From de7427a1401fbfa0f7afd821bfef47d9ebd08d44 Mon Sep 17 00:00:00 2001
From: Felipe Vicens <felipejose.vicensgonzalez@telefonica.com>
Date: Mon, 11 May 2026 22:41:08 +0200
Subject: [PATCH 1/2] fix(openclaw): bind gateway to loopback interface

   Add Bind: loopback to the openclaw gateway bootstrap configuration
   so the local gateway only listens on the loopback interface rather
   than all network interfaces.

Signed-off-by: Felipe Vicens <felipejose.vicensgonzalez@telefonica.com>
---
 go/core/pkg/sandboxbackend/openshell/openclaw/bootstrap.go | 1 +
 go/core/pkg/sandboxbackend/openshell/openclaw/types.go     | 1 +
 2 files changed, 2 insertions(+)

diff --git a/go/core/pkg/sandboxbackend/openshell/openclaw/bootstrap.go b/go/core/pkg/sandboxbackend/openshell/openclaw/bootstrap.go
index 137a867f9..b96330b92 100644
--- a/go/core/pkg/sandboxbackend/openshell/openclaw/bootstrap.go
+++ b/go/core/pkg/sandboxbackend/openshell/openclaw/bootstrap.go
@@ -59,6 +59,7 @@ func buildCoreBootstrapDocument(mc *v1alpha2.ModelConfig, gwPort int, apiKeyEnv,
 	return bootstrapDocument{
 		Gateway: gatewaySection{
 			Mode: "local",
+			Bind: "loopback",
 			Auth: gatewayAuth{Mode: "none"},
 			Port: gwPort,
 		},
diff --git a/go/core/pkg/sandboxbackend/openshell/openclaw/types.go b/go/core/pkg/sandboxbackend/openshell/openclaw/types.go
index 38abeb0d2..da7334766 100644
--- a/go/core/pkg/sandboxbackend/openshell/openclaw/types.go
+++ b/go/core/pkg/sandboxbackend/openshell/openclaw/types.go
@@ -13,6 +13,7 @@ type bootstrapDocument struct {
 
 type gatewaySection struct {
 	Mode string      `json:"mode"`
+	Bind string      `json:"bind"`
 	Auth gatewayAuth `json:"auth"`
 	Port int         `json:"port"`
 }

From 7fe3dab17e24253aee495e945273bdacd41b4ce1 Mon Sep 17 00:00:00 2001
From: Felipe Vicens <felipejose.vicensgonzalez@telefonica.com>
Date: Wed, 13 May 2026 20:22:11 +0200
Subject: [PATCH 2/2] test(openclaw): assert gateway bind is loopback in
 bootstrap test

Signed-off-by: Felipe Vicens <felipejose.vicensgonzalez@telefonica.com>
---
 go/core/pkg/sandboxbackend/openshell/openclaw/bootstrap_test.go | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/go/core/pkg/sandboxbackend/openshell/openclaw/bootstrap_test.go b/go/core/pkg/sandboxbackend/openshell/openclaw/bootstrap_test.go
index 36e5a0c78..3ffd74b8d 100644
--- a/go/core/pkg/sandboxbackend/openshell/openclaw/bootstrap_test.go
+++ b/go/core/pkg/sandboxbackend/openshell/openclaw/bootstrap_test.go
@@ -100,6 +100,8 @@ func TestBuildBootstrapJSON_OpenAIAndTelegram(t *testing.T) {
 	var root map[string]any
 	require.NoError(t, json.Unmarshal(raw, &root))
 	require.Contains(t, root, "gateway")
+	gw := root["gateway"].(map[string]any)
+	require.Equal(t, "loopback", gw["bind"])
 	require.Contains(t, root, "models")
 	require.Contains(t, root, "agents")
 	models := root["models"].(map[string]any)