit skills: source URL/commit, install time, required caps; upgrade only with diff review.
  4. Read-only container template: read-only root, tmpfs or dedicated cache volume, explicit workspace mounts—never mount full $HOME “for convenience”.
  5. Observe and roll back: log remote IP, channel id, skill exit codes; keep one-click rollback per Gateway runbook.
# Sanity checks (adapt to your stack) # Is gateway bound to loopback or a named tailnet IP only? # Does the reverse proxy upstream hit loopback, not another 0.0.0.0? # docker: --read-only + explicit -v allowlist present?

4. Citeable thresholds

  • If the team cannot list exact bind addresses and ports in 30 minutes, treat as high config drift—freeze docs and automated probes before adding channels.
  • With >15 skills and >50% never hash- or source-reviewed, enforce quarterly audits + pinned versions.
  • If container writable paths overlap host secrets beyond the minimal business set, split mounts in the next change window.

5. Remote Mac Gateway signals

Signal Action
Laptop sleep drops channels / webhooks backlog Move to dedicated remote Mac or VPS; validate power + launchd—SSH/VNC guide
GPU/transcode colocated with Gateway, OOM/port fights Split processes/hosts
Admin must leave office LAN Tailscale ACL + tailnet bind only; public edge only for channel webhooks via proxy
Post-upgrade auth drift Run silent Gateway diagnostic runbook; backup per migration guide

6. FAQ: hardening decisions operators actually face

Q: Should our Gateway ever listen on 0.0.0.0 in production? Treat 0.0.0.0 as a deliberate, reviewed exception with a ticket number, time box, and rollback. Default production posture should be loopback or a named tailnet IP behind a proxy. If a vendor guide says bind all interfaces, translate that to bind loopback plus reverse proxy unless you have written threat-model approval for WAN exposure.

Q: How do we separate webhook traffic from admin or debug routes? Use distinct hostnames or path prefixes at the reverse proxy, different rate-limit buckets, and separate TLS certificates where practical. Never reuse the same URL prefix for health, metrics, and webhook without authentication layers. Logging should tag each request class so an operator can filter noise during an incident.

Q: What is the minimum viable ClawHub skill audit before install? Capture publisher identity, exact commit or tarball hash, declared permissions for filesystem subprocess and network, and outbound endpoints implied by the skill README or code. Run a read-only diff against the previously pinned version. If the diff touches credential paths or broadens glob patterns, require a second reviewer before merge to production.

Q: Are automatic skill updates ever acceptable? Only when you control the release channel such as an internal registry or mirrored tarball with cryptographic verification and when CI replays a smoke suite against pinned fixtures. Public always-latest pulls belong in sandboxes, not on the same host that holds long-lived tokens for Slack GitHub or enterprise messaging.

Q: How does MEMORY.md relate to security? It expands data exposure because sensitive transcripts API snippets or file paths may land on disk. Apply filesystem permissions encryption at rest where available and backup policies comparable to application secrets. Pair memory hygiene with the memory governance runbook linked in the lede so token growth does not push operators toward unsafe shortcuts.

Q: Where do configuration writes go when the container root is read-only? Only whitelisted volumes tmpfs locations sized for cache or immutable config maps baked into tagged images. If someone proposes chmod on the read-only layer in a run script reject the change and redesign the mount graph. Persisted secrets should never live in world-readable paths inside the container.

Q: What signals suggest our Tailscale ACL is too loose? Any device class can reach Gateway ports unrelated to its role or departed employees retain tags that still match ACL rules. Quarterly reconcile Tailscale device inventory with HR offboarding tickets. Pair ACL tightening with monitoring for denied connection attempts so legitimate automation is not silently broken.

Q: When is SSH port-forwarding enough? For break-glass access or short migrations yes. For steady-state operations prefer application-level binds plus mesh VPN because SSH tunnels depend on individual laptops staying online and create opaque dependencies. Document every long-lived port forward with owner and expiry.

7. Deep dive: governance beats ad-hoc firewall tweaks

Self-hosted OpenClaw-style gateways sit at the intersection of untrusted message channels and powerful local tools. The failure mode is not only remote exploitation it is also insider-style misuse where a skill reads more files than the team understood or a webhook handler processes forged events because signing keys rotated asynchronously across environments.

