docs: refresh gateway probe and discovery refs

2026-04-23 14:45:46 +00:00 · 2026-04-04 19:00:09 +01:00
parent ac5d1de13a
commit e6f054ac76
3 changed files with 31 additions and 10 deletions
--- a/docs/cli/gateway.md
+++ b/docs/cli/gateway.md
@@ -3,7 +3,7 @@ summary: "OpenClaw Gateway CLI (`openclaw gateway`) — run, query, and discover
 read_when:
  - Running the Gateway from the CLI (dev or servers)
  - Debugging Gateway auth, bind modes, and connectivity
-  - Discovering gateways via Bonjour (LAN + tailnet)
+  - Discovering gateways via Bonjour (local + wide-area DNS-SD)
 title: "gateway"
 ---

@@ -117,7 +117,7 @@ openclaw gateway status --require-rpc

 Options:

- `--url <url>`: override the probe URL.
+- `--url <url>`: add an explicit probe target. Configured remote + localhost are still probed.
 - `--token <token>`: token auth for the probe.
 - `--password <password>`: password auth for the probe.
 - `--timeout <ms>`: probe timeout (default `10000`).
@@ -144,6 +144,13 @@ Notes:
 - your configured remote gateway (if set), and
 - localhost (loopback) **even if remote is configured**.

+If you pass `--url`, that explicit target is added ahead of both. Human output labels the
+targets as:
+
+- `URL (explicit)`
+- `Remote (configured)` or `Remote (configured, inactive)`
+- `Local loopback`
+
 If multiple gateways are reachable, it prints all of them. Multiple gateways are supported when you use isolated profiles/ports (e.g., a rescue bot), but most installs still run a single gateway.

 ```bash
@@ -182,7 +189,9 @@ Options:

 - `--ssh <target>`: `user@host` or `user@host:port` (port defaults to `22`).
 - `--ssh-identity <path>`: identity file.
- `--ssh-auto`: pick the first discovered gateway host as SSH target (LAN/WAB only).
+- `--ssh-auto`: pick the first discovered gateway host as SSH target from the resolved
+  discovery endpoint (`local.` plus the configured wide-area domain, if any). TXT-only
+  hints are ignored.

 Config (optional, used as defaults):

@@ -275,3 +284,9 @@ Examples:
 openclaw gateway discover --timeout 4000
 openclaw gateway discover --json | jq '.beacons[].wsUrl'
 ```
+
+Notes:
+
+- The CLI scans `local.` plus the configured wide-area domain when one is enabled.
+- `wsUrl` in JSON output is derived from the resolved service endpoint, not from TXT-only
+  hints such as `lanHost` or `tailnetDns`.
--- a/docs/gateway/bonjour.md
+++ b/docs/gateway/bonjour.md
@@ -8,9 +8,10 @@ title: "Bonjour Discovery"

 # Bonjour / mDNS discovery

-OpenClaw uses Bonjour (mDNS / DNS‑SD) as a **LAN‑only convenience** to discover
-an active Gateway (WebSocket endpoint). It is best‑effort and does **not** replace SSH or
-Tailnet-based connectivity.
+OpenClaw uses Bonjour (mDNS / DNS‑SD) to discover an active Gateway (WebSocket endpoint).
+Multicast `local.` browsing is a **LAN-only convenience**. For cross-network discovery, the
+same beacon can also be published through a configured wide-area DNS-SD domain. Discovery is
+still best-effort and does **not** replace SSH or Tailnet-based connectivity.

 ## Wide-area Bonjour (Unicast DNS-SD) over Tailscale

@@ -63,7 +64,7 @@ In the Tailscale admin console:
 - Add a nameserver pointing at the gateway’s tailnet IP (UDP/TCP 53).
 - Add split DNS so your discovery domain uses that nameserver.

-Once clients accept tailnet DNS, iOS nodes can browse
+Once clients accept tailnet DNS, iOS nodes and CLI discovery can browse
 `_openclaw-gw._tcp` in your discovery domain without multicast.

 ### Gateway listener security (recommended)
@@ -104,6 +105,7 @@ Security notes:

 - Bonjour/mDNS TXT records are **unauthenticated**. Clients must not treat TXT as authoritative routing.
 - Clients should route using the resolved service endpoint (SRV + A/AAAA). Treat `lanHost`, `tailnetDns`, `gatewayPort`, and `gatewayTlsSha256` as hints only.
+- SSH auto-targeting should likewise use the resolved service host, not TXT-only hints.
 - TLS pinning must never allow an advertised `gatewayTlsSha256` to override a previously stored pin.
 - iOS/Android nodes should treat discovery-based direct connects as **TLS-only** and require explicit user confirmation before trusting a first-time fingerprint.

--- a/docs/gateway/discovery.md
+++ b/docs/gateway/discovery.md
@@ -42,9 +42,13 @@ Protocol details:

 ## Discovery inputs (how clients learn where the gateway is)

-### 1) Bonjour / mDNS (LAN only)
+### 1) Bonjour / DNS-SD discovery

-Bonjour is best-effort and does not cross networks. It is only used for “same LAN” convenience.
+Multicast Bonjour is best-effort and does not cross networks. OpenClaw can also browse the
+same gateway beacon via a configured wide-area DNS-SD domain, so discovery can cover:
+
+- `local.` on the same LAN
+- a configured unicast DNS-SD domain for cross-network discovery

 Target direction:

@@ -113,7 +117,7 @@ See [Remote access](/gateway/remote).
 Recommended client behavior:

 1. If a paired direct endpoint is configured and reachable, use it.
-2. Else, if Bonjour finds a gateway on LAN, offer a one-tap “Use this gateway” choice and save it as the direct endpoint.
+2. Else, if discovery finds a gateway on `local.` or the configured wide-area domain, offer a one-tap “Use this gateway” choice and save it as the direct endpoint.
 3. Else, if a tailnet DNS/IP is configured, try direct.
   For mobile nodes on tailnet/public routes, direct means a secure endpoint, not plaintext remote `ws://`.
 4. Else, fall back to SSH.