Release 0.5.57

What's Changed

• feat(addon): make lan_https device-auth toggle configurable by @techartdev in #88
• fix(build): stabilize NodeSource Node 22 install in Docker image by @techartdev in #91

Full Changelog: v0.5.55...v0.5.57

v0.5.55

What's Changed

• Bump OpenClaw to 2026.3.2 by @techartdev in #85

Full Changelog: v0.5.54...v0.5.55

v0.5.54

Changed

• Added startup guidance when gateway_auth_mode=trusted-proxy is enabled to clarify why direct local CLI gateway calls can show trusted_proxy_user_missing/unauthorized.
• Bump OpenClaw to 2026.2.24.

Added

• New add-on option gateway_additional_allowed_origins for extra Control UI origins in lan_https mode.
• Custom SANs in TLS certificate (lan_https mode): hostnames and IPs from gateway_additional_allowed_origins and gateway_public_url are now included in the server certificate's Subject Alternative Name. The certificate auto-regenerates when SANs change.

Fixed

• Gateway token on landing page: read token directly from openclaw.json instead of via openclaw config get which redacts secrets since OpenClaw v2026.2.22+ (fixes "Open Gateway Web UI" button sending openclaw_redacted as the token).
• Token retrieval instructions: all "get your token" references in the landing page and DOCS now use jq -r '.gateway.auth.token' /config/.openclaw/openclaw.json with a note explaining why the old openclaw config get command no longer works.
• lan_https startup no longer overwrites gateway.controlUi.allowedOrigins with defaults only.
• Control UI origins are now merged as: built-in defaults + existing config values + gateway_additional_allowed_origins (deduplicated).
• In lan_reverse_proxy and other non-lan_https setups, Control UI origins now also include the origin derived from gateway_public_url.
• gateway.controlUi.allowedOrigins configuration is now consistently applied via merge logic (defaults + existing values + user extras), reducing manual openclaw.json edits after upgrades.
• Add-on no longer exits/restarts when OpenClaw runtime process is restarted during onboarding or config changes.
• run.sh now supervises the OpenClaw runtime (openclaw gateway run / openclaw node run) and auto-restarts it while keeping nginx + terminal alive.

Full Changelog: v0.5.53...v0.5.54

v0.5.53

What's Changed

• Added issue templates
• Bumped OpenClaw to version 2026.2.23

Full Changelog: v0.5.52...v0.5.53

Release 0.5.52

What's Changed

• feat: support gateway environment variables via add-on config by @megamen32 in #70

Full Changelog: v0.5.51...v0.5.52

Release 0.5.51

Fixed

• web_fetch failed: fetch failed: changed force_ipv4_dns default to true. Node 22 tries IPv6 first; most HAOS VMs lack IPv6 egress, causing outbound web_fetch / HTTP tool calls to time out.

Added

• nginx_log_level option (minimal / full, default minimal): suppresses repetitive Home Assistant health-check and polling requests (GET /, GET /v1/models, POST /tools/invoke) from the nginx access log.

Full Changelog: v0.5.50...v0.5.51

Release 0.5.50

[!WARNING!]
This update contains lots of changes. It is adviced to backup before installing!

Changed

• Upgraded OpenClaw to v2026.2.22-2 — includes major gateway/auth/pairing fixes and security hardening.
• Precreate $OPENCLAW_CONFIG_DIR/identity on startup to prevent EACCES errors on CLI commands that need device identity.
• Gateway token is auto-constructed from detected LAN IP when lan_https is active and gateway_public_url is empty.
• Config helper now receives the effective internal port (gateway_port + 1 in lan_https mode).