Versioned contracts matter because humans forget ephemeral chat decisions. Check bind addresses upstream proxy configuration and TLS termination into the same change-management stream as application code. When someone opens a PR that alters ports require automated probe output or a scripted listener diff showing before and after results.

Supply-chain discipline for skills mirrors dependency management in backend services. Pin versions store hashes and require human-readable release notes for upgrades. If upstream publishes only a moving tag mirror artifacts you trust and promote them through your own pipeline.

Container graphs deserve diagramming which host paths enter the namespace which UIDs write there and what happens if the skill enumerates parent directories. The smallest mount surface wins. Where graphics or ML workloads share the machine with Gateway isolate them when tail latency or memory pressure causes restarts that drop channel connectivity.

Remote Mac hosting helps when laptops sleep or when corporate VPN policies block stable inbound webhooks. A dedicated Apple Silicon node with launchd supervision log rotation and explicit power settings can carry channels twenty-four seven while developers keep interactive machines for experimentation. The trade-off is operational ownership you still must patch macOS rotate credentials and validate backups.

Finally rehearse rollback quarterly. If rolling back Gateway takes longer than recovering from a bad model prompt your automation is mis-prioritized. Keep two known-good artifacts previous container image digest or npm tarball and a verified workspace snapshot without secrets committed.

8. Observability and alert routing

Instrument Gateway like any API edge request counts by route class error codes from skill execution p95 latency per skill and process restarts. Sudden spikes in webhook signature failures usually indicate desynchronized secrets between channel provider and Gateway. Disk write spikes often trace to verbose logging or skills dumping large artifacts into workspace.

Signal How to collect First investigation step
Admin UI probed from unexpected ASNs Reverse-proxy access logs with ASN retained where policy allows Verify bind addresses IPv6 listeners and cloud security groups
Skill p95 latency regression Histogram per skill name and major version Check model endpoints disk IO and competing batch jobs
launchd or container restart storm Centralized log tail plus exit codes Look for writes to read-only paths or failing health checks
Outbound connection fan-out Host-level flow logs or eBPF summaries if available Diff recently upgraded skills for new domains

Route alerts to whoever can change bind configuration and skill pins not only generic infra on-call because many incidents are corrected faster by reverting a config PR than by scaling hardware.

9. Evidence pack for security review

Deliver an architecture one-pager plus machine-readable attachments exported listener lists redacted proxy configs Tailscale ACL snippets with annotations Docker compose or Kubernetes manifests highlighting read-only flags and volume mounts and a spreadsheet of skills with commit hashes and reviewers. Include notes from the last two rollback drills with timestamps and owners.

10. Closing: separate works on my machine from production channels

Laptops excel for development but combine sleep VPN changes and interactive GPU workloads that destabilize always-on agents. Moving Gateway to a dedicated remote Mac or small server trades capital for predictability. Apple Silicon remote nodes preserve toolchain parity with desktop creative workflows while giving launchd a stable home.

MACGPU exists to lower the friction of renting that dedicated Mac capacity with predictable hardware help pages that do not require login for baseline guidance and a natural fit when OpenClaw workflows touch graphics or multimedia automation. The CTA below stays aligned with that positioning evaluate your exposure first then decide whether a remote node removes the last operational blocker.

Before shipping new channels repeat an external port scan against the documented surface. Mismatches between paper and reality are defects not optional tech debt.

11. Install paths Docker and systemd launchd alignment

npm global installs Docker Compose bundles and pnpm-from-source builds differ in where state lands and how you roll back. Duplicate the hardening checklist per path user versus root writable directories and update cadence. Cross-link the install matrix Docker production guide and Gateway runbook so newcomers do not inherit a one-off laptop setup as the way production works.

12. Weekly operator cadence seven checks

  1. Diff active listeners against the frozen bind contract file a ticket if anything drifted.
  2. Review webhook signature error rate and compare with channel provider status pages.
  3. Scan skill versions for unpinned latest or floating tags pin anything loose.
  4. Verify backup jobs for workspace and memory files completed successfully.
  5. Check disk usage growth in log and artifact directories trim or rotate before saturation.
  6. Confirm Tailscale or VPN device inventory matches current employees and contractors.
  7. Run one controlled rollback rehearsal on staging using the previous golden artifact.

These seven checks complement the five hardening steps in section three the steps establish baseline architecture while the weekly cadence catches drift that humans introduce under schedule pressure.