Notes — v2026.2.22 impact on this add-on

• Pairing fixes (loopback): v2026.2.22 auto-approves loopback scope-upgrade pairing requests, includes operator.read/operator.write in default scope bundles, and treats operator.admin as satisfying other scopes. This greatly improves local_only mode reliability.
• dangerouslyDisableDeviceAuth security warning: v2026.2.22 now emits a startup warning when this flag is active. The warning is expected and harmless for lan_https mode — the flag is still required because LAN browser connections through the HTTPS proxy are not considered loopback by the gateway. Token auth remains enforced.
• Gateway lock improvements: stale-lock detection now uses port reachability, reducing false "already running" errors after unclean restarts.
• Log file size cap: new logging.maxFileBytes default (500 MB) prevents disk exhaustion from log storms.
• wss:// default for remote onboarding: validates our HTTPS proxy approach as the correct direction.

Added

• Disk-space monitoring on the landing page — shows total / used / available with colour-coded indicator (🟢 / 🟡 / 🔴).
• Low-disk warning banner appears automatically when usage exceeds 90 %.
• oc-cleanup terminal command — interactive helper that shows cache sizes (npm, pnpm, OpenClaw, Homebrew, pycache, tmp) and lets users reclaim space with a menu-driven cleanup.
• Startup disk-space check with log warnings when the overlay is above 75 % or 90 %.
• access_mode preset option — simplifies secure access configuration with one setting:
  • custom (default, backward-compatible): use individual gateway settings
  • local_only: loopback + token (Ingress/terminal only)
  • lan_https: built-in HTTPS reverse proxy for LAN access (recommended for phones/tablets)
  • lan_reverse_proxy: LAN bind + trusted-proxy for external reverse proxy (NPM, Caddy, Traefik)
  • tailnet_https: Tailscale interface bind + token auth
• Built-in TLS certificate generation (lan_https mode):
  • Auto-generates a local CA + server certificate on first startup
  • Server cert is regenerated automatically when LAN IP changes
  • CA certificate downloadable from the landing page for one-tap phone trust
  • nginx HTTPS server block terminates TLS and proxies to the loopback gateway
• Overhauled landing page with:
  • Real-time status cards (gateway health, secure context, access mode)
  • Access wizard with step-by-step guidance per mode
  • Error translation — maps raw errors like 1008: requires device identity to friendly messages with fixes
  • CA certificate download button (lan_https mode)
  • Migration banner for users on custom mode recommending a preset
  • Collapsible reverse-proxy recipes (NPM / Caddy / Traefik / Tailscale)
• Added openssl to Docker image for TLS certificate generation.
• Translations for access_mode in all 6 languages (EN, BG, DE, ES, PL, PT-BR).

Fixed

• lan_https — error 1008 "pairing required": auto-set gateway.controlUi.dangerouslyDisableDeviceAuth: true to skip interactive device pairing (token auth remains enforced). Replaces the invalid pairingMode key that caused Unrecognized key config errors.
• Config helper now removes stale/invalid keys (e.g. pairingMode) from controlUi on startup.
• Landing page error translation now covers "pairing required" and "origin not allowed" errors with correct fix guidance.
• Dropdown translations for access_mode, gateway_mode, gateway_bind_mode, and gateway_auth_mode now show human-readable labels in all 6 languages.
• lan_https — error 1008 "origin not allowed": auto-configure gateway.controlUi.allowedOrigins with the HTTPS proxy origins (LAN IP, homeassistant.local, homeassistant) so the Control UI WebSocket is accepted.

Full Changelog: v0.5.49...v0.5.50

Release 0.5.49

What's Changed

• Fix config 0.5.48 by @techartdev in #66
• Add configurable outbound proxy support via add-on http_proxy option by @megamen32 in #67

New Contributors

• @megamen32 made their first contribution in #67

Full Changelog: v0.5.48...v0.5.49

Release 0.5.48

Changed

• Bump OpenClaw to 2026.2.21-2.
• Add Home Assistant share and media mounts to the add-on (map: share:rw, media:rw).

Full Changelog: v0.5.47...v0.5.48

Release 0.5.47

What's Changed

• chore: Add force_ipv4_dns option and update translations; bump OpenCl… by @techartdev in #57
• feat: add tailnet and auto bind mode support by @nathang21 in #62

New Contributors

• @nathang21 made their first contribution in #62

Full Changelog: v0.5.45...v0.5.47